Rapid7 Nexpose
Rapid7 Nexpose is an on-premises vulnerability management tool that scans your assets and reports the vulnerabilities found on them. You can bring asset and security data from Rapid7 Nexpose into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Rapid7 Nexpose and how to obtain that information from Rapid7. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Rapid7 Nexpose from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Rapid7 Nexpose with Brinqa:
- Server URL: Your organization's Rapid7 Nexpose server URL. The URL format is https://<host>:<port>/.
- Username and Password: The username and password associated with the Rapid7 Nexpose user account, which must have permissions to log in to the API server and return data.

Info: The Rapid7 user account must have permissions to view asset, site, and vulnerability data. For additional information on roles and permissions, see Rapid7 documentation.
Additional settings
The Rapid7 Nexpose connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 500.
- Parallel requests: The maximum number of parallel API requests. The default setting is 8.
- Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Rapid7 Nexpose connector can retrieve the following types of data from the Rapid7 Nexpose API:
Table 1: Data retrieved from Rapid7 Nexpose
Connector Object | Required | Maps to Data Model |
---|---|---|
Asset | Yes | Host, Installed Package, Package |
Vulnerability | Yes | Vulnerability |
Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Rapid7 Nexpose in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Asset
Table 2: Asset attribute mappings
Source Field Name | Maps to Attribute |
---|---|
ASSET_TYPE | categories |
CPE | Local variable |
DNS_NAME | dnsNames, publicDnsNames, privateDnsNames |
INSTALLED_PACKAGE_ID | uid |
IP_ADDRESS | publicIpAddress, ipAddresses, privateIpAddresses |
LAST_SCANNED | lastScanned |
MAC_ADDRESS | macAddresses (normalize) |
NAME | name, hostnames |
NETBIOS_NAME | Local variable |
OPERATING_SYSTEM | operatingSystem |
PORTS | Local variable |
REF | type/references |
RISK_SCORE | Local variable |
SERVICES | Local variable |
SITE_ID | Local variable |
SITE_NAME | Local variable |
SOFTWARES | uid, type |
SOFTWARES_CPE_EDITION | Local variable |
SOFTWARES_CPE_LANGUAGE | Local variable |
SOFTWARES_CPE_OTHER | Local variable |
SOFTWARES_CPE_PART | Local variable |
SOFTWARES_CPE_PRODUCT | Local variable |
SOFTWARES_CPE_SW_EDITION | Local variable |
SOFTWARES_CPE_TARGET_HW | Local variable |
SOFTWARES_CPE_TARGET_SW | Local variable |
SOFTWARES_CPE_UPDATE | Local variable |
SOFTWARES_CPE_V2_2 | Local variable |
SOFTWARES_CPE_V2_3 | Local variable |
SOFTWARES_CPE_VENDOR | Local variable |
SOFTWARES_CPE_VERSION | Local variable |
SOFTWARES_DESCRIPTION | description |
SOFTWARES_FAMILY | Local variable |
SOFTWARES_PRODUCT | name |
SOFTWARES_TYPE | categories |
SOFTWARES_VENDOR | name |
SOFTWARES_VERSION | name |
SOURCE | Local variable |
STAGE | Local variable |
STATUS | status (normalized), sourceStatus, statusCategory |
SYS_ID | uid targets |
THREAT_CATEGORY | Local variable |
URL | url |
UUID | Local variable |
Vulnerability
Table 3: Vulnerability attribute mappings
Source Field Name | Maps to Attribute |
---|---|
FIRST_FOUND | firstFound |
HOST_ID | targets |
ID | type |
LAST_FOUND | lastFound |
PORT | port |
PROTOCOL | protocol |
RESULTS | results |
STATUS | status (normalize), statusCategory, sourceStatus |
SYS_ID | uid |
Vulnerability Definition
Table 4: Vulnerability Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CATEGORIES | categories |
CVE | cveIds, cveRecords |
CVSS_BASE_SCORE | cvssV2BaseScore |
CVSS_BASE_V3_SCORE | cvssV3BaseScore |
CVSS_VECTOR | cvssV2 (calculate) |
CVSS_V3_VECTOR | cvssV3 (calculate) |
DESCRIPTION | description |
EXPLOITS | exploits |
MALWARES | malware |
SEVERITY | severity (calculate), sourceSeverity, severityScore |
SOLUTION | recommendation |
SYS_ID | uid |
TITLE | name |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Rapid7 Nexpose connector supports the following operation options. See connector operation options for information about how to apply them.
Asset
Table 5: Rapid7 Asset operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Asset | container-image | Any valid container image name | A comma-separated list of container image names. Limit retrieved assets by their container image name. | Key: container-image Value: ContainerImage1, ContainerImage2. This key and value combination retrieves assets for the specified container images. |
Asset | container-status | created, dead, exited, paused, restarting, running, unknown | A comma-separated list of container statuses. Limit retrieved assets by the status of their associated container. | Key: container-status Value: running, exited. This key and value combination retrieves assets with a running or exited container status. |
Asset | criticality-tag | Very Low, Low, Medium, High, Very High | A comma-separated list of criticality tags. Limit retrieved assets by their criticality tag. | Key: criticality-tag Value: High, Very High. This key and value combination retrieves assets with a criticality tag of High or Very High. |
Asset | cve | Any valid CVE identifier | A comma-separated list of CVE IDs. Limit retrieved assets by a specific CVE identifier. | Key: cve Value: CVE-2021-1234. This key and value combination retrieves assets associated with the specified CVE. |
Asset | cvss-access-complexity | L, M, H | A comma-separated list of access complexities. Limit retrieved assets by the access complexity, where L = Low, M = Medium, and H = High. | Key: cvss-access-complexity Value: L, H. This key and value combination retrieves assets with low or high access complexity. |
Asset | cvss-access-vector | L, A, N | A comma-separated list of access vectors. Limit retrieved assets by the access vector, where L = Local, A = Adjacent, and N = Network. | Key: cvss-access-vector Value: N. This key and value combination retrieves assets with a network access vector. |
Asset | cvss-authentication-required | N, S, M | A comma-separated list of authentication levels. Limit retrieved assets by the level of authentication required, where N = None, S = Single, and M = Multiple. | Key: cvss-authentication-required Value: N, S. This key and value combination retrieves assets that require no authentication or single authentication. |
Asset | cvss-availability-impact | N, P, C | A comma-separated list of availability impacts. Limit retrieved assets by their availability impact, where N = None, P = Partial, and C = Complete. | Key: cvss-availability-impact Value: P, C. This key and value combination retrieves assets with partial or complete availability impact. |
Asset | cvss-integrity-impact | N, P, C | A comma-separated list of integrity impacts. Limit retrieved assets by their integrity impact, where N = None, P = Partial, and C = Complete. | Key: cvss-integrity-impact Value: N, C. This key and value combination only retrieves assets with no integrity impact or complete integrity impact. |
Asset | cvss-v3-attack-complexity | L, H | A comma-separated list of attack complexities. Limit retrieved assets by the attack complexity, where L = Low and H = High. | Key: cvss-v3-attack-complexity Value: L. This key and value combination retrieves assets with low attack complexity. |
Asset | cvss-v3-attack-vector | N, A, L, P | A comma-separated list of attack vectors. Limit retrieved assets by the attack vector, where N = Network, A = Adjacent, L = Local, and P = Physical. | Key: cvss-v3-attack-vector Value: N, P. This key and value combination retrieves assets with a network or physical attack vector. |
Asset | cvss-v3-availability-impact | N, L, H | A comma-separated list of availability impacts. Limit retrieved assets by their availability impact, where N = None, L = Low, and H = High. | Key: cvss-v3-availability-impact Value: L. This key and value combination retrieves assets with low availability impact. |
Asset | cvss-v3-confidentiality-impact | N, L, H | A comma-separated list of confidentiality impacts. Limit retrieved assets by their confidentiality impact, where N = None, L = Low, and H = High. | Key: cvss-v3-confidentiality-impact Value: N. This key and value combination retrieves assets with no confidentiality impact. |
Asset | cvss-v3-integrity-impact | N, L, H | A comma-separated list of integrity impacts. Limit retrieved assets by their integrity impact, where N = None, L = Low, and H = High. | Key: cvss-v3-integrity-impact Value: L, H. This key and value combination retrieves assets with low or high integrity impact. |
Asset | cvss-v3-privileges-required | N, L, H | A comma-separated list of required privileges. Limit retrieved assets by the privileges required, where N = None, L = Low, and H = High. | Key: cvss-v3-privileges-required Value: N. This key and value combination retrieves assets that require no privileges. |
Asset | cvss-v3-user-interaction | N, R | Limit retrieved assets by the user interaction required, where N = None and R = Required. | Key: cvss-v3-user-interaction Value: R. This key and value combination retrieves assets that require user interaction. |
Asset | host-name | Any valid host name | Limit retrieved assets by their associated host name. | Key: host-name Value: host123. This key and value combination retrieves assets for the specified host name. |
Asset | ip-address | Any valid IP address | Limit retrieved assets by their associated IP address. | Key: ip-address Value: 10.128.0.3. This key and value combination retrieves assets for the specified IP address. |
Asset | last-scan-date | Any valid date in yyyy-MM-dd format | Limit retrieved assets by the date they were last scanned. | Key: last-scan-date Value: 2023-09-25. This key and value combination retrieves assets that were last scanned on September 25, 2023. |
Asset | location-tag | Any location tag | A comma-separated list of location tags. Limit retrieved assets by their location tag. | Key: location-tag Value: Datacenter-A. This key and value combination retrieves assets with the specified location tag. |
Asset | owner-tag | Any owner tag | A comma-separated list of owner tags. Limit retrieved assets by their owner tag. | Key: owner-tag Value: Owner1. This key and value combination retrieves assets with the specified owner tag. |
Asset | open-ports | Any valid port number | A comma-separated list of port numbers. Limit retrieved assets by their associated open ports. | Key: open-ports Value: 443. This key and value combination retrieves assets associated with port 443. |
Asset | pci-compliance | 0, 1 | Limit retrieved assets by their PCI compliance status, where 0 = fail and 1 = pass. | Key: pci-compliance Value: 1. This key and value combination retrieves assets that passed PCI compliance. |
Asset | risk-score | Any valid risk score | Limit retrieved assets by their risk score. | Key: risk-score Value: 8.8. This key and value combination retrieves assets with a risk score of 8.8. |
Asset | site-id | Any valid site ID | Limit retrieved assets by their associated site ID. | Key: site-id Value: 102. This key and value combination retrieves assets associated with site ID 102. |
Asset | vasset-cluster | Any vAsset cluster name | Limit retrieved assets by their vAsset cluster. | Key: vasset-cluster Value: vAssetCluster1. This key and value combination retrieves assets associated with the specified vAsset cluster. |
Vulnerability
Table 6: Rapid7 Vulnerability operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Vulnerability | container-image | Any valid container image name | A comma-separated list of container image names. Limit retrieved vulnerabilities by their container image name. | Key: container-image Value: ContainerImage1, ContainerImage2. This key and value combination retrieves vulnerabilities for the specified container images. |
Vulnerability | container-status | created, dead, exited, paused, restarting, running, unknown | A comma-separated list of container statuses. Limit retrieved vulnerabilities by the status of their associated container, as determined by Rapid7 Nexpose. | Key: container-status Value: running, exited. This key and value combination retrieves vulnerabilities for containers with a running or exited status. |
Vulnerability | criticality-tag | Very Low, Low, Medium, High, Very High | A comma-separated list of criticality tags. Limit retrieved vulnerabilities by their criticality tag, as determined by Rapid7 Nexpose. | Key: criticality-tag Value: High, Very High. This key and value combination retrieves vulnerabilities with a criticality tag of High or Very High. |
Vulnerability | cve | Any valid CVE identifier | A comma-separated list of CVE IDs. Limit retrieved vulnerabilities by a specific CVE identifier. | Key: cve Value: CVE-2021-1234. This key and value combination retrieves vulnerabilities associated with the specified CVE. |
Vulnerability | cvss-access-complexity | L, M, H | A comma-separated list of access complexities. Limit retrieved vulnerabilities by the access complexity, as determined by Rapid7 Nexpose, where L = Low, M = Medium, and H = High. | Key: cvss-access-complexity Value: L, H. This key and value combination retrieves vulnerabilities with low or high access complexity. |
Vulnerability | cvss-access-vector | L, A, N | A comma-separated list of access vectors. Limit retrieved vulnerabilities by the access vector, where L = Local, A = Adjacent, and N = Network, as determined by Rapid7 Nexpose. | Key: cvss-access-vector Value: N. This key and value combination retrieves vulnerabilities with a network access vector. |
Vulnerability | cvss-authentication-required | N, S, M | A comma-separated list of authentication levels. Limit retrieved vulnerabilities by the level of authentication required, as determined by Rapid7 Nexpose, where N = None, S = Single, and M = Multiple. | Key: cvss-authentication-required Value: N, S. This key and value combination retrieves vulnerabilities that require no authentication or single authentication. |
Vulnerability | cvss-availability-impact | N, P, C | A comma-separated list of availability impacts. Limit retrieved vulnerabilities by their availability impact, as determined by Rapid7 Nexpose, where N = None, P = Partial, and C = Complete. | Key: cvss-availability-impact Value: P, C. This key and value combination retrieves vulnerabilities with partial or complete availability impact. |
Vulnerability | cvss-integrity-impact | N, P, C | A comma-separated list of integrity impacts. Limit retrieved vulnerabilities by their integrity impact, as determined by Rapid7 Nexpose, where N = None, P = Partial, and C = Complete. | Key: cvss-integrity-impact Value: N, C. This key and value combination only retrieves vulnerabilities with no integrity impact or complete integrity impact. |
Vulnerability | cvss-v3-attack-complexity | L, H | A comma-separated list of attack complexities. Limit retrieved vulnerabilities by the attack complexity, where L = Low and H = High, as determined by Rapid7 Nexpose. | Key: cvss-v3-attack-complexity Value: L. This key and value combination retrieves vulnerabilities with low attack complexity. |
Vulnerability | cvss-v3-attack-vector | N, A, L, P | A comma-separated list of attack vectors. Limit retrieved vulnerabilities by the attack vector, as determined by Rapid7 Nexpose, where N = Network, A = Adjacent, L = Local, and P = Physical. | Key: cvss-v3-attack-vector Value: N, P. This key and value combination retrieves vulnerabilities with a network or physical attack vector. |
Vulnerability | cvss-v3-availability-impact | N, L, H | A comma-separated list of availability impacts. Limit retrieved vulnerabilities by their availability impact, where N = None, L = Low, and H = High, as determined by Rapid7 Nexpose. | Key: cvss-v3-availability-impact Value: L. This key and value combination retrieves vulnerabilities with low availability impact. |
Vulnerability | cvss-v3-confidentiality-impact | N, L, H | A comma-separated list of confidentiality impacts. Limit retrieved vulnerabilities by their confidentiality impact, as determined by Rapid7 Nexpose, where N = None, L = Low, and H = High. | Key: cvss-v3-confidentiality-impact Value: N. This key and value combination retrieves vulnerabilities with no confidentiality impact. |
Vulnerability | cvss-v3-integrity-impact | N, L, H | A comma-separated list of integrity impacts. Limit retrieved vulnerabilities by their integrity impact, as determined by Rapid7 Nexpose, where N = None, L = Low, and H = High. | Key: cvss-v3-integrity-impact Value: L, H. This key and value combination retrieves vulnerabilities with low or high integrity impact. |
Vulnerability | cvss-v3-privileges-required | N, L, H | A comma-separated list of required privileges. Limit retrieved vulnerabilities by the privileges required, as determined by Rapid7 Nexpose, where N = None, L = Low, and H = High. | Key: cvss-v3-privileges-required Value: N. This key and value combination retrieves vulnerabilities that require no privileges. |
Vulnerability | cvss-v3-user-interaction | N, R | Limit retrieved vulnerabilities by the user interaction required, as determined by Rapid7 Nexpose, where N = None and R = Required. | Key: cvss-v3-user-interaction Value: R. This key and value combination retrieves vulnerabilities that require user interaction. |
Vulnerability | host-name | Any valid host name | Limit retrieved vulnerabilities by their associated host name. | Key: host-name Value: host123. This key and value combination retrieves vulnerabilities for the specified host name. |
Vulnerability | ip-address | Any valid IP address | Limit retrieved vulnerabilities by their associated IP address. | Key: ip-address Value: 10.128.0.3. This key and value combination retrieves vulnerabilities for the specified IP address. |
Vulnerability | last-scan-date | Any valid date in yyyy-MM-dd format | Limit retrieved vulnerabilities by the date they were last scanned, as determined by Rapid7 Nexpose. | Key: last-scan-date Value: 2023-09-25. This key and value combination retrieves vulnerabilities that were last scanned on September 25, 2023. |
Vulnerability | location-tag | Any location tag | A comma-separated list of location tags. Limit retrieved vulnerabilities by their location tag. | Key: location-tag Value: Datacenter-A. This key and value combination retrieves vulnerabilities with the specified location tag. |
Vulnerability | owner-tag | Any owner tag | A comma-separated list of owner tags. Limit retrieved vulnerabilities by their owner tag. | Key: owner-tag Value: Owner1. This key and value combination retrieves vulnerabilities with the specified owner tag. |
Vulnerability | open-ports | Any valid port number | A comma-separated list of port numbers. Limit retrieved vulnerabilities by their associated open ports. | Key: open-ports Value: 443. This key and value combination retrieves vulnerabilities associated with port 443. |
Vulnerability | pci-compliance | 0, 1 | Limit retrieved vulnerabilities by their PCI compliance status, as determined by Rapid7 Nexpose, where 0 = fail and 1 = pass. | Key: pci-compliance Value: 1. This key and value combination retrieves vulnerabilities that passed PCI compliance. |
Vulnerability | risk-score | Any valid risk score | Limit retrieved vulnerabilities by their risk score, as determined by Rapid7 Nexpose. | Key: risk-score Value: 8.8. This key and value combination retrieves vulnerabilities with a risk score of 8.5 or higher. |
Vulnerability | site-id | Any valid site ID | Limit retrieved vulnerabilities by their associated site ID. | Key: site-id Value: 102. This key and value combination retrieves vulnerabilities associated with site ID 102. |
Vulnerability | vasset-cluster | Any vAsset cluster name | Limit retrieved vulnerabilities by their vAsset cluster. | Key: vasset-cluster Value: vAssetCluster1. This key and value combination retrieves vulnerabilities associated with the specified vAsset cluster. |
The option keys and values are case-sensitive; enter them exactly as they are shown in this documentation.
APIs
The Rapid7 Nexpose connector uses the InsightVM API v3. Specifically, it uses the following endpoints:
Table 7: Rapid7 Nexpose API Endpoints
Connector Object | API Endpoints |
---|---|
Asset | POST /api/3/assets/search |
Asset | GET /api/3/sites |
Vulnerability | GET /api/3/assets/{id}/vulnerabilities |
Vulnerability | POST /api/3/assets/search |
Vulnerability Definition | GET /api/3/exploits |
Vulnerability Definition | GET /api/3/malware_kits |
Vulnerability Definition | GET /api/3/solutions |
Vulnerability Definition | GET /api/3/vulnerabilities |
Vulnerability Definition | GET /api/3/vulnerabilities/{id}/solutions |
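The connection settings and the POST /api/3/assets/search endpoint above, as an added Python example (not Brinqa's connector code): it builds one page of the search request with the page-size ceiling enforced, and keeps TLS verification on by trusting a CA bundle rather than skipping certificate verification. The host name, account, filter body, use of HTTP Basic authentication, and the `resources` / `page.totalPages` reply fields are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode

DEFAULT_PAGE_SIZE = 100  # connector default stated on this page
MAX_PAGE_SIZE = 500      # ceiling this page recommends

# Constructed sample replies (not real scan data) so the demo runs offline.
SAMPLE_PAGES = [
    {"resources": [{"id": 1}, {"id": 2}], "page": {"number": 0, "totalPages": 2}},
    {"resources": [{"id": 3}], "page": {"number": 1, "totalPages": 2}},
]


def tls_context(ca_bundle=None):
    """Return a TLS context with certificate and hostname checks enabled.

    For a console with a self-signed or private-CA certificate, pass the CA
    bundle path here instead of turning verification off.
    """
    return ssl.create_default_context(cafile=ca_bundle)


def build_search_request(server_url, username, password, filters,
                         page=0, size=DEFAULT_PAGE_SIZE):
    """Build (but do not send) one page of POST /api/3/assets/search."""
    if not server_url.lower().startswith("https://"):
        raise ValueError("server URL must look like https://<host>:<port>/")
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"page size must be between 1 and {MAX_PAGE_SIZE}")
    url = (server_url.rstrip("/") + "/api/3/assets/search?"
           + urlencode({"page": page, "size": size}))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    # Assumed body shape: a match mode plus a list of filter objects.
    body = json.dumps({"match": "all", "filters": filters}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})


def send(request, ctx):
    """Send one request over verified TLS and decode the JSON reply."""
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return json.load(resp)


def fetch_all(fetch_page):
    """Collect all records; fetch_page(n) returns page n as a dict.

    Assumes each reply carries 'resources' and 'page.totalPages'.
    """
    records, page = [], 0
    while True:
        reply = fetch_page(page)
        records.extend(reply.get("resources", []))
        page += 1
        if page >= reply.get("page", {}).get("totalPages", 0):
            return records


if __name__ == "__main__":
    # Hypothetical host, account and filter; nothing is sent in this demo.
    req = build_search_request(
        "https://nexpose.example.internal:3780/", "svc-readonly", "placeholder",
        [{"field": "risk-score", "operator": "is-greater-than", "value": 8.5}])
    print(req.get_method(), req.full_url)
    print(len(fetch_all(lambda n: SAMPLE_PAGES[n])), "assets")
```

Against a live console, pass `lambda n: send(build_search_request(..., page=n), tls_context("/path/to/ca.pem"))` to `fetch_all`.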
Changelog
The Rapid7 Nexpose connector has undergone the following changes:
Table 8: Rapid7 Nexpose connector changelog
Version | Description |
---|---|
3.4.7 | No change. |
3.4.6 | No change. |
3.4.5 | - Fixed an issue where the Vulnerability object sync was failing. - Renamed the SOFTWARE attribute on the Asset object to SOFTWARES and changed the attribute type from long to string. - Updated UIDs for the Rapid7 Nexpose connector to prevent collisions with other sources by prepending Connector Name + Data Type to each UID. For example, UIDs for Assets now follow the format Rapid7NexposeAsset-12345. Updated Vulnerability targets to use this format as well. - Code cleanup and general maintenance. |
3.4.4 | No change. |
3.4.3 | No change. |
3.4.2 | No change. |
3.4.1 | No change. |
3.4.0 | No change. |
3.3.3 | No change. |
3.3.2 | No change. |
3.3.1 | Fixed an issue where creating an integration with the Rapid7 Nexpose connector resulted in an error. |
3.3.0 | Initial Integration+ release. |