All Apps and Add-ons

Rapid7 Nexpose Integration: Please share your experience with the Nexpose TA. Expected data vs actual data vary immensely.

Path Finder

Hello everyone, I am curious to what others have experienced with the Nexpose TA. We have had many discussions with there support and our account reps and were never able to get our nexpose dashboard to mirror what's actually on the servers.

As from our discussion with their support and SME's, they talked about how the TA functions by signaling the nexpose box to query the insightVM agents that are both accessible at that time and have new updates. My theory is that this query is no different then a normal query that nexpose invokes itself. Meaning if your cron from Splunk is to signal Nexpose everyday at 4:00 and Nexpose internally runs a query of the agents at 3:00 then you will only receive the delta from 3-4 in Splunk. If my theory is correct, then nexpose queried at 3 it will only forward logs from the machines that have new updates from 3-4.

Right now our experience is that when we search over 24 hours, we only see a fraction of the assets and vulnerabilities we have. If we look over 30 days, we get much more accurate asset counts, but then we will also see legacy vulnerabilities and assets.

What would be great is if the TA itself queried nexpose's database and received the entire table on a daily basis. Purging after x days. this way whenever we launch the app and look over 24 hours we are getting the full asset and vulnerabilities counts and types.

Any thoughts, ideas or experience that would be either prove otherwise of what I stated and/or a workaround for our issue?

I appreciate your time!

Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...