Document toolboxDocument toolbox

Rapid7 InsightVM collector

Overview

Rapid7 is a company that offers multiple tools to help you reduce risk across your entire connected environment. This goes for easily managing vulnerabilities, monitoring for malicious behavior, investigating and shutting down attacks, or just automating your operations. 

This collector is focused on one of these tools, InsightVM, which helps us detect security risks to our environment, manage vulnerabilities, and quickly take action. 

Configuration requirements

To run this collector, there are some configurations detailed below that you need to take into account.

Configuration

Details

Configuration

Details

InsightVM port

You will need to have a collector running machine with the Insights port (default : 3780)

Server and port

You need a server and a port, which take the following form:

https://{server_ip/server_name}:{InsightVM port}

This is typically the address used to sign into the Rapid7 instance.

Permissions

You will need to configure an user with the right permissions to get the data. Refer to the Vendor setup section.

Data sources

InsightVM works by analyzing Assets (Devices) grouped in Sites with several scan templates and engines from the InsightVM server, retrieving all detected vulnerabilities and allowing us to have a general view of the risks that our environment has. The collector gets this data and sends it to the Devo platform, which will categorize all information received on tables.

InsightVM resources

Listed in the table below are the data provided by InsightsVM and how Devo treats the data:

Data source

Description

Dump type

Devo data tables

Scans

History of processes by which the application discovers network assets and checks them for vulnerabilities.

Full dump

vuln.rapid7.insightvm.scans

Assets

Device/s on a network discovered during a scan.

Full dump

vuln.rapid7.insightvm.assets

Sites

Collection of assets that are targeted for a scan.

Full dump

vuln.rapid7.insightvm.sites

Vulnerabilities

Reported vulnerabilities found during a scan.

New events

vuln.rapid7.insightvm.vulnerabilities

Dump type

The Dump type column indicates how the collector will retrieve the data in each iteration. This is an important factor to take into account when setting the request_period_in_seconds field later in the configuration file.

  • Full dump: All available data.

  • New events: Collector saves the retrieving status to get always the latest items detected.

  • Configurable: There is a field in the configuration file where you can choose the dump type.

Vendor setup

The InsightVM data collector works over the installed on-premises InsightVM server, there are some requirements to run the collector, you will need to have:

  • A collector running in a machine with the InsightVM port (default: 3780).

  • A user with the necessary permissions to get the data.

Setting up user permissions

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.7.0

Jul 22, 2023

IMPROVEMENT

bug fixing

Updated the docker base image to 1.3.0

  • Update DCSDK from 1.11.1 to 1.12.2:

    • Added new sender for relay in house + TLS

    • Added persistence functionality for gzip sending buffer

    • Added Automatic activation of gzip sending

    • Improved behaviour when persistence fails

    • Upgraded DevoSDK dependency

    • Fixed console log encoding

    • Restructured python classes

    • Improved behavior with non-utf8 characters

    • Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB)

    • New persistence format/structure (compression in some cases)

    • Removed dmesg execution (It was invalid for docker execution)

    • DevoSDK has been updated to version 5.4.0

Bug fixing

  • Added the yield method to tackle the vulnerabilities not ingesting issue.

Recommended version

v1.6.0

Jun 19, 2023

IMPROVEMENT

bug fixing

Improvements

  • Updated the docker base image to 1.2.0

  • Update DCSDK from 1.10.2 to 1.11.1:

    • Updated DevoSDK to v5.1.9

    • Fixed some bug related to development on MacOS

    • Added an extra validation and fix when the DCSDK receives a wrong timestamp format

    • Added an optional config property for use the Syslog timestamp format in a strict way

    • Updated DevoSDK to v5.1.10

    • Fix for SyslogSender related to UTF-8

    • Enhace of troubleshooting. Trace Standardization, Some traces has been introduced.

    • Introduced a mechanism to detect "Out of Memory killer" situation

Bug fixing

  • Fixed the issue of NoneType error.

Update

v1.5.0

Nov 24, 2023

IMPROVEMENT

Improvements:

  • Upgraded DCSDK from 1.9.2 to 1.10.2

    • Upgrade internal dependencies

    • Added input metrics

    • Modified output metrics

    • Updated DevoSDK to version 5.1.6

    • Standardized exception messages for traceability

    • Added more detail in queue statistics

    • Updated PythonSDK to version 5.0.7

Update

v1.4.0

Sept 12, 2023

IMPROVEMENT

Improvements:

  • Upgraded DCSDK from 1.4.3 to 1.9.2

    • Upgrade internal dependencies

    • Store lookup instances into DevoSender to avoid creation of new instances for the same lookup

    • Ensure service_config is a dict into templates

    • Ensure special characters are properly sent to the platform

    • Changed log level to some messages from info to debug

    • Changed some wrong log messages

    • Upgraded some internal dependencies

    • Changed queue passed to setup instance constructor

    • New “templates” functionality

    • Functionality for detecting some system signals for starting the controlled stopping

    • Input objects sends again the internal messages to devo.collectors.out table

    • Upgraded DevoSDK to version 3.6.4 to fix a bug related to a connection loss with Devo

    • Refactored source code structure

    • Changed way of executing the controlled stopping

    • Minimized probabilities of suffering a DevoSDK bug related to “sender” to be null

    • Ability to validate collector setup and exit without pulling any data

    • Ability to store in the persistence the messages that couldn’t be sent after the collector stopped

    • Ability to send messages from the persistence when the collector starts and before the puller begins working

    • Ensure special characters are properly sent to the platform

    • Added a lock to enhance sender object

    • Added new class attrs to the setstate and getstate queue methods

    • Fix sending attribute value to the setstate and getstate queue methods

    • Added log traces when queues are full and have to wait

    • Added log traces of queues time waiting every minute in debug mode

    • Added method to calculate queue size in bytes

    • Block incoming events in queues when there are no space left

    • Send telemetry events to Devo platform

    • Upgraded internal Python dependency Redis to v4.5.4

    • Upgraded internal Python dependency DevoSDK to v5.1.3

    • Fixed obfuscation not working when messages are sent from templates

    • New method to figure out if a puller thread is stopping

    • Upgraded internal Python dependency DevoSDK to v5.0.6

    • Improved logging on messages/bytes sent to Devo platform

    • Fixed wrong bytes size calculation for queues

    • New functionality to count bytes sent to Devo Platform (shown in console log)

    • Upgraded internal Python dependency DevoSDK to v5.0.4

    • Fixed bug in persistence management process, related to persistence reset

    • Aligned source code typing to be aligned with Python 3.9.x

    • Inject environment property from user config

    • Obfuscation service can be now configured from user config and module definition

    • Obfuscation service can now obfuscate items inside arrays

    • Ensure special characters are properly sent to the platform

    • Changed log level to some messages from info to debug

    • Changed some wrong log messages

    • Upgraded some internal dependencies

    • Changed queue passed to setup instance constructor

Updated

v1.3.0

Oct 31,2022

IMPROVEMENT

Improvements:

  • Events persistence improved and moved event sending to batch processing

  • Devo Collector SDK version has been updated from 1.4.2 to 1.4.3

    • Added log traces for knowing the execution environment status (debug mode)

    • Fixes in the current puller template version

Update

v1.2.0

Sep 13, 2022

IMPROVEMENT

Improvements:

  • Upgraded underlay IFC SDK v1.3.0 to v1.4.2.

  • Updated the underlying DevoSDK package to v3.6.4 and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.

  • Support for stopping the collector when a GRACEFULL_SHUTDOWN system signal is received.

  • Re-enabled the logging to devo.collector.out for Input threads.

  • Improved self-kill functionality behavior.

  • Added more details in log traces.

  • Added log traces for knowing system memory usage.

-