Set Up an Vulnerability Management (InsightVM) Events Trigger
Copy link

The Vulnerability Management (InsightVM) Events trigger listens for webhook events generated by InsightVM. There are four event types available:

ℹ️

Vulnerability Management (InsightVM) and Automation (InsightConnect) Are Better Together!

The Vulnerability Management (InsightVM) Events trigger in Automation (InsightConnect) makes use of an experimental webhook feature in InsightVM. A webhook event subscription in Vulnerability Management (InsightVM) must be set up in tandem with the trigger in Automation (InsightConnect). Be sure to follow the instructions for subscribing to the webhook event after creating your trigger!

In this article, we cover how to:

  1. Create a new Vulnerability Management (InsightVM) Events Trigger
  2. Create a new Vulnerability Management (InsightVM) Webhook Event Subscription
  3. Use an InightVM Events Trigger

Create a new Vulnerability Management (InsightVM) Events Trigger
Copy link

In order to use the Vulnerability Management (InsightVM) Events trigger in Automation (InsightConnect), you will need a User API Key for the Insight Platform. See our documentation on generating a User Key for instructions on how to do so.

  1. Click Create New from any workflow manager page.
  2. Select Start from Scratch and enter a name and description for the workflow, then click Create.
  3. Choose the Vulnerability Management (InsightVM) Events trigger.
  4. Select the desired event type:
    • Asset Found
    • Asset Deleted
    • Vulnerability Found
    • Vulnerability Remediated
  5. Enter a name for the trigger, then click Save Step.

The trigger and associated API endpoint are created automatically. Before moving on to build your workflow, go on to subscribe to the appropriate Vulnerability Management (InsightVM) webhook events.

Create a new Vulnerability Management (InsightVM) Webhook Event Subscription
Copy link

  1. On the Instructions page of your Vulnerability Management (InsightVM) Events trigger, paste in your Insight Platform User API Key.
⚠️

Make sure to use a User API Key!

Vulnerability Management (InsightVM) only allows users to subscribe to webhook events. If you try using an Organization API Key, your request will fail.

  1. For Mac or Linux, copy the curl command. For Windows, copy the PowerShell command.
  2. Open a command line tool (Terminal for Mac users, Command Prompt for Windows users). Paste in the command from your clipboard and run it. This will make an API request to Vulnerability Management (InsightVM), creating a new webhook event subscription so that events will be delivered to your Vulnerability Management (InsightVM) Events trigger.
  3. After running the command, you should see a JSON response with an ID and a couple of links. This is expected and means the webhook has been activated.
  4. Close the Instructions menu in Automation (InsightConnect) and proceed to build your workflow.

Use an Vulnerability Management (InsightVM) Events Trigger
Copy link

Vulnerability Management (InsightVM) events will be delivered to your Automation (InsightConnect) trigger automatically when the relevant events occur in InsightVM. No manual action is necessary for events to be sent from Vulnerability Management (InsightVM) to Automation (InsightConnect).

ℹ️

How long does it take for events to reach Automation (InsightConnect)?

Events are delivered to Automation (InsightConnect) from Vulnerability Management (InsightVM) as soon as the Insight platform is notified of a change by the on-premises Vulnerability Management (InsightVM) Security Console. This can take anywhere from 5 minutes to several hours.

Each event type is described in further detail below.

Asset Found
Copy link

The Asset Found event is triggered any time a new asset is discovered in InsightVM. New assets may be discovered from a scan or from an agent assessment.

The Vulnerability Management (InsightVM) Asset Found Events trigger schema in Automation (InsightConnect) contains the following variables:

  • id - string - The webhook event ID
  • summary - object - An object containing the following variables:
    • agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
    • hostname - string - The hostname identified by Vulnerability Management (InsightVM)
    • ip - string - The IP address identified by Vulnerability Management (InsightVM)
    • mac - string - The MAC address identified by Vulnerability Management (InsightVM)
    • os - string - The Operating System identified by Vulnerability Management (InsightVM)
    • critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
    • severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
    • moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
    • services - number - The number of services running on the asset
    • last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
    • last_scanned - number - The epoch of the last time the asset was scanned

Asset Deleted
Copy link

The Asset Deleted event is triggered any time an asset is deleted from the Vulnerability Management (InsightVM) database. This event may occur either from manually deleting an asset or due to an asset reaching the end of the data retention period.

The InsighVM Asset Deleted Events trigger schema in Automation (InsightConnect) is the same as the Asset Found trigger schema documented above.

Vulnerabilities Found
Copy link

The Vulnerability Management (InsightVM) Vulnerabilities Found event is triggered any time one or more new vulnerabilities are found on an asset after a scan or agent assessment.

The Vulnerability Management (InsightVM) Vulnerabilities Found Events Trigger schema in Automation (InsightConnect) contains the following variables:

  • id - string - The webhook event ID
  • summary - object - An object containing the following variables:
    • agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
    • hostname - string - The hostname identified by Vulnerability Management (InsightVM)
    • ip - string - The IP address identified by Vulnerability Management (InsightVM)
    • mac - string - The MAC address identified by Vulnerability Management (InsightVM)
    • os - string - The Operating System identified by Vulnerability Management (InsightVM)
    • critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
    • severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
    • moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
    • services - - The number of services running on the asset
    • last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
    • last_scanned - number - The epoch of the last time the asset was scanned
  • changes - object - An object containing the following variables:
    • new_vulnerabilities_found - array - An array containing the identifiers of all newly discovered vulnerabilities on this asset

Vulnerabilities Remediated
Copy link

The Vulnerability Management (InsightVM) Vulnerabilities Remediated event is triggered any time one or more previously identified vulnerabilities are no longer present after a new scan or agent assessment. This event may occur either from a vulnerability being remediated or due to a vulnerability exception being applied.

The Vulnerability Management (InsightVM) Vulnerabilities Remediated Events Trigger schema in Automation (InsightConnect) is the same as the Vulnerabilities Found schema documented above.