Note: If a version of the Add-On is marked as not availble for Splunk Cloud, you can request Splunk install the Add-on in your cloud instance. There are manual checks that must be performed by Splunk before the Add-On is marked as cloud compatible.
Additional help documentation is available at https://docs.rapid7.com/insightvm/insightvm-technology-add-on-for-splunk/
There are two ways to install the technology add-on - via the Splunk app listing, or manually with a provided
technology add-on package. To install the add-on via the app listing, follow these steps:
Apps menu in Splunk, select Manage AppsBrowse More AppsInstall from the app listingTo install the add-on manually, follow these steps:
Apps menu in Splunk, select Manage AppsInstall app from fileThe add-on should now appear as Rapid7 InsightVM under the Apps menu in Splunk.
The following details the configuration of the technology add-on in order to perform retrieval and ingestion of
InsightVM data.
A connection must be created within the add-on to facilitate the retrieval of InsightVM data. This connection utilizes
a generated Insight platform API key. The following details how to generate a new API key:
API KeysOrganization Key+ New KeyGenerateOnce you have an API key, you can configure a connection for the technology add-on in Splunk. To create a connection,
follow these steps:
Apps menu in SplunkConfigurationAddAddThere are two types of inputs in the technology add-on, and three sourcetypes that result from these inputs. The sourcetypes are:
When configuring the inputs it is important to select the proper index for storing the imported events. The Technology
Add-On defaults to an index name of rapid7; however, the index is not automatically created. Make sure to either have
a Splunk administrator create the rapid7 index or select an index that already exists.
The InsightVM Asset Import can be configured to perform an import of two types of data from InsightVM: assets and
(optionally) vulnerability findings. To configure this input, select Inputs from the technology add-on menu, then
select InsightVM Asset Import under Create New Input.
The fields for this input are as follows:
| Field | Description |
|---|---|
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds that the import of InsightVM data will occur. Default is once per hour |
| Index | Your preferred Splunk index for data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Asset Filter | A query for filtering assets that are imported |
| Import vulnerabilities | An option for whether to import vulnerability findings into Splunk in addition to assets |
| Vulnerability filter | A query for filtering vulnerability findings that are imported |
| Include same vulnerabilities | An option to import vulnerabilities that are not newly discovered or remediated since the last import |
| Full import schedule | The number of days (up to 90) after which a full import is forced. Setting this to 0 will mean all data is pulled in every import |
Here are some example asset filters that can be applied within this input configuration:
sites IN ['site-name']tags IN ['tag-name']os_family = 'Windows'And some example vulnerability filters:
cvss_v2_score > 6severity = 'Critical'Both filters use the search filter syntax
The InsightVM Vulnerability Definition Import is used to import vulnerability definitions from InsightVM. This can be
used to correlate with vulnerability findings, should you want to import those, as well. This input is not required
for visualizing asset findings in your environment. However, it does provide additional details about the
vulnerabilities.
The fields for this input are as follows:
| Field | Description |
|---|---|
| Name | The name of the input as it will appear in Splunk |
| Interval | The frequency in seconds that the import of InsightVM data will occur. Default is once per day |
| Index | Your preferred Splunk index for data. Default is rapid7 |
| InsightVM Connection | The InsightVM connection, created as per the instructions in the Configuration section above |
| Vulnerability filter | A query for filtering vulnerability definitions that are imported |
Important Note: Due to the large amount of data contained within vulnerability definitions, we recommend
importing them a maximum of once per day.
We've also created the Rapid7 InsightVM Dashboard as a starting point for visualizing data that's imported with the
InsightVM technology add-on. The dashboard can be installed as an app much like the add-on and further customized to
suit your visualization needs.
Does the asset input import all assets each time it is run?
No. When the asset import is run for the very first time, it will default to importing assets that were scanned within
the past 90 days. After that, all subsequent imports will only pull in assets that have been newly scanned since the
last import occurred. In other words, if the last import of data occurred on June 5 at 12 PM, then only assets that
have been scanned between then and now will be imported.
Does the vulnerability definition import input import all definitions each time it is run?
Yes, all vulnerability definitions will be imported each time it is run. For this reason, we recommend running this
import at a maximum of once per day.
Can I identify whether a vulnerability has been remediated?
Yes, all vulnerability findings will have a finding_status when they are imported into Splunk. Those that are
remediated will have a finding_status of remediated.
How do I know if a vulnerability is new versus remediated?
Check the finding_status of a vulnerability finding to determine whether it's new, remediated, or unchanged. The
new and remediated statuses indicate new and remediated vulnerabilities respectively, while the status found
indicates a previously found, unchanged vulnerability finding.
Why am I not seeing any data in my add-on/dashboard?
Check the selected index and time period for filtering data. These often need to be adjusted to filter correctly
for assets and vulnerabilities. In addition, if the default rapid7 index was defined for the inputs, make sure this
input has already been created.
Two log files are available to help debug issues, usually located at <splunk_home>/var/log/splunk/:
splunkd.log - Splunk general log
ta_rapid7_insightvm_insightvm_asset_import.log - Log for the Rapid7 Technology Add-on
1.3.0 - Support for unauthenticated proxies. A proxy tab has now been added to the configuration menu.
1.2.0 - Improve request logic around retries & data returned. Add a configuration option 'full import schedule' that can force a full import.
1.1.4 - Upgrade to Splunk Add-on builder 4.
If upgrading from an older release to v1.1.4 the InsightVM API key must be re-entered in the configuration menu.
1.1.3 - Improvements to the InsightVM query. Add logs to display the imported number of vulnerability finding events per job.
1.1.2 - Changes to the InsightVM query intended to ensure all new/remediated vulnerability findings are imported as well as reducing the amount of duplicate data.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.