Rapid7 Nexpose
Overview
Rapid7 Nexpose provides vulnerability management, assessment, and response to changes in the environment while prioritizing risk across vulnerabilities, configurations, and controls.
Use the Nexpose integration to access sites, assets, vulnerabilities and their solutions, scans and reports. The integration was developed with the Nexpose API v3.
Rapid7 Nexpose Playbooks
For scans (Demisto v4.0) there are two sub-playbooks available, depending on the command. To start a site scan, use the
Nexpose Scan Site
sub-playbook. To start an assets scan, use the
Nexpose Scan Assets
sub-playbook.
When using the
sort
parameter, the fields to sort must be provided as they are in the API, e.g
riskScore
. All the available fields for any type of response can be found in the
API Documentation.
Nexpose Scan Assets
Nexpose Scan Site
Vulnerability Handling - Nexpose
Vulnerability Management - Nexpose
Known Limitations
When starting a scan, the API cannot specify scan targets for sites configured with an Amazon Web Services discovery connection. To configure AWS with Nexpose, see https://nexpose.help.rapid7.com/docs/amazon-web-services .
A regular scan engine requires authorization and compliance with AWS. Receiving authorization from AWS can take up to 72 hours and must be renewed every 90 days after creating a connection. Nexpose imposes no restrictions on the scan engine however you must still abide by AWS terms. More information can be found at https://aws.amazon.com/security/penetration-testing/ .
Use cases
The integration is used to retrieve information about assets/endpoints in the environment. This information can be used in playbooks to determine asset vulnerabilities and risk, and to take action according to the information, like creating reports for assets, sites and scans as a downloadable PDF file and start scans(See additional information below) for sites or assets.
Configure Rapid7 Nexpose on Demisto
To use Nexpose on Demisto, you need user credentials for Nexpose. You can also use a two-factor authentication token.
- Navigate to Settings > Integrations > Servers & Services .
- Search for Rapid7 Nexpose.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1:8080 )
- Username
- Trust any certificate (not secure)
- Use system proxy settings
- 2FA token
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
When using the
sort
parameter, you need to specify the fields to sort as they are in the API, for example,
riskScore
. All the available fields for any type of response can be found in the
API Documentation.
- Get a single asset: nexpose-get-asset
- Get all assets: nexpose-get-assets
- Get all assets that match the filters: nexpose-search-assets
- Get a specified scan: nexpose-get-scan
- Get an asset's details: nexpose-get-asset-vulnerability
- Create a site: nexpose-create-site
- Delete a site: nexpose-delete-site
- Retrieve sites: nexpose-get-sites
- Get report templates: nexpose-get-report-templates
- Create an assets report: nexpose-create-assets-report
- Create a sites report: nexpose-create-sites-report
- Create a scan report: nexpose-create-scan-report
- Start a site scan: nexpose-start-site-scan
- Start an assets scan: nexpose-start-assets-scan
- Stop a scan: nexpose-stop-scan
- Pause a scan: nexpose-pause-scan
- Resume a scan: nexpose-resume-scan
- Get a list of scans: nexpose-get-scans
1. Get a single asset
Returns the specified asset.
Base Command
nexpose-get-asset
Input
| Argument Name | Description | Required |
|---|---|---|
| id | integer The identifier of the asset. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Asset.Addresses | unknown | All addresses discovered on the asset. |
| Nexpose.Asset.AssetId | number | Id of the asset. |
| Nexpose.Asset.Hardware | string | The primary Media Access Control (MAC) address of the asset. The format is six groups of two hexadecimal digits separated by colons. |
| Nexpose.Asset.Aliases | unknown | All host names or aliases discovered on the asset. |
| Nexpose.Asset.HostType | string | The type of asset, Valid values are unknown, guest, hypervisor, physical, mobile |
| Nexpose.Asset.Site | string | Asset site name. |
| Nexpose.Asset.OperatingSystem | string | Operating system of the asset. |
| Nexpose.Asset.Vulnerabilities | number | The total number of vulnerabilities on the asset. |
| Nexpose.Asset.CPE | string | The Common Platform Enumeration (CPE) of the operating system. |
| Nexpose.Asset.LastScanDate | date | Last scan date of the asset. |
| Nexpose.Asset.LastScanId | number | Id of the asset's last scan. |
| Nexpose.Asset.RiskScore | number | The risk score (with criticality adjustments) of the asset. |
| Nexpose.Asset.Software.Software | string | The description of the software. |
| Nexpose.Asset.Software.Version | string | The version of the software. |
| Nexpose.Asset.Services.Name | string | The name of the service. |
| Nexpose.Asset.Services.Port | number | The port of the service. |
| Nexpose.Asset.Services.Product | string | The product running the service. |
| Nexpose.Asset.Services.protocol | string | The protocol of the service, valid values are ip, icmp, igmp, ggp, tcp, pup, udp, idp, esp, nd, raw |
| Nexpose.Asset.Users.FullName | string | The full name of the user account. |
| Nexpose.Asset.Users.Name | string | The name of the user account. |
| Nexpose.Asset.Users.UserId | number | The identifier of the user account. |
| Nexpose.Asset.Vulnerability.Id | number | The identifier of the vulnerability. |
| Nexpose.Asset.Vulnerability.Instances | number | The number of vulnerable occurrences of the vulnerability. This does not include invulnerable instances. |
| Nexpose.Asset.Vulnerability.Title | string | The title (summary) of the vulnerability. |
| Nexpose.Asset.Vulnerability.Malware | number | The malware kits that are known to be used to exploit the vulnerability. |
| Nexpose.Asset.Vulnerability.Exploit | number | The exploits that can be used to exploit a vulnerability. |
| Nexpose.Asset.Vulnerability.CVSS | string | The CVSS exploit score. |
| Nexpose.Asset.Vulnerability.Risk | number | The risk score of the vulnerability, rounded to a maximum of to digits of precision. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000. |
| Nexpose.Asset.Vulnerability.PublishedOn | date | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. |
| Nexpose.Asset.Vulnerability.ModifiedOn | date | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. |
| Nexpose.Asset.Vulnerability.Severity | string | The severity of the vulnerability, one of: "Moderate", "Severe", "Critical". |
| Endpoint.IP | string | Endpoint IP address. |
| Endpoint.HostName | string | Endpoint host name. |
| Endpoint.OS | string | Endpoint operating system. |
| CVE.ID | string | Common Vulnerabilities and Exposures ids |
Command Example
!nexpose-get-asset id="5"
Context Example
{
"Endpoint": [
{
"HostName": [
"hostname1",
"HostName2"
],
"IP": [
"1.2.3.4"
],
"MAC": [],
"OS": "Linux 2.6.X"
}
],
"Nexpose": {
"Asset": {
"Addresses": [
"1.2.3.4"
],
"Aliases": [
"alias1",
"alias2"
],
"AssetId": 5,
"CPE": null,
"Hardware": [],
"HostType": null,
"LastScanDate": "2018-06-13T13:33:17.451Z",
"LastScanId": 42794,
"OperatingSystem": "Linux 2.6.X",
"RiskScore": 2071.67822265625,
"Service": [
{
"Name": "SSH",
"Port": 22,
"Product": "OpenSSH",
"Protocol": "tcp"
},
{
"Name": "HTTPS",
"Port": 443,
"Product": null,
"Protocol": "tcp"
}
],
"Site": "Site 1",
"Software": null,
"User": null,
"Vulnerabilities": 5,
"Vulnerability": [
{
"CVSS": 7.1,
"Exploit": 0,
"Id": "certificate-common-name-mismatch",
"Instances": 1,
"Malware": 0,
"ModifiedOn": "2018-03-21",
"PublishedOn": "2007-08-03",
"Risk": 786.41,
"Severity": "Severe",
"Title": "X.509 Certificate Subject CN Does Not Match the Entity Name"
},
{
"CVSS": 0,
"Exploit": 0,
"Id": "generic-tcp-timestamp",
"Instances": 1,
"Malware": 0,
"ModifiedOn": "2018-03-21",
"PublishedOn": "1997-08-01",
"Risk": 0,
"Severity": "Moderate",
"Title": "TCP timestamp response"
},
{
"CVSS": 4.3,
"Exploit": 0,
"Id": "ssl-self-signed-certificate",
"Instances": 1,
"Malware": 0,
"ModifiedOn": "2012-07-12",
"PublishedOn": "1995-01-01",
"Risk": 248.19,
"Severity": "Severe",
"Title": "Self-signed TLS/SSL certificate"
},
{
"CVSS": 2.6,
"Exploit": 0,
"Id": "ssl-static-key-ciphers",
"Instances": 1,
"Malware": 0,
"ModifiedOn": "2018-08-02",
"PublishedOn": "2015-02-01",
"Risk": 342.17,
"Severity": "Moderate",
"Title": "TLS/SSL Server Supports The Use of Static Key Ciphers"
},
{
"CVSS": 5.8,
"Exploit": 0,
"Id": "tls-untrusted-ca",
"Instances": 1,
"Malware": 0,
"ModifiedOn": "2015-07-27",
"PublishedOn": "1995-01-01",
"Risk": 694.92,
"Severity": "Severe",
"Title": "Untrusted TLS/SSL server X.509 certificate"
}
]
}
}
}
Human Readable Output
2. Get all assets
Returns all assets for which you have access.
Base Command
nexpose-get-assets
Input
| Argument Name | Description | Required |
|---|---|---|
| sort | Multiple criteria of The criteria to sort the records by, in the format: property[,ASC DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' | Optional |
| limit | integer The number of records retrieve. | False |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Asset.AssetId | number | The identifier of the asset. |
| Nexpose.Asset.Address | string | The primary IPv4 or IPv6 address of the asset. |
| Nexpose.Asset.Name | string | The primary host name (local or FQDN) of the asset. |
| Nexpose.Asset.Site | string | Asset site name. |
| Nexpose.Asset.Exploits | number | The number of distinct exploits that can exploit any of the vulnerabilities on the asset. |
| Nexpose.Asset.Malware | number | The number of distinct malware kits that vulnerabilities on the asset are susceptible to. |
| Nexpose.Asset.OperatingSystem | string | Operating system of the asset. |
| Nexpose.Asset.Vulnerabilities | number | The total number of vulnerabilities. |
| Nexpose.Asset.RiskScore | number | The risk score (with criticality adjustments) of the asset. |
| Nexpose.Asset.Assessed | boolean | Whether the asset has been assessed for vulnerabilities at least once. |
| Nexpose.Asset.LastScanDate | date | Last scan date of the asset. |
| Nexpose.Asset.LastScanId | number | Id of the asset's last scan. |
| Endpoint.IP | string | Endpoint IP address. |
| Endpoint.HostName | string | Endpoint host name. |
| Endpoint.OS | string | Endpoint operating system. |
Command Example
!nexpose-get-assets limit=2 sort="riskScore,ASC"
Context Example
{
"Endpoint": [
{
"HostName": "hostname1",
"IP": "1.2.3.4",
"OS": "Ubuntu Linux"
},
{
"HostName": "hostname2",
"IP": "3.4.5.6",
"OS": "Ubuntu Linux"
}
],
"Nexpose": {
"Asset": [
{
"Address": "1.2.3.4",
"Assessed": true,
"AssetId": 2,
"Exploits": 0,
"LastScanDate": "2018-04-29T11:21:19.350Z",
"LastScanId": 15,
"Malware": 0,
"Name": "hostname1",
"OperatingSystem": "Ubuntu Linux",
"RiskScore": 0,
"Site": "Site 1",
"Vulnerabilities": 1
},
{
"Address": "3.4.5.6",
"Assessed": true,
"AssetId": 1,
"Exploits": 0,
"LastScanDate": "2018-04-29T11:21:18.637Z",
"LastScanId": 15,
"Malware": 0,
"Name": "hostname2",
"OperatingSystem": "Ubuntu Linux",
"RiskScore": 0,
"Site": "Site 1",
"Vulnerabilities": 1
}
]
}
}
Human Readable Output
3. Get all assets that match the filters
Returns all assets for which you have access that match the given search criteria.
Base Command
nexpose-search-assets
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Multiple criteria of Filter to match assets, according to the Search Criteria API standard. multiple filters can be provided using ';' separator. For example: 'ip-address in range 1.2.3.4,1.2.3.8;host-name is myhost'. For more information regarding Search Criteria, refer to https://help.rapid7.com/insightvm/en-us/api/index.html#section/Overview/Responses | Optional |
| limit | integer The number of records retrieve. | Optional |
| sort | Multiple criteria of The criteria to sort the records by, in the format: property[,ASC DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC | Optional |
| ipAddressIs | Search by a specific IP address | Optional |
| hostNameIs | Search by a specific host name | Optional |
| riskScoreHigherThan | Get all assets whose risk score is higher | Optional |
| vulnerabilityTitleContains | Search by vulnerability title | Optional |
| siteIdIn | Multiple criteria of integer Search by site ids | Optional |
| match | Operator to determine how to match filters. all requires that all filters match for an asset to be included. any requires only one filter to match for an asset to be included. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Asset.AssetId | number | The identifier of the asset. |
| Nexpose.Asset.Address | string | The primary IPv4 or IPv6 address of the asset. |
| Nexpose.Asset.Name | string | The primary host name (local or FQDN) of the asset. |
| Nexpose.Asset.Site | string | Asset site name. |
| Nexpose.Asset.Exploits | number | The number of distinct exploits that can exploit any of the vulnerabilities on the asset. |
| Nexpose.Asset.Malware | number | The number of distinct malware kits that vulnerabilities on the asset are susceptible to. |
| Nexpose.Asset.OperatingSystem | string | Operating system of the asset. |
| Nexpose.Asset.Vulnerabilities | number | The total number of vulnerabilities. |
| Nexpose.Asset.RiskScore | number | The risk score (with criticality adjustments) of the asset. |
| Nexpose.Asset.Assessed | boolean | Whether the asset has been assessed for vulnerabilities at least once. |
| Nexpose.Asset.LastScanDate | date | Last scan date of the asset. |
| Nexpose.Asset.LastScanId | number | Id of the asset's last scan. |
| Endpoint.IP | string | Endpoint IP address. |
| Endpoint.HostName | string | Endpoint host name. |
| Endpoint.OS | string | Endpoint operating system. |
Command Example
!nexpose-search-assets query="risk-score is 0" limit="2" sort="riskScore,ASC" match="all"
Context Example
{
"Endpoint": [
{
"HostName": "hostname1",
"IP": "1.2.3.4",
"OS": "Ubuntu Linux"
},
{
"HostName": "hostname2",
"IP": "3.4.5.6",
"OS": "Ubuntu Linux"
}
],
"Nexpose": {
"Asset": [
{
"Address": "1.2.3.4",
"Assessed": true,
"AssetId": 2,
"Exploits": 0,
"LastScanDate": "2018-04-29T11:21:19.350Z",
"LastScanId": 15,
"Malware": 0,
"Name": "hostname1",
"OperatingSystem": "Ubuntu Linux",
"RiskScore": 0,
"Site": "Site 1",
"Vulnerabilities": 1
},
{
"Address": "3.4.5.6",
"Assessed": true,
"AssetId": 1,
"Exploits": 0,
"LastScanDate": "2018-04-29T11:21:18.637Z",
"LastScanId": 15,
"Malware": 0,
"Name": "hostname2",
"OperatingSystem": "Ubuntu Linux",
"RiskScore": 0,
"Site": "Site 1",
"Vulnerabilities": 1
}
]
}
}
Human Readable Output
4. Get a specified scan
Returns the specified scan.
Base Command
nexpose-get-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| id | Multiple criteria of integer Identifiers of scans | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The identifier of the scan. |
| Nexpose.Scan.ScanType | string | The scan type (automated, manual, scheduled). |
| Nexpose.Scan.StartedBy | string | The name of the user that started the scan. |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan in minutes. |
| Nexpose.Scan.Status | string | The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format. |
| Nexpose.Scan.Vulnerabilities.Critical | number | The number of critical vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Moderate | number | The number of moderate vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Severe | number | The number of severe vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Total | number | The total number of vulnerabilities. |
Command Example
!nexpose-get-scan id=15
Context Example
{
"Nexpose": {
"Scan": {
"Assets": 32,
"Completed": "2018-04-29T11:24:58.721Z",
"Id": 15,
"Message": null,
"ScanName": "Sun 29 Apr 2018 11:17 AM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "9.76666666667 minutes",
"Vulnerabilities": {
"Critical": 0,
"Moderate": 48,
"Severe": 61,
"Total": 109
}
}
}
}
Human Readable Output
5. Get an asset's details
Returns the details and possible remediations for an asset's given vulnerability.
Base Command
nexpose-get-asset-vulnerability
Input
| Argument Name | Description | Required |
|---|---|---|
| id | integer The identifier of the asset. | Required |
| vulnerabilityId | The identifier of the vulnerability. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Asset.AssetId | number | Identifier of the asset. |
| Nexpose.Asset.Vulnerability.Id | number | The identifier of the vulnerability. |
| Nexpose.Asset.Vulnerability.Title | string | The title (summary) of the vulnerability. |
| Nexpose.Asset.Vulnerability.Severity | string | The severity of the vulnerability, one of: "Moderate", "Severe", "Critical". |
| Nexpose.Asset.Vulnerability.RiskScore | number | The risk score of the vulnerability, rounded to a maximum of to digits of precision. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000. |
| Nexpose.Asset.Vulnerability.CVSS | string | The CVSS vector(s) for the vulnerability. |
| Nexpose.Asset.Vulnerability.CVSSV3 | string | The CVSS v3 vector. |
| Nexpose.Asset.Vulnerability.Published | date | The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD. |
| Nexpose.Asset.Vulnerability.Added | date | The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD. |
| Nexpose.Asset.Vulnerability.Modified | date | The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD. |
| Nexpose.Asset.Vulnerability.CVSSScore | number | The CVSS score, which ranges from 0-10. |
| Nexpose.Asset.Vulnerability.CVSSV3Score | number | The CVSS3 score, which ranges from 0-10. |
| Nexpose.Asset.Vulnerability.Categories | unknown | All vulnerability categories assigned to this vulnerability. |
| Nexpose.Asset.Vulnerability.CVES | unknown | All CVEs assigned to this vulnerability. |
| Nexpose.Asset.Vulnerability.Check.Port | number | The port of the service the result was discovered on. |
| Nexpose.Asset.Vulnerability.Check.Protocol | string | The protocol of the service the result was discovered on, valid values ip, icmp, igmp, ggp, tcp, pup, udp, idp, esp, nd, raw |
| Nexpose.Asset.Vulnerability.Check.Since | date | The date and time the result was first recorded, in the ISO8601 format. If the result changes status this value is the date and time of the status change. |
| Nexpose.Asset.Vulnerability.Check.Proof | string | The proof explaining why the result was found vulnerable. |
| Nexpose.Asset.Vulnerability.Check.Status | string | The status of the vulnerability check result. Valid values are, unknown, not-vulnerable, vulnerable, vulnerable-version, vulnerable-potential, vulnerable-with-exception-applied, vulnerable-version-with-exception-applied, vulnerable-potential-with-exception-applied |
| Nexpose.Asset.Vulnerability.Solution.Type | string | The type of the solution. One of: "Configuration", "Rollup patch", "Patch". |
| Nexpose.Asset.Vulnerability.Solution.Summary | string | The summary of the solution. |
| Nexpose.Asset.Vulnerability.Solution.Steps | string | The steps required to remediate the vulnerability. |
| Nexpose.Asset.Vulnerability.Solution.Estimate | string | The estimated duration to apply the solution, in minutes. |
| Nexpose.Asset.Vulnerability.Solution.AdditionalInformation | string | Additional information or resources that can assist in applying the remediation |
| CVE.ID | string | Common Vulnerabilities and Exposures ids |
Command Example
!nexpose-get-asset-vulnerability id=37 vulnerabilityId=apache-httpd-cve-2017-3169
Context Example
{
"CVE": {
"ID": "CVE-2017-3169"
},
"Nexpose": {
"Asset": {
"AssetId": "37",
"Vulnerability": [
{
"Added": "2017-06-20",
"CVES": [
"CVE-2017-3169"
],
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSSScore": 7.5,
"CVSSV3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSSV3Score": 9.8,
"Categories": [
"Apache",
"Apache HTTP Server",
"Web"
],
"Check": [
{
"Port": 8080,
"Proof": "Running HTTP serviceProduct HTTPD exists -- Apache HTTPD 2.4.6Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.6",
"Protocol": "tcp",
"Since": "2018-04-29T11:36:54.597Z",
"Status": "vulnerable-version"
},
{
"Port": 443,
"Proof": "Running HTTPS serviceProduct HTTPD exists -- Apache HTTPD 2.4.6Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.6",
"Protocol": "tcp",
"Since": "2018-04-29T11:36:54.597Z",
"Status": "vulnerable-version"
}
],
"Id": "apache-httpd-cve-2017-3169",
"Modified": "2018-01-08",
"Published": "2017-06-20",
"RiskScore": 574.63,
"Severity": "Critical",
"Solution": [
{
"AdditionalInformation": "The latest version of Apache HTTPD is 2.4.34.\n\nMany platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.",
"Estimate": "120.0 minutes",
"Steps": "Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.34.tar.gz (http://archive.apache.org/dist/httpd/httpd-2.4.34.tar.gz)",
"Summary": "Upgrade to the latest version of Apache HTTPD",
"Type": "rollup-patch"
}
],
"Title": "Apache HTTPD: mod_ssl Null Pointer Dereference (CVE-2017-3169)"
}
]
}
}
}
Human Readable Output
6. Create a site
Creates a new site with the specified configuration.
Base Command
nexpose-create-site
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The site name. Name must be unique. | Required |
| description | The site's description. | False |
| assets | Multiple criteria of Specify asset addresses to be included in site scans | Required |
| scanTemplateId | The identifier of a scan template. Use nexpose-get-report-templates to get all templates, default scan template is selected when not specified. | False |
| importance | The site importance. Defaults to "normal" if not specified. | False |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Site.Id | number | The created site Id |
Command Example
!nexpose-create-site name="site_test" assets="127.0.0.1"
Context Example
{
"Nexpose": {
"Site": {
"Id": 11
}
}
}
Human Readable Output
7. Delete a site
Deletes a site.
Base Command
nexpose-delete-site
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the site to delete | Required |
Context Output
There is no context output for this command.
Command Example
!nexpose-delete-site id=1258
Human Readable Output
8. Retrieve sites
Retrieves accessible sites.
Base Command
nexpose-get-sites
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | integer The number of records retrieve. | Optional |
| sort | Multiple criteria of The criteria to sort the records by, in the format: property[,ASC DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Site.Id | number | The identifier of the site. |
| Nexpose.Site.Name | string | The site name. |
| Nexpose.Site.Assets | number | The number of assets that belong to the site. |
| Nexpose.Site.Type | string | The type of the site. Valid values are agent, dynamic, static |
| Nexpose.Site.Vulnerabilities | number | The total number of vulnerabilities. |
| Nexpose.Site.Risk | number | The risk score (with criticality adjustments) of the site. |
| Nexpose.Site.LastScan | date | The date and time of the site's last scan. |
Command Example
!nexpose-get-sites limit=1 sort="riskScore,DESC"
Context Example
{
"Nexpose": {
"Site": {
"Assets": 29,
"Id": 2,
"LastScan": "2018-07-27T07:46:35.159Z",
"Name": "Site 1",
"Risk": 131586,
"Type": "dynamic",
"Vulnerabilities": 351
}
}
}
Human Readable Output
9. Get report templates
Returns all available report templates.
Base Command
nexpose-get-report-templates
Input
There is no input for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Template.Id | number | The identifier of the report template. |
| Nexpose.Template.Name | string | The name of the report template. |
| Nexpose.Template.Description | string | The description of the report template. |
| Nexpose.Template.Type | string | The type of the report template. document is a templatized, typically printable, report that has various sections of content. export is data-oriented output, typically CSV. file is a printable report template using a report template file. |
Command Example
!nexpose-get-report-templates
Context Example
{
"Nexpose": {
"Template": [
{
"Description": "Provides comprehensive details about discovered assets, vulnerabilities, and users.",
"Id": "audit-report",
"Name": "Audit Report",
"Type": "document"
},
{
"Description": "Compares current scan results to those of an earlier baseline scan.",
"Id": "baseline-comparison",
"Name": "Baseline Comparison",
"Type": "document"
},
{
"Description": "Includes a basic set of data fields for vulnerability check results in CSV format.",
"Id": "basic-vulnerability-check-results",
"Name": "Basic Vulnerability Check Results (CSV)",
"Type": "export"
},
{
"Description": "Provides a high-level view of security data, including general results information and statistical charts.",
"Id": "executive-overview",
"Name": "Executive Overview",
"Type": "document"
},
{
"Description": "Provides information and metrics about 10 discovered vulnerabilities with the highest risk scores.",
"Id": "highest-risk-vulns",
"Name": "Highest Risk Vulnerabilities",
"Type": "document"
},
{
"Description": "Serves as a cover sheet for the completed set of PCI-mandated reports.",
"Id": "pci-attestation-v12",
"Name": "PCI Attestation of Scan Compliance",
"Type": "document"
},
{
"Description": "PCI-mandated compliance summary with overview of Pass/Fail results, statistical charts, and vulnerability metrics.",
"Id": "pci-executive-summary-v12",
"Name": "PCI Executive Summary",
"Type": "document"
},
{
"Description": "Provides detailed, sorted scan information about each asset discovered in a PCI scan.",
"Id": "pci-host-details-v12",
"Name": "PCI Host Details",
"Type": "document"
},
{
"Description": "Provides a PCI-mandated listing of details, metrics, and Pass/Fail score for every vulnerability discovered in a PCI scan.",
"Id": "pci-vuln-details-v12",
"Name": "PCI Vulnerability Details",
"Type": "document"
},
{
"Description": "Shows detailed results for each policy rule scanned on an asset, including the percentage of policy rules that assets comply with and test results for each rule.",
"Id": "policy-details",
"Name": "Policy Details",
"Type": "file"
},
{
"Description": "Lists results for standard policy scans (AS/400, Oracle, Domino, Windows Group, CIFS/SMB account). Does not include Policy Manager results.",
"Id": "policy-eval",
"Name": "Policy Evaluation",
"Type": "document"
},
{
"Description": "Shows results for each tested policy, including the numbers and percentages of compliant assets, and the percentage of policy rules that assets comply with.",
"Id": "policy-summary",
"Name": "Policy Compliance Status",
"Type": "file"
},
{
"Description": "Lists top remediations as prioritized by vulnerability-related criteria that you select.",
"Id": "prioritized-remediations",
"Name": "Top Remediations",
"Type": "file"
},
{
"Description": "Lists top remediations as prioritized by vulnerability-related criteria that you select. Also provides steps for each remediation and lists each affected asset.",
"Id": "prioritized-remediations-with-details",
"Name": "Top Remediations with Details",
"Type": "file"
},
{
"Description": "Lists information about new assets discovered within a specific time period. This allows you to track changes to your network environment over time.",
"Id": "r7-discovered-assets",
"Name": "Newly Discovered Assets",
"Type": "file"
},
{
"Description": "Shows vulnerability exception activity during a specified time frame.",
"Id": "r7-vulnerability-exceptions",
"Name": "Vulnerability Exception Activity",
"Type": "file"
},
{
"Description": "Provides detailed remediation instructions for each discovered vulnerability.",
"Id": "remediation-plan",
"Name": "Remediation Plan",
"Type": "document"
},
{
"Description": "Lists test results for each discovered vulnerability, including how it was verified.",
"Id": "report-card",
"Name": "Report Card",
"Type": "document"
},
{
"Description": "Grades sets of assets based on risk and provides data and statistics for determining risk factors.",
"Id": "risk-scorecard",
"Name": "Risk Scorecard",
"Type": "file"
},
{
"Description": "Shows results for each asset against the selected policies' rules, including the percentage of policy rules that assets comply with.",
"Id": "rule-breakdown-summary",
"Name": "Policy Rule Breakdown Summary",
"Type": "file"
},
{
"Description": "Lists top policy compliance remediations as prioritized by policies that you select.",
"Id": "top-policy-remediations",
"Name": "Top Policy Remediations",
"Type": "file"
},
{
"Description": "Lists top policy compliance remediations as prioritized by policies that you select. Also provides steps for each remediation and lists each affected asset.",
"Id": "top-policy-remediations-with-details",
"Name": "Top Policy Remediations with Details",
"Type": "file"
},
{
"Description": "Lists risk scores, total vulnerabilities, and malware and exploit exposures for 10 assets with the highest risk scores.",
"Id": "top-riskiest-assets",
"Name": "Top 10 Assets by Vulnerability Risk",
"Type": "file"
},
{
"Description": "Lists total vulnerabilities and malware and exploit exposures for 10 assets with the most vulnerabilities.",
"Id": "top-vulnerable-assets",
"Name": "Top 10 Assets by Vulnerabilities",
"Type": "file"
},
{
"Description": "Tracks trends for vulnerabilities found, assets scanned, malware kit and exploit exposures, severity levels, and vulnerability age over a date range that you select.",
"Id": "vulnerability-trends",
"Name": "Vulnerability Trends",
"Type": "file"
}
]
}
}
Human Readable Output
10. Create an assets report
Generates a new report on given assets according to a template and arguments.
Base Command
nexpose-create-assets-report
Input
| Argument Name | Description | Required |
|---|---|---|
| assets | Multiple criteria of integer Asset ids to create the report on, comma separated. | Required |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |
Context Output
| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |
Command Example
!nexpose-create-assets-report assets="1,2,3,4"
Context Example
{
"InfoFile": {
"EntryID": "759@cc00e449-9e7b-4609-8a68-1c8c01114562",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "report 2018-08-20 11:41:54.343571.pdf",
"Size": 143959,
"Type": "PDF document, version 1.4\n"
}
}
Human Readable Output
11. Create a sites report
Generates a new report on given sites according to a template and arguments.
Base Command
nexpose-create-sites-report
Input
| Argument Name | Description | Required |
|---|---|---|
| sites | Multiple criteria of integer Site ids to create the report on, comma separated. | Required |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |
Context Output
| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |
Command Example
!nexpose-create-sites-report sites=1,3
Context Example
{
"InfoFile": {
"EntryID": "765@cc00e449-9e7b-4609-8a68-1c8c01114562",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "report 2018-08-20 11:45:33.531668.pdf",
"Size": 255774,
"Type": "PDF document, version 1.4\n"
}
}
Human Readable Output
12. Create a scan report
Generates a new report for a specified scan.
Base Command
nexpose-create-scan-report
Input
| Argument Name | Description | Required |
|---|---|---|
| scan | integer The identifier of the scan. | True |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |
Context Output
| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |
Command Example
!nexpose-create-scan-report scan="15"
Context Example
{
"InfoFile": {
"EntryID": "771@cc00e449-9e7b-4609-8a68-1c8c01114562",
"Extension": "pdf",
"Info": "application/pdf",
"Name": "report 2018-08-20 11:49:56.187193.pdf",
"Size": 205544,
"Type": "PDF document, version 1.4\n"
}
}
Human Readable Output
13. Start a site scan
Starts a scan for the specified site.
Base Command
nexpose-start-site-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| site | integer The identifier of the site. | True |
| hosts | Multiple criteria of The hosts that should be included as a part of the scan. This should be a mixture of IP Addresses and Hostnames as a comma separated string array. | False |
| name | The user-driven scan name for the scan. | False |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The identifier of the scan. |
| Nexpose.Scan.ScanType | string | The scan type (automated, manual, scheduled). |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan. |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan in minutes. |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format. |
| Nexpose.Scan.Status | string | The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating |
| Nexpose.Scan.Vulnerabilities.Critical | number | The number of critical vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Moderate | number | The number of moderate vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Severe | number | The number of severe vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Total | number | The total number of vulnerabilities. |
Command Example
!nexpose-start-site-scan site=2 hosts=127.0.0.1
Context Example
{
"Nexpose": {
"Scan": {
"Assets": 0,
"Completed": null,
"Id": 89391,
"Message": null,
"ScanName": "scan 2018-08-20 11:54:59.673365",
"ScanType": "Manual",
"StartedBy": null,
"Status": "running",
"TotalTime": "0 minutes",
"Vulnerabilities": {
"Critical": 0,
"Moderate": 0,
"Severe": 0,
"Total": 0
}
}
}
}
Human Readable Output
14. Start an assets scan
Starts a scan for specified asset IP addresses and host names.
Base Command
nexpose-start-assets-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| IPs | Multiple criteria of IP addresses of assets, comma separated. | False |
| hostNames | Multiple criteria of Host names of assets, comma separated. | False |
| name | The user-driven scan name for the scan. | False |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The identifier of the scan. |
| Nexpose.Scan.ScanType | string | The scan type (automated, manual, scheduled). |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan. |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan in minutes. |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format. |
| Nexpose.Scan.Status | string | The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating |
| Nexpose.Scan.Vulnerabilities.Critical | number | The number of critical vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Moderate | number | The number of moderate vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Severe | number | The number of severe vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Total | number | The total number of vulnerabilities. |
Command Example
!nexpose-start-assets-scan IPs=127.0.0.1
Context Example
{
"Nexpose": {
"Scan": {
"Assets": 0,
"Completed": null,
"Id": 89410,
"Message": null,
"ScanName": "scan 2018-08-20 12:31:52.951818",
"ScanType": "Manual",
"StartedBy": null,
"Status": "running",
"TotalTime": "0 minutes",
"Vulnerabilities": {
"Critical": 0,
"Moderate": 0,
"Severe": 0,
"Total": 0
}
}
}
}
Human Readable Output
15. Stop a scan that is in progress
Stops the specified scan, which is in progress.
Base Command
nexpose-stop-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to stop | Required |
Context Output
There is no context output for this command.
Command Example
!nexpose-stop-scan id=143200
Human Readable Output
16. Pause a scan that is in progress
Pauses the specified scan, which is in progress.
Base Command
nexpose-pause-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to pause | Required |
Context Output
There is no context output for this command.
Command Example
!nexpose-pause-scan id=143200
Human Readable Output
17. Resume a scan
Resumes a scan that is paused or stopped.
Base Command
nexpose-resume-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to resume | Required |
Context Output
There is no context output for this command.
Command Example
!nexpose-resume-scan id=143200
Human Readable Output
18. Get a list of scans
Returns a list of scans.
Base Command
nexpose-get-scans
Input
| Argument Name | Description | Required |
|---|---|---|
| active | Return active or previous scans (boolean) | Optional |
| limit | The number of records retrieve | Optional |
| sort | Multiple criteria of <string> The criteria to sort the records by, in the format: property [ASC, DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The ID of the scan |
| Nexpose.Scan.ScanType | string | The scan type ("automated", "manual", "scheduled") |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan (in minutes) |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format |
| Nexpose.Scan.Status | string | The scan status ("aborted", "unknown", "running", "finished", "stopped", "error", "paused", "dispatched", "integrating") |
Command Example
!nexpose-get-scans active=false limit=5
Context Example
{
"Nexpose": {
"Scan": [
{
"Assets": 32,
"Completed": "2018-04-29T11:24:58.721Z",
"Id": 15,
"Message": null,
"ScanName": "Sun 29 Apr 2018 11:17 AM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "9.76666666667 minutes"
},
{
"Assets": 19,
"Completed": "2018-04-29T11:42:16.765Z",
"Id": 25,
"Message": null,
"ScanName": "Sun 29 Apr 2018 11:32 AM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "24.6333333333 minutes"
},
{
"Assets": 29,
"Completed": "2018-06-13T13:36:54.288Z",
"Id": 42794,
"Message": null,
"ScanName": "Wed 13 Jun 2018 01:29 PM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "18.3 minutes"
},
{
"Assets": 1,
"Completed": "2018-06-13T13:41:59.184Z",
"Id": 42799,
"Message": null,
"ScanName": "Wed 13 Jun 2018 01:35 PM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "21.85 minutes"
},
{
"Assets": 1,
"Completed": "2018-06-13T14:16:41.766Z",
"Id": 42824,
"Message": null,
"ScanName": "Wed 13 Jun 2018 02:09 PM",
"ScanType": "Manual",
"StartedBy": null,
"Status": "finished",
"TotalTime": "7.3 minutes"
}
]
}
}
Human Readable Output
Troubleshooting
- In case of a timeout error, the API server address or port may be incorrect.
-
In case of a
400 Bad Requesterror, incorrect values were provided to an API resource, e.g incorrect search fields. -
In case of a
401 Unauthorizederror, incorrect credentials were provided or there are insufficient privileges for a specific resource. -
In case of a
404 Not Founderror, a specified resource was not found, e.g a vulnerability that doesn't exist in an asset.