InsightVM allows you to investigate vulnerable results as potential false positives directly from the Security Console. If your investigation shows that the result could be a false positive, you can report the findings to the Rapid7 Support team in a single mouse-click.

By the time you’re ready to create your case in the Customer Portal, the Support team will already have the information they need to troubleshoot the issue.

What is a false positive?

A “false positive” is when InsightVM incorrectly determines that a target asset is vulnerable to a specific vulnerability check. False positives can appear due to an error in check logic or changes in the target software that the check is not designed to handle. You should report false positives to Rapid7 immediately if they appear in your results. This gives us the chance to fix the vulnerability check and make sure your assessment results are as accurate as possible.

How false positive investigations work

An investigation is a rescan of the affected asset that's limited to the vulnerability check in question. This rescan uses the Full Audit without Web Spider built-in scan template with enhanced logging enabled. If this rescan produces the same vulnerable result as before with all prerequisites satisfied, you can report the result as a potential false positive. The investigation tool sends false positive report packages to Rapid7 in XML format.

Like regular scans, you can run investigations immediately or schedule them to run automatically at a later time.

False positive investigations are vulnerability finding-based. This means any investigation you submit for a vulnerable result includes all detected instances of that vulnerability on the asset (if more than one instance is found).

The design intent of the false positive investigation tool is to help you identify how your scanning configuration (which includes the presence and strength of credentials and the coverage of your scan template) could be producing inaccurate results and suggest changes to correct it. You must perform this due diligence before we allow you to report potential false positives to the Rapid7 Support team for further investigation. This tool should not be used as a means to clear inaccurate results that are due to known scan misconfigurations.

When using false positive investigations, keep these goals in mind:

- Take action on configuration suggestions provided by investigation results to ensure that your scanning configuration is in the best position to scan accurately going forward.
- Help Rapid7 prioritize true false positive candidates by reporting those investigations that are not related to inadequate credentials or scan template coverage.

You must meet the following requirements to run false positive investigations.

InsightVM has two permissions related to false positive investigations (also detailed on the Managing Users and Authentication page):

Your user role must have the Manage Vulnerability Investigations permission assigned to create new investigations, submit eligible results to Rapid7, and close investigations.

Check type prerequisites

Any vulnerable result that you want to report as a potential false positive must meet some prerequisites based on its check type:

Authenticated checks - The accuracy of authenticated vulnerability checks depends on whether the Scan Engine can successfully authenticate to the target asset with the credentials you’ve specified and how certain it is about identifying the asset’s software.

After your investigation finishes, you can only report a vulnerable result for an authenticated check as a potential false positive if the scan successfully applied credentials and if the system fingerprint returned a certainty value of 1.0.

If your investigation shows that you did not meet both of these prerequisites, you’ll need to check your credentials (or use a stronger credential set) and run the investigation again.