Rapid7 Nexpose Integration: Please share your experience with the Nexpose TA. Expected data vs actual data vary immensely.

clozach
Path Finder

Hello everyone, I am curious what others have experienced with the Nexpose TA. We have had many discussions with their support and our account reps and were never able to get our Nexpose dashboard to mirror what's actually on the servers.

From our discussion with their support and SMEs, they talked about how the TA functions by signaling the Nexpose box to query the InsightVM agents that are both accessible at that time and have new updates. My theory is that this query is no different than a normal query that Nexpose invokes itself. Meaning if your cron from Splunk is to signal Nexpose every day at 4:00 and Nexpose internally runs a query of the agents at 3:00, then you will only receive the delta from 3-4 in Splunk. If my theory is correct and Nexpose queried at 3, it will only forward logs from the machines that have new updates from 3-4.

Right now our experience is that when we search over 24 hours, we only see a fraction of the assets and vulnerabilities we have. If we look over 30 days, we get much more accurate asset counts, but then we will also see legacy vulnerabilities and assets.

What would be great is if the TA itself queried Nexpose's database and received the entire table on a daily basis, purging after x days. This way, whenever we launch the app and look over 24 hours, we are getting the full asset and vulnerability counts and types.

Any thoughts, ideas or experience that would either prove otherwise to what I stated and/or offer a workaround for our issue?

I appreciate your time!
Thanks,
Christian
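The delta-versus-snapshot effect described in the post, shown on constructed data as an added example (not the Rapid7 add-on's code or schema; the event fields, asset names and CVE-style ids are assumptions): a plain trailing-window search only sees assets that changed inside the window, whereas a latest-wins merge over a longer window, with fixed findings dropped and silent assets purged after x days, yields the current state the post asks for.

```python
"""Reconcile incremental Nexpose-style vulnerability events into a current view.

Constructed sample data, not the TA's real schema: each event is the delta a
daily poll would forward, i.e. only assets with updates since the last poll.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (asset, vuln_id, status, time_seen). Field names and
# values are assumptions, not the Rapid7 add-on's actual fields.
EVENTS = [
    ("web01", "CVE-EXAMPLE-1", "vulnerable", datetime(2023, 3, 1)),
    ("web01", "CVE-EXAMPLE-2", "vulnerable", datetime(2023, 3, 1)),
    ("db01",  "CVE-EXAMPLE-1", "vulnerable", datetime(2023, 3, 2)),
    ("old01", "CVE-EXAMPLE-3", "vulnerable", datetime(2023, 2, 1)),   # decommissioned host
    ("web01", "CVE-EXAMPLE-1", "fixed",      datetime(2023, 3, 20)),  # remediated
    ("db01",  "CVE-EXAMPLE-1", "vulnerable", datetime(2023, 3, 29)),  # re-reported
]
NOW = datetime(2023, 3, 30)  # constructed "search time"

def assets_seen(events, now, days):
    """Distinct assets with any event in a trailing window: what a plain
    time-range search over the delta feed shows."""
    cutoff = now - timedelta(days=days)
    return {a for a, _, _, t in events if cutoff <= t <= now}

def current_state(events, now, purge_after_days):
    """Latest-wins merge of deltas: the last record per (asset, vuln) decides,
    fixed findings drop out, assets silent longer than purge_after_days drop out."""
    latest = {}
    last_seen = defaultdict(lambda: datetime.min)
    for asset, vuln, status, t in sorted(events, key=lambda e: e[3]):
        if t > now:
            continue
        latest[(asset, vuln)] = status
        last_seen[asset] = max(last_seen[asset], t)
    cutoff = now - timedelta(days=purge_after_days)
    return sorted(
        (a, v) for (a, v), status in latest.items()
        if status == "vulnerable" and last_seen[a] >= cutoff
    )

if __name__ == "__main__":
    print("assets in last 24h:", assets_seen(EVENTS, NOW, 1))       # only db01
    print("assets in last 30d:", assets_seen(EVENTS, NOW, 30))      # web01, db01
    print("current open findings:", current_state(EVENTS, NOW, 30))
```

The same merge maps to a search that keeps the latest record per asset and vulnerability over the long window and then filters on status, which is the workaround for the "fraction over 24h, legacy over 30d" symptom until a full-table pull is available.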
