Provisioning IVM Accounts - Discussion

Hey All,

I wanted to see if anyone else out there in discuss land has turned their IVM implementation into a self-service and automation opportunity for all product and platform owners to manage their own risk? I have begun to onboard folks to the platform, but it has been a very manual task for each user.

I came to the realization after sending out a broad communication to the org regarding onboarding folks to the platform. We are talking hundreds or thousands of folks. Having to do this manually is not an ideal situation.

I am wondering if this would be a potential opportunity for the IVM platform to support some workflow automation when it comes to provisioning new users to the platform. The only manual effort I could see needing to be done is selecting what sites, asset groups, etc. a user would have access to.

Perhaps an integration workflow with AD/Azure AD for implementations that use SAML?

or

Does this conceptual idea exist already? If yes, please share your experience with it. Otherwise, I am sure this is possible with having an ICON entitlement under your belt?

Thoughts? Feedback?

Thanks for listening!

1 Like

That sounds like you’re referring to SSO

Converting InsightVM to a self-service application has been big on my list over the past few months.

We use SSO for both the platform and InsightVM/Nexpose.
I have a PowerShell script that adds users to both, assigns the correct access to applications and Asset Groups and runs the command to give both InsightVM and Nexpose the same options.

Obviously this is tied to the ways that we have configured AD and access in the application, but I would be willing to assist you if you are interested in doing something similar.

In terms of processes:

  1. You need to link assets to asset owners. This is often achieved by linking a CMDB that holds this contextual information.
  2. You need to provide access to users, re-using their corporate identity roles as a way to implement organization-wide access. (SSO)
  3. When this is achieved, you could create scoped remediation projects, e.g., by filtering dynamically on tags (user/user group). The challenge is that for remediation projects, I haven’t seen any automation out-of-the-box.

This is the only thing I cannot automate yet and it drives me crazy.
I have asked for the ability to create remediation projects and also to pull their status for reporting.

Hi Brandon,

Thanks for the reply! Yes, I am super interested in learning more about this PowerShell script. I think this would be a sustainable way forward to getting users provisioned.

Cheers.
Jake

Thanks for the reply!

  1. Re: linking assets to asset owners. Have you integrated your CMDB with IVM? If so, I would be interested in hearing more about your experiences. I have the integration connected, but I need to sit down with my ITSM team to finish up some of the remaining work.

  2. The current procedure that we have is that any user who needs access to manage the risk of their assets needs to have a privileged account. We currently use a specific GPO that gives the user SSO capabilities into the IVM platform. For on-prem SAML we provide the user an Azure AD URL that authenticates them + Azure MFA.

  3. I have been utilizing dynamic asset groups that are nested into sites. Custom tags really seem to be the quickest on-the-fly solution for putting together dashboards, queries, and remediation projects. The best I've been able to achieve with the remediation projects is the active ticketing connection to ITSM (ServiceNow). The only caveat here is the way tickets are being parsed out. As far as I know… the level of granularity just isn't quite there/available for drilling down to a singular asset. Right now I am just waiting for leadership to give the green light on procuring the SNow Vulnerability Response module. I think this will allow us to achieve that granularity.

Here is the essence of what I do, without any of the custom things that we do, and URLs to the documentation for what is done.
You will need the connection information to your systems, including the BaseURL and authentication tokens for the headers for both the Insight Platform ($R7Insight_Header) and Nexpose ($Rapid7_Headers).

# Assumed inputs (not shown in the post): $User is an AD user object with .mail, .GivenName and .Surname
# (e.g. from Get-ADUser -Properties mail), $R7Insight_Product is the product code to grant on the
# platform, $R7Insight_Timezone is the user's timezone, and $Rapid7_AssetGroup is the asset group
# (looked up beforehand) the user should be allowed to see.

#https://help.rapid7.com/insightAccount/en-us/api/v1/docs.html#tag/Users/operation/createUser
# Create the user on the Insight Platform
$R7Insight_UserBody = [pscustomobject]@{
    email          = $User.mail
    first_name     = $User.GivenName
    last_name      = $User.Surname
    platform_admin = $false
    timezone       = $R7Insight_Timezone
}
$R7Insight_User = Invoke-RestMethod -Uri "$R7Insight_BaseUrl/users" -Headers $R7Insight_Header -Method Post -ContentType 'application/json' -Body ($R7Insight_UserBody | ConvertTo-Json)

#https://help.rapid7.com/insightAccount/en-us/api/v1/docs.html#tag/Users/operation/addUserToOrgProduct
# Grant the new platform user access to the product (e.g. InsightVM)
Invoke-RestMethod -Uri "$R7Insight_BaseUrl/users/$($R7Insight_User.id)/products/$R7Insight_Product" -Headers $R7Insight_Header -Method Put

#https://help.rapid7.com/insightvm/en-us/api/index.html#operation/createUser
# Create the matching console (Nexpose) user with SAML authentication and a limited role
$Rapid7_Body = @{
    authentication = [pscustomobject]@{
        type = 'saml'
    }
    email   = $User.mail
    enabled = $true
    locale  = [pscustomobject]@{
        default = 'en-US'
        reports = 'en-US'
    }
    login                = $User.mail
    name                 = "$($User.GivenName) $($User.Surname)"
    passwordResetOnLogin = $false
    role = [pscustomobject]@{
        allAssetGroups = $false
        allSites       = $true
        id             = 'system-admin'    # name : Asset Owner, description : Manage report operations and run unscheduled scans in accessible sites and asset groups. View asset data in accessible sites and asset groups.
        superuser      = $false
    }
}
$Rapid7_User = Invoke-RestMethod -Uri "$Rapid7_BaseUrl/users" -Body ($Rapid7_Body | ConvertTo-Json) -Method Post -ContentType 'application/json' -Headers $Rapid7_Headers

#https://help.rapid7.com/insightvm/en-us/api/index.html#operation/updateUser
# Restrict the console user to the chosen asset group
Invoke-RestMethod -Uri "$Rapid7_BaseUrl/users/$($Rapid7_User.id)/asset_groups/$($Rapid7_AssetGroup.id)" -Headers $Rapid7_Headers -Method Put
Start-Sleep -Seconds 10 # This is needed to give the user a chance to be created; otherwise you'll get "user not found" in the next command
#https://help.rapid7.com/insightvm/en-us/api/index.html#operation/executeCommand
# Link the console user to the platform login so SSO works for both
Invoke-RestMethod -Uri "$Rapid7_BaseUrl/administration/commands" -Body "platform-login enable $($User.mail)" -Method Post -ContentType 'application/json' -Headers $Rapid7_Headers
6 Likes
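An added example (not part of the post above, and not Rapid7 tooling) that assumes the same $Rapid7_BaseUrl and $Rapid7_Headers variables: it makes the console half of the script safe to re-run over hundreds of AD users by looking up an existing login before creating one, and replaces the fixed 10-second sleep with a bounded polling wait on GET /api/3/users/{id} (the paging fields `page.totalPages` and `resources` are from the InsightVM API v3 response shape; the function names are mine).

```powershell
function Get-ConsoleUserByLogin {
    # Walk GET /api/3/users page by page and return the user whose login matches, or $null.
    # Used as an idempotency check so a re-run does not try to create a duplicate account.
    param([Parameter(Mandatory)][string]$Login)
    $page = 0
    do {
        $resp = Invoke-RestMethod -Uri "$Rapid7_BaseUrl/users?page=$page&size=500" `
                                  -Headers $Rapid7_Headers -Method Get
        $hit = $resp.resources | Where-Object { $_.login -eq $Login } | Select-Object -First 1
        if ($hit) { return $hit }
        $page++
    } while ($page -lt $resp.page.totalPages)
    return $null
}

function Wait-ConsoleUser {
    # Poll GET /api/3/users/{id} until the console can resolve the new user, instead of a
    # fixed sleep. Throws if the user is still not visible after $TimeoutSeconds.
    param([Parameter(Mandatory)][int]$UserId, [int]$TimeoutSeconds = 60)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            return Invoke-RestMethod -Uri "$Rapid7_BaseUrl/users/$UserId" `
                                     -Headers $Rapid7_Headers -Method Get
        } catch {
            Start-Sleep -Seconds 2   # not found yet (404) or transient error; retry
        }
    }
    throw "Console user $UserId not visible after $TimeoutSeconds seconds"
}

# Usage in place of the create / sleep / platform-login steps of the script above
# ($Rapid7_Body is the same request body the script builds for this $User):
$existing = Get-ConsoleUserByLogin -Login $User.mail
if ($existing) {
    Write-Verbose "Console user $($User.mail) already exists (id $($existing.id)); skipping create"
    $Rapid7_User = $existing
} else {
    $Rapid7_User = Invoke-RestMethod -Uri "$Rapid7_BaseUrl/users" -Body ($Rapid7_Body | ConvertTo-Json) `
                                     -Method Post -ContentType 'application/json' -Headers $Rapid7_Headers
}
$null = Wait-ConsoleUser -UserId $Rapid7_User.id
Invoke-RestMethod -Uri "$Rapid7_BaseUrl/administration/commands" -Body "platform-login enable $($User.mail)" `
                  -Method Post -ContentType 'application/json' -Headers $Rapid7_Headers
```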

Regarding the SNow integration - we attempted the Remediation project integration but found it to be too noisy with updates and not configurable as to the ticket content & actions we required. I’ve heard they have made some changes and would be interested in hearing how you make out if you pursue that integration approach.

Thank you for sharing as I was just starting to cobble together my own script. You sir, are my new hero.

1 Like

Hi Brandon,

Finally getting around to this… Regarding the authentication token, where are you getting that from? We use Azure MFA, so I'm guessing I will need to work with my IAM engineers to get that information. Otherwise I think I should have everything I need.

Thanks
Jake

For the Platform section: https://insight.rapid7.com/platform#/apiKeyManagement/user
For Nexpose: https://<console host>:3780/api/3/html#section/Overview

2 Likes