|Protocol||Information collected||Used for|
|InsightVM API||Vulnerability scan data||Security and Compliance|
FortiSIEM can pull vulnerability scan data from Rapid7 InsightVM Server via InsightVM API.
InsightVM scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type Rapid7-InsightVM-Vuln-Detected.
Create an account to be used for FortiSIEM communication.
Use the account in previous step to enable FortiSIEM access:
- Login to FortiSIEM.
- Go to Admin > Setup > Credential.
- Click New to create a Rapid7 InsightVM credential.
- Choose Device Type = Rapid7 InsightVM (Vendor = Rapid7, Model = InsightVM).
- Choose Access Protocol = InsightVM API.
- Choose Pull Interval = 5 minutes.
- Choose HTTPS Port (default 3780).
- Choose User name and Password for the account created while Configuring Rapid7 InsightVM Server.
- Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
- Click Save.
- Enter an IP Range to Credential Association:
- Set IP to the IP address of the Rapid7 InsightVM Server.
- Select the Credential created in step 3
- Click Save.
- Perform Test Connectivity to make sure that the credential works correctly.
- Discover the Rapid7 InsightVM Server using the IP address used in Step 4. Make sure Discover succeeds.
- An entry will be created in Admin > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Rapid7 InsightVM Server using the InsightVM REST API.
To test for received InsightVM Vulnerability events:
- Go to Admin > Setup > Pull Events
- Select the InsightVM entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from InsightVM Server in the last 15 minutes. You can modify the time interval to get more events.