InsightVM Technology Add-On for Splunk

The InsightVM Technology Add-On for Splunk allows you to import InsightVM asset and vulnerability data into your Splunk environment and view that data with the companion InsightVM Dashboard. For InsightVM customers, these new Splunk import and visualization tools functionally replace the older Nexpose Technology Add-On and Nexpose Dashboard.

The new InsightVM edition of this add-on differs from its predecessor in the following ways:

  • Leverages the Rapid7 Insight Cloud to pull asset and vulnerability data
    InsightVM add-on: Yes. The InsightVM add-on pulls data from the Insight Cloud and does not impact the on-premises Security Console.
    Nexpose add-on: No. The Nexpose add-on pulls all data from the Security Console using SQL reports.

  • Includes Site, Tag, and Asset Group details for imported assets
    InsightVM add-on: Yes. The asset import includes Sites and Tags; however, Asset Groups are not currently included. Any sites associated with an asset appear under the tags key.
    Nexpose add-on: No. The Nexpose add-on only includes a list of tag names for imported assets.

  • Only imports new data as inputs are run
    InsightVM add-on: Yes. Each time the input runs, the InsightVM add-on imports only the assets and vulnerabilities of recently scanned devices. This reduces the amount of data stored in Splunk and makes that data more actionable.
    Nexpose add-on: The Nexpose add-on imports data based on any new scans identified for the sites in scope. Since all vulnerabilities are imported for the assets identified in new scans, there is no way to distinguish between a new, existing, or remediated vulnerability.

  • Provides the ability to filter assets and vulnerabilities within scope
    InsightVM add-on: Yes. The InsightVM add-on supports the same asset and vulnerability filters available in the Query Builder, and you can define them in the input configuration to reduce the scope of the data being imported.
    Nexpose add-on: It is possible to filter by site IDs with the Nexpose add-on, but no other filtering is supported.

  • Imports historical data when run for the first time
    InsightVM add-on: Yes. The InsightVM add-on imports 90 days of historical data the first time the input runs. All subsequent imports include only data from assets and vulnerabilities that have been scanned since.
    Nexpose add-on: Yes.

  • Vulnerability finding imports include remediation status on a device
    InsightVM add-on: Yes. The InsightVM add-on imports a vulnerability finding with finding_status = remediated as remediation takes place. All new vulnerability findings are imported with finding_status = new.
    Nexpose add-on: No.

Installation

You can install the add-on as an app using the Splunk UI:

  1. From the Apps menu in Splunk, select Manage Apps.
  2. Select Browse More Apps.
  3. Search for the "Rapid7 InsightVM Technology Add-On".
  4. Select Install from the app listing.
  5. When prompted, restart Splunk to finish.

Configuration

You must configure two components in the add-on before you can use it:

  • The connection
  • One or more inputs

Connection

The connection requires an API key for connecting to and retrieving data from InsightVM. The add-on allows you to create multiple connections if you want to use different connections across different inputs.

If you need to generate a new API key for a connection, follow these steps:

  1. Sign in to the Insight Platform.
  2. Select the gear icon in the top menu and click API Keys.
  3. Select Organization Key.
  4. Select + New Key.
  5. Enter a name for the key and click Generate.
  6. Copy and store the generated key in a secure location. An Organization key grants API access to your organization's InsightVM data, so treat it as a credential: do not commit it to source control or paste it into tickets, and limit who can view the add-on's configuration in Splunk.

After you have an API key, follow these steps to configure the InsightVM connection in Splunk.

  1. Navigate to the Rapid7 InsightVM Technology Add-On available under the Apps menu in Splunk.
  2. Select Configuration.
  3. Select Add.
  4. Enter a name for the connection.
  5. Enter your region, which is a two-character string based on your location (such as us).
  6. Enter your generated API key.
  7. Click Add.

Inputs

The add-on uses inputs to configure the import of asset and vulnerability data from InsightVM. These inputs allow you to further filter the data that Splunk retrieves and ingests.

There are two inputs available for configuration:

  • InsightVM Asset Import - Imports asset and optional vulnerability finding data.
  • InsightVM Vulnerability Definition Import - Imports vulnerability definitions.

To create a new input, navigate to the add-on menu and click Inputs > Create New Input and select the one you want to configure.

InsightVM Asset Import

Customizable fields for the InsightVM Asset Import input are as follows:

Field | Description
Name | The name of the input as it will appear in Splunk.
Interval | How often, in seconds, the add-on imports InsightVM data. The default is 3600 (once per hour); running this input more frequently than hourly is not recommended.
Index | Your preferred Splunk index for the data. The default is rapid7. The add-on does not create this index, so you must create a rapid7 index in Splunk yourself if you choose to use the default.
InsightVM Connection | The InsightVM connection, created per the instructions in the Connection section above.
Asset Filter | A query for filtering the assets that the add-on imports.
Import Vulnerabilities | When enabled, the add-on imports vulnerability findings into Splunk in addition to assets.
Vulnerability Filter | A query for filtering the vulnerability findings that the add-on imports.

Example asset filters

The following queries are examples of what you can set for the Asset Filter field:

  • sites IN [site-name]
  • tags IN [tag-name]
  • os_family = Windows

Example vulnerability filters

In similar fashion, these queries are examples for the Vulnerability Filter field:

  • cvss_v2_score > 6
  • severity = Critical

InsightVM Vulnerability Definition Import

The add-on uses this input to import vulnerability definitions from InsightVM. You can use this data to correlate with vulnerability findings (if you elect to import those) as well. Importing vulnerability definitions is not required for visualizing asset findings in your environment, but it does provide additional details about the vulnerabilities.

Only import vulnerability definitions if you need them

If vulnerability definition details are not necessary, we do not recommend that you enable this input as it will ingest a large amount of data each time the input is run.

Customizable fields for the InsightVM Vulnerability Definition Import input are as follows:

Field | Description
Name | The name of the input as it will appear in Splunk.
Interval | How often, in seconds, the add-on imports InsightVM data. For this input the default is 86400 (once per day), and running it more frequently than daily is not recommended because every run re-imports all definitions.
Index | Your preferred Splunk index for the data. The default is rapid7. The add-on does not create this index, so you must create a rapid7 index in Splunk yourself if you choose to use the default.
InsightVM Connection | The InsightVM connection, created per the instructions in the Connection section above.
Vulnerability Filter | A query for filtering the vulnerability definitions that the add-on imports.

Imported Data

The following tables indicate imported data fields and contain example data for each.

Asset Sourcetype

Field Name | Example Data
assessed_for_policies | false
assessed_for_vulnerabilities | true
critical_vulnerabilities | 5
exploits | 12
host_name | hostname-1
id | 234574486-34a7-40a3-0923-28bd0b5cc90e-default-asset-100
ip | 127.0.0.1
last_scan_end | 2020-06-23T17:45:59.963Z
last_scan_start | 2020-06-23T16:38:00.963Z
mac | 00:1B:44:11:3A:B7
malware_kits | 1
moderate_vulnerabilities | 8
os_description | Microsoft Windows Server 2008 R2, Enterprise Edition SP1
os_family | Windows
os_name | Windows Server 2008 R2, Enterprise Edition
os_system_name | Microsoft Windows
os_type | General
os_vendor | Microsoft
os_version | SP1
risk_score | 5000
severe_vulnerabilities | 4
tags | "name": "us-austin", "type": "SITE"
total_vulnerabilities | 17

Asset Vulnerability Finding Sourcetype

Field Name | Example Data
first_found | 2020-04-15T02:38:41Z
last_found | 2020-06-23T20:40:51.981Z
port | 3389
proof | Negotiated with the following insecure cipher suites: TLS 1.0 ciphers: TLS_RSA_WITH_RC4_128_SHA
protocol | TCP
solution_fix | [Solution details]
solution_id | ssl-disable-rc4-ciphers
solution_summary | Disable TLS/SSL support for RC4 ciphers
solution_type | WORKAROUND
status | VULNERABLE_EXPL
vulnerability_id | rc4-cve-2013-2566
finding_status | found
asset_id | 234574486-34a7-40a3-0923-28bd0b5cc90e-default-asset-100
asset_hostname | hostname-1
asset_ip | 127.0.0.1

Vulnerability Definition Sourcetype

Field Name | Example Data
added | 2018-05-16T00:00:00Z
categories | 7-Zip,Remote Execution
cves | CVE-2016-2334
cvss_v2_access_complexity | medium
cvss_v2_access_vector | network
cvss_v2_authentication | none
cvss_v2_availability_impact | complete
cvss_v2_confidentiality_impact | complete
cvss_v2_exploit_score | 8.5888
cvss_v2_impact_score | 10.000845
cvss_v2_integrity_impact | complete
cvss_v2_score | 9.3
cvss_v2_vector | AV:N/AC:M/Au:N/C:C/I:C/A:C
cvss_v3_attack_complexity | low
cvss_v3_attack_vector | local
cvss_v3_availability_impact | high
cvss_v3_confidentiality_impact | high
cvss_v3_exploit_score | 1.8345766
cvss_v3_impact_score | 5.873119
cvss_v3_integrity_impact | high
cvss_v3_privileges_required | none
cvss_v3_scope | unchanged
cvss_v3_score | 7.8
cvss_v3_user_interaction | required
cvss_v3_vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
denial_of_service | false
description | Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZlibFile method in 7zip before 16.00 and p7zip allows remote attackers to execute arbitrary code via a crafted HFS+ image.
id | 7-zip-cve-2016-2334
links | [{"href": "http://www.securityfocus.com/bid/90531", "id": "90531", "rel": "advisory", "source": "bid"}]
modified | 2018-06-08T00:00:00Z
pci_cvss_score | 9.3
pci_fail | true
pci_severity_score | 5
pci_status | fail
published | 2016-12-13T00:00:00Z
references | bid:90531,cve:CVE-2016-2334,url:http://www.securitytracker.com/id/1035876
risk_score | 598.07
severity | critical
severity_score | 9
title | 7-Zip: CVE-2016-2334: Heap-based buffer overflow vulnerability

The Vulnerability Definition sourcetype is not currently used by the InsightVM Dashboard, but the imported data is made available to supplement the asset vulnerability findings imported with the Asset Import input.

Data duplication for vulnerability definitions

Vulnerability definitions change infrequently, but this input re-imports every definition on each run, so the index accumulates duplicate copies of the same definition over time. When correlating findings with definitions, deduplicate on the id field and keep the most recently imported copy (the one with the latest modified value).

Visualizing Data

The InsightVM Dashboard for Splunk serves as a starting point for visualizing data imported with the add-on. There are two dashboards included:

  • The InsightVM Assets dashboard used for visualizing asset details
  • The InsightVM Vulnerability Findings dashboard used for visualizing details of vulnerability instances found within assets.

The Rapid7 InsightVM Dashboard features several customization options and you can install it as an app in the same way as the add-on.

Asset Dashboard in Splunk

Vulnerability Findings Dashboard in Splunk

Index and time periods must be set

Note the selected index and time period in these dashboards. Data may not appear if these filter settings are not set correctly.

FAQs

Is there a migration path from the Nexpose Technology Add-On to this new Add-On for InsightVM?

No. Due to the differences in how each add-on retrieves data and the content that is stored, there is not a migration path from the legacy Nexpose Technology Add-On to the InsightVM Technology Add-On. However, both add-ons can be used at once so it is possible to continue using the Nexpose Technology Add-On until you are ready to fully disable it.

Why am I not seeing any data in my add-on/dashboard?

Check the selected index and time period for filtering data. These often need to be adjusted to filter correctly for assets and vulnerabilities. In addition, if the default rapid7 index was used for the inputs, make sure this index has already been created.

Does the Asset Import input import all assets each time it runs?

No. When the asset import is run for the very first time, it defaults to importing assets that were scanned within the past 90 days. After that, all subsequent imports will only pull in assets that have been newly scanned since the last import occurred. In other words, if the last import of data occurred on June 5th at 12:00 PM, then only assets that have been scanned between then and now will be imported.

Does the Vulnerability Definition Import input import all definitions each time it runs?

Yes, all vulnerability definitions will be imported each time it is run. For this reason, we recommend running this import at a maximum of once per day.

How do I know if a vulnerability is new as opposed to remediated?

Check the finding_status field of a vulnerability finding to determine whether it's new, remediated, or unchanged. The new and remediated statuses indicate new and remediated vulnerabilities respectively, while the found status indicates a previously found, unchanged vulnerability finding.

Can I identify whether a vulnerability has been remediated?

Yes, all vulnerability findings will have a finding_status when the add-on imports them into Splunk. If a vulnerability is remediated, the add-on imports it as a new event with a finding_status of remediated.
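The two answers above, together with the note on duplicated vulnerability definitions, describe one processing rule: the latest event per (asset_id, vulnerability_id) decides whether a finding is still open, and definitions are deduplicated on id before they are joined in. The following Python is an added example that implements that rule over constructed events; it is not the add-on's code and not the InsightVM Dashboard's search logic. It assumes each event carries an import timestamp (named imported_at here, standing in for Splunk's _time), and the sample findings and definitions are made up to exercise the new / found / remediated transitions and the duplicate-definition case.

```python
"""Resolve current open findings from InsightVM add-on events (added example,
not Rapid7 code). Field names follow the documented sourcetypes; the
imported_at timestamp is an assumption standing in for Splunk's _time."""
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# finding_status values that mean the vulnerability is still present
OPEN_STATUSES = {"new", "found"}


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamps used in the imported data."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_by_key(events: Iterable[Dict], key_fields: Tuple[str, ...], ts_field: str) -> Dict:
    """Keep only the most recent event for each key (like Splunk 'dedup' after sorting)."""
    latest: Dict = {}
    for event in events:
        key = tuple(event[f] for f in key_fields)
        if key not in latest or parse_ts(event[ts_field]) > parse_ts(latest[key][ts_field]):
            latest[key] = event
    return latest


def current_open_findings(findings: Iterable[Dict]) -> List[Dict]:
    """A finding is open if its newest event is 'new' or 'found'; a later 'new'
    after a 'remediated' means the vulnerability came back and is open again."""
    latest = latest_by_key(findings, ("asset_id", "vulnerability_id"), "imported_at")
    return [e for e in latest.values() if e["finding_status"] in OPEN_STATUSES]


def dedupe_definitions(definitions: Iterable[Dict]) -> Dict[str, Dict]:
    """Collapse the duplicate definition copies the daily import produces."""
    return {k[0]: v for k, v in latest_by_key(definitions, ("id",), "modified").items()}


def open_findings_report(findings: Iterable[Dict], definitions: Iterable[Dict]) -> List[Dict]:
    """Open findings enriched with severity/title from the deduplicated definitions."""
    defs = dedupe_definitions(definitions)
    report = []
    for f in current_open_findings(findings):
        d = defs.get(f["vulnerability_id"], {})
        report.append({
            "asset_id": f["asset_id"],
            "vulnerability_id": f["vulnerability_id"],
            "finding_status": f["finding_status"],
            "severity": d.get("severity", "unknown"),
            "title": d.get("title", "unknown"),
        })
    return sorted(report, key=lambda r: (r["asset_id"], r["vulnerability_id"]))


# Constructed sample events (not real scan data).
SAMPLE_FINDINGS = [
    {"asset_id": "asset-100", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "new", "imported_at": "2020-06-01T08:00:00Z"},
    {"asset_id": "asset-100", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "found", "imported_at": "2020-06-10T08:00:00Z"},
    {"asset_id": "asset-100", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "remediated", "imported_at": "2020-06-23T08:00:00Z"},
    {"asset_id": "asset-100", "vulnerability_id": "7-zip-cve-2016-2334", "finding_status": "new", "imported_at": "2020-06-20T08:00:00Z"},
    {"asset_id": "asset-200", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "found", "imported_at": "2020-06-15T08:00:00Z"},
    {"asset_id": "asset-200", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "remediated", "imported_at": "2020-06-18T08:00:00Z"},
    {"asset_id": "asset-200", "vulnerability_id": "rc4-cve-2013-2566", "finding_status": "new", "imported_at": "2020-06-22T08:00:00Z"},
]

# Two daily imports of the same definitions: one identical copy, one revised copy.
SAMPLE_DEFINITIONS = [
    {"id": "7-zip-cve-2016-2334", "modified": "2018-06-08T00:00:00Z", "severity": "critical", "title": "7-Zip: CVE-2016-2334: Heap-based buffer overflow vulnerability"},
    {"id": "7-zip-cve-2016-2334", "modified": "2018-06-08T00:00:00Z", "severity": "critical", "title": "7-Zip: CVE-2016-2334: Heap-based buffer overflow vulnerability"},
    {"id": "rc4-cve-2013-2566", "modified": "2018-01-01T00:00:00Z", "severity": "moderate", "title": "TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)"},
    {"id": "rc4-cve-2013-2566", "modified": "2019-03-01T00:00:00Z", "severity": "severe", "title": "TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)"},
]

if __name__ == "__main__":
    for row in open_findings_report(SAMPLE_FINDINGS, SAMPLE_DEFINITIONS):
        print(row)
```

In the sample, asset-100's RC4 finding ends in remediated and drops out, while asset-200's RC4 finding is reported open because a new event was imported after its remediated event; the RC4 definition is taken from the copy with the later modified date.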

Can the add-on import all data every time an input runs?

No. The add-on currently imports only data for assets that have been scanned since the last time the input ran. Internally, the add-on tracks the time of the last successful run and advances that checkpoint only when a run completes without errors, so a failed run is retried over the same window on the next run instead of silently skipping the data it should have imported.
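The answers on first-run history, incremental imports and the success-only checkpoint describe one scheduling rule. The Python below is an added example that models it with constructed asset records; it is not the add-on's implementation, and the checkpoint is held in memory rather than in Splunk. The fetch callable stands in for the Insight Cloud request and is made to fail once so the checkpoint behaviour is visible.

```python
"""Model of the add-on's incremental import window (added example, not
Rapid7 code). Asset records and the failing fetch are constructed."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

INITIAL_LOOKBACK = timedelta(days=90)  # first run: assets scanned in the last 90 days


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamps the add-on emits (e.g. last_scan_end)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def import_window(checkpoint: Optional[datetime], now: datetime) -> Tuple[datetime, datetime]:
    """No checkpoint means a first run, which looks back 90 days; otherwise
    the window starts where the last successful run ended."""
    since = checkpoint if checkpoint is not None else now - INITIAL_LOOKBACK
    return since, now


def select_assets(assets: List[Dict], since: datetime, until: datetime) -> List[Dict]:
    """Keep only assets whose last scan finished inside (since, until]."""
    return [a for a in assets if since < parse_ts(a["last_scan_end"]) <= until]


def run_import(checkpoint: Optional[datetime], now: datetime,
               fetch: Callable[[datetime, datetime], List[Dict]]):
    """One scheduled run. The checkpoint advances only when fetch succeeds,
    so a failed run is retried over the same window next time."""
    since, until = import_window(checkpoint, now)
    try:
        imported = fetch(since, until)
    except Exception as exc:  # any API/transport error: keep the old checkpoint
        return checkpoint, [], f"error: {exc}"
    return until, imported, "ok"


def make_fetch(assets: List[Dict], fail_on_call: Optional[int] = None):
    """Simulated Insight Cloud fetch that raises on one chosen call."""
    calls = {"n": 0}

    def fetch(since: datetime, until: datetime) -> List[Dict]:
        calls["n"] += 1
        if calls["n"] == fail_on_call:
            raise RuntimeError("simulated Insight Cloud outage")
        return select_assets(assets, since, until)

    return fetch


# Constructed asset records (only the fields the window logic needs).
SAMPLE_ASSETS = [
    {"id": "asset-1", "last_scan_end": "2020-06-01T10:00:00.000Z"},  # inside first 90-day window
    {"id": "asset-2", "last_scan_end": "2020-02-01T10:00:00.000Z"},  # older than 90 days: never imported
    {"id": "asset-3", "last_scan_end": "2020-06-05T14:00:00.000Z"},  # scanned after run 1
]


def simulate() -> List[Tuple[str, List[str], Optional[str]]]:
    """Three hourly-style runs on successive days; run 2 fails. Returns
    (status, imported asset ids, checkpoint) per run."""
    fetch = make_fetch(SAMPLE_ASSETS, fail_on_call=2)
    checkpoint: Optional[datetime] = None
    runs = []
    for now_str in ("2020-06-05T12:00:00Z", "2020-06-06T12:00:00Z", "2020-06-07T12:00:00Z"):
        checkpoint, imported, status = run_import(checkpoint, parse_ts(now_str), fetch)
        runs.append((status, [a["id"] for a in imported],
                     checkpoint.isoformat() if checkpoint else None))
    return runs


if __name__ == "__main__":
    for run in simulate():
        print(run)
```

Run 1 imports only asset-1 (asset-2 is outside the 90-day lookback). Run 2 fails and leaves the checkpoint at run 1's end time. Run 3 therefore covers the whole gap since run 1 and picks up asset-3, which would have been lost had the failed run advanced the checkpoint.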

Troubleshooting

Three log files are available to help debug issues, usually located at <splunk_home>/var/log/splunk/:

  • splunkd.log - Splunk general log
  • ta_rapid7_insightvm_insightvm_asset_import.log - Log for the InsightVM Asset Import input
  • ta_rapid7_insightvm_insightvm_vulnerability_definition_import.log - Log for the InsightVM Vulnerability Definition Import input