
[Tenable.io] Tweaks to Tenable.io integration #7671

Closed
jamiehynds opened this issue Sep 6, 2023 · 5 comments · Fixed by #7689 or #7696

Comments

@jamiehynds

Based on feedback from Tenable, some tweaks need to be applied in order to get our integration validated.

  • Asset & Vuln data streams pull frequency: Adjust the default interval to 24 hours and adjust titles from 'logs' to 'data', e.g. 'Collect asset logs from Tenable.io' becomes 'Collect asset data from Tenable.io'

  • Plugin Data Pull - Adjust initial & daily pull to 24hr, set to default off

  • Scanner Pull - Remove

  • Scans pull - Adjust cadence to 24hr, set to default off

Tenable has also rebranded Tenable.io to Tenable Vulnerability Management. Can you please adjust the title, description and all references of Tenable.io to Tenable Vulnerability Management.

The logo for the integration also needs to be changed:
[attached image: Tenable-Logo2021]

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds
Author

jamiehynds commented Sep 7, 2023

Sorry @efd6 , while we're working on this package - two additional changes if you don't mind.

  • @timestamp needs to be changed from "tenable_io.vulnerability.indexed" (aka. tenable_io.vulnerability.first_found) to "tenable_io.vulnerability.last_found"

  • Fingerprint needs to be enabled again. Probably on the same fields as Tenable.sc is using.

The vulnerability data is unusable today. Especially for dashboards, because @timestamp is the time that the vulnerability was FIRST seen. This can be years ago. cc @LaZyDK

Another issue raised here, but not sure how we tackle it: #5762

@jamiehynds jamiehynds reopened this Sep 7, 2023
@LaZyDK
Contributor

LaZyDK commented Sep 7, 2023

For now we have used a custom pipeline to fix the data in Tenable.io to look and behave like Tenable.sc.

[
  {
    "fingerprint": {
      "fields": [
        "tenable_io.vulnerability.plugin.id",
        "host.ip",
        "tenable_io.vulnerability.last_found",
        "tenable_io.vulnerability.port.value",
        "tenable_io.vulnerability.plugin.modification_date"
      ],
      "target_field": "_id",
      "method": "MurmurHash3",
      "ignore_failure": true
    }
  },
  {
    "set": {
      "ignore_failure": true,
      "field": "@timestamp",
      "copy_from": "tenable_io.vulnerability.last_found"
    }
  }
]

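The two processors in the pipeline above, together with the Sep 7 request to move @timestamp from first_found to last_found, can be checked offline before touching the integration. The script below is an added example, not code from the Elastic integration or from anyone in this thread: it re-implements the `fingerprint` (target_field `_id`, ignore_failure) and `set` (copy_from last_found) processors in plain Python and runs constructed sample findings through them. One assumption: it hashes with SHA-256 instead of Elasticsearch's MurmurHash3, so the `_id` strings differ from what the real pipeline produces; the property shown (identical findings collapse to one `_id`, a re-detection with a new last_found becomes a new document, a finding missing a fingerprint field falls back to a random id and can duplicate) does not depend on the hash function.

```python
"""Offline simulation of the custom Tenable.io ingest pipeline.

Added example, not the integration's own code. Assumption: SHA-256 stands in
for Elasticsearch's MurmurHash3, so ids differ from the real pipeline's.
"""
import copy
import hashlib
import uuid
from typing import Any

# Same field list and order as the fingerprint processor in the thread.
FINGERPRINT_FIELDS = [
    "tenable_io.vulnerability.plugin.id",
    "host.ip",
    "tenable_io.vulnerability.last_found",
    "tenable_io.vulnerability.port.value",
    "tenable_io.vulnerability.plugin.modification_date",
]
TIMESTAMP_SOURCE = "tenable_io.vulnerability.last_found"


def get_path(doc: dict, dotted: str) -> Any:
    """Resolve a dotted field name against a nested document; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def fingerprint_processor(doc: dict) -> dict:
    """Mimic `fingerprint` with target_field=_id and ignore_failure=true.

    A missing input field is a processor failure. Because the pipeline ignores
    failures, the document passes through without a deterministic _id, so
    Elasticsearch would assign a random one and the same finding can be indexed
    again on the next 24h pull.
    """
    values = [get_path(doc, f) for f in FINGERPRINT_FIELDS]
    if any(v is None for v in values):
        return doc
    h = hashlib.sha256()  # assumption: stand-in for MurmurHash3
    for name, value in zip(FINGERPRINT_FIELDS, values):
        # NUL-terminate name and value so "1"+"23" and "12"+"3" cannot collide.
        h.update(name.encode() + b"\0" + str(value).encode() + b"\0")
    doc["_id"] = h.hexdigest()
    return doc


def set_timestamp_processor(doc: dict) -> dict:
    """Mimic `set` with copy_from: @timestamp := last_found, failure ignored."""
    value = get_path(doc, TIMESTAMP_SOURCE)
    if value is not None:
        doc["@timestamp"] = value
    return doc


def run_pipeline(doc: dict) -> dict:
    """Apply both processors, in pipeline order, to a copy of the document."""
    return set_timestamp_processor(fingerprint_processor(copy.deepcopy(doc)))


def finding(last_found: str, first_found: str = "2019-03-02T11:00:00Z") -> dict:
    """Constructed sample record shaped like the integration's vulnerability fields."""
    return {
        "@timestamp": first_found,  # what the stock integration set: first seen
        "host": {"ip": "10.0.0.5"},
        "tenable_io": {"vulnerability": {
            "first_found": first_found,
            "last_found": last_found,
            "plugin": {"id": 12345, "modification_date": "2023-08-01T00:00:00Z"},
            "port": {"value": 443},
        }},
    }


def index_docs(docs: list) -> dict:
    """Index like Elasticsearch: last write wins per _id, random id if none set."""
    index: dict = {}
    for d in docs:
        out = run_pipeline(d)
        index[out.get("_id", uuid.uuid4().hex)] = out
    return index


if __name__ == "__main__":
    daily = [finding("2023-09-06T08:00:00Z")] * 2 + [finding("2023-09-07T08:00:00Z")]
    for doc_id, doc in index_docs(daily).items():
        print(doc_id[:12], doc["@timestamp"])
```

Running the script shows two documents for three pulled records: the duplicate pull of the Sep 6 detection collapses onto one `_id`, while the Sep 7 re-detection keeps its own, and every document's @timestamp is now the last_found date rather than a years-old first_found.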
@efd6
Contributor

efd6 commented Sep 7, 2023

No worries.

@LaZyDK
Contributor

LaZyDK commented Sep 7, 2023

Above closes #5762

@efd6 efd6 closed this as completed in #7696 Sep 8, 2023
4 participants