Moved to SIEM for better responses.
We have never had luck getting anything useful from Rapid7. The notes I gathered in conversations with pro services are:
Whatever account SIEM uses to communicate with the Rapid7 scanner has to be an admin. It looks for site scan reports. If we aren’t doing site scan reports, then nothing will be returned.
If you get this to work, I would like to see your setup. Thanks!
The Nexpose integration guide is pretty confusing if you're on 9.6, as there is no data source for "syslog", Rapid7 or Nexpose. You have to use the data source "generic".
Not sure if this is the case as well on earlier versions.
NeXpose is not a source; to add it you have to click on the "Asset Manager" icon:
Then go to the "Vulnerability Assessment" tab and configure your scanner:
I use OpenVAS myself, but I still think you'll get the same level of information.
Adding a vulnerability scanner will give you access to some reports that were empty until now (Asset, Threat and Risk).
It also gives you a better "SEVERITY" score, one that is closer to reality.
And last (but not least), if you're doing some cyber security or incident response work, you can create a correlation rule like this:
this asset is vulnerable to a specific attack
the IPS/Firewall has seen this kind of event (NOT dropped)
generate an alarm.
Hope this helped and sorry for my English.
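The correlation rule described in the post above, worked through as an added example (this is not code from the original thread, from McAfee ESM or from any scanner): a scanner export is joined with IPS events, and an alarm is raised only when an IPS signature mapped to a CVE reached a host the scanner lists as vulnerable to that CVE and the IPS did not drop the traffic. The scan export, the IPS events and all column and field names (asset_ip, vuln_id, severity, sig, cve, action) are constructed for the example and are not the Nexpose, OpenVAS or ESM formats.

```python
"""
Correlate a vulnerability-assessment export with IPS/firewall events.

Alarm only when:
  1. the IPS event references a CVE,
  2. the destination asset is listed as vulnerable to that CVE, and
  3. the IPS action was NOT a drop/block (the traffic reached the host).
"""
import csv
import io
import json
from collections import defaultdict

# Constructed scanner export (asset, vulnerability id, CVSS-like severity).
# Column names are assumptions, not the Nexpose or OpenVAS export format.
SCAN_EXPORT = """\
asset_ip,vuln_id,severity
10.0.1.10,CVE-2014-0160,7.5
10.0.1.10,CVE-2015-0204,4.3
10.0.1.20,CVE-2017-0144,8.1
"""

# Constructed IPS events as JSON lines. Field names are assumptions; real
# IPS exports (Snort/Suricata EVE, firewall syslog) differ.
IPS_EVENTS = """\
{"ts":"2016-03-01T10:00:01Z","src":"203.0.113.5","dst":"10.0.1.10","sig":"TLS Heartbleed attempt","cve":"CVE-2014-0160","action":"alert"}
{"ts":"2016-03-01T10:00:02Z","src":"203.0.113.5","dst":"10.0.1.20","sig":"SMB EternalBlue attempt","cve":"CVE-2017-0144","action":"drop"}
{"ts":"2016-03-01T10:00:03Z","src":"203.0.113.9","dst":"10.0.1.20","sig":"TLS Heartbleed attempt","cve":"CVE-2014-0160","action":"alert"}
{"ts":"2016-03-01T10:00:04Z","src":"198.51.100.7","dst":"10.0.1.20","sig":"SMB EternalBlue attempt","cve":"CVE-2017-0144","action":"alert"}
"""

# IPS verdicts that mean the packet never reached the asset.
BLOCKED_ACTIONS = {"drop", "reject", "block"}


def load_scan(csv_text):
    """Return {asset_ip: {vuln_id: severity}} from the scanner export."""
    vulns = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulns[row["asset_ip"]][row["vuln_id"]] = float(row["severity"])
    return vulns


def load_ips(jsonl_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def correlate(vulns, events):
    """Return one alarm per IPS event that reached a host vulnerable to the
    CVE the signature targets. Dropped traffic and hits on hosts that are
    not vulnerable stay ordinary IPS events and produce no alarm."""
    alarms = []
    for ev in events:
        if ev.get("action", "").lower() in BLOCKED_ACTIONS:
            continue  # the IPS stopped it; nothing to escalate
        cve = ev.get("cve")
        asset_vulns = vulns.get(ev["dst"], {})
        if cve in asset_vulns:
            alarms.append({
                "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                "cve": cve, "sig": ev["sig"],
                # the scanner's severity drives the alarm priority
                "severity": asset_vulns[cve],
            })
    return alarms


def run():
    """Correlate the constructed samples; returns the list of alarms."""
    return correlate(load_scan(SCAN_EXPORT), load_ips(IPS_EVENTS))


if __name__ == "__main__":
    for a in run():
        print(f"ALARM {a['ts']} {a['src']} -> {a['dst']} {a['cve']} "
              f"({a['sig']}) severity {a['severity']}")
```

Of the four constructed events only two become alarms: the Heartbleed attempt against 10.0.1.10 (vulnerable, alerted but not dropped) and the EternalBlue attempt against 10.0.1.20 from 198.51.100.7 (same conditions). The dropped EternalBlue attempt and the Heartbleed attempt against a host without that vulnerability are filtered out, which is the noise reduction the post's rule is after.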
Please note that you may see API authentication errors when adding Rapid7 Nexpose 6.2 or later as Vulnerability Assessment source. The problem is due to code change in Nexpose. At this point, we are hoping MR1 will resolve this issue.
Furthermore, the attached integration guide in previous messages will not give you the asset scoring that can be used in a meaningful way.
I am having this same issue: we are unable to integrate via the Nexpose (v6.3) API using valid credentials. We see a McAfee ESM error stating the server requires authorization when we are using the correct credentials. Nexpose has errors in its logs stating the creds are incorrect. I suspect the ESM is passing the creds incorrectly. Is there any update from McAfee on when this will work? P.S. Other major SIEM vendors have issues with the new release of Nexpose as well.
Auth.log info from NeXpose below:
Unable to determine login module for user, defaulting to XML. org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [SELECT u.user_id, u.user_login, u.user_name, u.user_email, u.user_disabled, u.authsrc_id, u.def_silo_id, a.module, a.source, u.super_user_ind, array((SELECT silo_id FROM REDACTED.silo_user_brg WHERE user_id = u.user_id)) AS silos
FROM REDACTED.users u
JOIN REDACTED.auth_source a USING (authsrc_id)
WHERE u.user_login = ?]; nested exception is org.postgresql.util.PSQLException: ERROR: permission denied for relation users
at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.doTranslate(SQLStateSQLExceptionTranslator.java:99) ~[spring-jdbc-4.2.4.RELEASE.jar:4.2.4.RELEASE]
So it appears that Rapid7 has changed their DB schema and the SQL command that they gave McAfee no longer works.
Found this article on GRANTing permissions on tables:
I stand corrected. It looks like we're affected by an existing defect where a session login fails when the user is already logged in. Check access.log.