Tenable Integration - scheduled job

kris29 · ‎03-03-2022

Hi folks,

I have two questions about VR Tenable integration. The screenshot is from PDI.

1. Can someone explain me the difference between Tenable.io and Tenable.sc?
2. Which scheduled job should I keep active to import daily data from Tenable to SN?

Chris McDevitt · ‎11-04-2022

Hi,

There is a "hierarchy" to vulnerabilities.

At the top of the hierarchy is the CWE. The authoritative source for CWE is mitre.org, so we grab it from the source.

Then comes the CVE (which points to a CWE) and the authoritative source again is mitre.org, so we grab it from the source.

Then comes the Tenable Plugins (Points to the CVE). Tenable custom vulnerability definitions. So we grab that next.

Tenable Asset is a way to pull what Tenable knows about your environment. More about this in a minute.

For whatever reason, this is the way the Tenable API works: Pull the Fix vulnerabilities, then pull the open vulnerabilities. More about this in a minute.

The backfill job is complicated to explain, but the way Tenable works makes this necessary.

Tenable scan credentials are necessary if you wish to conduct rescans via ServiceNow.

A Vulnerable Item is made up of a Vulnerability + a Configuration Item (i.e. an Asset).

Pulling in the Assets matches or creates a Configuration Item

The incoming vulnerabilities are combined with the CI's to creat the VIT.

The Vulnerability part of the VIT points to 1 or more CVE, which points to one or more CWE.

View solution in original post

Randy Ritzer · ‎03-03-2022

Tenable can be deployed two ways, in a Cloud based SAAS service IO and as an on premise console SC. The question about which one or both to keep active is unique to your environment. You need to work closely with whomever runs Tenable in your shop. You also want to discuss with them very carefully how much data you bring over. Info level vulnerabilities aren't very useful in ServiceNow and will add a lot of data. In general start small and grow how much you bring in.

Chris McDevitt · ‎03-03-2022

Hi,

Integrations the Big Picture (The order you should run them)....

1. CWE Comprehensive 2000 Integration.

2. NIST National Vulnerability Database Integration - API (CVE only)

3. Tenable.xx Plugin integration

4. Tenable.xx Asset

5. Tenable.xx Fixed -> It then calls Tenable.xx Open

6. (If you have Tenable.sc) Tenable.sc Backfill (every three or so days)

7. Tenable.xx scan credentials (Weekly or so...)

AJ5 · ‎11-03-2022

Hi Chris,

Can you explain each of these or point me to a link where i can find the information for each of the jobs listed below. I am wondering why are they broken down by Plugin, Asset, Fixed, Open. I was assuming there would be only one connector for all, but looks like thats not the case.