Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Understanding the Rapid7 Vulnerability Integration

Log in to subscribe to topics and get notified when content changes.

Understanding the Rapid7 Vulnerability Integration

The Rapid7 Vulnerability Integration by ServiceNow® uses data imported from the Rapid7 Nexpose data warehouse or the Rapid7 InsightVM product to help you determine the impact and priority of potentially malicious threats.

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, refer to the ServiceNow Store version history release notes.

Rapid7 Vulnerability Integration

Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 Nexpose product, which continuously analyzes and correlates the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

Rapid7 integrations are entry points to Rapid7 Nexpose interacting with the Rapid7 data warehouse or Rapid7 InsightVM product, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.
Note:

If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.

When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.

Version 9.0: If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.
Note: You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Available versions

Release version Release Notes

Rapid7 Vulnerability Integration v9.0

Rapid7 Vulnerability Integration v8.0

Vulnerability Response release notes

Roles

Rapid7 vulnerability integration tasks involve the following roles.
  • sn_vul_r7.admin: Can read, write, and delete records.
  • sn_vul_r7.user: Can read and write records.
  • sn_vul_r7.read: Can read records.

Rapid7 Vulnerability Integration integrations

To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

The following integrations are included in the base system.

Table 1. Rapid7 Nexpose data warehouse integrations
Integration Description
Rapid7 Vulnerability Integration Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
Rapid7 Category Integration Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
Rapid7 Exploit Integration Retrieves exploit information from Rapid7 Nexpose.
Rapid7 Malware Kit Integration Retrieves malware kit information from Rapid7 Nexpose.
Rapid7 Reference Integration Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
Rapid7 Solution Integration Retrieves solution data from Rapid7 Nexpose which provides recommended solutions to specific vulnerabilities.
Rapid7 Superceding Solution Integration Retrieves information about which solutions are superseded by other solutions.
Rapid7 Vulnerability Solution Map Integration Retrieves the mapping to associate solutions with vulnerabilities.
Rapid7 Vulnerable Item Integration Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance.

The outputs of this integration are vulnerable items.

Rapid7 Vulnerable Item Resolution Integration

Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.

Rapid7 Site Integration Retrieves site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
Table 2. Rapid7 InsightVM integrations
Integration Description
Rapid7 Vulnerable Item Integration — API Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
Rapid7 Vulnerability Integration — API Retrieves CMDB configuration item (CI), reference, category, exploit, malware kit and vulnerability data from Rapid7 InsightVM and processes it in your instance.
Version 9.0: Rapid7 Asset List Integration - API Retrieves host scan data once a week from Rapid7 InsightVM all assets and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned lately.

CI Lookup Rules

CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

For more information on how CI lookup rules work, see Rules for identifying configuration items from third-party vulnerability integrations.

To create or edit lookup rules, see Create a CI lookup rule.
Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

Discovered Items

This module lists configuration items detected during import from the data warehouse or API Rapid7 Vulnerable Item Integrations and starting with version 9.0, the Rapid7 Asset List Integration - API.
Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

Host tags

Version 9.0: All host tags are imported as part of the Rapid7 Asset List integration. Only tags for hosts with associated vulnerabilities are imported as part of the Rapid7 Vulnerable Item integration. Host tags are used primarily for filtering in Vulnerability Response Assignment and Vulnerability Group Rules. They are displayed in the Discovered Item form.
Note: The Rapid7 Asset List integration should be run prior to creating Assignment or Vulnerability Group Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
  • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot not be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
  • Using host tags as a Group Key in a Vulnerability Group Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
  • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

Sites

A site is a collection of assets targeted for a scan within the Rapid7 Nexpose data warehouse. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. To view the Rapid7 Vulnerability Integration for data warehouse imported sites in a list, navigate to Rapid7 > Sites.

Solutions

Solutions are known remediations imported into your Rapid7 Vulnerability Integration from either Rapid7 Nexpose data warehouse or Rapid7 InsightVM. Rapid7 Nexpose data warehouse imports both solutions and superseding solutions. Rapid7 InsightVM only imports superseding solutions. To view imported solutions in a list, navigate to Rapid7 > Solutions.

Feedback