Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Rapid7

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello,

 

Infoblox and Rapid7 Nexpose/InsightVM integration enables security operations teams to automate site management and perform scans as a response to DNS security events (such as malicious DNS requests and/or DNS Exfiltration detection) and/or when new devices connect to a network.

 

The updated templates use Rapid 7 Nexpose/InsightVM REST API v3 which eliminate some issues found in the previous API. Due to limitations on the API the templates no longer have support for Deleting assets on Rapid7 Nexpose/InsightVM.

 

Be sure to check out the video on how the integration works:

 

 

In the attached documents you will find txt format templates for the Rapid7 Nexpose/InsightVM integration. The templates are provided as-is and with no actual or implied warranties. The templates should be tested in your lab environment and modified as needed before implementing them into production.

 

The templates require extensible attributes described in the table below. It is recommended to inherit attributes with the default values from the network view level.

 

Extensible Attribute

Description

R7_Sync

Defines if an object should be synced with Rapid7 Nexpose/InsightVM. Possible values: true, false

R7_SyncedAt

Contains date/time when the object was synchronized, updated by the assets management template

R7_NetToSite

Defines if a network should be added to a site (as shown on the video). Possible values: true, false. If R7_NetToSite is false but R7_Sync is true, R7_SiteID will be updated.

R7_RangeToSite

Defines if a range should be added to a site. Possible values: true, false. If R7_NetToSite is false but R7_Sync is true, R7_SiteID will be updated.

R7_ScanOnEvent

Defines if an asset should be scanned if RPZ or DNS Tunneling events were triggered

R7_ScanOnAdd

Defines if an asset should be scanned immediately after creation

R7_ScanTemplate

Defines a Rapid7 Nexpose/InsightVM template which should be used for scans initiated by an Infoblox appliance. Possible values: default, full-audit, full-audit-without-web-spider etc (internal templates IDs). If set to “default” then a template configured for a site will be used.

R7_Site

Defines a Site name

R7_SiteID

Contains an internal site ID. Updated automatically. If the value was inherited from a top level, templates will bypass a few steps retrieving this ID. It should not be manually updated.

R7_LastScan

Contains a date when an asset was scanned last time by a request from Infoblox

R7_AddByHostname

Defines if a host should be synced with Rapid7 Nexpose/InsightVM using a hostname. The hostname should be resolvable by Nexpose. Possible values: true, false

 

Any feedback or questions are welcome.

 

Thank you,

Kevin Zettel

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
New Member
Posts: 1
Registered: ‎08-17-2017
New Member
Posts: 1

This appears to be about scanning non-Infoblox devices with Rapid7. Are there any resources referring to scanning Infoblox devices with Rapid7, and / or baseline configurations for Infoblox devices that Rapid7 scanning would use?

 

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello kcox,

 

Infoblox does not provide/have this informaiton. You could check with Rapid 7 support if they have this informaiton.

 

Thank you,

Kevin Zettel

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
New Member
Posts: 1
Registered: ‎10-08-2018
New Member
Posts: 1

Hello!  I'm super confused...

Which blog post has the docs I should use to implement this integration today?  Should I only use docs from the latest blog post?  I would love to see this integration documentation make its way into Infoblox's doc repository.  Following this blog is really confusing.

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello,

 

If you are running the most recent version of the Rapid7 Nexpose/InsightVM then this is the one you want to use however you should note that there are some limitations to this integration because of API limitations on Rapid7 side. If you are not running the most recent version then the older blog post here: https://community.infoblox.com/t5/Rapid7/INFOBLOX-amp-RAPID-7-NEXPOSE-INTEGRATION-UPDATE-10-31-17/gp...will be what you will want. 

 

Also thank you for the feedback! We actually do have these documents on the Infoblox doc repository however some documents are hidden based on access so this may be the issue you’re facing. I try to place all documents like this one on the community site because I have full control over it and allows me to give access to people like you, who would like to have them.

 

Hope this helps,

Kevin Zettel

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
New Member
Posts: 4
Registered: ‎08-16-2019
New Member
Posts: 4

I'm having issues with these templates.  Specifically, in these elements pulling null values:

 

{
"name": "skip object modification",
"operation": "CONDITION",
"condition": {
"statements": [
{
"left": "${E:A: operation_type}",
"op": "==",
"right": "MODIFY"
},
{
"left": "${E:A: operation_type}",
"op": "==",
"right": "DELETE"
}
],
"condition_type": "OR",
"stop": true
}
},

 

{
"name": "skip if Site is not defined or sync not requested",
"operation": "CONDITION",
"condition": {
"statements": [
{
"left": "${E:A:values{extattrs}{R7_Site}{value}}",
"op": "==",
"right": ""
},
{
"left": "${E:A:values{extattrs}{R7_Sync}{value}}",
"op": "==",
"right": ""
},
{
"left": "${E:A:values{extattrs}{R7_Sync}{value}}",
"op": "==",
"right": "false"
}
],
"condition_type": "OR",
"stop": true
}
},

 

It would appear that "operation_type" isn't a valid value in the E name space, but "event_type" is.

 

Also, the E:A:values{extattrs}{R7_Sync}{value}} doesn't look like it references a valid listindex.  If I replace this with ${E:A:ip.extattrs{R7_Site}}, it pulls the data I expect.  However, I have looked at other integrations templates like Qualys and the former format is used throughout, so I'm nervous that I'm missing something as to why the former format is being used, even though it appears broken.  Can you shed some light into this?

 

-Drew

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi Drew,

 

On which NIOS release are you testing the templates?

operation_type is INSERT/MODIFY/DELETE. So it should be there for any DB operations (but not for the lease).

Could you please provide the debug log (E namespace) and where it is falling?

 

I'm not sure if it is a copy/past issue but I see spaces between the colon and operation_type ("${E:A: operation_type}"). Please remove it if it exists in the template.

 

 

BR,

Vadim

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
New Member
Posts: 4
Registered: ‎08-16-2019
New Member
Posts: 4

@Vadim wrote:

Hi Drew,

 

On which NIOS release are you testing the templates?

operation_type is INSERT/MODIFY/DELETE. So it should be there for any DB operations (but not for the lease).

Could you please provide the debug log (E namespace) and where it is falling?

 

I'm not sure if it is a copy/past issue but I see spaces between the colon and operation_type ("${E:A: operation_type}"). Please remove it if it exists in the template.

 

 

BR,

Vadim


NIOS release is 8.4.3-383835

 

See debug log attached. (removed debug logs)

 

The spaces between the colon and operation type was because the forum was injecting an emoji.  I have attached a copy of the template as is with the testing updates I have made.  This is edited from the most recent post template.

 

First timestamp you can see the E namespace is [2019/09/11 17:06:11.676876] in the debug log.  You can see it drop out of the template because it matches a null statement and stop at [2019/09/11 17:06:11.679342], but the expected situation should say "True =  " and continue on through the template.

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello Ruonavd,

 

looks like this may be a bug. I'll fix it and re-add it.

 

*Edit #1*

 

Okay it should be good to go now after my test it looks fine but I didn't test it all the way yet. but will confirm in a little. 

 

please redownload the file:

"Rapid7_Nexpose_Assets.txt"

 

and reupload it to your environment.

 

The fix was simple I simply added a step called "checkEType_Lease_to_skip_to_Lease".

 

we were running lease events where the Hosts, Fixed, ranges, etc. are suppose to go. Now you will skip to the lease event right away.

 

I'll keep you updated once I've tested in my environment.

 

*Edit #1*

 

Hope this helps,

Kevin Zettel

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
New Member
Posts: 4
Registered: ‎08-16-2019
New Member
Posts: 4

Thanks, I will try and test this as soon as I can.

 

I am still not following this format:

 

${E:A:values{extattrs}{R7_Site}{value}}

 

Compared to this one in my edit when I tried to fix my problem alone:

 

${E:A:ip.extattrs{R7_Site}}

 

If I'm looking at these directly, in the first example, I'm not sure how to parse this.

 

In the second example, ip.extattrs is an existing list in the E namespace and it's pulling the value for R7_Site "as-is".

 

I'd just like to make sense of what the first format is doing and why it is is used in the template, and why the second format would be wrong to use in it's place?

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

hello Ruonavd,

 

Yup I can help answer that! it's really simple I promise but may be hard to explain over text so bear with me until the end! 

 

every event produces a different E: namespace even though many are similar such as Host events and Fixed events.

 

things like Lease events have different fields inside the E: namespace.

 

if you go here (which is our admin guide for NIOS):

https://docs.infoblox.com/display/nios84/Creating+Action+Templates

and under the "event variables" section you will see all the variables that are populated based on the event that occurs.

 

Table 45.13 Shows the data that is populated when Lease events occur. in this case we are getting the ip.extattrs being Enriched from IPv4 Address and IPv6 Address. Which just means that if there is anything on that IP it will enrich the lease event.

 

do note that the “p.extattrs” that you see in Table 45.13 is actually “ip.extattrs”... it's a typo Smiley Happy

 

when you look at table 45.21, which is the table for fixed events variables, you will see that ip.extattrs doesn’t exist but rather “extattrs” exists.

 

This is because we are not enriching the variables from another source but directly from that object.

 

Hope this helps,

 

Kevin Zettel

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
[ Edited ]
New Member
Posts: 4
Registered: ‎08-16-2019
New Member
Posts: 4

I tested the template this morning.  I think the logic is backwards on the skip step:

 

"name": "checkEType_Lease_to_skip_to_Lease",
"operation": "CONDITION",
"condition": {
"condition_type": "AND",
"statements": [{
"left": "${E:A:event_type}",
"op": "!=",
"right": "LEASE"
}],
"next": "skip if not defined for lease"

 

I went in and changed the op from "!=" to "==" and got farther.  I get a 404 error reason: "not found" in the debug at 2019/09/17 10:47:27.466262.  I can't tell if this is a malformed API call or a misconfiguration of the Nexpose site.  Either way I think I am getting closer and think the issues with the beginning of the template are now fixed.  I'll investigate further to see if somehow we got something mixed up with the extensible attributes or the configuration of the site in Nexpose.

 

(removed debug log)

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

 

There is an explict message in the debug log why it doesn't work.

You can validate the request and if you can access the resource using curl or Postman. If you still see the error in curl/Postman - check the resources (full path) and permissions your API user has. 

 

GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'application/json;charset=UTF-8'} data:{
  "status" : 404,
  "message" : "The resource does not exist or access is prohibited.",
  "links" : [ {
    "href" : "https://[**Redacted**]/api/3/sites/1/included_targets",
    "rel" : "self"
  } ]
}

Vadim

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
New Member
Posts: 2
Registered: ‎09-26-2018
New Member
Posts: 1

Hi Guys,

 

I have managed to set up the integration partially,

 

When I add an new IPv4 Network or Range the R7_Synced_At notifacation triggers and it adds the network/range as assets in the nexpose.

 

When I then add an fixed address the same thing happens but it also starts the scan.

 

Why would it not start the scan when i add an Network or Range? Have any of you simmiliar problem and how did you solve it?

Re: INFOBLOX & RAPID 7 NEXPOSE/INSIGHTVM INTEGRATION UPDATE 12/13/18
New Member
Posts: 10
Registered: ‎06-24-2019
New Member
Posts: 12

Hi eliassaado,

 

Templates found here will now scan networks and ranges upon creation. Be careful as you can scan a very large amount of data!

 

Thanks!

 

Showing results for 
Search instead for 
Did you mean: