Tenable.io Connector



Benefits


Tenable.io is a scanning tool that allows organizations to identify vulnerabilities and other risks across their various IT assets.

This connector streamlines the assessment of vulnerability management controls by letting your audit team fetch vulnerability scan reports and other evidence in a single click. Auditors can pull data directly from Tenable.io without relying on the company's infosec or IT staff to provide it.

This removes the time auditors spend waiting on control owners to fulfill evidence requests and the effort of chasing those requests down. It also relieves control owners of fulfilling evidence requests manually, since the audit team no longer needs to go through them.

Setting the Connection


To set up a connection to Tenable.io, complete the following steps:

  1. Generate an API key and its corresponding secret. These values must be generated in the Tenable.io web interface.

  2. Access the selected ZenGRC connector by following the instructions at Introduction to ZenConnect.

  3. Enter the API values in the form and click Next.



The Tenable.io user associated with the API key must have administrator permissions, because the Tenable.io API calls that ZenGRC makes require them. Since the key therefore carries administrator-level access to your Tenable.io tenant, generate it for a dedicated service account rather than a personal one, and treat the secret as you would any other administrative credential.

For example, ZenGRC makes the following API calls:

  • Request a vulnerability export: https://developer.tenable.com/reference/exports-vulns-request-export

  • Check the status of an export: https://developer.tenable.com/reference/exports-vulns-export-status

  • Download an export chunk: https://developer.tenable.com/reference/exports-vulns-download-chunk

  • List networks: https://developer.tenable.com/reference/networks-list

  • List Web Application Scanning plugins: https://developer.tenable.com/reference/was-v2-plugins-list

Tenable requires administrator permissions for each of these calls.


Creating a Fetcher


Tenable.io fetchers generate exports from previous scans and retrieve them as attachments on ZenGRC Requests.

To create a fetcher, complete the following steps:

  1. After setting the connection, click Add new fetcher.





  2. Complete the fields using the definitions in the next section.

  3. When the fields are complete, click Create.

  4. The fetcher is now ready to add to controls and requests; see Working with Fetchers, Controls, and Requests.

Field Definitions:

  • Number of Assets per Chunk: Integer Input. The number of assets per exported chunk. Note that this is not the number of vulnerabilities per chunk: a chunk holds the number of assets times the number of vulnerabilities found on each asset, so a chunk of 50 assets can contain many more than 50 findings. The supported range is a minimum of 50 (the default) to a maximum of 5,000. If you specify a value outside this range, the system uses the nearest bound.

  • CIDR Range: Text Input. Restricts the search for vulnerabilities to assets assigned an IP address within the specified CIDR range. For example, 0.0.0.0/0 restricts the search to addresses between 0.0.0.1 and 255.255.255.254, i.e. the entire IPv4 space; a narrower range such as 10.0.0.0/8 limits the export to that network.

  • Plugin Family: Multiselect Dropdown. The plugin family of the exported vulnerabilities. If your request omits this parameter, the export includes all vulnerabilities, regardless of plugin family.

  • Network ID: Dropdown. The ID of the network object associated with scanners that detected the vulnerabilities you want to export. The default network ID is 00000000-0000-0000-0000-000000000000.

  • State: Multiselect Dropdown. The state of the vulnerabilities you want the export to include. Supported values are open, reopened, and fixed.

  • Severity: Multiselect Dropdown. The severity of the vulnerabilities to include in the export. Defaults to all severity levels. The severity of a vulnerability is defined using the Common Vulnerability Scoring System (CVSS) base score. Supported values are:

    • info—The vulnerability has a CVSS score of 0.

    • low—The vulnerability has a CVSS score between 0.1 and 3.9.

    • medium—The vulnerability has a CVSS score between 4.0 and 6.9.

    • high—The vulnerability has a CVSS score between 7.0 and 9.9.

    • critical—The vulnerability has a CVSS score of 10.0.
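The following Python script is an added example, not ZenGRC's or Tenable's own code. It ties the field definitions above to the three export calls listed under Setting the Connection: it maps the fetcher fields onto the body of Tenable's POST /vulns/export request (clamping the chunk size to the 50-5,000 range and rejecting unsupported state and severity values), then requests the export, polls its status until it reports FINISHED, and downloads every available chunk. The endpoint paths, the X-ApiKeys header and the status values are Tenable's documented API; the FakeTenable class, its findings and the export UUID are constructed so the script runs offline. Swap in UrllibTransport with real keys to run it against a tenant.

```python
"""Tenable.io vulnerability export driven with the filters the ZenGRC fetcher
form exposes.  Added example, not ZenGRC's or Tenable's own code."""
import ipaddress
import json
import time
from urllib.request import Request, urlopen

BASE_URL = "https://cloud.tenable.com"
SEVERITIES = ("info", "low", "medium", "high", "critical")
STATES = ("open", "reopened", "fixed")
DEFAULT_NETWORK_ID = "00000000-0000-0000-0000-000000000000"

def api_key_headers(access_key, secret_key):
    """Tenable.io authenticates with an X-ApiKeys header. The key belongs to an
    administrator account, so keep the secret out of source control."""
    return {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
            "Content-Type": "application/json"}

def build_export_request(num_assets=50, cidr_range=None, plugin_family=None,
                         network_id=None, state=None, severity=None):
    """Map the fetcher's field values onto the POST /vulns/export body."""
    num_assets = max(50, min(5000, int(num_assets)))  # out of range -> nearest bound
    filters = {}
    if cidr_range:
        ipaddress.ip_network(cidr_range, strict=False)  # reject malformed input early
        filters["cidr_range"] = cidr_range
    if plugin_family:
        filters["plugin_family"] = list(plugin_family)
    if network_id and network_id != DEFAULT_NETWORK_ID:
        filters["network_id"] = network_id
    for name, values, allowed in (("state", state, STATES), ("severity", severity, SEVERITIES)):
        if values:
            bad = sorted(set(values) - set(allowed))
            if bad:
                raise ValueError(f"unsupported {name} value(s): {bad}")
            filters[name] = list(values)
    body = {"num_assets": num_assets}
    if filters:
        body["filters"] = filters
    return body

class UrllibTransport:
    """Minimal JSON-over-HTTPS transport for the real Tenable.io API."""
    def __init__(self, headers, base_url=BASE_URL):
        self.headers, self.base_url = headers, base_url

    def post(self, path, body):
        req = Request(self.base_url + path, data=json.dumps(body).encode(),
                      headers=self.headers, method="POST")
        with urlopen(req, timeout=60) as resp:
            return json.load(resp)

    def get(self, path):
        with urlopen(Request(self.base_url + path, headers=self.headers), timeout=60) as resp:
            return json.load(resp)

def run_vulns_export(http, body, poll_seconds=5, max_polls=120):
    """Request the export, poll its status, then download every chunk: the
    three export calls the connector makes. Returns (export_uuid, findings)."""
    export_uuid = http.post("/vulns/export", body)["export_uuid"]
    for _ in range(max_polls):
        status = http.get(f"/vulns/export/{export_uuid}/status")
        if status["status"] in ("ERROR", "CANCELLED"):
            raise RuntimeError(f"export {export_uuid} ended in {status['status']}")
        if status["status"] == "FINISHED":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"export {export_uuid} did not finish in time")
    findings = []
    for chunk_id in status["chunks_available"]:
        findings.extend(http.get(f"/vulns/export/{export_uuid}/chunks/{chunk_id}"))
    return export_uuid, findings

class FakeTenable:
    """Constructed stand-in for Tenable.io so the example runs offline: the
    export is PROCESSING on the first poll, then FINISHED with two chunks."""
    CHUNKS = {1: [("10.1.2.3", "critical", "OPEN"), ("10.1.2.4", "high", "REOPENED")],
              2: [("10.9.9.9", "critical", "OPEN")]}

    def __init__(self):
        self.polls, self.requests = 0, []

    def post(self, path, body):
        self.requests.append((path, body))
        return {"export_uuid": "11111111-2222-3333-4444-555555555555"}  # constructed

    def get(self, path):
        if path.endswith("/status"):
            self.polls += 1
            if self.polls == 1:
                return {"status": "PROCESSING", "chunks_available": []}
            return {"status": "FINISHED", "chunks_available": sorted(self.CHUNKS)}
        chunk_id = int(path.rsplit("/", 1)[1])
        return [{"asset": {"ipv4": ip}, "severity": sev, "state": st,
                 "plugin": {"family": "Web Servers"}}
                for ip, sev, st in self.CHUNKS[chunk_id]]

def demo():
    """Run an export with fetcher-style filters against the constructed fake."""
    body = build_export_request(num_assets=10, cidr_range="10.0.0.0/8",
                                plugin_family=["Web Servers"], state=["open", "reopened"],
                                severity=["high", "critical"])
    export_uuid, findings = run_vulns_export(FakeTenable(), body, poll_seconds=0)
    return body, export_uuid, findings

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The polling loop treats ERROR and CANCELLED as terminal failures and gives up after a bounded number of polls rather than waiting forever; on a real tenant a large export can take minutes, so keep a non-zero poll interval. Note that the fake returns findings in Tenable's export record shape (asset, severity, state, plugin), which is the same shape the downloaded chunk files attached to a ZenGRC Request contain.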

Adding Evidence Fetchers to Controls and Requests


After a fetcher pulls data into ZenGRC, the information must be attached and mapped to a control. Then it can be added to a request. For more information on this process, please review the following documentation - Working with Fetchers, Controls, and Requests.

List of Controls Supported by Vulnerability Scan Report Fetchers




© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com