Adding a Tenable SecurityCenter scan

You can add a Tenable SecurityCenter scanner to enable IBM® QRadar® to collect host and vulnerability information through the Tenable API.

Before you begin

Verify the location of the API on your Tenable SecurityCenter.
A server certificate is required to support HTTPS connections. QRadar supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:
  • Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.
  • SSH into the Console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified hostname or IP and placed into the /opt/qradar/conf/trusted_certificates directory in the appropriate format.
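
Example (added here, not part of the IBM documentation or QRadar tooling): a shell helper for reviewing a certificate file before it is placed in /opt/qradar/conf/trusted_certificates. It checks the file extension against the list above, confirms that the file parses as X.509, rejects expired certificates, and prints the SHA-256 fingerprint. The function names are hypothetical, and the openssl command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): review a certificate file before copying it
# into /opt/qradar/conf/trusted_certificates. Requires the openssl CLI.
# Usage (hypothetical file name): review_cert ./tenable-sc.crt

# Extensions the page lists as supported by QRadar.
ext_supported() {
    case "$1" in
        *.crt|*.cert|*.der) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PEM" or "DER"; fail if the file is not a parseable X.509 certificate.
cert_format() {
    local fmt=DER
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null && fmt=PEM
    openssl x509 -in "$1" -inform "$fmt" -noout 2>/dev/null || return 1
    echo "$fmt"
}

# Print the value part of one "name=value" line from openssl x509.
cert_field() {   # usage: cert_field FILE FORMAT OPTION...
    local file=$1 fmt=$2; shift 2
    openssl x509 -in "$file" -inform "$fmt" -noout "$@" | cut -d= -f2-
}

# Print "yes" when subject equals issuer (the usual self-signed case).
self_issued() {
    local fmt; fmt=$(cert_format "$1") || return 2
    if [ "$(cert_field "$1" "$fmt" -subject)" = "$(cert_field "$1" "$fmt" -issuer)" ]; then
        echo yes
    else
        echo no
    fi
}

# One-line summary; non-zero exit if the file should not be installed as is.
review_cert() {
    local fmt
    ext_supported "$1" || { echo "$1: unsupported extension"; return 1; }
    fmt=$(cert_format "$1") || { echo "$1: not an X.509 certificate"; return 1; }
    openssl x509 -in "$1" -inform "$fmt" -noout -checkend 0 >/dev/null ||
        { echo "$1: expired"; return 1; }
    echo "$1: format=$fmt self_issued=$(self_issued "$1")" \
         "sha256=$(cert_field "$1" "$fmt" -fingerprint -sha256)"
}
```

Compare the printed fingerprint with the one reported for the certificate on the Tenable SecurityCenter itself before relying on a copy that was retrieved over the network. A self_issued=yes result is the self-signed case that the Allow Untrusted Certificates parameter in the procedure governs.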

Procedure

  1. Click the Admin tab.
  2. Click the VA Scanners icon, and then click Add.
  3. In the Scanner Name field, type a name to identify the scanner.
  4. From the Managed Host list, select an option that is based on one of the following platforms:
    • On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
    • On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
  5. From the Type list, select Tenable SecurityCenter.
  6. In the Server Address field, type the IP address of the Tenable SecurityCenter.
  7. In the API Location field, type the path to the API on the Tenable SecurityCenter.

    The default path to the API file for SecurityCenter Version 4 is sc4/request.php.

    The default path to the API file for SecurityCenter Version 5 is rest.

  8. From the API Version list, select the version for your SecurityCenter.
    Tip: Support for Tenable SecurityCenter (Tenable.sc) on QRadar is limited to the versions supported by Tenable. For more information, see Tenable Software Release Lifecycle Matrix (https://tenable.my.salesforce.com/sfc/p/#300000000pZp/a/3a000000gPnK/Gu5PvUfKyV_gL0LdpNGgSdJ0PLKk15KPFcucY_BGlek).
  9. In the User Name field, type the username to access the Tenable SecurityCenter API.
  10. In the Password field, type the password to access the Tenable SecurityCenter API.
  11. Enable or disable the Allow Untrusted Certificates parameter, depending on the certificate type you use.
    If you enable the Allow Untrusted Certificates parameter, the scanner can accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the scanner trusts only certificates that are signed by a trusted signer.
    Tip: By default, this parameter is enabled for existing scanners and disabled for new scanners.
  12. Configure a CIDR range for the scanner.
    1. In the CIDR ranges field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
    2. Click Add.
  13. Optional: If you receive insufficient memory errors in the scanner's error logs, configure the Vulnerability Flush Threshold parameter, which sets the maximum number of vulnerabilities to store in memory. This value can be adjusted to fit the available memory that is allocated to the scanners. To find this parameter, click the plus sign (+) in the upper left on the scanner's configuration page.

    If the number of vulnerabilities is high and the scanner memory is unable to store the default value of 500,000, reducing the value to between 5,000 and 25,000 can resolve memory storage issues. The minimum value is 1,000, and the maximum value is 500,000.

    Tip: If the Vulnerability Flush Threshold value is less than the default, the scans can take longer to complete.
    Tip: Set the Age field to greater than 60 to receive a large number of events or hosts. Set the Age field to less than 10 to receive fewer events or hosts.
  14. Click Save.
  15. On the Admin tab, click Deploy Changes.

What to do next

You are now ready to create a scan schedule. See Scheduling a vulnerability scan.