INFOBLOX & RAPID7 NEXPOSE INTEGRATION - SESSION, LOGIN & LOGOUT TEMPLATES
Hi there,

In this post I'm going to review the session, login and logout templates. Do not copy/paste the templates from the post text, they may not work; download the templates attached to this post instead. The templates are provided "as-is": check them in your lab environment and modify them for your needs before implementing them in production.

The session template does not require a detailed description; all of its parameters are described in the NIOS administrator guide.

 

Template (Rapid7 Session):

{
 "name": "Rapid7 Session",
 "version": "2.0",
 "type": "REST_ENDPOINT",
 "comment": "no comments",
 "vendor_identifier": "Rapid7",
 "path": "/api/1.1/xml",
 "login_template": "Rapid7_Login",
 "logout_template": "Rapid7_Logout",
 "logout_only_at_template_end": true,
 "step_execution_limit": 100,
 "inactivity_interval": 100000,
 "keepalive": true,
 "override_path": true,
 "rate_limit": 0,
 "rate_limit_requests": 10,
 "rate_limit_interval": 1000,
 "rate_limit_reset": 1000,
 "retry": 0,
 "retry_template": 0,
 "timeout": 10,
 "logout_any_condition": true,
 "logout_regexp": "asd.*",
 "logout_status_code": 34
}

Comments:

"version" must be set to "2.0".

"login_template" and "logout_template" must contain the exact template names (the "name" defined inside the template itself, not the file name).

"step_execution_limit" defines the maximum number of loop iterations. If your system has more than 100 sites, or more than 100 "real" assets per site, increase this number to the value you need (it is required only for the delete operation).

 

The Rapid7_Login template is used for authentication because Rapid7 Nexpose doesn't support basic authentication.

Template (Rapid7_Login):

{
   "vendor_identifier": "Rapid7",
   "version": "2.0",
   "name": "Rapid7_Login",
   "content_type": "text/xml",
   "quoting": "XMLA",
   "type": "REST_EVENT",
   "event_type": ["SESSION"],
   "steps": [
      {
         "name": "login: remove basic auth headers",
         "body": "${XC:ASSIGN:{H:Authorization}:{S:}}",
         "operation": "NOP"
      },
      {
         "name": "login: request",
         "parse": "XMLA",
         "operation": "POST",
         "no_connection_debug": false,
         "body_list": [
            "",
            ""
         ]
      },
      {
         "name": "login: errorcheck",
         "operation": "CONDITION",
         "condition": {
            "statements": [
               {
                  "op": "!=",
                  "right": "${P:A:PARSE[[name]]}",
                  "left": "LoginResponse"
               },
               {
                  "op": "!=",
                  "right": "1",
                  "left": "${P:A:PARSE{{success}}}"
               }
            ],
            "condition_type": "AND",
            "else_eval": "${XC:COPY:{S:SESSID}:{P:PARSE{{session-id}}}}",
            "error": true
         }
      }
   ]
}

Comments:

"version" must be set to "2.0".

"event_type" should be set to ["SESSION"].

XMLA quoting is used by default.

Step "login: remove basic auth headers": Rapid7 Nexpose does not allow a login when the request carries a Basic authorization header, even one with correct credentials, so the header variable H:Authorization is set to an empty value.

Step "login: request": authenticate on Rapid7 Nexpose using the LoginRequest method.

Step "login: errorcheck": check that the authentication was successful and copy the session id to the S:SESSID variable.

S:SESSID should be used in all API requests sent to Rapid7 Nexpose.



The Rapid7_Logout template is used to terminate a session.

Template (Rapid7_Logout):

{
   "vendor_identifier": "Rapid7",
   "version": "2.0",
   "name": "Rapid7_Logout",
   "content_type": "text/xml",
   "quoting": "XMLA",
   "type": "REST_EVENT",
   "event_type": ["SESSION"],
   "steps": [
      {
         "name": "logout: request",
         "parse": "XMLA",
         "operation": "POST",
         "no_connection_debug": false,
         "body_list": [
            "",
            ""
         ]
      },
      {
         "operation": "CONDITION",
         "name": "logout: errorcheck",
         "condition": {
            "statements": [
               {
                  "op": "!=",
                  "right": "${P:A:PARSE[[name]]}",
                  "left": "LogoutResponse"
               },
               {
                  "op": "!=",
                  "right": "1",
                  "left": "${P:A:PARSE{{success}}}"
               }
            ],
            "condition_type": "AND",
            "error": true
         }
      }
   ]
}

Comments:

"version" must be set to "2.0".

"event_type" should be set to ["SESSION"].

XMLA quoting will be used by default.

Step "logout: request": send a LogoutRequest. S:SESSID is used to identify the session.

Step "logout: errorcheck": the response is analysed for errors.
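To make the login and logout flow of the two templates above concrete, here is an added example (not code from the original post, and not an Infoblox or Rapid7 artifact) written as a small Python client that can be run offline against constructed responses. It mirrors the three template steps: blanking the Authorization header, posting the request, and the errorcheck that compares the response root name and the success attribute before copying session-id into what the template calls S:SESSID. The check fails closed: either a wrong root element or success != "1" is treated as a failure. The exact LoginRequest/LogoutRequest attribute names (user-id, password, session-id) and the Failure element are assumptions, since the post does not reproduce the XML bodies; the `post` callable is a stand-in for the HTTP transport.

```python
"""Added example: the Nexpose session handshake that the Rapid7_Login and
Rapid7_Logout NIOS templates implement, as a plain Python client.
Request/response XML shapes are assumptions; only the names LoginResponse,
LogoutResponse, success and session-id come from the templates themselves."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

API_PATH = "/api/1.1/xml"  # "path" from the session template


class ApiError(Exception):
    """Raised where the template's errorcheck CONDITION would set error=true."""


def strip_basic_auth(headers):
    """Mirror of the 'login: remove basic auth headers' NOP step:
    ${XC:ASSIGN:{H:Authorization}:{S:}} blanks the Authorization header."""
    cleaned = dict(headers)
    cleaned["Authorization"] = ""
    return cleaned


def login_request(user, password):
    """Constructed LoginRequest body (assumed attribute names).
    quoteattr() escapes quotes and ampersands so a password cannot break the XML."""
    return "<LoginRequest user-id=%s password=%s/>" % (quoteattr(user), quoteattr(password))


def logout_request(session_id):
    """Constructed LogoutRequest body; S:SESSID identifies the session."""
    return "<LogoutRequest session-id=%s/>" % quoteattr(session_id)


def check_response(body, expected_name):
    """The errorcheck step: the response root must be <expected_name> and carry
    success="1". The template reads these as ${P:A:PARSE[[name]]} and
    ${P:A:PARSE{{success}}}; this version fails on either mismatch."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ApiError("unparseable response: %s" % exc)
    if root.tag != expected_name:
        raise ApiError("unexpected response %r, expected %r" % (root.tag, expected_name))
    if root.get("success") != "1":
        raise ApiError("%s reported success=%r" % (expected_name, root.get("success")))
    return root


def session_id_from_login(body):
    """else_eval of the login errorcheck:
    ${XC:COPY:{S:SESSID}:{P:PARSE{{session-id}}}} -> return the session id."""
    root = check_response(body, "LoginResponse")
    sessid = root.get("session-id")
    if not sessid:
        raise ApiError("LoginResponse carried no session-id")
    return sessid


def open_session(post, user, password):
    """Login flow: blank the Authorization header, POST LoginRequest, verify,
    return the value the template stores in S:SESSID.
    `post(path, headers, body)` is a transport stand-in returning response text."""
    headers = strip_basic_auth({"Content-Type": "text/xml",
                                "Authorization": "Basic placeholder-not-used"})
    return session_id_from_login(post(API_PATH, headers, login_request(user, password)))


def close_session(post, sessid):
    """Logout flow: POST LogoutRequest with the session id and run the errorcheck."""
    body = post(API_PATH, {"Content-Type": "text/xml"}, logout_request(sessid))
    check_response(body, "LogoutResponse")
    return True


if __name__ == "__main__":
    # Constructed responses standing in for a Nexpose server.
    def fake_post(path, headers, body):
        assert headers["Authorization"] == "", "Basic auth header must be blank"
        if body.startswith("<LoginRequest"):
            return '<LoginResponse success="1" session-id="CONSTRUCTED-SESSID"/>'
        return '<LogoutResponse success="1"/>'

    sid = open_session(fake_post, "nios-user", "constructed-password")
    print("S:SESSID =", sid)
    print("logout ok:", close_session(fake_post, sid))
```

The transport is deliberately left as a callable so the verification logic can be exercised without a Nexpose instance; with a real endpoint, `post` would send the body to `API_PATH` with `Content-Type: text/xml` and return the response text, and every later request would carry the returned session id exactly as the templates rely on S:SESSID.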

Any feedback and/or questions are appreciated and very welcome.

BR,

Vadim Pavlov
