Tenable Security Center

Integration version: 15.0

Integrate Tenable Security Center with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration inputs

To configure the integration, use the following parameters:

Parameters
Server Address Required

The address of the Tenable Security Center server to use in the integration.

Username Required

Username to sign in to the Tenable Security Center server.

Password Required

Password to sign in to the Tenable Security Center server.

Verify SSL Optional

If selected, verifies that the SSL certificate for the connection to the Tenable server is valid.

Selected by default.

Actions

Add IP To IP List Asset

Add an IP to IP list asset in Tenable Security Center.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Asset Name String N/A Yes Specify the name of the IP list asset to which you want to add new IPs.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "type": "regular",
    "response": {
        "id": "41",
        "name": "api_test_5",
        "type": "static",
        "description": "",
        "tags": "qweqwe",
        "context": "",
        "status": "0",
        "createdTime": "1606129689",
        "modifiedTime": "1606129689",
        "ioSyncStatus": "Not Synced",
        "ioFirstSyncTime": "-1",
        "ioLastSyncSuccess": "-1",
        "ioLastSyncFailure": "-1",
        "ioSyncErrorDetails": null,
        "typeFields": {
            "definedIPs": "203.0.113.1,203.0.113.10"
        },
        "repositories": [
            {
                "ipCount": "-1",
                "repository": {
                    "id": "1",
                    "name": "Example-Repository",
                    "description": ""
                }
            }
        ],
        "ipCount": -1,
        "groups": [],
        "assetDataFields": [],
        "canUse": "true",
        "canManage": "true",
        "creator": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "owner": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "ownerGroup": {
            "id": "0",
            "name": "Full Access",
            "description": "Full Access group"
        },
        "targetGroup": {
            "id": -1,
            "name": "",
            "description": ""
        },
        "template": {
            "id": -1,
            "name": "",
            "description": ""
        }
    },
    "error_code": 0,
    "error_msg": "",
    "warnings": [],
    "timestamp": 1606129688
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If static code 200(is_success = true): print "Successfully added the following IPs to the IP List Asset {0} in Tenable Security Center:\n{1}".format(name, entity.identifier)

If no IP entities: No IP addresses were added to the IP List Asset {0}.format(name)

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Add IP to IP List Asset". Reason: {0}''.format(error.Stacktrace)


If asset not found: print "Error executing action "Add IP to IP List Asset". Reason: Asset {0} was not found in Tenable Security Center. ''.format(error.Stacktrace)

If not static code 200 (is_success = false): print "Error executing action "Add IP to IP List Asset". Reason: {0}''.format(error_msg)

General

Create IP List Asset

Create an IP list asset in Tenable Security Center. Requires at least one IP entity for a successful execution.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name for the IP list asset.
Description String N/A No Specify the description of the IP list asset.
Tag String N/A No Specify the tag of the IP list asset.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "type": "regular",
    "response": {
        "id": "41",
        "name": "api_test_5",
        "type": "static",
        "description": "",
        "tags": "qweqwe",
        "context": "",
        "status": "0",
        "createdTime": "1606129689",
        "modifiedTime": "1606129689",
        "ioSyncStatus": "Not Synced",
        "ioFirstSyncTime": "-1",
        "ioLastSyncSuccess": "-1",
        "ioLastSyncFailure": "-1",
        "ioSyncErrorDetails": null,
        "typeFields": {
            "definedIPs": "203.0.113.1,203.0.113.10"
        },
        "repositories": [
            {
                "ipCount": "-1",
                "repository": {
                    "id": "1",
                    "name": "Example-Repository",
                    "description": ""
                }
            }
        ],
        "ipCount": -1,
        "groups": [],
        "assetDataFields": [],
        "canUse": "true",
        "canManage": "true",
        "creator": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "owner": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "ownerGroup": {
            "id": "0",
            "name": "Full Access",
            "description": "Full Access group"
        },
        "targetGroup": {
            "id": -1,
            "name": "",
            "description": ""
        },
        "template": {
            "id": -1,
            "name": "",
            "description": ""
        }
    },
    "error_code": 0,
    "error_msg": "",
    "warnings": [],
    "timestamp": 1606129688
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If static code 200(is_success = true): print "Successfully created new IP List Asset {0} with the following IPs in Tenable Security Center:\n{1}".format(name, entity.identifier)

If no IP entities: print "At least 1 IP entity should be available in order to create an IP List Asset'.


The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Create IP List Asset". Reason: {0}''.format(error.Stacktrace)

If not static code 200 (is_success = false): print "Error executing action "Create IP List Asset". Reason: {0}''.format(error_msg)

General

Enrich IP

Get information about IP addresses and enrich them.

Parameters

Parameter Type Default Value Description
Repository Name String N/A The repository name.

Run on

This action runs on the IP Address entity.

Action results

Entity enrichment
Enrichment Field Name Logic-When to apply
macAddress Returns if it exists in JSON result
severityLow Returns if it exists in JSON result
links Returns if it exists in JSON result
ip Returns if it exists in JSON result
last scan Returns if it exists in JSON result
severityCritical Returns if it exists in JSON result
total Returns if it exists in JSON result
severityAll Returns if it exists in JSON result
mcafeeGUID Returns if it exists in JSON result
policyName Returns if it exists in JSON result
uuid Returns if it exists in JSON result
lastAuthRun Returns if it exists in JSON result
severityInfo Returns if it exists in JSON result
osCPE Returns if it exists in JSON result
uniqueness Returns if it exists in JSON result
dnsName Returns if it exists in JSON result
repository Returns if it exists in JSON result
ip Returns if it exists in JSON result
description Returns if it exists in JSON result
name Returns if it exists in JSON result
lastUnauthRun Returns if it exists in JSON result
biosGUID Returns if it exists in JSON result
tpmID Returns if it exists in JSON result
score Returns if it exists in JSON result
hasPassive Returns if it exists in JSON result
pluginSet Returns if it exists in JSON result
hasCompliance Returns if it exists in JSON result
severityHigh Returns if it exists in JSON result
netbiosName Returns if it exists in JSON result
severityMedium Returns if it exists in JSON result
os Returns if it exists in JSON result
Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
[
{
"EntityResult":
{
"macAddress": "",
"severityLow": "0",
"links": [],
"ip": "203.0.113.1",
"lastScan": "1549425224",
"severityCritical": "0",
"total": "2",
"severityAll": "0,0,0,0,2",
"mcafeeGUID": "",
"policyName": "1e2e4247-0de7-56d5-8026-34ab1f3150ef-1130313/Basic Discovery Scan",
"uuid": "",
"lastAuthRun": "",
"severityInfo": "2",
"osCPE": "",
"uniqueness": "repositoryID,ip,dnsName",
 "dnsName": "example.com",
"repository":
          {
"id": "1",
"description": "",
"name": "repository"
          },
"lastUnauthRun": "1549363419",
"biosGUID": "",
"tpmID": "",
"score": "0",
"hasPassive": "No",
"pluginSet": "201902020242",
"hasCompliance": "No",
"severityHigh": "0",
"netbiosName": "",
"severityMedium": "0",
"os": ""
},
"Entity": "203.0.113.1"
}
]

Get assets that are related to an IP address.

Parameters

Parameter Type Default Value Description
Repository Name String N/A The repository name.

Run on

This action runs on the IP Address entity.

Action results

Entity enrichment
Enrichment Field Name Logic-When to apply
id Returns if it exists in JSON result
name Returns if it exists in JSON result
Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
[
{
"EntityResult":
[
{
"id": "0",
"description": "All defining ranges of the Group in whose context this Asset is being evaluated.",
"name": "All Defined Ranges"
}, {
"id": "2",
"description": "This asset uses the Scan Summary plugin to detect if a host has been scanned by Nessus. The Scan Summary plugin contains the list of tests conducted during the most recent scan.",
"name": "Systems that have been Scanned"
}, {
"id": "13",
"description": "Leverage Nessus plugin 10180 (Ping the remote host) and Nessus plugin 12503 (Host Fully Qualified Domain Name (FQDN) Resolution) to find hosts that don't have a resolvable FQDN in DNS.",
"name": "Scanned Hosts Not in DNS"
}
],
"Entity": "203.0.113.1"
}
]

Get Report

Get report content by ID or name.

Parameters

Parameter Type Default Value Description
Report ID String N/A Report ID number.Can be found at the report URL.

Run On

This action runs on all entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
"pubSites":
[
"https://example.com",
"https://example.net"
]
}

Get Scan Results

Wait for scan to complete and get results of the scan.

Parameters

Parameter Type Default Value Description
Scan Result ID

String

N/A The scan results ID.

Run on

This action runs on all entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result

{
"severity_summary":
[
{
"count": "0",
"severity":
{
"id": "4",
"name": "Critical",
"description": "Critical Severity"
}
}, {
"count": "0",
"severity":
{
"id": "3",
"name": "High",
"description": "High Severity"
}
}, {
"count": "3",
"severity":
{"id": "2",
"name": "Medium",
"description": "Medium Severity"
}}
],
"results":
[
{
"name": "DNS Server Recursive Query Cache Poisoning Weakness",
"family": "DNS",
"hostTotal": "1",
"pluginID": "10539",
"total": "1",
"severity": "Medium"
}, {
"name": "DNS Server Spoofed Request Amplification DDoS",
"family": "DNS",
"hostTotal": "1",
"pluginID": "35450",
"total": "1",
"severity": "Medium"
}, {
"name": "SSL Medium Strength Cipher Suites Supported",
"family": "General",
"hostTotal": "1",
"pluginID": "42873",
"total": "1",
"severity": "Medium"
}
]
}

Get Vulnerabilities for IP

Get vulnerabilities and severity summary for an IP address.

Parameters

N/A

Run on

This action runs on the IP Address entity.

Action results

Entity enrichment
Enrichment Field Name Logic-When to apply
macAddress Returns if it exists in JSON result
protocol Returns if it exists in JSON result
uuid Returns if it exists in JSON result
family Returns if it exists in JSON result
pluginInfo Returns if it exists in JSON result
ip Returns if it exists in JSON result
pluginID Returns if it exists in JSON result
severity Returns if it exists in JSON result
repository Returns if it exists in JSON result
uniqueness Returns if it exists in JSON result
dnsName Returns if it exists in JSON result
port Returns if it exists in JSON result
netbiosName Returns if it exists in JSON result
name

Returns if it exists in JSON result

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
[
{
"EntityResult":
[
{
"macAddress": "",
"protocol": "TCP",
"uuid": "",
"family": "Web Servers",
"pluginInfo": "10107 (443/6) HTTP Server Type and Version",
"ip": "203.0.113.1",
"pluginID": "10107",
"severity": "Info",
"repository": "repo",
"uniqueness": "repositoryID,ip,dnsName",
"dnsName": "example.com",
"port": "443",
"netbiosName": "",
"name": "HTTP Server Type and Version"
}, {
"macAddress": "",
"protocol": "UDP",
"uuid": "",
"family": "DNS",
"pluginInfo": "10539 (53/17) DNS Server Recursive Query Cache Poisoning Weakness",
"ip": "203.0.113.1",
"pluginID": "10539",
"severity": "Medium",
"repository": "repo",
"uniqueness": "repositoryID,ip,dnsName",
"dnsName": "exaample.com",
"port": "53",
"netbiosName": "",
"name": "DNS Server Recursive Query Cache Poisoning Weakness"
}, {
"macAddress": "",
"protocol": "TCP",
"uuid": "",
"family": "General",
"pluginInfo": "10863 (443/6) SSL Certificate Information",
"ip": "203.0.113.1",
"pluginID": "10863",
"severity": "Info",
"repository": "repo",
"uniqueness": "repositoryID,ip,dnsName",
"dnsName": "example.com",
"port": "443",
"netbiosName": "",
"name": "SSL Certificate Information"
}
],
"Entity": "203.0.113.1"
}
]

Ping

Test connectivity.

Run on

This action runs on all entities.

Action results

Script result
Script Result Name Value Options Example
null N/A N/A

Scan IPs

Initiate a scan of IP addresses.

Parameters

Parameter Type Default Value Description
Scan name String N/A The name of the scan to create.
Policy Name String N/A The name of the policy.

Run on

This action runs on the IP Address entity.

Action results

Script result
Script Result Name Value Options Example
scan_result_id N/A N/A

Run Asset Scan

Execute Asset Scan in Tenable Security Center.

Where To Find Policy ID And Repository ID

For Policy ID:

  1. Navigate to https://INSTANCE_IP_ADDRESS/#policies.
  2. Select the policy that you want to use in action.
  3. In the URL, you will be able to see an ID of that policy.

For Repository ID:

  1. Navigate to https://INSTANCE_IP_ADDRESS/#repositories.
  2. Select the repository that you want to use in action.
  3. In the URL, you will be able to see an ID of that repository.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Scan Name N/A Yes Specify the name for the scan.
Asset Name String N/A Yes Specify the name of the asset that should be scanned.
Policy ID Integer N/A Yes Specify the ID of the policy that should be used in the scan.
Repository ID Integer N/A Yes Specify the ID of the repository that should be used in the scan.
Description String N/A No Specify the description for the scan.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "type": "regular",
    "response": {
        "id": "11",
        "name": "Scan Name",
        "description": "",
        "ipList": "",
        "type": "policy",
        "dhcpTracking": "false",
        "classifyMitigatedAge": "0",
        "emailOnLaunch": "false",
        "emailOnFinish": "false",
        "timeoutAction": "import",
        "scanningVirtualHosts": "false",
        "rolloverType": "template",
        "status": "0",
        "createdTime": "1606132784",
        "modifiedTime": "1606132784",
        "maxScanTime": "3600",
        "reports": [],
        "assets": [
            {
                "id": "38",
                "name": "api_test_1",
                "description": ""
            }
        ],
        "credentials": [],
        "numDependents": "0",
        "schedule": {
            "id": -1,
            "objectType": -1,
            "type": "now",
            "start": "",
            "repeatRule": "",
            "enabled": "true",
            "nextRun": -1,
            "dependent": {
                "id": -1,
                "name": "",
                "description": ""
            }
        },
        "policy": {
            "id": "1000002",
            "context": "",
            "name": "Host Discovery",
            "description": "",
            "tags": "",
            "owner": {
                "id": "1",
                "username": "security_manager",
                "firstname": "Manager",
                "lastname": "Security"
            },
            "ownerGroup": {
                "id": "0",
                "name": "Full Access",
                "description": "Full Access group"
            }
        },
        "policyPrefs": [
            {
                "name": "MODE|discovery",
                "value": "host_enumeration"
            },
            {
                "name": "description",
                "value": ""
            },
            {
                "name": "display_unreachable_hosts",
                "value": "no"
            },
            {
                "name": "log_live_hosts",
                "value": "yes"
            },
            {
                "name": "name",
                "value": "Host Discovery"
            },
            {
                "name": "reverse_lookup",
                "value": "no"
            }
        ],
        "repository": {
            "id": "1",
            "name": "Example-Repository",
            "description": ""
        },
        "canUse": "true",
        "canManage": "true",
        "plugin": {
            "id": -1,
            "name": "",
            "description": ""
        },
        "zone": {
            "id": -1,
            "name": "",
            "description": ""
        },
        "ownerGroup": {
            "id": "0",
            "name": "Full Access",
            "description": "Full Access group"
        },
        "creator": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "owner": {
            "id": "1",
            "username": "security_manager",
            "firstname": "Manager",
            "lastname": "Security"
        },
        "scanResultID": "34"
    },
    "error_code": 0,
    "error_msg": "",
    "warnings": [],
    "timestamp": 1606132783
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If static code 200(is_success = true): print "Successfully started asset scan {0} in Tenable Security Center.".format(name)

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Run Asset Scan". Reason: {0}''.format(error.Stacktrace)

If asset not found: print "Error executing action "Run Asset Scan". Reason: Asset {0} was not found in Tenable Security Center. ''.format(name)

If not static code 200 (is_success = false): print "Error executing action "Run Asset Scan". Reason:{0}".format(error_msg)

General

Connectors

Tenable Security Center Connector

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Type Default Value Description
DeviceProductField String device_product The field name used to determine the device product.
EventClassId String name The field name used to determine the event name (sub-type).
PythonProcessTimeout String 60 The timeout limit (in seconds) for the python process running current script.
Server Address String null N/A
Username String null N/A
Password Password null N/A
Use SSL Checkbox Unchecked N/A
Max Days Backwards Integer 1 The amount of days back, from which you would like to fetch data.
Limit Per Cycle Integer 10 The amount of alerts ingested into the connector in each execution cycle.
Proxy Server Address String null The address of the proxy server to use.
Proxy Username String null The proxy username to authenticate with.
Proxy Password Password null The proxy password to authenticate with.

Connector rules

The connector supports proxies.