9 Replies Latest reply on Jun 22, 2016 8:21 PM by moorej1

    NeXpose & McAfee ESM ???


      Hi All,

      Need personal/business experience with NeXpose and Intel McAfee SIEM.


      Specifically referring to this:



      What value do you get?

      What does it solve?

      Who uses it?

      Why do they use it?


      ALL experience and comments welcome.


        • 1. Re: NeXpose & McAfee ESM ???
          Peter M

          Moved to SIEM for better responses.




          • 2. Re: NeXpose & McAfee ESM ???

            We have never had luck getting anything useful from Rapid7. The notes I gathered in conversations with pro services are:


            Whatever account SIEM uses to communicate with the Rapid7 scanner has to be an admin. It looks for site scan reports. If we aren’t doing site scan reports, then nothing will be returned.


            If you get this to work, I would like to see your setup. Thanks!

            • 3. Re: NeXpose & McAfee ESM ???

              Here is the Integration Guide for Nexpose into McAfee ESM

              • 4. Re: NeXpose & McAfee ESM ???

                The Nexpose integration guide is pretty confusing if you're on 9.6, as there is no data source for "syslog", Rapid7 or Nexpose.  You have to use the data source "generic".


                Not sure if this is the case as well on earlier versions.

                • 5. Re: NeXpose & McAfee ESM ???

                  NeXpose is not a source; to add it you have to click on the "Asset Manager" icon:


                  Then go to the "Vulnerability Assessment" tab and configure your scanner:



                  I use OpenVAS myself, but still I think you'll get the same level of information.


                  Adding a vulnerability scanner will give you access to some reports that were empty until now (Asset, Threat and Risk).

                  It also gives you a better "SEVERITY" score that is closer to reality.

                  And last (but not least), if you're doing some cybersecurity or incident response, you can create a correlation rule like this:

                     -  IF

                            this asset is vulnerable to a specific attack

                     - AND

                            the IPS/Firewall has seen this kind of event (NOT dropped)

                     - THEN

                            generate an alarm. 


                  Hope this helped and sorry for my English.
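
The correlation rule outlined in reply 5, as an added example that is not part of the original thread and is not McAfee ESM rule syntax. It is written in Python over constructed scanner findings and IPS/firewall events; the record layout, field names, addresses and placeholder CVE ids are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not an ESM or Nexpose schema; CVE ids are placeholders).
VULN_FINDINGS = [
    {"asset": "10.0.0.5", "cve": "CVE-0000-0001"},
    {"asset": "10.0.0.5", "cve": "CVE-0000-0002"},
    {"asset": "10.0.0.9", "cve": "CVE-0000-0001"},
]
IPS_EVENTS = [
    {"id": 1, "dst": "10.0.0.5", "cve": "CVE-0000-0001", "action": "allowed"},
    {"id": 2, "dst": "10.0.0.5", "cve": "CVE-0000-0002", "action": "dropped"},
    {"id": 3, "dst": "10.0.0.7", "cve": "CVE-0000-0001", "action": "allowed"},
    {"id": 4, "dst": "10.0.0.9", "cve": "cve-0000-0001", "action": "Alert"},
    {"id": 5, "dst": "10.0.0.9", "cve": None, "action": "allowed"},
]
# Actions that mean the traffic never reached the asset (assumed vocabulary).
BLOCKED = {"dropped", "blocked", "denied", "reset"}


def build_vuln_index(findings):
    """Map each asset to the set of vulnerability ids the scanner reported."""
    index = defaultdict(set)
    for finding in findings:
        index[finding["asset"]].add(finding["cve"].upper())
    return index


def correlate(events, vuln_index):
    """IF the asset is vulnerable AND the event was not dropped THEN alarm."""
    alarms = []
    for ev in events:
        cve = (ev.get("cve") or "").upper()
        if not cve:
            continue  # signature carries no vulnerability reference
        if ev["action"].lower() in BLOCKED:
            continue  # the IPS/firewall stopped it; lower priority
        # .get() avoids creating empty entries for unknown assets
        if cve in vuln_index.get(ev["dst"], ()):
            alarms.append({"event_id": ev["id"], "asset": ev["dst"], "cve": cve})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(IPS_EVENTS, build_vuln_index(VULN_FINDINGS)):
        print("ALARM", alarm)
```

Events 2, 3 and 5 raise nothing: one was dropped, one targets an asset with no matching finding, and one has no vulnerability reference to join on.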

                  • 6. Re: NeXpose & McAfee ESM ???

                    Please note that you may see API authentication errors when adding Rapid7 Nexpose 6.2 or later as a Vulnerability Assessment source. The problem is due to a code change in Nexpose. At this point, we are hoping MR1 will resolve this issue.


                    Furthermore, the attached integration guide in previous messages will not give you the asset scoring that can be used in a meaningful way.

                    • 7. Re: NeXpose & McAfee ESM ???

                      I am having this same issue: we are unable to integrate via the Nexpose (v6.3) API using valid credentials. We see a McAfee ESM error stating the server requires authorization when we are using the correct credentials. Nexpose has errors in its logs stating the creds are incorrect. I suspect the ESM is passing the creds incorrectly. Is there any update from McAfee on when this will work? P.S. Other major SIEM vendors have issues with the new release of Nexpose as well.

                      • 8. Re: NeXpose & McAfee ESM ???

                        Auth.log info from NeXpose below:

                        Unable to determine login module for user, defaulting to XML. org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [SELECT u.user_id, u.user_login, u.user_name, u.user_email, u.user_disabled, u.authsrc_id, u.def_silo_id, a.module, a.source, u.super_user_ind, array((SELECT silo_id FROM REDACTED.silo_user_brg WHERE user_id = u.user_id)) AS silos

                        FROM REDACTED.users u

                          JOIN REDACTED.auth_source a USING (authsrc_id)

                          WHERE u.user_login = ?]; nested exception is org.postgresql.util.PSQLException: ERROR: permission denied for relation users

                          at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:99) ~[spring-jdbc-4.2.4.RELEASE.jar:4.2.4.RELEASE]



                        So it appears that Rapid7 has changed their DBSchema and the SQL command that they gave McAfee no longer works.


                        Found this article on GRANTing permissions on tables:

                        postgresql - Permission denied for relation - Stack Overflow

                        • 9. Re: NeXpose & McAfee ESM ???

                          I stand corrected. Looks like we are affected by an existing defect where a session login fails when the user is already logged in. Check access.log.