External Systems Configuration Guide

Tenable Security Center

Integration Points

Protocol         Information collected     Used for
Tenable.sc API   Vulnerability scan data   Security and Compliance

Tenable.sc (Security Center) API Integration

FortiSIEM can pull vulnerability scan data via the Tenable.sc API.

Tenable.sc scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableSC-Vuln-Detected.

Configuration

Configuring Tenable.sc for FortiSIEM

Except for setting your Tenable account user name and password, no special configuration is needed for Tenable.sc.

Configuring FortiSIEM

Use the API Key and Secret from the previous step to enable FortiSIEM access.

Define Tenable Security Center Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
      Setting          Description
      Name             Enter a name for the credential.
      Device Type      Tenable Security Center (vendor: Tenable)
      Access Protocol  Tenable.sc API
      Pull Interval    Choose the Pull Interval (Default 60 minutes).
      Port             Enter the Port number (Default 443).
      User Name        Enter the User Name for the Tenable Security Center account.
      Password         Enter the Password for the Tenable Security Center user name account.
      Description      Description of the device.
Create IP Range to Credential Association, Test Connectivity and Pull Events

From the FortiSIEM Supervisor node, take the following steps (in ADMIN > Setup > Credentials).

  1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter the host's IP address or host name in the IP/Host Name field.
    2. From the Credentials drop-down list, select the name of the credential created in Define Tenable Security Center Credential in FortiSIEM.
    3. Click Save.
  2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up will appear showing the Test Connectivity results.
  3. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event-pulling job. FortiSIEM will start to pull events from Tenable Security Center using the API.

To test for received Tenable.sc events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Tenable.sc entry and click Report.
  3. The system will take you to the ANALYTICS tab and run a query that displays the events received from Tenable.sc in the last 15 minutes. You can modify the time interval to get more events.

Sample Events

    [TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=22,[appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[categoryType]=Misc.,[vulnCVEId]=CVE-2008-5161,[vulnCvssBaseScore]=2.6,[vulnCvssBaseTemporal]=1.9,[cweId]=200,[vulnDesc]=The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.,[fileName]=ssh_cbc_supported_ciphers.nasl,[vulnType]=remote,[threatLevel]=Low,[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.,[vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining.,[nessusPluginOutput]= The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc

    [TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=0,[appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[categoryType]=Misc.,[vulnDesc]=According to the MAC address of its network adapter, the remote host is a Xen virtual machine.,[fileName]=xen_detect.nasl,[vulnType]=combined,[threatLevel]=None,[vulnSolution]=Ensure that the host's configuration is in agreement with your organization's security policy.,[vulnCVESummary]=The remote host is a Xen virtual machine.
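The sample events above use FortiSIEM's "[key]=value,[key]=value" attribute format, and values such as vulnSolution contain commas, so a consumer must split on key tokens rather than on commas. The following is an added example (not FortiSIEM or Tenable code) that parses such a line and sorts the finding into an informational or review bucket; the two sample lines are constructed, shortened versions of the page's events, and the triage threshold is an assumption.

```python
import re
from typing import Dict

# Constructed sample, shortened from the page's first TenableSc-Vuln-Detected event.
# Note the comma inside vulnSolution: a naive split(",") would break that value.
SAMPLE_EVENT = (
    "[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,"
    "[hostIpAddr]=10.238.64.9,[appPort]=22,[appTransportProto]=tcp,[eventSeverity]=1,"
    "[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,"
    "[vulnCVEId]=CVE-2008-5161,[vulnCvssBaseScore]=2.6,[cweId]=200,[threatLevel]=Low,"
    "[vulnSolution]=Contact the vendor or consult product documentation to disable CBC "
    "mode cipher encryption, and enable CTR or GCM cipher mode encryption."
)
# Constructed detection-only sample, modelled on the page's Xen Guest Detection event.
INFO_EVENT = (
    "[TenableSc-Vuln-Detected]:[hostIpAddr]=10.238.64.9,[appPort]=0,[eventSeverity]=0,"
    "[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[threatLevel]=None"
)

# A key token is "[name]=". Values are delimited by the next key token, not by commas.
_KEY_RE = re.compile(r"\[(\w+)\]=")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one FortiSIEM "[Type]:[k]=v,[k]=v" line into a dict (eventType included)."""
    head, sep, body = line.partition("]:")
    if not sep or not head.startswith("["):
        raise ValueError("not a FortiSIEM key/value event line")
    fields = {"eventType": head[1:]}
    keys = list(_KEY_RE.finditer(body))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        value = body[m.end():end]
        if end < len(body) and value.endswith(","):
            value = value[:-1]  # drop the separator before the next key
        fields[m.group(1)] = value.strip()
    return fields


def triage(fields: Dict[str, str], min_score: float = 4.0) -> str:
    """'info' for detection-only findings (threatLevel None or no CVSS score),
    'review' when the CVSS base score reaches min_score (assumed threshold), else 'low'."""
    if fields.get("threatLevel", "None") == "None" or "vulnCvssBaseScore" not in fields:
        return "info"
    return "review" if float(fields["vulnCvssBaseScore"]) >= min_score else "low"


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, INFO_EVENT):
        ev = parse_event(raw)
        print(ev["hostIpAddr"], ev["nessusPluginId"], ev.get("vulnCVEId", "-"), triage(ev))
```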
