Tenable Security Center
Integration version: 15.0
Integrate Tenable Security Center with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
To configure the integration, use the following parameters:
Parameter | Description |
---|---|
Server Address | Required. The address of the Tenable Security Center server to use in the integration. |
Username | Required. Username to sign in to the Tenable Security Center server. |
Password | Required. Password to sign in to the Tenable Security Center server. |
Verify SSL | Optional. If selected, verifies that the SSL certificate for the connection to the Tenable server is valid. Selected by default. |
Actions
Add IP To IP List Asset
Add an IP to an IP list asset in Tenable Security Center.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Asset Name | String | N/A | Yes | Specify the name of the IP list asset to which you want to add new IPs. |
Run on
This action runs on the IP Address entity.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
{
  "type": "regular",
  "response": {
    "id": "41",
    "name": "api_test_5",
    "type": "static",
    "description": "",
    "tags": "qweqwe",
    "context": "",
    "status": "0",
    "createdTime": "1606129689",
    "modifiedTime": "1606129689",
    "ioSyncStatus": "Not Synced",
    "ioFirstSyncTime": "-1",
    "ioLastSyncSuccess": "-1",
    "ioLastSyncFailure": "-1",
    "ioSyncErrorDetails": null,
    "typeFields": {
      "definedIPs": "203.0.113.1,203.0.113.10"
    },
    "repositories": [
      {
        "ipCount": "-1",
        "repository": {
          "id": "1",
          "name": "Example-Repository",
          "description": ""
        }
      }
    ],
    "ipCount": -1,
    "groups": [],
    "assetDataFields": [],
    "canUse": "true",
    "canManage": "true",
    "creator": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "owner": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "ownerGroup": {
      "id": "0",
      "name": "Full Access",
      "description": "Full Access group"
    },
    "targetGroup": {
      "id": -1,
      "name": "",
      "description": ""
    },
    "template": {
      "id": -1,
      "name": "",
      "description": ""
    }
  },
  "error_code": 0,
  "error_msg": "",
  "warnings": [],
  "timestamp": 1606129688
}
```
Case wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If no IP entities: print "No IP addresses were added to the IP List Asset {0}".format(name). If not status code 200 (is_success = false): print "Error executing action "Add IP to IP List Asset". Reason: {0}".format(error_msg) | General |
Create IP List Asset
Create an IP list asset in Tenable Security Center. Requires at least one IP entity for a successful execution.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Name | String | N/A | Yes | Specify the name for the IP list asset. |
Description | String | N/A | No | Specify the description of the IP list asset. |
Tag | String | N/A | No | Specify the tag of the IP list asset. |
Run on
This action runs on the IP Address entity.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
{
  "type": "regular",
  "response": {
    "id": "41",
    "name": "api_test_5",
    "type": "static",
    "description": "",
    "tags": "qweqwe",
    "context": "",
    "status": "0",
    "createdTime": "1606129689",
    "modifiedTime": "1606129689",
    "ioSyncStatus": "Not Synced",
    "ioFirstSyncTime": "-1",
    "ioLastSyncSuccess": "-1",
    "ioLastSyncFailure": "-1",
    "ioSyncErrorDetails": null,
    "typeFields": {
      "definedIPs": "203.0.113.1,203.0.113.10"
    },
    "repositories": [
      {
        "ipCount": "-1",
        "repository": {
          "id": "1",
          "name": "Example-Repository",
          "description": ""
        }
      }
    ],
    "ipCount": -1,
    "groups": [],
    "assetDataFields": [],
    "canUse": "true",
    "canManage": "true",
    "creator": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "owner": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "ownerGroup": {
      "id": "0",
      "name": "Full Access",
      "description": "Full Access group"
    },
    "targetGroup": {
      "id": -1,
      "name": "",
      "description": ""
    },
    "template": {
      "id": -1,
      "name": "",
      "description": ""
    }
  },
  "error_code": 0,
  "error_msg": "",
  "warnings": [],
  "timestamp": 1606129688
}
```
Case wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If no IP entities: print "At least 1 IP entity should be available in order to create an IP List Asset". If not status code 200 (is_success = false): print "Error executing action "Create IP List Asset". Reason: {0}".format(error_msg) | General |
Enrich IP
Get information about IP addresses and enrich them.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Repository Name | String | N/A | The repository name. |
Run on
This action runs on the IP Address entity.
Action results
Entity enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
macAddress | Returns if it exists in JSON result |
severityLow | Returns if it exists in JSON result |
links | Returns if it exists in JSON result |
ip | Returns if it exists in JSON result |
lastScan | Returns if it exists in JSON result |
severityCritical | Returns if it exists in JSON result |
total | Returns if it exists in JSON result |
severityAll | Returns if it exists in JSON result |
mcafeeGUID | Returns if it exists in JSON result |
policyName | Returns if it exists in JSON result |
uuid | Returns if it exists in JSON result |
lastAuthRun | Returns if it exists in JSON result |
severityInfo | Returns if it exists in JSON result |
osCPE | Returns if it exists in JSON result |
uniqueness | Returns if it exists in JSON result |
dnsName | Returns if it exists in JSON result |
repository | Returns if it exists in JSON result |
description | Returns if it exists in JSON result |
name | Returns if it exists in JSON result |
lastUnauthRun | Returns if it exists in JSON result |
biosGUID | Returns if it exists in JSON result |
tpmID | Returns if it exists in JSON result |
score | Returns if it exists in JSON result |
hasPassive | Returns if it exists in JSON result |
pluginSet | Returns if it exists in JSON result |
hasCompliance | Returns if it exists in JSON result |
severityHigh | Returns if it exists in JSON result |
netbiosName | Returns if it exists in JSON result |
severityMedium | Returns if it exists in JSON result |
os | Returns if it exists in JSON result |
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
[
  {
    "EntityResult": {
      "macAddress": "",
      "severityLow": "0",
      "links": [],
      "ip": "203.0.113.1",
      "lastScan": "1549425224",
      "severityCritical": "0",
      "total": "2",
      "severityAll": "0,0,0,0,2",
      "mcafeeGUID": "",
      "policyName": "1e2e4247-0de7-56d5-8026-34ab1f3150ef-1130313/Basic Discovery Scan",
      "uuid": "",
      "lastAuthRun": "",
      "severityInfo": "2",
      "osCPE": "",
      "uniqueness": "repositoryID,ip,dnsName",
      "dnsName": "example.com",
      "repository": {
        "id": "1",
        "description": "",
        "name": "repository"
      },
      "lastUnauthRun": "1549363419",
      "biosGUID": "",
      "tpmID": "",
      "score": "0",
      "hasPassive": "No",
      "pluginSet": "201902020242",
      "hasCompliance": "No",
      "severityHigh": "0",
      "netbiosName": "",
      "severityMedium": "0",
      "os": ""
    },
    "Entity": "203.0.113.1"
  }
]
```
Get Related Assets
Get assets that are related to an IP address.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Repository Name | String | N/A | The repository name. |
Run on
This action runs on the IP Address entity.
Action results
Entity enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
id | Returns if it exists in JSON result |
name | Returns if it exists in JSON result |
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
[
  {
    "EntityResult": [
      {
        "id": "0",
        "description": "All defining ranges of the Group in whose context this Asset is being evaluated.",
        "name": "All Defined Ranges"
      },
      {
        "id": "2",
        "description": "This asset uses the Scan Summary plugin to detect if a host has been scanned by Nessus. The Scan Summary plugin contains the list of tests conducted during the most recent scan.",
        "name": "Systems that have been Scanned"
      },
      {
        "id": "13",
        "description": "Leverage Nessus plugin 10180 (Ping the remote host) and Nessus plugin 12503 (Host Fully Qualified Domain Name (FQDN) Resolution) to find hosts that don't have a resolvable FQDN in DNS.",
        "name": "Scanned Hosts Not in DNS"
      }
    ],
    "Entity": "203.0.113.1"
  }
]
```
Get Report
Get report content by ID or name.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Report ID | String | N/A | Report ID number. Can be found in the report URL. |
Run On
This action runs on all entities.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
{
  "pubSites": [
    "https://example.com",
    "https://example.net"
  ]
}
```
Get Scan Results
Wait for the scan to complete and get the results of the scan.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Scan Result ID | String | N/A | The scan results ID. |
Run on
This action runs on all entities.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
{
  "severity_summary": [
    {
      "count": "0",
      "severity": {
        "id": "4",
        "name": "Critical",
        "description": "Critical Severity"
      }
    },
    {
      "count": "0",
      "severity": {
        "id": "3",
        "name": "High",
        "description": "High Severity"
      }
    },
    {
      "count": "3",
      "severity": {
        "id": "2",
        "name": "Medium",
        "description": "Medium Severity"
      }
    }
  ],
  "results": [
    {
      "name": "DNS Server Recursive Query Cache Poisoning Weakness",
      "family": "DNS",
      "hostTotal": "1",
      "pluginID": "10539",
      "total": "1",
      "severity": "Medium"
    },
    {
      "name": "DNS Server Spoofed Request Amplification DDoS",
      "family": "DNS",
      "hostTotal": "1",
      "pluginID": "35450",
      "total": "1",
      "severity": "Medium"
    },
    {
      "name": "SSL Medium Strength Cipher Suites Supported",
      "family": "General",
      "hostTotal": "1",
      "pluginID": "42873",
      "total": "1",
      "severity": "Medium"
    }
  ]
}
```
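As an added example (not code from the Google SecOps or Tenable documentation), the Python helper below reads a Get Scan Results JSON result of the shape shown above, reconciles severity_summary against the results rows, and applies a severity threshold that a playbook condition can branch on. The sample input is constructed from the values on this page; the severity ranking and the function names are assumptions of this example.

```python
import json

# Severity names as they appear in this page's "Get Scan Results" output, ranked (assumed order).
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample, shaped like the JSON result shown above (not a live response).
SAMPLE_SCAN_RESULT = json.loads("""
{
  "severity_summary": [
    {"count": "0", "severity": {"id": "4", "name": "Critical", "description": "Critical Severity"}},
    {"count": "0", "severity": {"id": "3", "name": "High", "description": "High Severity"}},
    {"count": "3", "severity": {"id": "2", "name": "Medium", "description": "Medium Severity"}}
  ],
  "results": [
    {"name": "DNS Server Recursive Query Cache Poisoning Weakness", "family": "DNS",
     "hostTotal": "1", "pluginID": "10539", "total": "1", "severity": "Medium"},
    {"name": "DNS Server Spoofed Request Amplification DDoS", "family": "DNS",
     "hostTotal": "1", "pluginID": "35450", "total": "1", "severity": "Medium"},
    {"name": "SSL Medium Strength Cipher Suites Supported", "family": "General",
     "hostTotal": "1", "pluginID": "42873", "total": "1", "severity": "Medium"}
  ]
}
""")

def severity_counts(scan_result):
    """{severity name: count} from severity_summary; note the counts arrive as strings."""
    return {e["severity"]["name"]: int(e["count"])
            for e in scan_result.get("severity_summary", [])}

def summary_matches_results(scan_result):
    """Cross-check the summary against the rows: each summarised severity must have
    exactly that many result rows. A mismatch suggests a truncated or stale result,
    which a playbook should treat as unreliable rather than as 'clean'."""
    observed = {}
    for row in scan_result.get("results", []):
        observed[row["severity"]] = observed.get(row["severity"], 0) + 1
    return all(observed.get(name, 0) == count
               for name, count in severity_counts(scan_result).items())

def findings_at_or_above(scan_result, threshold="High"):
    """Sorted plugin IDs (as ints) whose severity is at least `threshold`."""
    floor = SEVERITY_RANK[threshold]
    return sorted({int(r["pluginID"]) for r in scan_result.get("results", [])
                   if SEVERITY_RANK.get(r["severity"], -1) >= floor})

def should_escalate(scan_result, threshold="High"):
    """Escalate on any finding at the threshold, or when the summary fails to reconcile."""
    return (bool(findings_at_or_above(scan_result, threshold))
            or not summary_matches_results(scan_result))
```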
Get Vulnerabilities for IP
Get vulnerabilities and severity summary for an IP address.
Parameters
N/A
Run on
This action runs on the IP Address entity.
Action results
Entity enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
macAddress | Returns if it exists in JSON result |
protocol | Returns if it exists in JSON result |
uuid | Returns if it exists in JSON result |
family | Returns if it exists in JSON result |
pluginInfo | Returns if it exists in JSON result |
ip | Returns if it exists in JSON result |
pluginID | Returns if it exists in JSON result |
severity | Returns if it exists in JSON result |
repository | Returns if it exists in JSON result |
uniqueness | Returns if it exists in JSON result |
dnsName | Returns if it exists in JSON result |
port | Returns if it exists in JSON result |
netbiosName | Returns if it exists in JSON result |
name | Returns if it exists in JSON result |
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
[
  {
    "EntityResult": [
      {
        "macAddress": "",
        "protocol": "TCP",
        "uuid": "",
        "family": "Web Servers",
        "pluginInfo": "10107 (443/6) HTTP Server Type and Version",
        "ip": "203.0.113.1",
        "pluginID": "10107",
        "severity": "Info",
        "repository": "repo",
        "uniqueness": "repositoryID,ip,dnsName",
        "dnsName": "example.com",
        "port": "443",
        "netbiosName": "",
        "name": "HTTP Server Type and Version"
      },
      {
        "macAddress": "",
        "protocol": "UDP",
        "uuid": "",
        "family": "DNS",
        "pluginInfo": "10539 (53/17) DNS Server Recursive Query Cache Poisoning Weakness",
        "ip": "203.0.113.1",
        "pluginID": "10539",
        "severity": "Medium",
        "repository": "repo",
        "uniqueness": "repositoryID,ip,dnsName",
        "dnsName": "example.com",
        "port": "53",
        "netbiosName": "",
        "name": "DNS Server Recursive Query Cache Poisoning Weakness"
      },
      {
        "macAddress": "",
        "protocol": "TCP",
        "uuid": "",
        "family": "General",
        "pluginInfo": "10863 (443/6) SSL Certificate Information",
        "ip": "203.0.113.1",
        "pluginID": "10863",
        "severity": "Info",
        "repository": "repo",
        "uniqueness": "repositoryID,ip,dnsName",
        "dnsName": "example.com",
        "port": "443",
        "netbiosName": "",
        "name": "SSL Certificate Information"
      }
    ],
    "Entity": "203.0.113.1"
  }
]
```
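As an added example (not code from the Google SecOps or Tenable documentation), the Python helper below applies the enrichment rule from the table above ("Returns if it exists in JSON result") to a Get Vulnerabilities for IP result of the shape shown, and derives per-entity aggregates (worst severity, exposed port/protocol pairs) that a playbook can branch on. The sample rows are constructed from the values on this page; the severity ranking and function names are assumptions of this example.

```python
# Fields listed in the enrichment table above for "Get Vulnerabilities for IP".
ENRICHMENT_FIELDS = ("macAddress", "protocol", "uuid", "family", "pluginInfo", "ip",
                     "pluginID", "severity", "repository", "uniqueness", "dnsName",
                     "port", "netbiosName", "name")
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed order

# Constructed sample shaped like the JSON result above (two of its three rows).
SAMPLE_RESULT = [{
    "Entity": "203.0.113.1",
    "EntityResult": [
        {"macAddress": "", "protocol": "TCP", "uuid": "", "family": "Web Servers",
         "pluginInfo": "10107 (443/6) HTTP Server Type and Version", "ip": "203.0.113.1",
         "pluginID": "10107", "severity": "Info", "repository": "repo",
         "uniqueness": "repositoryID,ip,dnsName", "dnsName": "example.com", "port": "443",
         "netbiosName": "", "name": "HTTP Server Type and Version"},
        {"macAddress": "", "protocol": "UDP", "uuid": "", "family": "DNS",
         "pluginInfo": "10539 (53/17) DNS Server Recursive Query Cache Poisoning Weakness",
         "ip": "203.0.113.1", "pluginID": "10539", "severity": "Medium", "repository": "repo",
         "uniqueness": "repositoryID,ip,dnsName", "dnsName": "example.com", "port": "53",
         "netbiosName": "", "name": "DNS Server Recursive Query Cache Poisoning Weakness"},
    ],
}]

def enrich_finding(row):
    """Apply the table's rule: keep only the listed keys that are present and non-empty,
    so empty strings never overwrite values the entity already carries from other
    enrichment sources."""
    return {k: row[k] for k in ENRICHMENT_FIELDS if row.get(k) not in ("", None)}

def enrich_entities(result):
    """Per entity: cleaned findings, the worst severity seen, and the exposed services."""
    out = {}
    for item in result:
        findings = [enrich_finding(r) for r in item.get("EntityResult", [])]
        worst = max((f.get("severity", "Info") for f in findings),
                    key=lambda s: SEVERITY_RANK.get(s, -1), default=None)
        services = sorted({f"{f['port']}/{f['protocol']}" for f in findings
                           if "port" in f and "protocol" in f})
        out[item["Entity"]] = {"findings": findings, "worst_severity": worst,
                               "services": services}
    return out
```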
Ping
Test connectivity.
Run on
This action runs on all entities.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
null | N/A | N/A |
Scan IPs
Initiate a scan of IP addresses.
Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Scan name | String | N/A | The name of the scan to create. |
Policy Name | String | N/A | The name of the policy. |
Run on
This action runs on the IP Address entity.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
scan_result_id | N/A | N/A |
Run Asset Scan
Execute an asset scan in Tenable Security Center.
Where To Find Policy ID And Repository ID
For Policy ID:
- Navigate to https://INSTANCE_IP_ADDRESS/#policies.
- Select the policy that you want to use in the action.
- In the URL, you will be able to see the ID of that policy.
For Repository ID:
- Navigate to https://INSTANCE_IP_ADDRESS/#repositories.
- Select the repository that you want to use in the action.
- In the URL, you will be able to see the ID of that repository.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Scan Name | String | N/A | Yes | Specify the name for the scan. |
Asset Name | String | N/A | Yes | Specify the name of the asset that should be scanned. |
Policy ID | Integer | N/A | Yes | Specify the ID of the policy that should be used in the scan. |
Repository ID | Integer | N/A | Yes | Specify the ID of the repository that should be used in the scan. |
Description | String | N/A | No | Specify the description for the scan. |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
```json
{
  "type": "regular",
  "response": {
    "id": "11",
    "name": "Scan Name",
    "description": "",
    "ipList": "",
    "type": "policy",
    "dhcpTracking": "false",
    "classifyMitigatedAge": "0",
    "emailOnLaunch": "false",
    "emailOnFinish": "false",
    "timeoutAction": "import",
    "scanningVirtualHosts": "false",
    "rolloverType": "template",
    "status": "0",
    "createdTime": "1606132784",
    "modifiedTime": "1606132784",
    "maxScanTime": "3600",
    "reports": [],
    "assets": [
      {
        "id": "38",
        "name": "api_test_1",
        "description": ""
      }
    ],
    "credentials": [],
    "numDependents": "0",
    "schedule": {
      "id": -1,
      "objectType": -1,
      "type": "now",
      "start": "",
      "repeatRule": "",
      "enabled": "true",
      "nextRun": -1,
      "dependent": {
        "id": -1,
        "name": "",
        "description": ""
      }
    },
    "policy": {
      "id": "1000002",
      "context": "",
      "name": "Host Discovery",
      "description": "",
      "tags": "",
      "owner": {
        "id": "1",
        "username": "security_manager",
        "firstname": "Manager",
        "lastname": "Security"
      },
      "ownerGroup": {
        "id": "0",
        "name": "Full Access",
        "description": "Full Access group"
      }
    },
    "policyPrefs": [
      {
        "name": "MODE|discovery",
        "value": "host_enumeration"
      },
      {
        "name": "description",
        "value": ""
      },
      {
        "name": "display_unreachable_hosts",
        "value": "no"
      },
      {
        "name": "log_live_hosts",
        "value": "yes"
      },
      {
        "name": "name",
        "value": "Host Discovery"
      },
      {
        "name": "reverse_lookup",
        "value": "no"
      }
    ],
    "repository": {
      "id": "1",
      "name": "Example-Repository",
      "description": ""
    },
    "canUse": "true",
    "canManage": "true",
    "plugin": {
      "id": -1,
      "name": "",
      "description": ""
    },
    "zone": {
      "id": -1,
      "name": "",
      "description": ""
    },
    "ownerGroup": {
      "id": "0",
      "name": "Full Access",
      "description": "Full Access group"
    },
    "creator": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "owner": {
      "id": "1",
      "username": "security_manager",
      "firstname": "Manager",
      "lastname": "Security"
    },
    "scanResultID": "34"
  },
  "error_code": 0,
  "error_msg": "",
  "warnings": [],
  "timestamp": 1606132783
}
```
Case wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. The action should fail and stop a playbook execution: if the asset is not found: print "Error executing action "Run Asset Scan". Reason: Asset {0} was not found in Tenable Security Center.".format(name). If not status code 200 (is_success = false): print "Error executing action "Run Asset Scan". Reason: {0}".format(error_msg) | General |
Connectors
Tenable Security Center Connector
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter | Type | Default Value | Description |
---|---|---|---|
DeviceProductField | String | device_product | The field name used to determine the device product. |
EventClassId | String | name | The field name used to determine the event name (sub-type). |
PythonProcessTimeout | String | 60 | The timeout limit (in seconds) for the Python process running the current script. |
Server Address | String | null | N/A |
Username | String | null | N/A |
Password | Password | null | N/A |
Use SSL | Checkbox | Unchecked | N/A |
Max Days Backwards | Integer | 1 | The amount of days back, from which you would like to fetch data. |
Limit Per Cycle | Integer | 10 | The amount of alerts ingested into the connector in each execution cycle. |
Proxy Server Address | String | null | The address of the proxy server to use. |
Proxy Username | String | null | The proxy username to authenticate with. |
Proxy Password | Password | null | The proxy password to authenticate with. |
Connector rules
The connector supports proxies.