Rapid7 InsightVM
LAST UPDATED: 05/30/2024
Overview
Rapid7 InsightVM is a vulnerability management solution that goes beyond risk visibility within your IT environment. It provides comprehensive reporting, automation, and seamless integrations so that organizations can prioritize and remediate vulnerabilities efficiently.
D3 SOAR provides REST operations to work with Rapid7 InsightVM.
Rapid7 InsightVM is available for use in:
D3 SOAR | V12.7.83.0+ |
Category | Vulnerability Management |
Deployment Options |
Known Limitations
Rapid7 InsightVM has limitations based on the licensing of your instance. For more information, visit Live Licensing | InsightVM Documentation.
Connection
To connect to Rapid7 InsightVM from D3 SOAR, follow this section to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the Rapid7 InsightVM instance. | https://1.1.1.1:3780 |
Username | The username for authentication. | admin |
Password | The password for authentication. | password |
API Version | The API version to use for the connection. | 3 |
Permission Requirements
Each endpoint in the Rapid7 InsightVM API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Permission |
---|---|
Create Scan Report | SITE PERMISSIONS > View Site Asset Data; REPORT PERMISSIONS > Create Reports |
Create Site | Allow this user to access all sites; GLOBAL PERMISSIONS > Manage Sites |
Delete Site | Allow this user to access all sites; GLOBAL PERMISSIONS > Manage Sites |
Download Report | No permission needed |
Get Assets | SITE PERMISSIONS > View Site Asset Data |
Get Asset Vulnerability | SITE PERMISSIONS > View Site Asset Data; VULNERABILITY INVESTIGATION PERMISSIONS > View Vulnerability Investigations |
Get Asset Vulnerability By IPs | SITE PERMISSIONS > View Site Asset Data; VULNERABILITY INVESTIGATION PERMISSIONS > View Vulnerability Investigations |
Get Report Status | No permission needed |
Get Scans | SITE PERMISSIONS > View Site Asset Data |
List Report Templates | No permission needed |
List Scan Engines | GLOBAL PERMISSIONS > Manage Scan Engines |
List Scan Templates | No permission needed |
List Site | SITE PERMISSIONS > View Site Asset Data |
Search Asset | SITE PERMISSIONS > View Site Asset Data |
Start Site Scan | SITE PERMISSIONS > Start Unscheduled Scans |
Stop Scan | SITE PERMISSIONS > View Site Asset Data; SITE PERMISSIONS > Start Unscheduled Scans |
Test Connection | No permission needed |
Because Rapid7 InsightVM uses role-based access control (RBAC), D3 SOAR connections are created for a specific user account, so the command permissions are inherited from that user account's role. Users need to configure that account's role and site access in the Rapid7 InsightVM console to cover each command in this integration.
READER NOTE
In addition to the required roles listed in the table above, some commands also require permission to access all sites in Rapid7 InsightVM. To grant this permission, please follow these steps:
Navigate to the User Configuration section.
Locate the Site Access tab.
Check the Allow this user to access all sites option.
For a comprehensive overview of permissions and their descriptions, please refer to Managing users and authentication | InsightVM Documentation.
Configuring Rapid7 InsightVM to Work with D3 SOAR
Role and site permissions need to be configured for the connected user account. Refer to Permission Requirements for the required permissions of each command. For instructions on creating users and enabling role and site permissions, please refer to Managing users and authentication | InsightVM Documentation.
Configuring D3 SOAR to Work with Rapid7 InsightVM
Log in to D3 SOAR.
Find the Rapid7 InsightVM integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Rapid7 InsightVM in the search box to find the integration, then click it to select it.
Click + New Connection on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Rapid7 InsightVM.
Connection Name: The desired name for the connection.
Site: Specifies the site that will use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site. Use it to select the internal site on which to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the domain-level Server URL.
2. Input the Username. Refer to step 4 of Configuring Rapid7 InsightVM to Work with D3 SOAR.
3. Input the Password. Refer to step 4 of Configuring Rapid7 InsightVM to Work with D3 SOAR.
4. Input the API Version. The default value is 3.
Connection Health Check: Updates the status of the connection you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Rapid7 InsightVM includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Rapid7 InsightVM API, please refer to the Rapid7 InsightVM API reference.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Rapid7 InsightVM to Work with D3 SOAR for details.
Create Scan Report
Generates a configured report, returns the instance identifier of the report, and saves the report into the D3 database.
READER NOTE
Scan ID and Template are required parameters to run this command.
Run the Start Site Scan or Get Scans command to obtain a Scan ID. Scan IDs can be found in the raw data returned by Start Site Scan at the path $.id, or in the raw data returned by Get Scans at the path $[*].id.
Run the List Report Templates command to obtain a Template. Report template IDs can be found in the returned raw data at the path $.resources[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Name | Required | The name of the report. | |
Scan ID | Required | The scan ID used to generate the report. Scan IDs can be obtained using the Start Site Scan or Get Scans command. | 38 |
Format | Required | The output format of the report. | |
Template | Required | The template ID used to generate the report. Report Template ID can be obtained using the List Report Templates command. | audit-report |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"fileId": "346",
"fileName": "*****.pdf",
"md5": "*****",
"sha1": "*****",
"sha256": "*****"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
{
"fileId": "346",
"fileName": "*****.pdf",
"md5": "*****",
"sha1": "*****",
"sha256": "*****"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"ID": "\"184\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
FILE NAME | MD5 HASH | SHA1 HASH | SHA256 HASH |
---|---|---|---|
***** | ***** | ***** |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Scan Report failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The specified scan with identifier '1000' in the 'scans' scope does not exist. |
Error Sample Data | Create Scan Report failed. Status Code: 404. Message: The specified scan with identifier '1000' in the 'scans' scope does not exist. |
Create Site
Creates a new site with the specified configuration.
Input
Input Parameter | Required/Optional | Description | Example |
Site Name | Required | The name of the new site. Note: Site names must be unique. | TestSite |
Description | Optional | The description text for the new site. | A new Site |
Included Asset Addresses | Optional | The list of asset addresses to include in the site's scans. | ["www.test.com","8.8.8.8"] |
Importance | Optional | The importance level of the site. The default value is normal. | very_low |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/sites",
"rel": "self"
},
{
"href": "https://1.1.1.1:3780/api/3/sites/57",
"rel": "Site"
}
],
"id": *****
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/sites",
"rel": "self"
},
{
"href": "https://1.1.1.1:3780/api/3/sites/57",
"rel": "Site"
}
],
"id": *****
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"SiteID": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
links | |
id | *** |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Site failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: A site with that name already exists. |
Error Sample Data | Create Site failed. Status Code: 400. Message: A site with that name already exists. |
Delete Site
Deletes sites of the given site IDs.
READER NOTE
The parameter Site IDs is required to run this command.
Run the List Site command to obtain Site IDs. Site IDs can be found in the returned raw data at the path $[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Site IDs | Required | The IDs of the sites to delete. Site IDs can be obtained using the List Site command. | [*****] |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
[
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/sites/13",
"rel": "self"
}
],
"siteid": *****,
"status": "deleted"
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data from the original Rapid7 InsightVM API response by adding the "siteid" and "status" fields.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"siteid": *****,
"status": "deleted"
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"IDs": "\"[*****]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command's input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
SITEID | STATUS |
---|---|
*** | deleted |
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Site failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication services are not available, please try again. |
Error Sample Data | Delete Site failed. Status Code: 403. Message: Authentication services are not available, please try again. |
Download Report
Returns the contents of a generated report. The report content is usually returned in a GZip compressed format.
READER NOTE
Report ID is a required parameter to run this command.
Run the Create Scan Report command to obtain Report ID. Report ID can be found in the returned key fields.
Input
Input Parameter | Required/Optional | Description | Example |
Report Name | Optional | The name of the report to download. | downloadreporttest1 |
Report ID | Required | The ID of the report to download. Report ID can be obtained using the Create Scan Report command. | *** |
Instance ID | Optional | The ID of the report instance. | latest |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"fileId": "2***",
"fileName": "*****/15/2021_11:02:18_PM.pdf",
"md5": "*****",
"sha1": "*****",
"sha256": "*****"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
{
"fileId": "***",
"fileName": "****8/15/2021_11:02:18_PM.pdf",
"md5": "*****",
"sha1": "****",
"sha256": "*****"
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"reportid": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
FILE NAME | MD5 HASH | SHA1 HASH | SHA256 HASH |
---|---|---|---|
***/15/2021_11:02:18_PM.pdf | 5*****E2F8 | 21*****2C | 7B*****AE |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Download Report failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 500. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Response status code does not indicate success. |
Error Sample Data | Download Report failed. Status Code: 500. Message: Response status code does not indicate success. |
Get Assets
Returns a list of accessible assets.
Input
Input Parameter | Required/Optional | Description | Example |
Limit | Optional | The maximum number of results to return per page. The default value is 10, and the maximum value is 500. | 10 |
Sort | Optional | The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters. | id,asc |
Output
Raw Data
The primary response data from the API request.
D3 customizes the Raw Data by extracting the data at the path $.resources of the JSON returned by the API.
SAMPLE DATA
[
{
"addresses": [
{
"ip": "1.1.1.1",
"mac": "00:0C:00:D0:00:0F"
}
],
"assessedForPolicies": false,
"assessedForVulnerabilities": true,
"history": [
{
"date": "2020-05-01T01:09:59.664Z",
"scanId": 2,
"type": "SCAN",
"version": 1
},
{
"date": "2020-05-26T23:08:41.148Z",
"type": "SCAN",
"version": 2
}
],
"hostName": "***-PC1",
"hostNames": [
{
"name": "***-PC1",
"source": "netbios"
}
],
"id": 1,
"ip": "1.1.1.1",
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/1",
"rel": "self"
}
],
"mac": "00:0C:00:D0:00:0F",
"os": "Microsoft Windows Server 2016 Standard Edition",
"osFingerprint": {
"description": "Microsoft Windows Server 2016 Standard Edition",
"family": "Windows",
"id": 1,
"product": "Windows Server 2016 Standard Edition",
"systemName": "Microsoft Windows",
"type": "General",
"vendor": "Microsoft"
},
"rawRiskScore": 6800.65918,
"riskScore": 6800.65918,
"services": [
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/***",
"rel": "self"
}
],
"name": "DCE Endpoint Resolution",
"port": ******,
"protocol": "tcp"
},
{
"configurations": [
{
"name": "***-name-1",
"value": "*****-PC1 (Computer Name)"
},
{
"name": "***-name-2",
"value": "*****(Domain Name)"
}
],
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/udp/***",
"rel": "self"
}
],
"name": "CIFS Name Service",
"port": *****,
"protocol": "udp"
},
{
"configurations": [
{
"name": "domain",
"value": "*****"
}
],
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/1/services/tcp/*****",
"rel": "self"
}
],
"name": "CIFS",
"port": 139,
"product": "Windows Server 2016 Standard 6.3",
"protocol": "tcp"
},
{
"configurations": [
{
"name": "ssl",
"value": "true"
},
{
"name": "ssl.cert.chainerror",
"value": "[Path does not chain with any of the trust anchors]"
}
],
"name": "HTTP",
"port": *****,
"product": "IIS",
"protocol": "tcp",
"vendor": "Microsoft",
"version": "10.0"
},
{
"configurations": [
{
"name": "domain",
"value": "*****"
}
],
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/4/services/tcp/139",
"rel": "self"
}
],
"name": "*****",
"port": *****,
"product": "Windows Server 2016 Standard 6.3",
"protocol": "tcp"
},
{
"configurations": [
{
"name": "domain",
"value": "*****"
}
],
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/4/services/tcp/445",
"rel": "self"
}
],
"name": "*****",
"port": *****,
"product": "Windows Server 2016 Standard 6.3",
"protocol": "tcp"
}
],
"vulnerabilities": {
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data obtained from the original Rapid7 InsightVM API response by including only the fields "id," "ip," "os," "rawRiskScore," "riskScore," "mac," "critical," "exploits," "malwareKits," "moderate," "severe," and "total."
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"id": 1,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2016 Standard Edition",
"rawRiskScore": 6797.21143,
"riskScore": 6797.21143,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 6,
"severe": 10,
"total": 16
},
{
"id": 2,
"ip": "***.***.***.***",
"os": "Microsoft Windows",
"rawRiskScore": 4940.26562,
"riskScore": 4940.26562,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 5,
"severe": 7,
"total": 12
},
{
"id": 3,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2016 Standard Edition",
"rawRiskScore": 10282.5293,
"riskScore": 10282.5293,
"mac": "****:****:****:***::****",
"critical": 1,
"exploits": 1,
"malwareKits": 0,
"moderate": 7,
"severe": 13,
"total": 21
},
{
"id": 4,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2016 Standard Edition",
"rawRiskScore": 0,
"riskScore": 0,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 5,
"ip": "***.***.***.***",
"os": "VMware ESXi Server 6.7.0 Update 3",
"rawRiskScore": 0,
"riskScore": 0,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 6,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2016 Standard Edition",
"rawRiskScore": 0,
"riskScore": 0,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 7,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2012 R2 Standard Edition",
"rawRiskScore": 11609.458,
"riskScore": 11609.458,
"mac": "****:****:****:***::****",
"critical": 1,
"exploits": 2,
"malwareKits": 0,
"moderate": 10,
"severe": 15,
"total": 26
},
{
"id": 8,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2012 Standard Edition",
"rawRiskScore": 9412.43945,
"riskScore": 9412.43945,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 2,
"malwareKits": 0,
"moderate": 8,
"severe": 13,
"total": 21
},
{
"id": 9,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2012 Standard Edition",
"rawRiskScore": 0,
"riskScore": 0,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 10,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2008 R2",
"rawRiskScore": 0,
"riskScore": 0,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"assetIDs": "\"[1]\"",
"ips": "\"[\\\"1.1.1.1\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | IP | OS | RAWRISKSCORE | RISKSCORE | MAC | CRITICAL | EXPLOITS | MALWAREKITS | MODERATE | SEVERE | TOTAL |
---|---|---|---|---|---|---|---|---|---|---|---|
1 | 1.1.1.1 | Microsoft Windows Server 2016 Standard Edition | 6797.78711 | 6797.78711 | 00:0C:00:D0:00:0F | 0 | 1 | 0 | 6 | 10 | 16 |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Assets failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data | Get Assets failed. Status Code: 400. Message: The supplied credentials are invalid. |
Get Asset Vulnerability
Retrieves all vulnerability findings on the given assets.
READER NOTE
Asset ID List is a required parameter to run this command.
Run the Get Assets or Search Asset command to obtain an Asset ID List. Asset IDs can be found in the raw data returned by either command at the path $[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Asset ID List | Required | The IDs of the assets for which to retrieve vulnerability findings. The Asset ID List can be obtained using the Get Assets or Search Asset command. | ["8","9"] |
Output
Raw Data
The primary response data from the API request.
D3 enriches the Raw Data from the original Rapid7 InsightVM API response by adding the "assetid" field.
SAMPLE DATA
[
{
"assetid": "8",
"resources": [
{
"id": "*****-common-name-mismatch",
"instances": 1,
"links": [
{
"href": "https://1.1.1.1:3780/api/3/assets/8/vulnerabilities/certificate-common-name-mismatch",
"rel": "self"
}
],
"results": [
{
"port": *****,
"proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:Subject CN *.d3securityonline.net does not match target name specified in the site.Subject CN *.d3securityonline.net could not be resolved to an IP address via DNS lookupSubject Alternative Name *.d3securityonline.net does not match target name specified in the site.Subject Alternative Name d3securityonline.net does not match target name specified in the site.",
"protocol": "tcp",
"since": "2020-05-26T23:07:00.947Z",
"status": "vulnerable"
}
],
"since": "2020-05-26T23:07:00.947Z",
"status": "vulnerable"
}
]
},
{
"assetid": "***",
"resources": []
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting each asset's findings from the path $.resources in the API returned JSON; the added "assetid" field is carried into each finding.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"assetid": *****,
"id": "certificate-common-name-mismatch",
"instances": 1,
"results": [
{
"port": *****,
"proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:Subject CN *.d3securityonline.net does not match target name specified in the site.Subject CN *.d3securityonline.net could not be resolved to an IP address via DNS lookupSubject Alternative Name *.d3securityonline.net does not match target name specified in the site.Subject Alternative Name d3securityonline.net does not match target name specified in the site.",
"protocol": "tcp",
"since": "2020-05-26T23:07:00.947Z",
"status": "vulnerable"
}
],
"since": "2020-05-26T23:07:00.947Z",
"status": "vulnerable"
}
]
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ASSETID | ID | INSTANCES | RESULTS | SINCE | STATUS |
---|---|---|---|---|---|
*** | certificate-common-name-mismatch | 1 | [ The subject common name found in the X.509 certificate does not seem to match the scan target: ", | 5/26/2020 11:07:00 PM | vulnerable |
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Asset Vulnerability failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The resource does not exist or access is prohibited. |
Error Sample Data Get Asset Vulnerability failed. Status Code: 404. Message: The resource does not exist or access is prohibited. |
Get Asset Vulnerability By IPs
Retrieves all vulnerability findings on the given assets, by IP addresses.
Input
Input Parameter | Required/Optional | Description | Example |
IPs | Required | The IP addresses of the assets to retrieve vulnerability findings. | ["1.1.1.1"] |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
[
{
"ip": "***.***.***.***",
"assetid": ***,
"resources": [
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/certificate-common-name-mismatch",
"rel": "self"
}
],
"results": [
{
"port": 443,
"proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:Subject CN localhost.localdomain does not match target name specified in the site.Subject CN localhost.localdomain could not be resolved to an IP address via DNS lookup",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/generic-icmp-timestamp",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"proof": "Able to determine remote system time.",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/generic-tcp-timestamp",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"proof": "Able to determine system boot time.",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/http-options-method-enabled",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 443,
"proof": "OPTIONS method returned values including itself",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/ssh-cbc-ciphers",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 22,
"proof": "Running SSH serviceInsecure CBC ciphers in use: aes128-cbc,aes256-cbc,aes192-cbc",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable-version"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/ssh-weak-kex-algorithms",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 22,
"proof": "Running SSH serviceInsecure key exchange algorithms in use: diffie-hellman-group-exchange-sha1",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable-version"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
]
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"ip": "***.***.***.***",
"assetid": ***,
"resources": [
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/certificate-common-name-mismatch",
"rel": "self"
}
],
"results": [
{
"port": 443,
"proof": "The subject common name found in the X.509 certificate does not seem to match the scan target:Subject CN localhost.localdomain does not match target name specified in the site.Subject CN localhost.localdomain could not be resolved to an IP address via DNS lookup",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/generic-icmp-timestamp",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-icmp-timestamp/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"proof": "Able to determine remote system time.",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/generic-tcp-timestamp",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/generic-tcp-timestamp/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"proof": "Able to determine system boot time.",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/http-options-method-enabled",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/http-options-method-enabled/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 443,
"proof": "OPTIONS method returned values including itself",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/ssh-cbc-ciphers",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-cbc-ciphers/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 22,
"proof": "Running SSH serviceInsecure CBC ciphers in use: aes128-cbc,aes256-cbc,aes192-cbc",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable-version"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
},
{
"id": "***************************************",
"instances": 1,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms",
"rel": "self"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/vulnerabilities/ssh-weak-kex-algorithms",
"rel": "Vulnerability"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms/validations",
"rel": "Vulnerability Validations"
},
{
"id": "***************************************",
"href": "https://***.***.***.***:3780/api/3/assets/36/vulnerabilities/ssh-weak-kex-algorithms/solution",
"rel": "Vulnerability Solutions"
}
],
"results": [
{
"port": 22,
"proof": "Running SSH serviceInsecure key exchange algorithms in use: diffie-hellman-group-exchange-sha1",
"protocol": "tcp",
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable-version"
}
],
"since": "2020-09-04T01:20:40.822Z",
"status": "vulnerable"
}
]
}
]
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
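The two commands above (Get Asset Vulnerability and Get Asset Vulnerability By IPs) and the Return Data rules they follow can be traced end to end in code. The following is an added example, not part of the D3 integration or of Rapid7's software. It assumes the InsightVM API v3 endpoints visible in the sample links (GET /api/3/assets/{id}/vulnerabilities) plus POST /api/3/assets/search with an "ip-address" filter, which is how the By IPs variant has to resolve an address to an asset ID; the console responses are constructed in-line so the code runs offline, and the HTTP transport is an injected function so a real one (for instance requests with HTTP basic auth and a pinned CA bundle) can be swapped in. It generalizes the page slightly: the three-state Successful / Partially Successful / Failed rule is applied to both commands, whereas the page documents only Successful or Failed for the By IPs command.

```python
import json

# Constructed canned responses standing in for an InsightVM console.
# Keys are (HTTP method, path); values are (HTTP status, decoded JSON body).
ASSETS_BY_IP = {"10.0.0.5": 36}  # constructed inventory used by the search endpoint
CANNED = {
    ("GET", "/api/3/assets/36/vulnerabilities?page=0&size=100"): (200, {
        "resources": [
            {"id": "certificate-common-name-mismatch", "instances": 1, "status": "vulnerable",
             "results": [{"port": 443, "protocol": "tcp", "status": "vulnerable"}]},
            {"id": "ssh-cbc-ciphers", "instances": 1, "status": "vulnerable",
             "results": [{"port": 22, "protocol": "tcp", "status": "vulnerable-version"}]},
        ],
        "page": {"number": 0, "size": 100, "totalResources": 2, "totalPages": 1}}),
    ("GET", "/api/3/assets/8/vulnerabilities?page=0&size=100"): (200, {
        "resources": [{"id": "generic-icmp-timestamp", "instances": 1, "status": "vulnerable",
                       "results": [{"status": "vulnerable"}]}],
        "page": {"number": 0, "size": 100, "totalResources": 1, "totalPages": 1}}),
}
NOT_FOUND = (404, {"status": "404", "message": "The resource does not exist or access is prohibited."})


def fake_fetch(method, path, body=None):
    """Stand-in transport. A real one would call the console over TLS with basic auth
    and return (response.status_code, response.json())."""
    if (method, path) == ("POST", "/api/3/assets/search"):
        ip = body["filters"][0]["value"]
        hits = [{"id": ASSETS_BY_IP[ip], "ip": ip}] if ip in ASSETS_BY_IP else []
        return 200, {"resources": hits, "page": {"number": 0, "size": 10, "totalPages": 1}}
    return CANNED.get((method, path), NOT_FOUND)


def return_state(ok, failed):
    """D3 Return Data semantics for array inputs: any per-item error makes the run
    Partially Successful; it is Failed only when nothing succeeded."""
    if failed == 0:
        return "Successful"
    return "Failed" if ok == 0 else "Partially Successful"


def get_asset_vulnerabilities(fetch, asset_ids, page_size=100):
    """Get Asset Vulnerability: one paged GET per asset. Findings come back under an
    added 'assetid' key; a failing asset is recorded instead of aborting the command."""
    results, errors = [], []
    for asset_id in asset_ids:
        findings, page, failed = [], 0, None
        while True:
            status, data = fetch("GET", f"/api/3/assets/{asset_id}/vulnerabilities?page={page}&size={page_size}")
            if status != 200:
                failed = {"assetid": str(asset_id), "status_code": status, "message": data.get("message", "")}
                break
            findings.extend(data.get("resources", []))
            page += 1
            if page >= data.get("page", {}).get("totalPages", 1):
                break
        if failed:
            errors.append(failed)
        else:
            results.append({"assetid": str(asset_id), "resources": findings})
    return return_state(len(results), len(errors)), results, errors


def search_assets_by_ip(fetch, ips):
    """Resolve IPs to asset IDs with POST /api/3/assets/search (assumed filter field)."""
    found = {}
    for ip in ips:
        body = {"match": "all", "filters": [{"field": "ip-address", "operator": "is", "value": ip}]}
        status, data = fetch("POST", "/api/3/assets/search", body)
        if status != 200:
            raise RuntimeError(f"asset search failed for {ip}: HTTP {status} {data.get('message', '')}")
        found[ip] = [asset["id"] for asset in data.get("resources", [])]
    return found


def get_asset_vulnerability_by_ips(fetch, ips):
    """Get Asset Vulnerability By IPs: search, then the per-asset fetch above. An IP that
    matches no asset is surfaced as an error rather than silently dropped."""
    results, errors, ok = [], [], 0
    for ip, asset_ids in search_assets_by_ip(fetch, ips).items():
        if not asset_ids:
            errors.append({"ip": ip, "status_code": 404, "message": "no asset with this IP address"})
            continue
        _, per_asset, per_errors = get_asset_vulnerabilities(fetch, asset_ids)
        results.extend({"ip": ip, **entry} for entry in per_asset)
        errors.extend({"ip": ip, **err} for err in per_errors)
        ok += len(per_asset)
    return return_state(ok, len(errors)), results, errors


if __name__ == "__main__":
    print(json.dumps(get_asset_vulnerability_by_ips(fake_fetch, ["10.0.0.5", "10.0.0.99"]), indent=2))
```

Treat a silent empty result with suspicion: a 200 with no resources can mean the account lacks View Site Asset Data on that site rather than a clean asset, which is why the example keeps the per-asset error list separate from the findings instead of collapsing both into one array.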
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
IP | ASSETID | ID | INSTANCES | RESULTS | SINCE | STATUS |
---|---|---|---|---|---|---|
1.1.1.1 | *** | ***e-***-name-mismatch | 1 | [ The subject common name found in the X.509 certificate does not seem to match the scan target: ", | 9/4/2020 1:20:40 AM | vulnerable |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Asset Vulnerability By IPs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Get Asset Vulnerability By IPs failed. Status Code: 400. Message: The supplied credentials are invalid. |
Get Report Status
Returns the details for a generation of a report.
READER NOTE
Report ID is a required parameter to run this command.
Run the Create Scan Report command to obtain Report ID. Report ID can be found in the returned key fields.
Input
Input Parameter | Required/Optional | Description | Example |
Report ID | Required | The ID of the report to retrieve generation details. Report ID can be obtained using the Create Scan Report command. | 2*** |
Instance ID | Optional | The ID of the report instance (a single generation of the report). Use latest to retrieve the most recent generation. | latest |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"generated": "2020-07-22T22:36:05.815Z",
"id": 21,
"links": [
{
"href": "https://1.1.1.1:3780/api/***/reports/***/history/latest",
"rel": "self"
},
{
"href": "https://1.2.3.4:3780/api/***/reports/***/history/latest/output",
"rel": "Download"
}
],
"size": {
"bytes": 459901,
"formatted": "449.1 KB"
},
"status": "complete",
"uri": "https://1.1.1.1:3780/reports/***/***/Document.pdf"
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting only the "id" and "status" fields from the original Rapid7 InsightVM API response.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
{
"id": 2***,
"status": "complete"
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
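Report generation is asynchronous, so in a playbook Get Report Status is normally called in a loop after Create Scan Report and before Download Report. The following is an added example of that loop, not code from the D3 integration or from Rapid7. It assumes the endpoint shown in the sample's self link (GET /api/3/reports/{id}/history/{instance}), treats "complete" as success and "failed" / "aborted" as terminal failures (an assumption about the console's status values; anything else is treated as still running), and uses a constructed console stand-in plus an injected sleep so it runs offline.

```python
import time

TERMINAL_FAILURES = {"failed", "aborted"}  # assumed terminal states; anything else keeps polling


class FakeReportConsole:
    """Constructed stand-in: report 21 answers 'running' twice and then 'complete',
    report 22 has failed, any other ID is unknown (404)."""

    def __init__(self):
        self.calls = 0

    def fetch(self, method, path, body=None):
        if path == "/api/3/reports/21/history/latest":
            self.calls += 1
            done = self.calls >= 3
            instance = {"id": 21, "status": "complete" if done else "running", "links": [
                {"href": "https://console.example:3780/api/3/reports/21/history/latest", "rel": "self"},
                {"href": "https://console.example:3780/api/3/reports/21/history/latest/output", "rel": "Download"}]}
            if done:
                instance["generated"] = "2020-07-22T22:36:05.815Z"
                instance["size"] = {"bytes": 459901, "formatted": "449.1 KB"}
            return 200, instance
        if path == "/api/3/reports/22/history/latest":
            return 200, {"id": 22, "status": "failed", "links": []}
        return 404, {"status": "404", "message": "The specified report does not exist."}


def get_report_status(fetch, report_id, instance="latest"):
    """Get Report Status: returns (http_status, body) so callers can tell a missing
    report (404) apart from a transport or permission problem."""
    return fetch("GET", f"/api/3/reports/{report_id}/history/{instance}")


def wait_for_report(fetch, report_id, instance="latest", poll_seconds=15, max_polls=40, sleep=time.sleep):
    """Poll until generation is terminal. On 'complete' returns the Download link and
    size for the next command; raises on failure, unknown report, or timeout."""
    state = None
    for attempt in range(1, max_polls + 1):
        code, body = get_report_status(fetch, report_id, instance)
        if code == 404:
            raise LookupError(f"report {report_id}: {body.get('message', 'not found')}")
        if code != 200:
            raise RuntimeError(f"report {report_id}: HTTP {code} {body.get('message', '')}")
        state = body.get("status")
        if state == "complete":
            download = next((l["href"] for l in body.get("links", []) if l.get("rel") == "Download"), None)
            return {"id": body.get("id"), "status": state, "polls": attempt,
                    "bytes": body.get("size", {}).get("bytes"), "download": download}
        if state in TERMINAL_FAILURES:
            raise RuntimeError(f"report {report_id} generation ended with status {state!r}")
        sleep(poll_seconds)
    raise TimeoutError(f"report {report_id} still {state!r} after {max_polls} polls")


if __name__ == "__main__":
    print(wait_for_report(FakeReportConsole().fetch, 21, sleep=lambda s: None))
```

The bounded poll count matters in a playbook: an unbounded loop against a report that the console will never finish (a deleted site, a stalled engine) ties up a task indefinitely, and a timeout that surfaces the last observed status is far easier to triage than a hung task.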
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | STATUS |
---|---|
2*** | complete |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Report Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The specified scan with identifier '1000' in the 'scans' scope does not exist. |
Error Sample Data Get Report Status failed. Status Code: 404. Message: The specified scan with identifier '1000' in the 'scans' scope does not exist. |
Get Scans
Returns all accessible scans.
READER NOTE
If insufficient permissions have been granted, the command will run successfully with no results.
Input
Input Parameter | Required/Optional | Description | Example |
Limit | Optional | The maximum number of results to return per page. The default value is 10, and the maximum value is 100. | 2 |
Sort | Optional | The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters. | id,asc |
Active | Optional | The option to only return actively running scans, when set to True. If set to False, only past scans will be returned. The default value is True. | False |
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"resources": [
{
"assets": 0,
"duration": "PT1M53.073S",
"endTime": "2021-08-20T18:13:17.612Z",
"engineId": 3,
"engineName": "Local scan engine",
"id": 37,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scans/37",
"rel": "self"
},
{
"id": 3,
"href": "https://***.***.***.***:3780/api/3/scan_engines/3",
"rel": "Scan Engine"
},
{
"href": "https://***.***.***.***:3780/api/3/sites/3",
"rel": "Site"
}
],
"scanName": "API Scan - 2021-08-20T18:11:24Z",
"scanType": "Manual",
"siteId": 3,
"siteName": "TestSite",
"startTime": "2021-08-20T18:11:24.539Z",
"startedByUsername": "N/A",
"status": "finished",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
},
{
"assets": 0,
"duration": "PT1M21.39S",
"endTime": "2021-08-20T18:15:31.341Z",
"engineId": 3,
"engineName": "Local scan engine",
"id": 38,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scans/38",
"rel": "self"
},
{
"id": 3,
"href": "https://***.***.***.***:3780/api/3/scan_engines/3",
"rel": "Scan Engine"
},
{
"href": "https://***.***.***.***:3780/api/3/sites/3",
"rel": "Site"
}
],
"scanName": "API Scan - 2021-08-20T18:14:09Z",
"scanType": "Manual",
"siteId": 3,
"siteName": "TestSite",
"startTime": "2021-08-20T18:14:09.951Z",
"startedByUsername": "N/A",
"status": "finished",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
}
],
"page": {
"number": 0,
"size": 2,
"totalResources": 42,
"totalPages": 21
},
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scans?active=false&page=0&size=2&sort=id,asc",
"rel": "first"
},
{
"href": "https://***.***.***.***:3780/api/3/scans?active=false&page=0&size=2&sort=id,asc",
"rel": "self"
},
{
"href": "https://***.***.***.***:3780/api/3/scans?active=false&page=1&size=2&sort=id,asc",
"rel": "next"
},
{
"href": "https://***.***.***.***:3780/api/3/scans?active=false&page=20&size=2&sort=id,asc",
"rel": "last"
}
]
}
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.resources in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"assets": 0,
"duration": "PT1M53.073S",
"endTime": "2021-08-20T18:13:17.612Z",
"engineId": 3,
"engineName": "Local scan engine",
"id": 37,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scans/37",
"rel": "self"
},
{
"id": 3,
"href": "https://***.***.***.***:3780/api/3/scan_engines/3",
"rel": "Scan Engine"
},
{
"href": "https://***.***.***.***:3780/api/3/sites/3",
"rel": "Site"
}
],
"scanName": "API Scan - 2021-08-20T18:11:24Z",
"scanType": "Manual",
"siteId": 3,
"siteName": "TestSite",
"startTime": "2021-08-20T18:11:24.539Z",
"startedByUsername": "N/A",
"status": "finished",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
},
{
"assets": 0,
"duration": "PT1M21.39S",
"endTime": "2021-08-20T18:15:31.341Z",
"engineId": 3,
"engineName": "Local scan engine",
"id": 38,
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scans/38",
"rel": "self"
},
{
"id": 3,
"href": "https://***.***.***.***:3780/api/3/scan_engines/3",
"rel": "Scan Engine"
},
{
"href": "https://***.***.***.***:3780/api/3/sites/3",
"rel": "Site"
}
],
"scanName": "API Scan - 2021-08-20T18:14:09Z",
"scanType": "Manual",
"siteId": 3,
"siteName": "TestSite",
"startTime": "2021-08-20T18:14:09.951Z",
"startedByUsername": "N/A",
"status": "finished",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"AssetIDs": "\"[0,0]\"",
"Criticals": "\"[0,0]\"",
"Moderates": "\"[0,0]\"",
"Severes": "\"[]\"",
"Totals": "\"[0,0]\"",
"ScanIDs": "\"[***,***]\"",
"ScanNames": "\"[\\\"API Scan - 2021-08-20T18:11:24Z\\\",\\\"API Scan - 2021-08-20T18:14:09Z\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
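The Limit parameter caps one page, and the sample raw data shows how the console reports the rest (page.totalPages plus first/next/last links), so collecting every scan means walking pages in the same order the console's own links use. The following is an added example, not code from the D3 integration or from Rapid7: a page walker for GET /api/3/scans that mirrors the query string in the sample links, followed by a flattening of the scans into the parallel arrays the Key Fields tab exposes. Scan records and page bodies are constructed in-line, and the transport is an injected function, so it runs offline.

```python
def _scan(scan_id, start, critical=0, severe=0, moderate=0):
    """Constructed scan record with the fields the page's sample shows."""
    return {"id": scan_id, "siteId": 3, "siteName": "TestSite", "scanType": "Manual",
            "status": "finished", "engineId": 3, "engineName": "Local scan engine",
            "assets": 1 if critical + severe + moderate else 0,
            "scanName": f"API Scan - {start}", "startTime": start, "startedByUsername": "N/A",
            "vulnerabilities": {"critical": critical, "severe": severe, "moderate": moderate,
                                "total": critical + severe + moderate}}


# Constructed console pages: three finished scans served two per page.
PAGES = {
    "/api/3/scans?active=false&page=0&size=2&sort=id,asc": {
        "resources": [_scan(37, "2021-08-20T18:11:24Z"), _scan(38, "2021-08-20T18:14:09Z")],
        "page": {"number": 0, "size": 2, "totalResources": 3, "totalPages": 2}},
    "/api/3/scans?active=false&page=1&size=2&sort=id,asc": {
        "resources": [_scan(39, "2021-08-21T09:00:00Z", critical=2, severe=3)],
        "page": {"number": 1, "size": 2, "totalResources": 3, "totalPages": 2}},
}


def fake_fetch(method, path, body=None):
    """Stand-in transport; a real one would authenticate to the console over TLS."""
    if method == "GET" and path in PAGES:
        return 200, PAGES[path]
    return 404, {"status": "404", "message": "The resource does not exist or access is prohibited."}


def iter_pages(fetch, path, size=100, sort="id,asc", **filters):
    """Walk a paged InsightVM collection, yielding each resource. The query keys are
    emitted in the same order as the console's own first/next/last links."""
    page = 0
    while True:
        params = [*sorted(filters.items()), ("page", page), ("size", size), ("sort", sort)]
        query = "&".join(f"{key}={value}" for key, value in params)
        code, body = fetch("GET", f"{path}?{query}")
        if code != 200:
            raise RuntimeError(f"GET {path} page {page}: HTTP {code} {body.get('message', '')}")
        yield from body.get("resources", [])
        page += 1
        if page >= body.get("page", {}).get("totalPages", 1):
            return


def get_scans(fetch, active=False, size=100, sort="id,asc"):
    """Get Scans with active=false (past scans) or active=true (running scans)."""
    return list(iter_pages(fetch, "/api/3/scans", size=size, sort=sort, active=str(active).lower()))


def key_fields(scans):
    """Flatten scan records into parallel arrays, the shape D3 exposes as Key Fields."""
    def sev(scan, level):
        return scan.get("vulnerabilities", {}).get(level, 0)
    return {
        "ScanIDs": [s["id"] for s in scans],
        "ScanNames": [s.get("scanName") for s in scans],
        "SiteIDs": [s.get("siteId") for s in scans],
        "Assets": [s.get("assets", 0) for s in scans],
        "Criticals": [sev(s, "critical") for s in scans],
        "Severes": [sev(s, "severe") for s in scans],
        "Moderates": [sev(s, "moderate") for s in scans],
        "Totals": [sev(s, "total") for s in scans],
    }


def scans_needing_triage(scans, min_critical=1):
    """IDs of finished scans that found at least min_critical critical vulnerabilities,
    a typical condition for branching a playbook."""
    return [s["id"] for s in scans
            if s.get("status") == "finished" and s["vulnerabilities"].get("critical", 0) >= min_critical]


if __name__ == "__main__":
    scans = get_scans(fake_fetch, active=False, size=2)
    print(key_fields(scans))
    print("triage:", scans_needing_triage(scans))
```

Remember the reader note above: with insufficient site permissions the console still returns 200 with an empty resources array, so an empty result from this walker is not proof that no scans exist.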
SAMPLE DATA
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ASSETS | DURATION | ENDTIME | ENGINEID | ENGINENAME | ID | LINKS | SCANNAME | SCANTYPE | SITEID | SITENAME | STARTTIME | STARTEDBYUSERNAME | STATUS | VULNERABILITIES |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | PT1M53.073S | 8/20/2021 6:13:17 PM | *** | Local scan engine | *** | [ | API Scan - 2021-08-20T18:11:24Z | Manual | *** | TestSite | 8/20/2021 6:11:24 PM | N/A | finished | { |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Scans failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Get Scans failed. Status Code: 400. Message: The supplied credentials are invalid. |
List Report Templates
Returns all available report templates.
Input
N/A
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
{
"resources": [
{
"builtin": true,
"description": "Provides comprehensive details about discovered assets, vulnerabilities, and users.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/audit-report",
"rel": "self"
}
],
"name": "Audit Report",
"sections": [
"CoverPage",
"ExecutiveSummary",
"ScanSettings",
"SystemOverview",
"VulnerabilityDetailListing",
"ServiceListing",
"UserGroupListing",
"DatabaseListing",
"FileSystemListing",
"PolicyEvaluation",
"SpideredWebsite"
],
"type": "document"
},
{
"builtin": true,
"description": "Compares current scan results to those of an earlier baseline scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/baseline-comparison",
"rel": "self"
}
],
"name": "Baseline Comparison",
"sections": [
"CoverPage",
"ExecutiveSummary",
"BaselineComparison"
],
"type": "document"
},
{
"builtin": true,
"description": "Includes a basic set of data fields for vulnerability check results in CSV format.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/basic-vulnerability-check-results",
"rel": "self"
}
],
"name": "Basic Vulnerability Check Results (CSV)",
"type": "export"
},
{
"builtin": true,
"description": "Provides a high-level view of security data, including general results information and statistical charts.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/executive-overview",
"rel": "self"
}
],
"name": "Executive Overview",
"sections": [
"CoverPage",
"ExecutiveSummary",
"BaselineComparison"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides information and metrics about 10 discovered vulnerabilities with the highest risk scores.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/highest-risk-vulns",
"rel": "self"
}
],
"name": "Highest Risk Vulnerabilities",
"sections": [
"CoverPage",
"TOC",
"HighestRiskVulnerabilities"
],
"type": "document"
},
{
"builtin": true,
"description": "Serves as a cover sheet for the completed set of PCI-mandated reports.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-attestation-v12",
"rel": "self"
}
],
"name": "PCI Attestation of Scan Compliance",
"sections": [
"PCIAttestationReportV12"
],
"type": "document"
},
{
"builtin": true,
"description": "PCI-mandated compliance summary with overview of Pass/Fail results, statistical charts, and vulnerability metrics.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-executive-summary-v12",
"rel": "self"
}
],
"name": "PCI Executive Summary",
"sections": [
"CoverPage",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIComponentComplianceSummaryV12",
"PCIVulnerabilitiesNotedV12",
"PCISpecialNotesV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides detailed, sorted scan information about each asset discovered in a PCI scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-host-details-v12",
"rel": "self"
}
],
"name": "PCI Host Details",
"sections": [
"CoverPage",
"TOC",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIHostDetailsV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides a PCI-mandated listing of details, metrics, and Pass/Fail score for every vulnerability discovered in a PCI scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-vuln-details-v12",
"rel": "self"
}
],
"name": "PCI Vulnerability Details",
"sections": [
"CoverPage",
"TOC",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIVulnerabilityIndexV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Shows detailed results for each policy rule scanned on an asset, including the percentage of policy rules that assets comply with and test results for each rule.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-details",
"rel": "self"
}
],
"name": "Policy Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists results for standard policy scans (AS/400, Oracle, Domino, Windows Group, CIFS/SMB account). Does not include Policy Manager results.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-eval",
"rel": "self"
}
],
"name": "Policy Evaluation",
"sections": [
"CoverPage",
"PolicyEvaluation"
],
"type": "document"
},
{
"builtin": true,
"description": "Shows results for each tested policy, including the numbers and percentages of compliant assets, and the percentage of policy rules that assets comply with.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-summary",
"rel": "self"
}
],
"name": "Policy Compliance Status",
"type": "file"
},
{
"builtin": true,
"description": "Lists top remediations as prioritized by vulnerability-related criteria that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/prioritized-remediations",
"rel": "self"
}
],
"name": "Top Remediations",
"type": "file"
},
{
"builtin": true,
"description": "Lists top remediations as prioritized by vulnerability-related criteria that you select. Also provides steps for each remediation and lists each affected asset.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/prioritized-remediations-with-details",
"rel": "self"
}
],
"name": "Top Remediations with Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists information about new assets discovered within a specific time period. This allows you to track changes to your network environment over time.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/r7-discovered-assets",
"rel": "self"
}
],
"name": "Newly Discovered Assets",
"type": "file"
},
{
"builtin": true,
"description": "Shows vulnerability exception activity during a specified time frame.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/r7-vulnerability-exceptions",
"rel": "self"
}
],
"name": "Vulnerability Exception Activity",
"type": "file"
},
{
"builtin": true,
"description": "Provides detailed remediation instructions for each discovered vulnerability.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/remediation-plan",
"rel": "self"
}
],
"name": "Remediation Plan",
"sections": [
"CoverPage",
"SystemOverview",
"RiskAssessment",
"RemediationPlan"
],
"type": "document"
},
{
"builtin": true,
"description": "Lists test results for each discovered vulnerability, including how it was verified.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/report-card",
"rel": "self"
}
],
"name": "Report Card",
"sections": [
"CoverPage",
"VulnerabilityReportCardByNode",
"VulnerabilityIndex"
],
"type": "document"
},
{
"builtin": true,
"description": "Grades sets of assets based on risk and provides data and statistics for determining risk factors.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/risk-scorecard",
"rel": "self"
}
],
"name": "Risk Scorecard",
"type": "file"
},
{
"builtin": true,
"description": "Shows results for each asset against the selected policies' rules, including the percentage of policy rules that assets comply with.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/rule-breakdown-summary",
"rel": "self"
}
],
"name": "Policy Rule Breakdown Summary",
"type": "file"
},
{
"builtin": true,
"description": "Lists top policy compliance remediations as prioritized by policies that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-policy-remediations",
"rel": "self"
}
],
"name": "Top Policy Remediations",
"type": "file"
},
{
"builtin": true,
"description": "Lists top policy compliance remediations as prioritized by policies that you select. Also provides steps for each remediation and lists each affected asset.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-policy-remediations-with-details",
"rel": "self"
}
],
"name": "Top Policy Remediations with Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists risk scores, total vulnerabilities, and malware and exploit exposures for 10 assets with the highest risk scores.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-riskiest-assets",
"rel": "self"
}
],
"name": "Top 10 Assets by Vulnerability Risk",
"type": "file"
},
{
"builtin": true,
"description": "Lists total vulnerabilities and malware and exploit exposures for 10 assets with the most vulnerabilities.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-vulnerable-assets",
"rel": "self"
}
],
"name": "Top 10 Assets by Vulnerabilities",
"type": "file"
},
{
"builtin": true,
"description": "Tracks trends for vulnerabilities found, assets scanned, malware kit and exploit exposures, severity levels, and vulnerability age over a date range that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/vulnerability-trends",
"rel": "self"
}
],
"name": "Vulnerability Trends",
"type": "file"
}
],
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates",
"rel": "self"
}
]
}
The data extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data at the path $.resources in the JSON returned by the API.
It is recommended to refer to Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"builtin": true,
"description": "Provides comprehensive details about discovered assets, vulnerabilities, and users.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/audit-report",
"rel": "self"
}
],
"name": "Audit Report",
"sections": [
"CoverPage",
"ExecutiveSummary",
"ScanSettings",
"SystemOverview",
"VulnerabilityDetailListing",
"ServiceListing",
"UserGroupListing",
"DatabaseListing",
"FileSystemListing",
"PolicyEvaluation",
"SpideredWebsite"
],
"type": "document"
},
{
"builtin": true,
"description": "Compares current scan results to those of an earlier baseline scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/baseline-comparison",
"rel": "self"
}
],
"name": "Baseline Comparison",
"sections": [
"CoverPage",
"ExecutiveSummary",
"BaselineComparison"
],
"type": "document"
},
{
"builtin": true,
"description": "Includes a basic set of data fields for vulnerability check results in CSV format.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/basic-vulnerability-check-results",
"rel": "self"
}
],
"name": "Basic Vulnerability Check Results (CSV)",
"type": "export"
},
{
"builtin": true,
"description": "Provides a high-level view of security data, including general results information and statistical charts.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/executive-overview",
"rel": "self"
}
],
"name": "Executive Overview",
"sections": [
"CoverPage",
"ExecutiveSummary",
"BaselineComparison"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides information and metrics about 10 discovered vulnerabilities with the highest risk scores.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/highest-risk-vulns",
"rel": "self"
}
],
"name": "Highest Risk Vulnerabilities",
"sections": [
"CoverPage",
"TOC",
"HighestRiskVulnerabilities"
],
"type": "document"
},
{
"builtin": true,
"description": "Serves as a cover sheet for the completed set of PCI-mandated reports.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-attestation-v12",
"rel": "self"
}
],
"name": "PCI Attestation of Scan Compliance",
"sections": [
"PCIAttestationReportV12"
],
"type": "document"
},
{
"builtin": true,
"description": "PCI-mandated compliance summary with overview of Pass/Fail results, statistical charts, and vulnerability metrics.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-executive-summary-v12",
"rel": "self"
}
],
"name": "PCI Executive Summary",
"sections": [
"CoverPage",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIComponentComplianceSummaryV12",
"PCIVulnerabilitiesNotedV12",
"PCISpecialNotesV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides detailed, sorted scan information about each asset discovered in a PCI scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-host-details-v12",
"rel": "self"
}
],
"name": "PCI Host Details",
"sections": [
"CoverPage",
"TOC",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIHostDetailsV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Provides a PCI-mandated listing of details, metrics, and Pass/Fail score for every vulnerability discovered in a PCI scan.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/pci-vuln-details-v12",
"rel": "self"
}
],
"name": "PCI Vulnerability Details",
"sections": [
"CoverPage",
"TOC",
"PCIScanInformationV12",
"PCIAssetVulnerabilitiesComplianceOverviewV12",
"PCIVulnerabilityIndexV12"
],
"type": "document"
},
{
"builtin": true,
"description": "Shows detailed results for each policy rule scanned on an asset, including the percentage of policy rules that assets comply with and test results for each rule.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-details",
"rel": "self"
}
],
"name": "Policy Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists results for standard policy scans (AS/400, Oracle, Domino, Windows Group, CIFS/SMB account). Does not include Policy Manager results.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-eval",
"rel": "self"
}
],
"name": "Policy Evaluation",
"sections": [
"CoverPage",
"PolicyEvaluation"
],
"type": "document"
},
{
"builtin": true,
"description": "Shows results for each tested policy, including the numbers and percentages of compliant assets, and the percentage of policy rules that assets comply with.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/policy-summary",
"rel": "self"
}
],
"name": "Policy Compliance Status",
"type": "file"
},
{
"builtin": true,
"description": "Lists top remediations as prioritized by vulnerability-related criteria that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/prioritized-remediations",
"rel": "self"
}
],
"name": "Top Remediations",
"type": "file"
},
{
"builtin": true,
"description": "Lists top remediations as prioritized by vulnerability-related criteria that you select. Also provides steps for each remediation and lists each affected asset.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/prioritized-remediations-with-details",
"rel": "self"
}
],
"name": "Top Remediations with Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists information about new assets discovered within a specific time period. This allows you to track changes to your network environment over time.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/r7-discovered-assets",
"rel": "self"
}
],
"name": "Newly Discovered Assets",
"type": "file"
},
{
"builtin": true,
"description": "Shows vulnerability exception activity during a specified time frame.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/r7-vulnerability-exceptions",
"rel": "self"
}
],
"name": "Vulnerability Exception Activity",
"type": "file"
},
{
"builtin": true,
"description": "Provides detailed remediation instructions for each discovered vulnerability.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/remediation-plan",
"rel": "self"
}
],
"name": "Remediation Plan",
"sections": [
"CoverPage",
"SystemOverview",
"RiskAssessment",
"RemediationPlan"
],
"type": "document"
},
{
"builtin": true,
"description": "Lists test results for each discovered vulnerability, including how it was verified.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/report-card",
"rel": "self"
}
],
"name": "Report Card",
"sections": [
"CoverPage",
"VulnerabilityReportCardByNode",
"VulnerabilityIndex"
],
"type": "document"
},
{
"builtin": true,
"description": "Grades sets of assets based on risk and provides data and statistics for determining risk factors.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/risk-scorecard",
"rel": "self"
}
],
"name": "Risk Scorecard",
"type": "file"
},
{
"builtin": true,
"description": "Shows results for each asset against the selected policies' rules, including the percentage of policy rules that assets comply with.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/rule-breakdown-summary",
"rel": "self"
}
],
"name": "Policy Rule Breakdown Summary",
"type": "file"
},
{
"builtin": true,
"description": "Lists top policy compliance remediations as prioritized by policies that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-policy-remediations",
"rel": "self"
}
],
"name": "Top Policy Remediations",
"type": "file"
},
{
"builtin": true,
"description": "Lists top policy compliance remediations as prioritized by policies that you select. Also provides steps for each remediation and lists each affected asset.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-policy-remediations-with-details",
"rel": "self"
}
],
"name": "Top Policy Remediations with Details",
"type": "file"
},
{
"builtin": true,
"description": "Lists risk scores, total vulnerabilities, and malware and exploit exposures for 10 assets with the highest risk scores.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-riskiest-assets",
"rel": "self"
}
],
"name": "Top 10 Assets by Vulnerability Risk",
"type": "file"
},
{
"builtin": true,
"description": "Lists total vulnerabilities and malware and exploit exposures for 10 assets with the most vulnerabilities.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/top-vulnerable-assets",
"rel": "self"
}
],
"name": "Top 10 Assets by Vulnerabilities",
"type": "file"
},
{
"builtin": true,
"description": "Tracks trends for vulnerabilities found, assets scanned, malware kit and exploit exposures, severity levels, and vulnerability age over a date range that you select.",
"id": "***************************************",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/report_templates/vulnerability-trends",
"rel": "self"
}
],
"name": "Vulnerability Trends",
"type": "file"
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"IDs": "\"[\\\"audit-report\\\",\\\"baseline-comparison\\\",\\\"basic-vulnerability-check-results\\\",\\\"executive-overview\\\",\\\"highest-risk-vulns\\\",\\\"pci-***-v12\\\",\\\"pci-***-v12\\\",\\\"pci-*ls-v12\\\",\\\"pci***-v12\\\",\\\"policy-details\\\",\\\"policy-eval\\\",\\\"policy-summary\\\",\\\"prioritized-remediations\\\",\\\"prioritized-remediations-with-details\\\",\\\"r7-discovered-assets\\\",\\\"r7-vulnerability-exceptions\\\",\\\"remediation-plan\\\",\\\"report-card\\\",\\\"risk-scorecard\\\",\\\"rule-breakdown-summary\\\",\\\"top-policy-remediations\\\",\\\"top-policy-remediations-with-details\\\",\\\"top-riskiest-assets\\\",\\\"top-vulnerable-assets\\\",\\\"vulnerability-trends\\\"]\"",
"Names": "\"[\\\"Audit Report\\\",\\\"Baseline Comparison\\\",\\\"Basic Vulnerability Check Results (CSV)\\\",\\\"Executive Overview\\\",\\\"Highest Risk Vulnerabilities\\\",\\\"PCI Attestation of Scan Compliance\\\",\\\"PCI Executive Summary\\\",\\\"PCI Host Details\\\",\\\"PCI Vulnerability Details\\\",\\\"Policy Details\\\",\\\"Policy Evaluation\\\",\\\"Policy Compliance Status\\\",\\\"Top Remediations\\\",\\\"Top Remediations with Details\\\",\\\"Newly Discovered Assets\\\",\\\"Vulnerability Exception Activity\\\",\\\"Remediation Plan\\\",\\\"Report Card\\\",\\\"Risk Scorecard\\\",\\\"Policy Rule Breakdown Summary\\\",\\\"Top Policy Remediations\\\",\\\"Top Policy Remediations with Details\\\",\\\"Top 10 Assets by Vulnerability Risk\\\",\\\"Top 10 Assets by Vulnerabilities\\\",\\\"Vulnerability Trends\\\"]\""
}
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
BUILTIN | DESCRIPTION | ID | LINKS | NAME | SECTIONS | TYPE |
---|---|---|---|---|---|---|
True | Provides comprehensive details about discovered assets, vulnerabilities, and users. | audit-report | [ | Audit Report | [ | document |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Report Templates failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data | List Report Templates failed. Status Code: 400. Message: The supplied credentials are invalid. |
List Scan Engines
Returns engine pools available for scanning.
Input
N/A
Output
The primary response data from the API request.
SAMPLE DATA
{
"resources": [
{
"id": 2,
"links": [
{
"href": "https://1.2.2.2:3780/api/3/scan_engines/2",
"rel": "self"
},
{
"href": "https://1.1.1.1:3780/api/3/scan_engines/2/sites",
"rel": "Sites"
},
{
"id": 2,
"href": "https://1.2.3.4:3780/api/3/scan_engine_pools/2/engines",
"rel": "Engine Pool Engines"
}
],
"name": "Default Engine Pool"
}
],
"links": [
{
"href": "https://1.1.1.1:3780/api/3/scan_engine_pools",
"rel": "self"
}
]
}
The data extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data at the path $.resources in the JSON returned by the API.
It is recommended to refer to Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"id": 2,
"links": [
{
"href": "https://1.2.2.2:3780/api/3/scan_engines/2",
"rel": "self"
},
{
"href": "https://1.1.1.1:3780/api/3/scan_engines/2/sites",
"rel": "Sites"
},
{
"id": 2,
"href": "https://1.2.3.4:3780/api/3/scan_engine_pools/2/engines",
"rel": "Engine Pool Engines"
}
],
"name": "Default Engine Pool"
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"IDs": "\"[***]\"",
"Names": "\"[\\\"Default Engine Pool\\\"]\""
}
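The Context Data and Key Fields steps described above for List Scan Engines (and, identically, for List Report Templates) can be reproduced outside the platform to check what a playbook task will actually receive. The following is an added example, not D3 SOAR's or Rapid7's own code: it resolves the $.resources path with a small key-only path walker, and it builds the Key Fields block the way the sample data shows it, as a JSON array that has been serialized twice (which is why the samples above contain doubly escaped quotes), together with the matching decoder. The RAW_DATA dictionary is a constructed sample modelled on the List Scan Engines response on this page, with an invented second pool; the pool id 5 and the name "DMZ Engine Pool" are assumptions.

```python
import json

# Constructed sample modelled on the List Scan Engines raw data on this page;
# the second pool (id 5, "DMZ Engine Pool") is invented for the example.
RAW_DATA = {
    "resources": [
        {"id": 2, "name": "Default Engine Pool",
         "links": [{"href": "https://1.1.1.1:3780/api/3/scan_engine_pools/2", "rel": "self"}]},
        {"id": 5, "name": "DMZ Engine Pool",
         "links": [{"href": "https://1.1.1.1:3780/api/3/scan_engine_pools/5", "rel": "self"}]},
    ],
    "links": [{"href": "https://1.1.1.1:3780/api/3/scan_engine_pools", "rel": "self"}],
}


def extract_path(doc, path):
    """Resolve a dotted JSONPath made of object keys only, e.g. '$.resources'.

    Filters, wildcards and array indices are deliberately unsupported; the
    paths used by this integration's Context Data are plain key chains.
    """
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    node = doc
    for key in (k for k in path[1:].split(".") if k):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{path!r}: key {key!r} not found")
        node = node[key]
    return node


def context_data(raw):
    """Context Data for commands whose results live under $.resources."""
    return extract_path(raw, "$.resources")


def key_fields(resources):
    """Build the Key Fields block from the resource list.

    Each value is the JSON array serialized, then serialized again as a JSON
    string; this reproduces the triple-backslash escaping in the sample data.
    """
    fields = {
        "IDs": [r["id"] for r in resources if "id" in r],
        "Names": [r["name"] for r in resources if "name" in r],
    }
    return {k: json.dumps(json.dumps(v, separators=(",", ":"))) for k, v in fields.items()}


def decode_key_field(value):
    """Undo the double encoding so a downstream task gets a real list back."""
    inner = json.loads(value)
    return json.loads(inner) if isinstance(inner, str) else inner


def output_data_document(raw):
    """Serialize the Key Fields as they appear under $.[playbookTask].outputData."""
    return json.dumps(key_fields(context_data(raw)))


if __name__ == "__main__":
    print(output_data_document(RAW_DATA))
    print(decode_key_field(key_fields(context_data(RAW_DATA))["Names"]))
```

When a playbook task consumes a Key Field such as Names, decode it with both json.loads passes as decode_key_field does; treating the raw value as a list would hand the next task a single string containing brackets and quotes.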
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | LINKS | NAME |
---|---|---|
*** | [ | Default Engine Pool |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Scan Engines failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data | List Scan Engines failed. Status Code: 400. Message: The supplied credentials are invalid. |
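The Return Data and Error tab described above are what a conditional playbook task has to branch on. The following is an added example, not D3 SOAR's own logic: it splits the Error Sample Data text into the three parts named in the table (Failure Indicator, Status Code, Message), maps the status code to a coarse category using standard HTTP semantics (the page itself only documents the 401 case), and derives a next step. SAMPLE_ERROR is taken from the Error Sample Data above; the 503 example string and the step names "continue", "retry", "escalate" and "stop" are assumptions made for the example.

```python
import re

# Taken from the Error Sample Data shown on this page.
SAMPLE_ERROR = "List Scan Engines failed. Status Code: 400. Message: The supplied credentials are invalid."

# Failure Indicator ends with "failed.", then the status code, then the message.
ERROR_RE = re.compile(
    r"^(?P<indicator>.+?failed\.)\s*"
    r"Status Code:\s*(?P<code>\d{3})\.\s*"
    r"Message:\s*(?P<message>.*?)\s*$",
    re.DOTALL,
)


def parse_error(text):
    """Split Error tab text into its parts; None when it does not follow the documented shape."""
    m = ERROR_RE.match(text.strip())
    if not m:
        return None
    return {
        "failure_indicator": m["indicator"],
        "status_code": int(m["code"]),
        "message": m["message"],
    }


def classify_status(code):
    """Map an HTTP status code to a category a playbook can branch on."""
    if code == 401:
        return "unauthorized"  # per the page: check the connection user's permissions in InsightVM
    if code == 403:
        return "forbidden"
    if code == 404:
        return "not_found"
    if 400 <= code < 500:
        return "client_error"
    if 500 <= code < 600:
        return "server_error"
    return "unknown"


def next_step(return_data, error_text=""):
    """Decide what a conditional task should do from Return Data plus the Error tab text.

    Step names are assumptions for this example: "continue", "retry",
    "escalate" (a human must fix credentials or permissions) and "stop".
    """
    if return_data == "Successful":
        return "continue"
    parsed = parse_error(error_text or "")
    if parsed is None:
        # Connection issue or no response from the API: nothing to parse, worth retrying.
        return "retry"
    category = classify_status(parsed["status_code"])
    if category == "server_error":
        return "retry"
    if category in ("unauthorized", "forbidden") or "credentials" in parsed["message"].lower():
        return "escalate"
    return "stop"


if __name__ == "__main__":
    print(parse_error(SAMPLE_ERROR))
    print(next_step("Failed", SAMPLE_ERROR))
```

Note that the page's own sample pairs status code 400 with an invalid-credentials message, so branching on the code alone would miss it; the message check in next_step is there for that case.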
List Scan Templates
Returns all scan templates.
Input
N/A
Output
The primary response data from the API request.
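Before a playbook launches a scan with one of the templates this command returns, it is worth checking what the template will actually do: the sample data below includes a template whose checks.unsafe flag is true (denial-of-service checks), discovery-only templates, and policy-only templates with vulnerability checks disabled. The following is an added example, not D3 SOAR's or Rapid7's own code, that reduces each template object to those capability flags, lists the unsafe ones, and selects a template by required capability while refusing unsafe templates unless explicitly allowed. RAW_DATA is a constructed sample that keeps only the fields the audit reads from the response structure below; the template ids "cis", "dos-audit" and "discovery" are assumptions, since the ids on this page are masked.

```python
# Constructed sample modelled on the List Scan Templates raw data below.
# Only the fields the audit reads are kept; the ids are invented placeholders.
RAW_DATA = {
    "resources": [
        {"id": "cis", "name": "CIS", "discoveryOnly": False, "policyEnabled": True,
         "vulnerabilityEnabled": False, "webEnabled": False,
         "checks": {"unsafe": False, "potential": False, "correlate": False,
                    "types": {"disabled": [], "enabled": []}}},
        {"id": "dos-audit", "name": "Denial of service", "discoveryOnly": False,
         "policyEnabled": True, "vulnerabilityEnabled": True, "webEnabled": True,
         "checks": {"unsafe": True, "potential": False, "correlate": True,
                    "types": {"disabled": ["Local", "Patch", "Policy"], "enabled": []}}},
        {"id": "discovery", "name": "Discovery Scan", "discoveryOnly": True,
         "policyEnabled": False, "vulnerabilityEnabled": False, "webEnabled": False,
         "checks": {"unsafe": False, "potential": False, "correlate": False,
                    "types": {"disabled": [], "enabled": []}}},
    ]
}


def summarize(template):
    """Reduce one scan template object to the flags that decide whether a playbook may use it."""
    checks = template.get("checks", {})
    return {
        "id": template.get("id"),
        "name": template.get("name"),
        "discovery_only": bool(template.get("discoveryOnly", False)),
        "vulnerability": bool(template.get("vulnerabilityEnabled", False)),
        "policy": bool(template.get("policyEnabled", False)),
        "web": bool(template.get("webEnabled", False)),
        "unsafe": bool(checks.get("unsafe", False)),
        "disabled_check_types": list(checks.get("types", {}).get("disabled", [])),
    }


def unsafe_templates(raw):
    """Names of templates whose checks.unsafe flag is set (denial-of-service checks)."""
    return [t.get("name") for t in raw.get("resources", []) if t.get("checks", {}).get("unsafe")]


def select_template(raw, *, vulnerability=True, allow_unsafe=False):
    """Return the id of the first template that fits, or None.

    Discovery-only templates are skipped because they run no checks at all;
    unsafe templates are skipped unless the caller opts in explicitly.
    """
    for template in raw.get("resources", []):
        s = summarize(template)
        if s["unsafe"] and not allow_unsafe:
            continue
        if s["discovery_only"]:
            continue
        if vulnerability and not s["vulnerability"]:
            continue
        return s["id"]
    return None


if __name__ == "__main__":
    for t in RAW_DATA["resources"]:
        print(summarize(t))
    print("unsafe:", unsafe_templates(RAW_DATA))
    print("selected:", select_template(RAW_DATA))
```

With the sample above, select_template(RAW_DATA) returns None: the only template with vulnerability checks enabled is the unsafe one, so a playbook that needs a vulnerability scan gets no template rather than a denial-of-service audit by accident.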
SAMPLE DATA
{
"resources": [
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs CIS policy compliance tests with application-layer auditing on supported CIS benchmarked systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
2***,
2***
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
***,
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "***",
"policy": {
"enabled": [
***,
***
],
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs DISA policy compliance tests with application-layer auditing on supported DISA benchmarked systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
***,
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "DISA",
"policy": {
"enabled": [
***,
***
],
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": true
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a basic network audit of all systems using both safe and unsafe (denial-of-service) checks. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-***"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Denial of service",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {},
"description": "Performs a discovery scan to identify live assets on the network, including host name and operating system. No further enumeration, policy or vulnerability scanning will be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
***,
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"additionalPorts": [
161,
500,
31400,
5353,
123,
1900
],
"ports": "custom"
}
}
},
"discoveryOnly": true,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Discovery Scan",
"policyEnabled": false,
"telnet": {},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {},
"description": "Performs a fast and cursory discovery scan to identify live assets on high speed networks, including host name and operating system. Packets are sent at a very high rate which may trigger IPS/IDS sensors, SYN flood protection and exhaust states on stateful firewalls. No further enumeration, policy or vulnerability scanning will be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 6,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT1.25S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
***,
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"additionalPorts": [
***,
***
],
"ports": "custom"
}
}
},
"discoveryOnly": true,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Discovery Scan - Aggressive",
"policyEnabled": false,
"telnet": {},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Exhaustive",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs FDCC policy compliance tests with application-layer auditing on all Windows XP and Windows Vista systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
135,
139,
445
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
135,
139,
445
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "FDCC",
"policy": {
"enabled": [
5,
4,
3,
2,
1
],
"recursiveWindowsFSSearch": false,
"storeSCAP": true
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***,
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "A full audit scan with enhanced logging enabled and web spidering disabled. Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": true,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit enhanced logging without Web Spider",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Does not include web spidering. Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit without Web Spider",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a HIPAA audit of all systems using only safe checks. Settings appropriate for auditing compliance will be enabled as per HIPAA section 164.312 (\"Technical Safeguards\"). Any conditions resulting in inadequate access control, inadequate auditing, loss of integrity, inadequate authentication, or inadequate transmission security (encryption) will be flagged.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "HIPAA compliance",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveContent": "\\b\\d{3}-\\d{2}-\\d{4}\\b",
"sensitiveField": "(p|pass)(word|phrase|wd|code)|(s|soc|social)(s|sec|security)(n|no|num|number)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": [
"DNS",
"Database",
"FTP",
"Lotus Notes/Domino",
"Mail",
"SSH",
"TFTP",
"Telnet",
"VPN",
"Web"
]
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an in-depth penetration test of public-facing servers. All common internet services will be scanned, including web, FTP, mail (SMTP/POP/IMAP/Lotus Notes), DNS, database, telnet, SSH, and VPN services. In-depth patch/hotfix checking and policy compliance audits will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 10,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Internet DMZ audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": [
"RPM"
]
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
]
},
"description": "Performs an audit of Linux systems for the proper installation of RPM patches. For greatest success, administrative credentials should be used when performing Linux RPM scans.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
113,
22,
23
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Linux RPMs",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": [
"Microsoft hotfix"
]
},
"unsafe": false
},
"database": {},
"description": "Performs an audit of Microsoft Windows systems for the proper installation of hotfixes and service packs. For greatest success, administrative credentials should be used when performing Microsoft hotfix scans.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Microsoft hotfix",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": true,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Payment Card Industry (PCI) Approved Scanning Vendor (ASV) compliance audit. This template uses all known safe checks, including potential checks and web application scanning.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": false,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 5,
"maxScanProcesses": 1,
"name": "PCI ASV External Audit",
"policyEnabled": false,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": false,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0.36S",
"responseTimeout": "PT2M",
"threadsPerServer": 5
},
"testCommonUsernamesAndPasswords": true,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/31.0 Chrome/37.0.2049.0 Safari/537.36"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [
"database-open-access"
],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Payment Card Industry (PCI) audit intended for the internal discovery of assets. This template includes all network-based vulnerabilities, web application scanning, and specifically excludes potential vulnerabilities as well as vulnerabilities specific to the external perimeter.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 450
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 1,
"name": "PCI Internal Audit",
"policyEnabled": false,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": false,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0.36S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": true,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/31.0 Chrome/37.0.2049.0 Safari/537.36"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing the product to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
8080,
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Penetration test",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Metasploit",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "\nThis is a \"polite,\" or less aggressive, network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems, using only safe checks. Packet block delays have been increased; time between sent packets has been increased; protocol handshaking has been disabled; and simultaneous network access to assets has been restricted.\n ",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": false,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 4,
"scanDelay": {
"maximum": "PT2S",
"minimum": "PT1S"
},
"timeout": {
"initial": "PT5S",
"maximum": "PT5S",
"minimum": "PT5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 5,
"maxScanProcesses": 1,
"name": "SCADA audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": true
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 1
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false,
"userAgent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a non-intrusive network audit of all systems using only safe checks. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT1S",
"minimum": "PT0.4S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Safe network audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Sarbanes-Oxley (SOX) audit of all systems using only safe checks. The SOX compliance audit will highlight threats to digital data integrity, data access auditing, accountability, and availability, as mandated in Section 302 (\"Corporate Responsibility for Fiscal Reports\"), Section 404 (\"Management Assessment of Internal Controls\"), and Section 409 (\"Real Time Issuer Disclosures\") respectively.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Sarbanes-Oxley compliance",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Test",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 450
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "TestScanTemplate",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 10000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs USGCB policy compliance tests with application-layer auditing on all Windows 7 systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
***
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "USGCB",
"policy": {
"enabled": [
***
],
"recursiveWindowsFSSearch": false,
"storeSCAP": true
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": [
"Web"
]
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
]
},
"description": "Performs an audit of all web servers and web applications. Suitable for scanning both public-facing and internal web servers, including application servers, ASP's, CGI scripts, etc. Patch checking and policy compliance audits will not be performed. Note that the Web Audit will not scan FTP servers, mail servers, or database servers. For that, you may want to use the Internet DMZ Audit instead.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 10,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "https://*****.com/***",
"tcp": {
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "***************************************",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Web audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
}
],
"links": [
{
"href": "https://***.***.***.***:3780/api/3/scan_templates",
"rel": "self"
}
]
}
The data extracted from Raw Data is converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.resources in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs CIS policy compliance tests with application-layer auditing on supported CIS benchmarked systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
****,
*****
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
*****,
*****
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "cis",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "CIS",
"policy": {
"enabled": [
*****,
*****
],
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs DISA policy compliance tests with application-layer auditing on supported DISA benchmarked systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
****,
*****
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
*****,
*****
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "disa",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "DISA",
"policy": {
"enabled": [
*****,
*****
],
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": true
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a basic network audit of all systems using both safe and unsafe (denial-of-service) checks. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
****,
****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "dos-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Denial of service",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {},
"description": "Performs a discovery scan to identify live assets on the network, including host name and operating system. No further enumeration, policy or vulnerability scanning will be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"additionalPorts": [
*****
],
"ports": "custom"
}
}
},
"discoveryOnly": true,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "discovery",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Discovery Scan",
"policyEnabled": false,
"telnet": {},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {},
"description": "Performs a fast and cursory discovery scan to identify live assets on high speed networks, including host name and operating system. Packets are sent at a very high rate which may trigger IPS/IDS sensors, SYN flood protection and exhaust states on stateful firewalls. No further enumeration, policy or vulnerability scanning will be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 6,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT1.25S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"additionalPorts": [
****
],
"ports": "custom"
}
}
},
"discoveryOnly": true,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "aggressive-discovery",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Discovery Scan - Aggressive",
"policyEnabled": false,
"telnet": {},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "exhaustive-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Exhaustive",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs FDCC policy compliance tests with application-layer auditing on all Windows XP and Windows Vista systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
135,
139,
445
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
135,
139,
445
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "fdcc-1_2_1_0",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "FDCC",
"policy": {
"enabled": [
5,
4,
3,
2,
1
],
"recursiveWindowsFSSearch": false,
"storeSCAP": true
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "full-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "A full audit scan with enhanced logging enabled and web spidering disabled. Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": true,
"id": "full-audit-enhanced-logging-without-web-spider",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit enhanced logging without Web Spider",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Does not include web spidering. Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "full-audit-without-web-spider",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Full audit without Web Spider",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a HIPAA audit of all systems using only safe checks. Settings appropriate for auditing compliance will be enabled as per HIPAA section 164.312 (\"Technical Safeguards\"). Any conditions resulting in inadequate access control, inadequate auditing, loss of integrity, inadequate authentication, or inadequate transmission security (encryption) will be flagged.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "hipaa-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "HIPAA compliance",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveContent": "\\b\\d{3}-\\d{2}-\\d{4}\\b",
"sensitiveField": "(p|pass)(word|phrase|wd|code)|(s|soc|social)(s|sec|security)(n|no|num|number)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": [
"DNS",
"Database",
"FTP",
"Lotus Notes/Domino",
"Mail",
"SSH",
"TFTP",
"Telnet",
"VPN",
"Web"
]
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an in-depth penetration test of public-facing servers. All common internet services will be scanned, including web, FTP, mail (SMTP/POP/IMAP/Lotus Notes), DNS, database, telnet, SSH, and VPN services. In-depth patch/hotfix checking and policy compliance audits will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 10,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "internet-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Internet DMZ audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": [
"RPM"
]
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
]
},
"description": "Performs an audit of Linux systems for the proper installation of RPM patches. For greatest success, administrative credentials should be used when performing Linux RPM scans.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
113,
22,
23
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "linux-rpm",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Linux RPMs",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": [
"Microsoft hotfix"
]
},
"unsafe": false
},
"database": {},
"description": "Performs an audit of Microsoft Windows systems for the proper installation of hotfixes and service packs. For greatest success, administrative credentials should be used when performing Microsoft hotfix scans.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
*****
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "microsoft-hotfix",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Microsoft hotfix",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": true,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Payment Card Industry (PCI) Approved Scanning Vendor (ASV) compliance audit. This template uses all known safe checks, including potential checks and web application scanning.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": false,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "pci-audit",
"maxParallelAssets": 5,
"maxScanProcesses": 1,
"name": "PCI ASV External Audit",
"policyEnabled": false,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": false,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0.36S",
"responseTimeout": "PT2M",
"threadsPerServer": 5
},
"testCommonUsernamesAndPasswords": true,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/31.0 Chrome/37.0.2049.0 Safari/537.36"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [
"database-open-access"
],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Payment Card Industry (PCI) audit intended for the internal discovery of assets. This template includes all network-based vulnerabilities, web application scanning, and specifically excludes potential vulnerabilities as well as vulnerabilities specific to the external perimeter.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
****,
****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
***,
***
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 450
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"method": "SYN",
"ports": "all"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "pci-internal-audit",
"maxParallelAssets": 10,
"maxScanProcesses": 1,
"name": "PCI Internal Audit",
"policyEnabled": false,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": false,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0.36S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": true,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/31.0 Chrome/37.0.2049.0 Safari/537.36"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing the product to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
*****,
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "pentest-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Penetration test",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Metasploit",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "\nThis is a \"polite,\" or less aggressive, network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems, using only safe checks. Packet block delays have been increased; time between sent packets has been increased; protocol handshaking has been disabled; and simultaneous network access to assets has been restricted.\n ",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": false,
"maximum": 0,
"minimum": 0
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 4,
"scanDelay": {
"maximum": "PT2S",
"minimum": "PT1S"
},
"timeout": {
"initial": "PT5S",
"maximum": "PT5S",
"minimum": "PT5S"
}
},
"service": {
"serviceNameFile": "default-services-scada.properties",
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "scada",
"maxParallelAssets": 5,
"maxScanProcesses": 1,
"name": "SCADA audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": true
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 1
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false,
"userAgent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [
"Local",
"Patch",
"Policy"
],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a non-intrusive network audit of all systems using only safe checks. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****,
*****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT1S",
"minimum": "PT0.4S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-1040"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "network-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Safe network audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
],
"postgres": "template1"
},
"description": "Performs a Sarbanes-Oxley (SOX) audit of all systems using only safe checks. The SOX compliance audit will highlight threats to digital data integrity, data access auditing, accountability, and availability, as mandated in Section 302 (\"Corporate Responsibility for Fiscal Reports\"), Section 404 (\"Management Assessment of Internal Controls\"), and Section 409 (\"Real Time Issuer Disclosures\") respectively.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
****
],
"treatTcpResetAsAsset": true,
"udpPorts": [
*****,
*****
]
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"additionalPorts": [
"1-***"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "sox-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Sarbanes-Oxley compliance",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Test",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 450
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
"1-*****"
],
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "well-known"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "testscantemplate",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "TestScanTemplate",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 10000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": false
},
"webEnabled": true
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": []
},
"correlate": false,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
""
]
},
"description": "Performs USGCB policy compliance tests with application-layer auditing on all Windows 7 systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 4,
"ipFingerprintingEnabled": false,
"sendArpPings": true,
"sendIcmpPings": true,
"tcpPorts": [
*****
],
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 0,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"tcp": {
"additionalPorts": [
***
],
"method": "SYN",
"ports": "custom"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "usgcb-1_2_1_0",
"maxParallelAssets": 10,
"maxScanProcesses": 10,
"name": "USGCB",
"policy": {
"enabled": [
***
],
"recursiveWindowsFSSearch": false,
"storeSCAP": true
},
"policyEnabled": true,
"telnet": {
"characterSet": "US-ASCII"
},
"vulnerabilityEnabled": false,
"webEnabled": false
},
{
"checks": {
"categories": {
"disabled": [],
"enabled": [
"Web"
]
},
"correlate": true,
"individual": {
"disabled": [],
"enabled": []
},
"potential": false,
"types": {
"disabled": [],
"enabled": []
},
"unsafe": false
},
"database": {
"oracle": [
"ORCL",
"IASDB",
"OEMREP",
"XE",
"ixos",
"CTM4_0",
"CTM4_1",
"CTM4_6",
"CTM4_7",
"ARIS",
"MSAM",
"VPX",
"OPENVIEW",
"OVO",
"SA0",
"SA1",
"SA2",
"SA3",
"SA4",
"SA5",
"SA6",
"SA7",
"SA8",
"SA9",
"SAA",
"SAB",
"SAC",
"SAD",
"SAE",
"SAF",
"SAG",
"SAH",
"SAI",
"SAJ",
"SAK",
"SAL",
"SAM",
"SAN",
"SAO",
"SAP",
"SAQ",
"SAR",
"SAS",
"SAT",
"SAU",
"SAV",
"SAW",
"SAX",
"SAY",
"SAZ"
]
},
"description": "Performs an audit of all web servers and web applications. Suitable for scanning both public-facing and internal web servers, including application servers, ASP's, CGI scripts, etc. Patch checking and policy compliance audits will not be performed. Note that the Web Audit will not scan FTP servers, mail servers, or database servers. For that, you may want to use the Internet DMZ Audit instead.",
"discovery": {
"asset": {
"collectWhoisInformation": false,
"fingerprintMinimumCertainty": 0.16,
"fingerprintRetries": 0,
"ipFingerprintingEnabled": true,
"sendArpPings": true,
"sendIcmpPings": false,
"treatTcpResetAsAsset": true
},
"performance": {
"packetRate": {
"defeatRateLimit": true,
"maximum": 15000,
"minimum": 2000
},
"parallelism": {
"maximum": 10,
"minimum": 0
},
"retryLimit": 3,
"scanDelay": {
"maximum": "PT0S",
"minimum": "PT0S"
},
"timeout": {
"initial": "PT0.5S",
"maximum": "PT3S",
"minimum": "PT0.5S"
}
},
"service": {
"serviceNameFile": "default-services.properties",
"tcp": {
"method": "SYN",
"ports": "well-known"
},
"udp": {
"ports": "none"
}
}
},
"discoveryOnly": false,
"enableWindowsServices": false,
"enhancedLogging": false,
"id": "web-audit",
"maxParallelAssets": 100,
"maxScanProcesses": 10,
"name": "Web audit",
"policy": {
"recursiveWindowsFSSearch": false,
"storeSCAP": false
},
"policyEnabled": true,
"telnet": {},
"vulnerabilityEnabled": true,
"web": {
"dontScanMultiUseDevices": true,
"includeQueryStrings": false,
"paths": {
"honorRobotDirectives": false
},
"patterns": {
"sensitiveField": "(p|pass)(word|phrase|wd|code)"
},
"performance": {
"httpDaemonsToSkip": [
"Agranat-EmWeb",
"Allegro-Software-RomPager",
"cisco-IOS",
"CUPS",
"DigitalV6-HTTPD",
"EMWHTTPD",
"ESWeb",
"EWS-NIC3",
"HP JetDirect",
"HP Web Jetadmin",
"HP-ChaiServer",
"HP-ChaiSOE",
"IOS",
"JetDirect",
"RAC_ONE_HTTP",
"Rapid Logic",
"RMC Webserver",
"Virata-EmWeb"
],
"maximumDirectoryLevels": 6,
"maximumForeignHosts": 100,
"maximumLinkDepth": 6,
"maximumPages": 3000,
"maximumRetries": 2,
"maximumTime": "PT0S",
"responseTimeout": "PT2M",
"threadsPerServer": 3
},
"testCommonUsernamesAndPasswords": false,
"testXssInSingleScan": true,
"userAgent": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
},
"webEnabled": true
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"IDs": "\"[\\\"cis\\\",\\\"disa\\\",\\\"dos-audit\\\",\\\"discovery\\\",\\\"aggressive-discovery\\\",\\\"exhaustive-audit\\\",\\\"fdcc-1_2_1_0\\\",\\\"full-audit\\\",\\\"full-audit-enhanced-logging-without-web-spider\\\",\\\"full-audit-without-web-spider\\\",\\\"hipaa-audit\\\",\\\"internet-audit\\\",\\\"linux-rpm\\\",\\\"microsoft-hotfix\\\",\\\"pci-audit\\\",\\\"pci-internal-audit\\\",\\\"pentest-audit\\\",\\\"scada\\\",\\\"network-audit\\\",\\\"sox-audit\\\",\\\"testscantemplate\\\",\\\"usgcb-1_2_1_0\\\",\\\"web-audit\\\"]\"",
"Names": "\"[\\\"CIS\\\",\\\"DISA\\\",\\\"Denial of service\\\",\\\"Discovery Scan\\\",\\\"Discovery Scan - Aggressive\\\",\\\"Exhaustive\\\",\\\"FDCC\\\",\\\"Full audit\\\",\\\"Full audit enhanced logging without Web Spider\\\",\\\"Full audit without Web Spider\\\",\\\"HIPAA compliance\\\",\\\"Internet DMZ audit\\\",\\\"Linux RPMs\\\",\\\"Microsoft hotfix\\\",\\\"PCI ASV External Audit\\\",\\\"PCI Internal Audit\\\",\\\"Penetration test\\\",\\\"SCADA audit\\\",\\\"Safe network audit\\\",\\\"Sarbanes-Oxley compliance\\\",\\\"TestScanTemplate\\\",\\\"USGCB\\\",\\\"Web audit\\\"]\""
}
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CHECKS | DATABASE | DESCRIPTION | DISCOVERY | DISCOVERYONLY | ENABLEWINDOWSSERVICES | ENHANCEDLOGGING | ID | MAXPARALLELASSETS | MAXSCANPROCESSES | NAME | POLICY | POLICYENABLED | TELNET | VULNERABILITYENABLED | WEBENABLED | WEB |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
{ | { | Performs CIS policy compliance tests with application-layer auditing on supported CIS benchmarked systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned. | { | False | False | False | cis | 10 | 10 | CIS | { | True | { | False | False | |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Scan Templates failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data List Scan Templates failed. Status Code: 400. Message: The supplied credentials are invalid. |
List Site
Retrieves a paged resource of accessible sites.
READER NOTE
If the user used to establish the connection does not have sufficient permissions, the command will be successful with no results. In this case, verify that the user has permission to access all sites.
Input
Input Parameter | Required/Optional | Description | Example |
Limit | Optional | The maximum number of results to return per page. The maximum value is 500. | 10 |
Sort | Optional | The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters. | id,asc |
Output
The primary response data from the API request.
D3 customizes the Raw Data by extracting the data from path $.resources in API returned JSON.
SAMPLE DATA
[
{
"assets": 0,
"id": 5,
"importance": "normal",
"links": [
{
"href": "https://1.1.1.1:3780/api/3/sites/5",
"rel": "self"
}
],
"name": "1",
"riskScore": 0,
"scanEngine": 3,
"scanTemplate": "full-audit-without-web-spider",
"type": "static",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
},
{
"assets": 0,
"id": 8,
"importance": "normal",
"links": [
{
"href": "https://1.1.1.1:3780/api/3/sites/8",
"rel": "self"
}
],
"name": "1234",
"riskScore": 0,
"scanEngine": 3,
"scanTemplate": "full-audit-without-web-spider",
"type": "static",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
},
{
"assets": 0,
"id": 7,
"importance": "normal",
"links": [
{
"href": "https://1.2.3.4:3780/api/3/sites/7",
"rel": "self"
}
],
"name": "2",
"riskScore": 0,
"scanEngine": 3,
"scanTemplate": "full-audit-without-web-spider",
"type": "static",
"vulnerabilities": {
"critical": 0,
"moderate": 0,
"severe": 0,
"total": 0
}
}
]
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the context data obtained from the original Rapid7 InsightVM API response by including specific fields such as "assets", "id", "importance", "name", "riskScore", "scanEngine", "scanTemplate", "type", "critical", "moderate", "severe" and "total."
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"id": 5,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 8,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 7,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 3,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 2,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 158356,
"mac": null,
"critical": 11,
"exploits": null,
"malwareKits": null,
"moderate": 154,
"severe": 264,
"total": 429
},
{
"id": 6,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 9,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 11,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 10,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
},
{
"id": 12,
"ip": null,
"os": null,
"rawRiskScore": null,
"riskScore": 0,
"mac": null,
"critical": 0,
"exploits": null,
"malwareKits": null,
"moderate": 0,
"severe": 0,
"total": 0
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"assetIDs": "\"[5,8,7,3,2,6,9,11,10,12]\"",
"ips": "\"[\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"\\\"]\""
}
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | IP | OS | RAWRISKSCORE | RISKSCORE | MAC | CRITICAL | EXPLOITS | MALWAREKITS | MODERATE | SEVERE | TOTAL |
---|---|---|---|---|---|---|---|---|---|---|---|
5 | | | | 0 | | 0 | | | 0 | 0 | 0 |
8 | | | | 0 | | 0 | | | 0 | 0 | 0 |
7 | | | | 0 | | 0 | | | 0 | 0 | 0 |
3 | | | | 0 | | 0 | | | 0 | 0 | 0 |
2 | | | | 158356 | | 11 | | | 154 | 264 | 429 |
6 | | | | 0 | | 0 | | | 0 | 0 | 0 |
9 | | | | 0 | | 0 | | | 0 | 0 | 0 |
11 | | | | 0 | | 0 | | | 0 | 0 | 0 |
10 | | | | 0 | | 0 | | | 0 | 0 | 0 |
12 | | | | 0 | | 0 | | | 0 | 0 | 0 |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Site failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data List Site failed. Status Code: 400. Message: The supplied credentials are invalid. |
Search Asset
Searches and returns accessible assets matching the given search criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Limit | Optional | The maximum number of results to return per page. The maximum value is 100. Default value is 10. | 10 |
Sort | Optional | The criteria to sort the records by, in the format: property[,ASC|DESC]. The default sort order is ascending. Multiple sort criteria can be specified using multiple sort query parameters. | id,asc |
Filters | Optional | The array of search filters to match assets. Every filter defines two required properties: field and operator. The field is the name of an asset property that is being filtered on. The operator is a type and property-specific operation performed on the filtered property. For the list of available fields and operators, refer to the Search Criteria subsection under the Overview section of the InsightVM API (v3) documentation. | [ { "field": "ip-address", "operator": "in-range", "lower": "1.1.1.1", "upper": "1.2.3.4" } ] |
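The List Site paging inputs (Limit, Sort) and the Search Asset Filters input above map onto the InsightVM API v3 paged-resource calls that D3 wraps. The block below is an added example, not D3 SOAR or Rapid7 code: it validates a Limit/Sort pair, builds a `POST /api/3/assets/search` body (the `match` property, which must be `all` or `any`, is required by the API even though the D3 input table does not list it), walks a paged response using its `page.totalPages` counter, extracts `$.resources` as the Raw Data section describes, and derives the `assetIDs`/`ips` Key Fields. The endpoint paths, the paged response shape and the two-page server reply are assumptions constructed for the example so that it runs offline.

```python
"""Added example (not D3 SOAR or Rapid7 code): build and consume InsightVM
API v3 paged requests the way the List Site and Search Asset commands do.
Assumed: the paged response shape {"resources": [...], "page": {...}} and
the Key Field names "assetIDs"/"ips". The server replies are constructed."""
import json

MAX_PAGE_SIZE = 500             # List Site "Limit" ceiling stated on the page
VALID_SORT_DIRS = {"ASC", "DESC"}


def list_params(limit=10, sort="id,asc"):
    """Query parameters for a paged GET such as /api/3/sites."""
    if not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError(f"limit must be 1..{MAX_PAGE_SIZE}")
    prop, _, direction = sort.partition(",")
    direction = (direction or "ASC").upper()
    if not prop or direction not in VALID_SORT_DIRS:
        raise ValueError("sort must be property[,ASC|DESC]")
    return {"page": 0, "size": limit, "sort": f"{prop},{direction}"}


def search_body(filters, match="all"):
    """Body for POST /api/3/assets/search. Every filter needs field and
    operator; 'match' says whether all or any of the filters must hold."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    for f in filters:
        if "field" not in f or "operator" not in f:
            raise ValueError(f"filter missing field/operator: {f}")
    return {"filters": list(filters), "match": match}


def resources(page_json):
    """D3's Raw Data for these commands: the $.resources array."""
    return page_json.get("resources", [])


def all_pages(fetch_page):
    """Collect every page; fetch_page(n) returns the JSON for page n."""
    items, number = [], 0
    while True:
        body = fetch_page(number)
        items.extend(resources(body))
        number += 1
        if number >= body.get("page", {}).get("totalPages", 1):
            return items


def key_fields(assets):
    """Key Fields as the page shows them: JSON-encoded lists of asset IDs
    and IPs (a null IP becomes an empty string, as in the List Site sample)."""
    ids = [a["id"] for a in assets]
    ips = [a.get("ip") or "" for a in assets]
    return {"assetIDs": json.dumps(ids), "ips": json.dumps(ips)}


# Constructed two-page reply standing in for the InsightVM server.
_FAKE_PAGES = [
    {"resources": [{"id": 36, "ip": "10.0.0.5", "os": "Linux 3.10"},
                   {"id": 37, "ip": "10.0.0.6", "os": "Linux 3.2"}],
     "page": {"number": 0, "size": 2, "totalPages": 2, "totalResources": 3}},
    {"resources": [{"id": 41, "ip": None, "os": "Check Point GAiA OS"}],
     "page": {"number": 1, "size": 2, "totalPages": 2, "totalResources": 3}},
]


def demo():
    """Search body for the page's in-range example, then page through the
    constructed reply and derive Key Fields from it."""
    body = search_body([{"field": "ip-address", "operator": "in-range",
                         "lower": "10.0.0.1", "upper": "10.0.0.254"}])
    assets = all_pages(lambda n: _FAKE_PAGES[n])
    return body, assets, key_fields(assets)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When a real connection is used, `fetch_page` is the function that issues the HTTP call with the connection's Basic-Auth credentials and passes `list_params(...)` as the query string; because `all_pages` trusts `page.totalPages` from the server, cap the loop if the playbook runs against an instance you do not control.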
Output
The primary response data from the API request.
D3 customizes the Raw Data by extracting the data from path $.resources in API returned JSON.
SAMPLE DATA
[
{
"addresses": [
{
"ip": "***.***.***.***",
"mac": "****:****:****:***::****"
}
],
"assessedForPolicies": false,
"assessedForVulnerabilities": true,
"history": [
{
"date": "2020-09-04T01****:****:****:***::****.822Z",
"scanId": 14,
"type": "SCAN",
"version": 1
}
],
"id": *****,
"ip": "***.***.***.***",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36",
"rel": "self"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/software",
"rel": "Software"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/files",
"rel": "Files"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/users",
"rel": "Users"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/user_groups",
"rel": "User Groups"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/databases",
"rel": "Databases"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services",
"rel": "Services"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/tags",
"rel": "Tags"
}
],
"mac": "****:****:****:***::****",
"os": "Linux 3.10",
"osFingerprint": {
"cpe": {
"part": "o",
"product": "linux_kernel",
"targetHW": "arm64",
"v2.2": "cpe:/o:linux:linux_kernel:3.10.0::~~~~arm64~",
"v2.3": "cpe:2.3:o:linux:linux_kernel:3.10.0:*:*:*:*:*:arm64:*",
"vendor": "linux",
"version": "3.10.0"
},
"description": "Linux 3.10",
"family": "Linux",
"id": 6,
"product": "Linux",
"systemName": "Linux",
"type": "General",
"vendor": "Linux",
"version": "3.10"
},
"rawRiskScore": 4123.30615,
"riskScore": 4123.30615,
"services": [
{
"configurations": [
{
"name": "https://*****.com/***",
"value": "none,***@example.com"
},
{
"name": "https://*****.com/***",
"value": "2.0"
},
{
"name": "https://*****.com/***",
"value": "***************************************"
}
],
"family": "OpenSSH",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22",
"rel": "self"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22/configurations",
"rel": "Configurations"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22/databases",
"rel": "Databases"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22/users",
"rel": "Users"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22/user_groups",
"rel": "User Groups"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/22/web_applications",
"rel": "Web Applications"
}
],
"name": "SSH",
"port": *****,
"product": "OpenSSH",
"protocol": "tcp",
"vendor": "OpenBSD",
"version": "7.4"
},
{
"configurations": [
{
"name": "sslv3",
"value": "false"
},
{
"name": "tlsv1_0",
"value": "false"
},
{
"name": "tlsv1_1",
"value": "false"
},
{
"name": "tlsv1_2",
"value": "false"
}
],
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161",
"rel": "self"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161/configurations",
"rel": "Configurations"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161/databases",
"rel": "Databases"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161/users",
"rel": "Users"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161/user_groups",
"rel": "User Groups"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/161/web_applications",
"rel": "Web Applications"
}
],
"name": "SNMP",
"port": *****,
"protocol": "tcp"
},
{
"configurations": [
{
"name": "https://*****.com/***",
"value": "Apache"
},
{
"name": "https://*****.com/***",
"value": "Apache"
},
{
"name": "ssl",
"value": "true"
},
{
"name": "https://*****.com/***",
"value": "[Path does not chain with any of the trust anchors]"
},
{
"name": "https://*****.com/***",
"value": "test@example.com, CN=localhost.localdomain, OU=MyOrg, O=MyCompany, L=Seattle, ST=WA, C=--"
},
{
"name": "https://*****.com/***",
"value": "RSA"
},
{
"name": "https://*****.com/***",
"value": "2048"
},
{
"name": "https://*****.com/***",
"value": "Sat, 03 Aug 2030 ****:****:****:***::**** UTC"
},
{
"name": "https://*****.com/***",
"value": "Wed, 05 Aug 2020 ****:****:****:***::**** UTC"
},
{
"name": "https://*****.com/***",
"value": "true"
},
{
"name": "https://*****.com/***",
"value": "*****"
},
{
"name": "https://*****.com/***",
"value": "***************************************"
},
{
"name": "https://*****.com/***",
"value": "*****"
},
{
"name": "https://*****.com/***",
"value": "test@example.com, CN=localhost.localdomain, OU=MyOrg, O=MyCompany, L=Seattle, ST=WA, C=--"
},
{
"name": "https://*****.com/***",
"value": "false"
},
{
"name": "https://*****.com/***",
"value": "true"
},
{
"name": "https://*****.com/***",
"value": "3"
},
{
"name": "https://*****.com/***",
"value": "tlsv1_1,tlsv1_2"
},
{
"name": "sslv2",
"value": "false"
},
{
"name": "sslv3",
"value": "false"
},
{
"name": "tlsv1_0",
"value": "false"
},
{
"name": "tlsv1_1",
"value": "true"
},
{
"name": "https://*****.com/***",
"value": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
},
{
"name": "https://*****.com/***",
"value": "RENEGOTIATION_INFO,EC_POINT_FORMATS"
},
{
"name": "tlsv1_2",
"value": "true"
},
{
"name": "https://*****.com/***",
"value": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
},
{
"name": "https://*****.com/***",
"value": "RENEGOTIATION_INFO,EC_POINT_FORMATS"
},
{
"name": "verbs-1",
"value": "GET"
},
{
"name": "verbs-2",
"value": "HEAD"
},
{
"name": "verbs-3",
"value": "OPTIONS"
},
{
"name": "verbs-4",
"value": "POST"
},
{
"name": "verbs-5",
"value": "TRACE"
},
{
"name": "verbs-count",
"value": "5"
}
],
"family": "Apache",
"links": [
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443",
"rel": "self"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443/configurations",
"rel": "Configurations"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443/databases",
"rel": "Databases"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443/users",
"rel": "Users"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443/user_groups",
"rel": "User Groups"
},
{
"href": "https://***.***.***.***:3780/api/3/assets/36/services/tcp/443/web_applications",
"rel": "Web Applications"
}
],
"name": "HTTPS",
"port": *****,
"product": "HTTPD",
"protocol": "tcp",
"vendor": "Apache"
}
],
"vulnerabilities": {
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 6,
"severe": 4,
"total": 10
}
}
]
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the context data obtained from the original Rapid7 InsightVM API response by including specific fields such as "id", "ip", "os", "rawRiskScore", "riskScore", "mac", "critical", "exploits", "malwareKits", "moderate", "severe" and "total".
SAMPLE DATA
[
{
"id": ****,
"ip": "***.***.***.***",
"os": "Linux 3.10",
"rawRiskScore": 4123.30615,
"riskScore": 4123.30615,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 6,
"severe": 4,
"total": 10
},
{
"id": *****,
"ip": "***.***.***.***",
"os": "Linux 3.2",
"rawRiskScore": 888.237427,
"riskScore": 888.237427,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 2,
"severe": 1,
"total": 3
},
{
"id": *****,
"ip": "***.***.***.***",
"os": "Microsoft Windows Server 2016 Standard Edition",
"rawRiskScore": 7785.04443,
"riskScore": 7785.04443,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 6,
"severe": 11,
"total": 17
},
{
"id": *****,
"ip": "***.***.***.***",
"os": "Google Linux 7.1.2",
"rawRiskScore": 3763.78027,
"riskScore": 3763.78027,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 3,
"severe": 5,
"total": 8
},
{
"id": *****,
"ip": "***.***.***.***",
"os": "Linux 3.2",
"rawRiskScore": 5011.52051,
"riskScore": 5011.52051,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 7,
"severe": 8,
"total": 15
},
{
"id": ****,
"ip": "***.***.***.***",
"os": "Ubuntu Linux 16.04",
"rawRiskScore": 26718.5664,
"riskScore": 26718.5664,
"mac": "****:****:****:***::****",
"critical": 9,
"exploits": 3,
"malwareKits": 0,
"moderate": 37,
"severe": 80,
"total": 126
},
{
"id": *****,
"ip": "***.***.***.***",
"os": "Linux 3.2",
"rawRiskScore": 5832.49316,
"riskScore": 5832.49316,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 7,
"severe": 9,
"total": 16
},
{
"id": ****,
"ip": "***.***.***.***",
"os": "Linux 3.2",
"rawRiskScore": 589.321045,
"riskScore": 589.321045,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 2,
"severe": 2,
"total": 4
},
{
"id": ******,
"ip": "***.***.***.***",
"os": "Check Point GAiA OS",
"rawRiskScore": 5031.47998,
"riskScore": 5031.47998,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 1,
"malwareKits": 0,
"moderate": 5,
"severe": 7,
"total": 12
},
{
"id": ****,
"ip": "***.***.***.***",
"os": "Linux 3.10",
"rawRiskScore": 3494.95776,
"riskScore": 3494.95776,
"mac": "****:****:****:***::****",
"critical": 0,
"exploits": 0,
"malwareKits": 0,
"moderate": 5,
"severe": 4,
"total": 9
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"assetIDs": "\"[***,***,***,***,***,***,***]\"",
"ips": "\"[\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\",\\\"***.***.***.***\\\"]\""
}
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
ID | IP | OS | RAWRISKSCORE | RISKSCORE | MAC | CRITICAL | EXPLOITS | MALWAREKITS | MODERATE | SEVERE | TOTAL |
---|---|---|---|---|---|---|---|---|---|---|---|
3*** | 1.1.1.1 | Linux 3.10 | 4123.30615 | 4123.30615 | 00:0C:00:B0:CA:0F | 0 | 0 | 0 | 6 | 4 | 10 |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Asset failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Search Asset failed. Status Code: 400. Message: The supplied credentials are invalid. |
Start Site Scan
Initiates a scan for the specified site.
READER NOTE
Template ID and Engine ID are optional parameters to run this command.
Run the List Scan Template command to obtain Template ID. Template IDs can be found in the returned raw data at the path $.resources[*].id.
Run the List Scan Engine command to obtain Engine ID. Engine IDs can be found in the returned raw data at the path $.resources[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Scan Name | Required | The user-driven scan name for the scan. | newscanname |
Targeted Name | Required | The name of the site to scan. | s*** |
Hosts | Required | The hosts to include in the scan, as a string array of IP addresses and/or hostnames. | ["1.1.1.100"] |
Template ID | Optional | The ID of the scan template. Template ID can be obtained using the List Scan Template command. | cis |
Engine ID | Optional | The ID of the scan engine. Scan engine ID can be obtained using the List Scan Engine command. | 3 |
Output
The primary response data from the API request.
SAMPLE DATA
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/scans",
"rel": "self"
},
{
"href": "https://1.2.3.4:3780/api/3/scans/7",
"rel": "Report"
}
],
"id": ***
}
Context Data is the data extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
{
"id": ***
}
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"id": "\"{\\\"id\\\":***}\""
}
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
id | *** |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates which input and/or API call the command failed on. | Start Site Scan failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, a status code of 401 means the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or the captured key error message from the integration API server describing the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Start Site Scan failed. Status Code: 400. Message: The supplied credentials are invalid. |
Stop Scan
Stops the specified scans by updating their status.
READER NOTE
The Scan IDs parameter is required to run this command.
Run the Start Site Scan or Get Scans command to obtain Scan IDs. A Scan ID can be found in the Start Site Scan command's returned raw data at the path $.id, or in the Get Scans command's returned raw data at the path $[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
---|---|---|---|
Scan IDs | Required | The IDs of the scans to stop. Scan IDs can be obtained using the Start Site Scan or Get Scans command. | [3***] |
Output
The primary response data from the API request.
SAMPLE DATA
[
{
"links": [
{
"href": "https://1.1.1.1:3780/api/3/scans/33/stop",
"rel": "self"
}
],
"scanid": ***,
"status": "stopped"
}
]
Context Data is the data extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customized the context data from the original Rapid7 InsightVM API response by adding the "scanid" and "status" fields.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
[
{
"scanid": ***,
"status": "stopped"
}
]
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
{
"IDs": "\"[***]\""
}
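The Start Site Scan and Stop Scan outputs above are meant to be chained in a playbook: the scan id at $.id of the Start Site Scan Raw Data becomes the Scan IDs input of Stop Scan, and the Key Fields hold the same ids as JSON text nested inside JSON text. The following Python is an added example, not D3's or Rapid7's code; it uses constructed copies of the two Raw Data samples and the two Key Fields samples with the redacted "***" replaced by a made-up scan id of 7, and the names decode_key_field, stop_scan_input and verify_stop_result are this example's own. It shows the id hand-off, a decoder that peels the nested Key Field encoding until a real JSON value appears, and a consistency check of the Stop Scan result (self link, D3-added scanid, and requested ids must all agree) before a playbook treats the scan as stopped.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample of the Start Site Scan Raw Data shown above; the redacted
# scan id ("***") is replaced with a made-up value, 7.
START_SITE_SCAN_RAW: Dict[str, Any] = {
    "links": [
        {"href": "https://1.1.1.1:3780/api/3/scans", "rel": "self"},
        {"href": "https://1.1.1.1:3780/api/3/scans/7", "rel": "Report"},
    ],
    "id": 7,
}

# Constructed sample of the Stop Scan Raw Data for the same scan.
STOP_SCAN_RAW: List[Dict[str, Any]] = [
    {
        "links": [{"href": "https://1.1.1.1:3780/api/3/scans/7/stop", "rel": "self"}],
        "scanid": 7,
        "status": "stopped",
    }
]

# Constructed Key Fields in the shape the page shows: each value is a JSON
# string whose content is itself JSON, so a single json.loads is not enough.
START_SITE_SCAN_KEY_FIELDS = {"id": "\"{\\\"id\\\":7}\""}
STOP_SCAN_KEY_FIELDS = {"IDs": "\"[7]\""}

# Matches the scan id in an InsightVM v3 scan link such as .../api/3/scans/7/stop.
SCAN_LINK = re.compile(r"/api/3/scans/(\d+)(?:/|$)")


def decode_key_field(value: Any, max_depth: int = 5) -> Any:
    """Peel nested JSON encodings off a Key Field value.

    Decoding stops once the value is no longer a string, or is a string that
    is not valid JSON (a plain word such as "stopped" is returned unchanged).
    max_depth bounds the loop so a pathological value cannot spin forever.
    """
    for _ in range(max_depth):
        if not isinstance(value, str):
            break
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            break
    return value


def scan_id_from_start_response(raw: Dict[str, Any]) -> int:
    """Read the new scan's id from Start Site Scan Raw Data (path $.id)."""
    scan_id = raw.get("id")
    if isinstance(scan_id, bool) or not isinstance(scan_id, int):
        raise ValueError("Start Site Scan Raw Data has no integer 'id'")
    return scan_id


def stop_scan_input(raw_start: Dict[str, Any]) -> List[int]:
    """Build the Stop Scan 'Scan IDs' input from Start Site Scan Raw Data."""
    return [scan_id_from_start_response(raw_start)]


def verify_stop_result(raw_stop: List[Dict[str, Any]], requested: List[int]) -> Dict[int, str]:
    """Cross-check Stop Scan Raw Data against the ids the playbook asked to stop.

    For each item, the scan id embedded in the self link must agree with the
    D3-added 'scanid' field and must be one of the requested ids; every
    requested id must have a result. Returns {scan_id: status}.
    """
    statuses: Dict[int, str] = {}
    for item in raw_stop:
        self_links = [link["href"] for link in item.get("links", []) if link.get("rel") == "self"]
        if len(self_links) != 1:
            raise ValueError("expected exactly one self link per stopped scan")
        match = SCAN_LINK.search(self_links[0])
        if match is None:
            raise ValueError(f"self link does not name a scan: {self_links[0]}")
        link_id = int(match.group(1))
        if item.get("scanid") != link_id:
            raise ValueError(f"scanid {item.get('scanid')} disagrees with link id {link_id}")
        if link_id not in requested:
            raise ValueError(f"scan {link_id} was not among the requested ids")
        statuses[link_id] = str(item.get("status"))
    missing = set(requested) - set(statuses)
    if missing:
        raise ValueError(f"no stop result for scan ids {sorted(missing)}")
    return statuses


if __name__ == "__main__":
    ids = stop_scan_input(START_SITE_SCAN_RAW)
    print("Stop Scan input:", ids)                                 # [7]
    print("Stop result:", verify_stop_result(STOP_SCAN_RAW, ids))  # {7: 'stopped'}
    print("Decoded key fields:",
          decode_key_field(START_SITE_SCAN_KEY_FIELDS["id"]),      # {'id': 7}
          decode_key_field(STOP_SCAN_KEY_FIELDS["IDs"]))           # [7]
```

The decoder is deliberately bounded and stops at the first non-JSON string, so a Key Field that already holds a plain value is passed through untouched; the verifier raises rather than silently reporting "stopped" when the link id, scanid and requested ids disagree, which is the condition a conditional playbook task should branch on.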
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
Successful
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
SCANID | STATUS |
---|---|
*** | stopped |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates which input and/or API call the command failed on. | Stop Scan failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, a status code of 401 means the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or the captured key error message from the integration API server describing the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Stop Scan failed. Status Code: 400. Message: The supplied credentials are invalid. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
SAMPLE DATA
Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
---|---|---|
Failure Indicator | Indicates which input and/or API call the command failed on. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, a status code of 401 means the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the Rapid7 InsightVM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or the captured key error message from the integration API server describing the API request failure. | Message: The supplied credentials are invalid. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: The supplied credentials are invalid. |
Deprecated Commands
The following commands have been superseded by newly designed commands; the old version of each command is marked "(Deprecated)". Use the newly designed commands if you are new to this integration. The deprecated commands are:
Create Scan Report (Deprecated); Create Site (Deprecated).
Deprecated commands require the same permissions as the newly designed commands.