Tenable Security Center v1.0.0

About the connector

Tenable Security Center is a comprehensive vulnerability analytics solution that provides complete visibility into the security posture of your distributed and complex IT infrastructure.

This document provides information about the Tenable Security Center connector, which facilitates automated interactions, with a Tenable Security Center server using FortiSOAR™ playbooks. Add the Tenable Security Center connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list and details of all the completed scans for a specified time duration, retrieving information about asset(s) that are associated with a specified scan, and retrieving information about the vulnerabilities associated with a particular asset.

Note: CyberSponse recommends that you create a separate API-enabled Tenable Security Center account for the Tenable Security Center connector and also allow multiple and parallel API sessions. This helps the Tenable Security Center connector perform API queries seamlessly, as the connector might simultaneously execute multiple API queries.

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.10.2-225 and later

Compatibility with Tenable Security Center Versions: 5.6.1 and later

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

• You must have the URL of the Tenable Security Center server to which you will connect and perform the automated operations and the credentials to access that server.
• To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™ , on the Connectors page, select the Tenable Security Center connector and click Configure to configure the following parameters:

Parameter	Description
Server URL	URL of the Tenable Security Center server to which you will connect and perform the automated operations.
Username	Username used to connect to the Tenable Security Center server to which you will connect and perform automated operations.
Password	Password used to connect to the Tenable Security Center server to which you will connect and perform automated operations.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function	Description	Annotation and Category
List Completed Scans	Retrieves a list and details of all the completed scans based on the time duration, such as the last 24 hours, or last 3 days, that you specify.	search_scans Investigation
List Assets	Retrieves information about asset(s) that are associated with a specified scan based on the scan name and scan ID that you specify.	get_endpoints Investigation
List Asset Vulnerabilities	Retrieves information about the vulnerabilities associated with a specified asset based on the IP/MAC/Hostname that you specify.	get_vulnerabilities Investigation

operation: List Completed Scans

Input parameters

Parameter

Description

Completion Time

Specify the time duration for which you want to retrieve the list of all the completed scans. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable Security Center server. Choose from the following options: Last Fetch, Last 24 Hours, Last 3 Days, Last 5 Days, Last 7 Days, Last 15 Days, Last 25 Days, Last 30 Days, Last 50 Days, Last 60 Days, Last 90 Days, Last 120 Days, and Last 180 Days. Last Fetch means the last time you have collected data from Tenable Security Center. Note: By default, this is set to Last 7 Days.

Output

The JSON output contains a list and details of all the completed scans for the time duration you have specified.

Note: The JSON response contains a name_id_mapping dictionary that contains the scan name and scan ID. This information is required when you want to fetch assets associated with a specific scan, You can fetch assets associated with a specific scan using the List Assets step. You can also customize the JSON response as per your requirement.

Following image displays a sample output that contains a name_id_mapping dictionary:

operation: List Assets

Input parameters

Parameter	Description
Scan Information	Scan name and Scan ID based on which you want to retrieve associated asset(s). By default, this is set to {{ vars.name_id_mapping }}.

Output

The JSON output contains information about asset(s) that are associated with a scan based on the scan name and scan ID that you have specified.

Following image displays a sample output:

operation: List Asset Vulnerabilities

Input parameters

Parameter	Description
IP/MAC/Hostname	IP/MAC/Hostname for which you want to retrieve vulnerabilities.
Scan ID	(Optional) ID of the scan based on which you want to retrieve vulnerabilities for the IP/MAC/Hostname you have specified. Note: If you provide the Scan ID then you must also provide the Scan Name. This means that if you are providing scan information then you must provide both the Scan ID and the Scan Name.
Scan Name	(Optional) Name of the Scan based on which you want to retrieve vulnerabilities for the IP/MAC/Hostname you have specified. Note: If you provide the Scan Name then you must also provide the Scan ID.

Note: The Tenable Security Center connector first tries to pull the vulnerabilities information using the IP/MAC/Hostname that you have provided. If the connector fails to report vulnerabilities, only then will it utilize the Scan ID and the Scan Name to pull IP Address specific vulnerabilities from Tenable Security Center.

Output

The JSON output contains information about the vulnerabilities associated with a specified asset based on the IP/MAC/Hostname that you have specified.

Following image displays a sample output:

Included playbooks

The Sample-Tenable Security Center-1.0.0 playbook collection comes bundled with the Tenable Security Center connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tenable Security Center connector.

• 1.1 List Completed Scan
  • 1.2 List Scan Specific Asset
    • 1.3 Handle Assets in CyOPs
• 2.1 Create Incident > List Asset Vulnerabilities
• 2.1 Update Incident > List Asset Vulnerabilities
  • 2.2 Handle Vulnerabilities in CyOPs

Notes about the bundled playbooks:

The 1.1, 1.2 and 1.3 playbooks fetch the latest and completed scan information and assets associated with each scan from Tenable Security Center. These playbooks also create and update the scan(s) and asset(s) record in FortiSOAR™ as per information retrieved from Tenable Security Center and builds relationships among scans and asset records.

The 2.1 Create Incident > List Asset Vulnerabilities playbook collects all the vulnerabilities associated with specific assets from Tenable Security Center. This playbook gets triggered when a user creates an incident record and provide asset information, i.e. IP/MAC/Hostname of an asset, in the Source field. Ensure that the related asset record is present in FortiSOAR™ to execute this playbook successfully.

The 2.1 Update Incident > List Asset Vulnerabilities playbook fetches all vulnerabilities when a user adds or links one or more assets to an incident.

The 2.2 Handle Vulnerabilities in CyOPs playbook cleans up of stale vulnerability records, creates new vulnerabilities, and builds relations among vulnerabilities and assets.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.