Rapid7 Insight¶
About¶
Partnering with Rapid7 gives you solutions you can count on, seamless controls, and the strategic guidance you need to stay ahead of attacks. The Insight Platform also helps unite your teams so you can stop putting out fires and focus on the threats that matter. Security, IT, and DevOps now have easy access to vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more.
Product Details¶
Vendor URL: Rapid7 Insight
Product Type: Vulnerability Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Rapid7 Insight
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: RAPID7_INSIGHT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| assessed_for_policies | additional.fields.additional_assessed_for_policies.value.string_value |
| assessed_for_vulnerabilities | additional.fields.additional_assessed_for_vulnerabilities.value.string_value |
| critical_vulnerabilities | security_result.detection_fields.critical_vulnerabilities_label.value |
| exploits | security_result.detection_fields.exploits_label.value |
| host_name | principal.hostname |
| id | metadata.product_log_id |
| ip | principal.ip |
| mac | principal.mac |
| malware_kits | security_result.detection_fields.malware_kits_label.value |
| moderate_vulnerabilities | security_result.detection_fields.moderate_vulnerabilities_label.value |
| os_architecture | principal.asset.hardware.cpu_model |
| os_family | principal.platform |
| os_name | principal.platform_version |
| os_version | principal.platform_patch_level |
| risk_score | security_result.confidence_details |
| severe_vulnerabilities | security_result.detection_fields.severe_vulnerabilities_label.value |
| total_vulnerabilities | security_result.detection_fields.total_vulnerabilities_label.value |
| unique_identifiers.id | extensions.vulns.vulnerabilities.vendor_vulnerability_id |
| unique_identifiers.source | extensions.vulns.vulnerabilities.name |
Product Event Types¶
| type,subtype | UDM Event Classification |
|---|---|
| all others | SCAN_VULN_HOST |
| blank | GENERIC_EVENT |
Log Sample¶
{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"SUPPLIED_FAILED"},{"port":23,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":0,"exploits":0,"id":"asset","ip":"10.10.10.21","last_assessed_for_vulnerabilities":"2021-12-28T18:47:17.024Z","last_scan_end":"2021-12-28T18:47:17.024Z","last_scan_start":"2021-12-28T18:35:17.338Z","malware_kits":0,"moderate_vulnerabilities":5,"new":[],"os_architecture":"","os_description":"Cisco IOS 12","os_family":"IOS","os_name":"IOS","os_system_name":"Cisco IOS","os_type":"Router","os_vendor":"Cisco","os_version":"12","remediated":[],"risk_score":3513.08740234375,"severe_vulnerabilities":4,"tags":[{"name":"","type":"SITE"},{"name":"","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[]}
Sample Parsing¶
metadata.event_timestamp = "2021-12-28T18:47:17.024Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_log_id = "asset"
metadata.product_name = "Insight"
metadata.vendor_name = "Rapid7"
additional.assessed_for_policies = "false"
additional.assessed_for_vulnerabilities = "true"
principal.platform_version = "IOS"
principal.platform_patch_level = "12"
principal.ip = "10.10.10.21"
security_result.detection_fields.critical_vulnerabilities = "0"
security_result.detection_fields.exploits = "0"
security_result.detection_fields.malware_kits = "0"
security_result.detection_fields.moderate_vulnerabilities = "5"
security_result.detection_fields.severe_vulnerabilities = "4"
security_result.detection_fields.total_vulnerabilities = "9"
security_result.confidence_details = "3513.08740234375"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon