Tenable Integration - scheduled job

kris29
Tera Contributor

Hi folks,

I have two questions about VR Tenable integration. The screenshot is from PDI.

1. Can someone explain to me the difference between Tenable.io and Tenable.sc?
2. Which scheduled job should I keep active to import daily data from Tenable to SN?


1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Hi,

There is a "hierarchy" to vulnerabilities.

At the top of the hierarchy is the CWE. The authoritative source for CWE is mitre.org, so we grab it from the source.

Then comes the CVE (which points to a CWE) and the authoritative source again is mitre.org, so we grab it from the source.

Then come the Tenable Plugins (which point to the CVE), Tenable's custom vulnerability definitions. So we grab those next.

Tenable Asset is a way to pull what Tenable knows about your environment. More about this in a minute.

For whatever reason, this is the way the Tenable API works: pull the Fixed vulnerabilities, then pull the Open vulnerabilities. More about this in a minute.

The backfill job is complicated to explain, but the way Tenable works makes this necessary.

Tenable scan credentials are necessary if you wish to conduct rescans via ServiceNow.

A Vulnerable Item is made up of a Vulnerability + a Configuration Item (i.e. an Asset).

Pulling in the Assets matches or creates a Configuration Item.

The incoming vulnerabilities are combined with the CIs to create the VIT.

The Vulnerability part of the VIT points to 1 or more CVE, which points to one or more CWE. 


18 REPLIES

Thanks much Chris! As always your posts are very helpful to the community!

Do you have any recommendations on how the scheduled jobs should be organized? Can they all run in parallel, or should they run outside business hours? Also, do they need to run in the same order, or are there any constraints such that the next job shouldn't start until the previous one is complete?


1. CWE Comprehensive 2000 Integration. 

2. NIST National Vulnerability Database Integration - API (CVE only)

3. Tenable.xx Plugin integration

4. Tenable.xx Asset

5. Tenable.xx Fixed -> It then calls Tenable.xx Open

6. (If you have Tenable.sc) Tenable.sc Backfill (every three or so days)

7. Tenable.xx scan credentials (Weekly or so...)


Chris McDevitt
ServiceNow Employee

Hi,

After the first run, the integration runs are pretty quick.

- Run them off hours

- Run them in this order

1. CWE (Daily)

2. NIST (Daily) 

3. Tenable Plugin (Daily)

4. Tenable Asset (Weekly)

5. Fixed (Daily)

6. Backfill (every three days)

7. Scan Credentials (Weekly)


So #5 Fixed... Find a "quiet time" for the scanner. What I mean is to find a time that Tenable has finished processing all of its data for that day, then run the import (or the quietest time possible).

Thank you Chris for your suggestion! 

Hello @Chris McDevitt ,

I am using the OOB Tenable plugin to pull the VUL data from Tenable, but the CVE data is coming in empty; it's only pulling the CVE number, and the rest of the attributes are blank.

Could you please tell me which scheduled job is responsible for pulling the CVE data?


Hi,


First, you will need to get an NVD API key:

https://nvd.nist.gov/developers/request-an-api-key


Then, get and configure the "Vulnerability Response Integration with NVD" from the SN Store

https://store.servicenow.com/sn_appstore_store.do#!/store/application/1c7480a9e81ce81080a59cc8eb1960...
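
An added example, not part of the thread and not ServiceNow or Tenable code: a simplified in-memory model of the hierarchy described above (finding -> plugin -> CVE -> CWE, plus the CI) that reports which import job's data is missing for each finding, including the "CVE number only, attributes blank" symptom. The record shapes, sample IDs and the `resolveFinding`/`auditFindings` helpers are assumptions for illustration; the job labels follow the run order given in the thread.

```javascript
// Simplified model (assumption): these maps are NOT ServiceNow tables or APIs.
// Job labels follow the run order listed in the thread.
const JOBS = { cwe: "1. CWE", cve: "2. NIST", plugin: "3. Tenable Plugin", asset: "4. Tenable Asset" };

// Constructed sample data; all IDs below are placeholders.
const sample = {
  cwes: new Map([["CWE-79", { name: "Cross-site Scripting" }]]),
  cves: new Map([
    ["CVE-0000-0001", { summary: "constructed sample", score: 6.1, cwes: ["CWE-79"] }],
    ["CVE-0000-0002", {}], // stub: number known from the plugin, no attributes yet
  ]),
  plugins: new Map([
    ["plugin-1001", { cves: ["CVE-0000-0001"] }],
    ["plugin-1002", { cves: ["CVE-0000-0002"] }],
  ]),
  cis: new Set(["web01", "db01"]),
  findings: [
    { plugin: "plugin-1001", asset: "web01" },
    { plugin: "plugin-1002", asset: "db01" },
    { plugin: "plugin-1003", asset: "app07" }, // neither plugin nor asset imported
  ],
};

// Walk one finding down the hierarchy and collect the jobs whose data is missing.
function resolveFinding(f, data) {
  const missing = new Set();
  if (!data.cis.has(f.asset)) missing.add(JOBS.asset);
  const plugin = data.plugins.get(f.plugin);
  if (!plugin) missing.add(JOBS.plugin);
  const cwes = new Set();
  for (const id of plugin ? plugin.cves : []) {
    const cve = data.cves.get(id);
    // A CVE record with an ID but no attributes is the "blank CVE" symptom.
    if (!cve || !cve.summary) { missing.add(JOBS.cve); continue; }
    for (const w of cve.cwes || []) {
      if (data.cwes.has(w)) cwes.add(w); else missing.add(JOBS.cwe);
    }
  }
  return { ...f, cwes: [...cwes], missing: [...missing].sort() };
}

// Audit every finding; an empty `missing` list means the chain resolved fully.
function auditFindings(data) {
  return data.findings.map((f) => resolveFinding(f, data));
}

console.log(JSON.stringify(auditFindings(sample), null, 2));
```
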