Skip to main content

Automated Vulnerability Remediation

Valerie
  • Updated

From the Manage → Remediations page, you can manage automated vulnerability remediation (AVR) as described in this section.

The following topics are described here:

What Is Automated Vulnerability Remediation (AVR)?

AVR allows you to bridge the gap that exists between vulnerability discovery and vulnerability remediation. AVR allows you to do the following:

  • Automatically ingest prioritized vulnerabilities from InsightVM’s Platform API into the Automox console

  • Extend remediation actions through Worklets using Rapid7 vulnerability solution details, moving remediation possibilities beyond patching alone

  • Identify coverage gaps in managed devices between Rapid7’s InsightVM API and the Automox console

Using Automated Vulnerability Remediation

Follow these requirements and configuration steps to ensure the integration with Rapid7 is successful.

Prerequisites:

  • You have zone administrator or zone operator permissions for the zone where the devices are located.

  • Your zone is under a Complete plan that includes AVR.

Note: Third-party applications are not patchable with this solution.

Requirements

To use AVR, you need the following information:

  • Your active Rapid7 license for InsightVM (Cloud Enabled)

  • Your active Rapid7 Insight Platform API key

  • Rapid7 Insight Platform region information

  • You have an active Automox license that includes AVR

  • Note: InsightConnect is not a requirement

Accessing your Rapid7 API key

Prior to configuring a connection to Rapid7 InsightVM from within Automox, it is first necessary to collect the information needed to save a connection. This includes generating a Rapid7 Insight Platform API key and identifying the appropriate Rapid7 region.

  1. Using an administrator account, login to the Rapid7 Insight Platform at https://insight.rapid7.com/platform#/  

  2. After logging in, capture the region information (you will need this later) and click the gear icon (⚙) to reveal the API Keys sub-menu. Click API Keys to continue.

     

  3. Click New User Key

     

  4. To generate a new user key, select an Organization from the drop-down menu and assign a Name to that organization.

     

  5. Click Generate.

  6. Copy the API key from the dialog window. This is needed to configure the provider connection in a later step. When you are finished, click Done.

Getting Started

To set up the automated vulnerability remediation integration with Rapid7, follow the steps described in this section:

  1. Creating a Connection to the Rapid7 Platform API

  2. Creating a Configuration, which defines Asset and Vulnerability scope

After you complete these steps, remediations are pulled into Automox on a recurring basis.

Creating a Connection

  1. From the Automox console, select Manage → Remediations.

  2. Note: If you are accessing the Remediations page for the first time, you may only see two boxes as shown here. Select the Get Started button in the Partner Integration: Rapid7 box and skip to Step 6 to configure the connection.

  3. If you see the Remediations page, select the Automated tab.

  4. Click Add New.

  5. From the Integration Provider drop-down menu, select Rapid7 InsightVM. Click Next.

     

  6. Follow these steps to configure the connection:

    • Select Create a new connection. Make sure you have the required information ready.

    • In the Connection Name field, enter a descriptive instance name. (For example, for customers with multiple organizations or regions: division01-us3 an division02-us2).

    • Enter the Rapid7 API key.

    • Select the region from the Rapid7 Region menu.

    • Click Next.

  7. Because connections are reusable, these steps only need to be performed more than once if there are multiple Rapid7 organizations in the environment. If only a single connection is necessary, select the existing connection from the Connection drop-down menu.

Creating a Configuration

After creating or selecting a connection, define the configuration settings.

See Rapid7 Insight documentation for information about R7 Asset Tags.

  1. Enter a descriptive Configuration Name.

  2. Add any Rapid7 Asset Tags that you would like to scope from Rapid7. Hit enter or tab to define multiple tags.

  3. From the Rapid7 Vulnerability Scope drop-down list, select a scope from the options available:

    • Exploitable Critical Vulnerabilities: Vulnerabilities with critical exploits available

    • Common Exploitable Vulnerabilities: Commonly exploited vulnerabilities

    • Vulnerabilities with 3+ Exploits: Vulnerabilities that have three or more exploits published

    • CISA Recommended Vulnerabilities: Cybersecurity and Infrastructure Security Agency identified threats

    • CVSS Score > 8: (CVSSv3) Vulnerabilities that are greater than a severity score of 8

  4. Click Submit to complete the configuration. The integration is saved and a pull of Rapid7 data is immediately initiated.

  5. When the sync successfully finishes, the status is updated in the banner area of the Automox console.

Viewing Reports

From the Automated tab, you can do the following:

  • View reports

  • Search for the most recent reports

  • Filter according to status or configuration name

  • Group the results by configuration

  • Delete reports using the Actions menu

The AVR filter panel is made up of different types of options to fine-tune your search. You can clear selections individually or select Clear All.

There are different ways to view the details of a report: You can click View Report or click the highlighted number to jump to those type of results.

Deleting Reports

From the Automated tab, you can delete a report.

  • Find the report that you want to remove and select Actions → Delete.

  • In the pop-up message, you have the option to disable scheduling before you delete the report.

Viewing Configurations

Select the Configuration tab to view all configurations.

From here you can do the following:

  • Create a new configuration: Click Add New

  • Search for a configuration

  • Edit a configuration

  • Delete a configuration

  • View reports that were created using a configuration

  • Fetch the latest remediations for a configuration

  • Disable scheduling for a configuration

Description of the Configuration table

Column

Description

Name

Name of the Configuration

Connection

This lists the connection associated with the configuration

Rapid7 Asset Tags

This lists all Rapid7 asset tags associated with the configuration

Rapid7 Vulnerability Scope

This specifies the Rapid7 vulnerability scope type

Next Scheduled Run

Shows when the configuration will run next

Actions

Options: Edit, Delete, View Report, Fetch Latest Remediations, Disable Scheduling

Frequently Asked Questions

  1. If I execute any actions from AVR, will it reboot those systems?

    • No - The patch executes, but the system is not rebooted

  2. Can I recreate a connection?

    • If an API key needs to be updated, we currently recommend creating a new connection with the updated API key and region information.

  3. Can Automated Vulnerability Remediation be used with Rapid7 Nexpose?

    • No - AVR is a platform to platform integration and does not support pulling data directly from the Rapid7 Nexpose console.

  4. Is it currently possible to leverage worklets from the Worklet Catalog for remediations?

    • It is possible to use worklets from the catalog as long as the worklet has already been defined as a custom policy within the organization.

  5. Is it possible to configure the integration to run at a particular time during the day?

    • No - The integration with Rapid7 is only configured to run on a schedule once per day at 4 AM MT.

Troubleshooting

  1. When a saved configuration runs, I receive an “invalid action connection unauthorized” error.

    • This error occurs when an invalid API key or region is selected when creating a connection. Create a new connection and verify the API key and region are correct for your Rapid7 Platform organization.

 

Related articles

Comments

0 comments

Article is closed for comments.