Home New York Security Incident Management Security Operations Vulnerability Response Vulnerability Response integrations Understanding the Rapid7 Vulnerability Integration Install and configure the Rapid7 Integration for Security Operations application

Install and configure the Rapid7 Integration for Security Operations application

Before you run the integration on your instance, the installation and configuration steps must be completed so the Rapid7 Nexpose or Rapid7 InsightVM product properly integrates with Vulnerability Response. This application is available as a separate subscription.

Before you begin

Complete the following setup checklist prior to installation. These setup tasks are required for a smooth installation and configuration.

Note: This process applies only to applications downloaded to production instances. If you are downloading applications to sub-production or development instances, it is not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.

Roles required: admin to install the application and vulnerability admin (sn_vul.vulnerability_admin or sn_vul.admin) to configure the application after it is installed.


Setup tasks	Description
Verify that the Vulnerability Response application is installed and activated.	To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated see, Install and configure Vulnerability Response.
Verify that you have the required Now Platform roles for your instance.	The following roles are required for installation, configuration, and verification of expected results. Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response. If not already assigned, the system administrator [admin] installs the application and assigns the vulnerability admin [sn_vul.vulnerability_admin or sn_vul.admin] role. The vulnerability admin oversees configuration and verifies expected results. Prior to v10.3 of Vulnerability Response: If not already assigned, the system administrator [admin] installs the app and assigns the vulnerability admin [sn_vul.admin] role. The vulnerability admin [sn_vul.admin] oversees configuration and verifies expected results. The Rapid7 admin role is inherited when you are assigned an administrative role in the Security Operations Vulnerability Response (VR) application.
Prepare for Rapid7 Vulnerability Integration installation.	Read Preparing for the Rapid7 Vulnerability Integration.
For the Rapid7 Nexpose data warehouse integration type, ensure that you have a MID Server with access to the Rapid7 Nexpose data warehouse.	Note the data warehouse name. The Rapid7 data warehouse vulnerability integration only supports standalone MID Servers. Clustered MID Servers are not supported.
For the Rapid7 Nexpose data warehouse integration type, download the latest PostgresSQL driver.	Go to https://jdbc.postgresql.org/download.html and download the latest driver.
For the Rapid7 Nexpose data warehouse integration type, have your Rapid7 Nexpose data warehouse server URL and authentication credentials ready.	The credentials must provide adequate permissions for retrieving knowledge, scan, and detection information for a Rapid7 Nexpose subscription.
Version 8.0: For the Rapid7 InsightVM integration type, have your server URL and Rapid7 InsightVM API key ready. Version 9.0: For the Rapid7 InsightVM integration type, have your region and API key ready.	Version 8.0 Contact Rapid7 to obtain the appropriate URL and API key. Version 9.0: Contact Rapid7 to obtain the appropriate region and API key.

Note:

When migrating to the InsightVM integration type from the Data Warehouse integration type, you can deduplicate existing data warehouse vulnerable items as long as they belong to the same source data as your Rapid7 InsightVM data.

Procedure

Log in to the instance you want to install the Rapid7 Vulnerability Integration application on.
For the Rapid7 Nexpose data warehouse vulnerability integration, install the PostgreSQL JAR file.
1. In your ServiceNow instance, navigate to MID Server > JAR Files.
2. Click New.
3. Enter the name of the PostgresSQL driver that you downloaded earlier.
  Optionally, enter the Version, Source, and Description information. Leave the Active check box selected.
4. Attach the downloaded JAR file using the paper clip icon in the header.
5. Click Submit.
This process completes the Rapid7 Nexpose data warehouse-specific integration tasks.
Navigate to the ServiceNow Store.
In the ServiceNow Store, search for the Rapid7 Vulnerability Integration application.
Click the application tile.
Detailed information about the application you are installing is displayed.
Note: Consider reading the Other Requirements and Dependencies sections, as applicable.
Click Request App and enter your HI login credentials.
Click Get.
Enter the Instance Name and Reason for the Instance, and click Validate Instance.
Click Request.
You will receive an email with detailed installation instructions.
Navigate to System Applications > Applications.
Locate the application, select it, and click Install.
Your application is automatically installed on your instance.
The vulnerability admin can now configure the application.
Once the installation completes, navigate to Rapid7 > Configuration.
Select an Integration Type from the drop-down menu.

Figure 1. Version 9.0: Integration type drop-down menu

Figure 2. Version 8.0: Integration type drop-down menu
Version 9.0: Select an integration instance. The default Rapid7 InsightVM integration instance is selected by default. If that is the one you want, go to step 15.
For multiple deployments of the Rapid7 InsightVM integrations:
1. Open the Lookup list on Integration Instance field, select an existing integration instance and go to step 15, or click New in the pop-up menu.
2. For New, enter a Name for the integration instance and click Submit.
  The integration instance appears in the Rapid7 configuration form.
  Note: You can delete any integration instance except the default. Deleting an instance deletes the following (excluding VIs):
  - Integrations
  - Instance Parameters
  - Integration Runs
  - Integration Processes
  - Instance column on the VI is marked empty
3. Continue to step 15.
Click the Integration Setup tab.

On the appropriate form, fill in the fields:

Table 1. Integration Setup tab for InsightVM
Field	Description
InsightVM Region	The server URL you acquired from the Rapid7 site.
API Key	The API key you acquired from your Rapid7 Insight account.
Validation Status	Read only: Status of credential validation process.

Table 2. Integration Setup tab for Data Warehouse
Field	Description
JDBC credential name	Name of your data warehouse credentials.
User name	Rapid7 Data warehouse user name.
Password	Rapid7 Data warehouse password.
Validation Status	Read only: Status of credential validation process.
Database server DNS/IP	DNS or IP address for your data warehouse.
Database port	Port to use for your data warehouse integration.
Database name	Name of your data warehouse.
Data delay offset (Days)	The data delay offset factors in the delay between the real-time data in Rapid7 Nexpose and the data in the data warehouse.
MID Server	MID Server to use. Only standalone MID servers are supported. Clustered MID servers are not supported.
MID Server timeout (min)	Number of minutes to wait for the MID Server to respond before timing out the integration run.

Click Save.
Verify successful configuration by clicking Test credentials.
Configuration is successfully completed unless an error message is displayed.
If an error message is displayed during the configuration, reenter your data.
Click the Import Configuration tab.

On the appropriate form, fill in the fields.

Table 3. Import Configuration tab for InsightVM
Field	Description
Version 9.0: Min CVSS score	Minimum vulnerable item CVSS score used to filter vulnerable items during import.
Version 9.0: Max CVSS score	Maximum vulnerable item CVSS score used to filter vulnerable items during import.
Version 9.0: Site filter	Limits the data to the Rapid7 InsightVM sites chosen from the Sites list. You can choose more than one. The default (empty) is all sites. Note: Sites for Rapid7 InsightVM must be created manually in order to use this feature. See Create sites for Rapid7 InsightVM for more information. For information on using site filtering, see Filtering by Rapid7 sites.
Version 8.0: Create CVE entry	When checked, placeholders for CVEs, not already present, are created as NVD records and referenced in the third-party entry for Rapid7. When unchecked, these CVEs are ignored. Note: In version 9.0, CVE records, not already present, are created as NVD records and referenced in the third-party entry for Rapid7, by default.
Close by age (Deprecated)	Date after which the scheduled job, Check Close Vul Item By Age, closes the record. When selected, the choices are 30, 60, or 90 days from the Last Found date.
v 10.3: Reopen resolved by age	When selected, vulnerable items are automatically reopened when the number of days they have been resolved but not closed matches the value displayed in the Reopen resolved after field.

Table 4. Import Configuration tab for Data Warehouse
Field	Description
Version 8.0: Create CVE entry check box	When checked, placeholders for CVEs, not already present, are created as NVD records and referenced in the third-party entry for Rapid7. When unchecked, these CVEs are ignored. Note: In version 9.0, CVE records, not already present, are created as NVD records and referenced in the third-party entry for Rapid7, by default.
Min CVSS score	Minimum vulnerable item CVSS score used to filter vulnerable items during import.
Max CVSS score	Maximum vulnerable item CVSS score used to filter vulnerable items during import.
Site filter	Limits the imported Sites Integration data to the sites chosen. You can choose more than one. Note: Since the default setting is to import data from all sites, you do not need to use the filter if you want all sites. Doing so slows down the request.
Close by age check box (Deprecated)	Date after which the scheduled job, Check Close Vul Item By Age, closes the record. When selected, the choices are 30, 60, or 90 days from the Last Found date.
v 10.3: Reopen resolved by age	When selected, vulnerable items are automatically reopened when the number of days they have been resolved but not closed matches the value displayed in the Reopen resolved after field.

Click Save.
The Import since date field in the Rapid7 integrations is blank, by default, except for the Rapid7 Vulnerability Integration - API and the Rapid7 Vulnerable Item Integration - API. For these integrations, these fields are set to 1998-12-31 or 1999-01-01.
To retrieve historical data during your initial import from the Rapid7 scan, set a start date in the appropriate integration records. This process works for any Rapid7 integration with the following exceptions:
- The Rapid7 Exploit and Malware Kit integrations do not show the Import since field, because they do not do delta updates and therefore do not use that field.
- The Rapid7 Asset List integration ignores the field since its intent is to retrieve all data.
- For the initial run of the Rapid7 InsightVM Comprehensive Vulnerable Item Integration – API when the Auto-Close Stale Vulnerable Items module is enabled and the Import since field is left blank.
  Starting with v10.3, when you enable the Automatically close stale Vulnerability Response vulnerable items feature, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration or the Rapid7 Comprehensive Vulnerable Item Integration - API is required. These integrations are disabled by default.
  When you enable the Rapid7 InsightVM Comprehensive Vulnerable Item Integration – API, if you leave the Import since field blank on the integration configuration page, the value in the days ago field of the Auto-Close Stale Vulnerable Items form is also used for the Import since date on the first integration run. The default value for Auto-Close Stale Vulnerable Items is (90 days).
  For example, if the days ago field in the Auto-Close Stale Vulnerable Items form is 90, and the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page is blank, the first integration run imports the data for the last 90 days.
  This relationship between the Import since and days ago fields applies only to the first integration run. After that, changing the days ago field on the Auto-Close Stale Vulnerable Items form doesn’t affect the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page. The field is changed to the first run’s start time so that the subsequent integration runs import only the delta information
  The Import since field is editable, and you can enter whatever values you want for each of the integrations. To edit the Import since field, follow these steps.
1. Navigate to Rapid 7 > Administration > Integrations
2. Select, for example, Rapid7 Vulnerable Item Integration - API.
3. Set the Import since field to the earliest date you want to retrieve. Each successful import resets this date to that day's date and time.
Your Rapid7 Vulnerability Integration configuration is complete.

What to do next

If your environment requires domain-separated imports, see Create domain-separated imports for the Rapid7 Vulnerability Integration.

To create or refine your lookup rules prior to import, see Create a CI lookup rule.

Previous topic

Next topic

Release version

Install and configure the Rapid7 Integration for Security Operations application

Before you begin

Complete the following setup checklist prior to installation. These setup tasks are required for a smooth installation and configuration.

Roles required: admin to install the application and vulnerability admin (sn_vul.vulnerability_admin or sn_vul.admin) to configure the application after it is installed.


Setup tasks	Description
Verify that the Vulnerability Response application is installed and activated.	To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated see, Install and configure Vulnerability Response.
Verify that you have the required Now Platform roles for your instance.	The following roles are required for installation, configuration, and verification of expected results. Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response. If not already assigned, the system administrator [admin] installs the application and assigns the vulnerability admin [sn_vul.vulnerability_admin or sn_vul.admin] role. The vulnerability admin oversees configuration and verifies expected results. Prior to v10.3 of Vulnerability Response: If not already assigned, the system administrator [admin] installs the app and assigns the vulnerability admin [sn_vul.admin] role. The vulnerability admin [sn_vul.admin] oversees configuration and verifies expected results. The Rapid7 admin role is inherited when you are assigned an administrative role in the Security Operations Vulnerability Response (VR) application.
Prepare for Rapid7 Vulnerability Integration installation.	Read Preparing for the Rapid7 Vulnerability Integration.
For the Rapid7 Nexpose data warehouse integration type, ensure that you have a MID Server with access to the Rapid7 Nexpose data warehouse.	Note the data warehouse name. The Rapid7 data warehouse vulnerability integration only supports standalone MID Servers. Clustered MID Servers are not supported.
For the Rapid7 Nexpose data warehouse integration type, download the latest PostgresSQL driver.	Go to https://jdbc.postgresql.org/download.html and download the latest driver.
For the Rapid7 Nexpose data warehouse integration type, have your Rapid7 Nexpose data warehouse server URL and authentication credentials ready.	The credentials must provide adequate permissions for retrieving knowledge, scan, and detection information for a Rapid7 Nexpose subscription.
Version 8.0: For the Rapid7 InsightVM integration type, have your server URL and Rapid7 InsightVM API key ready. Version 9.0: For the Rapid7 InsightVM integration type, have your region and API key ready.	Version 8.0 Contact Rapid7 to obtain the appropriate URL and API key. Version 9.0: Contact Rapid7 to obtain the appropriate region and API key.

Note:

Procedure

Log in to the instance you want to install the Rapid7 Vulnerability Integration application on.
For the Rapid7 Nexpose data warehouse vulnerability integration, install the PostgreSQL JAR file.
1. In your ServiceNow instance, navigate to MID Server > JAR Files.
2. Click New.
3. Enter the name of the PostgresSQL driver that you downloaded earlier.
  Optionally, enter the Version, Source, and Description information. Leave the Active check box selected.
4. Attach the downloaded JAR file using the paper clip icon in the header.
5. Click Submit.
This process completes the Rapid7 Nexpose data warehouse-specific integration tasks.
Navigate to the ServiceNow Store.
In the ServiceNow Store, search for the Rapid7 Vulnerability Integration application.
Click the application tile.
Detailed information about the application you are installing is displayed.
Note: Consider reading the Other Requirements and Dependencies sections, as applicable.
Click Request App and enter your HI login credentials.
Click Get.
Enter the Instance Name and Reason for the Instance, and click Validate Instance.
Click Request.
You will receive an email with detailed installation instructions.
Navigate to System Applications > Applications.
Locate the application, select it, and click Install.
Your application is automatically installed on your instance.
The vulnerability admin can now configure the application.
Once the installation completes, navigate to Rapid7 > Configuration.
Select an Integration Type from the drop-down menu.

Figure 1. Version 9.0: Integration type drop-down menu

Figure 2. Version 8.0: Integration type drop-down menu
Version 9.0: Select an integration instance. The default Rapid7 InsightVM integration instance is selected by default. If that is the one you want, go to step 15.
For multiple deployments of the Rapid7 InsightVM integrations:
1. Open the Lookup list on Integration Instance field, select an existing integration instance and go to step 15, or click New in the pop-up menu.
2. For New, enter a Name for the integration instance and click Submit.
  The integration instance appears in the Rapid7 configuration form.
  Note: You can delete any integration instance except the default. Deleting an instance deletes the following (excluding VIs):
  - Integrations
  - Instance Parameters
  - Integration Runs
  - Integration Processes
  - Instance column on the VI is marked empty
3. Continue to step 15.
Click the Integration Setup tab.

On the appropriate form, fill in the fields:

Table 1. Integration Setup tab for InsightVM
Field	Description
InsightVM Region	The server URL you acquired from the Rapid7 site.
API Key	The API key you acquired from your Rapid7 Insight account.
Validation Status	Read only: Status of credential validation process.

Table 2. Integration Setup tab for Data Warehouse
Field	Description
JDBC credential name	Name of your data warehouse credentials.
User name	Rapid7 Data warehouse user name.
Password	Rapid7 Data warehouse password.
Validation Status	Read only: Status of credential validation process.
Database server DNS/IP	DNS or IP address for your data warehouse.
Database port	Port to use for your data warehouse integration.
Database name	Name of your data warehouse.
Data delay offset (Days)	The data delay offset factors in the delay between the real-time data in Rapid7 Nexpose and the data in the data warehouse.
MID Server	MID Server to use. Only standalone MID servers are supported. Clustered MID servers are not supported.
MID Server timeout (min)	Number of minutes to wait for the MID Server to respond before timing out the integration run.

Click Save.
Verify successful configuration by clicking Test credentials.
Configuration is successfully completed unless an error message is displayed.
If an error message is displayed during the configuration, reenter your data.
Click the Import Configuration tab.

On the appropriate form, fill in the fields.

Table 3. Import Configuration tab for InsightVM
Field	Description
Version 9.0: Min CVSS score	Minimum vulnerable item CVSS score used to filter vulnerable items during import.
Version 9.0: Max CVSS score	Maximum vulnerable item CVSS score used to filter vulnerable items during import.
Version 9.0: Site filter	Limits the data to the Rapid7 InsightVM sites chosen from the Sites list. You can choose more than one. The default (empty) is all sites. Note: Sites for Rapid7 InsightVM must be created manually in order to use this feature. See Create sites for Rapid7 InsightVM for more information. For information on using site filtering, see Filtering by Rapid7 sites.
Version 8.0: Create CVE entry	When checked, placeholders for CVEs, not already present, are created as NVD records and referenced in the third-party entry for Rapid7. When unchecked, these CVEs are ignored. Note: In version 9.0, CVE records, not already present, are created as NVD records and referenced in the third-party entry for Rapid7, by default.
Close by age (Deprecated)	Date after which the scheduled job, Check Close Vul Item By Age, closes the record. When selected, the choices are 30, 60, or 90 days from the Last Found date.
v 10.3: Reopen resolved by age	When selected, vulnerable items are automatically reopened when the number of days they have been resolved but not closed matches the value displayed in the Reopen resolved after field.

Table 4. Import Configuration tab for Data Warehouse
Field	Description
Version 8.0: Create CVE entry check box	When checked, placeholders for CVEs, not already present, are created as NVD records and referenced in the third-party entry for Rapid7. When unchecked, these CVEs are ignored. Note: In version 9.0, CVE records, not already present, are created as NVD records and referenced in the third-party entry for Rapid7, by default.
Min CVSS score	Minimum vulnerable item CVSS score used to filter vulnerable items during import.
Max CVSS score	Maximum vulnerable item CVSS score used to filter vulnerable items during import.
Site filter	Limits the imported Sites Integration data to the sites chosen. You can choose more than one. Note: Since the default setting is to import data from all sites, you do not need to use the filter if you want all sites. Doing so slows down the request.
Close by age check box (Deprecated)	Date after which the scheduled job, Check Close Vul Item By Age, closes the record. When selected, the choices are 30, 60, or 90 days from the Last Found date.
v 10.3: Reopen resolved by age	When selected, vulnerable items are automatically reopened when the number of days they have been resolved but not closed matches the value displayed in the Reopen resolved after field.

Click Save.
The Import since date field in the Rapid7 integrations is blank, by default, except for the Rapid7 Vulnerability Integration - API and the Rapid7 Vulnerable Item Integration - API. For these integrations, these fields are set to 1998-12-31 or 1999-01-01.
To retrieve historical data during your initial import from the Rapid7 scan, set a start date in the appropriate integration records. This process works for any Rapid7 integration with the following exceptions:
- The Rapid7 Exploit and Malware Kit integrations do not show the Import since field, because they do not do delta updates and therefore do not use that field.
- The Rapid7 Asset List integration ignores the field since its intent is to retrieve all data.
- For the initial run of the Rapid7 InsightVM Comprehensive Vulnerable Item Integration – API when the Auto-Close Stale Vulnerable Items module is enabled and the Import since field is left blank.
  Starting with v10.3, when you enable the Automatically close stale Vulnerability Response vulnerable items feature, a successful run from the Rapid7 Comprehensive Vulnerable Item Integration or the Rapid7 Comprehensive Vulnerable Item Integration - API is required. These integrations are disabled by default.
  When you enable the Rapid7 InsightVM Comprehensive Vulnerable Item Integration – API, if you leave the Import since field blank on the integration configuration page, the value in the days ago field of the Auto-Close Stale Vulnerable Items form is also used for the Import since date on the first integration run. The default value for Auto-Close Stale Vulnerable Items is (90 days).
  For example, if the days ago field in the Auto-Close Stale Vulnerable Items form is 90, and the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page is blank, the first integration run imports the data for the last 90 days.
  This relationship between the Import since and days ago fields applies only to the first integration run. After that, changing the days ago field on the Auto-Close Stale Vulnerable Items form doesn’t affect the Import since field on the Rapid7 Comprehensive Vulnerable Item Integration – API configuration page. The field is changed to the first run’s start time so that the subsequent integration runs import only the delta information
  The Import since field is editable, and you can enter whatever values you want for each of the integrations. To edit the Import since field, follow these steps.
1. Navigate to Rapid 7 > Administration > Integrations
2. Select, for example, Rapid7 Vulnerable Item Integration - API.
3. Set the Import since field to the earliest date you want to retrieve. Each successful import resets this date to that day's date and time.
Your Rapid7 Vulnerability Integration configuration is complete.

What to do next

If your environment requires domain-separated imports, see Create domain-separated imports for the Rapid7 Vulnerability Integration.

To create or refine your lookup rules prior to import, see Create a CI lookup rule.

How search works:

Topics are ranked in search results by how closely they match your search terms

Install and configure the Rapid7 Integration for Security Operations application

Install and configure the Rapid7 Integration for Security Operations application

On this page

Install and configure the Rapid7 Integration for Security Operations application

Install and configure the Rapid7 Integration for Security Operations application

Log in to personalize your search results and subscribe to topics