
Rapid7 Feed Ingestion

  • March 26, 2026
  • 2 replies
  • 29 views

GuyIncognito

New to Google SecOps, so I might not be looking in the right place, hoping to get some help.

I set up 2 Feeds to pull from the Rapid7 Insight Cloud console: one for assets and one for vulnerabilities.

https://docs.cloud.google.com/chronicle/docs/reference/feed-management-api#rapid7-insight
Data started to be ingested but there does not appear to be individual vulnerability findings per system.

There are vulnerability definitions, which just give you information on a vulnerability, and then there is the asset information along with vulnerability information, such as that it has 10 critical, but no information on what they are. There do seem to be new[] and remediated[] fields, which are always empty even in the raw event.

Am I missing something to be able to get the actual vulnerability finding information? How have you configured your console to ingest this data?

2 replies

SoarAndy
Staff
  • March 27, 2026

I don’t know this log type, is it event data, or entity/context data?

If Entity Context data, do you see raw data with:
graph.metadata.source_type = “ENTITY_CONTEXT”


GuyIncognito
  • Author
  • New Member
  • March 27, 2026

> I don’t know this log type, is it event data, or entity/context data?
>
> If Entity Context data, do you see raw data with:
> graph.metadata.source_type = “ENTITY_CONTEXT”

Hi @SoarAndy, when I run a search for my two namespaces for Rapid7, I do see ENTITY_CONTEXT. On each event I see the tab on the right for the RAW_LOG.

Below is a sample of an expected Rapid7 API call to pull back details on an asset and the vulnerabilities on it. This puts them into 3 buckets: same (no change between comparison times), new (newly added vulnerabilities since comparison time) and remediated (removed vulnerabilities since comparison time).

https://help.rapid7.com/insightvm/en-us/api/integrations.html#tag/Asset/operation/getIntegrationAsset


For every single RAW_LOG entry going back 3 weeks the values of my events are “new”:[], “remediated”:[], and there is no “same” (which it’s possible to ignore and not pull back in the API).

It also seems that the default parser from Google isn’t accounting for New, Same or Remediated.

But I believe it isn’t even pulling that additional vulnerability information. Based on all of this, I don’t see how anyone could use this addon as it doesn’t seem to be configured to pull the actual vulnerability findings.

Is there somewhere I can see the exact execution of the API calls to see what is being requested?
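The thread describes three buckets in the Rapid7 integration asset response (same, new, remediated) and a feed whose raw logs only ever carry empty new/remediated arrays. The following is an added example, not code from the thread, from Rapid7 or from Google: it runs a small triage check over constructed RAW_LOG strings and flags assets that report an aggregate severity count but deliver no per-finding detail, which is the symptom being reported above. The field names (`id`, `host_name`, `critical_vulnerabilities`) and the exact record layout are assumptions for the example, not Rapid7's documented schema.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample RAW_LOG lines, shaped after the three buckets described
# in the thread. Field names and layout are an assumption for this example.
SAMPLE_RAW_LOGS: List[str] = [
    json.dumps({
        "id": "asset-001",
        "host_name": "web-01.example.internal",
        "critical_vulnerabilities": 2,
        "same": [{"id": "vuln-a", "severity": "critical"},
                 {"id": "vuln-b", "severity": "high"}],
        "new": [{"id": "vuln-c", "severity": "critical"}],
        "remediated": [{"id": "vuln-d", "severity": "low"}],
    }),
    # The symptom from the thread: an aggregate count is present, but
    # new/remediated are empty and "same" was never requested.
    json.dumps({
        "id": "asset-002",
        "host_name": "db-01.example.internal",
        "critical_vulnerabilities": 10,
        "new": [],
        "remediated": [],
    }),
]

BUCKETS = ("same", "new", "remediated")


def bucket_findings(record: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one asset record: per-bucket finding counts, which buckets are
    absent entirely, and whether any finding detail is actually present."""
    counts = {b: len(record.get(b) or []) for b in BUCKETS}
    missing = [b for b in BUCKETS if b not in record]
    has_findings = any(counts.values())
    return {
        "asset_id": record.get("id"),
        "counts": counts,
        "missing_buckets": missing,
        "has_findings": has_findings,
        # The aggregate count says vulnerabilities exist, yet no finding
        # detail arrived in any bucket: the feed is delivering summaries only.
        "count_without_detail": (
            record.get("critical_vulnerabilities", 0) > 0 and not has_findings
        ),
    }


def summarise_raw_log(line: str) -> Dict[str, Any]:
    """Parse one RAW_LOG string and summarise it."""
    return bucket_findings(json.loads(line))


def diagnose(raw_logs: Iterable[str]) -> Dict[str, Any]:
    """Run the check over many RAW_LOG strings and report which assets carry no
    finding detail. If every asset is flagged, only aggregates are arriving."""
    results = [summarise_raw_log(line) for line in raw_logs]
    flagged = [r["asset_id"] for r in results if r["count_without_detail"]]
    return {
        "assets": len(results),
        "assets_without_detail": flagged,
        "feed_delivers_findings": len(flagged) < len(results),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_RAW_LOGS), indent=2))
```

To use this against real data, export the RAW_LOG values for the Rapid7 namespaces from a search and feed them in as `raw_logs`; an `assets_without_detail` list covering every asset confirms that the feed is only returning severity totals, which is the point at which the API request itself, rather than the parser, needs to be examined.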