All Apps and Add-ons

Rapid7 Nexpose Integration: Please share your experience with the Nexpose TA. Expected data vs actual data vary immensely.

clozach
Path Finder

Hello everyone, I am curious to what others have experienced with the Nexpose TA. We have had many discussions with there support and our account reps and were never able to get our nexpose dashboard to mirror what's actually on the servers.

As from our discussion with their support and SME's, they talked about how the TA functions by signaling the nexpose box to query the insightVM agents that are both accessible at that time and have new updates. My theory is that this query is no different then a normal query that nexpose invokes itself. Meaning if your cron from Splunk is to signal Nexpose everyday at 4:00 and Nexpose internally runs a query of the agents at 3:00 then you will only receive the delta from 3-4 in Splunk. If my theory is correct, then nexpose queried at 3 it will only forward logs from the machines that have new updates from 3-4.

Right now our experience is that when we search over 24 hours, we only see a fraction of the assets and vulnerabilities we have. If we look over 30 days, we get much more accurate asset counts, but then we will also see legacy vulnerabilities and assets.

What would be great is if the TA itself queried nexpose's database and received the entire table on a daily basis. Purging after x days. this way whenever we launch the app and look over 24 hours we are getting the full asset and vulnerabilities counts and types.

Any thoughts, ideas or experience that would be either prove otherwise of what I stated and/or a workaround for our issue?

I appreciate your time!
Thanks,
Christian

Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...