Rapid7 InsightVM Technology Add-On for Splunk: SHA256 checksums of the release packages

  • rapid7-insightvm-technology-add-on-for-splunk_130.tgz: a640942d6d7d5d3a9a41f86f7ed1db8d929ceaa79920d11544c28b1c23b8b1f3
  • rapid7-insightvm-technology-add-on-for-splunk_120.tgz: 933d322fdd6ddc4152fa29d24b7156c0c9e7d1b61ae9344afd37449103dca3e1
  • rapid7-insightvm-technology-add-on-for-splunk_114.tgz: af9b99f9251d2439c4586c8c4f00c3e860d5e71300cbdb4890f366d7d54c6866
  • rapid7-insightvm-technology-add-on-for-splunk_113.tgz: 1e789c918d3c58d6b9acf909c82b3212de5a34ec9eb9ab97efd0733c365a8d9f
  • rapid7-insightvm-technology-add-on-for-splunk_112.tgz: 4dfc185b05cc06136f2094cd4d90285c4b778df8b61643b2d6c8c4a561f8551b

Rapid7 InsightVM Technology Add-On for Splunk

The Rapid7 InsightVM Technology Add-On retrieves asset and vulnerability data from InsightVM and ingests it into Splunk
following the Common Information Model (CIM). The add-on is designed to be compatible with Splunk Enterprise and
Splunk Cloud, using a Universal Forwarder.

This Technology Add-On is intended to import asset and vulnerability findings from the InsightVM Platform without the use of the InsightVM console. The default configuration will import assets and vulnerabilities for devices that have been scanned since the last import run. Key functionality includes:
- Import all asset and vulnerability data when it runs for the first time
- Track previous import times to only import assets and their associated vulnerabilities that have been scanned in the time since the last import
- Vulnerabilities that are newly found or have been remediated will be imported as new events in Splunk and assigned a status of "new" or "remediated" respectively
- Previously imported vulnerabilities whose status has not changed will not be imported as new events and will retain their `found` status
- An optional configuration that imports all data on every run, or once every X days
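The status assignment described above can be illustrated by diffing the findings of each rescanned asset against the last known state. The code below is an added example written for this page, not the add-on's own code: the `asset_id`/`vulnerability_id` keys and the dictionary layout are assumptions (the add-on's event schema is not shown here); only the three `finding_status` values come from the page. It also handles the edge case the incremental design implies: an asset that was not rescanned since the last import is absent from the current batch, and its old findings must not be reported as remediated.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical layout: asset_id -> ids of vulnerabilities currently found on it.
State = Dict[str, Set[str]]


@dataclass(frozen=True)
class FindingEvent:
    asset_id: str
    vulnerability_id: str
    finding_status: str  # "new", "remediated" or "found" (the page's three values)


def diff_findings(previous: State, current: State, include_same: bool = False) -> List[FindingEvent]:
    """Turn the findings of assets rescanned since the last import into events.

    `previous` is the last known state of every asset; `current` holds only the
    assets returned by this run (those scanned since the last import), each with
    its complete set of current findings. Assets absent from `current` were not
    rescanned, so they produce no events (assumed here: a finding that is missing
    only because the asset was not rescanned is not remediated).
    """
    events: List[FindingEvent] = []
    for asset_id in sorted(current):
        now_found = current[asset_id]
        known = previous.get(asset_id, set())
        for vuln_id in sorted(now_found | known):
            if vuln_id in now_found and vuln_id not in known:
                status = "new"
            elif vuln_id in known and vuln_id not in now_found:
                status = "remediated"
            elif include_same:
                status = "found"  # unchanged since the last import
            else:
                continue  # unchanged findings are not re-emitted by default
            events.append(FindingEvent(asset_id, vuln_id, status))
    return events


def advance_state(previous: State, current: State) -> State:
    """Merge this run's results into the tracked state used by the next diff."""
    merged = {asset: set(vulns) for asset, vulns in previous.items()}
    for asset_id, vulns in current.items():
        merged[asset_id] = set(vulns)
    return merged


# Constructed sample data (not real InsightVM output).
PREVIOUS_STATE: State = {
    "asset-1": {"vuln-A", "vuln-B"},
    "asset-2": {"vuln-A"},
    "asset-3": {"vuln-D"},  # not rescanned in this run: must stay silent
}
CURRENT_IMPORT: State = {
    "asset-1": {"vuln-A"},            # vuln-B disappeared -> remediated
    "asset-2": {"vuln-A", "vuln-C"},  # vuln-C appeared -> new
}


def demo_events(include_same: bool = False) -> List[Tuple[str, str, str]]:
    """Return (asset, vulnerability, finding_status) tuples for the sample data."""
    return [(e.asset_id, e.vulnerability_id, e.finding_status)
            for e in diff_findings(PREVIOUS_STATE, CURRENT_IMPORT, include_same)]


if __name__ == "__main__":
    for row in demo_events(include_same=True):
        print(row)
```

With the default `include_same=False` only the remediated `vuln-B` on `asset-1` and the new `vuln-C` on `asset-2` become events; enabling it additionally re-emits the two unchanged findings with status `found`, which is what the "Include same vulnerabilities" option does for the asset input.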

The Rapid7 InsightVM Dashboard and Technology Add-On are recommended in place of the Nexpose Dashboard and Technology Add-On listed on Splunkbase for all InsightVM customers.

Support for the application is provided by Rapid7 Support via our Customer Support Portal at https://www.rapid7.com/for-customers/

Note: If a version of the Add-On is marked as not available for Splunk Cloud, you can request that Splunk install the Add-On in your cloud instance. Splunk must perform manual checks before the Add-On is marked as cloud compatible.

Rapid7 InsightVM Technology Add-On

Additional help documentation is available at https://docs.rapid7.com/insightvm/insightvm-technology-add-on-for-splunk/

Installation

There are two ways to install the technology add-on - via the Splunk app listing, or manually with a provided
technology add-on package. To install the add-on via the app listing, follow these steps:

  1. From the Apps menu in Splunk, select Manage Apps
  2. Select Browse More Apps
  3. Do a search for the "Rapid7 InsightVM Technology Add-On"
  4. Select Install from the app listing
  5. Perform a restart of Splunk when prompted

To install the add-on manually, follow these steps:

  1. From the Apps menu in Splunk, select Manage Apps
  2. Select Install app from file
  3. Select the InsightVM Technology Add-On package
  4. Perform a restart of Splunk when prompted

The add-on should now appear as Rapid7 InsightVM under the Apps menu in Splunk.

Configuration

The following details the configuration of the technology add-on in order to perform retrieval and ingestion of
InsightVM data.

Creating a connection

A connection must be created within the add-on to facilitate the retrieval of InsightVM data. This connection utilizes
a generated Insight platform API key. The following details how to generate a new API key:

  1. Log in to the Insight platform here
  2. Select the gear icon on the top menu and click API Keys
  3. Select Organization Key
  4. Select + New Key
  5. Enter a name for the key and click Generate
  6. Copy and securely store the generated key

Once you have an API key, you can configure a connection for the technology add-on in Splunk. To create a connection,
follow these steps:

  1. Navigate to the Rapid7 InsightVM technology add-on, available under the Apps menu in Splunk
  2. Select Configuration
  3. Select Add
  4. Enter a name for the connection
  5. Enter your region. Additional info on regions is available here
  6. Enter your generated API key
  7. Click Add

Inputs

There are two types of inputs in the technology add-on, and three sourcetypes that result from these inputs. The sourcetypes are:

  • rapid7:insightvm:asset
  • rapid7:insightvm:asset:vulnerability_finding
  • rapid7:insightvm:vulnerability_definition

When configuring the inputs it is important to select the proper index for storing the imported events. The Technology
Add-On defaults to an index name of rapid7; however, the index is not automatically created. Make sure to either have
a Splunk administrator create the rapid7 index or select an index that already exists.

InsightVM Asset Import

The InsightVM Asset Import can be configured to perform an import of two types of data from InsightVM: assets and
(optionally) vulnerability findings. To configure this input, select Inputs from the technology add-on menu, then
select InsightVM Asset Import under Create New Input.

The fields for this input are as follows:

| Field | Description |
| --- | --- |
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds at which the import of InsightVM data will occur. Default is once per hour |
| Index | Your preferred Splunk index for the data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Asset Filter | A query for filtering the assets that are imported |
| Import vulnerabilities | Whether to import vulnerability findings into Splunk in addition to assets |
| Vulnerability filter | A query for filtering the vulnerability findings that are imported |
| Include same vulnerabilities | Whether to import vulnerabilities that are neither newly discovered nor remediated since the last import |
| Full import schedule | The number of days (up to 90) after which a full import is forced. Setting this to 0 means all data is pulled in every import |

Here are some example asset filters that can be applied within this input configuration:

  • sites IN ['site-name']
  • tags IN ['tag-name']
  • os_family = 'Windows'

And some example vulnerability filters:

  • cvss_v2_score > 6
  • severity = 'Critical'

Both filters use the InsightVM search filter syntax.

InsightVM Vulnerability Definition Import

The InsightVM Vulnerability Definition Import is used to import vulnerability definitions from InsightVM. This can be
used to correlate with vulnerability findings, should you want to import those, as well. This input is not required
for visualizing asset findings in your environment. However, it does provide additional details about the
vulnerabilities.

The fields for this input are as follows:

| Field | Description |
| --- | --- |
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds at which the import of InsightVM data will occur. Default is once per day |
| Index | Your preferred Splunk index for the data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Vulnerability filter | A query for filtering the vulnerability definitions that are imported |

Important Note: Due to the large amount of data contained within vulnerability definitions, we recommend
importing them a maximum of once per day.

Data Visualization

We've also created the Rapid7 InsightVM Dashboard as a starting point for visualizing data that's imported with the
InsightVM technology add-on. The dashboard can be installed as an app much like the add-on and further customized to
suit your visualization needs.

FAQs

Does the asset input import all assets each time it is run?

No. When the asset import is run for the very first time, it will default to importing assets that were scanned within
the past 90 days. After that, all subsequent imports will only pull in assets that have been newly scanned since the
last import occurred. In other words, if the last import of data occurred on June 5 at 12 PM, then only assets that
have been scanned between then and now will be imported.
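The answer above, together with the "Full import schedule" field of the asset input, defines three import modes: a first run that looks back 90 days, an incremental run that fetches only assets scanned since the last import, and a forced full import every N days (0 meaning every run). The following is an added example of that decision logic, written for this page rather than taken from the add-on; the checkpoint values it keeps (`last_import`, `last_full_import`) and the `(since, incremental)` return shape are assumptions, since the add-on's checkpoint format is not documented here.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Both limits are stated on the page: the first run imports assets scanned in the
# past 90 days, and the full import schedule accepts 0 to 90 days.
FIRST_RUN_LOOKBACK = timedelta(days=90)
MAX_FULL_IMPORT_SCHEDULE_DAYS = 90


def import_window(now: datetime,
                  last_import: Optional[datetime],
                  last_full_import: Optional[datetime],
                  full_import_schedule_days: int) -> Tuple[Optional[datetime], bool]:
    """Decide what this run should request from InsightVM.

    Returns (since, incremental): `since` is the lower bound on an asset's last
    scan time to request, or None when no time filter is applied at all (a full
    import). `incremental` is True only when the run is limited to assets
    scanned since the previous import.
    """
    if not 0 <= full_import_schedule_days <= MAX_FULL_IMPORT_SCHEDULE_DAYS:
        raise ValueError("full import schedule must be between 0 and 90 days")
    if last_import is None:
        # First run: assets scanned within the past 90 days (FAQ above).
        return now - FIRST_RUN_LOOKBACK, False
    if full_import_schedule_days == 0:
        return None, False  # 0 means all data is pulled in every import
    schedule = timedelta(days=full_import_schedule_days)
    if last_full_import is None or now - last_full_import >= schedule:
        return None, False  # scheduled full import is due
    return last_import, True  # only assets scanned since the last run


def update_checkpoint(checkpoint: Dict[str, Optional[datetime]],
                      now: datetime, incremental: bool) -> Dict[str, Optional[datetime]]:
    """Record a completed run; a full run also resets the full-import clock."""
    return {
        "last_import": now,
        "last_full_import": checkpoint.get("last_full_import") if incremental else now,
    }


def simulate_runs(schedule_days: int, hours: int = 48) -> list:
    """Constructed hourly schedule starting 2022-06-05 12:00 UTC; returns the
    mode of each run so the switch from first run to incremental to forced
    full import can be seen."""
    start = datetime(2022, 6, 5, 12, 0, tzinfo=timezone.utc)
    checkpoint: Dict[str, Optional[datetime]] = {"last_import": None, "last_full_import": None}
    modes = []
    for h in range(hours):
        now = start + timedelta(hours=h)
        since, incremental = import_window(now, checkpoint["last_import"],
                                           checkpoint["last_full_import"], schedule_days)
        modes.append("incremental" if incremental else ("first" if since else "full"))
        checkpoint = update_checkpoint(checkpoint, now, incremental)
    return modes


if __name__ == "__main__":
    print(simulate_runs(schedule_days=1, hours=30))
```

With a one-day schedule and the default hourly interval, the simulation shows a first run, 23 incremental runs, a full import at hour 24, then incremental runs again; with a schedule of 0 every run after the first is a full import.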

Does the vulnerability definition import input import all definitions each time it is run?

Yes, all vulnerability definitions will be imported each time it is run. For this reason, we recommend running this
import at a maximum of once per day.

Can I identify whether a vulnerability has been remediated?

Yes, all vulnerability findings will have a finding_status when they are imported into Splunk. Those that are
remediated will have a finding_status of remediated.

How do I know if a vulnerability is new versus remediated?

Check the finding_status of a vulnerability finding to determine whether it's new, remediated, or unchanged. The
new and remediated statuses indicate new and remediated vulnerabilities respectively, while the status found
indicates a previously found, unchanged vulnerability finding.

Why am I not seeing any data in my add-on/dashboard?

Check the selected index and time period used to filter the data. These often need to be adjusted to filter correctly
for assets and vulnerabilities. In addition, if the default rapid7 index was selected for the inputs, make sure this
index has already been created.

Debugging

Two log files are available to help debug issues, usually located at <splunk_home>/var/log/splunk/:

  • splunkd.log: Splunk general log
  • ta_rapid7_insightvm_insightvm_asset_import.log: log for the Rapid7 Technology Add-On

Release Notes

Version 1.3.0
Feb. 15, 2022

1.3.0 - Support for unauthenticated proxies. A proxy tab has now been added to the configuration menu.

Version 1.2.0
Jan. 14, 2022

1.2.0 - Improve request logic around retries & data returned. Add a configuration option 'full import schedule' that can force a full import.

Version 1.1.4
Dec. 16, 2021

1.1.4 - Upgrade to Splunk Add-on Builder 4.

If upgrading from an older release to v1.1.4 the InsightVM API key must be re-entered in the configuration menu.

Version 1.1.3
Aug. 25, 2021

1.1.3 - Improvements to the InsightVM query. Add logs to display the imported number of vulnerability finding events per job.

Version 1.1.2
July 16, 2021

1.1.2 - Changes to the InsightVM query intended to ensure all new/remediated vulnerability findings are imported as well as reducing the amount of duplicate data.
