Nessus API Importer

August 22, 2024 18:07

Tenable's Nessus is an on-premises vulnerability scanner designed to make vulnerability scanning easy and simple. Use the Nessus API Importer to ingest your Nessus vulnerability scan information into Cisco Vulnerability Management to assist you in reducing risk across your environment. The Nessus API Importer is a generic Importer designed to import data from Tenable Nessus, or Tenable.io.

Important: Cisco strongly suggests using the Tenable.io connector with Tenable.io data instead of using the Nessus API Importer. The benefits of this connector include the following:

Simplified configuration. The Tenable.io connector uses the Tenable cumulative DB. Individual scan IDs are no longer required.
Improved run-time performance. During our tests, Cisco has seen the Tenable.io connector run twice as fast as Nessus API Importer connector runs, when running with very similar datasets.

For information on the differences between the two connectors, see the Nessus API Importer vs Tenable.io Connector Comparison Chart. If you currently use the Nessus API Importer connector today and want to migrate to use the Tenable.io connector, contact your CX representative or Cisco Support to learn about the recommended approach.

Prerequisites

Access Key and Secret Key
Access to the API
If you are using on-premises Tenable Nessus, you will need to have the Virtual Tunnel or Agent deployed in your network.

Configuring the Tenable Importer in Cisco Vulnerability Management

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Nessus Importer.

4. On the Nessus API Importer page, enter the following information:

Name: Enter a name for the connector, or leave it as Nessus API Importer.
Access Key: Enter the Access Key or the service account you want to use.
Secret Key: Enter the Secret Key for the service account you want to use.
Note: Username and Password will be deprecated by Tenable as announced around 09/2020.
Host: Enter the Host information for your scanner. Note: When you enter the host IP and port number, you do not need to prefix it with "https://". For example: cloud.tenable.com:443.
Scan List: Select the scans you want to import. (The Scan List box will populate after you enter the AccessKey, and Secret Key, and the Host information.
Schedule: Select the frequency that you’d like your Connector to run.
Asset Inactivity Limit (days): Enter a time in days for the connector level asset inactivity limit.

5. Click Save and Verify.

What Tenable items are synchronized with Cisco Vulnerability Management items?

Tenable Importer Field	Cisco Vulnerability Management Field	Notes
plugin_name	Name
plugin_id	Identifier (Vulnerability)
plugin_description	Description	+'seeAlso' + ‘Related CVE IDs’ + 'Related BugTraq IDs' + 'Other Security Standard Reference IDs'
plugin_solution + plugin_output	Solution/Fix
patch_publication_date	Fix Published
severity	scanner_score	(1-10) Informational - 1 SeverityLow - 3 SeverityMedium - 5 SeverityHigh - 8 SeverityCritical -10
status (default = open)	Vulnerability Status	Only maps open/closed vulnerabilities. We will autoclose any vulnerability not seen on the next connector import (by the same connector).
vuln > output	Details / Synopsis
cves	CVE
vuln > port	Ports
last_found	Last Seen
first_found	Found On
N/A	Created	Date the vulnerability was first imported to Cisco Vulnerability Management. Not mapped to a scanner field.
operating_system	OS
host_uuid	external_id
host-fqdn	hostname
host-ip	ip_address
mac-address	MAC_address
netbios-name	NetBios
Tags Asset Groups	Tags	All of these items are converted to tags within Cisco Vulnerability Management.

Note: For the XML Connector, there will not be any Tags imported.

What Tenable items are turned into Cisco Vulnerability Management Tags?

The following metadata from Tenable will be converted into tags in Cisco Vulnerability Management. These tags can be used during search queries or to create Risk Meter groups.

Tags
Asset Groups

Vulnerability Date Information

In Cisco Vulnerability Management you will notice several dates in the Vulnerabilities tab. When importing your Tenable data, the following criteria are used to populate those date fields.

“Found” in Cisco Vulnerability Management is when the scanner first found the vulnerability.
“Last Seen” in Cisco Vulnerability Management is the most recent date that the Tenable scanner found the vulnerability.
“Created” in Cisco Vulnerability Management is the date the vulnerability was first imported into Cisco Vulnerability Management.

Optional Settings

The following settings can be enabled for Tenable Importer connectors. To get these settings enabled or for more information, contact Cisco Support, or your Customer Success Engineer.

Incremental Imports (Tenable.io only)

If you’d like to import only the data that has changed since the last time the connector was run, ask your CS team or Cisco Support to enable incremental imports. This will help with connector run time, as Cisco Vulnerability Management is no longer asking for all data, but just the data that has changed since our last run. (Note: For the first run of a new connector, Cisco Vulnerability Management will need to conduct a full import, even if this is enabled.)

Ignore Scanner Last Seen Time

Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

Skip Tags

This setting enables you to not create any Tags in based on the scanner metadata.

Tenable Skip Tags

This setting will allow you to not create any Tags in Cisco Vulnerability Management based on the Tenable.io Scan metadata.

Tag Reset

This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

How Many times the Connector Tries

Once you've started the connector, Cisco Vulnerability Management will invoke the scan Export up to 3 times, pausing 1 second in-between each try.
Attempt the scan Download up to 180 times, pausing 60 seconds in-between each try.
If the data is not finished processing, and the scan report cannot be downloaded into Cisco Vulnerability Management after these tries, the connector will automatically fail and will not restart until the next scheduled connector run. An administrator can start a manual run in Cisco Vulnerability Management.

API Calls

…/policies
…/scans
…/scans/{scan_id}/export
…/scans/{scan_id}/export/{file_id}/download
…/scans/{scan_id}/history
…/assets/{asset_uuid} && fetch ‘tags'

Additional Assistance

Contact Support if you require any additional assistance with the Nessus Importer.