
External Systems Configuration Guide

Rapid7 InsightVM Integration (Vulnerability Management On-Premises)

Integration Points

| Protocol | Information collected | Used For |
|---|---|---|
| InsightVM API | Vulnerability scan data | Security and Compliance |

Rapid7 InsightVM API Integration

FortiSIEM can pull vulnerability scan data from the Rapid7 InsightVM Server via the InsightVM API.

InsightVM scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type Rapid7-InsightVM-Vuln-Detected.
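
The per-host, per-vulnerability fan-out described above, as an added example (not Fortinet or Rapid7 code). The sample scan data is constructed, and every key and event attribute name other than the event type is a hypothetical placeholder, not the InsightVM API schema or the FortiSIEM event format.

```python
import json

EVENT_TYPE = "Rapid7-InsightVM-Vuln-Detected"  # event type named on this page

# Constructed sample: three scanned hosts. Keys are illustrative assumptions,
# not the real InsightVM API response schema.
SAMPLE_SCAN = json.loads("""
[
  {"ip": "10.0.0.5", "hostName": "web01",
   "vulnerabilities": [
     {"id": "example-vuln-a", "severity": "Critical"},
     {"id": "example-vuln-b", "severity": "Moderate"}
   ]},
  {"ip": "10.0.0.9", "hostName": "db01", "vulnerabilities": []},
  {"ip": "10.0.0.12", "hostName": "app01",
   "vulnerabilities": [{"id": "example-vuln-a", "severity": "Critical"}]}
]
""")

def host_vulns_to_events(hosts):
    """Emit one event per (host, vulnerability) pair; clean hosts emit none."""
    events = []
    for host in hosts:
        for vuln in host.get("vulnerabilities", []):
            events.append({
                "eventType": EVENT_TYPE,          # same type for every event
                "hostIp": host["ip"],             # hypothetical attribute name
                "hostName": host.get("hostName", ""),
                "vulnId": vuln["id"],
                "severity": vuln.get("severity", "Unknown"),
            })
    return events

def events_per_host(events):
    """Count events by host IP, e.g. to estimate event volume per pull."""
    counts = {}
    for event in events:
        counts[event["hostIp"]] = counts.get(event["hostIp"], 0) + 1
    return counts

if __name__ == "__main__":
    generated = host_vulns_to_events(SAMPLE_SCAN)
    for event in generated:
        print(json.dumps(event))
    print(events_per_host(generated))
```

The same vulnerability found on two hosts produces two events, and a host with no findings produces none, so event volume per pull scales with the number of host findings rather than the number of hosts.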

Configuration

Configuring Rapid7 InsightVM Server

Create an account to be used for FortiSIEM communication.

Configuring FortiSIEM

Use the account created in the previous step to enable FortiSIEM access:

Define Rapid7 Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save.
       | Settings | Description |
       |---|---|
       | Name | Enter a name for the credential |
       | Device Type | Rapid7 InsightVM |
       | Access Protocol | InsightVM API |
       | Pull Interval | Choose the Pull Interval (Default 60 minutes). Fortinet recommends 5 minutes for general cases. |
       | Port | Choose the HTTPS Port (default 3780). |
       | User Name | Enter the User Name for the account created while Configuring Rapid7 InsightVM Server. |
       | Password | Enter the Password for the account created while Configuring Rapid7 InsightVM Server. |
       | Description | Description of the device. |
  • Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (in ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter the IP address of the Rapid7 InsightVM Server in the IP/Host Name field.
      2. Select the name of the credential created in Define Rapid7 Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up will appear showing the Test Connectivity results.
    3. Go to ADMIN > Setup > Discovery, click New, fill out the information and ensure you input the IP address used in Step 1a, and click Save.
    4. Click Discover and confirm it succeeds.
    5. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Rapid7 InsightVM Server using the InsightVM REST API.

    To test for received InsightVM Vulnerability events:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the InsightVM entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from InsightVM Server in the last 15 minutes. You can modify the time interval to get more events.
