Tenable.sc Action
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 5.25.0 |
| Compatible with Tenable.io API Versions | >=6.4.5 |
| ThreatQ TQO License Required | Yes |
| Support Tier | ThreatQ Supported |
Introduction
The Tenable.sc Action integration captures vulnerability data from Tenable.sc for submitted ThreatQ Asset types as well as removes relationships for Assets no longer deemed vulnerable.
The integration provides the following action:
- Tenable.sc Vulnerability Remediation - retrieves vulnerability analysis results for IP Address Assets and unrelates the ones that are related to the Asset that are no longer vulnerable.
The action is compatible with ThreatQ Asset object types and returns enriched Vulnerability objects.
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license.
- A data collection containing at least one Asset object type.
- Tenable.sc hostname/Ip address, API Access Key, and API Secret Key.
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the action zip file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the action zip file using one of the following methods:
- Drag and drop the zip file into the dialog box
- Select Click to Browse to locate the zip file on your local machine
ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.
You will still need to configure the action.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter Description Tenable.sc Host Enter the Hostname or IP Address of the Tenable.sc server API Access Key Enter the API Access Key generated in the Tenable.sc account settings, API Secret Key Enter the API Secret Key generated in the Tenable.sc account settings. Objects per run Enter the maximum number of objects to submit per run. Enable SSL Verification Enable this for the action to validate the host-provided SSL certificate. Disable Proxies Enable this option if the action should not honor proxies set in the ThreatQ UI.
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The following action is available:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Tenable.sc Vulnerability Remediation | Unrelates vulnerabilities that are not present in analysis results. | Asset | N/A |
Tenable.sc Vulnerability Remediation
The Tenable.sc Vulnerability Remediation action submits IP Address Assets to Tenable.sc in order to obtain vulnerability data. If the Assets have related Vulnerabilities in TQ that are not found in analysis results, then the Vulnerability is unrelated and the Vulnerability State attribute is set to Fixed.
POST "{host}/rest/analysis"
Tenable.sc Vulnerabilities are retrieved in two different requests, one for vulnerabilities(tool="vulnipsummary") and another for CVEs (tool="cveipdetail").
Vulnerabilities Requests
Sample Request:
{
"query": {
"endOffset": 10,
"filters": [
{
"filterName": "ip",
"operator": "=",
"value": "1.50.134.231"
}
],
"startOffset": 0,
"tool": "vulnipsummary",
"type": "vuln"
},
"sourceType": "cumulative",
"type": "vuln"
}Sample Response:
{
"type": "regular",
"response": {
"totalRecords": "4",
"returnedRecords": 4,
"startOffset": "0",
"endOffset": "10",
"matchingDataElementCount": "4",
"results": [
{
"pluginID": "11356",
"total": "1",
"severity": {
"id": "4",
"name": "Critical",
"description": "Critical Severity"
},
"name": "NFS Exported Share Information Disclosure",
"pluginDescription": "At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read (and possibly write) files on remote host.\n\nNote: Shares protected by an ACL that includes the IP of the Nessus host will not be tested.",
"repositoryID": "2",
"hosts": [
{
"iplist": "1.50.134.231",
"uuidIPsList": "",
"repository": {
"id": "2",
"name": "Staged-Large",
"description": "",
"dataFormat": "IPv4"
}
}
],
"family": {
"id": "28",
"name": "RPC",
"type": "active"
}
}
]
},
"error_code": 0,
"error_msg": "",
"warnings": [],
"timestamp": 1732194773
}CVEs Requests
Sample Request:
{
"query": {
"endOffset": 10,
"filters": [
{
"filterName": "ip",
"operator": "=",
"value": "1.50.134.231"
}
],
"startOffset": 0,
"tool": "cveipdetail",
"type": "vuln"
},
"sourceType": "cumulative",
"type": "vuln"
}Sample Response:
{
"type": "regular",
"response": {
"totalRecords": "84",
"returnedRecords": 10,
"startOffset": "0",
"endOffset": "10",
"matchingDataElementCount": "84",
"results": [
{
"cveID": "CVE-1999-0632",
"total": "1",
"hosts": [
{
"repositoryID": "2",
"iplist": [
{
"ip": "1.50.134.231",
"uuid": "957d8559-504b-4337-a7b6-262bd85dab8e",
"hostUUID": "",
"macAddress": "",
"netbiosName": "",
"dnsName": "jaij320cpqbwvjh6.example.demo"
}
]
}
]
}
]
},
"error_code": 0,
"error_msg": "",
"warnings": [],
"timestamp": 1732529590
}ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| N/A | vulnerability.attribute | Vulnerability State | N/A | Fixed |
Attribute is set to Fixed only when it is unrelated from the Asset |
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
| Metric | Result |
|---|---|
| Run Time | 1 min |
| Vulnerabilities | 33 |
| Vulnerability Attributes | 33 |
Use Case Example
- A user submits a collection of IP Address Assets to the Tenable.sc API using the Tenable.sc Vulnerability Remediation action.
- The Tenable.sc API queries vulnerability data for the specified IP Address.
- The action verifies if all the related Tenable.sc vulnerabilities existing in ThreatQ are still present in the Tenable response. If they are not present, it means that they have been remediated. The action will then unrelate the vulnerability and will set the vulnerability Vulnerability State attribute to Fixed.
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Tenable.sc Action Guide v1.0.0 | 5.25.0 or Greater |