Rapid7 Nexpose

Overview


Rapid7 Nexpose provides vulnerability management, assessment, and response to changes in the environment while prioritizing risk across vulnerabilities, configurations, and controls.
Use the Nexpose integration to access sites, assets, vulnerabilities and their solutions, scans and reports. The integration was developed with the Nexpose API v3.

Rapid7 Nexpose Playbooks


For scans (Demisto v4.0) there are two sub-playbooks available, depending on the command. To start a site scan, use the Nexpose Scan Site sub-playbook. To start an assets scan, use the Nexpose Scan Assets sub-playbook.

When using the sort parameter, the fields to sort must be provided as they are in the API, e.g. riskScore. All the available fields for any type of response can be found in the API Documentation.

Nexpose Scan Assets

Nexpose Scan Site

Vulnerability Handling - Nexpose

Vulnerability Management - Nexpose

Known Limitations


When starting a scan, the API cannot specify scan targets for sites configured with an Amazon Web Services discovery connection. To configure AWS with Nexpose, see https://nexpose.help.rapid7.com/docs/amazon-web-services.

A regular scan engine requires authorization and compliance with AWS. Receiving authorization from AWS can take up to 72 hours and must be renewed every 90 days after creating a connection. Nexpose imposes no restrictions on the scan engine; however, you must still abide by AWS terms. More information can be found at https://aws.amazon.com/security/penetration-testing/.

Use cases


The integration retrieves information about assets/endpoints in the environment. Playbooks can use this information to determine asset vulnerabilities and risk, and to act on it, for example by creating reports for assets, sites, and scans as downloadable PDF files, or by starting scans for sites or assets (see additional information below).

Configure Rapid7 Nexpose on Demisto


To use Nexpose on Demisto, you need user credentials for Nexpose. You can also use a two-factor authentication token.

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Rapid7 Nexpose.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1:8080 )
    • Username
    • Trust any certificate (not secure)
    • Use system proxy settings
    • 2FA token
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

When using the sort parameter, you need to specify the fields to sort as they are in the API, for example, riskScore. All the available fields for any type of response can be found in the API Documentation.

  1. Get a single asset: nexpose-get-asset
  2. Get all assets: nexpose-get-assets
  3. Get all assets that match the filters: nexpose-search-assets
  4. Get a specified scan: nexpose-get-scan
  5. Get an asset's details: nexpose-get-asset-vulnerability
  6. Create a site: nexpose-create-site
  7. Delete a site: nexpose-delete-site
  8. Retrieve sites: nexpose-get-sites
  9. Get report templates: nexpose-get-report-templates
  10. Create an assets report: nexpose-create-assets-report
  11. Create a sites report: nexpose-create-sites-report
  12. Create a scan report: nexpose-create-scan-report
  13. Start a site scan: nexpose-start-site-scan
  14. Start an assets scan: nexpose-start-assets-scan
  15. Stop a scan: nexpose-stop-scan
  16. Pause a scan: nexpose-pause-scan
  17. Resume a scan: nexpose-resume-scan
  18. Get a list of scans: nexpose-get-scans

1. Get a single asset


Returns the specified asset.

Base Command

nexpose-get-asset

Input
Argument Name Description Required
id integer The identifier of the asset. Required
Context Output
Path Type Description
Nexpose.Asset.Addresses unknown All addresses discovered on the asset.
Nexpose.Asset.AssetId number Id of the asset.
Nexpose.Asset.Hardware string The primary Media Access Control (MAC) address of the asset. The format is six groups of two hexadecimal digits separated by colons.
Nexpose.Asset.Aliases unknown All host names or aliases discovered on the asset.
Nexpose.Asset.HostType string The type of asset. Valid values are unknown, guest, hypervisor, physical, mobile.
Nexpose.Asset.Site string Asset site name.
Nexpose.Asset.OperatingSystem string Operating system of the asset.
Nexpose.Asset.Vulnerabilities number The total number of vulnerabilities on the asset.
Nexpose.Asset.CPE string The Common Platform Enumeration (CPE) of the operating system.
Nexpose.Asset.LastScanDate date Last scan date of the asset.
Nexpose.Asset.LastScanId number Id of the asset's last scan.
Nexpose.Asset.RiskScore number The risk score (with criticality adjustments) of the asset.
Nexpose.Asset.Software.Software string The description of the software.
Nexpose.Asset.Software.Version string The version of the software.
Nexpose.Asset.Services.Name string The name of the service.
Nexpose.Asset.Services.Port number The port of the service.
Nexpose.Asset.Services.Product string The product running the service.
Nexpose.Asset.Services.protocol string The protocol of the service, valid values are ip, icmp, igmp, ggp, tcp, pup, udp, idp, esp, nd, raw
Nexpose.Asset.Users.FullName string The full name of the user account.
Nexpose.Asset.Users.Name string The name of the user account.
Nexpose.Asset.Users.UserId number The identifier of the user account.
Nexpose.Asset.Vulnerability.Id number The identifier of the vulnerability.
Nexpose.Asset.Vulnerability.Instances number The number of vulnerable occurrences of the vulnerability. This does not include invulnerable instances.
Nexpose.Asset.Vulnerability.Title string The title (summary) of the vulnerability.
Nexpose.Asset.Vulnerability.Malware number The malware kits that are known to be used to exploit the vulnerability.
Nexpose.Asset.Vulnerability.Exploit number The exploits that can be used to exploit a vulnerability.
Nexpose.Asset.Vulnerability.CVSS string The CVSS exploit score.
Nexpose.Asset.Vulnerability.Risk number The risk score of the vulnerability, rounded to a maximum of two digits of precision. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000.
Nexpose.Asset.Vulnerability.PublishedOn date The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD.
Nexpose.Asset.Vulnerability.ModifiedOn date The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD.
Nexpose.Asset.Vulnerability.Severity string The severity of the vulnerability, one of: "Moderate", "Severe", "Critical".
Endpoint.IP string Endpoint IP address.
Endpoint.HostName string Endpoint host name.
Endpoint.OS string Endpoint operating system.
CVE.ID string Common Vulnerabilities and Exposures ids
Command Example

!nexpose-get-asset id="5"

Context Example
{
    "Endpoint": [
        {
            "HostName": [
                "hostname1",
                "HostName2"
            ],
            "IP": [
                "1.2.3.4"
            ],
            "MAC": [],
            "OS": "Linux 2.6.X"
        }
    ],
    "Nexpose": {
        "Asset": {
            "Addresses": [
                "1.2.3.4"
            ],
            "Aliases": [
                "alias1",
                "alias2"
            ],
            "AssetId": 5,
            "CPE": null,
            "Hardware": [],
            "HostType": null,
            "LastScanDate": "2018-06-13T13:33:17.451Z",
            "LastScanId": 42794,
            "OperatingSystem": "Linux 2.6.X",
            "RiskScore": 2071.67822265625,
            "Service": [
                {
                    "Name": "SSH",
                    "Port": 22,
                    "Product": "OpenSSH",
                    "Protocol": "tcp"
                },
                {
                    "Name": "HTTPS",
                    "Port": 443,
                    "Product": null,
                    "Protocol": "tcp"
                }
            ],
            "Site": "Site 1",
            "Software": null,
            "User": null,
            "Vulnerabilities": 5,
            "Vulnerability": [
                {
                    "CVSS": 7.1,
                    "Exploit": 0,
                    "Id": "certificate-common-name-mismatch",
                    "Instances": 1,
                    "Malware": 0,
                    "ModifiedOn": "2018-03-21",
                    "PublishedOn": "2007-08-03",
                    "Risk": 786.41,
                    "Severity": "Severe",
                    "Title": "X.509 Certificate Subject CN Does Not Match the Entity Name"
                },
                {
                    "CVSS": 0,
                    "Exploit": 0,
                    "Id": "generic-tcp-timestamp",
                    "Instances": 1,
                    "Malware": 0,
                    "ModifiedOn": "2018-03-21",
                    "PublishedOn": "1997-08-01",
                    "Risk": 0,
                    "Severity": "Moderate",
                    "Title": "TCP timestamp response"
                },
                {
                    "CVSS": 4.3,
                    "Exploit": 0,
                    "Id": "ssl-self-signed-certificate",
                    "Instances": 1,
                    "Malware": 0,
                    "ModifiedOn": "2012-07-12",
                    "PublishedOn": "1995-01-01",
                    "Risk": 248.19,
                    "Severity": "Severe",
                    "Title": "Self-signed TLS/SSL certificate"
                },
                {
                    "CVSS": 2.6,
                    "Exploit": 0,
                    "Id": "ssl-static-key-ciphers",
                    "Instances": 1,
                    "Malware": 0,
                    "ModifiedOn": "2018-08-02",
                    "PublishedOn": "2015-02-01",
                    "Risk": 342.17,
                    "Severity": "Moderate",
                    "Title": "TLS/SSL Server Supports The Use of Static Key Ciphers"
                },
                {
                    "CVSS": 5.8,
                    "Exploit": 0,
                    "Id": "tls-untrusted-ca",
                    "Instances": 1,
                    "Malware": 0,
                    "ModifiedOn": "2015-07-27",
                    "PublishedOn": "1995-01-01",
                    "Risk": 694.92,
                    "Severity": "Severe",
                    "Title": "Untrusted TLS/SSL server X.509 certificate"
                }
            ]
        }
    }
}
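How a playbook automation might act on this context, as an added example that is not part of the integration or the original page: it ranks the asset's findings (known exploit or malware kit first, then Severity, then Risk) and flags results that come from an old scan. The function names and thresholds are assumptions; the sample is trimmed from the Context Example above, and the null, single-object and list shapes it tolerates all appear in this page's context examples.

```python
from datetime import datetime, timezone

# Constructed sample: the Context Example above, trimmed to the fields used here.
SAMPLE_CONTEXT = {"Nexpose": {"Asset": {
    "AssetId": 5,
    "LastScanDate": "2018-06-13T13:33:17.451Z",
    "Software": None,
    "Vulnerability": [
        {"Id": "certificate-common-name-mismatch", "Severity": "Severe",
         "Risk": 786.41, "Exploit": 0, "Malware": 0},
        {"Id": "generic-tcp-timestamp", "Severity": "Moderate",
         "Risk": 0, "Exploit": 0, "Malware": 0},
        {"Id": "ssl-self-signed-certificate", "Severity": "Severe",
         "Risk": 248.19, "Exploit": 0, "Malware": 0},
        {"Id": "ssl-static-key-ciphers", "Severity": "Moderate",
         "Risk": 342.17, "Exploit": 0, "Malware": 0},
        {"Id": "tls-untrusted-ca", "Severity": "Severe",
         "Risk": 694.92, "Exploit": 0, "Malware": 0},
    ],
}}}

SEVERITY_RANK = {"Critical": 3, "Severe": 2, "Moderate": 1}


def as_list(value):
    """Context values can be null, one object, or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scan_age_days(stamp, now):
    """Whole days since a LastScanDate such as 2018-06-13T13:33:17.451Z."""
    scanned = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return (now - scanned.replace(tzinfo=timezone.utc)).days


def triage_asset(context, now, max_scan_age_days=30, min_risk=1.0):
    """Rank an asset's findings and flag results that come from an old scan."""
    asset = (context.get("Nexpose") or {}).get("Asset") or {}
    stamp = asset.get("LastScanDate")
    age = scan_age_days(stamp, now) if stamp else None
    findings = []
    for vuln in as_list(asset.get("Vulnerability")):
        risk = float(vuln.get("Risk") or 0)
        if risk < min_risk:
            continue  # informational checks with Risk 0 only add noise
        findings.append({
            "Id": vuln.get("Id"),
            "Severity": vuln.get("Severity"),
            "Risk": risk,
            # A known exploit or malware kit outranks severity and score.
            "Weaponized": bool(vuln.get("Exploit") or vuln.get("Malware")),
        })
    findings.sort(key=lambda f: (f["Weaponized"],
                                 SEVERITY_RANK.get(f["Severity"], 0),
                                 f["Risk"]), reverse=True)
    return {
        "AssetId": asset.get("AssetId"),
        "ScanAgeDays": age,
        # Never-scanned or old data should be rescanned before acting on it.
        "Stale": age is None or age > max_scan_age_days,
        "Findings": findings,
    }


if __name__ == "__main__":
    report = triage_asset(SAMPLE_CONTEXT, datetime.now(timezone.utc))
    print(report["Stale"], [f["Id"] for f in report["Findings"]])
```
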

2. Get all assets


Returns all assets for which you have access.

Base Command

nexpose-get-assets

Input
Argument Name Description Required
sort Multiple criteria of The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' Optional
limit integer The number of records to retrieve. False
Context Output
Path Type Description
Nexpose.Asset.AssetId number The identifier of the asset.
Nexpose.Asset.Address string The primary IPv4 or IPv6 address of the asset.
Nexpose.Asset.Name string The primary host name (local or FQDN) of the asset.
Nexpose.Asset.Site string Asset site name.
Nexpose.Asset.Exploits number The number of distinct exploits that can exploit any of the vulnerabilities on the asset.
Nexpose.Asset.Malware number The number of distinct malware kits that vulnerabilities on the asset are susceptible to.
Nexpose.Asset.OperatingSystem string Operating system of the asset.
Nexpose.Asset.Vulnerabilities number The total number of vulnerabilities.
Nexpose.Asset.RiskScore number The risk score (with criticality adjustments) of the asset.
Nexpose.Asset.Assessed boolean Whether the asset has been assessed for vulnerabilities at least once.
Nexpose.Asset.LastScanDate date Last scan date of the asset.
Nexpose.Asset.LastScanId number Id of the asset's last scan.
Endpoint.IP string Endpoint IP address.
Endpoint.HostName string Endpoint host name.
Endpoint.OS string Endpoint operating system.
Command Example

!nexpose-get-assets limit=2 sort="riskScore,ASC"

Context Example
{
    "Endpoint": [
        {
            "HostName": "hostname1",
            "IP": "1.2.3.4",
            "OS": "Ubuntu Linux"
        },
        {
            "HostName": "hostname2",
            "IP": "3.4.5.6",
            "OS": "Ubuntu Linux"
        }
    ],
    "Nexpose": {
        "Asset": [
            {
                "Address": "1.2.3.4",
                "Assessed": true,
                "AssetId": 2,
                "Exploits": 0,
                "LastScanDate": "2018-04-29T11:21:19.350Z",
                "LastScanId": 15,
                "Malware": 0,
                "Name": "hostname1",
                "OperatingSystem": "Ubuntu Linux",
                "RiskScore": 0,
                "Site": "Site 1",
                "Vulnerabilities": 1
            },
            {
                "Address": "3.4.5.6",
                "Assessed": true,
                "AssetId": 1,
                "Exploits": 0,
                "LastScanDate": "2018-04-29T11:21:18.637Z",
                "LastScanId": 15,
                "Malware": 0,
                "Name": "hostname2",
                "OperatingSystem": "Ubuntu Linux",
                "RiskScore": 0,
                "Site": "Site 1",
                "Vulnerabilities": 1
            }
        ]
    }
}

3. Get all assets that match the filters


Returns all assets for which you have access that match the given search criteria.

Base Command

nexpose-search-assets

Input
Argument Name Description Required
query Multiple criteria of Filter to match assets, according to the Search Criteria API standard. Multiple filters can be provided using the ';' separator. For example: 'ip-address in range 1.2.3.4,1.2.3.8;host-name is myhost'. For more information regarding Search Criteria, refer to https://help.rapid7.com/insightvm/en-us/api/index.html#section/Overview/Responses Optional
limit integer The number of records to retrieve. Optional
sort Multiple criteria of The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' Optional
ipAddressIs Search by a specific IP address Optional
hostNameIs Search by a specific host name Optional
riskScoreHigherThan Get all assets whose risk score is higher than the specified value Optional
vulnerabilityTitleContains Search by vulnerability title Optional
siteIdIn Multiple criteria of integer Search by site ids Optional
match Operator to determine how to match filters. all requires that all filters match for an asset to be included. any requires only one filter to match for an asset to be included. Optional
Context Output
Path Type Description
Nexpose.Asset.AssetId number The identifier of the asset.
Nexpose.Asset.Address string The primary IPv4 or IPv6 address of the asset.
Nexpose.Asset.Name string The primary host name (local or FQDN) of the asset.
Nexpose.Asset.Site string Asset site name.
Nexpose.Asset.Exploits number The number of distinct exploits that can exploit any of the vulnerabilities on the asset.
Nexpose.Asset.Malware number The number of distinct malware kits that vulnerabilities on the asset are susceptible to.
Nexpose.Asset.OperatingSystem string Operating system of the asset.
Nexpose.Asset.Vulnerabilities number The total number of vulnerabilities.
Nexpose.Asset.RiskScore number The risk score (with criticality adjustments) of the asset.
Nexpose.Asset.Assessed boolean Whether the asset has been assessed for vulnerabilities at least once.
Nexpose.Asset.LastScanDate date Last scan date of the asset.
Nexpose.Asset.LastScanId number Id of the asset's last scan.
Endpoint.IP string Endpoint IP address.
Endpoint.HostName string Endpoint host name.
Endpoint.OS string Endpoint operating system.
Command Example

!nexpose-search-assets query="risk-score is 0" limit="2" sort="riskScore,ASC" match="all"

Context Example
{
    "Endpoint": [
        {
            "HostName": "hostname1",
            "IP": "1.2.3.4",
            "OS": "Ubuntu Linux"
        },
        {
            "HostName": "hostname2",
            "IP": "3.4.5.6",
            "OS": "Ubuntu Linux"
        }
    ],
    "Nexpose": {
        "Asset": [
            {
                "Address": "1.2.3.4",
                "Assessed": true,
                "AssetId": 2,
                "Exploits": 0,
                "LastScanDate": "2018-04-29T11:21:19.350Z",
                "LastScanId": 15,
                "Malware": 0,
                "Name": "hostname1",
                "OperatingSystem": "Ubuntu Linux",
                "RiskScore": 0,
                "Site": "Site 1",
                "Vulnerabilities": 1
            },
            {
                "Address": "3.4.5.6",
                "Assessed": true,
                "AssetId": 1,
                "Exploits": 0,
                "LastScanDate": "2018-04-29T11:21:18.637Z",
                "LastScanId": 15,
                "Malware": 0,
                "Name": "hostname2",
                "OperatingSystem": "Ubuntu Linux",
                "RiskScore": 0,
                "Site": "Site 1",
                "Vulnerabilities": 1
            }
        ]
    }
}
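One way to validate the query, sort, match and shortcut arguments of nexpose-search-assets before they reach the API, as an added example rather than the integration's own code. It assumes the Search Criteria body is a list of field/operator filters carrying value, lower and upper, or values; the allowlist, the mapping of 'in range' to in-range, the shortcut templates and all function names are hypothetical.

```python
import ipaddress
import re

# Allowlist of field -> operators (longest operator first). Assumption: limited
# to the fields and operators that this page's arguments and examples mention.
ALLOWED = {
    "ip-address": ("in-range", "is"),
    "host-name": ("is",),
    "risk-score": ("is-greater-than", "is"),
    "vulnerability-title": ("contains",),
    "site-id": ("in",),
}
# Shortcut arguments from the Input table, expressed as filter strings.
SHORTCUTS = {
    "ipAddressIs": "ip-address is %s",
    "hostNameIs": "host-name is %s",
    "riskScoreHigherThan": "risk-score is-greater-than %s",
    "vulnerabilityTitleContains": "vulnerability-title contains %s",
    "siteIdIn": "site-id in %s",
}
SORT_PROPERTY = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")


def _typed(field, op, raw):
    """Validate the value part and return one filter object."""
    if not raw:
        raise ValueError("missing value for %s %s" % (field, op))
    if op == "in-range":
        bounds = [part.strip() for part in raw.split(",")]
        if len(bounds) != 2:
            raise ValueError("in-range needs 'lower,upper'")
        lower, upper = (ipaddress.ip_address(b) for b in bounds)
        if lower.version != upper.version or lower > upper:
            raise ValueError("range bounds are reversed or mixed")
        return {"field": field, "operator": op,
                "lower": str(lower), "upper": str(upper)}
    if op == "in":
        return {"field": field, "operator": op,
                "values": [int(v) for v in raw.split(",")]}
    if field == "ip-address":
        raw = str(ipaddress.ip_address(raw))
    elif field == "risk-score":
        raw = float(raw)
    return {"field": field, "operator": op, "value": raw}


def parse_filter(text):
    """'ip-address in range 1.2.3.4,1.2.3.8' -> one criteria filter."""
    field, _, rest = text.strip().partition(" ")
    if field not in ALLOWED:
        raise ValueError("field not allowed: %r" % field)
    for op in ALLOWED[field]:
        for form in (op, op.replace("-", " ")):  # accept 'in range' too
            if rest == form or rest.startswith(form + " "):
                return _typed(field, op, rest[len(form):].strip())
    raise ValueError("operator not allowed for %s: %r" % (field, rest))


def parse_sort(sort):
    """'riskScore,DESC;hostName,ASC' -> ['riskScore,DESC', 'hostName,ASC']."""
    out = []
    for item in (s.strip() for s in (sort or "").split(";")):
        if not item:
            continue
        prop, _, direction = item.partition(",")
        prop, direction = prop.strip(), (direction.strip() or "ASC").upper()
        if not SORT_PROPERTY.match(prop) or direction not in ("ASC", "DESC"):
            raise ValueError("bad sort criterion: %r" % item)
        out.append("%s,%s" % (prop, direction))
    return out


def build_search(query=None, match="all", sort=None, **shortcuts):
    """Return (repeated sort query parameters, JSON body) for an asset search."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    texts = [q for q in (query or "").split(";") if q.strip()]
    for name, value in shortcuts.items():
        if name not in SHORTCUTS:
            raise ValueError("unknown argument: %r" % name)
        texts.append(SHORTCUTS[name] % value)
    params = [("sort", s) for s in parse_sort(sort)]
    return params, {"filters": [parse_filter(t) for t in texts], "match": match}


if __name__ == "__main__":
    print(build_search(query="risk-score is 0", sort="riskScore,ASC"))
```
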

4. Get a specified scan


Returns the specified scan.

Base Command

nexpose-get-scan

Input
Argument Name Description Required
id Multiple criteria of integer Identifiers of scans Required
Context Output
Path Type Description
Nexpose.Scan.Id number The identifier of the scan.
Nexpose.Scan.ScanType string The scan type (automated, manual, scheduled).
Nexpose.Scan.StartedBy string The name of the user that started the scan.
Nexpose.Scan.Assets number The number of assets found in the scan
Nexpose.Scan.TotalTime string The duration of the scan in minutes.
Nexpose.Scan.Status string The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating
Nexpose.Scan.Completed date The end time of the scan in ISO8601 format.
Nexpose.Scan.Vulnerabilities.Critical number The number of critical vulnerabilities.
Nexpose.Scan.Vulnerabilities.Moderate number The number of moderate vulnerabilities.
Nexpose.Scan.Vulnerabilities.Severe number The number of severe vulnerabilities.
Nexpose.Scan.Vulnerabilities.Total number The total number of vulnerabilities.
Command Example

!nexpose-get-scan id=15

Context Example
{
    "Nexpose": {
        "Scan": {
            "Assets": 32,
            "Completed": "2018-04-29T11:24:58.721Z",
            "Id": 15,
            "Message": null,
            "ScanName": "Sun 29 Apr 2018 11:17 AM",
            "ScanType": "Manual",
            "StartedBy": null,
            "Status": "finished",
            "TotalTime": "9.76666666667 minutes",
            "Vulnerabilities": {
                "Critical": 0,
                "Moderate": 48,
                "Severe": 61,
                "Total": 109
            }
        }
    }
}

5. Get an asset's details


Returns the details and possible remediations for an asset's given vulnerability.

Base Command

nexpose-get-asset-vulnerability

Input
Argument Name Description Required
id integer The identifier of the asset. Required
vulnerabilityId The identifier of the vulnerability. Required
Context Output
Path Type Description
Nexpose.Asset.AssetId number Identifier of the asset.
Nexpose.Asset.Vulnerability.Id number The identifier of the vulnerability.
Nexpose.Asset.Vulnerability.Title string The title (summary) of the vulnerability.
Nexpose.Asset.Vulnerability.Severity string The severity of the vulnerability, one of: "Moderate", "Severe", "Critical".
Nexpose.Asset.Vulnerability.RiskScore number The risk score of the vulnerability, rounded to a maximum of two digits of precision. If using the default Rapid7 Real Risk™ model, this value ranges from 0-1000.
Nexpose.Asset.Vulnerability.CVSS string The CVSS vector(s) for the vulnerability.
Nexpose.Asset.Vulnerability.CVSSV3 string The CVSS v3 vector.
Nexpose.Asset.Vulnerability.Published date The date the vulnerability was first published or announced. The format is an ISO 8601 date, YYYY-MM-DD.
Nexpose.Asset.Vulnerability.Added date The date the vulnerability coverage was added. The format is an ISO 8601 date, YYYY-MM-DD.
Nexpose.Asset.Vulnerability.Modified date The last date the vulnerability was modified. The format is an ISO 8601 date, YYYY-MM-DD.
Nexpose.Asset.Vulnerability.CVSSScore number The CVSS score, which ranges from 0-10.
Nexpose.Asset.Vulnerability.CVSSV3Score number The CVSS3 score, which ranges from 0-10.
Nexpose.Asset.Vulnerability.Categories unknown All vulnerability categories assigned to this vulnerability.
Nexpose.Asset.Vulnerability.CVES unknown All CVEs assigned to this vulnerability.
Nexpose.Asset.Vulnerability.Check.Port number The port of the service the result was discovered on.
Nexpose.Asset.Vulnerability.Check.Protocol string The protocol of the service the result was discovered on, valid values ip, icmp, igmp, ggp, tcp, pup, udp, idp, esp, nd, raw
Nexpose.Asset.Vulnerability.Check.Since date The date and time the result was first recorded, in the ISO8601 format. If the result changes status this value is the date and time of the status change.
Nexpose.Asset.Vulnerability.Check.Proof string The proof explaining why the result was found vulnerable.
Nexpose.Asset.Vulnerability.Check.Status string The status of the vulnerability check result. Valid values are unknown, not-vulnerable, vulnerable, vulnerable-version, vulnerable-potential, vulnerable-with-exception-applied, vulnerable-version-with-exception-applied, vulnerable-potential-with-exception-applied
Nexpose.Asset.Vulnerability.Solution.Type string The type of the solution. One of: "Configuration", "Rollup patch", "Patch".
Nexpose.Asset.Vulnerability.Solution.Summary string The summary of the solution.
Nexpose.Asset.Vulnerability.Solution.Steps string The steps required to remediate the vulnerability.
Nexpose.Asset.Vulnerability.Solution.Estimate string The estimated duration to apply the solution, in minutes.
Nexpose.Asset.Vulnerability.Solution.AdditionalInformation string Additional information or resources that can assist in applying the remediation
CVE.ID string Common Vulnerabilities and Exposures ids
Command Example

!nexpose-get-asset-vulnerability id=37 vulnerabilityId=apache-httpd-cve-2017-3169

Context Example
{
    "CVE": {
        "ID": "CVE-2017-3169"
    },
    "Nexpose": {
        "Asset": {
            "AssetId": "37",
            "Vulnerability": [
                {
                    "Added": "2017-06-20",
                    "CVES": [
                        "CVE-2017-3169"
                    ],
                    "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                    "CVSSScore": 7.5,
                    "CVSSV3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "CVSSV3Score": 9.8,
                    "Categories": [
                        "Apache",
                        "Apache HTTP Server",
                        "Web"
                    ],
                    "Check": [
                        {
                            "Port": 8080,
                            "Proof": "Running HTTP serviceProduct HTTPD exists -- Apache HTTPD 2.4.6Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.6",
                            "Protocol": "tcp",
                            "Since": "2018-04-29T11:36:54.597Z",
                            "Status": "vulnerable-version"
                        },
                        {
                            "Port": 443,
                            "Proof": "Running HTTPS serviceProduct HTTPD exists -- Apache HTTPD 2.4.6Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.6",
                            "Protocol": "tcp",
                            "Since": "2018-04-29T11:36:54.597Z",
                            "Status": "vulnerable-version"
                        }
                    ],
                    "Id": "apache-httpd-cve-2017-3169",
                    "Modified": "2018-01-08",
                    "Published": "2017-06-20",
                    "RiskScore": 574.63,
                    "Severity": "Critical",
                    "Solution": [
                        {
                            "AdditionalInformation": "The latest version of Apache HTTPD is 2.4.34.\n\nMany platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.",
                            "Estimate": "120.0 minutes",
                            "Steps": "Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.34.tar.gz (http://archive.apache.org/dist/httpd/httpd-2.4.34.tar.gz)",
                            "Summary": "Upgrade to the latest version of Apache HTTPD",
                            "Type": "rollup-patch"
                        }
                    ],
                    "Title": "Apache HTTPD: mod_ssl Null Pointer Dereference (CVE-2017-3169)"
                }
            ]
        }
    }
}

6. Create a site


Creates a new site with the specified configuration.

Base Command

nexpose-create-site

Input
Argument Name Description Required
name The site name. Name must be unique. Required
description The site's description. False
assets Multiple criteria of Specify asset addresses to be included in site scans Required
scanTemplateId The identifier of a scan template. Use nexpose-get-report-templates to get all templates. The default scan template is selected when not specified. False
importance The site importance. Defaults to "normal" if not specified. False
Context Output
Path Type Description
Nexpose.Site.Id number The created site Id
Command Example

!nexpose-create-site name="site_test" assets="127.0.0.1"

Context Example
{
    "Nexpose": {
        "Site": {
            "Id": 11
        }
    }
}

7. Delete a site


Deletes a site.

Base Command

nexpose-delete-site

Input
Argument Name Description Required
id ID of the site to delete Required
Context Output

There is no context output for this command.

Command Example

!nexpose-delete-site id=1258


8. Retrieve sites


Retrieves accessible sites.

Base Command

nexpose-get-sites

Input
Argument Name Description Required
limit integer The number of records to retrieve. Optional
sort Multiple criteria of The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' Optional
Context Output
Path Type Description
Nexpose.Site.Id number The identifier of the site.
Nexpose.Site.Name string The site name.
Nexpose.Site.Assets number The number of assets that belong to the site.
Nexpose.Site.Type string The type of the site. Valid values are agent, dynamic, static
Nexpose.Site.Vulnerabilities number The total number of vulnerabilities.
Nexpose.Site.Risk number The risk score (with criticality adjustments) of the site.
Nexpose.Site.LastScan date The date and time of the site's last scan.
Command Example

!nexpose-get-sites limit=1 sort="riskScore,DESC"

Context Example
{
    "Nexpose": {
        "Site": {
            "Assets": 29,
            "Id": 2,
            "LastScan": "2018-07-27T07:46:35.159Z",
            "Name": "Site 1",
            "Risk": 131586,
            "Type": "dynamic",
            "Vulnerabilities": 351
        }
    }
}

9. Get report templates


Returns all available report templates.

Base Command

nexpose-get-report-templates

Input

There is no input for this command.

Context Output
Path Type Description
Nexpose.Template.Id number The identifier of the report template.
Nexpose.Template.Name string The name of the report template.
Nexpose.Template.Description string The description of the report template.
Nexpose.Template.Type string The type of the report template. document is a templatized, typically printable, report that has various sections of content. export is data-oriented output, typically CSV. file is a printable report template using a report template file.
Command Example

!nexpose-get-report-templates

Context Example
{
    "Nexpose": {
        "Template": [
            {
                "Description": "Provides comprehensive details about discovered assets, vulnerabilities, and users.",
                "Id": "audit-report",
                "Name": "Audit Report",
                "Type": "document"
            },
            {
                "Description": "Compares current scan results to those of an earlier baseline scan.",
                "Id": "baseline-comparison",
                "Name": "Baseline Comparison",
                "Type": "document"
            },
            {
                "Description": "Includes a basic set of data fields for vulnerability check results in CSV format.",
                "Id": "basic-vulnerability-check-results",
                "Name": "Basic Vulnerability Check Results (CSV)",
                "Type": "export"
            },
            {
                "Description": "Provides a high-level view of security data, including general results information and statistical charts.",
                "Id": "executive-overview",
                "Name": "Executive Overview",
                "Type": "document"
            },
            {
                "Description": "Provides information and metrics about 10 discovered vulnerabilities with the highest risk scores.",
                "Id": "highest-risk-vulns",
                "Name": "Highest Risk Vulnerabilities",
                "Type": "document"
            },
            {
                "Description": "Serves as a cover sheet for the completed set of PCI-mandated reports.",
                "Id": "pci-attestation-v12",
                "Name": "PCI Attestation of Scan Compliance",
                "Type": "document"
            },
            {
                "Description": "PCI-mandated compliance summary with overview of Pass/Fail results, statistical charts, and vulnerability metrics.",
                "Id": "pci-executive-summary-v12",
                "Name": "PCI Executive Summary",
                "Type": "document"
            },
            {
                "Description": "Provides detailed, sorted scan information about each asset discovered in a PCI scan.",
                "Id": "pci-host-details-v12",
                "Name": "PCI Host Details",
                "Type": "document"
            },
            {
                "Description": "Provides a PCI-mandated listing of details, metrics, and Pass/Fail score for every vulnerability discovered in a PCI scan.",
                "Id": "pci-vuln-details-v12",
                "Name": "PCI Vulnerability Details",
                "Type": "document"
            },
            {
                "Description": "Shows detailed results for each policy rule scanned on an asset, including the percentage of policy rules that assets comply with and test results for each rule.",
                "Id": "policy-details",
                "Name": "Policy Details",
                "Type": "file"
            },
            {
                "Description": "Lists results for standard policy scans (AS/400, Oracle, Domino, Windows Group, CIFS/SMB account). Does not include Policy Manager results.",
                "Id": "policy-eval",
                "Name": "Policy Evaluation",
                "Type": "document"
            },
            {
                "Description": "Shows results for each tested policy, including the numbers and percentages of compliant assets, and the percentage of policy rules that assets comply with.",
                "Id": "policy-summary",
                "Name": "Policy Compliance Status",
                "Type": "file"
            },
            {
                "Description": "Lists top remediations as prioritized by vulnerability-related criteria that you select.",
                "Id": "prioritized-remediations",
                "Name": "Top Remediations",
                "Type": "file"
            },
            {
                "Description": "Lists top remediations as prioritized by vulnerability-related criteria that you select. Also provides steps for each remediation and lists each affected asset.",
                "Id": "prioritized-remediations-with-details",
                "Name": "Top Remediations with Details",
                "Type": "file"
            },
            {
                "Description": "Lists information about new assets discovered within a specific time period. This allows you to track changes to your network environment over time.",
                "Id": "r7-discovered-assets",
                "Name": "Newly Discovered Assets",
                "Type": "file"
            },
            {
                "Description": "Shows vulnerability exception activity during a specified time frame.",
                "Id": "r7-vulnerability-exceptions",
                "Name": "Vulnerability Exception Activity",
                "Type": "file"
            },
            {
                "Description": "Provides detailed remediation instructions for each discovered vulnerability.",
                "Id": "remediation-plan",
                "Name": "Remediation Plan",
                "Type": "document"
            },
            {
                "Description": "Lists test results for each discovered vulnerability, including how it was verified.",
                "Id": "report-card",
                "Name": "Report Card",
                "Type": "document"
            },
            {
                "Description": "Grades sets of assets based on risk and provides data and statistics for determining risk factors.",
                "Id": "risk-scorecard",
                "Name": "Risk Scorecard",
                "Type": "file"
            },
            {
                "Description": "Shows results for each asset against the selected policies' rules, including the percentage of policy rules that assets comply with.",
                "Id": "rule-breakdown-summary",
                "Name": "Policy Rule Breakdown Summary",
                "Type": "file"
            },
            {
                "Description": "Lists top policy compliance remediations as prioritized by policies that you select.",
                "Id": "top-policy-remediations",
                "Name": "Top Policy Remediations",
                "Type": "file"
            },
            {
                "Description": "Lists top policy compliance remediations as prioritized by policies that you select. Also provides steps for each remediation and lists each affected asset.",
                "Id": "top-policy-remediations-with-details",
                "Name": "Top Policy Remediations with Details",
                "Type": "file"
            },
            {
                "Description": "Lists risk scores, total vulnerabilities, and malware and exploit exposures for 10 assets with the highest risk scores.",
                "Id": "top-riskiest-assets",
                "Name": "Top 10 Assets by Vulnerability Risk",
                "Type": "file"
            },
            {
                "Description": "Lists total vulnerabilities and malware and exploit exposures for 10 assets with the most vulnerabilities.",
                "Id": "top-vulnerable-assets",
                "Name": "Top 10 Assets by Vulnerabilities",
                "Type": "file"
            },
            {
                "Description": "Tracks trends for vulnerabilities found, assets scanned, malware kit and exploit exposures, severity levels, and vulnerability age over a date range that you  select.",
                "Id": "vulnerability-trends",
                "Name": "Vulnerability Trends",
                "Type": "file"
            }
        ]
    }
}

10. Create an assets report


Generates a new report on given assets according to a template and arguments.

Base Command

nexpose-create-assets-report

Input

| Argument Name | Description | Required |
|---|---|---|
| assets | Multiple criteria of integer Asset ids to create the report on, comma separated. | Required |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |

Context Output

| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |

Command Example

!nexpose-create-assets-report assets="1,2,3,4"

Context Example
{
    "InfoFile": {
        "EntryID": "759@cc00e449-9e7b-4609-8a68-1c8c01114562",
        "Extension": "pdf",
        "Info": "application/pdf",
        "Name": "report 2018-08-20 11:41:54.343571.pdf",
        "Size": 143959,
        "Type": "PDF document, version 1.4\n"
    }
}

11. Create a sites report


Generates a new report on given sites according to a template and arguments.

Base Command

nexpose-create-sites-report

Input

| Argument Name | Description | Required |
|---|---|---|
| sites | Multiple criteria of integer Site ids to create the report on, comma separated. | Required |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |

Context Output

| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |

Command Example

!nexpose-create-sites-report sites=1,3

Context Example
{
    "InfoFile": {
        "EntryID": "765@cc00e449-9e7b-4609-8a68-1c8c01114562",
        "Extension": "pdf",
        "Info": "application/pdf",
        "Name": "report 2018-08-20 11:45:33.531668.pdf",
        "Size": 255774,
        "Type": "PDF document, version 1.4\n"
    }
}

12. Create a scan report


Generates a new report for a specified scan.

Base Command

nexpose-create-scan-report

Input

| Argument Name | Description | Required |
|---|---|---|
| scan | integer The identifier of the scan. | True |
| template | Report template id to create the report with. If none is provided, the first template available will be used. | False |
| name | The report name | False |
| format | The report format, default is PDF | False |

Context Output

| Path | Type | Description |
|---|---|---|
| InfoFile.EntryId | string | Entry Id of the report file |
| InfoFile.Name | string | Name of the report file |
| InfoFile.Extension | string | File extension of the report file |
| InfoFile.Info | string | Info about the report file |
| InfoFile.Size | number | Size of the report file |
| InfoFile.Type | string | Type of the report file |

Command Example

!nexpose-create-scan-report scan="15"

Context Example
{
    "InfoFile": {
        "EntryID": "771@cc00e449-9e7b-4609-8a68-1c8c01114562",
        "Extension": "pdf",
        "Info": "application/pdf",
        "Name": "report 2018-08-20 11:49:56.187193.pdf",
        "Size": 205544,
        "Type": "PDF document, version 1.4\n"
    }
}

13. Start a site scan


Starts a scan for the specified site.

Base Command

nexpose-start-site-scan

Input

| Argument Name | Description | Required |
|---|---|---|
| site | integer The identifier of the site. | True |
| hosts | Multiple criteria of The hosts that should be included as a part of the scan. This should be a mixture of IP Addresses and Hostnames as a comma separated string array. | False |
| name | The user-driven scan name for the scan. | False |

Context Output

| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The identifier of the scan. |
| Nexpose.Scan.ScanType | string | The scan type (automated, manual, scheduled). |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan. |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan in minutes. |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format. |
| Nexpose.Scan.Status | string | The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating |
| Nexpose.Scan.Vulnerabilities.Critical | number | The number of critical vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Moderate | number | The number of moderate vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Severe | number | The number of severe vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Total | number | The total number of vulnerabilities. |

Command Example

!nexpose-start-site-scan site=2 hosts=127.0.0.1

Context Example
{
    "Nexpose": {
        "Scan": {
            "Assets": 0,
            "Completed": null,
            "Id": 89391,
            "Message": null,
            "ScanName": "scan 2018-08-20 11:54:59.673365",
            "ScanType": "Manual",
            "StartedBy": null,
            "Status": "running",
            "TotalTime": "0 minutes",
            "Vulnerabilities": {
                "Critical": 0,
                "Moderate": 0,
                "Severe": 0,
                "Total": 0
            }
        }
    }
}

14. Start an assets scan


Starts a scan for specified asset IP addresses and host names.

Base Command

nexpose-start-assets-scan

Input

| Argument Name | Description | Required |
|---|---|---|
| IPs | Multiple criteria of IP addresses of assets, comma separated. | False |
| hostNames | Multiple criteria of Host names of assets, comma separated. | False |
| name | The user-driven scan name for the scan. | False |

Context Output

| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The identifier of the scan. |
| Nexpose.Scan.ScanType | string | The scan type (automated, manual, scheduled). |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan. |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan in minutes. |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format. |
| Nexpose.Scan.Status | string | The scan status. Valid values are aborted, unknown, running, finished, stopped, error, paused, dispatched, integrating |
| Nexpose.Scan.Vulnerabilities.Critical | number | The number of critical vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Moderate | number | The number of moderate vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Severe | number | The number of severe vulnerabilities. |
| Nexpose.Scan.Vulnerabilities.Total | number | The total number of vulnerabilities. |

Command Example

!nexpose-start-assets-scan IPs=127.0.0.1

Context Example
{
    "Nexpose": {
        "Scan": {
            "Assets": 0,
            "Completed": null,
            "Id": 89410,
            "Message": null,
            "ScanName": "scan 2018-08-20 12:31:52.951818",
            "ScanType": "Manual",
            "StartedBy": null,
            "Status": "running",
            "TotalTime": "0 minutes",
            "Vulnerabilities": {
                "Critical": 0,
                "Moderate": 0,
                "Severe": 0,
                "Total": 0
            }
        }
    }
}

15. Stop a scan that is in progress


Stops the specified scan, which is in progress.

Base Command

nexpose-stop-scan

Input

| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to stop | Required |

Context Output

There is no context output for this command.

Command Example

!nexpose-stop-scan id=143200


16. Pause a scan that is in progress


Pauses the specified scan, which is in progress.

Base Command

nexpose-pause-scan

Input

| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to pause | Required |

Context Output

There is no context output for this command.

Command Example

!nexpose-pause-scan id=143200


17. Resume a scan


Resumes a scan that is paused or stopped.

Base Command

nexpose-resume-scan

Input

| Argument Name | Description | Required |
|---|---|---|
| id | ID of the scan to resume | Required |

Context Output

There is no context output for this command.

Command Example

!nexpose-resume-scan id=143200


18. Get a list of scans


Returns a list of scans.

Base Command

nexpose-get-scans

Input

| Argument Name | Description | Required |
|---|---|---|
| active | Return active or previous scans (boolean) | Optional |
| limit | The number of records to retrieve | Optional |
| sort | Multiple criteria of <string> The criteria to sort the records by, in the format: property [ASC, DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters separated by a ';'. For example: 'riskScore,DESC;hostName,ASC' | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Nexpose.Scan.Id | number | The ID of the scan |
| Nexpose.Scan.ScanType | string | The scan type ("automated", "manual", "scheduled") |
| Nexpose.Scan.StartedBy | date | The name of the user that started the scan |
| Nexpose.Scan.Assets | number | The number of assets found in the scan |
| Nexpose.Scan.TotalTime | string | The duration of the scan (in minutes) |
| Nexpose.Scan.Completed | date | The end time of the scan in ISO8601 format |
| Nexpose.Scan.Status | string | The scan status ("aborted", "unknown", "running", "finished", "stopped", "error", "paused", "dispatched", "integrating") |

Command Example

!nexpose-get-scans active=false limit=5

Context Example
{
    "Nexpose": {
        "Scan": [
            {
                "Assets": 32,
                "Completed": "2018-04-29T11:24:58.721Z",
                "Id": 15,
                "Message": null,
                "ScanName": "Sun 29 Apr 2018 11:17 AM",
                "ScanType": "Manual",
                "StartedBy": null,
                "Status": "finished",
                "TotalTime": "9.76666666667 minutes"
            },
            {
                "Assets": 19,
                "Completed": "2018-04-29T11:42:16.765Z",
                "Id": 25,
                "Message": null,
                "ScanName": "Sun 29 Apr 2018 11:32 AM",
                "ScanType": "Manual",
                "StartedBy": null,
                "Status": "finished",
                "TotalTime": "24.6333333333 minutes"
            },
            {
                "Assets": 29,
                "Completed": "2018-06-13T13:36:54.288Z",
                "Id": 42794,
                "Message": null,
                "ScanName": "Wed 13 Jun 2018 01:29 PM",
                "ScanType": "Manual",
                "StartedBy": null,
                "Status": "finished",
                "TotalTime": "18.3 minutes"
            },
            {
                "Assets": 1,
                "Completed": "2018-06-13T13:41:59.184Z",
                "Id": 42799,
                "Message": null,
                "ScanName": "Wed 13 Jun 2018 01:35 PM",
                "ScanType": "Manual",
                "StartedBy": null,
                "Status": "finished",
                "TotalTime": "21.85 minutes"
            },
            {
                "Assets": 1,
                "Completed": "2018-06-13T14:16:41.766Z",
                "Id": 42824,
                "Message": null,
                "ScanName": "Wed 13 Jun 2018 02:09 PM",
                "ScanType": "Manual",
                "StartedBy": null,
                "Status": "finished",
                "TotalTime": "7.3 minutes"
            }
        ]
    }
}
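The scan lifecycle described in commands 13 to 18, as an added Python example (not the integration's own code): it reads the Nexpose.Scan context and only emits a stop, pause or resume command when the scan status permits it. Assumptions: only "running" counts as "in progress", "finished", "aborted" and "error" are treated as final, and the function names and the time budget are hypothetical.

```python
# Status values as listed for Nexpose.Scan.Status on this page.
STATUSES = {"aborted", "unknown", "running", "finished", "stopped",
            "error", "paused", "dispatched", "integrating"}
# Assumption: these statuses mean no further results will arrive.
DONE = {"finished", "aborted", "error"}
# Per the command descriptions: stop/pause need a scan "in progress", resume
# needs one "paused or stopped". Assumption: only "running" is "in progress".
ALLOWED = {"nexpose-stop-scan": {"running"}, "nexpose-pause-scan": {"running"},
           "nexpose-resume-scan": {"paused", "stopped"}}

def scan_entries(context):
    """Nexpose.Scan is a dict after a start command and a list after get-scans."""
    scan = (context.get("Nexpose") or {}).get("Scan") or []
    return [scan] if isinstance(scan, dict) else list(scan)

def total_minutes(scan):
    """Parse TotalTime such as '9.76666666667 minutes'; None if malformed."""
    parts = str(scan.get("TotalTime") or "").split()
    try:
        return float(parts[0]) if len(parts) == 2 and parts[1] == "minutes" else None
    except ValueError:
        return None

def guarded_command(scan, action):
    """Return the command line for `action`, or None if the status forbids it."""
    status = str(scan.get("Status") or "").lower()
    if status not in STATUSES:
        raise ValueError(f"unexpected scan status: {status!r}")
    # int() keeps anything but a numeric scan Id out of the command string.
    return f"!{action} id={int(scan['Id'])}" if status in ALLOWED[action] else None

def triage(context, budget_minutes):
    """Map scan Id -> 'done', 'halted', 'poll', or a stop command on overrun."""
    plan = {}
    for scan in scan_entries(context):
        stop = guarded_command(scan, "nexpose-stop-scan")  # also validates Status
        status, minutes = scan["Status"].lower(), total_minutes(scan)
        if status in DONE:
            plan[scan["Id"]] = "done"
        elif status in ("paused", "stopped"):
            plan[scan["Id"]] = "halted"
        elif stop and minutes is not None and minutes > budget_minutes:
            plan[scan["Id"]] = stop
        else:
            plan[scan["Id"]] = "poll"
    return plan

# Constructed sample: Ids 89391 and 15 mirror the examples above, the rest are invented.
SAMPLE = {"Nexpose": {"Scan": [
    {"Id": 89391, "Status": "running", "TotalTime": "0 minutes"},
    {"Id": 1001, "Status": "running", "TotalTime": "95.5 minutes"},
    {"Id": 1002, "Status": "paused", "TotalTime": "12 minutes"},
    {"Id": 15, "Status": "finished", "TotalTime": "9.76666666667 minutes"},
]}}
```

Calling `triage(SAMPLE, 60)` leaves the fresh scan on "poll", returns a stop command for the scan that exceeded the 60-minute budget, and marks the paused scan "halted" so a playbook can decide whether to resume it.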

Troubleshooting


  • In case of a timeout error, the API server address or port may be incorrect.
  • In case of a 400 Bad Request error, incorrect values were provided to an API resource, e.g., incorrect search fields.
  • In case of a 401 Unauthorized error, incorrect credentials were provided or there are insufficient privileges for a specific resource.
  • In case of a 404 Not Found error, a specified resource was not found, e.g., a vulnerability that doesn't exist in an asset.