Set Up an InsightVM Events Trigger

The InsightVM Events trigger listens for webhook events generated by InsightVM. There are four event types available:

• Asset Found
• Asset Deleted
• Vulnerabilities Found
• Vulnerabilities Remediated

In this article, we cover how to:

1. Create a new InsightVM Events Trigger
2. Create a new InsightVM Webhook Event Subscription
3. Use an InightVM Events Trigger

Create a new InsightVM Events Trigger

In order to use the InsightVM Events trigger in InsightConnect, you will need a User API Key for the Insight Platform. See our documentation on generating a User Key for instructions on how to do so.

1. Click Create New from any workflow manager page.
2. Select Start from Scratch and enter a name and description for the workflow, then click Create.
3. Choose the InsightVM Events trigger.
4. Select the desired event type:
   • Asset Found
   • Asset Deleted
   • Vulnerability Found
   • Vulnerability Remediated
5. Enter a name for the trigger, then click Save Step.

The trigger and associated API endpoint are created automatically. Before moving on to build your workflow, go on to subscribe to the appropriate InsightVM webhook events.

Create a new InsightVM Webhook Event Subscription

1. On the Instructions page of your InsightVM Events trigger, paste in your Insight Platform User API Key.

2. For Mac or Linux, copy the curl command. For Windows, copy the PowerShell command.
3. Open a command line tool (Terminal for Mac users, Command Prompt for Windows users). Paste in the command from your clipboard and run it. This will make an API request to InsightVM, creating a new webhook event subscription so that events will be delivered to your InsightVM Events trigger.
4. After running the command, you should see a JSON response with an ID and a couple of links. This is expected and means the webhook has been activated.
5. Close the Instructions menu in InsightConnect and proceed to build your workflow.

Use an InsightVM Events Trigger

InsightVM events will be delivered to your InsightConnect trigger automatically when the relevant events occur in InsightVM. No manual action is necessary for events to be sent from InsightVM to InsightConnect.

Each event type is described in further detail below.

Asset Found

The Asset Found event is triggered any time a new asset is discovered in InsightVM. New assets may be discovered from a scan or from an agent assessment.

The InsightVM Asset Found Events trigger schema in InsightConnect contains the following variables:

• id - string - The webhook event ID
• summary - object - An object containing the following variables:
  • agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
  • hostname - string - The hostname identified by InsightVM
  • ip - string - The IP address identified by InsightVM
  • mac - string - The MAC address identified by InsightVM
  • os - string - The Operating System identified by InsightVM
  • critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
  • severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
  • moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
  • services - number - The number of services running on the asset
  • last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
  • last_scanned - number - The epoch of the last time the asset was scanned

Asset Deleted

The Asset Deleted event is triggered any time an asset is deleted from the InsightVM database. This event may occur either from manually deleting an asset or due to an asset reaching the end of the data retention period.

The InsighVM Asset Deleted Events trigger schema in InsightConnect is the same as the Asset Found trigger schema documented above.

Vulnerabilities Found

The InsightVM Vulnerabilities Found event is triggered any time one or more new vulnerabilities are found on an asset after a scan or agent assessment.

The InsightVM Vulnerabilities Found Events Trigger schema in InsightConnect contains the following variables:

• id - string - The webhook event ID
• summary - object - An object containing the following variables:
  • agent_id - string - The asset agent ID (null if no agent is deployed to the asset)
  • hostname - string - The hostname identified by InsightVM
  • ip - string - The IP address identified by InsightVM
  • mac - string - The MAC address identified by InsightVM
  • os - string - The Operating System identified by InsightVM
  • critical_vulnerabilities - number - The number of critical vulnerabilities identified on the asset
  • severe_vulnerabilities - number - The number of severe vulnerabilities identified on the asset
  • moderate_vulnerabilities - number - The number of moderate vulnerabilities identified on the asset
  • services - - The number of services running on the asset
  • last_vulnerability_assessment - number - The epoch of the last time the asset was assessed for vulnerabilities
  • last_scanned - number - The epoch of the last time the asset was scanned
• changes - object - An object containing the following variables:
  • new_vulnerabilities_found - array - An array containing the identifiers of all newly discovered vulnerabilities on this asset

Vulnerabilities Remediated

The InsightVM Vulnerabilities Remediated event is triggered any time one or more previously identified vulnerabilities are no longer present after a new scan or agent assessment. This event may occur either from a vulnerability being remediated or due to a vulnerability exception being applied.

The InsightVM Vulnerabilities Remediated Events Trigger schema in InsightConnect is the same as the Vulnerabilities Found schema documented above.