We have been using R7 for 2 years and have a few customers.
My primary part is InsightVM.
I worked with different vuln scanners before and think R7 is pretty good, but a few things are bothering me.
Asset Duplicate: A thing which is often discussed here, and there is no change. The Asset Linking update a few versions ago was absolutely … Also, there is just an overall retention policy and no possibility to make a retention policy for different asset groups. Why should I keep a phone which was scanned 20 days ago in the guest Wi-Fi? On the other hand, I want to keep the records of my road warriors, which are not online daily. I can only define a number, and it will be enforced on all assets.
Scan Templates: The last update from support was that if you change the default scan template, it will not include new vulns. Did this change, or is it the same?
Alerting/Notifications: The Teams notifications are pretty nice, but the built-in notifications are not that great; it gets worse if you are working with multiple customers.
Tamper Protection Agent: Still nothing (friends in IDR are not happy about it).
Dashboards InsightVM vs IDR: No cards to edit like in IDR; it feels a bit like the Stone Age.
SSH authenticated scans on a different port: If it is not on port 22, you have a lot of trouble scanning the asset. Is there a change coming in the future?
And the last point … no light mode in InsightVM.
I know there were a lot of negative points, but maybe the community will look it up and also has some points in common.
I agree with you on most things.
In my case I also work with multiple clients. The Dashboards part in VM is, as you say, a little bit old. I would love to edit the cards and make some nice graphics to add to an executive report.
It would be cool if R7 transformed some graphs from the reports, which are very nice, into cards.
If you have filed an IDEA with any of the features you want, feel free to post it so I can add to it.
I am also seeing the Asset Duplicate issue. We just found an asset that has duplicated itself 500 times in the past few days. Also, the retention policy is hit and miss as to whether it really removes the devices. We had an issue with a ton of stale devices, and the only fix was a reinstall, which caused duplicate entries, and the system is taking its sweet time to clear out the duplicates that meet the requirements.
PowerShell Guy w/ RESTMethod API calls:
The way I handle removing certain assets is to create a detailed dynamic asset filter group. Then I have scheduled task management run a daily PowerShell script that deletes everything within that group.
For duplicates, I run a script that pulls down all assets and sorts them by IP and LastScanDate. Then from there I run through a foreach, comparing the IP and MAC address of index[0] with index[1]. If equal, I send index[0] to a CSV file as a dupe (since LastScanDate is sorted older to newer, index[1] would be the newer scan) for me to review… and probably run another script to remove.
I don't run it very often and I like to review before deleting, so I don't have this set up with an automated task.
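An added example of the duplicate-review step described in the post above (this is not the poster's script): it walks a sorted asset list, compares each record with its neighbour on IP and MAC, and writes the older of each pair to a CSV for review. The asset records are constructed inline; in real use they would come from the console's REST API, which is assumed here and not shown.

```powershell
# Constructed sample asset records (assumption: the same fields as a real export from the console).
$assets = @(
    [pscustomobject]@{ Id = 101; IP = '10.0.1.20'; MAC = 'AA-BB-CC-00-00-01'; LastScanDate = [datetime]'2024-03-01' }
    [pscustomobject]@{ Id = 102; IP = '10.0.1.20'; MAC = 'AA-BB-CC-00-00-01'; LastScanDate = [datetime]'2024-03-05' }
    # Same IP but a different MAC: a reused DHCP lease, not a duplicate asset.
    [pscustomobject]@{ Id = 103; IP = '10.0.1.20'; MAC = 'AA-BB-CC-00-00-02'; LastScanDate = [datetime]'2024-03-06' }
    [pscustomobject]@{ Id = 104; IP = '10.0.1.21'; MAC = 'AA-BB-CC-00-00-03'; LastScanDate = [datetime]'2024-03-02' }
    [pscustomobject]@{ Id = 105; IP = '10.0.1.21'; MAC = 'AA-BB-CC-00-00-03'; LastScanDate = [datetime]'2024-03-07' }
    [pscustomobject]@{ Id = 106; IP = '10.0.1.21'; MAC = 'AA-BB-CC-00-00-03'; LastScanDate = [datetime]'2024-03-09' }
    # No MAC recorded: never treated as a duplicate, because two empty MACs would otherwise compare equal.
    [pscustomobject]@{ Id = 107; IP = '10.0.1.22'; MAC = $null; LastScanDate = [datetime]'2024-03-03' }
    [pscustomobject]@{ Id = 108; IP = '10.0.1.22'; MAC = $null; LastScanDate = [datetime]'2024-03-08' }
)

function Find-DuplicateAssets {
    param([Parameter(Mandatory)][object[]]$Assets)
    # Sort oldest to newest within each IP so that index[i] is always the older record of a pair.
    $sorted = @($Assets | Sort-Object IP, LastScanDate)
    $dupes = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $sorted.Count - 1; $i++) {
        $older = $sorted[$i]
        $newer = $sorted[$i + 1]
        # -eq on strings is case-insensitive in PowerShell, so 'aa-bb' and 'AA-BB' still match.
        if ($older.IP -eq $newer.IP -and $older.MAC -and $older.MAC -eq $newer.MAC) {
            $dupes.Add([pscustomobject]@{
                DuplicateId   = $older.Id          # the record to review and possibly remove
                KeepId        = $newer.Id          # the newer scan of the same IP/MAC
                IP            = $older.IP
                MAC           = $older.MAC
                DuplicateScan = $older.LastScanDate
                NewerScan     = $newer.LastScanDate
            })
        }
    }
    return $dupes
}

# With the sample data this flags 101 (kept: 102), 104 (kept: 105) and 105 (kept: 106);
# a chain of three copies yields two rows, and the newest record is never flagged.
$report = Find-DuplicateAssets -Assets $assets
$report | Export-Csv -Path '.\asset-duplicates.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

The CSV is the review artefact; deleting the flagged IDs stays a separate, manually triggered step, matching the workflow in the post.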
So you are running the scheduled task on the console? So you also provide the password in cleartext in the script? I was also thinking about that, but it would be nicer if R7 would just add dynamic retention policies.
I understand the steps.
Some thoughts on this one:
There is one issue: if the attacker enters the machine and escalates privileges, he can decrypt your file and find the password (worst case).
Problem of the API:
The authentication needs the password in clear text; after the PowerShell script it can use base64 for authentication. So you need something where the password is stored and can be used from a saved spot.
So you use a credential store in your PowerShell script. But it can also be reversed if the attacker can enter the machine.
Point on your side: if the attacker is on the machine and he knows how IVM works, he can reset the password in interactive mode.
I know R7 does not want to implement it because of licensing… But VDI duplicates and the new asset linking are also not the current best practice …
So I was thinking this through, but decided not to implement it.
Since we installed the Insight Agent on our non-persistent VDIs, we have been suffering from multiple duplicated assets each day. This not only bloats our license consumption but also affects the reported vulnerability counts.
From what I understand from the various threads in this forum, each VDI gets a new R7 Agent ID, which is the reason why we see duplicated assets every day. However, there is also a second unique identifier, the Windows UUID, and this UUID does not change for a given asset.
Do I understand correctly that Rapid7 creates a new asset as soon as it sees a new Agent ID, effectively ignoring the Windows UUID, which would indicate that this asset already exists?
Is there no way to prioritize the Windows UUID over the Agent ID? It would be great if there were an option for customers to fine-tune the asset correlation logic.
I am fortunate in that I export the vulnerability data into a dedicated PostgreSQL database and present it in Power BI. There, I was able to remove duplicates via a PostgreSQL query on the data source, so our reports and dashboards only show unique assets.
However, it would be very helpful to have fewer duplicates directly in the Rapid7 console as well.
I have already created a support case, but the initial response was not very helpful. Maybe this could be considered as a product idea: allow customers to fine-tune asset correlation and configure the order in which asset identifier values are used (first, second, third, etc.).
I assume you are referring to this option. Would this imply that all of our more than 1'000 VDIs are aggregated into a single device?
If so, what would be the benefit of distributing the agent to every VDI? Installing the agent only on our golden image should lead to the same outcome.
Correct - from the description, each time the VDI image starts up, it is assigned a new UUID, causing IVM to treat it as a new asset. Setting the custom UUID would override the system UUID so that the multiple instances of the golden image map back to a single asset.