Tenable.io Connector Guide
Summary: How to set up and use the Tenable.io connector in Ivanti Neurons for RBVM.
Overview
The Ivanti Neurons for RBVM platform supports client connector configurations to provide a scheduled upload of the Tenable.io vulnerability data. The connector configuration page will display the details of the latest connector data pull. This connector allows customers to gain visibility into their overall risk due to vulnerabilities in their hosts and web applications and enables a more straightforward, more efficient way to manage those vulnerabilities.
Connector Configuration
Prerequisites
- Requires an active subscription to Ivanti Neurons for RBVM.
- Requires an active subscription to Tenable.io.
- URL used to access the instance of Tenable.io.
User Setup
In order to connect Ivanti Neurons for RBVM to Tenable.IO, an API user will need to be created with the following minimum access:
- Requires STANDARD [32] user role.
- Requires CAN VIEW [16] user permissions.
Connections
The following API calls are performed during a connector run to pull security vulnerabilities from Tenable.IO into Ivanti Neurons for RBVM.
|
API Type |
Endpoint |
|---|---|
|
Get All Assets |
/assets/export/ |
|
Get All Scans |
/scans/ |
|
Get All User Policies |
/policies/ |
|
Get All Policy Templates |
/editor/policy/templates |
|
Get All Vulnerabilities |
/vulns/export/ |
|
Get All Networks |
/networks |
|
Get All Tags |
/tags/values |
Platform Setup
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type tenable.io to find the connector.
Locate tenable.io on the page and click Configuration.
In the new window under Connection, complete the required fields, as described below.
-
Name: The connector’s name.
-
Location (URL): The URL to access the specific instance of Tenable Nessus or the Tenable.io link.
-
Access Key: Username used to access the connected system.
-
Secret Key: Password used to access the connected system.
-
Network: Network that will contain the new Tenable.io assets.
After completing the login credentials form, click the Test Credentials button.
If the credentials test is successful, the Schedule connector wizard will appear.
By default, the connector is enabled. The following schedules are available.
NOTE: All time selections are based on 24-hour GMT time.
Daily: Configures the connector to run at a set daily interval.
Weekly: Configures the connector to run at a set weekly interval.
Monthly: Configures the connector to run on a set date every month.
Determine the Oldest Scan Data Pull for the initial data synchronization. This can be set to pull between 30 days and 1 year. The setting will only apply for the first time the connector is run.
Optional Configurations
Tenable.io has its own asset tag system that can be replicated in the platform. Enable this feature under Connector Specific Options.
The informational plugins identified by Tenable Nessus scans may be included in the data synchronization, or users may choose to filter the input. The new connector setting for informational plugins will allow users to include or exclude specific plugins.
Tenable.io users may not want all the assets and findings imported to the platform. Tenable recommends that users create a user or access group for the connector that includes only the desired assets. This method of controlling information flow is preferred. The new connector also allows for filtering the inputs by tags or networks.
Click the Save button to save the configuration and view the configured connector.
Editing a Connector Configuration
Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.
Utilizing the Connector
The data from Tenable.io is ingested into Ivanti Neurons as Hosts and Host Findings. The Scanner Name associated with these scans is NESSUS. Scanner Name can be used as a filter in both the Hosts and Host Findings views.
Assets
All assets from the Tenable Vulnerability Management (Formerly Tenable.io) connector are shown in the Hosts view in Ivanti Neurons.
-
Any active assets within the oldest pull date range listed in Tenable.io are shown in the Hosts view.
-
Both IP address and hostname are extracted from the Tenable.io API.
-
In the Host Detail, the Scanner is listed as NESSUS under the Sources section.
Findings
All findings from the Tenable.io scan file are shown in the Host Findings view in Ivanti Neurons for RBVM.
This connector includes several scanner-specific fields that are viewable in the detail pane, list view columns, filters, and exports:
-
Nessus CVSS v3.0 Base Score
-
Nessus CVSS v2.0 Base Score
-
Nessus MAC Addresses
-
Nessus Network Name
-
Nessus Asset Status
-
Nessus IPv4 Addresses
-
Nessus Severity ID
-
Nessus CVSS v3.0 Temporal Score
-
Nessus CVSS v2.0 Temporal Score
-
Nessus Default Severity ID
-
Nessus IPV6 Addresses
-
Nessus Hostnames
-
scannerUUID
-
Nessus Operating Systems
Severity Mapping
|
Severity |
CVSSv2 Range |
CVSSv3 Range |
|---|---|---|
|
Critical |
The plugin's highest vulnerability CVSSv2 score is 10.0. |
The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0. |
|
High |
The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. |
The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9. |
|
Medium |
The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. |
The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9. |
|
Low |
The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9. |
The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9. |
|
Info |
The plugin's highest vulnerability CVSSv2 score is 0 or the plugin does not search for vulnerabilities. |
The plugin's highest vulnerability CVSSv3 score is 0 or the plugin does not search for vulnerabilities. |
Source: CVSS vs. VPR (Tenable Vulnerability Management)
Connector Data Mapping
This table maps the high-level fields from Tenable.io with that of the Ivanti Neurons for RBVM platform.
|
Section |
Platform Field |
Tenable.io Field |
Filter |
|---|---|---|---|
|
Hosts
|
First Discovered On |
asset.first_seen |
Yes |
|
Last Discovered On |
asset.last_seen |
Yes |
|
|
Asset Tag |
asset.tags.key:asset.tags.value |
Yes |
|
|
IP Address |
plugin.asset.ipv4 |
Yes |
|
|
HostName |
plugin.asset.hostname. |
Yes |
|
|
FQDN |
asset.FQDNs |
Yes |
|
|
Operating System -> Name |
asset.operating_systems |
Yes |
|
|
Host UUID |
asset.id |
Yes |
|
|
Nessus AWS Instance ID |
asset.aws_ec2_instance_id |
Yes |
|
|
Nessus Azure VM ID |
asset.azure_vm_id |
Yes |
|
|
Nessus CVSS v3.0 Base Score |
plugin.cvss3_base_score |
Yes |
|
|
Nessus CVSS v3.0 Temporal Score |
plugin.cvss3_temporal_score |
Yes |
|
|
Nessus CVSS v2.0 Base Score |
plugin.cvss_base_score |
Yes |
|
|
Nessus CVSS v2.0 Temporal Score |
plugin.cvss_temporal_score |
Yes |
|
|
Nessus Default Severity |
plugin.severity_default_id |
Yes |
|
|
Nessus Severity |
plugin.severity |
Yes |
|
|
Nessus VPR |
plugin.vpr.score |
Yes |
|
|
Nessus Google Cloud Instance ID |
asset.gcp_instance_id |
Yes |
|
|
Nessus Last Authenticated Scan Date |
asset.last_authenticated_scan_date |
Yes |
|
|
Nessus Network Name |
asset.network_name |
Yes |
|
|
Nessus Netbios Names |
asset.netbios_name |
Yes |
|
|
Nessus Operating Systems |
asset.operating_system |
Yes |
|
|
Nessus FQDNs |
asset.FQDNs |
Yes |
|
|
Nessus Hostnames |
asset.hostnames |
Yes |
|
|
Nessus IPV4 addresses |
asset.ipv4 |
Yes |
|
|
Nessus IPV6 addresses |
asset.ipv6 |
Yes |
|
|
Nessus Mac Addresses |
asset.macaddress |
Yes |
|
|
Host Findings
|
HostName |
asset.hostname |
Yes |
|
Nessus UUID |
asset.uuid |
Yes |
|
|
IP Address |
asset.ipv4 |
Yes |
|
|
Operating System |
asset.operating_system |
Yes |
|
|
Plugin Output |
plugin.output |
Yes |
|
|
Nessus CVSS v3.0 Base Score |
plugin.cvss3_base_score |
Yes |
|
|
Nessus CVSS v3.0 Temporal Score |
plugin.cvss3_temporal_score |
Yes |
|
|
Nessus CVSS v2.0 Base Score |
plugin.cvss_base_score |
Yes |
|
|
Nessus CVSS v2.0 Temporal Score |
plugin.cvss_temporal_score |
Yes |
|
|
Plugin Description |
plugin.description |
Yes |
|
|
Scanner plugin |
plugin.id |
Yes |
|
|
Plugin Name |
plugin.name |
Yes |
|
|
Possible Solution |
plugin.solution |
Yes |
|
|
Plugin Output |
plugin.synopsis |
Yes |
|
|
Port |
plugin.port.port |
Yes |
|
|
Service |
plugin.port.protocol |
Yes |
|
|
Scanner Reported Severity |
plugin.severity |
Yes |
|
|
Nessus Default Severity |
plugin.severity_default_id |
Yes |
|
|
First Discovered on |
plugin.first_found |
Yes |
|
|
Last Discovered on |
plugin.last_found |
Yes |
|
|
Source Status |
plugin.state |
Yes |
|
|
Nessus Reason Recast |
plugin.recast_reason |
No |
|
|
Nessus Reason Accepted |
plugin.recast_reason |
No |
|
|
Suppression Value |
plugin.severity_modification_type |
Yes |