Set Up an InsightVM Events Trigger
The InsightVM Events trigger listens for webhook events generated by InsightVM. There are four event types available: Asset Found, Asset Deleted, Vulnerability Found, and Vulnerability Remediated.
InsightVM and InsightConnect Are Better Together!
The InsightVM Events trigger in InsightConnect makes use of an experimental webhook feature in InsightVM. A webhook event subscription in InsightVM must be set up in tandem with the trigger in InsightConnect. Be sure to follow the instructions for subscribing to the webhook event after creating your trigger!
In this article, we cover how to:
- Create a new InsightVM Events Trigger
- Create a new InsightVM Webhook Event Subscription
- Use an InsightVM Events Trigger
Create a new InsightVM Events Trigger
In order to use the InsightVM Events trigger in InsightConnect, you will need a User API Key for the Insight Platform. See our documentation on generating a User Key for instructions on how to do so.
- Click Create New from any workflow manager page.
- Select Start from Scratch and enter a name and description for the workflow, then click Create.
- Choose the InsightVM Events trigger.
- Select the desired event type:
  - Asset Found
  - Asset Deleted
  - Vulnerability Found
  - Vulnerability Remediated
- Enter a name for the trigger, then click Save Step.
The trigger and associated API endpoint are created automatically. Before moving on to build your workflow, go on to subscribe to the appropriate InsightVM webhook events.
Create a new InsightVM Webhook Event Subscription
- On the Instructions page of your InsightVM Events trigger, paste in your Insight Platform User API Key.
Make sure to use a User API Key!
InsightVM only allows users to subscribe to webhook events. If you try using an Organization API Key, your request will fail.
- For Mac or Linux, copy the curl command. For Windows, copy the PowerShell command.
- Open a command line tool (Terminal for Mac users, Command Prompt for Windows users). Paste in the command from your clipboard and run it. This will make an API request to InsightVM, creating a new webhook event subscription so that events will be delivered to your InsightVM Events trigger.
- After running the command, you should see a JSON response with an ID and a couple of links. This is expected and means the webhook has been activated.
- Close the Instructions menu in InsightConnect and proceed to build your workflow.
Use an InsightVM Events Trigger
InsightVM events will be delivered to your InsightConnect trigger automatically when the relevant events occur in InsightVM. No manual action is necessary for events to be sent from InsightVM to InsightConnect.
How long does it take for events to reach InsightConnect?
Events are delivered to InsightConnect from InsightVM as soon as the Insight platform is notified of a change by the on-premises InsightVM Security Console. This can take anywhere from 5 minutes to several hours.
Each event type is described in further detail below.
Asset Found
The Asset Found event is triggered any time a new asset is discovered in InsightVM. New assets may be discovered from a scan or from an agent assessment.
The InsightVM Asset Found Events trigger schema in InsightConnect contains the following variables:
- id - string - The webhook event ID
- summary - object - An object containing the following variables:
  - agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
  - hostname - string - The hostname identified by InsightVM
  - ip - string - The IP address identified by InsightVM
  - mac - string - The MAC address identified by InsightVM
  - os - string - The Operating System identified by InsightVM
  - critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
  - severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
  - moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
  - services - number - The number of services running on the asset
  - last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
  - last_scanned - number - The epoch of the last time the asset was scanned
Asset Deleted
The Asset Deleted event is triggered any time an asset is deleted from the InsightVM database. This event may occur either from manually deleting an asset or due to an asset reaching the end of the data retention period.
The InsightVM Asset Deleted Events trigger schema in InsightConnect is the same as the Asset Found trigger schema documented above.
Vulnerabilities Found
The InsightVM Vulnerabilities Found event is triggered any time one or more new vulnerabilities are found on an asset after a scan or agent assessment.
The InsightVM Vulnerabilities Found Events Trigger schema in InsightConnect contains the following variables:
- id - string - The webhook event ID
- summary - object - An object containing the following variables:
  - agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
  - hostname - string - The hostname identified by InsightVM
  - ip - string - The IP address identified by InsightVM
  - mac - string - The MAC address identified by InsightVM
  - os - string - The Operating System identified by InsightVM
  - critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
  - severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
  - moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
  - services - number - The number of services running on the asset
  - last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
  - last_scanned - number - The epoch of the last time the asset was scanned
- changes - object - An object containing the following variables:
  - new_vulnerabilities_found - array - An array containing the identifiers of all newly discovered vulnerabilities on this asset
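An added example, not part of the original documentation or Rapid7's code: a Python check that a workflow step or downstream receiver could run to confirm an event body matches the Vulnerabilities Found schema above before acting on it. The function name `validate_event`, the sample payload, and the assumption that vulnerability identifiers are strings are illustrative.

```python
import json

NUMBER = (int, float)  # the page documents these fields only as "number"
# Field names and types from the trigger schema documented above.
SUMMARY_FIELDS = {
    "agent_id": (str, type(None)),  # null when no agent is deployed
    "hostname": (str,), "ip": (str,), "mac": (str,), "os": (str,),
    "critical_vulnerabilities": NUMBER, "severe_vulnerabilities": NUMBER,
    "moderate_vulnerabilities": NUMBER, "services": NUMBER,
    "last_vulnerability_assessment": NUMBER, "last_scanned": NUMBER,
}

def _type_ok(value, types):
    # bool is a subclass of int in Python; never accept it as a number.
    return not isinstance(value, bool) and isinstance(value, types)

def validate_event(raw, expect_changes=True):
    """Parse one event body; return (event, errors), event is None on error."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError) as exc:
        return None, [f"not valid JSON: {exc}"]
    if not isinstance(event, dict):
        return None, ["top level: expected object"]
    errors = []
    if not _type_ok(event.get("id"), (str,)):
        errors.append("id: expected string")
    summary = event.get("summary")
    if not isinstance(summary, dict):
        errors.append("summary: expected object")
    else:
        for name, types in SUMMARY_FIELDS.items():
            if name not in summary or not _type_ok(summary[name], types):
                errors.append(f"summary.{name}: missing or wrong type")
    if expect_changes:  # pass False for the asset event schema (no "changes")
        changes = event.get("changes")
        vulns = changes.get("new_vulnerabilities_found") if isinstance(changes, dict) else None
        # Assumption: identifiers are strings; the page says only "identifiers".
        if not isinstance(vulns, list) or not all(isinstance(v, str) for v in vulns):
            errors.append("changes.new_vulnerabilities_found: expected array of strings")
    return (None, errors) if errors else (event, errors)

# Constructed sample payload (not captured from InsightVM).
SAMPLE = json.dumps({"id": "evt-0001", "summary": {
    "agent_id": None, "hostname": "host1.example.test", "ip": "192.0.2.10",
    "mac": "00:00:5E:00:53:01", "os": "Linux", "critical_vulnerabilities": 2,
    "severe_vulnerabilities": 5, "moderate_vulnerabilities": 1, "services": 4,
    "last_vulnerability_assessment": 1700000000, "last_scanned": 1700000000},
    "changes": {"new_vulnerabilities_found": ["example-vuln-id-1"]}})
```

Calling `validate_event(SAMPLE)` returns the parsed event with an empty error list; a body that fails any check returns `None` with one message per failing field, so a workflow can stop before acting on malformed input.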
Vulnerabilities Remediated
The InsightVM Vulnerabilities Remediated event is triggered any time one or more previously identified vulnerabilities are no longer present after a new scan or agent assessment. This event may occur either from a vulnerability being remediated or due to a vulnerability exception being applied.
The InsightVM Vulnerabilities Remediated Events Trigger schema in InsightConnect is the same as the Vulnerabilities Found schema documented above.