Issue
All assets with Rapid7 Insight Agents are being automatically added to our asset count in InsightVM. While we want to keep the Insight Agents on all assets (including desktops) for use of InsightIDR, we only want InsightVM to contain server assets. Despite not performing vulnerability scans on any these unwanted assets, they still appear in the asset count within InsightVM, specifically under the ‘Rapid7 Insight Agents’ site, which cannot be edited beyond deleting assets within the site, this only temporary as they just come back.
Current Situation
At the start of the day, we had 8XXX assets.
We deleted down to 2XXX assets (Within the allowed license limit)
Now, the asset count has increased to 3XXX assets again, indicating that the unwanted systems are repopulating. and very quickly at that. (Not within the allowed license limit)
Steps Taken
-Deleted all unwanted systems under the ‘Insight Agent’ site
+They reappear and are added back to our asset count, impacting the license limit, and seemingly affecting the quality of scanning due to this.
Questions
Is there a way to manage or edit the ‘Rapid7 Insight Agents’ site to exclude these unwanted systems permanently?
How can we ensure that the deleted assets do not repopulate and impact our license count? According to Rapid7 " …an asset will only occupy license count once you perform Vulnerability or Policy Scans." Which shouldn’t be happening.
*Could this also be a collector issue? Or a configuration issue from the start?
As far as I know R7 only allows the same amount of asset count for both IDR and IVM as the Insight Agent is used for both services → it does vulnerability scanning for IVM and telemetry/information/ gathering and enforcement for IDR.
Back when we started with IVM and added IDR later R7 told me that it’s not possible to have different amount of assets for IDR/IVM. Best thing would propably be to talk to your R7 CSM directly to sort this out.
Thanks Robert. I’ve been in contact with support, it seems there might be some workarounds for this but I am waiting on being transferred to another branch in support. I appreciate your insight.
So for yourself and anyone coming across this thread; we can set the task status for either product on Agents, and this is a very common ask from customers who have different license allocations for InsightVM and InsightIDR.
What’s happening here is that, once you delete the asset within the InsightVM Security Console, the Agent is still running on the asset(s) and when it performs the next vulnerability data collection, it’ll end up creating a new asset within the InsightVM Security Console.
What we do on our end is set these Agents not to run the InsightVM tasks but keep on running the IDR tasks, essentially turning IVM off for them, so they don’t perform further vulnerability data collection and thus don’t recreate the assets. Working via Support is the way to have this handled currently.
If you don’t make any headway with that via the Support case, just ping me in this thread and I can take a look as well.
I have the same issue. non-persistent VDI’s duplicate. Windows UUID is the same but it gets a new rapid7 agend ID. quite frustrating. any help would be appreciated.