Tenable.sc

The configuration required for Tenable Security Center is minimal.

  • Each severity and pluginType must be listed.

  • Provide the host address and port of the local TenableSC instance.

There is no need to set the integration interval more frequently than the frequency Tenable.SC is scanning the network.

If the interval_hours is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Configuration settings

Once downloaded, this data will be used to create an Input Framework file that can be used by a Zeek script to generate new logs, or enrich existing logs, such as the suricata_corelight.log.

The input file will be published with any other input files from other integrations (if there are any). If “input” is enabled in the “push_content” settings, the file will automatically get pushed to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.

Attention

The Nessus (Tenable Security Center) user you’re using to provide an access_key and secret_key must have Security Management rights. It is not recommended to use an admin user.

Settings

tenable_sc:
  enabled:                          false
  interval_hours:                   24
  access_key:
  secret_key:
  severity:                         "4,3,2,1"
  pluginType:                       "Active,Passive,Event"
  address:
  port:                             443
  request_limit:                    50000
  ignore_tls: false

Input file

The input file contains the following information (if it’s available):

  • IP address (required)

  • Hostname

  • Host Unique ID: Provided by the vulnerability details response data’s 'uuid' field.

  • Machine domain

  • OS version

  • Endpoint information source (required)

  • Customer ID

  • CVE list

The following is a sample input file created by this integration, using tab-separated values.

#fields ip      hostname  host_uid    machine_domain    os_version    source        cid    cve_list
192.168.2.186   mbp       -           -                 -             Tenable.SC    -      CVE-2021-1234,CVE-2021-4321
192.168.2.133   mbp       -           -                 -             Tenable.SC    -      CVE-2021-1234,CVE-2021-4321
3.19.25.148     f5        -           -                 -             Tenable.SC    -      CVE-2020-5902
192.168.12.212  skynet    -           -                 -             Tenable.SC    -      CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457

Attention

The Tenable.SC integrations only create Input Framework files to be loaded on sensors. Additional Zeek scripts are required to be loaded on the sensors to use this data. If you enable these integrations, Corelight-update will upload the input files to the sensor. But if the desired script isn’t available on the sensor, the input data won’t be used.

See Zeek package management for information about using Corelight-update to manage Zeek package bundles.

See Zeek-CVE-Enrichment for an example of a Zeek package that can use this data.