
Rapid7 InsightVM collector

Service description

Rapid7 is a company that offers multiple tools to help you reduce risk across your entire connected environment, whether that means managing vulnerabilities, monitoring for malicious behavior, investigating and shutting down attacks, or automating your operations.

This collector is focused on one of these tools, InsightVM, which helps us detect security risks in our environment, manage vulnerabilities, and quickly take action.

Data source description

InsightVM works by analyzing "Assets" (devices) grouped in "Sites" with several scan templates and engines from the InsightVM server, retrieving all detected vulnerabilities and giving us a general view of the risks present in our environment. The collector gets this data and sends it to the Devo platform, which categorizes all received information into tables.

InsightVM resources

Listed in the table below are the data provided by InsightVM and how Devo treats the data:

Application name | Details                                                                                                       | Dump type  | Devo data tables
-----------------|---------------------------------------------------------------------------------------------------------------|------------|--------------------------------------
Scans            | History of processes by which the application discovers network assets and checks them for vulnerabilities.   | Full dump  | vuln.rapid7.insightvm.scans
Assets           | Device/s on a network discovered during a scan.                                                               | Full dump  | vuln.rapid7.insightvm.assets
Sites            | Collection of assets that are targeted for a scan.                                                            | Full dump  | vuln.rapid7.insightvm.sites
Vulnerabilities  | Reported vulnerabilities found during a scan.                                                                 | New events | vuln.rapid7.insightvm.vulnerabilities

The Dump type column indicates how the collector retrieves the data in each iteration. This is an important factor to take into account when setting the request_period_in_seconds field later in the configuration file, because a Full dump resource is resent in full on every iteration.

  • Full dump - All available data is retrieved in each iteration.

  • New events - The collector saves its retrieval state so that each iteration only fetches newly detected items.

  • Configurable - There is a field in the configuration file where you can choose the dump type.
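To make the difference between the two retrieval modes concrete, the following is an added illustration (not Devo's collector code and not the InsightVM API): a constructed in-memory stand-in for the server, a hypothetical Collector that treats sites as a Full dump resource and vulnerabilities as a New events resource with a persisted watermark, and a sizing helper that shows why request_period_in_seconds matters for Full dump resources. The class and function names, the sample sites and vulnerability records, and the use of a numeric id as the watermark are all assumptions made for the example.

```python
# Added example: behaviour of "Full dump" vs "New events" across collector
# iterations. FakeInsightVM, Collector and the sample records are constructed
# for illustration and are not part of Devo's or Rapid7's code.
from dataclasses import dataclass, field

SITES_TABLE = "vuln.rapid7.insightvm.sites"
VULNS_TABLE = "vuln.rapid7.insightvm.vulnerabilities"


@dataclass
class FakeInsightVM:
    """Constructed stand-in for the server: sites (full-dump resource) and
    vulnerabilities with a monotonically increasing id (new-events resource)."""
    sites: list = field(default_factory=list)
    vulns: list = field(default_factory=list)

    def list_sites(self):
        return list(self.sites)

    def list_vulns_after(self, last_id):
        # Only records newer than the watermark the collector saved last time
        return [v for v in self.vulns if v["id"] > last_id]


@dataclass
class Collector:
    api: FakeInsightVM
    # Persisted state: in a real collector this survives restarts
    state: dict = field(default_factory=lambda: {"vulnerabilities_last_id": 0})
    # What was sent to each Devo table, accumulated over all iterations
    sent: dict = field(default_factory=lambda: {SITES_TABLE: [], VULNS_TABLE: []})

    def run_iteration(self):
        # Full dump: every available site is resent in every iteration
        sites = self.api.list_sites()
        self.sent[SITES_TABLE].extend(sites)

        # New events: fetch only past the watermark, then advance it
        last_id = self.state["vulnerabilities_last_id"]
        new_vulns = self.api.list_vulns_after(last_id)
        self.sent[VULNS_TABLE].extend(new_vulns)
        if new_vulns:
            self.state["vulnerabilities_last_id"] = max(v["id"] for v in new_vulns)

        return {"sites": len(sites), "vulnerabilities": len(new_vulns)}


def events_per_day(request_period_in_seconds, records_per_iteration):
    """Approximate daily volume a Full dump resource produces: the whole data
    set is resent on every iteration, so a shorter period multiplies volume."""
    iterations = 86400 / request_period_in_seconds
    return int(iterations * records_per_iteration)


def simulate():
    """Three iterations: steady state, steady state, then one new vulnerability."""
    server = FakeInsightVM(
        sites=[{"id": 1, "name": "site-a"}, {"id": 2, "name": "site-b"}],   # constructed
        vulns=[{"id": 10, "title": "vuln-10"}, {"id": 11, "title": "vuln-11"}],
    )
    collector = Collector(server)
    results = [collector.run_iteration(), collector.run_iteration()]
    server.vulns.append({"id": 12, "title": "vuln-12"})  # a newly detected item
    results.append(collector.run_iteration())
    return results, collector


if __name__ == "__main__":
    results, collector = simulate()
    for i, r in enumerate(results, 1):
        print(f"iteration {i}: {r}")
    print("total sites sent:", len(collector.sent[SITES_TABLE]))
    print("total vulnerabilities sent:", len(collector.sent[VULNS_TABLE]))
    print("full dump of 2 sites every 300 s ->", events_per_day(300, 2), "records/day")
```

The sites table receives the same two records on every iteration, while the vulnerabilities table only receives a record once, which is why the period you choose mainly affects the volume of the Full dump resources.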

Setup

The InsightVM data collector works against the on-premises InsightVM server, so the collector must run on a machine with network visibility of that server, and the following ports must be open:

  • InsightVM port (default: 3780)

You will also need a user with the necessary permissions to get the data.
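Before deploying, it is worth confirming from the machine that will host the collector that the InsightVM port is actually reachable. The following is an added preflight check, not part of Devo's or Rapid7's tooling; the default port comes from the text above, while the example host name is a placeholder and the function names are assumptions.

```python
# Added example: preflight TCP reachability check for the InsightVM port
# from the collector host. Host name below is a placeholder.
import socket
import sys

INSIGHTVM_PORT = 3780  # default InsightVM port


def check_tcp_port(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port completes within timeout.
    Name resolution failures and refused/blocked connections both yield False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host, port=INSIGHTVM_PORT, timeout=5.0):
    """Summarize reachability of the InsightVM server for the collector host."""
    reachable = check_tcp_port(host, port, timeout)
    return {
        "host": host,
        "port": port,
        "reachable": reachable,
        "url": f"https://{host}:{port}",  # the address used for the web console
    }


if __name__ == "__main__":
    # Usage: python preflight.py <insightvm_host> [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "insightvm.example.internal"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else INSIGHTVM_PORT
    result = preflight(host, port)
    print(result)
    sys.exit(0 if result["reachable"] else 1)
```

A non-zero exit status means the firewall or routing between the collector host and the server still needs attention before the collector is deployed.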

Setting up user permissions

  1. Open the InsightVM web console in any supported browser (https://{server_ip/server_name}:{InsightVM port}) and log in.

  2. Go to the Administration tab and click Create in the Users box.

  3. Fill in the General tab with the desired values and go to the Roles tab.

  4. Here, you can configure the desired role. It must have at least the following permissions to work properly:

  5. Go to the Site Access and Asset Group Access tabs and make sure that the Allow this user to all sites and Allow this user to all asset groups options are checked.

  6. Save the changes.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).