How InsightVM links assets across sites

To ensure that the Security Console accurately integrates new scan data to your existing unique asset records when necessary, InsightVM Security Consoles that currently have asset linking disabled will now also consider the “Rapid7 Insight Agents'' site for correlation purposes in addition to the site that was used to perform the scan. As of January 13th, 2021, this behavior will automatically apply if you use Insight Agents to perform vulnerability assessments.

Read this article to learn more about how the original asset linking functionality works, what role Insight Agents now play in the correlation process when asset linking is disabled, what you should expect to see based on your pre existing asset linking setting, and how to perform any necessary asset record cleanup.

Linking assets across sites - a history

The original asset linking capability in the Security Console predated the use of Insight Agents for vulnerability assessments when Scan Engines were the sole data collection method. This optional setting was useful if your network and site configuration caused multiple sites to scan the same device. The decision to enable asset linking depended on which of the following scanning and site configuration strategies applied to you:

  • “Integrate the scan data retrieved from all nodes in each of my sites as unique assets” - To achieve this outcome, asset linking would have been disabled. All nodes in a site’s inclusion list would integrate into InsightVM as unique assets. When determining whether new scan data correlates to existing assets, InsightVM would only consider the existing asset records associated with the same site.

For example, this use case is ideal for scanning a chain of retail stores that each have the same network mapping, and as a result, have a very similar set of assets. To ensure that the devices inside each store appear as unique assets in InsightVM after scanning, each store would have its own site dedicated to it for scanning purposes.

  • “Correlate overlapping nodes across my sites to the correct unique asset record in InsightVM - To achieve this outcome, asset linking would have been enabled. If multiple sites ended up scanning the same device on the network, InsightVM would correlate the scan data from each site to the same unique asset record. Asset linking ensured that InsightVM considered all sites when determining whether new scan data correlated to an existing asset.

Enabling asset linking is ideal in cases where your sites are configured based on different asset categories. For example, you could have a site configured to scan the assets in a certain business unit (such as Finance or Human Resources) and another site dedicated to a specific operating system (such as Windows or Linux). In this case, it’s possible that each site could be targeting the same node (such as a Windows workstation in the Finance business unit). Enabling asset linking ensures that the scan data coming from each site will correlate to and integrate as one asset in InsightVM.

What is a "node"?

A "node" is a device on your network that a site was able to scan based on the configuration of the site’s inclusion list. Nodes are not considered assets until the scan data is fully integrated into InsightVM.

How InsightVM determines asset uniqueness

As InsightVM collects scan data from your devices, it uses the following node attributes to determine whether the device matches an existing asset in the Security Console or a new asset altogether:

  • Hostname
  • IP address
  • MAC address
  • One or more UUIDs

InsightVM integrates this attribute data (along with the node’s vulnerability assessment data and any other assessment data type based on your scan template) as a unique asset in your Security Console database. To ensure that this asset remains unique with subsequent scans, InsightVM assigns the asset record an asset ID. This simple identifier allows InsightVM to ultimately distinguish assets from one another and correlate new scan data to the correct asset record if it already exists in the Security Console database.

Where can I see an asset's ID in InsightVM?

Since their function is only related to backend processes, asset IDs are not populated in the InsightVM interface. However, if you’re curious, you can view an asset’s ID by examining the value appended to the devid= portion of the URL in your browser when viewing any asset’s detail page.

InsightVM's use and assignment of asset IDs varies depending on your asset linking setting:

  • If asset linking is disabled, all nodes in each of your sites integrate into InsightVM as unique assets and receive their own asset IDs. Subsequent scans of these devices will correlate to their existing asset record as long as InsightVM has sufficient attribute data to do so. In this case, InsightVM will only consider the existing asset records associated with the same site.
  • If asset linking is enabled, InsightVM compares the incoming attribute data from any node being scanned by any site to the asset records it already has in the database. If matching attribute data is sufficient, it correlates the new scan data to an existing asset record according to the asset’s ID. If InsightVM cannot correlate this attribute data to an existing asset, it will assume that the device is a new unique asset and create a new record for it with its own asset ID.

How the introduction of Insight Agents affected asset linking

When InsightVM began to support Insight Agents as an alternative vulnerability assessment method, all agent-based assets were implemented in the Security Console in their own immutable site called “Rapid7 Insight Agents”. The introduction of this site, along with the likelihood that assets could now be assessed by both Scan Engines and Insight Agents separately, inevitably meant that these sites would experience some node overlap. This condition did not pose an issue as long as asset linking was enabled.

However, this condition did cause Security Consoles with asset linking disabled to produce duplicate asset records for the same device if it was scanned by a traditional Scan Engine and assessed by an Insight Agent. Since the absence of asset linking prevented InsightVM from looking beyond the site that the node was a member of, InsightVM would integrate the data from each assessment method as two unique assets with separate histories, even though they both were for the same device.

The improvement shipped in product version 6.6.59 on January 13th, 2021 addresses this issue.

What should I expect to see when this change takes effect?

As covered earlier, Security Consoles that already had asset linking enabled prior to January 13th, 2021 will see no change in their results. In addition, no configuration adjustment is required going forward.

On the other hand, Security Consoles that had asset linking disabled prior to January 13th, 2021 will now see stale asset records if a device was scanned by a Scan Engine and assessed by an Insight Agent. This is because with product version 6.6.59 onwards, InsightVM will always consider the “Rapid7 Insight Agents” site in addition to the site that performed the scan for correlation purposes, even if asset linking is disabled. This broadening of the correlation pool ensures that InsightVM selects only one of these unique asset records to update going forward. Devices that you both scan with Scan Engines and assess with Insight Agents in the future will also correlate to one asset record in InsightVM.

How to perform asset cleanup

If your Security Console had asset linking disabled prior to this change, you can create a static asset group to clean up the stale, redundant asset records that will no longer be updated going forward:

  1. In InsightVM, expand the Create dropdown on the Home page and click Asset Group.
  2. In the filter selection dropdown, select Last Scan Data and the earlier than operator.
  3. Enter a number of days that corresponds to those assets that have stopped receiving scan data updates now that this change has taken effect.
    • The number you enter here is entirely up you and depends on how frequently you scan your assets. The number that you do enter here should align with the data retention policies that you may have already configured elsewhere in InsightVM.
  4. Click Search to get your list of matching assets.
  5. Make sure the Type option is set to Static.
  6. Name and describe this asset group so you can easily identify it.
  7. Click Save when finished.
  8. Return to the Home page and browse to the Asset Groups table. Click and open the asset group you just created.
  9. In your asset group, browse to the Assets table and check the global box at the top of the check box column to select all records.
  10. Click Delete Assets to remove these stale records from your Security Console.