Tenable.sc

The configuration required for Tenable Security Center is minimal.

  • List each severity level and pluginType to retrieve, as comma-separated values (the defaults below request all four severities and all three plugin types).

  • Provide the host address and port of the local Tenable.SC instance.

Setting the integration interval shorter than the interval at which Tenable.SC scans the network gains nothing, since no new results arrive between scans.

If interval_hours is set to 0, the integration attempts to download new content every time the Corelight-update service runs. See Global configuration and policy settings.

Once downloaded, the data is used to build an Input Framework file that a Zeek script can read to generate new logs or to enrich existing ones, such as suricata_corelight.log.

The input file is published along with the input files from any other integrations. If “input” is enabled under the “push_content” settings, the file is pushed automatically to the Fleet Manager policy and/or all sensors in the policy. See Push content settings for more details.

Attention

The Tenable.sc (Nessus) user whose access_key and secret_key you provide must have Security Management rights. Do not use an admin user: the keys are stored in this integration's configuration, and the integration only needs to read vulnerability data, so a non-admin user limits what a leaked key can do.

Settings

tenable_sc:
  enabled:                          false
  interval_hours:                   24
  access_key:
  secret_key:
  severity:                         "4,3,2,1"
  pluginType:                       "Active,Passive,Event"
  address:
  port:                             443
  request_limit:                    50000

Input file

The following is a sample input file created by this integration. Values are tab-separated, the #fields line names the columns, and “-” marks a field with no value.

#fields ip      hostname  host_uid    machine_domain    os_version    source        cve_list
192.168.2.186   mbp       -           -                 -             Tenable.SC    CVE-2021-1234,CVE-2021-4321
192.168.2.133   mbp       -           -                 -             Tenable.SC    CVE-2021-1234,CVE-2021-4321
3.19.25.148     f5        -           -                 -             Tenable.SC    CVE-2020-5902
192.168.12.212  skynet    -           -                 -             Tenable.SC    CVE-2020-12313,CVE-2016-1585,CVE-2022-36227,CVE-2022-45884,CVE-2023-22995,CVE-2022-38457

Important

To use this file, an additional Zeek package is required on the sensor.

suricata_corelight log

A typical suricata_corelight.log provides content like the example below:

  {
    _path: suricata_corelight
    _system_name: Lab-AP200
    _write_ts: 2023-08-01T01:22:20.096550Z
    alert.action: allowed
    alert.category: Attempted Information Leak
    alert.gid: 1
    alert.metadata: [
      created_at:2023_07_28
      updated_at:2023_07_28
    ]
    alert.rev: 1
    alert.severity: 2
    alert.signature: **CONTROL** curl User-Agent Outbound CVE-2020-12313
    alert.signature_id: 1000000
    community_id: 1:hfVPB4FWl48hOvuIzwyVBvzWBwY=
    flow_id: 11005288195832
    id.orig_h: 192.168.12.212
    id.orig_p: 48086
    id.resp_h: 3.160.22.77
    id.resp_p: 80
    id.vlan: 12
    pcap_cnt: 0
    service: http
    suri_id: Sp5Hxvr0blDf
    ts: 2023-08-01T01:22:20.092276Z
    tx_id: 0
    uid: CUWMCe4TJo8pS41Rnj
  }

If the Zeek package is loaded, suricata_corelight.log is enriched with additional fields provided by the integration, like the example below. In the record above, the originator 192.168.12.212 is the host listed as skynet in the input file, and the alert signature names CVE-2020-12313, one of the CVEs reported for that host, so the originator side is annotated:

  {
    orig_vulnerable_host.cve: CVE-2020-12313
    orig_vulnerable_host.host_uid:
    orig_vulnerable_host.hostname: skynet
    orig_vulnerable_host.os_version:
    orig_vulnerable_host.source: Tenable.SC
  }

Note

Field names begin with “orig” or “resp” to identify which host is referenced: the originator or the responder of the connection.
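The lookup that the Zeek package performs against the input file, re-implemented in Python as an added illustration. This is not Corelight's Zeek package: the table rows and the alert record are constructed from the samples above, and the rule that a side is annotated only when the alert signature names a CVE that Tenable reported for that host is an assumption drawn from the enriched example (which reports only the signature's CVE, not the host's full cve_list).

```python
"""Python illustration of the lookup a Zeek script performs against the
Tenable.SC Input Framework file: parse the TSV table, then enrich a
suricata_corelight record with orig_/resp_vulnerable_host.* fields.
Added example; not Corelight's Zeek package."""
import re

# Constructed sample of the integration's input file. Zeek Input Framework
# conventions: tab-separated, "#fields" names the columns, "-" means unset.
VULN_HOSTS_TSV = (
    "#fields\tip\thostname\thost_uid\tmachine_domain\tos_version\tsource\tcve_list\n"
    "192.168.2.186\tmbp\t-\t-\t-\tTenable.SC\tCVE-2021-1234,CVE-2021-4321\n"
    "3.19.25.148\tf5\t-\t-\t-\tTenable.SC\tCVE-2020-5902\n"
    "192.168.12.212\tskynet\t-\t-\t-\tTenable.SC\tCVE-2020-12313,CVE-2016-1585\n"
)

# Constructed record in the shape of the suricata_corelight.log shown above.
SAMPLE_ALERT = {
    "alert.signature": "**CONTROL** curl User-Agent Outbound CVE-2020-12313",
    "id.orig_h": "192.168.12.212",
    "id.resp_h": "3.160.22.77",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ENRICH_FIELDS = ("hostname", "host_uid", "os_version", "source")


def parse_input_file(text: str) -> dict:
    """Map ip -> row. Unset ('-') fields become None; cve_list becomes a set.
    Rows with the wrong column count are rejected rather than silently
    mis-keyed (a shifted column would attach CVEs to the wrong host)."""
    fields, hosts = None, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #separator or #types
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        row = {name: (None if val == "-" else val) for name, val in zip(fields, cols)}
        row["cve_list"] = set(row["cve_list"].split(",")) if row["cve_list"] else set()
        hosts[row["ip"]] = row
    return hosts


def signature_cves(signature: str) -> set:
    """CVE identifiers mentioned in a Suricata rule message."""
    return set(CVE_RE.findall(signature))


def enrich(record: dict, hosts: dict) -> dict:
    """Enrichment fields for one record. Assumed matching rule (consistent
    with the page's enriched example): a side is annotated when its address
    is in the table and the alert signature names at least one CVE that
    Tenable reported for that host."""
    wanted = signature_cves(record.get("alert.signature", ""))
    out = {}
    for side, addr_key in (("orig", "id.orig_h"), ("resp", "id.resp_h")):
        host = hosts.get(record.get(addr_key))
        if host is None:
            continue
        matched = sorted(wanted & host["cve_list"])
        if not matched:
            continue
        out[f"{side}_vulnerable_host.cve"] = ",".join(matched)
        for field in ENRICH_FIELDS:
            out[f"{side}_vulnerable_host.{field}"] = host[field]
    return out


def demo() -> dict:
    """Enrich the constructed alert against the constructed table."""
    return enrich(SAMPLE_ALERT, parse_input_file(VULN_HOSTS_TSV))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {'' if value is None else value}")
```

Running the block prints the orig_vulnerable_host.* fields from the enriched example above; the responder 3.160.22.77 is not in the table, so no resp_ fields appear. A malformed row (wrong column count) raises rather than being loaded, which is the behaviour you want from a file that drives alert triage.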