Adding a Rapid7 Nexpose scanner remote file import
QRadar® uses remote files to import site vulnerability data from your Rapid7 Nexpose scanner.
Before you begin
- Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.
- Use SSH to log in to the Console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified host name or IP and placed into the /opt/qradar/conf/trusted_certificates directory in the appropriate format.
About this task
Remote file imports collect vulnerabilities for a site from a remote file that is downloaded. The Rapid7 Nexpose XML file that contains the site and vulnerability information must be copied from your Rapid7 Nexpose appliance to the Console or managed host you specify when the scanner is added to QRadar. The destination directory on the managed host or Console must exist before the Rapid7 Nexpose appliance can copy site reports. The site files can be copied to the managed host or Console by using Secure Copy (SCP) or Secure File Transfer Protocol (SFTP).
The import directory that is created on the managed host or QRadar Console must have the appropriate owner and permissions set for the VIS user within QRadar. For example, chown -R vis:qradar <import_directory_path> and chmod 755 <import_directory_path> set the owner of the import directory path to the VIS user with adequate read-write-execute permissions.
- Click .
- Click the VA Scanners icon, and then click Add.
- Type a Scanner Name to identify your Rapid7 Nexpose scanner.
From the Managed Host list, select an option that is based on one of the
- On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
- On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select Rapid7 Nexpose Scanner.
- From the Import Type list, select Import Site Data - Remote File.
- Enter the Remote Hostname of the server that has the scan result files and the Remote Port of the remote SSH server.
- Enter the user name and password for the remote SSH server.
- Optional: Enable key authentication, and then enter the full local path to the SSH private key file.
- Indicate the location of the remote directory that contains the scan results on the remote SSH server.
In the File Name Pattern field, type a regular expression (regex) pattern to determine which Rapid7 Nexpose XML files to include in the scan report.
All file names that match the regex pattern are included when the vulnerability scan report is imported. You must use a valid regex pattern in this field. The default value .*\.xml imports all files from the import folder.
- Enter the maximum number of days to use the report file. Files older than this number of days aren't processed. Set the number to 0 if you want to disable report age checking.
Configure a CIDR range for your scanner:
- In the field, type the CIDR range that you want this scanner to consider or click Browse to select a CIDR range from the network list.
- Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
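
A pre-flight check for the import directory and the File Name Pattern described above, as an added example that is not part of the QRadar documentation. It assumes GNU stat and grep, that the pattern must match the whole file name, and that report age is taken from the file's modification time; check_import_dir and preview_import are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a Nexpose remote-file import directory.
# Assumptions (not from the QRadar documentation): the File Name Pattern must
# match the whole file name, and report age is measured from file mtime.

# check_import_dir DIR [OWNER:GROUP] [MODE]
# Prints "ok" when owner and mode match what the procedure sets with
# chown -R vis:qradar and chmod 755; otherwise prints what differs.
check_import_dir() {
  local dir=$1 want_owner=${2:-vis:qradar} want_mode=${3:-755} owner mode
  [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
  owner=$(stat -c '%U:%G' "$dir")
  mode=$(stat -c '%a' "$dir")
  if [ "$owner" != "$want_owner" ]; then
    echo "owner is $owner, expected $want_owner"; return 1
  fi
  if [ "$mode" != "$want_mode" ]; then
    echo "mode is $mode, expected $want_mode"; return 1
  fi
  echo ok
}

# preview_import DIR REGEX MAX_DAYS
# Lists the file names that would be selected: the whole name matches REGEX
# and the file is not older than MAX_DAYS days (0 disables the age check).
preview_import() {
  local dir=$1 regex=$2 max_days=$3 now f name age
  now=$(date +%s)
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    # -x anchors the pattern to the whole name, so report.xml.bak is skipped.
    printf '%s\n' "$name" | grep -Eqx -- "$regex" || continue
    if [ "$max_days" -gt 0 ]; then
      age=$(( (now - $(stat -c %Y "$f")) / 86400 ))
      [ "$age" -le "$max_days" ] || continue
    fi
    printf '%s\n' "$name"
  done
}
```

Run preview_import against the import directory with the pattern and age limit you plan to enter, and confirm that only the intended site reports are listed before you save the scanner.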