
Rapid7 InsightVM
Vulnerability Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Rapid7 InsightVM connector integrates with the cloud-based Rapid7 InsightVM platform through the Insight Platform REST API (vm/v4/integration/*) and the InsightVM bulk-export GraphQL API (export/graphql). It synchronizes hosts (assets), the vulnerabilities found on those hosts, vulnerability definitions (including full CVSS v2/v3 detail), and policy violations with their definitions into the Brinqa Unified Data Model (UDM).
The connector synchronizes the following models:
- Host — Asset inventory records, including operating system, network, cloud instance, tag, and site metadata
- Vulnerability — Vulnerability findings detected on each host (new, unchanged, and remediated)
- Vulnerability Definition — Vulnerability catalog entries with CVSS v2/v3 detail, references, and remediation
- Violation — Policy assessment failures per asset from the bulk policy export
- Violation Definition — Benchmark/rule definitions behind each policy violation
Data retrieved from Rapid7 InsightVM
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Host | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
Model relationships
For detailed steps on how to view the data retrieved from Rapid7 InsightVM in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Rapid7 InsightVM from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://<region>.api.insight.rapid7.com | Rapid7 Insight Platform API url |
| API key | Yes | — | Rapid7 Insight Platform API key |
| Page size | No | 500 | The maximum number of records to get per API request |
| Request timeout (secs) | No | 120 | The maximum seconds allotted before a request will time out. Enter zero (0) to disable timeouts (not recommended). |
| Parallel requests | No | min(8, available processors) | The maximum number of parallel API requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
Authentication
The connector authenticates to the Rapid7 Insight Platform using an API Key. The configured key is sent on every request in the X-Api-Key header (along with X-Requested-With: brinqa). No token-exchange step is performed; the same key is reused for every subsequent REST and GraphQL request.
Endpoint
| Method | URL |
|---|---|
POST | {url}/vm/v4/integration/assets |
Request Headers
| Header | Value |
|---|---|
X-Api-Key | <API key> |
X-Requested-With | brinqa |
Content-Type | application/json |
Sample Response
{
"data": [
{
"id": "0a14c7b2-...",
"host_name": "web-01.example.com",
"ip": "10.0.0.5",
"os_name": "Ubuntu Linux 22.04"
}
],
"metadata": { "cursor": "eyJ0b2tlbiI6...", "size": 500 }
}
Usage
A 2xx response confirms the key is valid. The connection test issues POST /vm/v4/integration/assets with size=1. The same X-Api-Key value is reused on every model sync request, including the bulk-export GraphQL requests.
How to obtain Rapid7 InsightVM credentials
Create a Rapid7 InsightVM API key
For the Rapid7 InsightVM connector to use the Rapid7 InsightVM API, you must provide the API key from Rapid7. There are two types of API keys for Rapid7 InsightVM:
-
User key: The user key is tied to a specific user account and can be used to authenticate API requests made by that user. The user key inherits the permissions of the user who creates the API key.
-
Organization key: The organization key is tied to an organization as a whole. An organization key can be used to authenticate API requests and also provides access to all data within the organization, including assets, vulnerabilities, and reports. Only administrators can create organization API keys.
To generate a user API key, follow these steps:
-
Log in to your organization's Rapid7 InsightVM account as an administrator.
-
Navigate to API Keys > User Key and then click New User Key.
-
Select a user and provide a name for the key.
The new user API key displays. You cannot view the key again. Copy the API key and save it in a secure location.
To generate an organization API key, follow these steps:
-
Log in to your Rapid7 InsightVM account as an administrator.
-
Navigate to API Keys > Organization Key and click New Organization Key.
-
Select an organization and provide a name for the key.
The new organization API key displays. You cannot view the key again. Copy the API key and save it in a secure location.
Note: The above steps describe the minimum requirements for the Rapid7 InsightVM connector to work properly. For additional information, see Rapid7 Documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Host
| Source Field Name | SDM Attribute |
|---|---|
asset.assessed_for_policies | ASSESSED_FOR_POLICIES |
asset.assessed_for_vulnerabilities | ASSESSED_FOR_VULNERABILITIES |
asset.credential_assessments[] | CREDENTIAL_ASSESSMENTS |
asset.host_name (normalized) | HOSTNAMES |
asset.host_name (when not a public DNS name) | PRIVATE_DNS_NAMES |
asset.host_name (when public DNS name) | PUBLIC_DNS_NAMES |
asset.host_name / instance ID / asset.ip / asset.mac / asset.id | NAME |
asset.id | UID |
asset.ip | IP_ADDRESSES |
asset.ip (when a local IP) | PRIVATE_IP_ADDRESSES |
asset.ip (when not a local IP) | PUBLIC_IP_ADDRESSES |
asset.last_assessed_for_vulnerabilities | LAST_SEEN |
asset.last_assessed_for_vulnerabilities | LAST_SCANNED |
asset.mac (normalized) | MAC_ADDRESSES |
asset.os_architecture | OS_ARCHITECTURE |
asset.os_description / os_system_name / os_name / os_family / os_vendor | OPERATING_SYSTEM |
asset.os_family | OS_FAMILY |
asset.os_name | OS_NAME |
asset.os_system_name | OS_SYSTEM |
asset.os_type | OS_TYPE |
asset.os_vendor | OS_VENDOR |
asset.os_version | OS_VERSION |
asset.risk_score | SOURCE_RISK_SCORE |
asset.tags[] (non-SITE tags) | TAGS |
asset.tags[] (SITE-type tags) | SITES |
asset.unique_identifiers[].id (cloud source) | INSTANCE_ID |
asset.unique_identifiers[].source + id | UNIQUE_IDENTIFIERS |
ASSET_CATEGORY_HOST (+ host type derived from asset.type) | CATEGORIES |
generated (active) | STATUS |
generated (sync time) | LAST_CAPTURED |
operating system + host type, else asset.host_name | DESCRIPTION |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
asset.host_name | HOSTNAMES |
asset.id | TARGETS |
asset.ip | IP_ADDRESSES |
asset.last_assessed_for_vulnerabilities | TARGET_LAST_SCANNED |
definition.severity | SOURCE_SEVERITY |
definition.severity (normalized) | SEVERITY |
| derived from normalized severity | SEVERITY_SCORE |
| derived from normalized status | STATUS_CATEGORY |
finding state (new / unchanged / remediated) | PROVIDER_STATUS |
md5(asset.id, vulnerability_id, port, protocol, key, proof) | UID |
| normalized finding state | SOURCE_STATUS |
| normalized finding state | STATUS |
| same as UID | NAME |
vulnerability.first_found | FIRST_FOUND |
vulnerability.key | KEY |
vulnerability.last_found | LAST_FOUND |
vulnerability.port | PORT |
vulnerability.proof (+ remediation steps) | RESULTS |
vulnerability.protocol | PROTOCOL |
vulnerability.reintroduced | REINTRODUCED |
vulnerability.vulnerability_id | TYPE |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
| calculated from CVSS v2 vector | CVSS_V2_BASE_SCORE |
| calculated from CVSS v2 vector | CVSS_V2_TEMPORAL_SCORE |
| calculated from CVSS v3 vector | CVSS_V3_BASE_SCORE |
| calculated from CVSS v3 vector | CVSS_V3_TEMPORAL_SCORE |
| derived from normalized severity | SEVERITY_SCORE |
| merged solution text | RECOMMENDATION |
| parsed from cvss_v2_vector | CVSS_V2_AV / AC / AU / CI / II / AI / E / RL / RC / SEVERITY |
| parsed from cvss_v3_vector | CVSS_V3_AV / AC / PR / UI / CI / II / AI / E / RL / RC / SEVERITY |
| solution summaries | SOLUTION_SUMMARY |
| true when a solution has type patch | PATCHABLE |
vulnerability.added | SOURCE_CREATED_DATE |
vulnerability.categories | CATEGORIES |
vulnerability.cves | CVE_IDS |
vulnerability.cves | CVE_RECORDS |
vulnerability.cvss_v2_vector | CVSS_V2_VECTOR |
vulnerability.cvss_v3_vector | CVSS_V3_VECTOR |
vulnerability.denial_of_service | DENIAL_OF_SERVICE |
vulnerability.description | DESCRIPTION |
vulnerability.exploits[].value | EXPLOITS |
vulnerability.id | UID |
vulnerability.malware_kits[].name | MALWARE |
vulnerability.modified | SOURCE_LAST_MODIFIED |
vulnerability.pci_severity_score | PCI_SEVERITY |
vulnerability.pci_status | PCI_STATUS |
vulnerability.published | PUBLISHED_DATE |
vulnerability.references | REFERENCES |
vulnerability.risk_score | SOURCE_RISK_SCORE |
vulnerability.severity | SOURCE_SEVERITY |
vulnerability.severity (normalized) | SEVERITY |
vulnerability.title | NAME |
Violation
| Source Field Name | SDM Attribute |
|---|---|
assetId | TARGETS |
finalStatus | PROVIDER_STATUS |
finalStatus (normalized) | SOURCE_STATUS |
lastAssessmentTimestamp | LAST_FOUND |
md5(benchmarkNaturalId, ruleNaturalId, profileNaturalId, benchmarkVersion) | TYPE |
md5(benchmarkNaturalId, ruleNaturalId, profileNaturalId, benchmarkVersion, assetId, finalStatus) | UID |
orgId | ORGANISATION_ID |
proof | PROOF |
| same as UID | NAME |
Violation Definition
| Source Field Name | SDM Attribute |
|---|---|
benchmarkNaturalId | BENCHMARK_NATURAL_ID |
benchmarkTitle | BENCHMARK_TITLE |
| benchmarkTitle + , + ruleTitle | NAME |
benchmarkVersion | BENCHMARK_VERSION |
fixTexts | FIX_TEXTS |
fixTexts (joined) | RECOMMENDATION |
md5(benchmarkNaturalId, ruleNaturalId, profileNaturalId, benchmarkVersion) | UID |
profileNaturalId | PROFILE_NATURAL_ID |
profileTitle | PROFILE_TITLE |
publisher | PUBLISHER |
rationales | RATIONALES |
rationales (joined) | DESCRIPTION |
ruleNaturalId | RULE_NATURAL_ID |
ruleTitle | RULE_TITLE |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Host
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
POST /vm/v4/integration/assets - Default filters:
includeUniqueIdentifiers=true,includeSame=true
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
POST /vm/v4/integration/assets - Default filters:
includeUniqueIdentifiers=true,includeSame=true
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint · Endpoint:
POST /vm/v4/integration/vulnerabilities
Violation
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL bulk export (results read from downloaded Parquet files) · Endpoint:
POST /export/graphql
mutation CreatePolicyExport {
createPolicyExport(input: {}) {
id
}
}
Violation Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: GraphQL bulk export (results read from downloaded Parquet files) · Endpoint:
POST /export/graphql
mutation CreatePolicyExport {
createPolicyExport(input: {}) {
id
}
}
Changelog
The Rapid7 InsightVM connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.4.27 | No changes in this release. | N/A |
| 3.4.26 | No changes in this release. | N/A |
| 3.4.25 | No changes in this release. | N/A |
| 3.4.24 | No changes in this release. | N/A |
| 3.4.23 | No changes in this release. | N/A |
| 3.4.22 | Improvements - Refined policy violation data: the violation description is now built from the rule rationales, and fix-text guidance is captured more completely in the recommendation and fix text fields. | N/A |
| 3.4.21 | No changes in this release. | N/A |
| 3.4.20 | No changes in this release. | N/A |
| 3.4.19 | No changes in this release. | N/A |
| 3.4.18 | New Features - Added support for policy compliance data with two new models: Violation and Violation Definition. These synchronize policy benchmark rule violations and their definitions alongside existing asset and vulnerability data. | N/A |
| 3.4.17 | No changes in this release. | N/A |
| 3.4.16 | No changes in this release. | N/A |
| 3.4.15 | No changes in this release. | N/A |
| 3.4.14 | No changes in this release. | N/A |
| 3.4.13 | Bug Fixes - Vulnerability severity attributes are now populated only when a severity is reported by the source, avoiding spurious values on findings without severity data. | N/A |
| 3.4.12 | Bug Fixes - Hardened hostname normalization so an unset skip-normalization setting no longer causes asset synchronization to fail. | N/A |
| 3.4.11 | Improvements Dependency Upgrades - Updated bundled common, HTTP, and model libraries. | N/A |
| 3.4.10 | New Features - Added a hostname normalization skip list so hostnames matching configured patterns are preserved as reported by the source instead of being normalized. Improvements - Vulnerability findings now carry normalized severity, source severity, and a severity score derived from the reported severity. | N/A |
| 3.4.9 | Improvements Dependency Upgrades - Updated the bundled model library and CVSS calculator. | N/A |
| 3.4.8 | Improvements - Added a Reintroduced timestamp to vulnerability findings to capture when a previously closed finding reappeared. | • Vulnerability: the "patch available" attribute was re-keyed to "patchable". Re-sync the connector so existing findings pick up the new attribute key. |
| 3.4.7 | Improvements - Added a Solution Summary attribute to vulnerability definitions summarizing the available remediation guidance. | N/A |
| 3.4.6 | Improvements - Added a Target Last Scanned attribute to vulnerability findings, reflecting when the affected asset was last assessed for vulnerabilities. | N/A |
| 3.4.5 | No changes in this release. | N/A |
| 3.4.4 | Improvements - Reworked asset last-seen and last-scanned timestamps so they reflect the source-reported assessment dates, and added a last-captured timestamp recording when the asset was synchronized. | N/A |
| 3.4.3 | No changes in this release. | N/A |
| 3.4.2 | Bug Fixes - Corrected CVE identifier and CVE record attributes on vulnerability definitions, which previously could be populated from the wrong source field. - Fixed the display label of the NetBIOS name attribute on assets. | N/A |
| 3.4.1 | Improvements - Vulnerability finding status is now normalized into a status category and exposed alongside the provider and source status, giving a consistent open/closed view across versions. | N/A |
| 3.4.0 | Improvements - Added a normalized source status attribute to vulnerability findings. | N/A |
| 3.3.3 | Improvements - Vulnerability finding status is now normalized, with the original provider status preserved separately and a consistent normalized status used for reporting. | • Vulnerability: finding status values are now normalized rather than passed through as reported by the source. Re-sync the connector so existing findings reflect the normalized status. |
| 3.3.2 | Improvements - The "assessed for vulnerabilities" attribute on assets is now a true/false value instead of text. | • Host: the "assessed for vulnerabilities" attribute changed from a text type to a boolean type. Re-sync the connector so existing assets store the value with the new type. |
| 3.3.1 | No changes in this release. | N/A |
| 3.3.0 | No changes in this release. | N/A |
| 3.2.8 | Improvements - Host hostname, DNS name, and IP address attributes are now multi-valued, allowing all reported names and addresses to be retained. | • Host: the hostname, public/private DNS name, and public IP address attributes were re-keyed to their multi-valued counterparts. Re-sync the connector so existing assets populate the new attribute keys. |
| 3.2.7 | No changes in this release. | N/A |
| 3.2.6 | New Features - Added a configurable Request Timeout setting controlling how long the connector waits for a response from the Rapid7 Insight Platform. | N/A |
| 3.2.5 | No changes in this release. | N/A |
| 3.2.4 | No changes in this release. | N/A |
| 3.2.3 | No changes in this release. | N/A |
| 3.2.2 | No changes in this release. | N/A |
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | Improvements - Improved error reporting with InsightVM-specific messages for failed API requests. - Refined cloud asset source detection (AWS, Azure) for more accurate asset attribution. | N/A |
| 3.1.2 | Improvements - Vulnerability finding results text is now captured more reliably, and a severity score is now derived from the reported severity. | N/A |
| 3.1.1 | Improvements Dependency Upgrades - Updated the bundled model library. | N/A |
| 3.1.0 | No changes in this release. | N/A |
| 3.0.2 | Improvements - Host names are now normalized before being stored, improving asset matching consistency. | N/A |
| 3.0.1 | Bug Fixes - Improved API error handling, including proper retry behavior on rate-limit (HTTP 429) responses and clearer messages for authorization and not-found errors. | • Vulnerability: the way a vulnerability finding's unique identifier is composed changed, which alters the identifier for existing findings. Re-sync the connector so findings are re-keyed consistently. |
| 3.0.0 | Overview The Rapid7 InsightVM connector integrates with the Rapid7 Insight Platform to synchronize assets, vulnerability findings, and vulnerability definitions. Category: Vulnerability Management Models | N/A |