Versions Compared

Old Version 20

changes.mady.by.user Sarah Bigault

Saved on

compared with

New Version 21

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

Data source

Description

Dump type

Devo data tables

Scans

History of processes by which the application discovers network assets and checks them for vulnerabilities.

Full dump

vuln.rapid7.insightvm.scans

Assets

Device/s on a network discovered during a scan.

Full dump

vuln.rapid7.insightvm.assets

Sites

Collection of assets that are targeted for a scan.

Full dump

vuln.rapid7.insightvm.sites

Vulnerabilities

Reported vulnerabilities found during a scan.

New events

vuln.rapid7.insightvm.vulnerabilities

...

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for use when running the Rapid7 InsightVM collector:

Code Block
<any_directory>
└── devo-collectors/
    └── rapid7_insightvm/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/ 
            └── config-insightvm.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <any directory>/devo-collectors/rapid7_insightvm/certs. Learn more about security credentials in Devo here.

Editing the config-insightvm.yaml file

In the config-insightvm.yaml file, replace the <short_unique_identifier>, <user>, <password>, <server>, and <port> values with the proper ones.

Code Block
globals:
  debug: false
  id: not_used
  name: rapid7_insightvm
  persistence:
    type: filesystem                                               # File system persistence ON
    config:
      directory_name: state                                        # Directory where the persistence will be saved in case of using filesystem
outputs:
  devo_1:                                                          # Cloud Devo config EU (for US use collector-us.devo.io)
    type: devo_platform                                            
    config:
      address: collector-us.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: your_domain.crt
      key: your_domain.key
inputs:
  rapid7:
    id: <short_unique_identifier>                                  # The value of this field will be used internally for having independent persistence areas
    enabled: true
    requests_per_second: 5                                         # Setup how many request API por second
    credentials:
      user: <user>                                                 # InsightVM on-premises user used to retrieve the data
      password: <password>                                         # InsightVM on-premises user's password
    server: <server_ip or name>                                    # InsightVM on-premises server ip or name
    port: <insightvm port, default 3780>                           # InsightVM on-premises server port
    services:                                                      # Services available for this collector are vulnerabilities, assets, sites and scans
      vulnerabilities:
        request_period_in_seconds: 60                              # Setting up time interval between API requests. 60 sec is recommended for vulnerabilities. 86400 or more for the other services.
        page_size: 100                                             # OPTIONAL, retrieving pagination size, only used to improve performance
        custom_tag: "my.app.insightvm.vulnerabilities"            # OPTIONAL, devo custom tag
      assets:
        request_period_in_seconds: 86400
        page_size: 100
        custom_tag: "my.app.insightvm.assets"
      sites:
        request_period_in_seconds: 86400
        page_size: 100
        custom_tag: "my.app.insightvm.sites"
      scans:
        request_period_in_seconds: 86400
        page_size: 100
        custom_tag: "my.app.insightvm.scans"
Note

Optional fields

  • custom_tag:Used to send retrieved data to a custom table (my.app). Use it only if you want to define your own synthesis, or send data to a custom parser. If this field is not present, events are sent to the default tables vuln.rapid7.insightvm.<>

  • page_size: Size of the batch that is retrieved in every iteration of the collector. Use it if you need to improve your bandwidth usage.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-rapid7_insigthvm_collector_if-docker-image-1.35.0

cc9bf1bc5d29c722d194a2c583ce143b69aba3e90208ea1072b3a9c120304f6d8a8f10bac8c3a17ba209f614701804c31e333612a1080920564ddcbb808d3845

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Info

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <version> with a proper value.

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/rapid7_insightvm/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <version> with a proper value.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Change

...

log

Release

Released on

Release type

Details

Recommendations

v1.4.0

Sept 12, 2023

Status
colourGreen
titleIMPROVEMENT

Improvements:

  • Upgraded DCSDK from 1.4.3 to 1.9.2

    • Upgrade internal dependencies

    • Store lookup instances into DevoSender to avoid creation of new instances for the same lookup

    • Ensure service_config is a dict into templates

    • Ensure special characters are properly sent to the platform

    • Changed log level to some messages from info to debug

    • Changed some wrong log messages

    • Upgraded some internal dependencies

    • Changed queue passed to setup instance constructor

    • New “templates” functionality

    • Functionality for detecting some system signals for starting the controlled stopping

    • Input objects sends again the internal messages to devo.collectors.out table

    • Upgraded DevoSDK to version 3.6.4 to fix a bug related to a connection loss with Devo

    • Refactored source code structure

    • Changed way of executing the controlled stopping

    • Minimized probabilities of suffering a DevoSDK bug related to “sender” to be null

    • Ability to validate collector setup and exit without pulling any data

    • Ability to store in the persistence the messages that couldn’t be sent after the collector stopped

    • Ability to send messages from the persistence when the collector starts and before the puller begins working

    • Ensure special characters are properly sent to the platform

    • Added a lock to enhance sender object

    • Added new class attrs to the setstate and getstate queue methods

    • Fix sending attribute value to the setstate and getstate queue methods

    • Added log traces when queues are full and have to wait

    • Added log traces of queues time waiting every minute in debug mode

    • Added method to calculate queue size in bytes

    • Block incoming events in queues when there are no space left

    • Send telemetry events to Devo platform

    • Upgraded internal Python dependency Redis to v4.5.4

    • Upgraded internal Python dependency DevoSDK to v5.1.3

    • Fixed obfuscation not working when messages are sent from templates

    • New method to figure out if a puller thread is stopping

    • Upgraded internal Python dependency DevoSDK to v5.0.6

    • Improved logging on messages/bytes sent to Devo platform

    • Fixed wrong bytes size calculation for queues

    • New functionality to count bytes sent to Devo Platform (shown in console log)

    • Upgraded internal Python dependency DevoSDK to v5.0.4

    • Fixed bug in persistence management process, related to persistence reset

    • Aligned source code typing to be aligned with Python 3.9.x

    • Inject environment property from user config

    • Obfuscation service can be now configured from user config and module definition

    • Obfuscation service can now obfuscate items inside arrays

    • Ensure special characters are properly sent to the platform

    • Changed log level to some messages from info to debug

    • Changed some wrong log messages

    • Upgraded some internal dependencies

    • Changed queue passed to setup instance constructor

Recommended version

v1.3.0

Oct 31,2022

Status
colourGreen
titleIMPROVEMENT

Improvements:

  • Events persistence improved and moved event sending to batch processing

  • Devo Collector SDK version has been updated from 1.4.2 to 1.4.3

    • Added log traces for knowing the execution environment status (debug mode)

    • Fixes in the current puller template version

Recommended version

v1.2.0

Status
colourGreen
titleIMPROVEMENT

Improvements:

  • Upgraded underlay IFC SDK v1.3.0 to v1.4.2.

  • Updated the underlying DevoSDK package to v3.6.4 and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.

  • Support for stopping the collector when a GRACEFULL_SHUTDOWN system signal is received.

  • Re-enabled the logging to devo.collector.out for Input threads.

  • Improved self-kill functionality behavior.

  • Added more details in log traces.

  • Added log traces for knowing system memory usage.

Upgrade

...