Importing your first InsightVM + InsightConnect Workflow

With InsightConnect “connected” to InsightVM a whole world of possibilities is available. One of the quickest and easiest integrations is leveraging a chat tool - like Slack or Microsoft Teams - to inject information from InsightVM into your security and IT teams’ existing processes.

Let’s take a scenario - you receive vulnerability intelligence that Zerologon is being exploited in the wild and your network is likely to be targeted. You go into your IT team’s Slack channel and the following happens:

you: “we just got intelligence that Zerologon - CVE-2020-1472 - is a big deal right now. We need to make sure we’re protected”.
sysad: “Okay, what assets are we talking about here?”

Before InsightConnect, you’d have to go to InsightVM, search for the vulnerabilities, and export a list of impacted hosts. Then you’d have to keep doing this periodically to help the IT team track their progress.
With InsightConnect we have a better way. Let’s pick-up our scenario where we left off:

you: “@rapidy insightConnect lookup-vuln-hosts CVE-2020-1472”
InsightConnect (in a thread): Searching… Vulnerability found… {details of vuln} {vulnerable assets}
you: That’s the current list from InsightVM. The InsightAgent submits a vulnerability assessment to InsightVM every 6 hours so you can re-run that command to get an updated list and verify your patches are successful.
sysad: Thanks! I’m on it.

So that’s really useful - but how do we get it set up?

In the Extension Library we have two versions of this workflow - one for Slack and one for MS Teams.

Before we can import one of these workflows, we need a couple of things:

  1. an Orchestrator
  2. a connection to Slack or MS Teams
  3. a connection to InsightVM

Setting up an Orchestrator is covered here. We need an orchestrator to make the connection to InsightVM and to run the MS Teams plugin.

Setting up Slack is documented here and MS Teams here.

For InsightVM, we need an account on the InsightVM console. This account should be an admin account and should be configured locally on the console - so no SSO or federated account. It needs to be an admin account, otherwise many actions will fail or give incomplete results.

If this is your first InsightVM workflow, don’t worry about importing the plugin beforehand - once you have the credentials provisioned in InsightVM we can easily set up the plugin while importing the workflow.

Once we’ve met these minimum requirements, we can import our workflow! We’re going to use the Slack version going forward but the experience with the MS Teams version is nearly identical:

  1. Go to the extension library and find our workflow (link above). Click Import.

  2. You’ll see a screen listing the plugins the workflow uses. Any missing plugins will be automatically imported when you hit Next.

  3. Next you’ll see the connections screen. See those yellow dots? Those are connections you need to either configure or specify.

  4. One at a time, expand the entry with the arrow at the right and configure the connection. Some steps, like the CSV step, you just need to expand and hit Save to have it run in the cloud. Other steps, like InsightVM, you’ll need to select or create a connection. For the InsightVM connection, the URL is the console’s base URL - https://<console host>:<your port (default 3780)> - NO TRAILING SLASH.

  5. Once you’ve gotten rid of all those yellow dots, hit Next, give your workflow a name (or accept the default), and hit Import. You’ll be taken to the workflow in the DRAFT view.

  6. Hit the pencil icon in the top corner of Parameters and configure our three Parameters.

  • In Slack, we can listen in multiple channels using a regex. To have it listen in EVERY channel, just put .* as the channel name.
  • Max Hosts and Max Vulnerabilities are limits - without sensible values the workflow could return thousands of entries, which wouldn’t be very practical.
  7. Once your parameters are saved, you can activate the workflow and give it a try! Give the command from our scenario a go.

This workflow is just one example of how InsightConnect can enhance your VM program by removing friction and providing the right information in the right place at the right time.

Another great example to look at is the Tag Newly Discovered Devices with Active Directory OU from InsightVM workflow, which demonstrates how InsightConnect can be used to add context to assets in InsightVM and how InsightConnect can react to events in InsightVM.

So, now that we’ve got our first InsightVM workflow imported, how does it actually work?

This is going to get technical so if you don’t want the details, you’re all done.

Some background: InsightVM uses an internal Rapid7 identifier for vulnerabilities - the NexposeID. This is the same identifier used in the Rapid7 Vulnerability Database. In order to run a report in InsightVM, we need to use this identifier instead of the CVE, MSKB, or other identifier for the vulnerability.

InsightVM maintains a database of “vulnerability aliases” that links these “alternate identifiers” to the Rapid7 ID in a one-to-many relationship. This is why we can return multiple vulnerabilities when we search for a CVE.

The Lookup Vulnerable Assets with Slack workflow is split into two parts:

  1. Converting the vulnerability input into a Rapid7 VulnID
  2. Getting information about that VulnID from the InsightVM console

The vast majority of the workflow is dealing with part 1 - converting the vulnerability.

During our conversion phase, the workflow:

  1. checks to see if the vuln is a Rapid7 ID already. If so we go on to step 2
  2. if not a Rapid7 ID, check the InsightVM alternate identifiers. If found, we go on to step 2
  3. if not found in the InsightVM alternate identifiers, run a search through the online Rapid7 VulnDB, if found, continue on to step 2
  4. If still not found, notify you that it can’t find that vulnerability

To do these alternate identifier lookups in InsightVM we’re leveraging the Ad-Hoc SQL query action, which allows us to run SQL directly against the InsightVM Reporting Data Model. While this step is running, you’ll see a report generating on your console. Don’t worry, the plugin cleans up after itself so it won’t leave the report cluttering up your reporting history in InsightVM.
Because this action returns a CSV file, we then have to convert it from CSV before we can use it.

During our vuln lookup phase, we take our output from step 1 - specifically a list of Rapid7 Vuln IDs, and

  1. do a sanity check to make sure we don’t have more vulnerabilities than our limit (and bail out if we do)
  2. look up each one in InsightVM and return the vulnerability details and a list of vulnerable assets (limited to our Max Hosts setting)
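To make the two phases concrete, here is the same decision chain re-created in plain Python: the conversion phase (Rapid7 ID check, console alias lookup via the CSV the Ad-Hoc SQL step hands back, online VulnDB fallback, not-found message) and the lookup phase (vulnerability-count sanity check, per-vulnerability asset list trimmed to Max Hosts). This is an added example, not the workflow's own steps or the InsightVM plugin's code, and it never contacts a console: the alias CSV, the VulnDB results and the asset lists are constructed inline, the "is this already a Rapid7 ID" heuristic is an assumption, and the `dim_vulnerability` / `dim_vulnerability_reference` table and column names in the sample SQL are my recollection of the Reporting Data Model and should be checked against your console's documentation.

```python
import csv
import io
import re

# Alias patterns we treat as "not a Rapid7 ID" (assumed heuristic; the workflow's
# own check may differ). Anything else is passed straight through as a Rapid7 ID.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
MSKB_RE = re.compile(r"^(?:MSKB-|KB)\d+$", re.IGNORECASE)

# Shape of the query the Ad-Hoc SQL step would run against the Reporting Data
# Model to map an alternate identifier to its (possibly many) Rapid7 IDs.
# Table/column names are assumed; verify against your console's documentation.
ALIAS_SQL_TEMPLATE = """
SELECT dvr.reference, dv.nexpose_id, dv.title
FROM dim_vulnerability dv
JOIN dim_vulnerability_reference dvr ON dvr.vulnerability_id = dv.vulnerability_id
WHERE dvr.source = 'CVE' AND dvr.reference = '{reference}'
"""

# Constructed stand-in for the CSV the Ad-Hoc SQL step returns. One CVE maps to
# two Rapid7 IDs here, which is the one-to-many relationship the text describes.
ALIAS_CSV = (
    "reference,nexpose_id,title\n"
    "CVE-2020-1472,msft-cve-2020-1472,Netlogon elevation of privilege (constructed)\n"
    "CVE-2020-1472,samba-cve-2020-1472,Samba Netlogon (constructed)\n"
    "CVE-2019-0708,msft-cve-2019-0708,RDP remote code execution (constructed)\n"
)

# Constructed stand-in for the online Rapid7 VulnDB search (step 3 fallback).
VULNDB_RESULTS = {"CVE-2017-0144": ["msft-cve-2017-0144"]}

# Constructed stand-in for the asset lists the console returns per Rapid7 ID.
ASSETS_BY_ID = {
    "msft-cve-2020-1472": ["dc01.corp.example", "dc02.corp.example", "dc03.corp.example"],
    "samba-cve-2020-1472": ["fileserver.corp.example"],
}


def classify(identifier):
    """Conversion step 1: is the input an alternate identifier or a Rapid7 ID?"""
    if CVE_RE.match(identifier) or MSKB_RE.match(identifier):
        return "alias"
    return "rapid7"


def parse_alias_csv(csv_text):
    """The 'convert from CSV' step: report rows -> {ALIAS: [rapid7_id, ...]}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping.setdefault(row["reference"].upper(), []).append(row["nexpose_id"])
    return mapping


def resolve(identifier, alias_csv=ALIAS_CSV, vulndb=VULNDB_RESULTS):
    """Part 1 of the workflow. Returns ('ok', [rapid7 ids]) or ('not_found', message)."""
    if classify(identifier) == "rapid7":
        return "ok", [identifier]                         # step 1: already a Rapid7 ID
    key = identifier.upper()
    ids = parse_alias_csv(alias_csv).get(key)
    if ids:
        return "ok", list(ids)                            # step 2: console alias table
    ids = vulndb.get(key)
    if ids:
        return "ok", list(ids)                            # step 3: online VulnDB
    return "not_found", f"Could not find vulnerability {identifier}"   # step 4


def check_limit(ids, max_vulns):
    """Part 2 sanity check: bail out before any asset lookups if over the limit."""
    if len(ids) > max_vulns:
        return False, f"{len(ids)} vulnerabilities matched, limit is {max_vulns}; narrow the search"
    return True, None


def lookup_phase(ids, max_vulns, max_hosts, assets_by_id=ASSETS_BY_ID):
    """Part 2: per Rapid7 ID, the vulnerable assets trimmed to the Max Hosts setting."""
    ok, msg = check_limit(ids, max_vulns)
    if not ok:
        return {"error": msg}
    return {vid: assets_by_id.get(vid, [])[:max_hosts] for vid in ids}


def lookup_vuln_hosts(identifier, max_vulns=10, max_hosts=50):
    """End-to-end equivalent of the chat command: resolve, then look up assets."""
    status, result = resolve(identifier)
    if status != "ok":
        return {"error": result}
    return lookup_phase(result, max_vulns, max_hosts)


if __name__ == "__main__":
    print(ALIAS_SQL_TEMPLATE.format(reference="CVE-2020-1472"))
    print(lookup_vuln_hosts("CVE-2020-1472", max_vulns=5, max_hosts=2))
    print(lookup_vuln_hosts("CVE-1999-9999"))
```

Running the script prints the SQL the alias step would send for CVE-2020-1472 and then the trimmed asset lists for the two Rapid7 IDs it resolves to, followed by the not-found message for an unknown CVE. The same structure is what you see in the workflow: everything before `check_limit` is the conversion phase the text says dominates the workflow, and only the last step touches asset data.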

While this isn’t the simplest workflow around, it demonstrates both a 2-section workflow and how to interact with InsightVM multiple ways.