Set up Device Security and Cortex XSOAR for Tenable Security Center Integration

Table of Contents

Set up Tenable Security Center for Integration

Perform a Vulnerability Scan Using Tenable Security Center

Set up Device Security and Cortex XSOAR for Tenable Security Center Integration

Configure integration instances and jobs to import device and vulnerability data from Tenable Security Center into Device Security.

Where Can I Use This?	What Do I Need?
Device Security (Managed by Strata Cloud Manager) (Legacy) IoT Security (Standalone portal)	One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical) Device Security X subscription One of the following Cortex XSOAR setups: A free, cohosted, limited-featured Cortex XSOAR instance AND A free Cortex XSOAR Engine (on-premises integration) A full-featured Cortex XSOAR server

Where Can I Use This?

What Do I Need?

Device Security (Managed by Strata Cloud Manager)
(Legacy) IoT Security (Standalone portal)

One of the following subscriptions:

Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
Device Security X subscription

One of the following Cortex XSOAR setups:

A free, cohosted, limited-featured Cortex XSOAR instance
AND
A free Cortex XSOAR Engine (on-premises integration)
A full-featured Cortex XSOAR server

Configure Device Security with a Tenable Security Center integration instance and jobs to import scanners, device details, and vulnerability information into Device Security. After creating a Tenable Security Center integration instance and running a job to get scanners and profiles, you can also initiate a vulnerability scan on Tenable Security Center from Device Security.

To set up Device Security to integrate through a cloud-hosted Cortex XSOAR instance with an on-premises Tenable Security Center instance, you must also add a Cortex XSOAR engine to your network. If you're integrating with a cloud instance of Tenable Security Center, you don't need to install a Cortex XSOAR engine.

Cortex XSOAR Engine Installation

An on-premises Cortex XSOAR engine facilitates communications between the Cortex XSOAR cloud and an on-premises Tenable Security Center. To install a free Cortex XSOAR engine, follow the instructions to Install a Cortex XSOAR Engine. For more information about general operating systems and hardware requirements, see the Cortex XSOAR Administrator Guide.

We recommend downloading the Cortex XSOAR engine using the shell installer script and installing it on a Linux machine. This simplifies the deployment by automatically installing all required dependencies and also enables remote engine upgrades.

The on-premises firewall must allow the Cortex XSOAR engine to form HTTPS connections on TCP port 443 to the Cortex cloud at https://<your-domain>.iot.demisto.live/. You can see the URL of your Cortex XSOAR instance when you log in to Device Security and click Integrations and then click Launch Cortex XSOAR. It’s visible in the address bar of the web page displaying the Cortex XSOAR interface.

To create an Cortex XSOAR engine, access the Cortex XSOAR interface (from Device Security, click Integrations and then click Launch Cortex XSOAR). In the Cortex XSOAR UI, click SettingsEngines+ Create New Engine. Choose Shell as the type.

For Cortex XSOAR engine installation instructions, see Engine Installation.

For help troubleshooting Cortex XSOAR engines, including installations, upgrades, connectivity, and permissions, see Troubleshoot Engines and Troubleshoot Integrations Running on Engines.

Configure Device Security and Cortex XSOAR

Log in to Device Security and from there access the Tenable SC instance settings in Cortex XSOAR.
1. Log in to Device Security and then click Integrations.
  Device Security uses Cortex XSOAR to integrate with Tenable Security Center, and the settings you must configure to integrate with it are in the Cortex XSOAR interface.
2. Launch Cortex XSOAR.
  
  The Cortex XSOAR interface opens in a new browser window.
3. Click Settings in the left navigation menu, and search for Tenable to locate it among other instances.
Configure the settings for a Tenable SC integration instance.
1. Click the active integration instance settings icon, or click Add instance, to open the settings panel.
2. Enter the following settings and leave the others at their default values:
  Name: Use the default name of the integration instance.
  Server URL: Enter the URL of your Tenable Security Center management system.
  Access Key: Enter the access key for Cortex XSOAR to access your Tenable Security Center.
  Secret Key: Enter the secret key for Cortex XSOAR to access your Tenable Security Center.
  Optional Vulnerability Severity Level Filter: Select the severity levels for vulnerabilities that you want to import from Tenable Security Center to Device Security. Be default, Device Security imports only vulnerabilities with a severity level of Critical.
  Optional Learn Device Software Components: Select if you want to learn about software components running on the devices from Tenable Security Center.
  Optional Last Seen: Enter the time range in days that you want to get vulnerability or device information when running a Tenable Security Center integration job. The job polls for all vulnerabilities or devices identified or updated in the specified time. By default, the Tenable Security Center jobs retrieve devices or vulnerabilities last seen in the past seven days.
  Optional Run on Single engine: Choose the Cortex XSOAR engine you want to use if you're connecting to an on-premises Tenable Security Center.
3. When finished, click Test or Test resultsRun test to test the integration instance.
  
  If the test is successful, a Success message appears. If not, check that the settings were entered correctly, and then test the configuration again.
4. After the test succeeds, click Save & exit to save your changes and close the settings panel.
Enable the Tenable Security Center integration instance.
Create a job for Cortex XSOAR to send and receive information from Tenable Security Center.

Depending on whether you want to update device details or get vulnerability information, select the appropriate playbook when configuring the job. If you want to run multiple playbooks, you must create separate jobs, one for each playbook. You can also create multiple jobs if you have multiple integration instances.
1. Click Jobs in the sidebar, and then click New Job to create a new Cortex XSOAR job.
2. Configure the following settings in the New Job panel:
  Optional Recurring: Select this if you want to periodically run the job. Clear it if you want to run the job on-demand.
  Optional Every: If you selected Recurring, enter a number and set the interval value (Minutes, Hours, Days, or Weeks) and select the days on which to run the job. If you don't select specific days, then the job will run every day by default. This determines how often Cortex XSOAR queries Tenable Security Center to send and receive information. You can configure Queue Handling to determine what happens if a new job starts while an old job is still running.
  Name: Enter a name for the job.
  Playbook: Select the playbook depending on the type of job you're configuring. You can select one of the following playbooks when integrating with Tenable Security Center:
  Get Tenable SC Policies, Repositories and Reports - PANW IoT Security 3rd Party Integration – Import Tenable Security Center assets to Device Security. Run this job before initiating a scan, or else Device Security won’t be able to learn information from the Tenable Security Center scan.
  Import Tenable SC Host Assets to PANW IoT Security Cloud – Import devices from Tenable Security Center to Device Security.
  Import Tenable SC Open Vulnerabilities to PANW IoT Security cloud – Get a list of all confirmed vulnerabilities.
  Tag Tenable SC Assets with PANW IoT Security Categories – Add a tag to all devices in Tenable Security Center with their corresponding device category in Device Security. Devices can only have one category tag. You can use the category tag to filter devices when running vulnerability scans in Tenable Security Center.
  Integration Instance Name: Enter the instance name of the integration instance you created.
3. Click Create new job and verify that the job appears in the Jobs list
Enable the job and run it.

Check the Job Status for the job you created. If it's Disabled, select its checkbox and then click Enable.

You can immediately run the job by selecting it and clicking Run now. Otherwise, if you scheduled a recurring job, then the enabled job will run as scheduled.
Return to Device Security and check the status of the Tenable Security Center integration.
An integration instance can be in one of the following four states, which Device Security displays in the Status column on the Integrations page:
- Active — the integration was configured and enabled and is functioning properly.
  Disabled — either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
- Error — the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
- Inactive — the integration was configured and enabled but no job has run for at least the past 60 minutes.
When you see that the status of an integration instance is Active, its setup is complete.