DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Adviser
Posts: 137
Registered: ‎09-09-2015

Hi there,

 

Infoblox and Tenable Security Center together enable security and incident response teams to leverage the integration of vulnerability scanners, IPAM and DNS security to enhance visibility, manage assets, ease compliance and automate remediation. This video shows how the integration with Tenable Security Center works using the Outbound API feature of NIOS 8.2.

 

 

All necessary templates are attached to this post. The templates are provided "as-is"; please check them in your lab environment and modify them for your needs before implementing them in production.

 

The templates require Extensible Attributes, described in the table below. It is recommended to inherit attributes with the default values from the network view level.

| Extensible Attribute | Description |
| --- | --- |
| TNBL_Sync | Defines if an object should be synced with Tenable SC. Possible values: true, false |
| TNBL_SyncTime | Contains date/time when the object was synchronized, updated by the assets management template |
| TNBL_AddNet | Defines if a network should be added to assets. Possible values: true, false. If TNBL_AddNet is false but TNBL_Sync is true, TNBL_AssetIPID and TNBL_AssetHostID will be updated. |
| TNBL_AddRange | Defines if a range should be added to assets. Possible values: true, false. If TNBL_AddNet is false but TNBL_Sync is true, TNBL_AssetIPID and TNBL_AssetHostID will be updated. |
| TNBL_ScanOnEvnt | Defines if an asset should be scanned if RPZ or DNS Tunneling events were triggered |
| TNBL_ScanOnAdd | Defines if an asset should be scanned immediately after creation |
| TNBL_ScanTemplate | Defines a Tenable SC active scan which should be used for scans initiated by Infoblox. List of possible values should match active scan names on Tenable SC. |
| TNBL_ScanTemplateID | Internal attribute, which is used to store an active scan id. |
| TNBL_AssetIP | Defines a Static IP List name. List of possible values should match names of static IP lists on Tenable SC. |
| TNBL_AssetIPID | Internal attribute, which is used to store a static IP list id. |
| TNBL_AssetHost | Defines a Static DNS Names List name. List of possible values should match names of static DNS Names lists on Tenable SC. |
| TNBL_AssetHostID | Internal attribute, which is used to store a static DNS Name list id. |
| TNBL_ScanTime | Contains a date when an asset was scanned last time by a request from Infoblox |
| TNBL_AddByHostname | Defines if a host should be synced with Tenable SC using a hostname. Possible values: true, false |

 

You can use the attached PHP script to create these EAs (do not forget to update the $NIOS_baseURL, $NIOS_User, $NIOS_PWD and $data variables based on your configuration).

 

You can find a detailed description of how the templates work and how to configure the integration in these posts:

 

Any feedback and/or questions are appreciated and very welcome.

BR,

Vadim Pavlov

 

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Adviser
Posts: 137
Registered: ‎09-09-2015

Tenable Scan template (TenableScan.json.txt) was updated.

 

BR,

Vadim

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Member
Posts: 2
Registered: ‎06-14-2018
bzzzrick

FYI re: PHP script... an addition of the following cURL optional parameter might be needed to allow the PHP script to work correctly. Also, don't forget to uncomment the cURL extension in the file php.ini (extension=curl) if PHP gives a curl_init() function not found error:

 

    CURLOPT_SSL_VERIFYHOST => false,

 

So the entire definition of curl_setopt_array() from TNBL_create_EAs.php looks like this:

 

    #extensibleattributedef

    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_USERPWD => $NIOS_User . ":" . $NIOS_PWD,
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_VERBOSE => true,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => array('Content-Type: application/json')
        )
    );
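
For comparison with the options above, an added example (not from TNBL_create_EAs.php and not written by either poster) that keeps certificate and hostname verification on and trusts the CA that issued the NIOS certificate, so the $NIOS_User/$NIOS_PWD credentials are only sent to a verified grid. The helper names, CA file path, host name, WAPI version and sample $data payload are assumptions.

```php
<?php
// Added example, not part of TNBL_create_EAs.php. Helper names, paths and sample values are assumptions.

function nios_curl_options(string $user, string $pwd, string $caBundle): array {
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    return [
        CURLOPT_USERPWD        => $user . ":" . $pwd,
        CURLOPT_CUSTOMREQUEST  => "POST",
        CURLOPT_SSL_VERIFYPEER => true,       // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,          // certificate name must match the URL host
        CURLOPT_CAINFO         => $caBundle,  // PEM file holding the CA that issued the NIOS certificate
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
    ];
}

function nios_post(string $url, array $payload, array $options): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    $body   = curl_exec($ch);
    $error  = curl_errno($ch) ? curl_errno($ch) . ": " . curl_error($ch) : null;
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false) {
        // Certificate or hostname mismatches end up here; nothing is retried insecurely.
        throw new RuntimeException("WAPI request failed ($error)");
    }
    if ($status >= 400) {
        throw new RuntimeException("WAPI returned HTTP $status: $body");
    }
    return $body;
}

// Constructed values; replace with your own configuration.
$NIOS_baseURL = "https://nios.example.test/wapi/v2.7/";
$NIOS_User = "admin"; $NIOS_PWD = "change-me";
$data = ['name' => 'TNBL_Sync', 'type' => 'ENUM',
         'list_values' => [['value' => 'true'], ['value' => 'false']]];
try {
    $opts = nios_curl_options($NIOS_User, $NIOS_PWD, "/etc/ssl/certs/nios-grid-ca.pem");
    echo nios_post($NIOS_baseURL . "extensibleattributedef", $data, $opts), "\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```

If the request fails with a certificate error, export the CA certificate that signed the grid's HTTPS certificate to the PEM file and connect using a host name listed in that certificate.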

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Adviser
Posts: 137
Registered: ‎09-09-2015

Good catch!

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Techie
Posts: 2
Registered: ‎05-28-2014
SLiu

Hi,

I am trying to build the environment on NIOS 6.4.0 with Tenable SC 5.9.0.

The asset is not limited to the IP that triggered the RPZ/Network. The scan job would scan all networks in the asset. Am I missing anything?

 

 

 


 

 

 

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Techie
Posts: 7
Registered: ‎10-26-2017
jhciotti

I think it is worth noting that you are on a very old version of NIOS. Per the Deployment Guide, you need to be at 8.2 at a minimum. You also need the Security Ecosystem License which is not supported in that version.

 

From the Guide requirements:

 

Infoblox:

1. NIOS 8.2 or higher

2. Security Ecosystem License

3. Outbound API integration templates

4. Prerequisites for the templates (e.g. configured and set extensible attributes)

Jason Ciotti
Federal Sales Systems Engineer
jciotti@infobloxfederal.com
Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH TENABLE SECURITY CENTER
Adviser
Posts: 137
Registered: ‎09-09-2015

Looks like there is a typo. You are running NIOS 8.4.0.

Do not define an asset group in a scan IP; define a dummy IP instead.

Unfortunately Tenable has some limitations if you want to trigger a scan for a single IP, so the scan process works this way:

- A scan template should be created and it should contain all required configuration. It must be configured with a dummy IP (e.g. 10.0.0.1) as a scan target instead of an asset group.

- OutAPI copies the scan template.

- OutAPI replaces the dummy IP with an IP which should be scanned.

- OutAPI executes the scan.

 

Vadim

 
