cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
739
Views
1
Helpful
0
Comments
jaredkalmus
Cisco Employee
Cisco Employee

Cisco Vulnerability Management’s new InsightVM connector provides many benefits over the Nexpose XML and API connectors, but if you are currently using one of the Nexpose connectors then you’ll need to complete a migration of connectors to ensure the historical context of your assets and vulnerabilities carry over to your new InsightVM connector. Here is a list of data points which are of concern should you look to move to a new connector:

  • Asset created at date
  • Asset priority score
  • Asset owner
  • Vulnerability custom fields
  • Vulnerability service ticket association (Jira/SNOW)
  • Vulnerability closed at date
  • Vulnerability notes
  • Vulnerability custom status (Risk Accepted/False Positive)

If the fields above are not of importance for you then you can simply delete your Nexpose connectors and configure a new InsightVM connector to complete your migration.

If you would like to retain the fields above, then you’ll need to complete the steps below to merge assets and vulnerabilities from both the Nexpose and InsightVM connectors.

Preliminary Steps

We recommend performing a full export of your assets and vulnerabilities (including inactive assets and closed vulnerabilities) so that you have an offline copy of your data before making any changes to your environment.

Additionally, we will be releasing a new feature which will assist in ensuring an asset match between Nexpose and InsightVM assets. We’ve applied new logic which ensures DNS short hostnames are mapped to the hostname field in CVM, while FQDNs are exclusively mapped to the fqdn field. We highly recommend enabling this feature before migrating from your Nexpose connector to an InsightVM connector. This feature will be enabled for all customers on February 1st 2024, however Customer Success or Technical Support can enable the feature for you today at your request.

Lastly, we suggest reviewing your risk meter queries to identify any risk meters which may no longer return accurate results following the connector migration. Look for any risk meters with queries for connector names or connector types which will need to be updated to reflect the new InsightVM connector.

Migration Steps

Our goal in this migration is to merge assets and vulnerabilities from Nexpose and InsightVM in order to retain the historical data on the existing records. The assets will merge on the asset locators, while the vulnerabilities will merge on the CVE IDs. Once these mergers are confirmed, then we can proceed with deleting the Nexpose connector as the data from InsightVM as the historical data will be retained for the assets and vulnerabilities from InsightVM

  1. If needed, update the Nexpose connector with a locator order which prioritizes asset merging. Hostname, FQDN, NetBios, and IP address locators should be near the top, with external ID at the bottom or the order. If you'd like to minimize asset deduplication changes we recommend placing FQDN ahead of hostname.
  2. Run your Nexpose connectors to have any locator order changes and hostname updates applied
  3. Create an InsightVM connector
  4. Add an API token to the InsightVM connector
  5. Update the InsightVM locator order to match the order for the Nexpose connector
  6. Run the InsightVM connector
  7. Ensure asset and vulnerability mergers by confirming that asset and vulnerability raw counts do not substantially increase following the InsightVM connector run, assuming your InsightVM service account used for the connector includes permissions to all of your Nexpose assets which are being brought into Cisco Vulnerability Management
  8. Perform some acceptance testing to confirm that assets and vulnerabilities appear as expected. The external ID field should be updated to reflect the UUID from InsightVM, and CVEs should have two scanner vulnerability tabs (one for Nexpose and one for InsightVM)
  9. Once comfortable with the merger results, proceed with deleting your Nexpose connector. This will remove any duplicated scanner vulnerabilities
  10. If risk meters with queries containing Nexpose connector names or types were identified in the preliminary steps, then update the relevant risk meter queries to reflect your new InsightVM connector

Your migration is now complete. Historical data is now safely stored on your InsightVM assets and vulnerabilities. Please reach out to your customer success team or technical support if you have any questions or concerns.

 

Frequently Asked Questions

Q: I have hundreds of risk meters, how can I quickly identify which may have Nexpose connector identification in the query?

A: Our GitHub contains a script which provides an output of all risk meters and their queries. You can execute this script then search for “Nexpose” or other connector names to identify risk meters which may need to be updated.

Q: I am seeing an increase in asset count after running the InsightVM connector. Why might that be?

A: Your InsightVM console may contain assets which were not previously brought in to Cisco Vulnerability Management through a Nexpose connector.

Q: Some of my assets from Nexpose were not merged with an asset from InsightVM

A: There are a few possibilities here.

  1. Assets from your Nexpose consoles may not be available in InsightVM. Please confirm the presence of any missing assets in InsightVM to ensure they will be brought in to Cisco Vulnerability Management.
  2. The API service account you used to create the InsightVM connector may not have permission to view/download all of your assets in InsightVM.
  3. If assets are not merging then you may need to update your locator orders on the connectors to ensure all assets are merged.
  4. Your Nexpose connector may have been bringing in stale data which is no longer brought in through the InsightVM connector. Review your scan report selection in the Nexpose connector, and validate the asset activity limit for both connectors.
Q: I see fewer total fixes from InsightVM than I observed when I was using my Nexpose connector. Why is that?
 
A: This is actually another benefit of the InsightVM product and connector. Nexpose provides a granular fix for each CVE based on the individual patch which first resolved the CVE in question. InsightVM has the ability to provide better and more broad fixes which can be cumulative of the patches which resolve several different vulnerabilities. Cisco Vulnerability Management gains access to this rich fix data through InsightVM's APIs.
 
As an example, Nexpose may correctly tell you that a CVE is patched by 2022-10 Dynamic Cumulative Update for Windows 10 Version 22H2 for x86-based Systems (KB5018410), however InsightVM would provide the most recent cumulative update from Microsoft (2024-01 Dynamic Cumulative Update for Windows 10 Version 22H2 for x86-based Systems (KB5034122)) which also patches the same CVE and many other vulnerabilities in a superseding fashion. This will reduce friction for your remediation teams and enable them to patch their systems more efficiently.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: