hi i am finding it difficult for the Insight collector to get logs from the syslog already configured. the sophos XG firewall is sending logs to the syslog as we speak but the collector isnt recieving any as the event source created there is no raw data or EPM displayed . any suggestions
Posted by odida benedict 3 months ago
Has anyone actually been able to do this? The documentation below is BEYOND terrible. Does not make Rapid7 look good as a SIEM, especially next to Splunk whose documentation is, you know, helpful. https://insightidr.help.rapid7.com/docs/splunk#section-data-source
Posted by Jeff Smithwick 3 months ago
Hello, Just wanted to check if there is a sql query or a report template that would be able to give the status of the reported vulnerabilities ? The requirement is to add OPEN, CLOSED or NEW in the vulnerability status column. I have already gone through a SQL query which does this but that doesn't work as intended . Would like to know if there are any such queries. Even if there is no ready-made queries, would like to know which DB tables to relate to achieve this, so that I can give it a try. TIA
Posted by Vishva 3 months ago
hi, I'm writing a resource script that permits to exec an automated exploitation to some targets. I tried to use the instruction mod=framework.exploits.create(modname) and mod.exploit() or mod.exploit_simple(...) but those instructions after they are executed don't spawn a shell(I have already setted the datastore), so I tried to use run_single('use modname), run_single('set rhost ip), run_single(exploit), it worked but if some exploits fail I can't catch the exception. So what I have to do to launch an exploit and catch an exception if it fails?
Posted by lucaRuggeri1998 3 months ago
Hi there, If I use SSO to sign in to our Jira service and I created a new user to connect to JIRA from the InsightVM Console, should I use the account SSO password or create an API Token in JIRA and use that instead as the password for the Jira integration? Thanks.
Posted by Magno Logan 3 months ago
In configuring Sophos XG firewalls syslog for InsightIDR i'm finding that I am not getting any digestible events out of the logs that it's providing. Log Search has nothing to pull. We started with enabled all syslog options and we've dialed it back to options more pertinent to IDR. Current severity level is set to "Notification". Does anyone else have any experience configuring insightIDR for these devices?
Posted by Martino Popa 3 months ago
Is there any option to consolidate CIS Microsoft Windows Server 2016 Member Server policy with CIS Microsoft Windows Server 2016 Domain Controller? Also is there any workaround so that you can use one consolidated policy for both Windows Server 2012 and 2016? I've tried to consolidate a policy from 2016 and 2012 member server but it's not get any result of the scan.
Posted by Adrian Borlea 3 months ago
Checking database consistency... THE SECURITY CONSOLE IS INITIALIZING, PLEASE WAIT... Security Console Startup Progress 2/22/2019, 10:05:06 AM : 83% : Checking database consistency... The console is in this stage from a long time
Posted by Rajanikanta Dash 3 months ago
I am trying to figure out what this Failure Reason Means: Failure Reason: Jess reported an error in routine Jesp.parseValuePair. Message: Bad value at token 'variables'. Program text: ( defquery MAIN::query-valid-admin-creds ( declare ( variables at line 142. at jess.Jesp.error(Jesp.java:2324) at jess.Jesp.parseValuePair(Jesp.java:791) at jess.Jesp.parseDeclarations(Jesp.java:1534) at jess.Jesp.parseDefquery(Jesp.java:2067) at jess.Jesp.parseExpression(Jesp.java:424) at jess.Jesp.promptAndParseOneExpression(Jesp.java:304) at jess.Jesp.parse(Jesp.java:283) at jess.Jesp.parse(Jesp.java:263) at com.rapid7.jess.util.JessUtils.loadJessRuleFile(JessUtils.java:80) at com.rapid7.nexpose.scan.ScanUtils.loadRapid7Libraries(Unknown Source) at com.rapid7.nexpose.scan.Scan.start(Unknown Source) at com.rapid7.nexpose.scan.Scan.run(Unknown Source) at java.lang.Thread.run(Thread.java:748) All my scans are failing when using a specific scanner - all other scanners are working.
Posted by Christine Walter 3 months ago
I scan a site, I see a system I can remediate it, I make the changes to resolve the vulnerability, I go back to VM and select "scan asset" and I get a pop-up saying :scan action failed: <IP Address> is not included in the site configuration." What does that mean? The IP is within the range of the site's subnet. It scans fine with the site scan. Why is it failing when I try to do a single asset scan?
Posted by Kerry LeBlanc 3 months ago
Im interested in developing a report that show what scan the vulnerability appeared and then knowing when the vulnerability was resolved. The Problem is, It doest look like InsightVM keeps that information in the database. My end goal is to be able to show a report that says For the first quarter, average time to resolve Criticals was X number of days. Any ideas?
Posted by Richard E Miller 3 months ago
I am scanning different OSs (Linux) using Full Audit scan template of Nexpose but it does not show the CVEs present in the installed software e.g. I have Mozilla Firefox 52.6 installed and according to CVE database it has 188 CVEs, but none of them appear in the report of the Full Audit Scan. Please guide as to which settings/configurations or scan template is applicable to find out the CVEs in the installed software/packages. Thank you in advance.
Posted by SUH 3 months ago
I see there is a way to download the vulnerabilities of a particular asset, and one can write a report of how to remediate a site scan, but I would like a download (preferable) or report of all the proofs for the vulnerabilities found, either for an asset or a site. For example: Vulnerable OS: Microsoft Windows Server 2008 R2, Standard Edition SP1 Based on the following 2 results: 1. Based on the following 5 results: 1. • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100 - key exists 1. • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight • Version - contains 5.1.41212.0 1. • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight • Version - contains 5.1.41212.0 2. • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight\Components\Debugging - key does not exist 3. • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight • Version - contains unexpected value 5.1.41212.0 2. o HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight o Version - contains unexpected value 5.1.41212.0 The closest thing I found was this, and this isn't what I want: https://kb.help.rapid7.com/docs/sql-query-example-proof-of-a-specific-remediation
Posted by Al Wilson 3 months ago
I am using asset specific SSH Credentials for one specific Linux server that keeps failing during scans. I can SSH into the server no problem with the same credentials. I have already specified port 22 with the credentials, and have tried elevating them. We have confirmed that the server and scan engine can communicate with each other.
Posted by Daniel Jewett 3 months ago
Hello, 1. I have a task of remediating High Risk Vulnerabilities, how can I measure the remediated risks as a percentage metric to say 30% or 60% of risks have been remediated? 2. Is it possible to identify the highest risk vulnerability within an environment over a set period of time, for instance: over a one year basis, Jan-Dec 2018? e.g. vul1 > risk 100k vuln2 > risk 500k vuln3 > risk 200k
Posted by Delano Sinclair 3 months ago
Has anyone been successful in deploying the Agent through InTune or another MDM? The on-prem deployments through GPO etc are fine, but many of our laptops are not AD joined, rather they are Azure-joined and managed through InTune. This means they likely do not have access to a network share from which to install the files as is done through the GPO or script methods. InTune can happily deploy from an MSI - it would seem much more practical and beneficial to have all the files bundled into the MSI installer rather than separated out as they currently are.
Posted by Tim Lovegrove 3 months ago