Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Rapid7 Vulnerability Integration

Log in to subscribe to topics and get notified when content changes.

Rapid7 Vulnerability Integration

The Rapid7 Vulnerability Integration by ServiceNow® uses data imported from the Rapid7 Nexpose data warehouse and, starting with version 5.1, Rapid7 InsightVM product to help you determine the impact and priority of potentially malicious threats.

Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 Nexpose product, which continuously analyzes and correlates the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and business services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

Rapid7 integrations are entry points to Rapid7 Nexpose interacting with the Rapid7 data warehouse or Rapid7 InsightVM product, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.

If you use both Rapid7 Nexpose data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.

To migrate from the Rapid7 Nexpose integration type to see the Rapid7 InsightVM integration type, KB0743164.

There is a configured run-as user for each integration record. The default value for this user is System Administrator [admin]. This value should be changed.
Note: Failing to set a valid run-as user results in multiple, often duplicate, data retrieval attachments on the data source records, every time the integration runs. Multiple attachments on the data source increase processing time, resulting in inconsistent transform results.

Available versions

Release version Release Notes
Rapid7 Vulnerability Integration v5.1 Vulnerability Response release notes

Rapid7 Vulnerability Integration v5.0

Documentation for this version is available here

Rapid7 integration release notes (Kingston)


Rapid7 vulnerability integration tasks involve the following roles.
  • sn_vul_r7.admin — can read, write, and delete records
  • sn_vul_r7.user — can read and write records
  • — can read records

Rapid7 integrations

To view the Rapid7 vulnerability integration, navigate to Rapid7 > Administration > Integrations.

The following integrations are included in the base system.

Table 1. Rapid7 Nexpose data warehouse integrations
Integration Description
Rapid7 Vulnerability Integration Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
Rapid7 Category Integration Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
Rapid7 Reference Integration Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
Rapid7 Solution Integration Retrieves solution data from Rapid7 Nexpose which provides recommended solutions to specific vulnerabilities.
Rapid7 Superceding Solution Integration Retrieves information about which solutions are superseded by other solutions.
Rapid7 Vulnerability Solution Map Integration Retrieves the mapping to associate solutions with vulnerabilities.
Rapid7 Vulnerable Item Integration Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance.

The outputs of this integration are vulnerable items.

Rapid7 Vulnerable Item Resolution Integration

Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.

Rapid7 Site Integration Retrieves site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
Table 2. Rapid7 InsightVM integrations
Integration Description
Rapid7 Vulnerability Integration - API Retrieves vulnerability data from the Rapid7 InsightVM product and processes it in your instance.
Rapid7 Vulnerable Item Integration - API Retrieves CMDB configuration item (CI) and vulnerable item information from the Rapid7 InsightVM product.

Lookup Rules

Lookup rules are used to search for CIs in the CMDB with matching information from the Rapid7 vulnerability integration. These rules define what fields contain matching data, and the order of precedence in which they are evaluated. Matches with the lowest order value are evaluated first.

Vulnerability integration transform maps and script includes use Lookup Rules to determine how to fill in the configuration item field in a vulnerable item. These rules are triggered when the IP address and other information are provided, but the CI field is empty.

When attempting a match, the first step is an ID lookup for an exact match across source, source_instance, and ID. Then, lookup rules are run in order, from lowest to highest and stop when a rule returns just a single CI as a match.

Several CI lookup rules are shipped with the base system.
  • MacAddress
  • FQDN
  • HostName
  • IP

To create or edit lookup rules, see Create a CI lookup rule in the Rapid7 Vulnerability Integration.

Discovered Hosts

CIs are automatically matched to CIs in the CMDB when they are imported. However, sometimes, if a CI cannot be identified during import, it can become an orphan. This module lists those configuration items without a match.

The unmatched state occurs when a CI is not in the CMDB. In that case, View and reclassify unmatched configuration items.
Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.


A site is a collection of assets targeted for a scan within the Rapid7 Nexpose data warehouse. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. To view the Rapid7 vulnerability integration for data warehouse imported sites in a list, navigate to Rapid7 > Sites.


Solutions are known remediations imported into your Rapid7 vulnerability integration from either the Rapid7 Nexpose data warehouse or Rapid7 InsightVM product. Rapid7 Nexpose data warehouse imports both solutions and superceding solutions. Rapid7 InsightVM only imports superceding solutions. To view imported solutions in a list, navigate to Rapid7 > Solutions.