API imports enable QRadar® to import ad hoc report
data for vulnerabilities on your sites from Rapid7 Nexpose scanners. The site data that the scan
imports depends on the site name.
Before you begin
Before you add this scanner, you must have a server certificate that supports HTTPS
connections. QRadar supports certificates with the following file extensions: .crt, .cert, or .der.
To copy a certificate to the
/opt/qradar/conf/trusted_certificates directory,
choose one of the following options:
- Manually copy the certificate to the /opt/qradar/conf/trusted_certificates
directory by using SCP or SFTP.
- SSH into the Console or managed host and retrieve the certificate by using the following
command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443
default>. A certificate is then downloaded from the specified host name or IP address and placed
into the /opt/qradar/conf/trusted_certificates directory in the appropriate
format.
Procedure
- Click .
- Click the VA Scanners icon, and then click Add.
- Type a Scanner Name to identify your Rapid7 Nexpose scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- Select Rapid7 Nexpose Scanner from the Type list.
- From the Import Type list, select from the following options:
  - Import Site Data - Asset and Vulnerability data via SQL API - Default and suggested option for importing results.
  - Import Site Data - Adhoc Report via API
- In the Remote Hostname field, type the IP address or host name of the Rapid7 Nexpose scanner.
- In the Login Username field, type the user name that is used to access the Rapid7 Nexpose scanner.
  The login must be a valid user. The username can be obtained from the Rapid7 Nexpose user interface or from the Rapid7 Nexpose administrator.
- In the Login Password field, type the password to access the Rapid7 Nexpose scanner.
- In the Port field, type the port that is used to connect to the Rapid7 Nexpose Security Console.
  The port number is the same port that is used to connect to the Rapid7 Nexpose user interface.
- In the Site Name Pattern field, type the regular expression (regex) to determine which Rapid7 Nexpose sites to include in the scan. All sites that match the pattern are included when the scan schedule starts.
  The default regular expression is .* to import all site names.
- In the Cache Timeout (Minutes) field, type the length of time the data from the last generated scan report is stored in the cache.
  If the cache timeout limit expires, new vulnerability data is requested from the API when the scheduled scan starts.
- Enter the path to the local directory to store downloaded XML reports.
- To configure a CIDR range for the scanner, complete the following steps:
  - In the field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
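A way to preview which sites a Site Name Pattern would select before you save the scanner, as an added example that is not part of the product documentation. The site names are constructed, Python's `re` module stands in for the regex engine that QRadar uses, and because this page does not state whether the pattern must match the whole site name or only part of it, the code reports both readings.

```python
import re

# Constructed Nexpose site names (sample data, not from a real console).
SAMPLE_SITES = ["prod-dmz", "prod-internal", "nonprod-lab", "pci-prod-db", "dev"]


def preview_site_pattern(pattern, site_names):
    """Return (whole, partial) lists of the site names a pattern selects.

    whole:   the pattern has to match the entire site name
    partial: the pattern may match anywhere inside the site name
    """
    rx = re.compile(pattern)
    whole = [s for s in site_names if rx.fullmatch(s)]
    partial = [s for s in site_names if rx.search(s)]
    return whole, partial


def extra_under_partial(pattern, site_names):
    """Sites imported only under the partial-match reading (unintended scope)."""
    whole, partial = preview_site_pattern(pattern, site_names)
    return [s for s in partial if s not in whole]


if __name__ == "__main__":
    # Compare the default pattern with loose and anchored alternatives.
    for pat in (".*", "prod", "prod-.*", "^prod-.*$"):
        whole, partial = preview_site_pattern(pat, SAMPLE_SITES)
        print(f"{pat!r:12} whole={whole}")
        print(f"{'':12} partial={partial}")
        print(f"{'':12} ambiguous={extra_under_partial(pat, SAMPLE_SITES)}")
```

A pattern anchored with ^ and $ selects the same sites under both readings, so the import scope does not depend on how the pattern is applied.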
What to do next
You are now ready to create a scan schedule. See Scheduling a vulnerability scan.