runZero integrates with Tenable Security Center (previously Tenable.sc) by importing data from the Tenable Security Center API.
Getting started with Tenable Security Center
To set up an integration with Tenable Security Center, you’ll need to:
- Create an API key for a user that has access to view and query vulnerabilities in Tenable Security Center.
- Configure the Tenable Security Center credential in runZero.
- Choose whether to configure the integration as a scan probe or connector task.
- Activate the integration to pull your data into runZero.
Before you can set up the Tenable Security Center integration:
- Verify that you have runZero Enterprise.
- Make sure you have administrator access to the Tenable Security Center portal.
Step 1: Create an API key
- Log in to Tenable Security Center with an Administrator account.
- Make sure API key authentication is enabled.
- Go to Users > Users.
- Check the box for the user you want to create an API key for. Note: The API key will have the same access as the user you select. Make sure the user has access to view and query vulnerabilities in the desired organization.
- At the top of the table, click the API Keys > Generate API Key option.
- Click Generate to create the API token, and then download or copy it.
Step 2: Add the Tenable Security Center credential to runZero
- Go to the Credentials page in runZero. Provide a name for the credentials, like Tenable Security Center.
- Choose Tenable Security Center Access & Secret from the list of credential types.
- Generate your Tenable Security Center API key as directed in Step 1, and then provide the following information:
- Access key - Your 64-character Tenable Security Center access key.
- Secret key - Your 64-character Tenable Security Center secret key.
- If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from Tenable Security Center.
Step 3: Choose how to configure the Tenable Security Center integration
The Tenable Security Center integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync. If you are integrating with an internal Tenable Security Center instance, we recommend setting up a connector to run from one of your Explorers. Otherwise, if you are integrating with an external-facing Tenable Security Center instance, you can set up a connector to run from the cloud. If you are self-hosting runZero, you can run the connector from an Explorer or from your runZero host, whichever can reach your Tenable Security Center install.
Step 4: Set up and activate the integration to sync data
After you add your credential, you’ll need to sync your data from Tenable Security Center.
Step 4a: Configure the Tenable Security Center integration as a connector task
A connection requires you to specify a schedule which determines when the sync occurs.
- Activate a connection to Tenable Security Center. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
- Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
- Configure the Tenable Security Center query mode setting (optional).
  - Define filters - Define a filter based on vulnerability severity and risk level. Note: Much of the host information provided by Tenable is from Info-level plugins, so if you only import higher levels of severity you may not see much information about assets.
  - Use existing query ID - Provide the Tenable Security Center query to use. Note: The query must be the Vulnerability type and use the Vulnerability Detail List tool.
- Set the Fingerprint only toggle to Yes if you want vulnerability records to be ingested for fingerprint analysis but not stored in your runZero vulnerability inventory (optional).
- Enter a name for the task, like Tenable Security Center sync (optional).
- Choose the Explorer to perform this connector task from (optional).
- Choose the site you want to configure the connector for.
- Enter a description for the task (optional).
- Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
- Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.
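A pre-flight check for the credential and the "Use existing query ID" option, as an added example that is not runZero or Tenable code: it builds the API key header and confirms a saved query is the Vulnerability type using the Vulnerability Detail List tool before you schedule the sync. Assumptions: the `x-apikey` header format, the `/rest/query/{id}` path, and the `type`/`tool` values `vuln`/`vulndetails` reflect the Tenable Security Center REST API as understood here and should be confirmed against your version's API reference; the 64-character key length is taken from this page; the function names and sample replies are constructed.

```python
import json
import urllib.request

KEY_LENGTH = 64  # key length as stated on this page


def build_headers(access_key: str, secret_key: str) -> dict:
    """Return the x-apikey header (assumed format) for API key authentication."""
    for label, key in (("access", access_key), ("secret", secret_key)):
        if len(key) != KEY_LENGTH:
            raise ValueError(f"{label} key is {len(key)} characters, expected {KEY_LENGTH}")
    return {"x-apikey": f"accesskey={access_key}; secretkey={secret_key};"}


def check_query(body: dict) -> list:
    """Return the reasons a saved-query reply does not fit the integration."""
    if body.get("error_code", 0) != 0:
        return [f"API error: {body.get('error_msg', 'unknown')}"]
    query = body.get("response") or {}
    problems = []
    if query.get("type") != "vuln":  # assumed API name for the Vulnerability type
        problems.append(f"type is {query.get('type')!r}, need 'vuln'")
    if query.get("tool") != "vulndetails":  # assumed name for Vulnerability Detail List
        problems.append(f"tool is {query.get('tool')!r}, need 'vulndetails'")
    return problems


def fetch_query(base_url: str, query_id: int, headers: dict) -> dict:
    """GET the saved query; TLS certificate verification stays at its default (on)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send API keys over a non-HTTPS URL")
    url = f"{base_url.rstrip('/')}/rest/query/{int(query_id)}"
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample replies (not captured from a real instance).
SAMPLE_OK = {"error_code": 0, "response": {"id": "12", "type": "vuln", "tool": "vulndetails"}}
SAMPLE_BAD = {"error_code": 0, "response": {"id": "13", "type": "vuln", "tool": "sumid"}}

if __name__ == "__main__":
    print(check_query(SAMPLE_OK))
    print(check_query(SAMPLE_BAD))
```

Against a live instance, pass the result of `fetch_query(...)` to `check_query(...)`; an empty list means the query ID meets the requirement in the note above.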
Step 4b: Configure the Tenable Security Center integration as a scan probe
You can run the Tenable Security Center integration as a scan probe so that the runZero Explorer will pull your vulnerability data into the runZero Console.
In a new or existing scan configuration:
- Ensure that the TENABLESECURITYCENTER option is set to Yes in the Probes and SNMP tab and change any of the default options if needed.
- Optionally, set the severity and risk levels for ingested vulnerability scan results or provide a query ID.
- Set the correct TenableSecurityCenter credential to Yes in the
Step 5: View Tenable Security Center assets and vulnerabilities
After a successful sync, you can go to your inventory to view your Tenable Security Center assets. These assets will have a Tenable icon listed in the Source column.
The Tenable Security Center integration gathers details about vulnerabilities detected in addition to enriching asset inventory data. Go to Inventory > Vulnerabilities to view the vulnerability data provided by Tenable Security Center.
To filter by Tenable Security Center assets, consider running the following queries:
Click into each asset or vulnerability to see its individual attributes. runZero will show you the attributes gathered from the Tenable Security Center API.