InsightVM Integration

Instructions for Integration Between InsightVM & InsightCloudSec

The integration with Rapid7's InsightVM lets InsightCloudSec ingest vulnerability and Common Vulnerabilities and Exposures (CVE) information associated with cloud instances and identify gaps in agent deployment across a company's cloud footprint. The following use cases are possible using the InsightCloudSec/InsightVM integration:

  • Identify cloud assets which do/do not have the InsightVM agent installed
  • Leverage CVEs for added context when defining InsightCloudSec Insights/controls
  • Bot automation based on the presence of specific vulnerabilities
  • Risk Score Analysis

For more information, check out the InsightVM Cloud Integration docs or the main InsightVM documentation.

Prerequisites and Requirements

Before getting started you will need to have the following:

  • An Organization Key from the Insight Platform. An Organization Administrator will need to create this key; more information on this can be found here
  • The region in which your InsightVM Organization is configured
  • In order to delete content you will need to include read + deregistration permissions within your Nexpose console

Integration Configuration in InsightCloudSec

1. To set up this integration navigate to "Administration --> Integrations" (through the cog on the top right) and locate the "InsightVM" tile from your InsightCloudSec platform.

InsightVM Integration

2. Configure the integration as follows:

  • Name: Provide a name for your Integration (Primary is the default)
  • Region: Select your desired region from the drop-down
    • Note: for the US-based regions you can specify a location
  • API Key: Provide your API Key (from your desired InsightVM configuration)
  • Console URL: Provide the URL for the Host console associated with your InsightVM setup
  • Console Username: Provide the username associated with the console you specified
  • Console Password: Provide the password associated with the console you specified

Note: Console access is required to effectively implement the "Delete InsightVM Agent" Bot action.

InsightVM Integration Settings

3. Click "Save" to complete the integration setup.

Using The Integration

Once configured, the integration will harvest vulnerabilities and agent information from your InsightVM platform. Note: the harvest operation runs twice a day to limit the amount of traffic and API calls generated against your platform.

Insight Agents

Only resources with the Insight Agent running will have vulnerability details synchronised with InsightCloudSec.

The following Query Filters are available for configuration within InsightCloudSec once the integration is active:

  • Instance With InsightVM Agent Last Assessment Threshold
  • Instance With InsightVM Agent Configured
  • Instance Without InsightVM Agent Configured
  • Resource InsightVM Risk Score
  • Resource InsightVM Vulnerability Count
  • Resource Vulnerable To Specific Vulnerability (CVE)
  • Resource Vulnerability Wildcard Search

Resources

An "Agent View" option is available when viewing Instances within the Resources interface. Selecting the "InsightVM" option for this displays risk and vulnerability assessment information for each instance instead of resource attributes.

Instance - InsightVM view

If you toggle on the Vulnerability View and open the resource properties for a vulnerable resource, there will be an "InsightVM Vulnerabilities" tab available that enumerates and classifies the vulnerabilities for that resource.

Resource Properties - Vulnerabilities

Using the Delete InsightVM Agent Bot Action

For InsightVM/InsightCloudSec integrations that include access to the console associated with the InsightVM integration, you have the ability to enable a Bot Action called Delete InsightVM Agent.

The purpose of this Bot action is to give InsightCloudSec users a mechanism to force the removal of terminated instances that may be stored within InsightVM (data is retained for 7 days) and to remove an InsightVM agent from its parent installation.

Some other items to note:

  • It is recommended that this action only be used with the Resource Destroyed event.
  • On-demand and scheduled scans will skip instances that are not in a terminating/terminated state.

For general details on working with automation, check out our BotFactory & Automation documentation.

Setting up the Delete InsightVM Agent Bot

1. Navigate to "Automation --> BotFactory"

2. Click "Create Bot" to launch the Bot creation process.

3. Provide a name, description, and category for your Bot and click "Next".

4. Under "Resource Types" select "Instance" (this is the only resource this Bot action applies to), select any applicable badges, select your target cloud account(s), and click "Next".

5. Provide your desired Query Filter (e.g., "Always Match"), then locate and select the "Delete InsightVM Agent" Bot action.

Delete InsightVM Agent Bot Action

6. Under the Run Options we recommend selecting the "Resource Destroyed" option under Reactive.

7. Click "Save" to complete the setup of your Bot.

Jinja2 Reporting

Once data has been imported from InsightVM, you can use Jinja2 templates in your Bot Actions to send detailed reports about your resources and any detected vulnerabilities. More details on the available attributes can be found in the Compute Resources documentation for Instances.

