Rapid7 Insight

About

Partnering with Rapid7 gives you solutions you can count on, seamless controls, and the strategic guidance you need to stay ahead of attacks. The Insight Platform also helps unite your teams so you can stop putting out fires and focus on the threats that matter. Security, IT, and DevOps now have easy access to vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more.

Product Details

Vendor URL: Rapid7 Insight

Product Type: Vulnerability Management

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Rapid7 Insight

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: Near 100%

Data Label: RAPID7_INSIGHT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                  UDM Field
assessed_for_policies           additional.fields.additional_assessed_for_policies.value.string_value
assessed_for_vulnerabilities    additional.fields.additional_assessed_for_vulnerabilities.value.string_value
critical_vulnerabilities        security_result.detection_fields.critical_vulnerabilities_label.value
exploits                        security_result.detection_fields.exploits_label.value
host_name                       principal.hostname
id                              metadata.product_log_id
ip                              principal.ip
mac                             principal.mac
malware_kits                    security_result.detection_fields.malware_kits_label.value
moderate_vulnerabilities        security_result.detection_fields.moderate_vulnerabilities_label.value
os_architecture                 principal.asset.hardware.cpu_model
os_family                       principal.platform
os_name                         principal.platform_version
os_version                      principal.platform_patch_level
risk_score                      security_result.confidence_details
severe_vulnerabilities          security_result.detection_fields.severe_vulnerabilities_label.value
total_vulnerabilities           security_result.detection_fields.total_vulnerabilities_label.value
unique_identifiers.id           extensions.vulns.vulnerabilities.vendor_vulnerability_id
unique_identifiers.source       extensions.vulns.vulnerabilities.name

Product Event Types

type,subtype      UDM Event Classification
all others        SCAN_VULN_HOST
blank             GENERIC_EVENT

Log Sample

{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"SUPPLIED_FAILED"},{"port":23,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":0,"exploits":0,"id":"asset","ip":"10.10.10.21","last_assessed_for_vulnerabilities":"2021-12-28T18:47:17.024Z","last_scan_end":"2021-12-28T18:47:17.024Z","last_scan_start":"2021-12-28T18:35:17.338Z","malware_kits":0,"moderate_vulnerabilities":5,"new":[],"os_architecture":"","os_description":"Cisco IOS 12","os_family":"IOS","os_name":"IOS","os_system_name":"Cisco IOS","os_type":"Router","os_vendor":"Cisco","os_version":"12","remediated":[],"risk_score":3513.08740234375,"severe_vulnerabilities":4,"tags":[{"name":"","type":"SITE"},{"name":"","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[]}

Sample Parsing

metadata.event_timestamp = "2021-12-28T18:47:17.024Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_log_id = "asset"
metadata.product_name = "Insight"
metadata.vendor_name = "Rapid7"
additional.assessed_for_policies = "false"
additional.assessed_for_vulnerabilities = "true"
principal.platform_version = "IOS"
principal.platform_patch_level = "12"
principal.ip = "10.10.10.21"
security_result.detection_fields.critical_vulnerabilities = "0"
security_result.detection_fields.exploits = "0"
security_result.detection_fields.malware_kits = "0"
security_result.detection_fields.moderate_vulnerabilities = "5"
security_result.detection_fields.severe_vulnerabilities = "4"
security_result.detection_fields.total_vulnerabilities = "9"
security_result.confidence_details = "3513.08740234375"
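The following script is an added illustration, not the vendor's or the platform's parser code: it applies the UDM Fields table and the Product Event Types rule above to the page's own log sample so the result can be compared against the Sample Parsing output. The table is applied literally, so it also emits principal.platform from os_family, which the sample output above does not show, and it writes the full additional.fields.* paths from the table rather than the shortened additional.* paths in the sample. Which source field feeds metadata.event_timestamp is not stated on the page; the script assumes last_scan_end, whose value in the sample equals the timestamp shown.

```python
import json

# Log-field -> UDM-field mapping, transcribed from the UDM Fields table on this page.
FIELD_MAP = {
    "assessed_for_policies": "additional.fields.additional_assessed_for_policies.value.string_value",
    "assessed_for_vulnerabilities": "additional.fields.additional_assessed_for_vulnerabilities.value.string_value",
    "critical_vulnerabilities": "security_result.detection_fields.critical_vulnerabilities_label.value",
    "exploits": "security_result.detection_fields.exploits_label.value",
    "host_name": "principal.hostname",
    "id": "metadata.product_log_id",
    "ip": "principal.ip",
    "mac": "principal.mac",
    "malware_kits": "security_result.detection_fields.malware_kits_label.value",
    "moderate_vulnerabilities": "security_result.detection_fields.moderate_vulnerabilities_label.value",
    "os_architecture": "principal.asset.hardware.cpu_model",
    "os_family": "principal.platform",
    "os_name": "principal.platform_version",
    "os_version": "principal.platform_patch_level",
    "risk_score": "security_result.confidence_details",
    "severe_vulnerabilities": "security_result.detection_fields.severe_vulnerabilities_label.value",
    "total_vulnerabilities": "security_result.detection_fields.total_vulnerabilities_label.value",
}

# Sub-fields of each unique_identifiers entry, also from the table.
VULN_ID_MAP = {
    "id": "extensions.vulns.vulnerabilities.vendor_vulnerability_id",
    "source": "extensions.vulns.vulnerabilities.name",
}

# The page's Log Sample, embedded so the script runs offline.
SAMPLE_LOG = '{"assessed_for_policies":false,"assessed_for_vulnerabilities":true,"credential_assessments":[{"port":161,"protocol":"UDP","status":"NO_CREDS_SUPPLIED"},{"port":22,"protocol":"TCP","status":"SUPPLIED_FAILED"},{"port":23,"protocol":"TCP","status":"NO_CREDS_SUPPLIED"}],"critical_vulnerabilities":0,"exploits":0,"id":"asset","ip":"10.10.10.21","last_assessed_for_vulnerabilities":"2021-12-28T18:47:17.024Z","last_scan_end":"2021-12-28T18:47:17.024Z","last_scan_start":"2021-12-28T18:35:17.338Z","malware_kits":0,"moderate_vulnerabilities":5,"new":[],"os_architecture":"","os_description":"Cisco IOS 12","os_family":"IOS","os_name":"IOS","os_system_name":"Cisco IOS","os_type":"Router","os_vendor":"Cisco","os_version":"12","remediated":[],"risk_score":3513.08740234375,"severe_vulnerabilities":4,"tags":[{"name":"","type":"SITE"},{"name":"","type":"SITE"}],"total_vulnerabilities":9,"unique_identifiers":[]}'


def as_udm_string(value):
    """Render a JSON scalar as the Sample Parsing shows it: lowercase booleans, numbers as text."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def classify_event(record):
    """Product Event Types rule: blank type/subtype -> GENERIC_EVENT, anything else -> SCAN_VULN_HOST."""
    if record.get("type", "") == "" and record.get("subtype", "") == "":
        return "GENERIC_EVENT"
    return "SCAN_VULN_HOST"


def normalize(raw_line):
    """Map one Rapid7 Insight JSON asset record onto flat UDM field paths."""
    record = json.loads(raw_line)
    udm = {
        "metadata.vendor_name": "Rapid7",
        "metadata.product_name": "Insight",
        "metadata.event_type": classify_event(record),
    }
    # Assumption (not stated on the page): the event timestamp comes from last_scan_end.
    if record.get("last_scan_end"):
        udm["metadata.event_timestamp"] = record["last_scan_end"]
    for log_field, udm_field in FIELD_MAP.items():
        value = record.get(log_field)
        # Absent keys and empty strings (os_architecture is "" in the sample) yield no
        # UDM field, which is why the Sample Parsing omits them.
        if value is None or value == "":
            continue
        udm[udm_field] = as_udm_string(value)
    # unique_identifiers is a list; each entry becomes one vulnerability record.
    vulns = [
        {VULN_ID_MAP[k]: as_udm_string(v) for k, v in entry.items() if k in VULN_ID_MAP}
        for entry in record.get("unique_identifiers", [])
    ]
    if vulns:
        udm["extensions.vulns.vulnerabilities"] = vulns
    return udm


if __name__ == "__main__":
    for path, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f"{path} = {value!r}")
```

Running the script prints the mapped fields for the sample record; comparing that output with the Sample Parsing section is a quick way to check that a field name has not drifted between the table and the documented output (for example, the additional.* paths).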

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon