Tenable
Actions for Tenable.io
Send to Tenable IO Assets. Sends a custom set of Lucidum data to Tenable IO to import as assets.
Launch Tenable IO Scan. Launches a scan in Tenable IO with a specified list of assets.
Add to Tenable IO Target Group. Adds a list of assets to a target group in Tenable IO. A target group includes a list of targets to scan.
Use Cases
Below are the possible use cases for this action:
If you want to run Lucidum “headless”, you can send relevant data to Tenable.io on a regular schedule.
You can send data to Elasticsearch to be indexed, searched, and analyzed.
Prerequisites
Before you can execute actions on Tenable.io, you must first create an account on Tenable.io and retrieve the following:
API Key ID
API Key Secret (value of the key)
https://www.elastic.co/guide/en/cloud/current/ec-api-keys.html
Workflows
Tenable.io Configuration

Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.
Host. The hostname of the Tenable server. For Tenable IO, the default value is https://cloud.tenable.com.
Access Key. Enter the value for the API Key that you generated in the previous section.
Access Secret. Enter the value for the API Secret that you generated in the previous section.
Max # of Records per Payload. The maximum number of records to send to Tenable.io in each action. The default value is “50”.
Verify SSL. For future use. The default value is “False”.
Create or Edit an Action
You can create the following types of Actions for Tenable.io:
Send to Tenable.io Index. Sends a custom set of Lucidum data to Tenable.io.
To create an action for Tenable.io:
Go to the Create a New Action page.
In the General step, enter values in these fields:
Action Type. Select from the pulldown options. Choices are:
Send to Tenable IO Assets. Sends a custom set of Lucidum data to Tenable IO to import as assets.
Launch Tenable IO Scan. Launches a scan in Tenable IO with a specified list of assets.
Add to Tenable IO Target Group. Adds a list of assets to a target group in Tenable IO. A target group includes a list of targets to scan.
Configuration Name. Select an action configuration from the pulldown options.
Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.
Description. Description of the action.
Click the Next (>) icon.
The Modify Filters page appears.
In the Modify Filters page, enter the following:
Type of Data. This field determines the type of base query that will populate the chart. Choices are:
Asset. Retrieve information about assets.
Asset-IP Mapping. Lucidum uses proprietary machine-learning algorithms to align each asset with an IP address. You can retrieve information about these asset/IP pairs.
User. Retrieve information about users.
User-IP Mapping. Lucidum uses proprietary machine-learning algorithms to align each user with an IP address. You can retrieve information about these user/IP pairs.
Vulnerability. Retrieve information about vulnerabilities.
Time Range. This field determines whether the base query that populates the chart will use current data or historical data. Choices are:
Current. The default value is from the present day to 7 days old.
Historical. The default value is from 8 days old to 30 days old.
NOTE: You can customize or view the Time Range values in Settings > System Settings > Data Settings.
Current uses the value of Data Lookback in Days.
Historical uses the value of Data Retention in Days.
Click Configure Filters.
In the Refine Scope page, you define the query for the assets or users that the action will act upon. For existing actions, this field displays the query for this action. For details on creating and editing queries in Lucidum, see the section on Building Queries.
Click the Apply (page and pencil) icon.
Click the Next (>) icon.
The Schedule page appears.
In the Schedule page, enter:
Schedule Type. Define the schedule for the action. Choices are:
Recurrence. Specify a frequency for the recurring schedule.
After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.
Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.
Click the Next (>) icon.
The Details step appears. The fields in this page differ depending upon the Tenable action you selected in the General step.
In the Details page, enter the following:
Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query in the Filters field, you can select these fields in the Query Results page > Edit Column button.
Action-specific field. This field differs depending on the action you selected in the General step.
Tenable.io Target Source Identifier. If you selected the Action Type “Send to Tenable IO Assets”, supply a source identifier. The data sent to Tenable will be labeled with this identifier. For example “lucidum_assets”.
Tenable.io Scan Name. If you selected the Action Type “Launch Tenable IO Scan”, specify the name of the scan (already configured in Tenable.io).
Tenable.io Target Group Name. If you selected the Action Type “Add to Tenable IO Target Group”, specify the name of the target group (already configured in Tenable.io).
De-dupe Previous Jobs. In this field, you specify whether to exclude asset IDs (if your query is for assets) or user IDs (if your query is for users) that were already sent by previous jobs. You can specify an integer between 0 and the number specified in Settings > System Settings > General > Data Settings > Action Result Retention in Days. The Action Result Retention in Days setting specifies the number of days that Lucidum stores action results.
If you specify “0” (zero), Lucidum includes all the records from the query in each delivery to AWS S3.
If you specify “1” (one), Lucidum examines the previous webhook payload and excludes records for asset IDs or user IDs that were sent in the delivery to AWS S3.
If you specify “2” (two), Lucidum examines the last two webhook payloads and excludes records for asset IDs or user IDs that were sent in the previous two deliveries to AWS S3.
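The De-dupe Previous Jobs values above, combined with the Max # of Records per Payload limit, worked through as an added example (this is not Lucidum code). It assumes the history of each delivery is the set of IDs actually sent in it; the function names, the asset_id field and the sample inputs are constructed for illustration.

```python
from typing import Dict, List, Sequence, Set

Record = Dict[str, str]


def select_records(results: Sequence[Record], history: Sequence[Set[str]],
                   dedupe_jobs: int, id_field: str = "asset_id") -> List[Record]:
    """Drop records whose ID was sent in the last `dedupe_jobs` deliveries.

    0 keeps every record; N excludes IDs found in the previous N deliveries.
    """
    if dedupe_jobs < 0:
        raise ValueError("De-dupe Previous Jobs must be 0 or greater")
    recent = history[-dedupe_jobs:] if dedupe_jobs else []
    already_sent: Set[str] = set().union(*recent)
    return [r for r in results if r[id_field] not in already_sent]


def chunk(records: Sequence[Record], max_records: int = 50) -> List[List[Record]]:
    """Split the selected records into payloads of at most `max_records`."""
    if max_records < 1:
        raise ValueError("Max # of Records per Payload must be at least 1")
    return [list(records[i:i + max_records])
            for i in range(0, len(records), max_records)]


def run_jobs(job_results: Sequence[Sequence[Record]], dedupe_jobs: int,
             max_records: int = 50, id_field: str = "asset_id") -> List[List[List[str]]]:
    """Simulate consecutive scheduled runs; return the IDs in each payload of each run."""
    history: List[Set[str]] = []          # one set of sent IDs per earlier delivery
    deliveries: List[List[List[str]]] = []
    for results in job_results:
        selected = select_records(results, history, dedupe_jobs, id_field)
        payloads = chunk(selected, max_records)
        history.append({r[id_field] for r in selected})
        deliveries.append([[r[id_field] for r in p] for p in payloads])
    return deliveries


if __name__ == "__main__":
    # Constructed query results for three consecutive runs of the same action.
    runs = [[{"asset_id": i} for i in ids] for ids in ("ab", "abc", "abc")]
    for n in (0, 1, 2):
        print(n, run_jobs(runs, dedupe_jobs=n))
```

Under this model, a value of 1 sends an ID that keeps matching the query on every other run, because only the immediately preceding delivery is examined.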