We have a requirement to pull a list of assets from our CMDB and add them to the global asset exclusion list in InsightVM so they’re not scanned. I’ve created a Python script to pull the appropriate assets from our CMDB and am now working on adding them to InsightVM. Is there an API to add hostname/IP to the global asset exclusion list? We’ve been using the rapid7vmconsole Python utility to perform other automated actions, and I’m seeing the APIs to manage excluded assets on sites, but I’m not seeing anything for adding hostname/IP to the global asset exclusion list.
I’m double checking with the team to see if we have an endpoint for that, but looking through the API docs, I didn’t see one offhand. If you’re doing this with a Python script, an alternative could be to write the IPs/hostnames of assets you want to exclude to a file, and then use the “Import list from file” option in InsightVM. I know that’s an extra step, but it beats manually entering each one in the textbox.
Thanks Holly. That’s what we’re doing for now, just manually loading the output from the Python script. The hope was to fully automate the process, but this will work for now. If it’s confirmed that an API doesn’t exist, can we submit an enhancement request?
I confirmed with the team and it looks like there isn’t currently an APIv3 endpoint for global exclusions. I suppose another option could be to retrieve all your sites, then loop through those to add the assets you want to exclude to each site (since like you said, there is an endpoint for that). Definitely not the best option though, and it would depend on how your assets are grouped.
I can pass your feedback to the team regarding a new global asset exclusion-related endpoint. Thanks for letting us know!
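The per-site workaround suggested in the reply above, as an added example that is not code from the thread participants or from Rapid7. The endpoint paths (`/api/3/sites`, `/api/3/sites/{id}/excluded_targets`) and response fields (`resources`, `page.totalPages`, `addresses`) are assumptions to check against your console's API v3 documentation, and `call` is a hypothetical transport function you would back with an authenticated HTTPS client.

```python
# Added example: sync a CMDB list into every site's excluded targets.
# Paths and response fields are assumed from InsightVM API v3; verify them.
import ipaddress

def normalize(targets):
    """Validate IPs/CIDRs, lowercase hostnames, drop blanks and duplicates."""
    out = []
    for t in (x.strip() for x in targets):
        if not t:
            continue
        try:
            if "/" in t:
                t = str(ipaddress.ip_network(t, strict=False))
            else:
                t = str(ipaddress.ip_address(t))
        except ValueError:
            t = t.lower()  # not an IP or CIDR: treat as a hostname
        if t not in out:
            out.append(t)
    return out

def list_sites(call):
    """Walk the paged site listing and return every site id."""
    ids, page = [], 0
    while True:
        body = call("GET", f"/api/3/sites?page={page}&size=100", None)
        ids += [s["id"] for s in body.get("resources", [])]
        page += 1
        if page >= body.get("page", {}).get("totalPages", 1):
            return ids

def sync_exclusions(call, cmdb_targets, dry_run=True):
    """Add missing CMDB targets to each site; return {site_id: added}."""
    wanted, changes = normalize(cmdb_targets), {}
    for site_id in list_sites(call):
        path = f"/api/3/sites/{site_id}/excluded_targets"
        current = call("GET", path, None).get("addresses", [])
        # Exact string match only: a host already covered by an excluded
        # range is still reported as missing.
        missing = [t for t in wanted if t not in current]
        if missing:
            changes[site_id] = missing
            if not dry_run:
                # Assumed: PUT replaces the whole list, so send old + new.
                call("PUT", path, current + missing)
    return changes
```

Run it with `dry_run=True` first and review the returned mapping before letting it write, since sites created later will not carry the exclusions until the next sync.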
Ok thanks Holly!
Do you guys have any update on the question asked? @holly_wilsey
Hi Amit, apologies, I missed your previous message. No, we don’t have a Python script for this. We’ve just been manually loading the records into the global exclusion list.
@joe_braun How about adding the list of IPs for scanning into multiple sites?
We haven’t created a script to do that.
@joe_braun - Would tagging work? You “tag” an asset as “Exclude”, and create a Dynamic Group based on the tag itself. This group can then be added to the site’s “Exclude” section in the config?
Yeah, that would work for assets that have already been discovered. The hope was to proactively exclude IP addresses/ranges so the scanner would never hit them in the first place.