Tenable.io Connector


Get a risk-based view of your entire attack surface so you can quickly identify, investigate and prioritize vulnerabilities.

Managed in the cloud and powered by Nessus technology, Tenable.io provides comprehensive vulnerability coverage with the ability to predict which security issues to remediate first. It’s a complete end-to-end vulnerability management solution.

For information on the differences between the Tenable.io and Nessus API Importer connectors, see the Nessus API Importer vs Tenable.io Connector Comparison Chart.

If you have been using the Nessus API Importer connector, Cisco recommends that you delete those Nessus API Importer connectors after running the new Tenable.io connector. The two Tenable connectors collect very similar data via 2 different approaches. It is best to minimize duplicate data collection that might confuse the end-users of the data.

Platform support:

The Tenable.io connector supports the following Tenable interface only:

  • API interface to Tenable.io’s cumulative database

For other supported Tenable integrations, refer to the following information:

Prerequisites

  • The API user must have the Tenable Administrator role to use this connector. Tenable requires this role for access to its cumulative database.


  • If the API user does not have the Administrator role, you will see “403 Forbidden” errors when you attempt to run the connector. 
  • The connector imports only the assets that the service account has permission to view. You can import a targeted scope or the full environment, but either way the account's asset permissions must be explicitly defined in the Access Control tile in Tenable.io. The user account needs the “Can View” permission, and every object to be imported into Cisco Vulnerability Management must be selected, whether that is “All Assets” or a specific tag or group of tags.

Configuring Your Tenable Connector in Cisco Vulnerability Management

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Vulnerability Management section, click Tenable.io.


4. On the Tenable.io page, enter the following information:

  • Name: Enter a name for the connector, or leave it as Tenable.io.
  • Access Key and Secret Key: Enter the access key and secret key for your Tenable.io API.
  • Host: Set the Host location for the Tenable.io instance. This is typically cloud.tenable.com:443.
  • Schedule: Select the frequency that you’d like your Connector to run.
  • Include Tenable Unlicensed Assets and Vulnerabilities: Select this option.
      * By default, this option is not selected. When it is not selected, unlicensed assets and vulnerabilities are not exported into Cisco Vulnerability Management.
      * When selected, the connector pulls in assets and vulnerabilities that Tenable does not consider “licensed.” These tend to be plugins excluded from license limits or assets older than 90 days. For more details, refer to the License information from Tenable.
  • Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.

5. Click Save and Verify.

Vulnerability Date Information

In Cisco Vulnerability Management, you will notice several dates in the Vulnerabilities tab. When importing your Tenable data, the following criteria are used to populate these date fields.

  • "Found" in Cisco Vulnerability Management is when Tenable.io first detected the vulnerability and maps to the ‘first_found’ field in Tenable.
  • "Last Seen" in Cisco Vulnerability Management is the last date Tenable.io detected the vulnerability and maps to the ‘last_found’ field in Tenable.
  • "Created" in Cisco Vulnerability Management is the date the vulnerability was passed to Cisco Vulnerability Management through the Tenable integration. This date is not mapped from a Tenable field.

Tenable Connector API Calls

The following API calls are performed during a connector run to retrieve the Tenable information and import it into Cisco Vulnerability Management.

For Asset endpoint details, refer to the information from Tenable. 

  • Exports all hosts that Tenable scans have seen in the last 90 days.
  • Pulls all Host asset tags.
  • Tenable deleted and terminated assets are ignored.

For Vulnerabilities endpoint details, refer to the information from Tenable. 

  • Pulls vulnerability data and associates it with the imported assets.
  • Exports all vulnerabilities of assets seen by Tenable scans in the last 90 days.

 

| Tenable Field | Cisco Vulnerability Management Field | Notes |
|---|---|---|
| plugin_name | Name | |
| plugin_id | Scanner IDs | |
| plugin_description | Description | See Also; Related CVE IDs; Related BugTraq IDs; Other Security Standard Reference IDs |
| plugin_solution + plugin_output | Solution/Fix | |
| patch_publication_date | Fix Published | |
| severity | Scanner Score | (1-10). Informational - 1; Severity Low - 3; Severity Medium - 5; Severity High - 8; Severity Critical - 10 |
| status (default = open) | Vulnerability Status | Only maps open/closed vulnerabilities. This connector will not autoclose a vulnerability. Closing a vulnerability requires a close status inbound from Tenable. |
| vuln > output | Details / Synopsis | |
| cves | CVE | |
| vuln > port | Ports | |
| last_found | Last Seen | |
| first_found | Found | |
| N/A | Created | Date the vulnerability was first imported to Cisco Vulnerability Management. Not mapped to a scanner field. |
| operating_system | Operating System | |
| id | External ID | |
| fqdns | FQDN | We map fqdn from Tenable to fqdn in Cisco Vulnerability Management. FQDN should be used as the primary locator for deduplication purposes. This behavior differs from the Nessus API Importer connector. For the Nessus API Importer, fqdn in Cisco Vulnerability Management is left blank. Instead, it depends on the Hostname as a primary locator. When transitioning from the Nessus API Importer connector to the Tenable.io connector, locator order should be reconsidered to place FQDN higher than Hostname. |
| ipv4s | IP Address | |
| hostnames | Hostname | If there is no hostname provided by Tenable, hostname will be left blank in Cisco Vulnerability Management. |
| mac_addresses | MAC Address | |
| netbios_names | NetBIOS | |
| aws_ec2_name | EC2 Locator | |
| Tags; Asset Groups | Tags | All of these items are converted to tags within Cisco Vulnerability Management. |
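The date and status rules described on this page can be modelled as a merge over successive connector runs. The following is an added illustration, not Cisco's or Tenable's code: it shows that "Created" is set once at first import, that a finding missing from a later run stays open, and that only an inbound closed status closes it. The flat record layout, `vuln_key`, `apply_run`, the lowercase severity labels and the sample runs are assumptions constructed for the example.

```python
from datetime import date

# Scanner Score values from the field mapping table above.
# Assumption: severity arrives as one of these lowercase labels.
SCANNER_SCORE = {"informational": 1, "low": 3, "medium": 5, "high": 8, "critical": 10}

def vuln_key(rec):
    """Hypothetical identity for a finding: asset id + plugin id + port."""
    return (rec["id"], rec["plugin_id"], rec.get("port"))

def apply_run(store, records, run_date):
    """Merge one connector run into `store` (dict keyed by vuln_key)."""
    for rec in records:
        key = vuln_key(rec)
        row = store.get(key)
        if row is None:
            # "Created" is the first import date, not a Tenable field.
            row = store[key] = {"created": run_date}
        row.update(
            name=rec["plugin_name"],
            scanner_score=SCANNER_SCORE[rec["severity"]],
            found=rec["first_found"],      # "Found"
            last_seen=rec["last_found"],   # "Last Seen"
            status=rec.get("status", "open"),  # table: default = open
        )
    # Findings absent from `records` are deliberately left untouched:
    # the connector does not autoclose, so they remain open.
    return store

# Constructed sample data (not real Tenable output).
RUN_1 = [
    {"id": "asset-1", "plugin_id": 1001, "plugin_name": "Example TLS finding",
     "severity": "high", "port": 443, "first_found": "2024-01-02",
     "last_found": "2024-03-01"},
    {"id": "asset-1", "plugin_id": 1002, "plugin_name": "Example SSH finding",
     "severity": "medium", "port": 22, "first_found": "2024-02-10",
     "last_found": "2024-03-01"},
]
RUN_2 = [  # plugin 1002 is absent; plugin 1001 arrives explicitly closed
    {"id": "asset-1", "plugin_id": 1001, "plugin_name": "Example TLS finding",
     "severity": "high", "port": 443, "status": "closed",
     "first_found": "2024-01-02", "last_found": "2024-03-01"},
]

def demo():
    store = apply_run({}, RUN_1, date(2024, 3, 2))
    return apply_run(store, RUN_2, date(2024, 3, 9))
```

After `demo()`, the finding for plugin 1002 is still open with its original "Last Seen" date, which is the state to look for when triaging stale open vulnerabilities after a scan scope change.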

 

 
