Tenable Nessus Vulnerability Scanner
What is Discovered and Monitored
Protocol |
Metrics collected |
Used for |
---|---|---|
Nessus API |
Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence |
Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "nessus" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCES > Reports, search for "nessus" in the main content panel Search... field to see the reports associated with this device.
Configuration
To configure a Tenable Nessus Security Scanner, take the following steps:
-
Deploy a Nessus server (5, 6, 7, or 8).
-
Generate an API key. For Nessus 7 or Nessus 8, obtain the Access Key and Secret Key.
Note: If using Nessus (5) or Nessus 6, create a username and password that FortiSIEM can use to access the API and make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user. -
Add a target device IP that will be scanned.
-
Login to the FortiSIEM GUI.
-
Navigate to CMDB > Devices.
-
Add the target device IP to CMDB > Devices in FortiSIEM.
-
Navigate to ADMIN > Setup, and click the Credentials tab.
-
In Step 1: Enter Credentials, click New:
-
Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
-
Enter these Nessus credential settings in the Access Method Definition dialog box and click Save:
Setting Value Name <set name> Device Type Choose the appropriate device type:
-Tenable Nessus Security Scanner
-Tenable Nessus6 Security Scanner
-Tenable Nessus7 Security Scanner
-Tenable Nessus8 Security ScannerAccess Protocol The access protocol will auto populate based off the device type selected:
-Nessus API
-Nessus6 API
-Nessus7 API
-Nessus8 APIPull Interval (minutes) 5 (default 60 minutes) Port 8834 User Name (for Nessus and 6) A user who has permission to access the device over the API Password (for Nessus and 6) The password associated with the user Access Key (for Nessus7 and 8) Obtain the Access Key from Nessus Secret Key (for Nessus7 and 8) Obtain the Secret Key from Nessus
-
-
In Step 2: Enter IP Range to Credential Associations, click New.
-
Select the credential you created earlier from the Credentials drop-down list.
-
In the IP/Host Name field, enter the IP/IP Range or Host Name.
-
Click Save.
-
-
Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start the polling.
-
Navigate to ADMIN > Setup > Pull Events. The yellow star besides the Nessus pull job should turn the color green.
-
Scan the target device IP in the Nessus server, and export the scan report.
-
Navigate to ANALYTICS in FortiSIEM, and query the Nessus events with the condition
Event Type = Nessus-Vuln-Detected
. -
Compare the events in the FortiSIEM with the scan report exported from the Nessus server.
Note that the severity matching rule between Nessus8 and AO Event are as follows:
Nessus Status |
FortiSIEM Event Severity Number |
---|---|
Critical | Event Severity 10 |
High | Event Severity 9 |
Medium | Event Severity 6 |
Low | Event Severity 2 |
None | Event Severity 3 |
If Vulnerability CVE ID in FortiSIEM events is not NULL
, the target device IP will be added to INCIDENTS > Risk in FortiSIEM.