Tenable.io ingest all severity with special plugin filter
3 weeks ago
Seeking a best-practice/practical solution for this requirement.
We need to ingest all severities (CRITICAL, HIGH, MEDIUM, LOW, INFO) in Tenable.io, but we need to filter INFO to a specific plugin ID only.
Things done so far:
- Added custom filter on HTTP request - it only ingests INFO - FAILED
- Customized script include 'TenableIOVulnerabilitiesIntegration' - it only ingests INFO - FAILED
The last resort is to ingest everything and auto-close INFO != specific plugin ID using a Business Rule, which is not the best solution as it creates unnecessary load.
3 weeks ago
We do this same thing for certain Tenable Info level plugins. We run a separate export job for it like you said with a filter on the Info plugins. Not sure why it would fail outside of seeing specific error message(s). Here's the filter we use for reference:
{
  "filters": {
    "plugin_id": [19506, 110095, 104410, 117885, 110385, 110723],
    "severity": ["info"],
    "state": ["open", "reopened", "fixed"]
  }
}
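The separate-export-job approach from the reply above, modelled as an added example that is not part of the original thread or of the Tenable/ServiceNow integration code. It assumes filter fields combine with AND, uses constructed flattened findings (placeholder plugin IDs 900001-900003), and the names `JOB_RISK`, `JOB_INFO`, `JOB_SINGLE`, `matches` and `ingested_ids` are hypothetical.

```python
import json

# Plugin IDs and states copied from the filter posted in the reply above.
INFO_PLUGINS = [19506, 110095, 104410, 117885, 110385, 110723]
STATES = ["open", "reopened", "fixed"]

# Job A: all non-info severities, no plugin restriction.
JOB_RISK = {"filters": {"severity": ["critical", "high", "medium", "low"],
                        "state": STATES}}
# Job B: info only, limited to the listed plugins (same as the posted filter).
JOB_INFO = {"filters": {"plugin_id": INFO_PLUGINS, "severity": ["info"],
                        "state": STATES}}
# One job carrying every severity plus the plugin list, for comparison.
JOB_SINGLE = {"filters": {"plugin_id": INFO_PLUGINS, "state": STATES,
                          "severity": ["critical", "high", "medium", "low", "info"]}}

# Constructed, flattened findings; plugin IDs 900001-900003 are placeholders.
SAMPLE = [
    {"id": "a", "plugin_id": 19506, "severity": "info", "state": "open"},
    {"id": "b", "plugin_id": 900001, "severity": "info", "state": "open"},
    {"id": "c", "plugin_id": 900002, "severity": "medium", "state": "reopened"},
    {"id": "d", "plugin_id": 900003, "severity": "critical", "state": "fixed"},
]

def matches(finding, job):
    """Assumption: every filter field must match (AND); within a field any
    listed value is accepted (OR)."""
    return all(finding.get(field) in allowed
               for field, allowed in job["filters"].items())

def ingested_ids(findings, jobs):
    """IDs of findings returned by at least one job, in input order."""
    return [f["id"] for f in findings if any(matches(f, j) for j in jobs)]

if __name__ == "__main__":
    for name, job in (("risk", JOB_RISK), ("info", JOB_INFO)):
        print(name, json.dumps(job))
    print("two jobs:", ingested_ids(SAMPLE, [JOB_RISK, JOB_INFO]))
    print("single job:", ingested_ids(SAMPLE, [JOB_SINGLE]))
```

Under that assumption the two jobs together keep findings a, c and d, while the single combined job keeps only a.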
3 weeks ago
Hello @kevin_m & @QM_SSJ4,
In general, depending on which volume we're talking about and what the exact use case is, please look into the possibility of using exclusion rules, which will allow you to import all severities as detections, but then define more specific criteria to decide what will actually end up creating a Vulnerable Item for further triaging.
The exclusion rules will then flag the detection with the applied exclusion rules and no VIT will be created for the findings that meet your criteria.
This way you should be able to revert any unrequired customizations.
Let me know if this helps.

