Vulnerability Management (InsightVM)
Vulnerability Management (InsightVM) identifies and prioritizes weak points on your network. Integrating Vulnerability Management (InsightVM) with SIEM (InsightIDR) allows you to detect malicious behavior earlier in the attack chain, expose user and asset risk, and list the exploitable vulnerabilities on your network, which are ordered by the number of users impacted by the vulnerability. Every asset that has been scanned by Vulnerability Management (InsightVM) displays its exploitable vulnerabilities, threat count, and risk score on its Asset Details page.
When malicious behavior is detected, SIEM (InsightIDR) hunts threats by combining user behavior analytics, SIEM, and endpoint capabilities.
To set up Vulnerability Management (InsightVM):
- Read the requirements and complete any prerequisite steps.
- Configure Vulnerability Management (InsightVM) to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to receive data from the event source.
- Test the configuration.
You can also:
- Troubleshoot common issues
- Read the considerations for managed or hosted Vulnerability Management (InsightVM) Security Console deployments
Viewing Vulnerability Management (InsightVM) events
Logs from this event source do not appear in Log Search. To learn more about viewing event details, read Test the configuration.
Requirements
To successfully configure the Vulnerability Management (InsightVM) event source, you must be a global administrator to ensure that events from Vulnerability Management (InsightVM) will be sent to SIEM (InsightIDR).
SSO user not compatible with Vulnerability Management (InsightVM) event source
An SSO user cannot be used to successfully configure the Vulnerability Management (InsightVM) event source.
Configure Vulnerability Management (InsightVM) to send data to SIEM (InsightIDR)
You must create a Vulnerability Management (InsightVM) global administrator user to send Vulnerability Management (InsightVM) logs to SIEM (InsightIDR). As a part of this process, ensure you complete the User Info, User Role, Site Permissions, and Asset Group Permissions sections.
Configure SIEM (InsightIDR) to collect data from the event source
Usage limitations
Both Nexpose and Vulnerability Management (InsightVM) subscribers can use the Vulnerability Management (InsightVM) event source. In this context, Nexpose simply refers to the on-premises Security Console that both Vulnerability Management (InsightVM) and Nexpose contain.
To configure the new event source in SIEM (InsightIDR):
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Vulnerability Management (InsightVM) in the event sources search bar.
- In the Product Type filter, select Rapid7.
- Select the Vulnerability Management (InsightVM) event source tile.
- Name the event source. This name will be used to name the log that contains the event data in Log Search.
- Select a collector.
- Select a timezone.
- Enter the server IP of the Security Console.
- If your deployment is managed, the corresponding IP address is provided during the deployment of your Managed Security Console. If you are unsure of your Managed Security Console URL, contact support for assistance.
- Enter the port number of the Security Console. The default port is 3780, but this can be changed. For details on how to change your port number, read Manage the Security Console.
- Rapid7-hosted consoles use port 443.
- Enter a poll rate in hours.
- Select your Vulnerability Management (InsightVM) credentials, or create a new Vulnerability Management (InsightVM) credential that matches the global administrator user you created earlier in Configure Vulnerability Management (InsightVM) to send data to SIEM (InsightIDR).
- Click Save.
Assets with a criticality tag are given the Restricted Asset label
If you’ve integrated Vulnerability Management (InsightVM) with SIEM (InsightIDR), a Restricted Asset label will automatically be applied to any assets that are tagged with your selected criticality value.
A Restricted Asset Authentication - New User detection is generated whenever a new user logs in to this asset for the first time.
A Restricted Asset Authentication - New Source detection is generated whenever a permitted user is authenticating to a restricted asset from a new source asset.
Test the configuration
To test that event data is flowing into SIEM (InsightIDR) through the Collector:
- Verify that data is flowing to the Collector.
- From the Data Collection Management page, click the Event Sources tab.
- Wait approximately seven minutes, find the event source you created, and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
- Verify that the risk scores for assets are appearing on the Assets and Endpoints page.
- From the left menu, go to Assets and Endpoints.
- From the Restricted Assets page, check that a risk score is shown for an asset.
- Verify that exploitable vulnerabilities are appearing on the Users and Accounts page.
- From the left menu, go to Users and Accounts.
- Check the Vulnerabilities card for exploitable vulnerabilities.
Vulnerability Management (InsightVM) data availability delay
Data from Vulnerability Management (InsightVM) may take 2–3 days to appear. This delay is expected due to the large volume of data that must be ingested during initial processing.
Troubleshoot common issues
These are some of the common issues and solutions associated with the Vulnerability Management (InsightVM) event source.
What port should I use?
If you do not know the webserver port for your Security Console, do this:
- From your Security Console installation directory, go to nsc/conf.
- Open the nsc.xml file.
- Search for webserver. Your port number will be displayed on that line.
Port issues in hosted or managed consoles
If your console is hosted or managed, and you have port 443 configured in the event source but are still experiencing issues, contact support for assistance.
Health Check Failed
If you receive the error message Health Check failed. Encountered Exception during health check. This could indicate networking issues. Please check with Support, it means that the Vulnerability Management (InsightVM) event source failed to connect. This failure has multiple possible causes, including firewall ACLs, Security Groups, DNS settings, Certificate failures, and more.
To resolve this issue:
- Review the Collector log, located at:
- /opt/rapid7/collector/logs/collector.log for Linux machines.
- C:\Program Files\Rapid7\Collector\logs\collector.log for Windows machines.
- In the collector.log file, search for Health Check or nexpose to locate the place in the logs where the attempt failed.
The logs might show more details about the specific error.
Connection Refused/Timed Out Error
If you receive the error message Connection Refused/Timed Out Error, it could have been caused by a firewall rule (such as hardware or local software firewall on the console) or a security group rule in AWS for our hosted consoles.
To resolve this issue:
- Log in to the Collector host and open a browser window.
- Go to the URL https://CONSOLEIP:PORT, replacing CONSOLEIP with the Security Console IP and PORT with the port you configured in the event source configuration.
- If the above is not an option, you can use traceroute <ConsoleIP> to establish whether a connection can be made from the Collector to the console, and what path it is taking. If the traceroute hangs, you can use this to determine where in the path it is failing. Note that traceroute tests the route, not the webserver port, so a traceroute that completes does not prove the port is reachable.
To test this resolution:
- Log in to the Security Console.
- If logging in to the Security Console fails, try these options:
Check Firewall and Security Group rules
- Set up an inbound and outbound firewall rule on both the Collector host and the Security Console.
- Allow traffic from the Collector outbound to the port that the event source is configured with.
- If you allow all traffic, ensure this setting is applied to both the inbound and outbound firewall rules.
- Restart the event source in SIEM (InsightIDR).
Validate the correct port
- In the installation directory of the Security Console, open the nsc.xml file.
- Look for the Webserver port and take note of it.
- Ensure the Webserver port matches the port configured for the event source in SIEM (InsightIDR).
Error codes
These are some of the error codes you might see if there is an issue with the event source configuration.
Received 401 response
If you receive the error message Received 401 response from the Vulnerability Management (InsightVM)/Nexpose API. Please Check Credentials., it means that your account is either locked or the password entered was incorrect.
To resolve this issue, review your credentials:
- Open the auth.log file in the Vulnerability Management (InsightVM) installation directory:
- /opt/rapid7/nexpose/nsc/logs/auth.log for Linux machines.
- C:\Program Files\Rapid7\Nexpose\nsc\logs\auth.log for Windows machines.
- Look for any authentication failures from the service account that was configured for the event source.
- If there are still failures:
- Ensure the credentials being used to log in are valid by logging in with the correct credentials, and ensure that the user account has not been locked out due to too many failed attempts.
Response Code 403
If you receive the error message Response Code 403 - Not permitted to perform requests. Please ensure Credentials have the required permission., it means that you do not have the correct permissions to perform API requests to the console.
To resolve this issue, verify that you have the required permissions. The service account in use must be a Global Admin for the event source to function.
Java certificate error
If you receive the error message sun.security.validator.ValidatorException: PKIX path validation failed: or java.security.cert.CertPathValidatorException, it means that there is an issue with the certificate on the Security Console. The certificate has most likely expired, so SIEM (InsightIDR) cannot establish a trusted HTTPS connection to your on-premises console.
To resolve this issue, reissue a self-signed certificate to the Security Console. For instructions, read our product documentation on managing the HTTPS certificate.
To test if the resolution was successful:
- Restart the Security Console to apply the updates.
- Stop and start the Vulnerability Management (InsightVM) event source within SIEM (InsightIDR) so it can reach out and confirm the new certificate and to clear the error from your SIEM (InsightIDR) instance.
If this issue persists after replacing the Security Console certificate, create a new support case referencing this guide.
PKIX path validation failed error
If you receive the error message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, it means that the Collector's Java trust store contains no certificate that chains to the one the Security Console presents, so no valid certification path could be built for the request.
To resolve this issue using Windows:
- Ensure that the .cer file is located somewhere on the Collector server and is easy to locate, for example, in Desktop\NewCertificate.cer.
- Open an admin command prompt and navigate to C:\Program Files\Rapid7\Collector\jre\bin.
- Run the keytool command: keytool.exe -importcert -alias NAME_HERE -keystore "C:\Program Files\Rapid7\Collector\jre\lib\security\cacerts" -file C:\Users\Administrator\Desktop\NewCertificate.cer. You can set the alias name to something easy to identify, in case you need to replace or remove this certificate in the future.
- Press Enter. You will be prompted for a password.
- Enter changeit. Your certificate will be displayed.
- Enter Yes to trust this certificate.
- Once your certificate has been added to the Keystore, restart the collector service.
- Stop and start the event source within SIEM (InsightIDR) and confirm if the error message is still visible.
To resolve this issue using Linux:
- Ensure that the .cer file is located somewhere on the Collector server and is easy to locate, for example, in /tmp/NewCertificate.cer.
- As root, navigate to /opt/rapid7/collector/jre/bin.
- Run the keytool command: ./keytool -importcert -alias NAME_HERE -keystore /opt/rapid7/collector/jre/lib/security/cacerts -file /tmp/NewCertificate.cer. You can set the alias name to something easy to identify, in case you ever need to replace or remove this certificate.
- Press Enter. You will be prompted for a password.
- Enter changeit. Your certificate will be displayed.
- Enter Yes to trust this certificate.
- Once your certificate has been added to the Keystore, restart the collector service.
- Stop and start your event source within SIEM (InsightIDR) to confirm if you still see the error message.
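The keytool steps above, scripted end to end for a Linux Collector, as an added example that is not Rapid7's code: it fetches the certificate the console currently presents, prints its SHA-256 fingerprint so you can confirm out of band that you are trusting the console and not something on the path, and imports it into the Collector's cacerts under a chosen alias, replacing any earlier entry under that alias. It assumes the Collector paths and the changeit store password given on this page and that openssl is installed; setting DRY_RUN=1 prints the keytool and openssl commands instead of running them.

```shell
#!/bin/sh
# Added example, not Rapid7 tooling: import the Security Console's HTTPS
# certificate into the Collector JRE trust store on Linux. Assumes the paths
# and the default "changeit" store password from this page and that openssl is
# installed. Set DRY_RUN=1 to print the privileged commands instead of running them.

KEYTOOL=/opt/rapid7/collector/jre/bin/keytool
CACERTS=/opt/rapid7/collector/jre/lib/security/cacerts
STOREPASS=${STOREPASS:-changeit}

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Save the leaf certificate the console presents, as PEM.
# $1 = console host, $2 = port, $3 = output file. -servername sends SNI so a
# console behind a name-based front end returns the certificate for that name.
fetch_console_cert() {
    if [ -n "$DRY_RUN" ]; then
        printf 'openssl s_client -connect %s:%s -servername %s </dev/null | openssl x509 -outform PEM > %s\n' \
            "$1" "$2" "$1" "$3"
        return 0
    fi
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print the SHA-256 fingerprint of a PEM certificate ($1) so it can be checked
# against the console out of band before it is trusted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# True if the alias ($1) already exists in cacerts.
alias_present() {
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Import $2 (PEM) under alias $1. keytool refuses a duplicate alias, so a stale
# entry (for example the expired certificate) is deleted first. -noprompt
# replaces the interactive "Trust this certificate?" answer from the manual steps.
import_console_cert() {
    if [ -z "$DRY_RUN" ] && alias_present "$1"; then
        run "$KEYTOOL" -delete -alias "$1" -keystore "$CACERTS" -storepass "$STOREPASS"
    fi
    run "$KEYTOOL" -importcert -noprompt -alias "$1" -keystore "$CACERTS" \
        -storepass "$STOREPASS" -file "$2"
}

# Usage (as root): sh import_console_cert.sh CONSOLE_HOST PORT ALIAS
if [ "$#" -eq 3 ]; then
    cer=$(mktemp /tmp/console-cert.XXXXXX) || exit 1
    fetch_console_cert "$1" "$2" "$cer"
    [ -n "$DRY_RUN" ] || cert_fingerprint "$cer"
    import_console_cert "$3" "$cer"
    echo "Imported. Restart the Collector service, then stop and start the event source in InsightIDR."
fi
```

keytool only prompts for the store password when -storepass is omitted, which is why the manual steps ask for changeit; passing the default on the command line is harmless, but do not do so if you have changed it. An update that replaces the Collector's bundled JRE can replace cacerts with it, so if the PKIX error returns after an update, run the import again.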
Unknown host exception
If you receive the error message UnknownHostException, it means that the hostname entered could not be resolved. This could be because the hostname is not valid or because it was entered incorrectly.
To resolve this issue, run the nslookup CONSOLE_HOSTNAME command from the collector host.
To test if the resolution was successful, verify that you received the IP address of the Security Console. If you do not receive the IP address of the Security Console, then the issue might lie with the DNS server the collector is using, or there might not be a DNS record for the Security Console, in which case, a record must be created.
Alternatively, the IP address of the Security Console can be used during event source configuration, provided that it is assigned a static IP address.
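As an added example that is not part of Rapid7's documentation or product, the following POSIX shell script, run on the Collector host, automates the checks from "What port should I use?", "Connection Refused/Timed Out Error", the 401 and 403 error codes, the PKIX errors and "Unknown host exception" above, plus the proxy check described under "Proxy-Related Errors" later on this page. It reads the webserver port out of nsc.xml, probes the console over HTTPS with the service account exactly as the Collector would (no certificate checks disabled), and maps the outcome onto the cause each section describes. It assumes curl and openssl are installed, that /api/3 is the InsightVM API v3 root, and that the WebServer line of nsc.xml carries the port as port="NNNN"; the nsc.xml fragment inside the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic for the InsightVM event source; not Rapid7 code. Run on the
# Collector host. Assumptions: curl and openssl are installed; /api/3 is the
# InsightVM API v3 root; nsc.xml holds the webserver port as port="NNNN" on the
# WebServer line; config.properties lives at the path named on this page.

CONFIG_PROPERTIES=/opt/rapid7/collector/conf/config.properties

# "What port should I use?": print the port from the WebServer line of nsc.xml.
# $1 = path to nsc.xml. Exit status 1 if no port was found.
console_port_from_nsc_xml() {
    grep -i '<webserver' "$1" \
        | sed -n 's/.*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p' \
        | head -n 1 | grep .
}

# Constructed nsc.xml fragment (not a real console config) for trying the parser.
# Prints the path of a temporary file holding it.
write_sample_nsc_xml() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<NexposeSecurityConsole>
  <WebServer maxThreads="20" port="3780" sslEnabled="true"/>
</NexposeSecurityConsole>
EOF
    echo "$f"
}

# Map a curl result onto the failure this page describes.
# $1 = curl exit code, $2 = HTTP status ("000" when no response was received).
classify_probe() {
    case "$1" in
        0)
            case "$2" in
                200) echo "ok" ;;
                401) echo "credentials: 401 - account locked or wrong password" ;;
                403) echo "permissions: 403 - service account is not a Global Admin" ;;
                *)   echo "unexpected HTTP status $2 (check the API path and port)" ;;
            esac ;;
        6)  echo "dns: hostname did not resolve (UnknownHostException)" ;;
        7)  echo "refused: firewall/security group or wrong port (Connection Refused)" ;;
        28) echo "timeout: traffic dropped on the path (Timed Out)" ;;
        35) echo "tls: handshake failed - check the console certificate" ;;
        60) echo "tls: certificate not trusted by this host (PKIX path building failed)" ;;
        *)  echo "curl exit code $1 - see the EXIT CODES section of man curl" ;;
    esac
}

# Probe the console the way the Collector does: HTTPS to the API with the
# service account and without -k, so an untrusted certificate fails here too.
# $1 = console host or IP, $2 = port, $3 = API user, $4 = password.
probe_console() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 \
                  -u "$3:$4" "https://$1:$2/api/3")
    rc=$?
    classify_probe "$rc" "$status"
}

# "Proxy-Related Errors": a proxy in config.properties also captures console
# traffic. $1 = path to config.properties. Prints the matching lines
# (commented-out ones included) and exits 0 when any proxy setting is present.
collector_proxy_configured() {
    grep -i 'proxy' "$1" 2>/dev/null
}

# Usage: sh check_console.sh CONSOLE PORT USER PASSWORD
# (the password is visible in the process list; prefer curl --netrc-file in production)
if [ "$#" -eq 4 ]; then
    probe_console "$1" "$2" "$3" "$4"
    if collector_proxy_configured "$CONFIG_PROPERTIES" >/dev/null; then
        echo "note: a proxy is set in $CONFIG_PROPERTIES; console traffic goes through it too"
    fi
fi
```

With a self-signed console certificate the probe reports the tls line even though a browser would merely warn; that is the same trust failure the Collector's JVM reports as a PKIX error, and it is resolved by importing the certificate into the Collector's cacerts, not by weakening the probe. The proxy grep also matches commented-out settings, so read the lines it prints before concluding that a proxy is active.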
Managed or hosted Vulnerability Management (InsightVM) Security Console considerations
If your Vulnerability Management (InsightVM) Security Console is managed or hosted by Rapid7, you may experience configuration and troubleshooting scenarios that differ from those of standard on-premises Vulnerability Management (InsightVM) deployments. Managed and hosted consoles are deployed and maintained by Rapid7 in AWS, rather than installed on infrastructure owned by the customer. As a result, communication patterns and networking requirements are distinct, and the steps below can help ensure successful setup and troubleshooting.
Console web server port
For managed and hosted environments, the Security Console’s web server always runs on port 443, unless otherwise changed during deployment. This differs from on-premises Vulnerability Management (InsightVM) Security Consoles, which use port 3780 by default.
Networking and security groups
For managed and hosted consoles, customers cannot directly modify inbound firewall rules, as Rapid7 administers the security groups. If networking errors occur during event source configuration, you should verify that the Collector’s public IP address has been added to the console’s inbound allowlist. Contact support to confirm this configuration.
Troubleshooting Vulnerability Management (InsightVM) event source connectivity
Customers using SIEM (InsightIDR) may be less familiar with how to access or validate connectivity to the Vulnerability Management (InsightVM) Security Console. The following steps provide a clear starting point for diagnosing issues reported in the event source UI.
1. Test console web server reachability
The first step when encountering a networking-related error is to attempt to open the console’s web server directly.
The console URL format is always:
https://ConsoleHostnameOrIP:ConsoleWebServerPort
For example (on-prem default):
https://ITCompany:3780
If using a hosted console:
https://ConsoleURL:443
Interpretation of results:
- Page does not load or connection refused: Most likely a firewall rule is preventing access (the required inbound rule has not been properly configured), or the port is wrong.
- Page loads but shows a certificate warning: The Security Console’s HTTPS certificate likely needs to be reconfigured. You can contact support to open a support case for assistance with certificate updates.
2. Understanding 401 / 401 Unauthorized Errors
Although documentation may reference a 401 error, the event source often displays 401 Unauthorized. This error almost always indicates a Vulnerability Management (InsightVM) permissions issue, not a SIEM (InsightIDR) or Collector problem.
Key clarifications:
- SIEM (InsightIDR) does not use a system account or OS-level credentials to access the console.
- Instead, it uses application-level credentials for a local Vulnerability Management (InsightVM) Security Console user.
- This user must have Global Administrator permissions.
- SSO must be disabled for this account, or authentication will fail.
Recommended remediation:
- Create a new Global Administrator user.
- From the Data Collection Management page, click the Event Sources tab and find your Vulnerability Management (InsightVM) event source.
- Edit the event source, create a new credential, and enter the Global Administrator user credentials you created.
- Click Save.
- Restart the event source.
3. Proxy-Related Errors
If the event source displays an error referencing a proxy, check whether a proxy is configured in the Collector’s config.properties file:
- Windows: C:\Program Files\Rapid7\Collector\conf\config.properties
- Linux: /opt/rapid7/collector/conf/config.properties
If a proxy is defined, all Collector traffic, including traffic to the Security Console even when it is on the same internal network, will be routed through that proxy. This can cause unexpected connectivity failures and is a known issue under investigation (DNR-5460).
Use your preferred networking tools (browser, curl) to confirm whether the proxy-enabled Collector can successfully reach the console URL.