Overview
About Tenable.sc
Get a risk-based view of your IT, security and compliance posture so you can quickly identify, investigate and prioritize your most critical assets and vulnerabilities.
Managed on-premises and powered by Nessus technology, the Tenable.sc suite of products provides the industry's most comprehensive vulnerability coverage with real-time continuous assessment of your network. It’s your complete end-to-end vulnerability management solution.
Why integrate Tenable.sc into the Vulcan Platform?
The Tenable.sc Connector by Vulcan integrates with the Tenable.sc platform to pull and ingest host-type assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority based on your business context.
Tenable.sc Connector details
The Vulcan Platform ingests Tenable.sc hosts and vulnerabilities through API.
Supported products | |
Category | Vulnerability Assessment |
Ingested asset type(s) | Hosts |
Integration type | Unidirectional (data is transferred from Tenable.sc to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the connector, make sure to:
Use an organizational user only for the integration (such as a Security Manager).
Important: The Admin user CANNOT be used as the integration user in the connector setup. Using an Admin user for the integration will result in configuration failure.
Enable API Key Authentication in Tenable.sc
Log in to Tenable.sc using an organizational user with the appropriate permissions to generate API keys.
Go to System > Configuration > Security.
In the Authentication Settings section, click Allow API Keys to enable the toggle.
Click Submit.
Generate Tenable.sc Client API and Secret Key
Log in to Tenable.sc using an organizational user with the appropriate permissions to generate API keys.
Go to Users > Users.
Create a dedicated user to be used by the Vulcan platform.
Select the user for which you want to generate an API key.
Click API Keys and then click Generate API Key.
Click Generate.
Your API Key window appears, displaying the access key and secret key, to be used when creating the connector. Save the keys somewhere safe.
Configuring the Tenable.sc Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Tenable.sc icon.
Set up the connector as follows:
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Tenable.sc instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Tenable.sc icon shows Connected, the connection is complete.
Tenable.sc in the Vulcan Platform
Locating Tenable.sc vulnerabilities in the Vulcan Platform
As Tenable.sc discovers vulnerabilities, the Vulcan Platform Connector imports those vulnerabilities for reporting and action. You can view vulnerabilities via Connector by using the relevant filter:
Open the Vulcan Platform dashboard and navigate to Vulnerabilities.
Click on the Search or filter vulnerabilities search box, start typing "Connector" or "Vulnerability source" or scroll to find these options and select one.
Locate Tenable.sc on the vulnerability source/Connector list and click to filter results.
Click on any vulnerability to view further information.
Locating Tenable.sc Host assets in the Vulcan Platform
To find all retrieved host assets from Tenable.sc:
Open the Vulcan Cyber dashboard and navigate to Assets.
Click on the Hosts tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the Tenable.sc option to view all synced assets.
Automating actions on vulnerabilities detected by Tenable.sc
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and Tenable.sc Connector.
Click here to learn how to create automation in the Vulcan Cyber Platform.
From Tenable.sc to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Tenable.sc through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform.
Hosts mapping
Tenable.sc field | Vulcan field | Value Example |
if uuid length == 36 then uuid else repository_id|ip|dnsName | Asset uniqueness criteria | 111|210.31.112.21|qa3app01 |
dnsName | Asset Name | _gateway.lxd |
repository.name repository.id uuid scan_methods (if lastAuthRun then "Authenticated". If lastUnauthRun then "UnAuthenticated". if repository.dataFormat == 'agent' then "Agent") | Asset Details | Staged-Large 111 12974588-943b-461d-9b15-bcca4264c6b1 - - Authenticated Nessus Scan |
Host | Asset Type | |
ip | Asset IP | 10.238.64.1 |
os or osCPE | Asset OS | centos |
os or osCPE | Asset OS Version | 7 |
first seen in vulcan | Asset Created date | |
max(lastAuthRun, lastUnauthRun) | Asset Last seen date | |
macAddress | Asset Multiple mac addresses | |
- | Asset Packages | Propagated from asset-vulnerability connection |
repository.name tags ownerGroup groups target_group | Asset Tags - Vendor’s tags | |
pluginID | Vulnerability uniqueness criteria | 10267 |
pluginName | Vulnerability Title | SSH Server Type and Version Information |
cvssV3BaseScore or baseScore (See Vulnerability Score Mapping) | Vulnerability Score | vulnerable |
description | Vulnerability Description | It is possible to obtain information about the remote SSH server by sending an empty authentication request |
baseScore cvssV3BaseScore pluginModDate pluginPubDate family.name pluginID vpr cpe (also mapped to Vulcan’s affected_packages and packages_cluster_details) | Vulnerability Details | 9.0 9.0 - - CentOS Local Security Checks 10267 - |
cve | Vulnerability CVE/S | CVE-1999-0524 |
cvssV3Vector or cvssVector | Vulnerability CVSS attack vector | |
asset id + pluginID | Asset-Vulnerability connection uniqueness criteria | |
firstSeen | Asset-Vulnerability connection First seen | |
lastSeen | Asset-Vulnerability connection Last seen | |
pluginText port protocol | Asset-Vulnerability connection Info tool tip (from Assets screen) | <plugin_output>The remote clock is synchronized with the local clock.\n</plugin_output> 88 TCP |
solution | Solution uniqueness criteria | 10267 |
Fix for pluginName | Solution Title | Fix for ICMP Timestamp Request Remote Date Disclosure |
solution | Solution Description | Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). |
Vulnerability status mapping
Tenable.sc status | Vulcan status |
Cumulative | Vulnerable |
Patched | Fixed |
- | Ignored - false positive |
acceptRisk =1 | Ignored risk acknowledged |
Vulnerability score mapping
Tenable.sc score | Vulcan score |
10 | Critical |
7 | High |
5 | Medium |
3 | Low |
0 | Informational |
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the Tenable.sc connector for the Tenable.sc vulnerabilities and assets ingested into the Vulcan Platform.
Update type | Mechanism |
Archiving Assets | Assets are archived in Vulcan if the assets aren't retrieved from the vendor platform on the next sync. |
Change of vulnerability instances status from "Vulnerable" to "Fixed" | Vulnerability status in Vulcan changes to "fixed" upon the status change to "patched" on the vendor's side. |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only after the next scheduled connector sync completes.
API
API Endpoints in use
API version: 6.0
API | Use in Vulcan | Permissions required |
{{server_url}}/rest/analysis | Assets (host), asset enrichment, vulnerabilities and solutions | None |
{{server_url}}/rest/asset | Asset enrichment | None |
Data Validation
How to Validate and Compare Data Between Tenable.sc and Vulcan Platform
Ensure accurate data synchronization between Tenable.sc and the Vulcan platform with the following steps:
Matching assets count
In Tenable.sc:
Click on "Assets."
Navigate to "Host Assets."
Confirm that the assets count in Tenable.sc matches the assets count in Vulcan.
Matching vulnerability instances count
In Tenable.sc:
Click on a specific asset in Tenable.sc.
Examine the related findings count (also known as vulnerability instances) for that asset.
Unique vulnerabilities count
In Tenable.sc:
Click on "Analysis."
Navigate to "Vulnerabilities."
Confirm that the count of unique pluginIDs in the cumulative vulnerabilities list matches the count of unique vulnerabilities in the Vulcan platform.
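The three counts compared in the validation steps above follow from the uniqueness criteria in the data mapping tables. The following is an added example (not Vulcan or Tenable code) that applies those criteria to constructed rows; the row shape and the names asset_key and validation_counts are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows (not real scan data). The record shape is an
# assumption; field names follow the mapping tables on this page.
ROWS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "repository": {"id": "111"},
     "ip": "192.0.2.10", "dnsName": "gw.example", "pluginID": "10267", "port": "22"},
    {"uuid": "00000000-0000-4000-8000-000000000001", "repository": {"id": "111"},
     "ip": "192.0.2.10", "dnsName": "gw.example", "pluginID": "10267", "port": "2222"},
    {"uuid": "00000000-0000-4000-8000-000000000001", "repository": {"id": "111"},
     "ip": "192.0.2.10", "dnsName": "gw.example", "pluginID": "90001", "port": "0"},
    {"uuid": "", "repository": {"id": "111"},
     "ip": "192.0.2.20", "dnsName": "app01", "pluginID": "10267", "port": "22"},
    {"uuid": "", "repository": {"id": "112"},
     "ip": "192.0.2.20", "dnsName": "app01", "pluginID": "90001", "port": "0"},
]


def asset_key(row):
    """Asset uniqueness: uuid when it is 36 characters long, otherwise
    repository_id|ip|dnsName."""
    uuid = row.get("uuid") or ""
    if len(uuid) == 36:
        return uuid
    return "|".join([str(row["repository"]["id"]), row["ip"], row.get("dnsName") or ""])


def validation_counts(rows):
    """Return the three counts the validation steps compare."""
    # An instance is unique per (asset id, pluginID), so repeated rows for the
    # same plugin on one asset collapse into a single instance.
    instances = {(asset_key(r), str(r["pluginID"])) for r in rows}
    per_asset = Counter(key for key, _ in instances)
    return {
        "assets": len(per_asset),
        "instances_per_asset": dict(per_asset),
        "unique_vulnerabilities": len({plugin for _, plugin in instances}),
    }


if __name__ == "__main__":
    for name, value in validation_counts(ROWS).items():
        print(name, value)
```

Five rows yield four instances here: the same plugin reported on two ports of one host collapses under the asset id + pluginID criterion, and one IP seen in two repositories counts as two assets when no 36-character uuid is present. Differences of this kind are worth ruling out before treating a count mismatch as a sync problem.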