Rapid 7 Integration

Introduction

The ColorTokens Security Platform (CTSP) integrates with widely used third-party vulnerability management applications. This integration lets customers evaluate vulnerabilities on enforced servers from CTSP and take appropriate actions, such as quarantining the application server so that malware or viruses do not spread to other services on the network.

Rapid7 is a widely used third-party vulnerability management service. This document describes the prerequisites for integrating CTSP with the customer's Rapid7 service.

CTSP integrates through the APIs exported and publicly published by Rapid7. The Rapid7 tool can be hosted on-premise or as a cloud service. The APIs exported by the two models are vastly different, so the mode of operation must be known up front in order to use the right set of APIs.

Integrations

Integration with Rapid7 On-premise Service

In this model, the Rapid7 scanner is deployed in the customer's environment. CTSP connects directly to the Rapid7 service and makes the appropriate API calls to pull vulnerability information.

Prerequisites

CTSP needs the following information about the Rapid7 on-premise service:

  • Rapid7 scanner’s FQDN or Public IP address and service port number
  • Administrative login credentials to Rapid7 service. (username, password)

Integration with Rapid7 AWS Cloud Service

In this model, Rapid7 hosts a SaaS platform on which the customer has purchased a vulnerability management service for their servers and endpoints. CTSP connects directly to the Rapid7 SaaS platform and makes the appropriate API calls, presenting the API key provided by the SaaS customer, to retrieve vulnerability data.

Prerequisites

CTSP needs the following information about the Rapid7 SaaS service:

  • Region (Rapid7 supports US, Europe, Canada, Australia and Japan)
  • API Key of customer to access the Rapid7 cloud service

Integration Work Flow

  • The tenant administrator must first add the Rapid7 configuration on the ColorTokens Security Platform (CTSP). This configuration is described above in the prerequisites, depending on whether the tenant is connecting to an on-premise server or to the Rapid7 cloud service.
  • CTSP uses the appropriate public APIs of Rapid7 to retrieve scan results for the assets managed by the platform. This operation is performed once every twenty-four (24) hours and starts at 1:00 AM local time (of the region where the cluster is deployed).
  • Rapid7 scan results can also be retrieved on demand if required.
  • The CVE IDs and CVSS base scores of the vulnerabilities are pulled from the scan results and made available on the asset page in CTSP. By design, only vulnerabilities with a CVSS base score of 7.0 or above are listed.

Usage guidelines

  • The Rapid7 service must be available and reachable at the time of the scan report request for CTSP to be able to retrieve the results.
  • If the Rapid7 service is not reachable at the time of the scan report request, CTSP continues to show the vulnerabilities pulled by the previous successful request.
  • CTSP does not ask the Rapid7 service to initiate a scan, so the administrator must run a scan on the customer's assets before requesting the report from CTSP.
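The following is an added illustration (not ColorTokens' or Rapid7's code) of the sync behaviour described in the work flow and usage guidelines above: findings are reduced to those with a CVSS base score of 7.0 or above and grouped per asset, and when the scanner is unreachable the previously pulled data is kept and the failure recorded. The findings format and the CVE IDs are constructed placeholders, not Rapid7's API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

CVSS_THRESHOLD = 7.0  # cutoff stated in the work flow: 7.0 and above are shown


@dataclass
class VulnerabilityState:
    """What the asset page would show: CVEs per asset plus the last refresh info."""
    cves: Dict[str, List[Tuple[str, float]]]  # asset -> [(cve_id, cvss_base), ...]
    refreshed_at: Optional[datetime]
    status: str


def filter_findings(findings: List[dict]) -> Dict[str, List[Tuple[str, float]]]:
    """Keep only findings at or above the threshold, grouped by asset.
    Each finding is a constructed dict with 'asset', 'cve' and 'cvss' keys."""
    per_asset: Dict[str, List[Tuple[str, float]]] = {}
    for f in findings:
        if f["cvss"] >= CVSS_THRESHOLD:
            per_asset.setdefault(f["asset"], []).append((f["cve"], f["cvss"]))
    return per_asset


def sync(fetch: Callable[[], List[dict]], previous: VulnerabilityState,
         now: datetime) -> VulnerabilityState:
    """One scheduled or on-demand sync. `fetch` is a hypothetical callable that
    returns findings, or raises ConnectionError when the scanner is unreachable."""
    try:
        findings = fetch()
    except ConnectionError as exc:
        # Scanner unreachable: keep the previous data and its timestamp, record the failure.
        return VulnerabilityState(previous.cves, previous.refreshed_at, f"failed: {exc}")
    return VulnerabilityState(filter_findings(findings), now, "ok")


# Constructed sample scan results (placeholder CVE IDs, not real advisories)
SAMPLE_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},  # below 7.0, dropped
    {"asset": "db-01", "cve": "CVE-0000-0003", "cvss": 7.0},   # exactly 7.0, kept
]


def run_demo() -> Tuple[VulnerabilityState, VulnerabilityState]:
    """Successful sync followed by an unreachable scanner; returns both states."""
    t1 = datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)
    ok = sync(lambda: SAMPLE_FINDINGS, VulnerabilityState({}, None, "never"), t1)

    def unreachable() -> List[dict]:
        raise ConnectionError("scanner not reachable")
    stale = sync(unreachable, ok, datetime(2024, 1, 2, 1, 0, tzinfo=timezone.utc))
    return ok, stale
```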

Configuration


Activate and configure Rapid7 Scanner for on-premise

To use the Rapid7 scanner's vulnerability results in CTSP, you must first integrate CTSP with the Rapid7 service.


  1. Go to Settings > Tools > Risk assessment tools.
  2. Click Activate in the Rapid7 tile.
  3. Click Configure in the Rapid7 tile.
  4. In the URL text box on the fly panel, enter the FQDN or IP address of the Rapid7 setup.
  5. In the Login text box, add the administrative username for the Rapid7 setup.
  6. In the Password text box, add the administrative password for the Rapid7 setup.
  7. Click Save.

    If the Rapid7 setup is reachable, CTSP fetches vulnerabilities data in the upcoming sync cycle (1 AM UTC).

    From here on, CTSP refreshes the vulnerabilities data every day.

    The timestamp and status of the everyday refreshes are displayed in the fly panel.


Activate and configure Rapid7 Cloud Scanner 

To use the Rapid7 cloud scanner's vulnerability results in CTSP, you must first integrate CTSP with the Rapid7 service.


  1. Go to Settings > Tools > Risk assessment tools.
  2. Click Activate in the Rapid7 tile.
  3. Click Configure in the Rapid7 tile.
  4. Select the region from the drop-down list.
  5. In the API Key text box, add the API key for the Rapid7 setup.
  6. Click Save.

    If the Rapid7 setup is reachable, CTSP fetches vulnerabilities data immediately.

    From here on, CTSP refreshes the vulnerabilities data every day at the scheduled sync (1 AM UTC).

    The timestamp and status of the everyday refreshes are displayed in the fly panel.


Interpret vulnerabilities data for an asset

Vulnerabilities data is displayed on the fly panels of the assets.


  • Click an asset on the Assets page.
  • Click the Security tab on the fly panel.
  • See when the exposure data was last refreshed for this asset at the top of the fly panel.

    If there are ongoing efforts to fix vulnerabilities on assets locally, you may have to click Fetch now to fetch the latest exposure data of the asset.

    Click Refresh at the top-right corner of the fly panel to see the latest vulnerabilities data.

    See the following details in the Security on open ports listing on the fly panel.

    • Ports - the number and protocol used on the port
    • Process - the process running on the port
    • Vulnerabilities - the list of vulnerabilities by their CVE IDs
    • Exposure (Probe) - the probe mapped with this open port


You will see the CVE IDs, CVSS scores, and the names and descriptions of the vulnerabilities on the port.


Disconnect and re-connect Rapid7 Scanner

Disconnect Rapid7 Scanner when you want to stop fetching vulnerabilities data from the Rapid7 setup temporarily.

  1. Go to Settings > Tools > Risk assessment tools.
  2. Click Configure in the Rapid7 tile.
  3. Click Disconnect in the fly panel.

    To re-connect CTSP with the Rapid7 setup, click Connect in the fly panel.

Fetch the latest vulnerability status from Rapid7 Scanner

To see the most recent exposure status of your assets, we recommend that you run the Rapid7 Scanner for your assets once every day, before CTSP fetches vulnerability data, or immediately after you make critical changes on the assets.
