All Apps and Add-ons

Rapid7 Nexpose Integration: Please share your experience with the Nexpose TA. Expected data vs actual data vary immensely.

Explorer

Hello everyone, I am curious to what others have experienced with the Nexpose TA. We have had many discussions with there support and our account reps and were never able to get our nexpose dashboard to mirror what's actually on the servers.

As from our discussion with their support and SME's, they talked about how the TA functions by signaling the nexpose box to query the insightVM agents that are both accessible at that time and have new updates. My theory is that this query is no different then a normal query that nexpose invokes itself. Meaning if your cron from Splunk is to signal Nexpose everyday at 4:00 and Nexpose internally runs a query of the agents at 3:00 then you will only receive the delta from 3-4 in Splunk. If my theory is correct, then nexpose queried at 3 it will only forward logs from the machines that have new updates from 3-4.

Right now our experience is that when we search over 24 hours, we only see a fraction of the assets and vulnerabilities we have. If we look over 30 days, we get much more accurate asset counts, but then we will also see legacy vulnerabilities and assets.

What would be great is if the TA itself queried nexpose's database and received the entire table on a daily basis. Purging after x days. this way whenever we launch the app and look over 24 hours we are getting the full asset and vulnerabilities counts and types.

Any thoughts, ideas or experience that would be either prove otherwise of what I stated and/or a workaround for our issue?

I appreciate your time!
Thanks,
Christian

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!