Exploitable Data Scenario Rule Conditions

This topic describes the conditions that you can use to create rules and the default rules provided for the exploitable data scenarios.

Exploitable data includes the following scenarios:

Exploitable data includes the following scenarios:
Open ports
Email security
Certificate issues
SSL issues
Exposed services
Vulnerabilities

Each scenario has its own conditions and default rules.

Open ports

Open ports - conditions The following table describes the conditions you can use to create rules for the open ports scenario.

Feature	Operator	Values	Description
Detection algorithm	identified/did not identify	A company IP address with open ports	Did the Rapid7 internal algorithm identify a problematic open port that should be closed?
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
IP address	in/not in	IP address list	Which IP addresses should be searched for open ports? Some IP addresses are more important than others.
Open port number	in/not in	Port list/Port range	Which port numbers should be checked for being open?
Protocol name	in/not in	Protocol list	Does the identified protocol type match a selected protocol?

Open ports - default rule

The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
Open Ports - Default Detection Rule	A problematic open port on a company IP address was detected by the internal detection algorithm	Enabled

Email security

Email security - conditions The following table describes the conditions you can use to create rules for the email security scenario.

Feature	Operator	Values	Description
Detection algorithm	identified/did not identify	A problem in a DMARC/SPF record	Did the Rapid7 internal algorithm identify a problem with email security?
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
Domain	in/not in	"Domain name list"	Is the problem found on a domain from a configured list of domains?
Failed tests	in/not in	Dropdown	Did the domain fail a specific test?

Email security - default rule

The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
Email Security Validation - Default Detection Rule	A server with DMARC/SPF problem was detected by the internal Rapid7 detection algorithm.	Enabled

Certificate issues

Certificate issues - conditions The following table describes the conditions you can use to create rules for the certificate issues scenario.

Feature	Operator	Values	Description
Detection algorithm	identified/did not identify	A problem in an SSL certificate	Did the Rapid7 internal algorithm identify a problem with an SSL certificate?
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
Certificate days until expiration	=, !=, >=, <=, >, <		Does the certificate expire within a specified time?
Certificate status	in/not in	dropdown	Did the certificate scan fail specified tests? Or is it valid?
Issuer	is/is not	"Named"	Was the certificate issued by a specific issuer/self-signed?
Linked domains	in/not in	"Domain name"	Is the affected domain in a list of domains?
Matched asset	in/not in	Domains	Does the threat contain a matched Domain asset?
Matched asset	in/not in	Login pages	Does the threat contain a matched Login page asset?

Certificate issue - default rule The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
Certificate Issues - Default Detection Rule	A company certificate with a problem was detected by the internal Rapid7 detection algorithm.	Disabled

SSL issues

SSL issues - conditions The following table describes the conditions you can use to create rules for the SSL issues scenario.

Feature	Operator	Values	Description
Detection algorithm	identified/did not identify	a server with SSL issues	Did the Rapid7 internal algorithm identify a server with SSL issues?
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
Detected issue types	in/not in	dropdown	Did the domain scan detect specific types of issues?
Detected issues	in/not in	dropdown	Did the domain scan fail specific issues?
IP address	in/not in	"IP list"	Is the IP address in a list of IP addresses?
Linked domain	in/not in	"Domain name"	Is the domain in a list of domains?
Linked domain	contains/doesn't contain	"valid website"	Do any of the domains linked to the server host websites?
Matched asset	in/not in	Domains	Does the threat contain a matched Domain asset?
Matched asset	in/not in	Login pages	Does the threat contain a matched Login page asset?

SSL issues - default rule

The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
SSL Issues - Default Detection Rule	The following conditions were all detected by the internal Rapid7 detection algorithm:- A company server has an SSL problem. - The server IP address was updated in the past 14 days.- In the most recent scan, at least one linked domain hosts a website.	Disabled

Exposed services

Exposed services - conditions The following table describes the conditions you can use to create rules for the exposed services scenario.

Feature	Operator	Values	Description
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
Months since page was last updated	=, !=, >=, <=, >, <		Was the page last updated in a specific month?
Page	contains/does not contain	"Contact support options"	Does the page contain words that can indicate an option to contact a support team, such as "chat,", "contact us," etc.? Contact availability usually indicates a public website.
Page	contains/does not contain	"Indication of limited access options"	Does the page contain words that can indicate that access to the page is restricted or limited, such as "'authorized users only," "sign in," etc.?
Page	contains/does not contain	"Registration options"	Does the page contains words that can indicate registration options such as "subscribe," "sign-up," etc.? The presence of registration options usually indicates a public website.
Page	contains/does not contain	"Login options"	Does the page contain words that indicate it has login options, such as "forgot password", etc.?
Page	contains/does not contain	"Promotional content"	Does the page contain words that can indicate that the content of the page is promotional, such as "free trial" etc.?
Page	contains/does not contain	"Social media links"	Does the page contain links to official social media pages such as Facebook, Twitter, etc.?
Page	contains/does not contain	"Ads"	Does the page contain links to advertisements?
Page	is/is not	"Monitored by Google Analytics"	Is the page monitored by analytic tools, such as Google Analytics?
Page	is/is not	"A login page"	Does the page have a login form?
Page type	in/not in	"Choose page type"	Does the page type match a selected page type?
Page URL	contains/does not contain	"indication of development system/development environment/ internal platform/internal service"	Does the page URL contain an indication of a development system/development environment/ internal platform/ internal service, such as Jira, Dev, etc.?
Page URL	contains/does not contain	"regex list"	Does the page URL contain a specific pattern (can be expressed as a regular expression)?
Years since copyright date	=, !=, >=, <=, >, <		Is the page copyright from a specific year?

Exposed services - default rule The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
Exposed Services - Default Detection Rule	An exposed internal service was detected by the internal Rapid7 detection algorithm.	Enabled

Vulnerabilities

Vulnerabilities - conditions The following table describes the conditions you can use to create rules for the Vulnerabilities scenario.

Condition	Operators	Values	Description
Asset tags	in/not in	Select tags	Are any of the threat's matched assets tagged with any of the specified tags?
CVE ID	in/not in	Select a CVE value	Does the CVE ID match a selected number? Use this to follow a specific CVE.
CVSS score	in/not in	Select a CVSS rating	Does a CVE match the selected CVSS score (Critical, High, Medium, Low, None)? You can use to assign a different alert severity than the current CVSS score.
Exploit	is/is not	Select Yes (explot is available) or No (no exploit available)	Does the CVE have an available exploit?
Rapid7 score	in/not in		Does a CVE match the Rapid7 score (Critical, High, Medium, Low)? You can use to assign a different alert severity than the current Rapid7 CVE score.
NVD days since published	=, !=, >=, <=, >, <		Was the CVE was published on a certain date. Your VRA probably contains many CVEs, and you may only want to create alerts for new ones. You can set this value to <=1, so only new CVEs will be elevated to alerts.
Product	in/not in	Select a product	Does the product of the CVE match the specified products. For example, only create alerts on products that are most critical to your operations.

Vulnerabilities - default rule The following table lists the rules that are provided to get you started quickly.

Rule name	Description of match	Default state
Vulnerabilities - Default Detection Rule	A vulnerability was detected by the internal Rapid7 detection algorithm.	Enabled

For more information about using the Alert Profiler for vulnerabilities, see Vulnerability Alerts.

Did this page help you?

Automation

Phishing Scenario Rule Conditions

Automation

Public Repositories Scenario Rule Conditions