Rapid7 InsightVM Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.1.1 |
Compatible with ThreatQ Versions | >= 4.35.0 |
Support Tier | ThreatQ Supported |
Introduction
The Rapid7 InsightVM Operation allows a ThreatQ user to execute CVE actions on their Rapid7 InsightVM instance.
The integration allows users to query for CVE details in their Rapid7 InsightVM instance. This action will return information on the vulnerability such as the scores and solutions.
The integration also allows users to query Rapid7 InsightVM to see if any configured sites or assets are vulnerable to a specific CVE. This action will show information on the asset as well as solutions to the vulnerability.
The operation provides the following actions:
- Get Affected Assets - queries Rapid7 InsightVM to determine if you have any assets/sites affected by the specific CVE.
- Query - queries Rapid7 InsightVM to determine what information and scores it has for the vulnerability.
- Add Tag - adds a tag to an existing asset within Rapid7 InsightVM.
- Remove Tag - removes a tag from an existing asset within Rapid7 InsightVM.
The operation is compatible with CVE-type indicators and the Asset custom object type.
This integration requires the use of the Asset system object. See the Prerequisites chapter for more details.
Prerequisites
Review the following requirements before attempting to install or upgrade the operation.
Asset Object
The integration requires the Asset object. The Asset installation files are included with the integration download on the ThreatQ Marketplace. The Asset object must be installed prior to installing the integration.
You do not have to install the Asset object if you are running ThreatQ version 5.10.0 or greater as the object has been seeded as a default system object.
See the Custom Objects topic for steps on how to install the required custom object.
Installation
The operation requires the installation of a custom object before installing the actual operation if you are on ThreatQ version 5.9.0 or earlier. See the Prerequisites chapter for more details. The custom object must be installed prior to installing the operation. Attempting to install the operation without the custom object will cause the operation install process to fail.
The same steps can be used to upgrade the integration to a new version.
Perform the following steps to install the integration:
- Log into https://marketplace.threatq.com/.
- Locate and download the integration zip file.
- Extract the zip file's contents and install the Asset custom object if you are on ThreatQ version 5.9 or earlier.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the integration .whl file using one of the following methods:
  - Drag and drop the .whl file into the dialog box.
  - Select Click to Browse to locate the .whl file on your local machine.
ThreatQ will inform you if the operation already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the operation contains changes to the user configuration. The new user configurations will overwrite the existing ones for the operation and will require user confirmation before proceeding.
The operation is now installed and will be displayed in the ThreatQ UI. You will still need to configure and then enable the operation.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Auto Create Assets | Use the checkbox provided to select whether or not to automatically create and relate asset objects to the CVEs. |
Host URL | The Host or IP of your Rapid7 InsightVM instance including the port. |
Username | Your Rapid7 InsightVM username to use with the API. |
Password | Your Rapid7 InsightVM password associated with the above username. |
Verify SSL | Use the checkbox provided to verify the host's SSL certificate when requesting it. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Get Affected Assets | Queries Rapid7 InsightVM to determine if you have any assets/sites affected by the specific CVE. | Asset, CVE | N/A |
Query | Queries Rapid7 InsightVM to determine what information and scores it has for the vulnerability. | Asset, Indicator | CVE |
Add Tag | Adds a tag to an existing asset within Rapid7 InsightVM. | Asset | N/A |
Remove Tag | Removes a tag from an existing asset within Rapid7 InsightVM. | Asset | N/A |
Get Affected Assets
The Get Affected Assets action allows you to query Rapid7 InsightVM and see if you have any assets/sites affected by the specific CVE.
If there are no assets affected by the vulnerability, you will receive a message saying there are no affected assets.
Result Example
Query
The Query action allows you to query your Rapid7 InsightVM to see what information and scores it has for the vulnerability.
If there are no CVEs found, you will receive a message saying the CVE does not exist in Rapid7 InsightVM.
Query General Result Example
Verdict Result Example
Solution Result Example
Add Tag
The Add Tag action allows you to add a tag to an existing asset within Rapid7 InsightVM.
Action Parameters
ThreatQ provides the following parameters for this Action:
Parameter | Description |
---|---|
Name | Enter a tag name to apply to the given asset. |
Tag Type | Select the type of tag you want this tag to be. This will be ignored if a tag with the same name already exists. |
Remove Tag
The Remove Tag action allows you to remove a tag from an existing asset within Rapid7 InsightVM.
Action Parameters
ThreatQ provides the following parameter for this Action:
Parameter | Description |
---|---|
Name | Enter a tag name to remove from the given asset. |
Change Log
- Version 1.1.1
  - Optimized integration code to improve overall performance and upgraded support tier from Not Supported to ThreatQ Supported.
  - Updated the Prerequisites chapter in this user guide.
- Version 1.1.0
  - Initial Release
PDF Guides
Document | ThreatQ Version |
---|---|
Rapid7 InsightVM Operation Guide v1.1.1 | 4.35.0 or Greater |
Rapid7 InsightVM Operation Guide v1.1.0 | 4.35.0 or Greater |
Rapid7 InsightVM Operation Guide v1.0.0 | 3.6.0 or Greater |