Initiate rescan for the Tenable.io integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 8 minutes to read

    Verify that your vulnerable items have been remediated between scheduled scanning cycles by initiating rescans in the Tenable platform. You can initiate a rescan on-demand for vulnerable items for the Tenable.io product from your ServiceNow AI Platform® instance.

    Before you begin

    Roles required: sn_vul.write_all or sn_vul.write_assigned

    Verify your scanner is activated before you begin. Navigate to Vulnerability Response > Vulnerability Scanning > Scanners.

    About this task

    Note:
    Tenable.io does not support launching a rescan on agent-based machines.

    To help reduce the overhead and volume involved with scheduled, full scans, as a remediation owner, IT specialist, vulnerability analyst, or vulnerability manager, you can initiate targeted rescans on demand to scan for specific vulnerabilities on assets (configuration items) in your environments. You can initiate rescans from vulnerable item (VI), remediation task (VUL), third-party entry (TPE), or discovered item (SDI) records in your ServiceNow AI Platform instance. Rescans let you verify that your remediation activities, patches, and other actions have successfully fixed specific vulnerabilities on your configuration items (CIs).

    Note:
    When requesting rescan from your ServiceNow AI Platform® instance, selecting the Vulnerability Response Integration with Tenable credentials is optional. The ServiceNow® Tenable.io Scan Credential Integration imports and updates scanner credentials from the Tenable.io product in your instance. This integration runs weekly to import and securely store your Tenable credentials data.

    Note that this imported data does not include Tenable passwords or other sensitive Tenable account information.

    The following information describes the credentials you import so that your users can see them as needed from your ServiceNow AI Platform instance:
    • Credentials created with the Tenable.io administrator user role are available to users across all your organizations.
    • Credentials created with the Tenable.io organizational users role are only available to users within that organization. These credentials are not imported into the ServiceNow AI Platform for users outside of the creator’s organization unless they are shared with the user's account being used to connect to the instance.

      See the Tenable.io documentation website for more information.

    • The Tenable.io Template Integration and the Tenable.io Scan Credential Integration must be activated before you initiate rescans. To view more information about the Scan Credential Integration, navigate to Tenable Vulnerability Integration > Integrations > Tenable.io Scan Credential Integration.
      By default, the Template and Scan Credential integrations are deactivated. When you enter your credentials for Tenable.io, all Tenable.io integrations are automatically activated. To manually activate or deactivate these integrations:
      1. Navigate to All > Tenable Vulnerability Integration > Administration > Integrations.
      2. On the list that is displayed, locate the Tenable.io integration records you want.
      3. Open each record and select the Active check box to activate the integration.
      4. Click Update to save your changes.
      5. Return to the Setup Assistant to continue with your configuration for the Tenable Vulnerability Integration with Vulnerability Response.

    See Configure the Tenable Vulnerability Integration using Setup Assistant for more information about configuring the Tenable.io and Tenable.sc products.

    Say your entire environment is scanned once every three weeks. The most recent full scan was completed a week ago, but you applied a patch yesterday to fix a critical vulnerability. Due to the nature of this vulnerability, you cannot wait two weeks for the next scheduled scan to verify that it has been remediated. To verify that your patch successfully fixed a critical vulnerability discovered during an earlier scan, you can initiate a targeted rescan from your ServiceNow AI Platform for Tenable.io vulnerable items.

    You can view updated results on the records you initiated the scans from after the next scheduled import of the Fixed Vulnerabilities Integration.

    During integration execution, multiple processes are generated, and data is received in the form of pages. Each process can contain one or more import queue entries with attached data in pages. These entries must process the data within the one-hour time limit. However, if the payload size is large, the processing time may exceed one hour or the entry may get stuck, resulting in an integration timeout error even though the integration continues to process the data.

    To avoid this miscommunication, starting from version 18.2.4 of Vulnerability Response, timestamps (heartbeats) are sent periodically to indicate whether the queue is active and processing data. The Last Record Processed field on the Import Queue Entry page is updated based on the count of records the import queue creates or updates. If an import queue entry exceeds the one-hour time limit, the system checks whether the Last Record Processed field is also older than one hour. If it is, the import queue entry is considered stuck and is timed out to prevent further delays in processing.
    Note:
    The Last Record Processed field is updated based on what is defined in the following system properties:
    • sn_sec_cmn.record_threshold_heartbeat: Defines the number of processed records, after which the heartbeat (timestamp) is sent to the import queue entry.
    • sn_sec_cmn.maximum_heartbeat_delay: Defines the time after which the import queue entry must be timed out.
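    The heartbeat rule above can be read as a small watchdog. The following JavaScript is an added illustration, not ServiceNow code: the two constants stand in for the system properties named above (their values here are assumed), and the ImportQueueEntry class and evaluateEntry function are hypothetical names that implement the rule as the documentation states it. An entry that has run past the one-hour limit is timed out only if its Last Record Processed timestamp is also older than the maximum heartbeat delay; an entry that is slow but still updating its heartbeat keeps running.

```javascript
// Added illustration of the import-queue heartbeat rule; not ServiceNow code.
// The two constants stand in for the system properties named above; the
// values are assumed for this example.
const RECORD_THRESHOLD_HEARTBEAT = 100;              // sn_sec_cmn.record_threshold_heartbeat
const MAXIMUM_HEARTBEAT_DELAY_MS = 60 * 60 * 1000;   // sn_sec_cmn.maximum_heartbeat_delay (1 hour)
const ENTRY_TIME_LIMIT_MS = 60 * 60 * 1000;          // one-hour processing limit per entry

// Hypothetical model of one import queue entry.
class ImportQueueEntry {
  constructor(startedAt) {
    this.startedAt = startedAt;
    this.lastRecordProcessed = startedAt; // the heartbeat timestamp
    this.recordsProcessed = 0;
    this.state = 'processing';
  }

  // Called every time the import creates or updates a record. The heartbeat
  // is refreshed only every RECORD_THRESHOLD_HEARTBEAT records, not per record.
  recordProcessed(now) {
    this.recordsProcessed += 1;
    if (this.recordsProcessed % RECORD_THRESHOLD_HEARTBEAT === 0) {
      this.lastRecordProcessed = now;
    }
  }
}

// Watchdog check: an entry past the one-hour limit is timed out only when its
// heartbeat is also stale. A slow but still-heartbeating entry keeps running.
function evaluateEntry(entry, now) {
  if (entry.state !== 'processing') return entry.state;
  if (now - entry.startedAt <= ENTRY_TIME_LIMIT_MS) return 'processing';
  if (now - entry.lastRecordProcessed > MAXIMUM_HEARTBEAT_DELAY_MS) {
    entry.state = 'timed_out';
  }
  return entry.state;
}

// Constructed scenarios: a large payload that is still making progress,
// a stuck entry, and an entry that has not yet reached the one-hour limit.
function runScenarios() {
  const MIN = 60 * 1000;
  const t0 = Date.parse('2024-08-01T00:00:00Z');

  const busy = new ImportQueueEntry(t0);
  for (let i = 0; i < 500; i++) busy.recordProcessed(t0 + 85 * MIN);

  const stuck = new ImportQueueEntry(t0);
  for (let i = 0; i < 100; i++) stuck.recordProcessed(t0 + 5 * MIN);

  const young = new ImportQueueEntry(t0);

  return {
    busy: evaluateEntry(busy, t0 + 90 * MIN),    // 'processing'
    stuck: evaluateEntry(stuck, t0 + 90 * MIN),  // 'timed_out'
    young: evaluateEntry(young, t0 + 30 * MIN),  // 'processing'
  };
}

console.log(runScenarios());
```

    The point of the two-part check is visible in the busy scenario: at 90 minutes the entry is well past the limit, but its heartbeat is only five minutes old, so it is left alone. Raising sn_sec_cmn.record_threshold_heartbeat makes heartbeats rarer and so makes a healthy but slow entry look stale sooner.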

    Procedure

    1. Navigate to All > Vulnerability Response > Vulnerable items.
    2. Locate the vulnerable item record that you want to trigger a rescan from and open it.
      Note:
      If you are using the Tenable.io Scanner, you can only initiate rescans for VIs with Tenable.io as the source. Verify Tenable.io is displayed in the Source column on the VI List views, or in the Source fields on individual records. You can use the condition builder to group VIs by Source. Or, if the Source column is not displayed on the VI List view, in the upper left of the list, click the Personalize List icon (Gear icon) and use the Slushbucket to move Source from Available to Selected.
    3. Alternatively, navigate to All > Vulnerability Response > Remediation Tasks or Vulnerability Response > Libraries > Third-Party for the records that you want to use for the rescan.

      Depending on your choice, the Rescan button is available on the following records:

      • On a single VI record, the VI must be in any state other than Closed. For multiple VI records, all the VIs must be from the Tenable.io product and in any state other than Closed.
      • For remediation task records, only remediation tasks in any state other than Closed are supported. All the associated VIs must be in any state other than Closed and use Tenable.io as the source.
      • On a third-party entry (TPE) record, the record must have at least one associated VI record from the Tenable.io product in any state other than Closed.
      • On Discovered Items records, the record must have at least one associated VI record from the Tenable.io product in any state other than Closed.
      • From the Vulnerable items list, you can select individual vulnerable items that you want to rescan. Use the Actions on selected rows menu in the lower left of the screen to launch the rescan. You are prompted to enter your credentials.
    4. In the upper right of a record, click Rescan.
      You are prompted to choose the instance or instances for the rescan and the scanner credentials you want to use to access the scanner. The displayed credentials are those imported by the Tenable.io Scan Credential Integration.
    5. In the dialog, select the instance or instances and the credential types that you want to use.

      In the following image, one integration instance, Tenable.io, is displayed. If you have more than one Tenable.io instance, they are all displayed under the Tenable.io section on the form.

      Figure: Tenable.io scan credentials and integration instances displayed

      Field: Tenable.io instance
        Choose a Tenable.io integration instance that you want to initiate the rescan from.

        All your integration instances for Tenable.io are displayed. If a VI exists in more than one integration instance, you can use this filter to limit or expand the instances you want to scan.

        Note:
        If you choose to rescan VIs from a remediation task record for a single integration instance, only the active VIs that are associated with that remediation task, for that instance, using the credential(s) that you select are scanned.

      Field: Scanner credentials type filter
        Use this filter to display credentials by type.

      Field: Pane with Scanner Credentials, Tenable.io instance, Scanner credentials type
        These are the available scanner credentials imported from the Tenable.io products. Choose one or more credentials to use for the scan.

    6. Click Request Rescan.

      A message is displayed that indicates your scan is being processed and a parent scan record is created. Status for all the child scans can be found at any time under the Scan related lists on the VI, remediation task, TPE, and SDI records you used to launch the rescans. In the message, click View details to view the status of the rescan and view any other rescans launched from a given record.

      The State field on the parent scan record is marked as complete after all the child scans are successfully completed. The child scans import data. Each child scan covers a unique combination of integration instance, TPE, IP, and Network ID, so you might see multiple child scans on a parent scan record. For example, a child scan can support at most 1000 IP addresses: if there are 1002 IPs for a vulnerable item, two child scans are created and listed on the Scans related list to support the request. The parent scan record is a container for the child scans, and its state reflects the status of the child scans.

      Your ServiceNow AI Platform® instance tracks the rescan status until the rescan successfully completes or until the set tracking period times out, whichever happens first. The time-out does not stop the scan; it refers to when the ServiceNow AI Platform® stopped tracking your rescan status, not when the actual rescan stopped. All VIs that have transitioned, or will transition, to Closed/Fixed are imported with the next scheduled import of the Tenable.io Fixed Vulnerabilities Integration.

      For scans that error out, you can check the child scans on the parent scan record. View the error in the response payload of the child scan.

      You can view updated results on the records you initiated the scans from after the next scheduled import of the Fixed Vulnerabilities Integration.
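    To see why a single Request Rescan can produce several child scans on the parent record, here is an added JavaScript model of the grouping and 1000-IP limit described in step 6. It is not ServiceNow code: the target record shape, the function names buildChildScans and parentScanState, and the sample data are constructed for this example. The documentation lists integration instance, TPE, IP, and Network ID as the unique combination per scan; the model groups targets by instance, TPE, and network ID and treats the IPs as the members of each group, which is what allows a group to be split on the 1000-IP limit.

```javascript
// Added illustration of how one rescan request fans out into child scans;
// not ServiceNow code. The grouping key, the record shape and the function
// names are constructed for this example.
const MAX_IPS_PER_CHILD_SCAN = 1000; // limit stated in the documentation

// Group the targets by integration instance, TPE and network ID, then split
// each group so that no child scan carries more than MAX_IPS_PER_CHILD_SCAN IPs.
function buildChildScans(targets) {
  const groups = new Map();
  for (const t of targets) {
    const key = [t.instance, t.tpe, t.networkId].join('|');
    if (!groups.has(key)) {
      groups.set(key, { instance: t.instance, tpe: t.tpe, networkId: t.networkId, ips: new Set() });
    }
    groups.get(key).ips.add(t.ip); // a Set drops duplicate IPs within a group
  }
  const childScans = [];
  for (const g of groups.values()) {
    const ips = [...g.ips];
    for (let i = 0; i < ips.length; i += MAX_IPS_PER_CHILD_SCAN) {
      childScans.push({
        instance: g.instance,
        tpe: g.tpe,
        networkId: g.networkId,
        ips: ips.slice(i, i + MAX_IPS_PER_CHILD_SCAN),
        state: 'requested',
      });
    }
  }
  return childScans;
}

// The parent scan is a container: it is complete only once every child is.
function parentScanState(childScans) {
  return childScans.every((c) => c.state === 'complete') ? 'complete' : 'in_progress';
}

// Constructed sample: 1002 IPs on one network plus 3 on another, all for the
// same TPE and integration instance (placeholder identifiers).
function sampleRequest() {
  const targets = [];
  for (let i = 0; i < 1002; i++) {
    targets.push({
      instance: 'tenable-io-1', tpe: 'TPE-EXAMPLE', networkId: 'NET-A',
      ip: `10.0.${Math.floor(i / 256)}.${i % 256}`,
    });
  }
  for (let i = 0; i < 3; i++) {
    targets.push({ instance: 'tenable-io-1', tpe: 'TPE-EXAMPLE', networkId: 'NET-B', ip: `10.1.0.${i}` });
  }
  const childScans = buildChildScans(targets);
  const before = parentScanState(childScans);        // 'in_progress'
  childScans.forEach((c) => { c.state = 'complete'; });
  const after = parentScanState(childScans);         // 'complete'
  return { childScans, before, after };
}

console.log(sampleRequest().childScans.map((c) => `${c.networkId}: ${c.ips.length} IPs`));
```

    With this input the request yields three child scans (1000 and 2 IPs for NET-A, 3 for NET-B), which matches the 1002-IP example in the text, and the parent only reports complete once every child does. When a child errors out, its own record is the place to look, as the response payload note above describes.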