Tenable.io

Overview


Use the Tenable.io integration to manage scans and asset vulnerabilities.

This integration was integrated and tested with the November 2018 release of Tenable.io.

Configure Tenable.io on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Tenable.io.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • URL
    • Access Key
    • Secret Key
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get a list of scans: tenable-io-list-scans
  2. Launch a scan: tenable-io-launch-scan
  3. Get a scan report: tenable-io-get-scan-report
  4. Get information for a vulnerability: tenable-io-get-vulnerability-details
  5. Get a list of vulnerabilities for an asset: tenable-io-get-vulnerabilities-by-asset
  6. Check the status of a scan: tenable-io-get-scan-status

1. Get a list of scans


Retrieves a list of scans from the Tenable platform.

Base Command
tenable-io-list-scans
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| folderId | The ID of the folder whose scans should be listed. Scans are stored in specific folders on Tenable, e.g., folderId=8 | Optional |
| lastModificationDate | Limit the results to scans that have changed since this date (YYYY-MM-DD) | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Scan.Id | number | The unique ID of the scan |
| TenableIO.Scan.Name | string | The name of the scan |
| TenableIO.Scan.Target | string | The targets to scan |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped") |
| TenableIO.Scan.StartTime | date | The scheduled start time for the scan |
| TenableIO.Scan.EndTime | date | The scheduled end time for the scan |
| TenableIO.Scan.Enabled | boolean | If true, the schedule for the scan is enabled |
| TenableIO.Scan.Type | string | The type of scan ("local", "remote", or "agent") |
| TenableIO.Scan.Owner | string | The owner of the scan |
| TenableIO.Scan.Scanner | string | The scanner assigned to the scan |
| TenableIO.Scan.Policy | string | The policy assigned to the scan |
| TenableIO.Scan.CreationDate | date | The creation date for the scan (in Unix time) |
| TenableIO.Scan.LastModificationDate | date | The last modification date for the scan (in Unix time) |
Command Example
!tenable-io-list-scans
Human Readable Output

Tenable.io - List of Scans

| FolderId | Id | Name | Targets | Status | StartTime | EndTime | Enabled | Type | Owner | Scanner | Policy | CreationDate | LastModificationDate |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8 | 20 | artTest | anorton.ddns.net | completed | Tue Sep 18 15:12:47 2018 | Tue Sep 18 15:23:53 2018 | false | ps | owner@demisto.com | US Cloud Scanner | Basic Network Scan | Tue Sep 18 15:12:47 2018 | Tue Sep 18 15:23:53 2018 |
| 15 | 13 | Test 2 | www.google.com | completed | Wed Oct 31 14:36:45 2018 | Wed Oct 31 16:41:45 2018 | true | ps | owner@demisto.com | US Cloud Scanner | PCI Quarterly External Scan | Wed Oct 31 14:36:45 2018 | Wed Oct 31 16:41:45 2018 |
| 8 | 10 | Test Scan - 1 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | running | Mon Nov 12 12:31:17 2018 | | false | ps | owner@demisto.com | US Cloud Scanner | Advanced Network Scan | Mon Nov 12 12:31:17 2018 | Mon Nov 12 12:31:47 2018 |
| 7 | 15 | Test 3 - Prasen | 192.168.1.1-192.168.1.255,www.google.com,93.174.93.1-93.174.93.255, 82.211.30.0/24, www.google.com | completed | Tue Jul 3 23:00:36 2018 | Wed Jul 4 01:59:44 2018 | true | ps | owner@demisto.com | US Cloud Scanner | Advanced Network Scan | Tue Jul 3 23:00:36 2018 | Wed Jul 4 01:59:44 2018 |
| - | 22 | z | | empty | | | false | | owner@demisto.com | US Cloud Scanner | Advanced Network Scan | | |

Inactive Web Applications Scans - Renew WAS license to use these scans

| Id | Name | Status | Enabled | Type | Owner | CreationDate | LastModificationDate |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 18 | Test - Web | canceled | false | webapp | owner@demisto.com | Thu Jul 19 11:13:03 2018 | Thu Jul 19 11:17:51 2018 |

2. Launch a scan


Launches a scan with existing or custom targets. You can specify custom targets in the command arguments.

Base Command
tenable-io-launch-scan
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | The ID of the scan to launch | Required |
| scanTargets | If specified, these targets are scanned instead of the scan's default targets. The value can be a list with one target per element, or a single element containing a comma-separated string of targets. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Scan.Id | number | The unique ID of the scan |
| TenableIO.Scan.Targets | string | The targets to scan |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped") |
Command Example
!tenable-io-launch-scan scan-id="10" scan-targets="216.75.62.8, 80.82.77.139, 60.191.38.77"
Human Readable Output

The requested scan was launched successfully

| Id | Targets | Status |
| --- | --- | --- |
| 10 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | pending |
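The scanTargets argument accepts two shapes (one target per list element, or a single comma-separated string), and the target strings themselves come in several formats visible in the scan list above: a single IP, a CIDR block, a dotted-quad range, or a hostname. The helper below, added here as an example and not part of the integration's own code, flattens either shape into one validated, de-duplicated list before the launch command is built, so a typo in a playbook argument fails in the automation rather than being sent to the scanner. Function names are the example's own.

```python
import ipaddress
import re
from typing import Iterable, List, Union

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*"
    r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$"
)


def classify_target(target: str) -> str:
    """Return the kind of one Tenable target string: 'ip', 'cidr', 'range' or 'hostname'.

    Raises ValueError for anything else. The order of the checks matters: a dotted
    range such as 192.168.1.1-192.168.1.255 would also pass the hostname regex,
    so numeric forms are recognised first.
    """
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        pass
    if "/" in target:
        ipaddress.ip_network(target, strict=False)  # raises ValueError on garbage
        return "cidr"
    if "-" in target and target.replace(".", "").replace("-", "").isdigit():
        low, high = target.split("-", 1)
        if ipaddress.ip_address(low) > ipaddress.ip_address(high):
            raise ValueError(f"range start is above range end: {target}")
        return "range"
    if _HOSTNAME_RE.match(target):
        return "hostname"
    raise ValueError(f"unrecognised scan target: {target!r}")


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around classify_target for callers that prefer no exceptions."""
    try:
        classify_target(target)
        return True
    except ValueError:
        return False


def normalize_targets(scan_targets: Union[str, Iterable[str]]) -> List[str]:
    """Turn either accepted shape of scanTargets into one flat, validated list.

    ["a, b, c"] and ["a", "b", "c"] both become ["a", "b", "c"]; surrounding
    whitespace is stripped, empty pieces are dropped and duplicates are removed
    while the original order is kept. Any invalid piece raises ValueError.
    """
    if isinstance(scan_targets, str):
        scan_targets = [scan_targets]
    flat: List[str] = []
    for element in scan_targets:
        for piece in str(element).split(","):
            piece = piece.strip()
            if piece and piece not in flat:
                flat.append(piece)
    for target in flat:
        classify_target(target)  # validate every piece before anything is launched
    return flat


if __name__ == "__main__":
    # The same target list as the command example above, in the comma-separated shape.
    print(normalize_targets(["216.75.62.8, 80.82.77.139, 60.191.38.77"]))
```

Because validation runs over the flattened list, a playbook can accept either input shape from an analyst without a separate branch for each, and the ValueError message names the offending piece.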

3. Get a scan report


Retrieves a scan report for the specified scan.

Base Command
tenable-io-get-scan-report
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | The ID of the scan to retrieve | Required |
| detailed | If true, the report will also contain remediation and host information for the specified scan. Otherwise, the report will only contain vulnerabilities. | Optional |
| info | Return the basic details of the specified scan | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Scan.Id | number | The unique ID of the scan |
| TenableIO.Scan.Name | string | The name of the scan |
| TenableIO.Scan.Targets | string | The targets to scan |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped") |
| TenableIO.Scan.StartTime | string | The scheduled start time for the scan |
| TenableIO.Scan.EndTime | string | The scheduled end time for the scan |
| TenableIO.Scan.Scanner | string | The scanner assigned to the scan |
| TenableIO.Scan.Policy | string | The policy assigned to the scan |
| TenableIO.Vulnerabilities.Id | string | The unique ID of the vulnerability |
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability |
| TenableIO.Vulnerabilities.Severity | number | The severity level of the vulnerability |
| TenableIO.Vulnerabilities.Description | string | The description of the vulnerability |
| TenableIO.Vulnerabilities.Synopsis | string | A brief summary of the vulnerability |
| TenableIO.Vulnerabilities.Solution | string | Information on how to fix the vulnerability |
| TenableIO.Vulnerabilities.FirstSeen | date | When the vulnerability was first seen |
| TenableIO.Vulnerabilities.LastSeen | date | When the vulnerability was last seen |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | A count of the vulnerability occurrences |
| TenableIO.Assets.Hostname | string | The name of the host |
| TenableIO.Assets.Score | number | The overall score for the host |
| TenableIO.Assets.Critical | number | The percentage of critical findings on the host |
| TenableIO.Assets.High | number | The number of high findings on the host |
| TenableIO.Assets.Medium | number | The number of medium findings on the host |
| TenableIO.Assets.Low | number | The number of low findings on the host |
| TenableIO.Remediations.Id | string | The unique ID of the remediation |
| TenableIO.Remediations.Description | string | Specific information related to the vulnerability and steps to remediate |
| TenableIO.Remediations.AffectedHosts | number | The number of hosts affected |
| TenableIO.Remediations.AssociatedVulnerabilities | number | The number of vulnerabilities associated with the remedy |
Command Example
!tenable-io-get-scan-report scan-id="10" detailed="yes" info="yes"
Human Readable Output

Scan basic info

| Id | Name | Targets | Status | StartTime | EndTime | Scanner | Policy |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 10 | Test Scan - 1 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | completed | Mon Nov 12 12:31:17 2018 | Mon Nov 12 12:36:03 2018 | US Cloud Scanner | Advanced Network Scan |

Vulnerabilities

| Id | Name | Severity | Description | Synopsis | Solution | FirstSeen | LastSeen | VulnerabilityOccurences |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 10881 | SSH Protocol Versions Supported | None | This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. | A SSH server is running on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2 |
| 10114 | ICMP Timestamp Request Remote Date Disclosure | None | The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. | It is possible to determine the exact time set on the remote host. | Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 46 |
| 110723 | No Credentials Provided | None | Nessus was unable to execute credentialed checks because no credentials were provided. | Nessus was able to find common ports used for local checks, however, no credentails were provided in the scan policy. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 8 |
| 25220 | TCP/IP Timestamps Supported | None | The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. | The remote service implements TCP timestamps. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 70657 | SSH Algorithms and Languages Supported | None | This script detects which algorithms and languages are supported by the remote service for encrypting communications. | An SSH server is listening on this port. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 19 |
| 71049 | SSH Weak MAC Algorithms Enabled | Low | The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions. | The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms. | Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 5 |
| 53335 | RPC portmapper (TCP) | None | The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. | An ONC RPC portmapper is running on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 70658 | SSH Server CBC Mode Ciphers Enabled | Low | The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. | The SSH server is configured to use Cipher Block Chaining. | Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 5 |
| 11154 | Unknown Service Detection: Banner Retrieval | None | Nessus was unable to identify a service on the remote host even though it returned a banner of some type. | There is an unknown service running on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 75 |
| 12053 | Host Fully Qualified Domain Name (FQDN) Resolution | None | Nessus was able to resolve the fully qualified domain name (FQDN) of the remote host. | It was possible to resolve the name of the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 98 |
| 45590 | Common Platform Enumeration (CPE) | None | By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. | It was possible to enumerate CPE names that matched on the remote system. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 78 |
| 10884 | Network Time Protocol (NTP) Server Detection | None | An NTP server is listening on port 123. If not securely configured, it may provide information about its version, current date, current time, and possibly system information. | An NTP server is listening on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 10267 | SSH Server Type and Version Information | None | It is possible to obtain information about the remote SSH server by sending an empty authentication request. | An SSH server is listening on this port. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 38 |
| 81052 | Openswan < 2.6.36 IKE Packet NULL Pointer Dereference Remote DoS | Medium | The remote host is running a version of Openswan prior to version 2.6.36. It is, therefore, affected by a remote denial of service vulnerability due to a NULL pointer dereference flaw. A remote attacker, using a specially crafted ISAKMP message with an invalid KEY_LENGTH attribute, can cause a denial of service. | The remote host is affected by a remote denial of service vulnerability. | Upgrade to Openswan 2.6.36 or later. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 81053 | Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS | Medium | The remote host is running a version of Openswan prior to version 2.6.37. It is, therefore, affected by a remote denial of service vulnerability due to a use-after-free flaw in the cryptographic helper handler. A remote attacker can exploit this issue to cause a denial of service. | The remote host is affected by a remote denial of service vulnerability. | Upgrade to Openswan version 2.6.37 or later. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 66334 | Patch Report | None | The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date. | The remote host is missing several patches. | Install the patches listed below. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 18 |
| 11935 | IPSEC Internet Key Exchange (IKE) Version 1 Detection | None | The remote host seems to be enabled to do Internet Key Exchange (IKE) version 1. This is typically indicative of a VPN server. VPN servers are used to connect remote hosts into internal resources. Make sure that the use of this VPN endpoint is done in accordance with your corporate security policy. Note that if the remote host is not configured to allow the Nessus host to perform IKE/IPSEC negotiations, Nessus won't be able to detect the IKE service. Also note that this plugin does not run over IPv6. | A VPN server is listening on the remote port. | If this service is not needed, disable it or filter incoming traffic to this port. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2 |
| 11936 | OS Identification | None | Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. | It is possible to guess the remote operating system. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 56 |
| 46215 | Inconsistent Hostname and IP Address | None | The name of this machine either does not resolve or resolves to a different IP address. This may come from a badly configured reverse DNS or from a host file in use on the Nessus scanning host. As a result, URLs in plugin output may not be directly usable in a web browser and some web tests may be incomplete. | The remote host's hostname is not consistent with DNS information. | Fix the reverse DNS or host file. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 58 |
| 19506 | Nessus Scan Information | None | This plugin displays, for each tested host, information about the scan itself: the version of the plugin set; the type of scanner (Nessus or Nessus Home); the version of the Nessus Engine; the port scanner(s) used; the port range scanned; whether credentialed or third-party patch management checks are possible; the date of the scan; the duration of the scan; the number of hosts scanned in parallel; the number of checks done in parallel. | This plugin displays information about the Nessus scan. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 187 |
| 22964 | Service Detection | None | Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. | The remote service could be identified. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 30 |
| 90317 | SSH Weak Algorithms Supported | Medium | Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys. | The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. | Contact the vendor or consult product documentation to remove the weak ciphers. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 11219 | Nessus SYN scanner | None | This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. | It is possible to determine which TCP ports are open. | Protect your target with an IP filter. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 324 |
| 54615 | Device Type | None | Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). | It is possible to guess the remote device type. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 14 |
| 39520 | Backported Security Patch Detection (SSH) | None | Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. | Security patches are backported. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 11111 | RPC Services Enumeration | None | By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. | An ONC RPC service is running on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 32 |
| 10223 | RPC portmapper Service Detection | None | The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. | An ONC RPC portmapper is running on the remote host. | | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 117886 | Local Checks Not Enabled (info) | None | Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the scan. Credentials may not have been provided, local checks may not be available for the target, the target may not have been identified, or another issue may have occurred that prevented local checks from being enabled. See plugin output for details. This plugin reports informational findings related to local checks not being enabled. For failure information, see plugin 21745 : 'Authentication Failure - Local Checks Not Run'. | Local checks were not enabled. | | 2018-10-25T12:51:05.830Z | 2018-11-12T12:34:11.622Z | 1 |

Vulnerabilities - Missing From Workbench

| Id | VulnerabilityOccurences | Severity |
| --- | --- | --- |
| 27576 | 1 | 0 |
| 60020 | 1 | 0 |
| 33930 | 1 | 0 |

Assets

| Hostname | Score | Critical | High | Medium | Low |
| --- | --- | --- | --- | --- | --- |
| 216.75.62.8 | 24 | 0 | 0 | 0 | 0 |
| 80.82.77.139 | 23 | 0 | 0 | 0 | 0 |
| 60.191.38.77 | 332 | 0 | 0 | 3 | 2 |

Remediations

| Id | Description | AffectedHosts | AssociatedVulnerabilities |
| --- | --- | --- | --- |
| 68e52411b3ca69f756a5a7fc219a3d71 | Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS: Upgrade to Openswan version 2.6.37 or later. | 1 | 1 |
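The report populates three context lists (TenableIO.Vulnerabilities, TenableIO.Assets and TenableIO.Remediations) that a playbook typically has to reduce to a short list of things to act on. The example below is added here and is not code from the integration: it consumes constructed context entries built from a subset of the report rows shown above, using the documented field names, and produces an actionable-findings list, a remediation summary grouped by Solution (the same shape as the Remediations table), and the assets whose Medium/High/Critical counters are non-zero. The severity scale follows the 0-4 integer documented under command 4, and the helper also accepts the labels ("None", "Low", "Medium", ...) that the War Room tables display for the same values. Function names are the example's own.

```python
from collections import OrderedDict
from typing import Any, Dict, Iterable, List

# Severity scale documented for TenableIO.Vulnerabilities.Severity (0 = info only),
# paired with the labels the human-readable output prints for the same values.
SEVERITY_LABELS = {0: "None", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
LABEL_TO_SEVERITY = {label.lower(): value for value, label in SEVERITY_LABELS.items()}
LABEL_TO_SEVERITY["info"] = 0  # some views print "Info" instead of "None"

# Constructed sample context: a subset of the scan report rows shown on this page.
SAMPLE_VULNERABILITIES: List[Dict[str, Any]] = [
    {"Id": "10881", "Name": "SSH Protocol Versions Supported", "Severity": 0,
     "Solution": None, "VulnerabilityOccurences": 2},
    {"Id": "71049", "Name": "SSH Weak MAC Algorithms Enabled", "Severity": 1,
     "Solution": "Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.",
     "VulnerabilityOccurences": 5},
    {"Id": "70658", "Name": "SSH Server CBC Mode Ciphers Enabled", "Severity": 1,
     "Solution": "Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.",
     "VulnerabilityOccurences": 5},
    {"Id": "81052", "Name": "Openswan < 2.6.36 IKE Packet NULL Pointer Dereference Remote DoS", "Severity": 2,
     "Solution": "Upgrade to Openswan 2.6.36 or later.", "VulnerabilityOccurences": 1},
    {"Id": "81053", "Name": "Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS", "Severity": 2,
     "Solution": "Upgrade to Openswan version 2.6.37 or later.", "VulnerabilityOccurences": 1},
    {"Id": "90317", "Name": "SSH Weak Algorithms Supported", "Severity": 2,
     "Solution": "Contact the vendor or consult product documentation to remove the weak ciphers.",
     "VulnerabilityOccurences": 1},
]
SAMPLE_ASSETS: List[Dict[str, Any]] = [
    {"Hostname": "216.75.62.8", "Score": 24, "Critical": 0, "High": 0, "Medium": 0, "Low": 0},
    {"Hostname": "80.82.77.139", "Score": 23, "Critical": 0, "High": 0, "Medium": 0, "Low": 0},
    {"Hostname": "60.191.38.77", "Score": 332, "Critical": 0, "High": 0, "Medium": 3, "Low": 2},
]


def severity_value(severity: Any) -> int:
    """Normalise a severity to the 0-4 integer, accepting the number or the printed label."""
    if isinstance(severity, int):
        if severity not in SEVERITY_LABELS:
            raise ValueError(f"severity outside [0-4]: {severity}")
        return severity
    try:
        return LABEL_TO_SEVERITY[str(severity).strip().lower()]
    except KeyError:
        raise ValueError(f"unknown severity label: {severity!r}") from None


def actionable_findings(vulns: Iterable[Dict[str, Any]], min_severity: int = 2) -> List[Dict[str, Any]]:
    """Findings at or above min_severity, most severe and most frequent first."""
    picked = [v for v in vulns if severity_value(v.get("Severity", 0)) >= min_severity]
    return sorted(picked, key=lambda v: (-severity_value(v.get("Severity", 0)),
                                         -int(v.get("VulnerabilityOccurences", 0)),
                                         str(v["Id"])))


def remediation_summary(vulns: Iterable[Dict[str, Any]], min_severity: int = 1) -> List[Dict[str, Any]]:
    """Group findings by their Solution text, the way the Remediations table does."""
    groups: "OrderedDict[str, Dict[str, Any]]" = OrderedDict()
    for v in vulns:
        sev = severity_value(v.get("Severity", 0))
        solution = v.get("Solution")
        if sev < min_severity or not solution:
            continue  # informational rows and rows without a fix have nothing to group
        group = groups.setdefault(solution, {"Solution": solution, "Vulnerabilities": [],
                                             "Occurrences": 0, "MaxSeverity": 0})
        group["Vulnerabilities"].append(str(v["Id"]))
        group["Occurrences"] += int(v.get("VulnerabilityOccurences", 0))
        group["MaxSeverity"] = max(group["MaxSeverity"], sev)
    return sorted(groups.values(), key=lambda g: (-g["MaxSeverity"], -g["Occurrences"]))


def assets_needing_attention(assets: Iterable[Dict[str, Any]]) -> List[str]:
    """Hostnames with any Medium, High or Critical findings, worst first."""
    flagged = [a for a in assets if any(int(a.get(k, 0)) > 0 for k in ("Critical", "High", "Medium"))]
    flagged.sort(key=lambda a: (-int(a.get("Critical", 0)), -int(a.get("High", 0)), -int(a.get("Medium", 0))))
    return [a["Hostname"] for a in flagged]


if __name__ == "__main__":
    for finding in actionable_findings(SAMPLE_VULNERABILITIES):
        print(SEVERITY_LABELS[finding["Severity"]], finding["Id"], finding["Name"])
    print(assets_needing_attention(SAMPLE_ASSETS))
```

Grouping by Solution text rather than by plugin ID is what makes the summary useful to an operator: the two Openswan findings and the three SSH configuration findings each collapse into a single line of work, with the plugin IDs kept for traceability back to the report.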

4. Get information for a vulnerability


Retrieves details for the specified vulnerability.

Base Command
tenable-io-get-vulnerability-details
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| vulnerabilityId | The unique ID of the vulnerability | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability |
| TenableIO.Vulnerabilities.Severity | number | Integer [0-4] indicating how severe the vulnerability is, where 0 is info only |
| TenableIO.Vulnerabilities.Type | string | The type of the vulnerability |
| TenableIO.Vulnerabilities.Family | string | Object containing plugin information such as family, type, and publication and modification dates |
| TenableIO.Vulnerabilities.Description | string | The description of the vulnerability |
| TenableIO.Vulnerabilities.Synopsis | string | A brief summary of the vulnerability |
| TenableIO.Vulnerabilities.Solution | string | Information on how to fix the vulnerability |
| TenableIO.Vulnerabilities.FirstSeen | date | When the vulnerability was first seen |
| TenableIO.Vulnerabilities.LastSeen | date | When the vulnerability was last seen |
| TenableIO.Vulnerabilities.PublicationDate | date | The publication date of the vulnerability |
| TenableIO.Vulnerabilities.ModificationDate | date | The last modification date for the vulnerability (in Unix time) |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | A count of the vulnerability occurrences |
| TenableIO.Vulnerabilities.CvssVector | string | The Common Vulnerability Scoring System vector |
| TenableIO.Vulnerabilities.CvssBaseScore | string | The Common Vulnerability Scoring System allotted base score |
| TenableIO.Vulnerabilities.Cvss3Vector | string | The Common Vulnerability Scoring System version 3 vector |
| TenableIO.Vulnerabilities.Cvss3BaseScore | string | The Common Vulnerability Scoring System version 3 allotted base score |
Command Example
!tenable-io-get-vulnerability-details vulnerability-id=10881
Human Readable Output

Vulnerability details - 10881

| Name | Severity | Type | Family | Description | Synopsis | FirstSeen | LastSeen | PublicationDate | ModificationDate | VulnerabilityOccurences |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SSH Protocol Versions Supported | None | remote | General | This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. | A SSH server is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2002-03-06T00:00:00Z | 2017-05-30T00:00:00Z | 2 |

5. Get a list of vulnerabilities for an asset


Returns a list of the vulnerabilities recorded for a given asset. Maximum number of returned vulnerabilities is 5,000.

Base Command
tenable-io-get-vulnerabilities-by-asset
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | Hostname of the asset | Optional |
| ip | IP of the asset | Optional |
| dateRange | The number of days of data prior to and including today that should be returned | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Assets.Hostname | number | Hostname of the asset |
| TenableIO.Assets.Vulnerabilities | number | A list of all the vulnerability IDs associated with the asset |
| TenableIO.Vulnerabilities.Id | number | The vulnerability unique ID |
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability |
| TenableIO.Vulnerabilities.Severity | number | Integer [0-4] indicating how severe the vulnerability is, where 0 is info only |
| TenableIO.Vulnerabilities.Family | string | The vulnerability family |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | The number of times the vulnerability was found |
| TenableIO.Vulnerabilities.VulnerabilityState | string | The current state of the reported vulnerability ("Active", "Fixed", "New", etc.) |
Command Example
!tenable-io-get-vulnerabilities-by-asset hostname=debian8628.aspadmin.net
Human Readable Output

Vulnerabilities for asset debian8628.aspadmin.net

| Id | Name | Severity | Family | VulnerabilityOccurences | VulnerabilityState |
| --- | --- | --- | --- | --- | --- |
| 11111 | RPC Services Enumeration | None | Service detection | 4 | Active |
| 11219 | Nessus SYN scanner | None | Port scanners | 2 | Active |
| 10114 | ICMP Timestamp Request Remote Date Disclosure | None | General | 1 | Active |
| 10223 | RPC portmapper Service Detection | None | RPC | 1 | Active |
| 10267 | SSH Server Type and Version Information | None | Service detection | 1 | Resurfaced |
| 10881 | SSH Protocol Versions Supported | None | General | 1 | Resurfaced |
| 10884 | Network Time Protocol (NTP) Server Detection | None | Service detection | 1 | Active |
| 11936 | OS Identification | None | General | 1 | Resurfaced |
| 12053 | Host Fully Qualified Domain Name (FQDN) Resolution | None | General | 1 | Active |
| 19506 | Nessus Scan Information | None | Settings | 1 | Resurfaced |
| 22964 | Service Detection | None | Service detection | 1 | Resurfaced |
| 25220 | TCP/IP Timestamps Supported | None | General | 1 | Resurfaced |
| 39520 | Backported Security Patch Detection (SSH) | None | General | 1 | Resurfaced |
| 45590 | Common Platform Enumeration (CPE) | None | General | 1 | Resurfaced |
| 46215 | Inconsistent Hostname and IP Address | None | Settings | 1 | Active |
| 53335 | RPC portmapper (TCP) | None | RPC | 1 | Active |
| 54615 | Device Type | None | General | 1 | Resurfaced |
| 70657 | SSH Algorithms and Languages Supported | None | Misc. | 1 | Resurfaced |
| 110723 | No Credentials Provided | None | Settings | 1 | Resurfaced |
| 117886 | Local Checks Not Enabled (info) | None | Settings | 1 | |

6. Check the status of a scan


Checks the status of a specific scan using the scan ID. Possible statuses include: "Running", "Completed", and "Empty" (Ready to run).

Base Command
tenable-io-get-scan-status
Input
| Argument Name | Description | Required |
| --- | --- | --- |
| scanId | The unique ID of the scan | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| TenableIO.Scan.Id | string | The unique ID of the scan |
| TenableIO.Scan.Status | string | The status of the scan |
Command Example
!tenable-io-get-scan-status scan-id=10
Human Readable Output

Scan status for 10

| Status | Id |
| --- | --- |
| completed | 10 |
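Commands 2, 6 and 3 are normally chained: launch the scan, poll its status until it is no longer in progress, then fetch the report. The loop below is an added example, not code from the integration, that treats the status values documented under commands 1 to 3 as a small state machine. In-progress values keep polling, terminal values end the wait, "empty" (never launched, as described for this command) is rejected immediately instead of being polled forever, and an unknown value fails rather than being silently skipped. Both spellings of cancelled that appear in this page's output are accepted. The launch, get_status and get_report callables are injected; the FakeTenable class is a constructed stand-in that replays a scripted status sequence so the loop runs offline, and none of these names belong to the integration's API.

```python
import time
from typing import Any, Callable, Dict, List, Optional

# TenableIO.Scan.Status values documented for this integration, split by what a
# playbook should do when it sees them.
IN_PROGRESS = {"pending", "running", "resuming", "pausing", "paused", "canceling", "stopping"}
TERMINAL = {"completed", "aborted", "cancelled", "canceled", "stopped", "imported"}
NEVER_LAUNCHED = {"empty"}  # "ready to run": the scan will not progress on its own


class ScanPollError(RuntimeError):
    """Raised when polling cannot reach a terminal status."""


def wait_for_scan(get_status: Callable[[str], str], scan_id: str,
                  poll_interval: float = 30.0, max_polls: int = 20,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll get_status(scan_id) until it reports a terminal status and return that status.

    get_status stands in for a call such as tenable-io-get-scan-status (an assumed
    wrapper, not the integration's API); sleep is injectable so tests do not wait.
    """
    last: Optional[str] = None
    for attempt in range(max_polls):
        status = get_status(scan_id).strip().lower()
        if status in TERMINAL:
            return status
        if status in NEVER_LAUNCHED:
            raise ScanPollError(f"scan {scan_id} has never been launched (status {status!r})")
        if status not in IN_PROGRESS:
            raise ScanPollError(f"scan {scan_id} reported an unknown status {status!r}")
        last = status
        if attempt < max_polls - 1:
            sleep(poll_interval)
    raise ScanPollError(f"scan {scan_id} still {last!r} after {max_polls} polls")


def run_scan_workflow(launch: Callable[[str, Optional[List[str]]], None],
                      get_status: Callable[[str], str],
                      get_report: Callable[[str], Dict[str, Any]],
                      scan_id: str, targets: Optional[List[str]] = None,
                      **poll_kwargs: Any) -> Dict[str, Any]:
    """Launch, wait, then fetch the report; the report is only requested on 'completed'."""
    launch(scan_id, targets)
    status = wait_for_scan(get_status, scan_id, **poll_kwargs)
    report = get_report(scan_id) if status == "completed" else None
    return {"Id": scan_id, "Status": status, "Report": report}


class FakeTenable:
    """Constructed stand-in for the integration: statuses come from a scripted list
    and the last entry repeats once the list is exhausted."""

    def __init__(self, statuses: List[str]) -> None:
        self._statuses = list(statuses)
        self.launched: List[Any] = []
        self.polls = 0

    def launch(self, scan_id: str, targets: Optional[List[str]]) -> None:
        self.launched.append((scan_id, targets))

    def get_status(self, scan_id: str) -> str:
        index = min(self.polls, len(self._statuses) - 1)
        self.polls += 1
        return self._statuses[index]

    def get_report(self, scan_id: str) -> Dict[str, Any]:
        # Shape follows the TenableIO.Scan / TenableIO.Vulnerabilities context on this page.
        return {"Id": scan_id, "Vulnerabilities": [{"Id": "71049", "Severity": 1}]}


def demo(statuses: List[str]) -> Dict[str, Any]:
    """Run the workflow against a scripted status sequence without sleeping."""
    fake = FakeTenable(statuses)
    result = run_scan_workflow(fake.launch, fake.get_status, fake.get_report, "10",
                               targets=["216.75.62.8"], poll_interval=0, sleep=lambda _: None)
    result["Polls"] = fake.polls
    return result


def demo_outcome(statuses: List[str]) -> str:
    """Final status, or an 'error: ...' string when polling gives up."""
    try:
        return demo(statuses)["Status"]
    except ScanPollError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    print(demo(["pending", "running", "running", "completed"]))
    print(demo_outcome(["empty"]))
```

The max_polls bound matters in a playbook task: a scan that is paused indefinitely would otherwise hold the task open forever, and surfacing the last observed status in the error tells the analyst whether to resume the scan or give up.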