InsightVM

InsightVM identifies and prioritizes weak points on your network. Integrating InsightVM with InsightIDR allows you to detect malicious behavior earlier in the attack chain, expose user and asset risk, and list the exploitable vulnerabilities on your network, which are ordered by the number of users impacted by the vulnerability. Every asset that has been scanned by InsightVM displays its exploitable vulnerabilities, threat count, and risk score on its Asset Details page.

When malicious behavior is detected, InsightIDR hunts threats by combining user behavior analytics, SIEM, and endpoint capabilities.

To set up InsightVM:

  1. Complete the prerequisite steps.
  2. Configure InsightVM to send data to InsightIDR.
  3. Configure InsightIDR to receive data from the event source.
  4. Test the configuration.
  5. Troubleshoot common issues.

Viewing InsightVM events

Logs from this event source do not appear in Log Search. To learn more about viewing event details, read Test the configuration.

Requirements

To successfully configure the InsightVM event source, you must be a global administrator to ensure that events from InsightVM will be sent to InsightIDR.

SSO user not compatible with InsightVM event source

An SSO user cannot be used to successfully configure the InsightVM event source.

Configure InsightVM to send data to InsightIDR

You must create an InsightVM global administrator user to send InsightVM logs to InsightIDR. As a part of this process, ensure you complete the information in the User Info, User Role, Site Permissions, and Asset Group Permissions sections.

Configure InsightIDR to collect data from the event source

Usage limitations

Both Nexpose and InsightVM subscribers can use the InsightVM event source. In this context, Nexpose simply refers to the on-premises Security Console that both InsightVM and Nexpose contain.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for InsightVM in the event sources search bar.
    • In the Product Type filter, select Rapid7.
  3. Select the InsightVM event source tile.
  4. Name the event source. This name will be used to name the log that contains the event data in Log Search.
  5. Select a collector.
  6. Select a timezone.
  7. Enter the server IP of the Security Console.
  8. Enter the port number of the Security Console. The default port is 3780 but this can be changed. For details on how to change your port number, view our documentation on how to manage the security console.
  9. Enter a poll rate in hours.
  10. Select your InsightVM credentials, or optionally create a new credential that matches the global administrator credentials you created earlier as part of Configure InsightVM to send data to InsightIDR.
  11. Click Save.

Assets with a criticality tag are given the Restricted Asset label

If you've integrated InsightVM with InsightIDR, a restricted asset label will automatically be applied to any assets that are tagged with the your selected criticality value.

A Restricted Asset Authentication - New User detection is generated whenever a new user logs in to this asset for the first time.

A Restricted Asset Authentication - New Source detection is generated whenever a permitted user is authenticating to a restricted asset from a new source asset.

Test the configuration

To test that event data is flowing into InsightIDR through the Collector:

  1. Verify that data is flowing to the Collector.
    1. From the Data Collection Management page, click the Event Sources tab.
    2. Wait approximately seven minutes, find the event source you created, and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  2. Verify that the risk scores for assets are appearing on the Asset and Endpoints page.
    1. From the left menu, go to Assets and Endpoints.
    2. From the Restricted Assets page, review for a risk score for an asset.
  3. Verify that the risk scores for assets are appearing on the User and Accounts page.
    1. From the left menu, go to User and Accounts.
    2. Review for exploitable vulnerabilities on the Vulnerabilities card.

Troubleshoot common issues

These are some of the common issues and solutions associated with the InsightVM event source.

What port should I use?

If you do not know the webserver port for your Security Console, do this:

  1. From your Security Console, go to nsc/conf.
  2. Open the nsc.xml file.
  3. Search for webserver. Your port number will be displayed on that line.

Health Check Failed

If you receive the error message Health Check failed. Encountered Exception during health check. This could indicate networking issues. Please check with Support, it means that the InsightVM event source failed to connect. This failure has multiple possible causes, including firewall ACLs, Security Groups, DNS settings, Certificate failures, and more.

To resolve this issue:

  1. Review the Collector log, located at:
    • /opt/rapid7/collector/logs/collector.log for Linux machines.
    • C:\Program Files\Rapid7\Collector\logs\collector.log for Windows machines.
  2. In the collector.log file, search for Health Check or nexpose to locate the place in the logs where the attempt failed.

The logs might show more details about the specific error.

Connection Refused/Timed Out Error

If you receive the error message Connection Refused/Timed Out Error, it could have been caused by a firewall rule (such as hardware or local software firewall on the console) or a security group rule in AWS for our hosted consoles.

To resolve this issue:

  1. Log in to the Collector host and open a browser window.
  2. Go to the URL https://CONSOLEIP:PORT, replacing CONSOLEIP with the Security Console IP and PORT with the port you configured in the event source configuration.
  3. If the above is not an option, you can use traceroute to establish if a connection can be made from the collector to the console, and what path it is taking. If the traceroute hangs, you can use this to determine where in the path it is failing.

To test this resolution:

  1. Log in to the Security Console.
  2. If logging in to the Security Console fails, try these options:
Check Firewall and Security Group rules
  1. Set up an inbound and outbound firewall rule on both the Collector host and the Security Console.
  2. Allow traffic from the Collector outbound to the port that the event source is configured with.
    • If you allow all traffic, ensure this setting is applied to both the inbound and outbound firewall rules.
  3. Restart the event source in InsightIDR.
Validate the correct port
  1. In the installation directory of the Security Console, open the nsc.xml file.
  2. Look for the Webserver port and take note of it.
  3. Ensure the Webserver port matches the port for the event source for InsightIDR.

Error codes

These are some of the error codes you might see if there is an issue with the event source configuration.

Received 401 response

If you receive the error message Received 401 response from the InsightVM/Nexpose API. Please Check Credentials., it means that your account is either locked or the password entered was incorrect.

To resolve this issue, review your credentials:

  1. Open the auth.log file in the InsightVM installation directory:
    • /opt/rapid7/nexpose/nsc/logs/auth.log for Linux machines.
    • C:\Program Files\Rapid7\Nexpose\nsc\logs\auth.log for Windows machines.
  2. Look for any authentication failures from the service account that was configured for the event source.
  3. If there are still failures:
    • Ensure the credentials being used to log in are valid by logging in with the correct credentials, and ensure that the user account has not been locked out due to too many failed attempts.

Response Code 403

If you receive the error message Response Code 403 - Not permitted to perform requests. Please ensure Credentials have the required permission., it means that you do not have the correct permissions to perform API requests to the console.

To resolve this issue, verify that you have the required permissions. The service account in use must be a Global Admin for the event source to function.

Java certificate error

If you receive the error message sun.security.validator.ValidatorException: PKIX path validation failed: or java.security.cert.CertPathValidatorException, it means that there is an issue with the certificate in the Security Console. This certificate has most likely expired, which means that InsightIDR is unable to authenticate to your on-premises console.

To resolve this issue, reissue a self-signed certificate to the Security Console. For instructions, read our product documentation on managing the HTTPS certificate.

To test if the resolution was successful:

  • Restart the Security Console to apply the updates.
  • Stop and start the InsightVM event source within InsightIDR so it can reach out and confirm the new certificate and to clear the error from your InsightIDR instance.

If this issue persists after replacing the Security Console certificate, create a new support case referencing this guide.

PKIX path validation failed error

If you receive the error message PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, it means that a certified path could not be found for the request.

To resolve this issue using Windows:

  1. Ensure that the cer file is located somewhere on the collector server and is easy to locate, for example, in Desktop\NewCertificate.cer.
  2. Open an admin command prompt and navigate to C:\Program Files\Rapid7\Collector\jre\bin.
  3. Run the Ketyool command, keytool.exe -importcert -alias NAME_HERE -Keystore "C:\Program Files\Rapid7\Collector\jre\lib\security\cacerts" -file C:\Users\Administrator\Desktop\NewCertificate.cer. You can set the alias name to something easy to identify, if you need to replace or remove this certificate in the future.
  4. Press Enter. You will be prompted for a password.
  5. Enter changeit. Your certificate will be displayed.
  6. Enter Yes to trust this certificate.
  7. Once your certificate has been added to the Keystore, restart the collector service.
  8. Stop and start the event source within InsightIDR and confirm if the error message is still visible.

To resolve this issue using Linux:

  1. Ensure that the cer file is located somewhere on the collector server and is easy to locate, for example, in /tmp/NewCertificate.cer.
  2. As root, navigate to /opt/rapid7/collector/jre/bin/keytool.
  3. Run the Keytool command, ./keytool -importcert -alias NAME_HERE -keystore /opt/rapid7/collector/jre/lib/security/cacerts -file /tmp/NewCertificate.cer. You can set the alias name to something easy to identify, if you ever need to replace or remove this certificate.
  4. Press Enter. You will be prompted for a password.
  5. Enter changeit. Your certificate will be displayed.
  6. Enter Yes to trust this certificate.
  7. Once your certificate has been added to the Keystore, restart the collector service.
  8. Stop and start your event source within InsightIDR to confirm if you still see the error message.

Unknown host exception

If you receive the error message UnknownHostException, it means that the hostname entered is incorrect. This could be because the hostname may not be valid or the hostname was entered incorrectly.

To resolve this issue, run the nslookup CONSOLE_HOSTNAME command from the collector host.

To test if the resolution was successful, verify that you received the IP address of the Security Console. If you do not receive the IP address of the Security Console, then the issue might lie with the DNS server the collector is using, or there might not be a DNS record for the Security Console, in which case, a record must be created.

Alternatively, the IP address of the Security Console can be used during event source configuration, provided that it is assigned a static IP address.