There are two ways to install the technology add-on - via the Splunk app listing, or manually with a provided
technology add-on package. To install the add-on via the app listing, follow these steps:
Apps menu in Splunk, select Manage AppsBrowse More AppsInstall from the app listingTo install the add-on manually, follow these steps:
Apps menu in Splunk, select Manage AppsInstall app from fileThe add-on should now appear as Rapid7 InsightVM under the Apps menu in Splunk.
The following details the configuration of the technology add-on in order to perform retrieval and ingestion of
InsightVM data.
A connection must be created within the add-on to facilitate the retrieval of InsightVM data. This connection utilizes
a generated Insight platform API key. The following details how to generate a new API key:
API KeysOrganization Key+ New KeyGenerateOnce you have an API key, you can configure a connection for the technology add-on in Splunk. To create a connection,
follow these steps:
Apps menu in SplunkConfigurationAddAddThere are two types of inputs in the technology add-on, and three sourcetypes that result from these inputs. They are:
When configuring the inputs it is important to select the proper index for storing the imported events. The Technology
Add-On defaults to an index name of rapid7; however, the index is not automatically created. Make sure to either have
a Splunk administrator create the rapid7 index or select an index that already exists.
The InsightVM Asset Import can be configured to perform an import of two types of data from InsightVM: assets and
(optionally) vulnerability findings. To configure this input, select Inputs from the technology add-on menu, then
select InsightVM Asset Import under Create New Input.
The fields for this input are as follows:
| Field | Description |
|---|---|
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds that the import of InsightVM data will occur. Default is once per hour |
| Index | Your preferred Splunk index for data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Asset Filter | A query for filtering assets that are imported |
| Import vulnerabilities | An option for whether to import vulnerability findings into Splunk in addition to assets |
| Vulnerability filter | A query for filtering vulnerability findings that are imported |
Here are some example asset filters that can be applied within this input configuration:
sites IN ['site-name']tags IN ['tag-name']os_family = 'Windows'And some example vulnerability filters:
cvss_v2_score > 6severity = 'Critical'The InsightVM Vulnerability Definition Import is used to import vulnerability definitions from InsightVM. This can be
used to correlate with vulnerability findings, should you want to import those, as well. This input is not required
for visualizing asset findings in your environment. However, it does provide additional details about the
vulnerabilities.
The fields for this input are as follows:
| Field | Description |
|---|---|
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds that the import of InsightVM data will occur. Default is once per day |
| Index | Your preferred Splunk index for data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Vulnerability filter | A query for filtering vulnerability definitions that are imported |
Important Note: Due to the large amount of data contained within vulnerability definitions, we recommend
importing them a maximum of once per day.
We've also created the Rapid7 InsightVM Dashboard as a starting point for visualizing data that's imported with the
InsightVM technology add-on. The dashboard can be installed as an app much like the add-on and further customized to
suit your visualization needs.
Does the asset input import all assets each time it is run?
No. When the asset import is run for the very first time, it will default to importing assets that were scanned within
the past 90 days. After that, all subsequent imports will only pull in assets that have been newly scanned since the
last import occurred. In other words, if the last import of data occurred on June 5 at 12 PM, then only assets that
have been scanned between then and now will be imported.
Does the vulnerability definition import input import all definitions each time it is run?
Yes, all vulnerability definitions will be imported each time it is run. For this reason, we recommend running this
import at a maximum of once per day.
Can I identify whether a vulnerability has been remediated?
Yes, all vulnerability findings will have a finding_status when they are imported into Splunk. Those that are
remediated will have a finding_status of remediated.
How do I know if a vulnerability is new versus remediated?
Check the finding_status of a vulnerability finding to determine whether it's new, remediated, or unchanged. The
new and remediated statuses indicate new and remediated vulnerabilities respectively, while the status found
indicates a previously found, unchanged vulnerability finding.
Why am I not seeing any data in my add-on/dashboard?
Check the selected index and time period for filtering data. These often need to be adjusted to filter correctly
for assets and vulnerabilities. In addition, if the default rapid7 index was defined for the inputs, make sure this
input has already been created.
Two log files are available to help debug issues, usually located at <splunk_home>/var/log/splunk/:
splunkd.log - Splunk general log
ta_rapid7_insightvm_insightvm_asset_import.log - Log for the Rapid7 Technology Add-on
1.0.1 - Fixed bug to properly map Tags to Event Types for CIM | Added retry logic when saving import state fails due to Splunk ConnectionError
1.0.0 - Initial release of Rapid7 InsightVM Technology Add-On providing functionality to import asset and vulnerability findings from the InsightVM Platform
1.0.4 - For initial imports remove the comparisonTime of 90 days ago, which only affects how vulnerabilities are grouped. Increase the TRUNCATE setting for vulnerability findings and vulnerability definitions. If a vulnerability definition is still larger than the TRUNCATE setting the length of some of its fields are truncated by the add-on. Always set the ingest time to the CURRENT time instead of letting Splunk default the ingest time.
1.0.3 - Logging level changes when requests return non 200 responses. Update the request retry backoff time to allow more time between retries. Asset import checkpoint is now the most recent asset last_scan_end rather than the current time.
1.0.2 - Bug fix to ensure all vulnerabilities are returned by InsightVM on paged requests. Change maximum records per page to 100.
1.0.1 - Fixed bug to properly map Tags to Event Types for CIM | Added retry logic when saving import state fails due to Splunk `ConnectionError`
1.0.0 - Initial release of Rapid7 InsightVM Technology Add-On providing functionality to import asset and vulnerability findings from the InsightVM Platform
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.