
Tenable.io Operation

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Tenable.io Operation is an enrichment operation used to search for vulnerable assets in Tenable.io. The operation offers the option to add any discovered assets to ThreatQ and relate them to the CVE.

The operation provides the following action:

  • Search for Vulnerable Assets - retrieves the Tenable.io vulnerability summary and the list of affected assets for a submitted CVE.  

Prerequisites

Review the following prerequisites before attempting to install or upgrade the operation:

  • Tenable.io Account
    • Tenable.io Secret Key
    • Tenable.io Access Key
  • Asset system object.  

Asset Object

The integration requires the Asset object.  The Asset installation files are included with the integration download on the ThreatQ Marketplace.  The Asset object must be installed prior to installing the integration.  

You do not have to install the Asset object if you are running ThreatQ version 5.10.0 or greater, as the object is seeded as a default system object in those versions.

See the Custom Objects topic for steps on how to install the required custom object.

Installation

If you are on ThreatQ version 5.9.0 or earlier, the Asset custom object must be installed on your ThreatQ instance before you install the operation.  Attempting to install or upgrade the operation without the Asset custom object will cause the installation process to fail.  See the Prerequisites chapter for more details.    

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials. Tenable.io API keys inherit the permissions of the Tenable.io user that generated them; this operation only reads workbench data, so generate the keys from a user account with no more access than it needs.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter                          | Description
    Hostname                           | The hostname of your Tenable.io instance.
    Access Key                         | The API access key for Tenable.io.
    Secret Key                         | The API secret key for Tenable.io.
    Auto Discovered Assets to ThreatQ  | Check this box to automatically add any discovered assets to ThreatQ. The assets are added as Asset objects.
    Asset Creation Options             | Select how Assets are ingested into ThreatQ.  Options include:
      • Create a single Asset using the first IPv4 Address
      • Create a single Asset using the first FQDN
      • Create a single Asset using the first FQDN & IPv4 Address (default)
      • Create Assets for each IPv4, IPv6, and FQDN

    Regardless of the option you select, every IPv4, IPv6, and FQDN value returned for the asset is added as an attribute of the Asset.

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable the integration.

Actions

The operation provides the following action:

Action                       | Description                                        | Object Type | Object Subtype
Search for Vulnerable Assets | Retrieves vulnerable assets in Tenable.io for a CVE | Indicators  | CVE

The action utilizes two endpoints:

Search for Vulnerable Assets

The Search for Vulnerable Assets action first retrieves the vulnerability summary for a CVE system object. 

GET https://<Tenable.io Host>/workbenches/vulnerabilities

Sample Request (the filter fields are sent as query parameters):

{
  "filter.0.quality": "eq",
  "filter.0.filter": "plugin.attributes.cve.raw",
  "filter.0.value": "CVE-2019-17053",
  "filter.search_type": "and"
}

Sample Response:

{
  "total_asset_count": 0,
  "vulnerabilities": [
    {
      "accepted_count": 0,
      "counts_by_severity": [
        {
          "count": 2,
          "value": 3
        }
      ],
      "recasted_count": 0,
      "plugin_name": "CentOS 7 : kernel (CESA-2020:4060)",
      "cvss3_base_score": 8.1,
      "count": 2,
      "cvss_base_score": 9.3,
      "vulnerability_state": "Active",
      "plugin_family": "CentOS Local Security Checks",
      "vpr_score": 6.7,
      "severity": 3,
      "plugin_id": 141619
    }
  ],
  "total_vulnerability_count": 2
}

ThreatQuotient provides the following default mapping for the data returned by this endpoint:

Feed Data Path                           | ThreatQ Entity          | ThreatQ Object Type or Attribute Key | Published Date | Examples
response.vulnerabilities[].severity      | Vulnerability.Attribute | Severity                             | N/A            | High
response.vulnerabilities[].vpr_score     | Vulnerability.Attribute | Vulnerability Priority Rating        | N/A            | 6.7
response.vulnerabilities[].plugin_name   | Vulnerability.Attribute | Plugin Name                          | N/A            | CentOS 7 : kernel (CESA-2020:4060)
response.vulnerabilities[].count         | Vulnerability.Attribute | Vulnerable Hosts                     | N/A            | 2
response.vulnerabilities[].plugin_family | Vulnerability.Attribute | Plugin Family                        | N/A            | CentOS Local Security Checks

Search for Assets Vulnerable for the Specific CVE 

The action then queries the assets workbench with the same CVE filter. The following example demonstrates the request and response for a specified CVE.

GET https://<Tenable.io Host>/workbenches/assets/vulnerabilities

Request (the filter fields are sent as query parameters):

{
  "filter.0.quality": "eq",
  "filter.0.filter": "plugin.attributes.cve.raw",
  "filter.0.value": "CVE-2019-17053",
  "filter.search_type": "and"
}

Response:

{
  "total_asset_count": 2,
  "assets": [
    {
      "agent_name": [],
      "ipv4": [
        "10.13.0.107",
        "192.168.122.1"
      ],
      "id": "00519c43-f57a-4b49-a2c6-53f426478059",
      "fqdn": [],
      "ipv6": [
        "fe80:0:0:0:6ed6:27a2:3b5b:eed9"
      ],
      "severities": [
        {
          "level": 0,
          "name": "Info",
          "count": 0
        },
        {
          "level": 1,
          "name": "Low",
          "count": 0
        },
        {
          "level": 2,
          "name": "Medium",
          "count": 0
        },
        {
          "level": 3,
          "name": "High",
          "count": 1
        },
        {
          "level": 4,
          "name": "Critical",
          "count": 0
        }
      ],
      "last_seen": "2021-02-10T22:20:41.260Z",
      "netbios_name": [],
      "total": 1
    },
    {
      "agent_name": [],
      "ipv4": [
        "172.18.0.1",
        "10.13.0.147"
      ],
      "id": "cfa68026-6409-4b89-a7bf-667f2fae9a6f",
      "fqdn": [],
      "ipv6": [
        "fe80:0:0:0:dca7:17ff:fedb:f15c",
        "fe80:0:0:0:981b:caff:fef0:aa29",
        "fe80:0:0:0:3874:4ff:feed:f33a",
        "fe80:0:0:0:42:f8ff:fe7e:b0f3",
        "fe80:0:0:0:16ed:7dde:cc7f:d7dd",
        "fe80:0:0:0:3bf4:f4ab:9433:cd29"
      ],
      "severities": [
        {
          "level": 0,
          "name": "Info",
          "count": 0
        },
        {
          "level": 1,
          "name": "Low",
          "count": 0
        },
        {
          "level": 2,
          "name": "Medium",
          "count": 0
        },
        {
          "level": 3,
          "name": "High",
          "count": 1
        },
        {
          "level": 4,
          "name": "Critical",
          "count": 0
        }
      ],
      "last_seen": "2021-02-10T22:20:41.260Z",
      "netbios_name": [],
      "total": 1
    }
  ]
}

ThreatQuotient provides the following default mapping for the parsed data from this endpoint:

Feed Data Path               | ThreatQ Entity  | ThreatQ Object Type or Attribute Key | Published Date | Examples                       | Notes
.assets[].ipv4[]             | Asset.Value     | IPv4 Address                         | N/A            | 172.18.0.1                     | N/A
.assets[].fqdn[]             | Asset.Value     | FQDN                                 | N/A            | N/A                            | N/A
.assets[].ipv6[]             | Asset.Value     | IPv6 Address                         | N/A            | fe80:0:0:0:dca7:17ff:fedb:f15c | N/A
.assets[].agent_name[]       | Asset.Attribute | N/A                                  | N/A            | homenet_agent                  | N/A
.assets[].netbios_name[]     | Asset.Attribute | NetBIOS Name                         | N/A            | N/A                            | N/A
.assets[].total              | Asset.Attribute | Total Vulnerabilities                | N/A            | N/A                            | N/A
.assets[].severities[].level | Asset.Attribute | Severity                             | N/A            | 3                              | Added only when the level's count > 0
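The following is an added example, not code from ThreatQuotient or from the operation itself. It shows the requests for both workbench endpoints described above (the CVE filter as query parameters, both keys in Tenable's X-ApiKeys header) and how a /workbenches/assets/vulnerabilities response becomes ThreatQ Asset objects under each of the four Asset Creation Options, with attributes attached per the mapping table. The sample response is a trimmed copy of the one above. The function names, the "Agent Name" attribute key (the guide lists N/A), and the combined "fqdn (ipv4)" value used for the default option are assumptions made here, not behaviour documented for the operation.

```python
"""Added example (not ThreatQuotient's or the operation's own code): build the
two CVE-filtered Tenable.io workbench requests and map the asset response to
ThreatQ Asset objects per the Asset Creation Options. Runs offline against
SAMPLE_ASSETS, a trimmed copy of this guide's sample response. Function names
and the "fqdn (ipv4)" combined value are illustrative assumptions."""
from urllib.parse import urlencode

VULN_PATH = "/workbenches/vulnerabilities"           # per-CVE vulnerability summary
ASSET_PATH = "/workbenches/assets/vulnerabilities"   # assets affected by the CVE


def build_request(host, access_key, secret_key, cve, path=ASSET_PATH):
    """Return (url, headers) for a workbench query filtered to one CVE.
    The filter.* fields travel as query parameters; both API keys travel in
    the X-ApiKeys header, so the headers dict is a secret: never log it."""
    params = {
        "filter.0.quality": "eq",
        "filter.0.filter": "plugin.attributes.cve.raw",
        "filter.0.value": cve,
        "filter.search_type": "and",
    }
    headers = {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
               "Accept": "application/json"}
    return f"https://{host}{path}?{urlencode(params)}", headers


def asset_values(asset, option):
    """Asset value(s) to create for one workbench asset, as (value, type) pairs.
    Empty when the selected field is absent (e.g. first_fqdn with no FQDN)."""
    ipv4, ipv6, fqdn = (asset.get(k) or [] for k in ("ipv4", "ipv6", "fqdn"))
    if option == "first_ipv4":
        return [(ipv4[0], "IPv4 Address")] if ipv4 else []
    if option == "first_fqdn":
        return [(fqdn[0], "FQDN")] if fqdn else []
    if option == "first_fqdn_ipv4":  # the guide's default option
        # Assumption: "first FQDN & IPv4" is one value "fqdn (ipv4)"; when only
        # one of the two exists, fall back to it alone.
        if fqdn and ipv4:
            return [(f"{fqdn[0]} ({ipv4[0]})", "FQDN")]
        return asset_values(asset, "first_fqdn") or asset_values(asset, "first_ipv4")
    if option == "each":
        return ([(v, "IPv4 Address") for v in ipv4] + [(v, "IPv6 Address") for v in ipv6]
                + [(v, "FQDN") for v in fqdn])
    raise ValueError(f"unknown Asset Creation Option: {option}")


def asset_attributes(asset):
    """Attributes from the guide's mapping table, attached whatever the creation
    option. Severity is the level (e.g. "3") and only for counts > 0."""
    attrs = [("IPv4 Address", v) for v in asset.get("ipv4") or []]
    attrs += [("IPv6 Address", v) for v in asset.get("ipv6") or []]
    attrs += [("FQDN", v) for v in asset.get("fqdn") or []]
    attrs += [("Agent Name", v) for v in asset.get("agent_name") or []]  # key assumed
    attrs += [("NetBIOS Name", v) for v in asset.get("netbios_name") or []]
    attrs.append(("Total Vulnerabilities", str(asset.get("total", 0))))
    attrs += [("Severity", str(s["level"]))
              for s in asset.get("severities") or [] if s.get("count", 0) > 0]
    return attrs


def assets_from_response(response, option="first_fqdn_ipv4", cve=None):
    """Turn an ASSET_PATH response into ThreatQ-style Asset dicts related to
    the queried CVE; one dict per value that asset_values yields."""
    out = []
    for asset in response.get("assets", []):
        attrs = asset_attributes(asset)
        for value, vtype in asset_values(asset, option):
            out.append({"value": value, "type": vtype, "attributes": attrs,
                        "related_cve": cve, "tenable_id": asset.get("id")})
    return out


# Constructed sample: the guide's two assets, zero-count severities omitted
SAMPLE_ASSETS = {"total_asset_count": 2, "assets": [
    {"id": "00519c43-f57a-4b49-a2c6-53f426478059", "agent_name": [], "fqdn": [],
     "ipv4": ["10.13.0.107", "192.168.122.1"],
     "ipv6": ["fe80:0:0:0:6ed6:27a2:3b5b:eed9"],
     "severities": [{"level": 3, "name": "High", "count": 1}],
     "netbios_name": [], "total": 1},
    {"id": "cfa68026-6409-4b89-a7bf-667f2fae9a6f", "agent_name": [], "fqdn": [],
     "ipv4": ["172.18.0.1", "10.13.0.147"],
     "ipv6": ["fe80:0:0:0:dca7:17ff:fedb:f15c"],
     "severities": [{"level": 3, "name": "High", "count": 1}],
     "netbios_name": [], "total": 1},
]}

if __name__ == "__main__":
    print(build_request("cloud.tenable.com", "ACCESS", "SECRET", "CVE-2019-17053")[0])
    for opt in ("first_ipv4", "first_fqdn", "first_fqdn_ipv4", "each"):
        print(opt, [a["value"] for a in assets_from_response(SAMPLE_ASSETS, opt, "CVE-2019-17053")])
```

Note what the sample response does to the option choice: both assets have no FQDN, so "Create a single Asset using the first FQDN" yields nothing for them, the default option silently falls back to the first IPv4, and only "Create Assets for each IPv4, IPv6, and FQDN" preserves the link-local IPv6 addresses as values rather than attributes. Check the Asset Creation Option against what your scanners actually populate before relying on it.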

Change Log

  • Version 1.3.1
    • Added a new configuration option, Asset Creation Options, that allows you to select how Assets are ingested into the ThreatQ platform.  
  • Version 1.3.0
    • Resolved an issue where the integration failed to ingest Asset system objects.
    • Updated the value of ingested Assets.  See the default mapping for parsed data under the Search for Assets Vulnerable for the Specific CVE section of this guide for further details.    
  • Version 1.2.0
    • Updated the list of attributes added to Asset objects in ThreatQ.  
  • Version 1.1.0
    • Added the ability to create and relate Asset objects in ThreatQ.  The Asset custom object is required for this - see the Prerequisites chapter for more details.  
    • Added improved logging and messaging in the ThreatQ UI.
  • Version 1.0.0
    • Initial release

PDF Guides

Document                         | ThreatQ Version
Tenable.io Operation Guide v1.3.1 | 4.40.0 or Greater
Tenable.io Operation Guide v1.3.0 | 4.40.0 or Greater
Tenable.io Operation Guide v1.2.0 | 4.40.0 or Greater
Tenable.io Operation Guide v1.1.0 | 4.40.0 or Greater
Tenable.io Operation Guide v1.0.0 | 3.6.0 or Greater