Use case: Automatically importing vulnerability scan files
TrueSight Automation Console integrates with TrueSight Orchestration to automatically import vulnerability scan files from a Nessus Tenable server to TrueSight Automation Console.
Overview
To find vulnerabilities affecting assets in your environment, you can use various vulnerability management systems such as Qualys, Nessus, and Rapid7. You export scan results from these systems and then import them into TrueSight Automation Console. Operators perform this process manually at regular intervals. By integrating with TrueSight Orchestration, you can fully automate the process of downloading the scan results file and uploading it to Automation Console. For more information, see Scans.
Currently, automatic import of vulnerability scan files is available only for the Tenable Nessus vulnerability management system.
What do I need to get started?
- A user account with privileges to access Automation Console and Nessus Tenable server.
- A user account with privileges to install and configure TrueSight Orchestration Platform and Content.
- A supported TrueSight Orchestration Platform version installed on a different host than Automation Console.
For compatible versions, see System requirements.
How do I automatically import vulnerability scan files?
This topic describes the steps to configure TrueSight Orchestration content required for the use case and then automatically import the vulnerability scan files based on a schedule.
1. Install the TrueSight Orchestration – Vulnerability Management module.
The Vulnerability Management module includes a core module and a configuration module. The core module contains the workflow process that executes actions and the configuration module stores all the connection and configuration data. While installing the module, you also need to install additional utility modules in TrueSight Orchestration.
For details, see Installing the Vulnerability Management module.
2. Configure and enable/activate adapters and modules in the Vulnerability Management module.
After installing, you must configure the adapters and modules required for the use case.
For details, see Configuring content for the Vulnerability Management module.
3. View results of the scan file in TrueSight Automation Console.
Based on the schedule defined in TrueSight Orchestration, a workflow is triggered that downloads vulnerability scan files from the Tenable server and imports them into TrueSight Automation Console. After a successful import, scan files are deleted from the download location on the TrueSight Orchestration – Configuration Distribution Peer host.
How do I identify the file in Tenable?
Each Tenable scan file has an ID. When a scan file is automatically imported into TrueSight Automation Console, the Scan ID appears on the Manage > Imports page, with the scan file name. You can match these IDs with the IDs in Tenable.
What happens if a scan file is already imported in TrueSight Automation Console?
If a scan file already exists in TrueSight Automation Console, it is not imported. Duplicate files are skipped and only unique files are imported.
Asset and risk data appears on the Assets > Scanned Assets and Risks > Vulnerabilities pages. Vulnerabilities are automatically mapped to remediation content, such as patches, NSH scripts, deploy jobs, and so on. On the Risks > Vulnerabilities page, you can view these results for each vulnerability:
- Vulnerability name, ID, source, and severity
- CVE IDs associated with vulnerabilities
- Mapping status, whether mapped or unmapped, with remediation content
- Remediation content
- Number of impacted assets for each vulnerability
For details, see Working with risks.
After successful mapping, you can plan your remediation for the vulnerabilities.