You can add a Tenable SecurityCenter scanner to enable IBM® QRadar® to collect host and vulnerability information through the Tenable API.
Before you begin
Verify the location of the API on your Tenable SecurityCenter. A server certificate is required to support HTTPS connections. QRadar supports certificates with the following file extensions: .crt, .cert, or .der. To copy a certificate to the /opt/qradar/conf/trusted_certificates directory, choose one of the following options:
- Manually copy the certificate to the /opt/qradar/conf/trusted_certificates directory by using SCP or SFTP.
- SSH into the Console or managed host and retrieve the certificate by using the following command: /opt/qradar/bin/getcert.sh <IP or Hostname> <optional port - 443 default>. A certificate is then downloaded from the specified hostname or IP and placed into the /opt/qradar/conf/trusted_certificates directory in the appropriate format.
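Because getcert.sh stores the certificate that the specified host presents, one way to confirm the file before you rely on it is to compare its SHA-256 fingerprint with a value that you obtained from the SecurityCenter administrator. The following script is an added example, not part of the IBM documentation; it assumes that openssl is available on the host, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not IBM or Tenable code): check a certificate file before it
# is left in /opt/qradar/conf/trusted_certificates. Assumes openssl is installed
# and that the expected SHA-256 fingerprint was obtained out of band.
# Function names are hypothetical.

# Print PEM or DER, depending on which encoding parses as X.509.
cert_form() {
    local form
    for form in PEM DER; do
        if openssl x509 -in "$1" -inform "$form" -noout >/dev/null 2>&1; then
            echo "$form"; return 0
        fi
    done
    return 1
}

# Print the SHA-256 fingerprint as uppercase hex without colons.
cert_fingerprint() {
    local form out
    form=$(cert_form "$1") || return 1
    out=$(openssl x509 -in "$1" -inform "$form" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${out#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# Return codes: 0 ok, 2 unsupported extension, 3 not X.509,
# 4 fingerprint mismatch, 5 expired.
verify_cert() {
    local file="$1" expected actual form
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$file" in
        *.crt|*.cert|*.der) ;;   # extensions the page lists as supported
        *) echo "unsupported extension: $file" >&2; return 2 ;;
    esac
    actual=$(cert_fingerprint "$file") || { echo "not an X.509 certificate: $file" >&2; return 3; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, got $actual" >&2; return 4
    fi
    form=$(cert_form "$file")
    if ! openssl x509 -in "$file" -inform "$form" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired: $file" >&2; return 5
    fi
    echo "OK $file sha256=$actual"
}

# Stand-alone use: script.sh <certificate file> <expected fingerprint>
if [ "$#" -eq 2 ]; then verify_cert "$1" "$2"; fi
```

The expected fingerprint can be given with or without colons, in either letter case.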
Procedure
- Click the Admin tab.
- Click the VA Scanners icon, and then click Add.
- In the Scanner Name field, type a name to identify the scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select Tenable SecurityCenter.
- In the Server Address field, type the IP address of the Tenable SecurityCenter.
- In the API Location field, type the path to the API on the Tenable SecurityCenter.
  The default path to the API file for SecurityCenter Version 4 is sc4/request.php.
  The default path to the API file for SecurityCenter Version 5 is rest.
- From the API Version list, select the version for your SecurityCenter.
  Tip: Support for Tenable SecurityCenter (Tenable.sc) on QRadar is limited to the versions supported by Tenable. For more information, see Tenable Software Release Lifecycle Matrix (https://tenable.my.salesforce.com/sfc/p/#300000000pZp/a/3a000000gPnK/Gu5PvUfKyV_gL0LdpNGgSdJ0PLKk15KPFcucY_BGlek).
- In the User Name field, type the username to access the Tenable SecurityCenter API.
- In the Password field, type the password to access the Tenable SecurityCenter API.
- Enable or disable the Allow Untrusted Certificates parameter, depending on the certificate type that you use.
  If you enable the Allow Untrusted Certificates parameter, the scanner can accept self-signed and otherwise untrusted certificates that are located within the /opt/qradar/conf/trusted_certificates/ directory. If you disable the parameter, the scanner trusts only certificates that are signed by a trusted signer.
  Tip: By default, this parameter is enabled for existing scanners and disabled for new scanners.
- Configure a CIDR range for the scanner.
  - In the CIDR ranges field, type the CIDR range for the scan or click Browse to select a CIDR range from the network list.
  - Click Add.
- Optional: If you receive insufficient memory errors in the scanner's error logs, configure the Vulnerability Flush Threshold parameter, which sets the maximum number of vulnerabilities to store in memory. This value can be adjusted to fit the available memory that is allocated to the scanners. To find this parameter, click the plus sign (+) in the upper left on the scanner's configuration page.
  If the number of vulnerabilities is high and the scanner memory is unable to store the default value of 500,000, reducing the value to 5000 - 25000 can resolve memory storage issues. The minimum value is 1,000, and the maximum value is 500,000.
  Tip: If the Vulnerability Flush Threshold value is less than the default, the scans can take longer to complete.
  Tip: Set the Age field to greater than 60 to receive a large number of events or hosts. Set the Age field to less than 10 to receive fewer events or hosts.
- Click Save.
- On the Admin tab, click Deploy Changes.
What to do next
You are now ready to create a scan schedule. See Scheduling a vulnerability scan.