
Importing Vulnerability information from Tenable SecurityCenter

I am currently running ESM version 9.3.2 and I am looking at incorporating vulnerability scan information from Tenable Security Center into ESM. While I see there is a parser and a mechanism to import Tenable Nessus Scanners, I do not see a parser for the action. I do not think this is a big problem since the architecture is such that any scan that is initiated from the SC to a remote Nessus scanner is then captured (imported) to the Security Center application. Effectively a Nessus Enterprise manager.

The question I do have is does anyone have experience with working with the Tenable Nessus Vulnerability Scanner Parser and can provide not only the configuration details, but also the location of either the necessary XML or NBE file format.  Any insight/experience would be greatly appreciated.

6 Replies
Regis
Level 12
Message 2 of 7

Re: Importing Vulnerability information from Tenable SecurityCenter

First, my condolences, as there's no supported way to get there from here. Yet.

Now the good news:  I felt your pain and escalated to the point that McAfee and Tenable now have a partnership and apparently there is work being done on the nitro team to write a connector against the SC API.

The problem with the XML .nessus parser is that Tenable's XML export from Nessus and the XML export from the SC database differ in one very important way: the latter lacks a value in the HOST_END tag pair. This causes the ESM parser to puke. If you wish to hack it with some scripting, you could post-process the nightly Nessus v2 XML exports (which you can schedule in SC as a repository export) and populate the missing field with a date of your choosing, and it might work today with ESM's Nessus XML parser.

Specifically, in a Nessus v2 export from Security Center you'll see <tag name="HOST_END"></tag>. In contrast, in an export from Nessus directly, you'll see something like <tag name="HOST_END">Mon Jun  2 11:59:13 2014</tag>

The ESM parser cares about this.

Feel free to contact your sales rep, or if you're a platinum customer your TAM, and inquire about the status of PER 27691 McAfee ESM support for Tenable Security Center using Security Center API.

Re: Importing Vulnerability information from Tenable SecurityCenter

Thank you for your insight and information.

Re: Importing Vulnerability information from Tenable SecurityCenter

Were you ever able to successfully import the VA scan data from Tenable Security Center into the SIEM? If so, what configuration did you have to use? Any insight into this would be helpful, as we are receiving the error "no data retrieved". We are using ESM 9.4.2, and Tenable Security Center 4.8.2.

Thanks!

Re: Importing Vulnerability information from Tenable SecurityCenter

Has this question been answered for anyone by their support?

Thank you!

Regis
Level 12
Message 6 of 7

Re: Importing Vulnerability information from Tenable SecurityCenter

Not to my knowledge. The latest I recall on this was a mention at FOCUS that was a bit oblique saying to the effect that this relationship may soon get better between Tenable and McAfee? I didn't press, but boy it'd sure be nice for this to work, especially with MVM finally getting killed and "no, use our [rather awful] vuln manager!" no longer being in the realm of possibility.

One way I have seen it work is to take a Nessus v2 export out of Security Center, post-process that with a script that populates the date field in there that ESM seems to need, as I described above, and then bring that into ESM. But I haven't implemented it, as I was hoping for a real fix from Intel at some point that'd be less clunky. But that was over a year ago...
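
The post-processing step described in messages 2 and 6 (filling the empty HOST_END tag in a Security Center Nessus v2 export), sketched as an added example; it is not any poster's script and not McAfee or Tenable code. It assumes the standard Nessus v2 layout (`ReportHost` / `HostProperties` / `tag`), reuses the host's `HOST_START` value when one is present (an assumption; the thread only says "a date of your choosing"), and runs on a constructed sample.

```python
import sys
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in Nessus v2 layout: two hosts exported with an empty
# HOST_END (as the thread describes for Security Center), one already populated.
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="10.0.0.1"><HostProperties>
<tag name="HOST_END"></tag>
<tag name="HOST_START">Sun Jun  1 23:10:02 2014</tag>
</HostProperties></ReportHost>
<ReportHost name="10.0.0.2"><HostProperties>
<tag name="HOST_END"></tag>
</HostProperties></ReportHost>
<ReportHost name="10.0.0.3"><HostProperties>
<tag name="HOST_END">Mon Jun  2 11:59:13 2014</tag>
</HostProperties></ReportHost>
</Report></NessusClientData_v2>"""


def fill_host_end(xml_text, fallback=None):
    """Populate empty HOST_END tags; return (patched_xml, hosts_fixed)."""
    # ctime() gives the layout of the populated tag: "Mon Jun  2 11:59:13 2014"
    stamp = (fallback or datetime.now()).ctime()
    root = ET.fromstring(xml_text)
    fixed = 0
    for props in root.iter("HostProperties"):
        tags = {t.get("name"): t for t in props.findall("tag")}
        end = tags.get("HOST_END")
        if end is None or (end.text or "").strip():
            continue  # tag absent or already populated: leave it alone
        start = tags.get("HOST_START")
        start_text = (start.text or "").strip() if start is not None else ""
        # Assumption: prefer the host's own HOST_START over the chosen date
        end.text = start_text or stamp
        fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed


if __name__ == "__main__":
    # usage: script.py sc_export.nessus patched.nessus (no arguments: run sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as src:
            patched, count = fill_host_end(src.read())
        with open(sys.argv[2], "w", encoding="utf-8") as dst:
            dst.write(patched)
    else:
        patched, count = fill_host_end(SAMPLE, datetime(2015, 1, 5))
        print(patched)
    print(f"populated HOST_END for {count} host(s)", file=sys.stderr)
```

ElementTree re-serializes the whole document, so diff a patched file against the original export before handing it to the ESM parser.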

TA22
Level 7
Message 7 of 7

Re: Importing Vulnerability information from Tenable SecurityCenter

Hi,

I have a client that is currently using ESM version 9.6.1 and we will be upgrading to version 10.3 in the near future.

Can someone please let me know if there is a pre-made device template available on the newer version, or is this an ongoing problem?

Thanks
