


Download package: rapid7-insightvm-technology-add-on-for-splunk_100.tgz
SHA256 checksum: f5cc2837160cdf6915d3940a2c3dc4a521b4d6a14bdb05844cef44f928d16097
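The published checksum is only useful if it is actually compared against the file you are about to install with "Install app from file". The Python below is an added example, not part of the Splunkbase listing or of the add-on itself; the package name and digest are the ones published above, and the self-check function that writes a constructed sample file exists only so the block runs end to end without the real download.

```python
"""Added example, not part of the Splunkbase listing or the add-on itself:
verify a downloaded package against the SHA256 checksum published above
before installing it with "Install app from file"."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Both values are taken from the download dialog on this listing.
PACKAGE_NAME = "rapid7-insightvm-technology-add-on-for-splunk_100.tgz"
PUBLISHED_SHA256 = "f5cc2837160cdf6915d3940a2c3dc4a521b4d6a14bdb05844cef44f928d16097"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA256 so a large package never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive comparison that does not stop at the first differing byte."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_package(path: Path, expected_hex: str = PUBLISHED_SHA256) -> bool:
    """True only if the file on disk hashes to the published digest."""
    return checksum_matches(sha256_of_file(path), expected_hex)


def demo_verify_constructed_file() -> bool:
    """Self-contained check: write constructed bytes to a temp file (standing in
    for the real .tgz) and verify them with the same file-hashing path."""
    sample = b"constructed sample, not the real package\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / PACKAGE_NAME
        path.write_bytes(sample)
        return verify_package(path, sha256_of_bytes(sample))


if __name__ == "__main__":
    # Real use: point verify_package() at the downloaded file, e.g.
    # verify_package(Path("~/Downloads").expanduser() / PACKAGE_NAME)
    print("constructed self-check:", demo_verify_constructed_file())
```

Run `verify_package()` against the downloaded file and refuse to install on a `False`; the chunked read keeps memory flat for large packages, and `hmac.compare_digest` avoids the short-circuit comparison a plain `==` would do.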


Rapid7 InsightVM Technology Add-On for Splunk

Splunk AppInspect Passed
The Rapid7 InsightVM Technology Add-On is used for retrieving asset and vulnerability data from InsightVM and ingesting
into Splunk following the Common Information Model (CIM). The add-on is designed to be compatible with Splunk
Enterprise and Splunk Cloud with the use of a Universal Forwarder.

This Technology Add-On is intended to import asset and vulnerability findings from the InsightVM Platform without the use of the InsightVM console. It is designed to only import assets and vulnerabilities for devices that have been scanned since the last import run. Key functionality includes:
- Import the past 90 days worth of asset and vulnerability data when it runs for the first time
- Track previous import times to only import assets and their associated vulnerabilities that have been scanned in the time since the last import
  - Vulnerabilities that are newly found or have been remediated will be imported as new events in Splunk and
respectively assigned a status of "new" or "remediated"
  - Previously imported vulnerabilities that have not changed in status will not be imported as new events and will retain their "found" status

The Rapid7 InsightVM Dashboard and Technology Add-On are recommended in place of the Nexpose Dashboard and Technology Add-On listed on Splunkbase for all InsightVM customers.

Rapid7 InsightVM Technology Add-On

Installation

There are two ways to install the technology add-on - via the Splunk app listing, or manually with a provided
technology add-on package. To install the add-on via the app listing, follow these steps:

  1. From the Apps menu in Splunk, select Manage Apps
  2. Select Browse More Apps
  3. Do a search for the "Rapid7 InsightVM Technology Add-On"
  4. Select Install from the app listing
  5. Perform a restart of Splunk when prompted

To install the add-on manually, follow these steps:

  1. From the Apps menu in Splunk, select Manage Apps
  2. Select Install app from file
  3. Select the InsightVM Technology Add-On package
  4. Perform a restart of Splunk when prompted

The add-on should now appear as Rapid7 InsightVM under the Apps menu in Splunk.

Configuration

The following details the configuration of the technology add-on in order to perform retrieval and ingestion of
InsightVM data.

Creating a connection

A connection must be created within the add-on to facilitate the retrieval of InsightVM data. This connection utilizes
a generated Insight platform API key. The following details how to generate a new API key:

  1. Log in to the Insight platform here
  2. Select the gear icon on the top menu and click API Keys
  3. Select Organization Key
  4. Select + New Key
  5. Enter a name for the key and click Generate
  6. Copy and securely store the generated key

Once you have an API key, you can configure a connection for the technology add-on in Splunk. To create a connection,
follow these steps:

  1. Navigate to the Rapid7 InsightVM technology add-on, available under the Apps menu in Splunk
  2. Select Configuration
  3. Select Add
  4. Enter a name for the connection
  5. Enter your region. Additional info on regions is available here
  6. Enter your generated API key
  7. Click Add

Inputs

There are two types of inputs in the technology add-on, and three sourcetypes that result from these inputs. They are:

  • rapid7:insightvm:asset
  • rapid7:insightvm:asset:vulnerability_finding
  • rapid7:insightvm:vulnerability_definition

When configuring the inputs it is important to select the proper index for storing the imported events. The Technology
Add-On defaults to an index name of rapid7; however, the index is not automatically created. Make sure to either have
a Splunk administrator create the rapid7 index or select an index that already exists.

InsightVM Asset Import

The InsightVM Asset Import can be configured to perform an import of two types of data from InsightVM: assets and
(optionally) vulnerability findings. To configure this input, select Inputs from the technology add-on menu, then
select InsightVM Asset Import under Create New Input.

The fields for this input are as follows:

Field                   Description
Name                    The name of the input as it will appear in Splunk
Interval                The frequency in seconds at which the import of InsightVM data will occur. Default is once per hour
Index                   Your preferred Splunk index for data. Default is rapid7
InsightVM Connection    The InsightVM connection, created as per the instructions in the Configuration section above
Asset Filter            A query for filtering assets that are imported
Import vulnerabilities  An option for whether to import vulnerability findings into Splunk in addition to assets
Vulnerability filter    A query for filtering vulnerability findings that are imported

Here are some example asset filters that can be applied within this input configuration:

  • sites IN ['site-name']
  • tags IN ['tag-name']
  • os_family = 'Windows'

And some example vulnerability filters:

  • cvss_v2_score > 6
  • severity = 'Critical'

InsightVM Vulnerability Definition Import

The InsightVM Vulnerability Definition Import is used to import vulnerability definitions from InsightVM. This can be
used to correlate with vulnerability findings, should you want to import those, as well. This input is not required
for visualizing asset findings in your environment. However, it does provide additional details about the
vulnerabilities.

The fields for this input are as follows:

Field                   Description
Name                    The name of the input as it will appear in Splunk
Interval                The frequency in seconds at which the import of InsightVM data will occur. Default is once per day
Index                   Your preferred Splunk index for data. Default is rapid7
InsightVM Connection    The InsightVM connection, created as per the instructions in the Configuration section above
Vulnerability filter    A query for filtering vulnerability definitions that are imported

Important Note: Due to the large amount of data contained within vulnerability definitions, we recommend
importing them a maximum of once per day.

Data Visualization

We've also created the Rapid7 InsightVM Dashboard as a starting point for visualizing data that's imported with the
InsightVM technology add-on. The dashboard can be installed as an app much like the add-on and further customized to
suit your visualization needs.

FAQs

Does the asset input import all assets each time it is run?

No. When the asset import is run for the very first time, it will default to importing assets that were scanned within
the past 90 days. After that, all subsequent imports will only pull in assets that have been newly scanned since the
last import occurred. In other words, if the last import of data occurred on June 5 at 12 PM, then only assets that
have been scanned between then and now will be imported.

Does the vulnerability definition import input import all definitions each time it is run?

Yes, all vulnerability definitions will be imported each time it is run. For this reason, we recommend running this
import at a maximum of once per day.

Can I identify whether a vulnerability has been remediated?

Yes, all vulnerability findings will have a finding_status when they are imported into Splunk. Those that are
remediated will have a finding_status of remediated.

How do I know if a vulnerability is new versus remediated?

Check the finding_status of a vulnerability finding to determine whether it's new, remediated, or unchanged. The
new and remediated statuses indicate new and remediated vulnerabilities respectively, while the status found
indicates a previously found, unchanged vulnerability finding.
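The incremental import described under "Key functionality" above and the finding_status semantics in this answer can be modelled in a few dozen lines. The Python below is an added example, not the add-on's own code: the checkpoint layout, the asset record fields (id, last_scan, vulnerabilities) and the sample data are constructed assumptions, and the InsightVM API calls that would supply real asset data are left out. It switches from the 90-day first-run window to "since the last import" once a checkpoint exists, diffs the previous and current finding sets for the rescanned assets, and emits events only for new and remediated findings, leaving unchanged ones at found without re-indexing them.

```python
"""Added example (not the add-on's own code): a model of the incremental import
and finding_status logic the Rapid7 InsightVM Technology Add-On describes.
All data below is constructed; the InsightVM API calls are not shown."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

FIRST_RUN_LOOKBACK = timedelta(days=90)   # first run imports the past 90 days
FindingKey = Tuple[str, str]              # (asset_id, vulnerability_id)


def import_window_start(last_import: Optional[datetime], now: datetime) -> datetime:
    """Earliest last-scan time to include in this run.

    No checkpoint yet (first run): look back 90 days.
    Otherwise: only assets scanned since the previous import time.
    """
    if last_import is None:
        return now - FIRST_RUN_LOOKBACK
    return last_import


def select_rescanned_assets(assets: List[dict], since: datetime) -> List[dict]:
    """Keep only assets whose last scan is at or after the window start."""
    return [a for a in assets if a["last_scan"] >= since]


def classify_findings(previous: Set[FindingKey], current: Set[FindingKey]) -> Dict[FindingKey, str]:
    """Assign finding_status by diffing the previous and current finding sets.

    new        -> present now, never imported before
    remediated -> imported before, absent from the latest scan results
    found      -> imported before and still present (unchanged)
    """
    status: Dict[FindingKey, str] = {}
    for key in current - previous:
        status[key] = "new"
    for key in previous - current:
        status[key] = "remediated"
    for key in previous & current:
        status[key] = "found"
    return status


def run_import(checkpoint: dict, assets: List[dict], now: datetime) -> Tuple[List[dict], dict]:
    """One import run. Returns (events to index, updated checkpoint).

    Checkpoint layout (an assumption, not the add-on's real format):
      {"last_import": datetime | None, "open_findings": set of FindingKey}
    Only 'new' and 'remediated' findings become events, matching the page's
    statement that unchanged findings are not re-imported.
    """
    since = import_window_start(checkpoint.get("last_import"), now)
    rescanned = select_rescanned_assets(assets, since)
    rescanned_ids = {a["id"] for a in rescanned}

    # Previous state is only diffed for assets that were actually rescanned;
    # an asset outside the window has no new scan data to compare against.
    previous_all: Set[FindingKey] = set(checkpoint.get("open_findings", set()))
    previous = {k for k in previous_all if k[0] in rescanned_ids}
    current = {(a["id"], v) for a in rescanned for v in a["vulnerabilities"]}

    events = []
    for (asset_id, vuln_id), st in sorted(classify_findings(previous, current).items()):
        if st in ("new", "remediated"):
            events.append({"sourcetype": "rapid7:insightvm:asset:vulnerability_finding",
                           "asset_id": asset_id, "vulnerability_id": vuln_id,
                           "finding_status": st, "_time": now.isoformat()})

    open_after = (previous_all - previous) | current   # untouched assets keep their state
    return events, {"last_import": now, "open_findings": open_after}


# ---- constructed sample data ----------------------------------------------
NOW = datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    {"id": "asset-1", "last_scan": NOW - timedelta(hours=2),
     "vulnerabilities": {"vuln-A", "vuln-C"}},          # vuln-B gone, vuln-C appeared
    {"id": "asset-2", "last_scan": NOW - timedelta(days=10),
     "vulnerabilities": {"vuln-A"}},                    # not rescanned since last import
]
SAMPLE_CHECKPOINT = {"last_import": NOW - timedelta(days=1),
                     "open_findings": {("asset-1", "vuln-A"), ("asset-1", "vuln-B"),
                                       ("asset-2", "vuln-A")}}


def demo() -> Tuple[List[dict], dict]:
    """Run the model once over the constructed data."""
    return run_import(SAMPLE_CHECKPOINT, SAMPLE_ASSETS, NOW)


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

With the constructed data, asset-1 was rescanned inside the window, so its vuln-B becomes a remediated event and vuln-C a new one, while vuln-A stays found and is not re-emitted; asset-2 is outside the window and its state is carried forward untouched in the checkpoint. Passing an empty checkpoint instead reproduces the first-run behaviour: a 90-day window and every finding reported as new.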

Why am I not seeing any data in my add-on/dashboard?

Check the selected index and time period for filtering data. These often need to be adjusted to filter correctly
for assets and vulnerabilities. In addition, if the default rapid7 index was defined for the inputs, make sure this
index has already been created.

Debugging

Two log files are available to help debug issues, usually located at <splunk_home>/var/log/splunk/:

splunkd.log - Splunk general log
ta_rapid7_insightvm_insightvm_asset_import.log - Log for the Rapid7 Technology Add-on

Changelog:

1.0.0 - Initial release of Rapid7 InsightVM Technology Add-On providing functionality to import asset and vulnerability findings from the InsightVM Platform

Release Notes

Version 1.0.0
July 1, 2020
