Can you manually import Tenable Nessus Results??

Donald Small1 · ‎10-05-2018

We are looking at the Security Operations module for possible deployment within our environment. We use Tenable for vulnerability scanning. WITHOUT using the Tenable.io® for Vulnerability Response plugin available in the store, can you manually import the Tenable Nessus results? My guess is that it would be handled the same as any other data set import, but I have been asked to verify.

Is there anyone out there doing this today with Tenable?

Thanks in advance!

Chris McDevitt · ‎10-01-2019

Donald,

There are a few tricky things when importing items. First, is the CI matching rules which need to be triggered. Next, you will need to trigger the Assignment Rules, and finally the Risk Scoring. Once that is done you will need to trigger Grouping. I believe these concepts are covered in the Vulnerability Response Implementation class, but not the details.... which are somewhat complex and implemented in Script Includes.

Hope this helps...

View solution in original post

mkemp · ‎10-05-2018

Donald,

We are doing it today, we use Nessus Pro and export scan results as CSV (Nessus size limitations 50 MB) into the SecOps modlue.

There is some data transformations that will need to be wrote, we used a 3rd party for the implementation of SecOps and Vulnerability. There is an email processing rule that takes the CSV does a data transformation on it and ingest the vulnerabilities.

We also looked at using the Nessus API via CURL but it was going to be more work on the data transformations, as where the CSV does some formatting for you.

Just an FYI, Qualys is a supported scanner that will work with other SecOps functions.

CMDB should be solid!!!!!!

Alexander36 · ‎09-25-2019

Hello mkemp,

I would like to know a littel more about your solution to import results from a CSV.

I am implementing a solution to import results from manual pentesting. This results come in Excel. I am exporting the Excel to CSV and importing the CSV to ServiceNow using REST API. The import works well except for one thing. The matching with a CI.

Comparing this manual import with Rapid7integration, I see some differences. In the Rapid7 integrations there are some lookup rules that helps ServiceNow to match the VIT with CI. With this lookup rules, if the CI doesn't exist ServiceNow create a unmatched CI. If the CI exist, ServiceNow match the VIT woth the parent CI. For example, if you have an IP, ServiceNow will match the VIT with the server, or the service.

In case of manual import, if the CI doesn't exist, the unmatched CI is not created. And if the CI exists, ServiceNow match the VIT with the CI, and not with the parent CI.

I would like to simulate the Rapid7 lookup rules in my manual import of vulnerabilities. Do you have solved this problem?

Thank you in advance

Best regards

mkemp · ‎09-30-2019

We hired professional services to write the data transforms, but we use the imports to create the VIT if the ip address from the scan import pairs with a CI in CMDB it will be matched if not we just create the VIT and we have to manually add the CI if needed.

We are emailing in the results and then the transform runs against the csv files.

Chris McDevitt · ‎10-01-2019

Donald,

There are a few tricky things when importing items. First, is the CI matching rules which need to be triggered. Next, you will need to trigger the Assignment Rules, and finally the Risk Scoring. Once that is done you will need to trigger Grouping. I believe these concepts are covered in the Vulnerability Response Implementation class, but not the details.... which are somewhat complex and implemented in Script Includes.

Hope this helps...