Rapid7 Nexpose Data Warehouse
Rapid7 Nexpose is an on-premises vulnerability scanner, which allows you to export data to an external data warehouse. You can use the Rapid7 Nexpose Data Warehouse connector to bring host and security data from your data warehouse into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Rapid7 Nexpose and how to obtain that information from Rapid7. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Rapid7 Nexpose Data Warehouse from the Connector drop-down. If you cannot find the connector in the drop-down, make sure you have installed it first. You must provide the following information to authenticate Rapid7 Nexpose Data Warehouse with Brinqa:
- Server name: The URL of your PostgreSQL server.
- Server port: The TCP/IP port of your PostgreSQL server. The server port defaults to 5432.
- Database name: The name of your Nexpose data warehouse database.
- User and Password: The login credentials for the PostgreSQL Server. The user must have read access to the database.
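One least-privilege way to provision that read-only user, limited to the six warehouse tables named in the connector's queries (listed under APIs on this page). This is an added example, not Brinqa's or Rapid7's own script; the role name `brinqa_ro`, the database name `nexpose_dw` and the `public` schema are assumptions.

```sql
-- Added example. Assumed names: role brinqa_ro, database nexpose_dw, schema public.
-- Run as the database owner or a superuser.

-- Login role with no administrative attributes. Set its password afterwards
-- with psql's \password so it does not appear in statement logs.
CREATE ROLE brinqa_ro LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

GRANT CONNECT ON DATABASE nexpose_dw TO brinqa_ro;
GRANT USAGE ON SCHEMA public TO brinqa_ro;

-- SELECT only, and only on the tables named in the connector's queries.
-- htmltotext(), called by two of those queries, needs no grant here:
-- PostgreSQL gives EXECUTE on functions to PUBLIC by default.
GRANT SELECT ON
    dim_asset,
    dim_vulnerability,
    dim_vulnerability_exception,
    fact_asset_vulnerability_finding,
    fact_asset_vulnerability_instance,
    fact_asset_vulnerability_remediation_date
TO brinqa_ro;

-- Defence in depth, not a boundary: the session can still change this setting,
-- so the grants above remain the actual control.
ALTER ROLE brinqa_ro SET default_transaction_read_only = on;

-- Check the result: expect can_select = true for exactly the six tables above
-- and can_write = false on every row. A true value elsewhere usually means a
-- grant to PUBLIC or an inherited role membership.
SELECT c.relname,
       has_table_privilege('brinqa_ro', c.oid, 'SELECT') AS can_select,
       has_table_privilege('brinqa_ro', c.oid,
                           'INSERT, UPDATE, DELETE, TRUNCATE') AS can_write
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p', 'v', 'm')
ORDER BY c.relname;
```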
Additional settings
The Rapid7 Nexpose Data Warehouse connector contains additional options for specific configuration:
- Fetch size: Set the number of rows per batch during query processing. The default is 1000.
- Use SSL: Use an SSL connection to the target database during the data import process. This ensures that all data transmitted from the warehouse is encrypted in transit.
- Skip certificate verification: Select this option to allow for untrusted certificates.
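A server-side check that sync sessions really are encrypted and that the PostgreSQL server would refuse a cleartext one. This is an added example, not part of the connector or the Brinqa documentation; it assumes PostgreSQL 10 or later, a superuser session, and the hypothetical names `brinqa_ro` (connector role) and `nexpose_dw` (warehouse database).

```sql
-- Added example. Assumed names: role brinqa_ro, database nexpose_dw.
-- Run as a superuser on the warehouse's PostgreSQL server.

-- 1. While a sync is running, list the connector's sessions with their TLS state.
--    ssl = false on any row means that session is in cleartext.
SELECT a.pid,
       a.client_addr,
       a.backend_start,
       s.ssl,
       s.version AS tls_version,
       s.cipher,
       s.bits
FROM pg_stat_activity AS a
JOIN pg_stat_ssl AS s USING (pid)
WHERE a.usename = 'brinqa_ro'
  AND a.datname = 'nexpose_dw'
ORDER BY a.backend_start;

-- 2. List pg_hba.conf rules that accept TCP connections without requiring TLS.
--    'host' matches both TLS and non-TLS clients; 'hostnossl' matches only
--    non-TLS clients. Review each returned rule against the connector's user,
--    database and address; a matching rule should become 'hostssl' so the
--    server itself rejects an unencrypted sync.
SELECT line_number,
       type,
       database,
       user_name,
       address,
       netmask,
       auth_method
FROM pg_hba_file_rules
WHERE type IN ('host', 'hostnossl')
  AND auth_method <> 'reject'
  AND error IS NULL
ORDER BY line_number;
```

Server-side views cannot show whether the client verified the server's certificate, so neither query says anything about the Skip certificate verification setting.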
Types of data to retrieve
The Rapid7 Nexpose Data Warehouse connector can retrieve the following types of data from the data warehouse:
Table 1: Data retrieved from Rapid7 Nexpose
Connector Object | Required | Maps to Data Model |
---|---|---|
Asset | Yes | Host |
Remediated Vulnerability | No | Not mapped |
Vulnerability | Yes | Vulnerability |
Vulnerability Definition | Yes | Vulnerability Definition |
Vulnerability Exception | No | Not mapped |
The Rapid7 Nexpose Data Warehouse connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Rapid7 Nexpose Data Warehouse in the Brinqa Platform, see How to view your data.
Attribute mappings
The following tables show the mappings between the source and the Brinqa data model attributes.
Asset
Table 2: Asset attribute mappings
Source Field Name | Maps to Attribute |
---|---|
address.getIpAddress | ipAddresses, privateIpAddresses |
address.getMacAddress | macAddresses |
assessed_for_policies | Local variable |
assessed_for_vulnerabilities | Local variable |
assetId | uid |
associatedValues.assetGroups.get | Local variable |
associatedValues.tags.get | tags |
categories | categories |
credential_status | Local variable |
description | description |
hostname | hostnames, publicDnsName, privateDnsName |
instance id | cloudInstanceId |
last_assessed_for_vulnerabilities | lastSeen, lastScanned |
name | name |
os_architecture | Local variable |
os_cpe | Local variable |
os_description | os |
os_family | Local variable |
os_name | Local variable |
os_system | Local variable |
os_type | Local variable |
os_vendor | Local variable |
os_version | Local variable |
publicIpAddress.get | publicIpAddress |
risk_modifier | Local variable |
sites | Local variable |
status | status |
Vulnerability
Table 3: Vulnerability attribute mappings
Source Field Name | Maps to Attribute |
---|---|
asset_id | targets |
first_found | firstFound |
host_name | hostnames |
ip_address | ipAddresses |
key | Local variable |
last_fixed | lastFixed |
last_found | lastFound |
nexpose_id | type |
port | port |
proof | results |
protocol | protocol |
reintroduced_date | reintroducedDate |
service | service |
severity | sourceSeverity |
severityScore | severity |
status | status, statusCategory |
type | categories |
uid | uid |
Vulnerability Definition
Table 4: Vulnerability Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
cves | cveIds, cveRecords |
cvss_score | cvssV2BaseScore |
cvss_vector | cvssV2Vector |
cvss_v3_score | cvssV3BaseScore |
cvss_v3_vector | cvssV3Vector |
cvssv2.getAttackComplexity | cvssV2Ac |
cvssv2.getAttackVector | cvssV2Av |
cvssv2.getAuthentication | cvssV2Au |
cvssv2.getAvailability | cvssV2Ai |
cvssv2.getConfidentiality | cvssV2Ci |
cvssv2.getExploitability | cvssV2E |
cvssv2.getIntegrity | cvssV2Ii |
cvssv2.getRemediationLevel | cvssV2Rl |
cvssv2.getReportConfidence | cvssV2Rc |
cvssv2.getSeverity | cvssV2Severity |
date_added | sourceCreatedDate |
date_modified | sourceLastModified |
date_published | publishedDate |
denial_of_service | Local variable |
description | description |
exploits | exploits |
exploit_skill_level | Local variable |
malwareKits | malware |
malware_popularity | Local variable |
patch_available | patchAvailable |
pci_severity | Local variable |
pci_status | Local variable |
recommendation | recommendation |
risk_score | Local variable |
score.getBaseScore | cvssV2BaseScore, cvssV3BaseScore |
severity | sourceSeverity, severity |
title | name, summary |
uid | uid |
urls | references |
vulnerability_id | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Rapid7 Nexpose Data Warehouse connector supports the following operation options:
Table 5: Rapid7 Nexpose Data Warehouse connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Vulnerability | asset_id | Any Rapid7 Nexpose asset ID(s) | A comma-separated list of asset IDs. You can use this option to filter vulnerabilities by their associated asset IDs. | Key: `asset_id`, Value: `12345,67890`. This key and value combination only retrieves vulnerabilities associated with the specified asset IDs. |
Vulnerability | nexpose_id | Any Rapid7 Nexpose vulnerability ID(s) | A comma-separated list of Nexpose IDs. You can use this option to filter vulnerabilities by their associated Nexpose IDs. | Key: `nexpose_id`, Value: `CVE-2021-34527,CVE-2022-12345`. This key and value combination only retrieves vulnerabilities with the specified Nexpose IDs. |
Vulnerability | title | Any Rapid7 Nexpose vulnerability title(s) | A comma-separated list of vulnerability titles. You can use this option to filter vulnerabilities by their associated titles. | Key: `title`, Value: `certificate-common-name-mismatch,insecure-http-methods`. This key and value combination only retrieves vulnerabilities with the specified titles. |
APIs
The Rapid7 Nexpose Data Warehouse connector connects directly to an external data warehouse using a PostgreSQL connection and runs SQL queries against the data warehouse schema to retrieve data. Specifically, it uses the following queries:
Asset
```sql
SELECT
    asset_id,
    host_name,
    host_type,
    os_type,
    os_vendor,
    os_family,
    os_name,
    os_version,
    os_architecture,
    os_description,
    os_system,
    os_cpe,
    risk_modifier,
    assessed_for_vulnerabilities,
    assessed_for_policies,
    credential_status,
    sites,
    last_assessed_for_vulnerabilities
FROM
    dim_asset
{% if syncToken %}
WHERE
    last_assessed_for_vulnerabilities >= TO_TIMESTAMP(?::double precision / 1000)
{% endif %}
```
Remediated Vulnerability
```sql
SELECT
    rdate.asset_id,
    rdate.vulnerability_id,
    rdate.day AS last_fixed
FROM
    fact_asset_vulnerability_remediation_date AS rdate
{% if syncToken %}
WHERE
    rdate.day >= TO_TIMESTAMP(?::double precision / 1000)
{% endif %}
```
Vulnerability
```sql
SELECT
    vuln.nexpose_id AS nexpose_id,
    vuln.vulnerability_id AS vulnerability_id,
    asset.asset_id AS asset_id,
    asset.host_name AS host_name,
    host(asset.ip_address) AS ip_address,
    inst.proof AS raw,
    htmltotext(inst.proof, false) AS proof,
    inst.status AS type,
    inst.key AS key,
    inst.service AS service,
    inst.port AS port,
    inst.protocol AS protocol,
    vuln.severity AS severity,
    vuln.severity_score AS severity_score,
    inst.date AS date_tested,
    fdate.date AS first_found,
    asset.last_assessed_for_vulnerabilities AS last_found
FROM
    fact_asset_vulnerability_instance AS inst
    JOIN fact_asset_vulnerability_finding AS fdate USING (asset_id, vulnerability_id)
    JOIN dim_vulnerability AS vuln USING (vulnerability_id)
    JOIN dim_asset AS asset USING (asset_id)
{% if whereCondition %}
WHERE
    {% if syncToken %}
    asset.last_assessed_for_vulnerabilities >= TO_TIMESTAMP(?::double precision / 1000)
    {% endif %}
    {% if syncToken and title %}
    AND
    {% endif %}
    {% if title %}
    vuln.title LIKE ?
    {% endif %}
    {% if (syncToken or title) and nexposeId %}
    AND
    {% endif %}
    {% if nexposeId %}
    vuln.nexpose_id = ?
    {% endif %}
    {% if (syncToken or title or nexposeId) and assetId %}
    AND
    {% endif %}
    {% if assetId %}
    asset.asset_id = ?
    {% endif %}
{% endif %}
```
Vulnerability Exception
```sql
SELECT
    vulnerability_exception_id,
    vulnerability_id,
    scope,
    scope_description,
    reason,
    COALESCE(additional_comments, '') AS additional_comments,
    submitted_date,
    submitted_by,
    review_date,
    reviewed_by,
    review_comment,
    expiration_date,
    status,
    site_id,
    asset_id,
    port,
    key,
    group_id
FROM
    dim_vulnerability_exception
{% if syncToken %}
WHERE
    expiration_date >= TO_TIMESTAMP(?::double precision / 1000)
{% endif %}
```
Vulnerability Definition
```sql
SELECT
    nexpose_id,
    vulnerability_id,
    htmltotext(title, false) AS title,
    htmltotext(description, false) AS description,
    severity_score AS severity,
    pci_severity_score AS pci_severity,
    pci_status,
    pci_adjusted_cvss_score,
    risk_score,
    cvss_vector,
    ROUND(cvss_score::numeric, 1) AS cvss_score,
    cvss_v3_vector,
    ROUND(cvss_v3_score::numeric, 1) AS cvss_v3_score,
    denial_of_service,
    exploit_skill_level,
    malware_popularity,
    date_published,
    date_added,
    date_modified
FROM
    dim_vulnerability
{% if syncToken %}
WHERE
    date_modified >= TO_TIMESTAMP(?::double precision / 1000)
{% endif %}
```
Changelog
The Rapid7 Nexpose Data Warehouse connector has undergone the following changes:
Table 6: Rapid7 Nexpose Data Warehouse connector changelog
Version | Description | Date Published |
---|---|---|
3.0.17 | Fixed an issue where vulnerability statuses were not getting updated despite successful syncs. Added the REINTRODUCED_DATE attribute to the Vulnerability object; if there is a reintroduced date present on a vulnerability, it is treated as reopened. Renamed the following attributes on the Host object: HOSTNAME → HOSTNAMES, PRIVATE_DNS_NAME → PRIVATE_DNS_NAMES, PUBLIC_DNS_NAME → PUBLIC_DNS_NAMES, PUBLIC_IP_ADDRESS → PUBLIC_IP_ADDRESSES. Renamed the HOSTNAME attribute to HOSTNAMES on the Vulnerability object. Renamed the PATCH_AVAILABLE attribute to PATCHABLE on the Vulnerability Definition object. | May 28th, 2025 |
3.0.16 | Changed the VULNERABILITY_ID attribute type on the Vulnerability Definition object from string to integer. | June 3rd, 2024 |
3.0.15 | Changed the ASSESSED_FOR_VULNERABILITIES attribute type on the Host object from string to boolean. | May 15th, 2024 |
3.0.14 | Fixed an issue where the CREDENTIAL_STATUS attribute on the Host object was incorrectly set to the boolean type. | March 27th, 2024 |
3.0.13 | Code clean up and general maintenance. | March 26th, 2024 |
3.0.12 | Fixed an issue where the connector was not pulling in data. | March 21st, 2024 |
3.0.11 | Updated to fetch azure_vmid as the Instance ID for Azure assets. | March 4th, 2024 |
3.0.10 | Added a 'fixed' status if the remediation_date is set in the source. | February 15th, 2024 |
3.0.9 | Added the CATEGORIES attribute to the Vulnerability object to store information about the vulnerability type. | February 12th, 2024 |
3.0.8 | Enhanced to normalize hostnames retrieved from Rapid7 Nexpose Data Warehouse. | November 26th, 2023 |
3.0.7 | Segregated local process files to avoid conflicts between multiple syncs. | October 24th, 2024 |
3.0.6 | Code clean up and general maintenance. | January 30th, 2023 |
3.0.5 | Code clean up and general maintenance. | January 28th, 2023 |
3.0.4 | Code clean up and general maintenance. | December 18th, 2022 |
3.0.3 | Improved how the connector generates asset names. | December 18th, 2022 |
3.0.2 | Code clean up and general maintenance. | December 16th, 2022 |
3.0.1 | Added missing descriptions to assets. | December 15th, 2022 |
3.0.0 | Initial Integration+ release. | December 15th, 2022 |