Creating a Task to Import Vulnerabilities from a NeXpose Scanner

This topic explains how to create an integration task to import vulnerabilities from a NeXpose scanner, available through the Administration module. The task creates a routine that imports the vulnerabilities detected by a specific scan performed with a NeXpose scanner.

NeXpose is a vulnerability management solution provided by Rapid7 that scans technology assets to identify, evaluate, and mitigate risks to them. Modulo Risk Manager provides a way to manage vulnerabilities in the organization by allowing the vulnerabilities identified by NeXpose to be displayed in the Organization module. These are shown under the Vulnerabilities tab by means of graphs for individual assets or consolidated by perimeter. Vulnerability data is displayed on the same graph even if more than one vulnerability scanner is integrated with the system (for example, Qualys, NeXpose, etc.). Note that if two or more vulnerability scanners scan the same objects, the information will not be consolidated and there will likely be duplicate vulnerability reports for the scanned objects.

The list of vulnerabilities will identify which vulnerability was identified by which service. NeXpose scores from 1 to 10 are adjusted to an internal score from 1 to 5, as follows:

NeXpose Level      Modulo Risk Manager Level
1 - 2          =>  1
3 - 4          =>  2
5 - 6          =>  3
7 - 8          =>  4
9 - 10         =>  5

In addition to displaying these vulnerabilities in the Organization module, technology assets can be included in the scope of vulnerabilities of a risk project. Any vulnerabilities associated with these assets can then be evaluated so that analysts can decide whether they will be accepted or sent to treatment.

Any vulnerabilities identified for assets are also automatically included in the catalogue of vulnerabilities in the Risk Knowledge section of the Knowledge module. Vulnerabilities from scanners not supported by the system can also be manually imported to the catalogue and mapped to assets through spreadsheets. For details on manually including vulnerabilities in the catalogue, see Chapter 8: Knowledge -> Risk Knowledge -> Catalogue of Vulnerabilities. For details on manually mapping vulnerabilities from the catalogue to assets, see Chapter 5: Risk -> Vulnerability Occurrences.

The integration service for NeXpose queries the NeXpose database through the NeXpose API. Requests to this API are made over HTTPS, and the NeXpose server returns the content as XML. Further details can be viewed on the Rapid7 website. Note that you must have an account with Rapid7 before this service can be integrated. The scans performed by NeXpose follow the schedules defined in the service itself, with no interference from Modulo Risk Manager. To execute the task, the report generated by NeXpose and used by Modulo Risk Manager must be configured to be created after each scan is run, and the format for the report must be XML Export (version 1) or SCAP Compatible XML Report.

The match between the equipment scanned by a NeXpose scanner and the corresponding technology asset in Modulo Risk Manager is made according to the asset mapping criteria specified in the Properties tab for each perimeter or for each asset individually. If a vulnerability identified for a certain machine cannot be matched to an asset in the system, the integration task history will show the number of assets that were not associated with vulnerabilities because of this identification problem. Also note that only confirmed or potential vulnerabilities will be imported, unlike the Qualys integration, which also imports "information gathered" findings.

When creating an integration task of this type, you can select an option that allows notifications to be generated in the system when inconsistencies occur regarding the existence of vulnerabilities imported through the task and later sent to treatment. For instance, if a vulnerability is identified through a scan, imported and mapped to an asset through this integration task, and then sent to treatment through a risk project, the system will display notifications if the vulnerability is not found in subsequent executions of that same scan. These notifications will appear in the risk project through which the vulnerability was sent to treatment, in the Home module for the user that was assigned as project leader, and in the Progress and Associations tabs of the event created to treat the vulnerability.

These notifications will also be generated when an asset in the scope of the risk project is removed from the scope of a scan. This occurs because the vulnerabilities identified for that asset are no longer found, not necessarily because they no longer exist but because the asset is no longer being analyzed by the scanner in that particular report. If the assets were purposely removed, the scan report should be renamed so as to prevent notifications from being generated erroneously. In addition, if different credentials or a different policy is used to access and scan the assets, this could prevent certain vulnerabilities from being identified again and generate erroneous notifications.
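The following added example (not Modulo Risk Manager or Rapid7 code) illustrates the three behaviours described above on a constructed NeXpose-style XML export: only confirmed or potential findings are kept, the 1-10 NeXpose score is converted to the 1-5 internal level from the table, scanned nodes are matched to assets by IP address (an assumed mapping criterion), unmatched nodes are counted, and treated vulnerabilities absent from a later run are flagged the way the notification check would. The element and attribute names, the status values, and the asset inventory are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; element names and status values are assumptions.
SAMPLE_REPORT = """<NexposeReport version="1.0">
  <nodes>
    <node address="10.0.0.5">
      <tests>
        <test id="ssl-weak-cipher" status="vulnerable-version"/>
        <test id="http-banner" status="not-vulnerable"/>
      </tests>
    </node>
    <node address="10.0.0.9">
      <tests><test id="smb-signing" status="potential"/></tests>
    </node>
  </nodes>
  <VulnerabilityDefinitions>
    <vulnerability id="ssl-weak-cipher" severity="7"/>
    <vulnerability id="smb-signing" severity="3"/>
    <vulnerability id="http-banner" severity="1"/>
  </VulnerabilityDefinitions>
</NexposeReport>"""

def internal_level(severity):
    """Map a NeXpose score of 1-10 to the 1-5 level in the table above."""
    if not 1 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    return (severity + 1) // 2  # 1-2 -> 1, 3-4 -> 2, ..., 9-10 -> 5

def import_findings(xml_text, assets):
    """Return ({asset: {(vuln_id, level), ...}}, number of unmatched nodes)."""
    root = ET.fromstring(xml_text)
    severity = {v.get("id"): int(v.get("severity"))
                for v in root.iter("vulnerability")}
    findings, unmatched = {}, 0
    for node in root.iter("node"):
        asset = assets.get(node.get("address"))  # assumed criterion: IP match
        if asset is None:
            unmatched += 1  # reported in the task history, per the text above
            continue
        for test in node.iter("test"):
            status = test.get("status", "")
            # keep confirmed ("vulnerable-*") and potential results only
            if status.startswith("vulnerable") or status == "potential":
                vid = test.get("id")
                findings.setdefault(asset, set()).add((vid, internal_level(severity[vid])))
    return findings, unmatched

def missing_after_rescan(treated, findings):
    """Treated (asset, vuln_id) pairs no longer reported: these would trigger notifications."""
    found = {(a, vid) for a, items in findings.items() for vid, _ in items}
    return sorted(set(treated) - found)
```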