Get a risk-based view of your entire attack surface so you can quickly identify, investigate and prioritize vulnerabilities.
Managed in the cloud and powered by Nessus technology, Tenable.io provides comprehensive vulnerability coverage with the ability to predict which security issues to remediate first. It’s a complete end-to-end vulnerability management solution.
For information on the differences between the Tenable.io and Nessus API Importer connectors, please see the Nessus API Importer vs Tenable.io Connector Comparison Chart.
If you have been using the Nessus API Importer connector, it is recommended to delete those Nessus API Importer connectors after running the new Tenable.io connector. The two Tenable connectors collect very similar data via 2 different approaches. It is best to minimize duplicate data collection that might confuse your end-users of the data.
Platform support:
The Tenable.io connector supports the following Tenable interface only:
- API interface to Tenable.io’s cumulative database
For other supported Tenable integrations, see the following:
User prerequisites/Tenable.io setup:
- API User must have Tenable Standard role access to use this connector (per Tenable’s requirements) in order to access their cumulative database.
- If the API user does not have correct role, you will see “403 Forbidden” errors when you attempt to run the connector. If you encounter issues, try using Administrator role.
-
The connector will import only the assets which the service account has view permissions for. A targeted scope or the full environment can be imported, but either way the account must have its asset permissions explicitly defined in the Access Control tile in Tenable.IO. The user account needs the “Can View” permission, and all objects which are to be imported into Cisco Vulnerability Management need to be selected, whether it be “All Assets” or a certain tag or group of tags.
Configuring Your Tenable Connector in Cisco Vulnerability Management
Once you select the Tenable.io icon from the Connectors page, you will see a screen like this:
- Enter a Name for the connector.
- Enter your Tenable.io API Access Key and Secret Key.
- Set the Host location for the Tenable.io instance. This is typically cloud.tenable.com:443.
- Select the frequency that you want to run your Tenable.io Connector in the Schedule buttons section.
- Select Include Tenable Unlicensed Assets and Vulnerabilities
- By default, this is unchecked. Unlicensed assets and vulnerabilities are not exported into Cisco Vulnerability Management.
- Pulls in assets and vulnerabilities that are not considered “licensed” by Tenable. These tend to be plugins excluded from license limits or assets older than 90 days.
- https://docs.tenable.com/tenableio/Content/GettingStarted/Licenses.htm
- Asset Inactivity Limit (days)
- Save & Verify
Vulnerability Date Information
Within Cisco Vulnerability Management, you will notice several dates in the Vulnerabilities tab. When importing your Tenable data, the following criteria is used to populate these date fields.
- "Found" within Cisco Vulnerability Management is when Tenable.io first detected the vulnerability and maps to the ‘first_found’ field in Tenable
- "Last Seen" within Cisco Vulnerability Management is the last date Tenable.io detected the vulnerability and maps to the ‘last_found’ field in Tenable
- "Created" within Cisco Vulnerability Management is the date the vulnerability was passed to Cisco Vulnerability Management via the Tenable integration. This date is not the result of a mapping from a field from Tenable.
Tenable Connector API Calls
The following API calls are performed during a connector run to retrieve the Tenable information and import it into the Cisco Vulnerability Management Platform.
- Asset endpoint (https://developer.tenable.com/reference/exports-assets-request-export)
- Exports all hosts seen by Tenable scans in the last 90 days.
- Pulls all Host asset tags.
- Tenable deleted and terminated assets are ignored.
- Vulnerabilities endpoint (https://developer.tenable.com/reference/exports-vulns-request-export)
- Pulls vulnerability data and associates it with the imported assets.
- Exports all vulnerabilities of assets seen by Tenable scans in the last 90 days.
Tenable Field |
Cisco Vulnerability Management Field |
Notes |
plugin_name |
Name |
|
plugin_id |
Scanner IDs |
|
plugin_description |
Description |
seeAlso Related CVE IDs Related BugTraq IDs Other Security Standard Reference IDs |
plugin_solution + plugin_output |
Solution/Fix |
|
patch_publication_date |
Fix Published |
|
severity |
Scanner Score |
(1-10) Informational - 1 SeverityLow - 3 SeverityMedium - 5 SeverityHigh - 8 SeverityCritical -10 |
status (default = open) |
Vulnerability Status |
Only maps open/closed vulnerabilities. This connector will not autoclose a vulnerability. Closing a vulnerability requires a close status inbound from Tenable. |
vuln > output |
Details / Synopsis |
|
cves |
CVE |
|
vuln > port |
Ports |
|
last_found |
Last Seen |
|
first_found |
Found |
|
N/A |
Created |
Date the vulnerability was first imported to Cisco Vulnerability Management. Not mapped to a scanner field. |
operating_system |
Operating System |
|
id |
External ID |
|
fqdns |
FQDN |
We map fqdn from Tenable to fqdn in Cisco Vulnerability Management. FQDN should be used as the primary locator for deduplication purposes. This behavior differs from the Nessus API Importer connector. For the Nessus API Importer, fqdn in Cisco Vulnerability Management is left blank. Instead, it depends on the Hostname as a primary locator. When transitioning from the Nessus API Importer connector to the Tenable.io connector, locator order should be reconsidered to place FQDN higher than Hostname. |
ipv4s |
IP Address |
|
hostnames |
Hostname |
If there is no hostname provided by Tenable, hostname will be left blank in Cisco Vulnerability Management. |
mac_addresses |
MAC Address |
|
netbios_names |
NetBIOS |
|
aws_ec2_name |
EC2 Locator |
|
Tags Asset Groups |
Tags |
All of these items are converted to tags within Cisco Vulnerability Management. |
Comments
Please sign in to leave a comment.