Set up Device Security and XSOAR for Tenable Vulnerability Management Integration

Table of Contents

Set up Tenable Vulnerability Management for Integration

Perform a Vulnerability Scan Using Tenable

Set up Device Security and XSOAR for Tenable Vulnerability Management Integration

Set up Device Security and Cortex XSOAR to integrate with Tenable Vulnerability Management.

Where Can I Use This?	What Do I Need?
Device Security (Managed by Strata Cloud Manager) (Legacy) IoT Security (Standalone portal)	One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical) Device Security X subscription One of the following Cortex XSOAR setups: A free, cohosted, limited-featured Cortex XSOAR instance A full-featured Cortex XSOAR server

Where Can I Use This?

What Do I Need?

Device Security (Managed by Strata Cloud Manager)
(Legacy) IoT Security (Standalone portal)

One of the following subscriptions:

Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
Device Security X subscription

One of the following Cortex XSOAR setups:

A free, cohosted, limited-featured Cortex XSOAR instance
A full-featured Cortex XSOAR server

Log in to Device Security and from there access Tenable settings in Cortex XSOAR.
1. Log in to Device Security and then click Integrations.
2. Device Security uses Cortex XSOAR to integrate with Tenable Vulnerability Management, and the settings you must configure to integrate with it are in the Cortex XSOAR interface. To access these settings, click Launch Cortex XSOAR.
  The Cortex XSOAR interface opens in a new browser window.
3. Click Settings in the left navigation menu, and search for Tenable to locate it among other instances.
Configure the settings for the Tenable Vulnerability Management integration instance.
1. Click the active integration instance settings icon (
  
  ), or click Add instance, to open the settings panel.
2. Enter the following settings and leave the others at their default values:
  Name: Use the default name of the integration instance.
  
  Don’t change the default integration instance name. The Cortex XSOAR jobs that support vulnerability scans from the Device Details page in the Device Security portal rely on Cortex XSOAR playbooks that refer to this integration instance name specifically.
  
  URL: https://cloud.tenable.com
  Access Key: Enter the Tenable Vulnerability Management access key text string.
  Secret Key: Enter the secret key text string.
  Optional IoT Vertical Filter for Asset Export: Select the types of device category verticals that you want to include when exporting Device Security assets to Tenable Vulnerability Management. By default, Device Security exports all device types.
  Optional Tenable Severity Filter for Vulnerability Import: Select the severity levels for vulnerabilities that you want to import from Tenable Vulnerability Management to Device Security. By default, Device Security imports only vulnerabilities with a severity level of Critical.
  Optional Learn Device Software Components: Select if you want the import job to include information about software components running on the devices from Tenable Vulnerability Management.
  Optional Include Only Licensed Assets: Select if you want the import job to learn only licensed assets.
  Optional Last Seen: Enter the time range in days that you want to get vulnerability or device information when running a Tenable Vulnerability Management integration job. The job polls for all vulnerabilities or devices identified or updated in the specified time. By default, the Tenable Vulnerability Management jobs retrieve devices or vulnerabilities last seen in the past seven days.
3. When finished, click Run test or Test.
  If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
4. After the test succeeds, click Save & exit to save your changes and close the settings panel.
Create jobs for Cortex XSOAR to send and receive information from Tenable Vulnerability Management.

Depending on whether you want to send device details or get vulnerability information, select the appropriate playbook when configuring the job. If you want to run multiple playbooks, you must create separate jobs, one for each playbook. You can also create multiple jobs if you have multiple integration instances.
1. Click Jobs in the sidebar, and then click New Job to create a new Cortex XSOAR job.
2. Configure the following settings in the New Job panel:
  Optional Recurring: Select this if you want to periodically run the job. Clear it if you want to run the job on-demand.
  Optional Every: If you selected Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries Rapid7 to send and receive information.
  You can configure Queue Handling to determine what happens if a new job starts while an old job is still running.
  Name: Enter a name for the job.
  Playbook: Select the playbook depending on the type of job you're configuring. You can select one of the following playbooks when integrating with Rapid7:
  Import Tenable IO Assets to PANW IoT — Import assets from Tenable Vulnerability Management, including hosts, scan data, agents, and scanners, to Device Security.
  Import Tenable IO Open Vulnerabilities to PANW IoT — Get all known open vulnerabilities from Tenable Vulnerability Management.
  Tag Tenable IO Assets to PANW IoT Categories — Add a tag to all devices in Tenable Vulnerability Management with their corresponding device category verticals in Device Security. Devices can only have one category vertical tag. You can use the category vertical tag to filter devices when running vulnerability scans in Tenable Vulnerability Management.
  Export PANW IoT Devices to Tenable IO — Send device information from Device Security to Tenable Vulnerability Management. If a device does not exist in Tenable Vulnerability Management, then this job creates a new device in Tenable Vulnerability Management and automatically adds the device category vertical tag. By default, Device Security exports devices from all device categories unless you specify the IoT Vertical Filter for Asset Export when configuring the integration instance.
  Integration Instance Name: Enter the instance name of the integration instance you created.
3. Click Create new job and verify that the job appears in the Jobs list.
Enable the job and run it.

Check the Job Status for the job you created. If it's Disabled, select its checkbox and then click Enable.

You can immediately run the job by selecting it and clicking Run now. Otherwise, if you scheduled a recurring job, then the enabled job will run as scheduled.
Return to Device Security and check the status of the Tenable integration instance.
XSOAR automatically runs a preconfigured job for Tenable integration and reports the integration instance to Device Security, which displays it on the Integrations page. The integration instance can be in one of the following four states as shown in the Status column on the Integrations page:
- Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error means that the integration was configured and enabled but isn't functioning properly, possibly due to a configuration error or network condition.
- Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
- Active means that the integration was configured and enabled and is functioning properly.
When you see that the status of the Tenable instance has changed from Disabled to Active, its setup is complete.