Tenable.sc

The configuration required for Tenable Security Center is minimal.

  • Each severity and pluginType must be listed.

  • Provide the host address and port of the local TenableSC instance.

There is no need to set the interval to run more often than Tenable.SC scans the network.

If ‘interval_hours’ is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Global Configuration and Policy Settings.

Attention

The Nessus (Tenable Security Center) user you’re using to provide an ‘access_key’ and ‘secret_key’ must have “Security Management” rights. Do not use an “admin” user.

# Enable TenableSC Integration
tenable_sc:
  enabled:                          false
  interval_hours:                   24
  access_key:
  secret_key:
  severity:                         "4,3,2,1"
  pluginType:                       "Active,Passive,Event"
  address:
  port:                             443
  request_limit:                    50000

Important

This integration queries Tenable.SC and creates an input file (cve_data.csv) with CVE information used to enrich the corelight_suricata.log file. To use this file, an additional Zeek package is required on the sensor.

Input File

Below is a sample input file created by this integration, using tab-separated values.

#fields  ip     hostname  cve_list
192.168.2.186   mbp       CVE-2021-1234,CVE-2021-4321
192.168.2.133   mbp       CVE-2021-1234,CVE-2021-4321
3.19.25.148     f5        CVE-2020-5902
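
A sanity check for the generated file before it is loaded on the sensor, shown as an added example (not part of Corelight-update or its documentation). It parses the layout shown above and reports rows that are not tab-separated, carry an invalid IP, or contain a malformed CVE ID. The function name `parse_cve_data`, the CVE-ID pattern and the sample rows are assumptions made for illustration.

```python
import ipaddress
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
REQUIRED = ("ip", "hostname", "cve_list")

# Constructed sample in the layout shown above (tab-separated); the last two
# rows are deliberately malformed (bad IP, spaces instead of tabs).
SAMPLE = (
    "#fields\tip\thostname\tcve_list\n"
    "192.168.2.186\tmbp\tCVE-2021-1234,CVE-2021-4321\n"
    "3.19.25.148\tf5\tCVE-2020-5902\n"
    "192.168.2.999\tbad-ip\tCVE-2021-1234\n"
    "192.168.2.133 mbp CVE-2021-1234\n"
)

def parse_cve_data(text):
    """Return (hosts, errors); hosts maps ip -> (hostname, [CVE ids])."""
    hosts, errors, cols = {}, [], None
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if cols is None:  # first non-blank line must be the '#fields' header
            if parts[0] != "#fields" or not set(REQUIRED) <= set(parts[1:]):
                return {}, [f"line {n}: expected '#fields' header with {REQUIRED}"]
            cols = parts[1:]
            continue
        if len(parts) != len(cols):
            errors.append(f"line {n}: expected {len(cols)} tab-separated fields, got {len(parts)}")
            continue
        row = dict(zip(cols, parts))
        try:
            ip = str(ipaddress.ip_address(row["ip"]))
        except ValueError:
            errors.append(f"line {n}: invalid ip {row['ip']!r}")
            continue
        cves = row["cve_list"].split(",")
        bad = [c for c in cves if not CVE_RE.fullmatch(c)]
        if bad:
            errors.append(f"line {n}: malformed CVE id(s) {bad}")
            continue
        hosts[ip] = (row["hostname"], cves)
    if cols is None:
        errors.append("no '#fields' header found")
    return hosts, errors

if __name__ == "__main__":
    print(parse_cve_data(SAMPLE))
```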