Tenable Integration - scheduled job

kris29
Tera Contributor

Hi folks,

I have two questions about VR Tenable integration. The screenshot is from PDI.

1. Can someone explain to me the difference between Tenable.io and Tenable.sc?
2. Which scheduled job should I keep active to import daily data from Tenable to SN?

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Hi,

There is a "hierarchy" to vulnerabilities.

At the top of the hierarchy is the CWE. The authoritative source for CWE is mitre.org, so we grab it from the source.

Then comes the CVE (which points to a CWE) and the authoritative source again is mitre.org, so we grab it from the source.

Then come the Tenable Plugins (which point to the CVE): Tenable's custom vulnerability definitions. So we grab those next.

Tenable Asset is a way to pull what Tenable knows about your environment. More about this in a minute.

For whatever reason, this is the way the Tenable API works: Pull the Fixed vulnerabilities, then pull the open vulnerabilities. More about this in a minute.

The backfill job is complicated to explain, but the way Tenable works makes this necessary.

Tenable scan credentials are necessary if you wish to conduct rescans via ServiceNow.

A Vulnerable Item is made up of a Vulnerability + a Configuration Item (i.e. an Asset).

Pulling in the Assets matches or creates a Configuration Item.

The incoming vulnerabilities are combined with the CIs to create the VIT.

The Vulnerability part of the VIT points to 1 or more CVE, which points to one or more CWE. 

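A simplified model of the record relationships described in the accepted solution, added here as an illustration and not ServiceNow or Tenable code: it shows why the definitions (CWE, CVE, plugin) and the assets are imported before the fixed/open findings. All identifiers, field names and records are constructed, and reporting unlinked findings is an assumption of this model, not documented platform behaviour.

```javascript
// Simplified model (an assumption, not ServiceNow's implementation) of how the
// imported record types reference each other. All records below are constructed.
const cwes = { "CWE-79": { name: "Cross-site Scripting" } };
const cves = { "CVE-0000-0001": { cwes: ["CWE-79"] } };   // placeholder CVE id
const plugins = { "10001": { cves: ["CVE-0000-0001"] } }; // constructed plugin id
const assets = [{ tenableUuid: "asset-a", hostname: "web01" }];
const findings = [
  { plugin: "10001", asset: "asset-a", state: "open" },
  { plugin: "10002", asset: "asset-a", state: "open" },   // plugin not imported yet
  { plugin: "10001", asset: "asset-b", state: "fixed" },  // asset not imported yet
];

// Asset import: match an existing CI by hostname, otherwise create one.
function importAssets(assetList, cmdb) {
  const byUuid = {};
  for (const a of assetList) {
    let ci = cmdb.find((c) => c.name === a.hostname);
    if (!ci) { ci = { name: a.hostname, created: true }; cmdb.push(ci); }
    byUuid[a.tenableUuid] = ci;
  }
  return byUuid;
}

// Finding import: a VIT is a vulnerability (plugin) plus a CI. Findings whose
// plugin or asset has not been imported yet are reported instead of linked.
function buildVits(findingList, ciByUuid, pluginMap, cveMap, cweMap) {
  const vits = [], unresolved = [];
  for (const f of findingList) {
    const plugin = pluginMap[f.plugin], ci = ciByUuid[f.asset];
    if (!plugin || !ci) {
      unresolved.push({ finding: f, missing: !plugin ? "plugin" : "asset" });
      continue;
    }
    const cveIds = plugin.cves.filter((id) => cveMap[id]);
    const cweIds = [...new Set(cveIds.flatMap((id) => cveMap[id].cwes))].filter((id) => cweMap[id]);
    vits.push({ ci: ci.name, plugin: f.plugin, state: f.state, cves: cveIds, cwes: cweIds });
  }
  return { vits, unresolved };
}

function demo() {
  const cmdb = [{ name: "web01" }]; // CI that already exists in the CMDB
  const ciByUuid = importAssets(assets, cmdb);
  return buildVits(findings, ciByUuid, plugins, cves, cwes);
}
console.log(JSON.stringify(demo(), null, 2));
```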

18 REPLIES 18

Randy Ritzer
Tera Expert

Tenable can be deployed two ways: as a cloud-based SaaS service (IO) and as an on-premise console (SC). The question about which one or both to keep active is unique to your environment. You need to work closely with whoever runs Tenable in your shop. You also want to discuss with them very carefully how much data you bring over. Info-level vulnerabilities aren't very useful in ServiceNow and will add a lot of data. In general, start small and grow how much you bring in.

Chris McDevitt
ServiceNow Employee

Hi,

Integrations, the Big Picture (the order you should run them):

1. CWE Comprehensive 2000 Integration. 

2. NIST National Vulnerability Database Integration - API (CVE only)

3. Tenable.xx Plugin integration

4. Tenable.xx Asset

5. Tenable.xx Fixed -> It then calls Tenable.xx Open

6. (If you have Tenable.sc) Tenable.sc Backfill (every three or so days)

7. Tenable.xx scan credentials (Weekly or so...)

Hi Chris,

Can you explain each of these or point me to a link where I can find the information for each of the jobs listed below? I am wondering why they are broken down by Plugin, Asset, Fixed, Open. I was assuming there would be only one connector for all, but it looks like that's not the case.


1. CWE Comprehensive 2000 Integration. 

2. NIST National Vulnerability Database Integration - API (CVE only)

3. Tenable.xx Plugin integration

4. Tenable.xx Asset

5. Tenable.xx Fixed -> It then calls Tenable.xx Open

6. (If you have Tenable.sc) Tenable.sc Backfill (every three or so days)

7. Tenable.xx scan credentials (Weekly or so...)
