Fortinet Document Library


External Systems Configuration Guide

Tenable Security Center

Integration points

Protocol          Information collected      Used for
Tenable.sc API    Vulnerability scan data    Security and Compliance

Tenable.sc (Security Center) API Integration

FortiSIEM can pull vulnerability scan data via the Tenable.sc API.

Tenable.sc scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableSC-Vuln-Detected.

Configuring Tenable.sc for FortiSIEM

Except for setting your Tenable account user name and password, no special configuration is needed for Tenable.sc.

Configuring FortiSIEM

Use the Tenable account user name and password from the previous step to enable FortiSIEM access.

  1. Log in to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create a Tenable.sc credential:
    1. Enter a Name for the credential.
    2. Choose Device Type = Tenable Security Center (Vendor = Tenable, Model = Security Center).
    3. Choose Access Protocol = Tenable.sc API.
    4. Choose Pull Interval = 60 minutes.
    5. Enter the User Name for the account.
    6. Enter the Password for the account.
    7. Click Save.
  4. Enter an IP range in Credential Association:
    1. Enter the host's IP or Hostname.
    2. Select the credential created in Step 3 from the drop-down list.
    3. Click Save.
  5. Select the entry created in step 4 and click Test Connectivity.
  6. After Test Connectivity succeeds, an entry corresponding to this event-pulling job is created in ADMIN > Setup > Pull Events, and FortiSIEM starts pulling events from Tenable Security Center using the API.

To test for received Tenable.sc events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Tenable.sc entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Tenable.sc in the last 15 minutes. You can modify the time interval to get more events.

Sample Events

[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=22,[appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[categoryType]=Misc.,[vulnCVEId]=CVE-2008-5161,[vulnCvssBaseScore]=2.6,[vulnCvssBaseTemporal]=1.9,[cweId]=200,[vulnDesc]=The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.,[fileName]=ssh_cbc_supported_ciphers.nasl,[vulnType]=remote,[threatLevel]=Low,[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.,[vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining.,[nessusPluginOutput]= The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc

[TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=0,[appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[categoryType]=Misc.,[vulnDesc]=According to the MAC address of its network adapter, the remote host is a Xen virtual machine.,[fileName]=xen_detect.nasl,[vulnType]=combined,[threatLevel]=None,[vulnSolution]=Ensure that the host's configuration is in agreement with your organization's security policy.,[vulnCVESummary]=The remote host is a Xen virtual machine.
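The sample events above use FortiSIEM's bracketed key/value layout, and several values (vulnDesc, vulnSolution) contain commas, so splitting on ',' alone breaks them. The parser below is an added example, not FortiSIEM or Tenable code; it works on abbreviated copies of the two page samples (constructed here) and filters the parsed findings into a triage shortlist by eventSeverity and CVE id.

```python
import re
from typing import Dict, List

# Constructed, abbreviated copies of the page's two sample events. The vulnSolution value
# contains a comma, which is the case a naive split on ',' gets wrong.
SAMPLE_EVENT = (
    "[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,"
    "[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[appPort]=22,"
    "[appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,"
    "[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[vulnCVEId]=CVE-2008-5161,"
    "[vulnCvssBaseScore]=2.6,[threatLevel]=Low,"
    "[vulnSolution]=Contact the vendor or consult product documentation to disable CBC "
    "mode cipher encryption, and enable CTR or GCM cipher mode encryption."
)
SAMPLE_EVENT_2 = (
    "[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[hostIpAddr]=10.238.64.9,"
    "[appPort]=0,[eventSeverity]=0,[nessusPluginId]=35081,"
    "[nessusPluginName]=Xen Guest Detection,[threatLevel]=None,"
    "[vulnCVESummary]=The remote host is a Xen virtual machine."
)

# "[Type]:" header followed by the attribute list.
_HEADER = re.compile(r"^\[(?P<type>[^\]]+)\]:(?P<body>.*)$", re.DOTALL)
# Split only at a comma that begins the next "[attr]=" pair, so commas inside values survive.
_PAIR_BOUNDARY = re.compile(r",(?=\[[A-Za-z0-9_]+\]=)")
_PAIR = re.compile(r"^\[(?P<key>[A-Za-z0-9_]+)\]=(?P<value>.*)$", re.DOTALL)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one bracketed key/value event into a dict; the event type lands in 'eventType'."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a [Type]:[attr]=value event")
    fields = {"eventType": m.group("type")}
    for pair in _PAIR_BOUNDARY.split(m.group("body")):
        pm = _PAIR.match(pair)
        if not pm:
            raise ValueError(f"malformed attribute pair: {pair!r}")
        fields[pm.group("key")] = pm.group("value").strip()  # nessusPluginOutput has a leading space
    return fields


def findings_at_or_above(events: List[str], min_severity: int) -> List[Dict[str, str]]:
    """Shortlist findings with eventSeverity >= min_severity that carry a CVE id."""
    keep = ("hostIpAddr", "appPort", "nessusPluginId", "vulnCVEId", "threatLevel")
    out = []
    for line in events:
        ev = parse_event(line)
        if int(ev.get("eventSeverity", "0")) >= min_severity and ev.get("vulnCVEId"):
            out.append({k: ev.get(k, "") for k in keep})
    return out
```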