Rapid7 Insight¶
About¶
Partnering with Rapid7 gives you solutions you can count on, seamless controls, and the strategic guidance you need to stay ahead of attacks. The Insight Platform also helps unite your teams so you can stop putting out fires and focus on the threats that matter. Security, IT, and DevOps now have easy access to vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more.
Product Details¶
Vendor URL: Rapid7 Insight
Product Type: Vulnerability Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Rapid7 Insight
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: RAPID7_INSIGHT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| critical_vulnerabilities | additional.fields |
| exploits | additional.fields |
| host_name | principal.hostname |
| id | principal.asset.asset_id |
| ip | principal.ip |
| mac | principal.mac |
| os_architecture | principal.labels (deprecation Nov 29 2024) |
| os_architecture | additional.fields |
| os_description | principal.platform_version |
| risk_score | additional.fields |
| unique_identifiers | principal.labels (deprecation Nov 29 2024) |
| unique_identifiers | additional.fields |
| same.solution_fix | extensions.vulns.vulnerabilities.about.labels |
| same.solution_id | extensions.vulns.vulnerabilities.about.labels |
| same.solution_summary | extensions.vulns.vulnerabilities.about.labels |
| same.solution_type | extensions.vulns.vulnerabilities.about.labels |
| same.proof | extensions.vulns.vulnerabilities.description |
| same.vulnerability_id | extensions.vulns.vulnerabilities.vendor_vulnerability_id |
| same.status | extensions.vulns.vulnerabilities.severity_details |
| last_found | metadata.event_timestamp |
| last_found | extensions.vulns.vulnerabilities[0].last_found |
| first_found | extensions.vulns.vulnerabilities[0].first_found |
| solution_summary,solution_type | extensions.vulns.vulnerabilities[0].description |
| proof | extensions.vulns.vulnerabilities[0].name |
| solution_fix | extensions.vulns.vulnerabilities[0].vendor_knowledge_base_article_id |
| vulnerability_id | extensions.vulns.vulnerabilities[0].vendor_vulnerability_id |
Product Event Types¶
| type,subtype | UDM Event Classification |
|---|---|
| blank | GENERIC_EVENT |
Log Sample¶
{"check_id":null,"first_found":"2023-07-25T23:18:08Z","key":"C:\\Program Files\\Java\\jre1.8.0_311\\bin\\java.dll","last_found":"2023-08-25T12:15:08.394Z","port":null,"proof":"\u003cp\u003e\u003cp\u003eVulnerable OS: Microsoft Windows 10 20H2\u003cp\u003e\u003c/p\u003e\u003c/p\u003e\u003cp\u003eVulnerable software installed: Oracle JRE 1.8.0.311 (C:\\Program Files\\Java\\jre1.8.0_311\\bin\\java.dll)\u003c/p\u003e\u003c/p\u003e","protocol":null,"solution_fix":"\u003cp\u003eDownload and apply the upgrade from: \u003ca href=\"https://www.java.com/en/download/manual.jsp\"\u003ehttps://www.java.com/en/download/manual.jsp\u003c/a\u003e\u003c/p\u003e","solution_id":"jre-upgrade-latest","solution_summary":"Upgrade to the latest version of Oracle Java","solution_type":"rollup","status":"VULNERABLE_VERS","vulnerability_id":"jre-vuln-cve-2023-21937"}
Sample Parsing¶
metadata.event_timestamp = "2023-08-25T13:38:44.765196Z"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type"RAPID7_INSIGHT"
metadata.product_name"Insight"
metadata.vendor_name"Rapid7"
extensions.vulns.vulnerabilities[0].description = "rollup -- Upgrade to the latest version of Oracle Java"
extensions.vulns.vulnerabilities[0].first_found = "2023-07-25T23:18:08Z"
extensions.vulns.vulnerabilities[0].last_found = "2023-08-25T12:15:08.394Z"
extensions.vulns.vulnerabilities[0].name = "Vulnerable OS: Microsoft Windows 10 20H2 Vulnerable software installed: Oracle JRE 1.8.0.311 (C:\Program Files\Java\jre1.8.0_311\bin\java.dll)"
extensions.vulns.vulnerabilities[0].vendor_knowledge_base_article_id = "Download and apply the upgrade from: https://www.java.com/en/download/manual.jsp"
extensions.vulns.vulnerabilities[0].vendor_vulnerability_id = "jre-vuln-cve-2023-21937"
Parser Alerting¶
This product currently does not have any Parser-based Alerting