Rapid7 InsightVM Historical Scans

So I don’t know if I’m not seeing something right, and I didn’t want to put in a case for it if it’s no longer there anymore or can’t be there.

It would be easier with a scenario:

Glenda has servers 1 and 2.

Glenda ran a scan on 1/12/2020 and it showed 8 vulnerabilities on server 1.
Glenda also ran a scan on 1/14/2021 and it showed 24 vulnerabilities on server 1.

Glenda goes back through and sees the scan for 1/12/2021, and it shows the 8 on scan history, but when she clicks on that scan date those 8 are not showing; only the 24 from the latest scan are showing. How does Glenda get to see those 8…

We used to be able to see them; now we cannot… Any suggestions? Is this feature taken away in a version update? This is not ideal for auditing purposes… if audit wants to see those 8, they should be able to be pulled and compared to the 24… or better yet, vice versa, if there were 24 that dropped to 8, and what came off…

1 Like

Hi Vanessa - I hope you’re having a great week so far!

It sounds like Glenda wants to see node data and not asset data if I’m understanding the scenario correctly.

What’s the difference between node data and asset data?
Node data is the data from the actual scan assessment, as in what are the results from the scan prior to correlation. That is, the view of the asset from only this scan’s results without correlating any other results from the past or other data we know from other sources about this specific asset.

Asset data is the data about the asset in totality, as in everything we know about that asset after correlation. That is, the view of the asset and everything we know about the asset from all known sources between discovery information, scan history and all correlated data for that asset.

You know you’re in an asset’s node when you are looking at an asset’s scan history and instead of the scan date you click on the IP address listed. This will show you the node for that scan.

How come I can’t see this information anymore?
Glenda should first confirm that she’s navigating to the node data appropriately using the steps I outlined above. Once she has, she should then confirm that she has configured the appropriate retention settings in her console that would allow her to retain the scan data necessary to view this information. If your organization has chosen to set a short time period for scan data then this could be why you don’t see some scan data anymore whereas you previously could. Please let me reassure you that there have not been any product updates that have taken this functionality away!

Is there an easier way to see significant changes in my environment?
Glenda might think that clicking on node data is neat for ad hoc requests, but when it comes to maturing her Vulnerability Management Program she may want an overall easier way to view the significant changes in her environment, overall. Luckily, we have a Dashboard you can create named Significant Changes in the Last 30 Days: simply navigate to the platform, click the dropdown for the Dashboards and choose the template, and you can create a new Dashboard with this view for Glenda :grinning_face_with_smiling_eyes:

Hope this helps!

3 Likes

I love this question and the answer :slight_smile: I spent the better part of a week trying to figure out why I couldn’t query historical data after an EC2 instance was terminated… The difference between node and asset clears things up!!! Thank you both of you!

4 Likes

@gina_seiber awesome! Come to find out USER error. I knew where to go but evidently, my vulnerabilities were hidden under “Items” in the left-hand corner; there were many options hidden. Don’t know how that happened. Thank you for playing along with Glenda :rofl:

The way you explained it was so useful, though; I always wondered what the difference was between the first page and the second asset page.
I’m excited to show that new dashboard to my users.

1 Like

One more question. Is there a possible SQL query I can use to get an Excel sheet of all the vulnerabilities for particular systems? Node data only gives severity, no CVSS score is in there, so when I save as PDF the person won’t know from that past history what CVSS score the particular vulnerabilities have.

I just want to create a sort of database they can reference back. I see the database Rapid7 has, but it doesn’t give you CVSS on most of the ones I picked.

Here’s what I use with the data warehouse (I still haven’t learned SQL reports from console… the schema is different and not as well documented/easy to use)

    with
    aws_assets as (
        -- Get all recently scanned assets from specific sites
        select
            asset_id,
            host_name
        from dim_asset
        where
            last_assessed_for_vulnerabilities >= current_date - 3
            and string_to_array(sites, ',') && array['SiteName1', 'SiteName2', 'SiteName3']
    ),
    vulns as (
        -- Decorate all vulnerabilities with title, CVSS score and severity
        select
            avi.asset_id,
            a.host_name,  -- carried through so the final select can aggregate hosts
            avi.vulnerability_id,
            avi.proof,
            vuln_data.title,
            vuln_data.cvss_score as cvss,
            vuln_data.nexpose_id,
            vuln_data.severity
        from fact_asset_vulnerability_instance as avi
        join aws_assets a on a.asset_id = avi.asset_id
        left join dim_vulnerability vuln_data on avi.vulnerability_id = vuln_data.vulnerability_id
    )
    -- One row per vulnerability, with the affected hosts aggregated as JSON.
    -- The posted query also selected a "fix" column that none of the posted CTEs
    -- defines; it is left out here so the query runs as shown.
    select
        nexpose_id,
        title,
        severity,
        cvss,
        json_agg(host_name) as hosts
    from
        vulns
    group by nexpose_id, title, severity, cvss

1 Like
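
For the audit comparison raised in the original question (what appeared or dropped off between two scans, with CVSS), here is an added example that is not from any post in this thread. It assumes the console Reporting Data Model tables `fact_asset_scan_vulnerability_finding` and `dim_vulnerability`; the temp tables, IDs and finding titles are constructed stand-ins holding only the columns used, so it runs in a plain PostgreSQL session.

```sql
-- Constructed stand-ins for two Reporting Data Model tables (assumed names),
-- reduced to the columns this query needs. On a real console, skip this
-- setup and run only the final query with your own asset and scan IDs.
create temp table dim_vulnerability
    (vulnerability_id int, title text, cvss_score numeric);
create temp table fact_asset_scan_vulnerability_finding
    (asset_id int, scan_id int, vulnerability_id int);

insert into dim_vulnerability values
    (1, 'Constructed finding A', 9.8),
    (2, 'Constructed finding B', 7.5),
    (3, 'Constructed finding C', 5.3);

-- Asset 1: scan 101 (older) recorded A and B, scan 102 (newer) recorded B and C.
insert into fact_asset_scan_vulnerability_finding values
    (1, 101, 1), (1, 101, 2),
    (1, 102, 2), (1, 102, 3);

-- Compare two scans of one asset: findings only in the older scan, only in
-- the newer scan, or in both, each with its CVSS score.
with older as (
    select vulnerability_id
    from fact_asset_scan_vulnerability_finding
    where asset_id = 1 and scan_id = 101   -- placeholder IDs
),
newer as (
    select vulnerability_id
    from fact_asset_scan_vulnerability_finding
    where asset_id = 1 and scan_id = 102   -- placeholder IDs
)
select
    dv.title,
    dv.cvss_score,
    case
        when o.vulnerability_id is null then 'new in later scan'
        when n.vulnerability_id is null then 'no longer found'
        else 'in both scans'
    end as change
from older o
full outer join newer n on n.vulnerability_id = o.vulnerability_id
join dim_vulnerability dv
    on dv.vulnerability_id = coalesce(o.vulnerability_id, n.vulnerability_id)
order by change, dv.cvss_score desc;
```

Exporting this result per scan pair gives auditors a record that keeps the CVSS score next to each historical finding.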

Hello @gina_seiber,

Could you please tell me if there is a way to extract the “raw” node data (results from the scan prior to correlation) using the reporting data model or the Datawarehouse?

I am mostly interested in extracting the vulnerabilities that have been flagged during the scan assessment (without correlating any result from the previous scans).

Thank you.
Kind regards,
Christophe

Hello @holly_wilsey,

Could you please help with the above question?

Thank you.
Kind regards,
Christophe

Yes, any feedback on this, @christophe_c?

Unfortunately, no :frowning: