Tenable.sc integrations with the Vulnerability Response application

  • Release version: Australia
  • Updated January 30, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Tenable.sc integrations with the Vulnerability Response application

    The Tenable.sc integrations within the Vulnerability Response application enable ServiceNow customers to efficiently import, manage, and update vulnerability and asset data from Tenable.sc, a vulnerability management product. Starting with Vulnerability Response v20.0, the system identifies scanned assets by displaying an "Agent exists" status, which confirms scan authenticity. These integrations support multi-source setups, allowing deployment of multiple Tenable.io and Tenable.sc instances across the environment for comprehensive vulnerability intelligence.

    Show full answer Show less

    Tenable.sc is an on-premises integration that optionally uses a MID Server when Tenable.sc and the ServiceNow AI Platform are in the same environment, and requires a MID Server if they are in different environments.

    Key Features

    • Tenable.sc Assets Integration: Divided into Open Assets and Fixed Assets integrations to prevent duplicate discovered items by distinguishing current vulnerabilities (Open) from mitigated or fixed issues (Fixed). It imports comprehensive asset data, creates or updates configuration items (CIs), and applies query filters to limit imported data.
    • Tenable.sc Plugin Integration: Retrieves and updates plugin data to ensure vulnerability identifiers (Ten IDs) are current and imports only active vulnerabilities by coordinating with the Plugins API.
    • Tenable.sc Fixed Vulnerabilities Integration: Imports vulnerability data filtered by severity, creating or updating vulnerable items (VIs) for open or reopened detections and optionally creating VIs for fixed detections if enabled. This integration also manages asset and third-party data and triggers the Open Vulnerabilities Integration sequentially.
    • Tenable.sc Open Vulnerabilities Integration: Triggered after the Fixed Vulnerabilities integration, it imports active vulnerabilities and manages associated assets and third-party entries, excluding specific family IDs by default.
    • Tenable.sc Scan Credential Integration: Retrieves and imports scan credentials from Tenable.sc, storing them for use during scan requests initiated from ServiceNow. This integration runs on a weekly schedule.
    • Tenable.sc Backfill Vulnerabilities Integration: An optional backfill process that imports any missed open and fixed vulnerabilities from the past seven days to ensure data completeness. It is inactive by default due to potential performance impact.
    • User Authentication: Supported via ServiceNow AI Platform for Tenable.sc version 5.13 and later; required for earlier versions. Token expiration is automatically handled without user intervention, ensuring continuous integration operation.

    Practical Considerations for ServiceNow Customers

    • Multi-source support and multiple integration instances allow tailored deployment to fit complex environments.
    • Use of MID Server depends on deployment topology between Tenable.sc and ServiceNow AI Platform.
    • Configurable query filters help limit data imports to relevant vulnerabilities and assets, optimizing performance.
    • Enabling fixed vulnerability VIs provides visibility into remediated issues but may affect import performance.
    • Backfill integration should be activated cautiously due to potential performance impact and is inactive by default.
    • Scheduling integrations to avoid overlap with active scans improves performance and data accuracy.
    • Authentication tokens are managed automatically, reducing maintenance effort.

    Next Steps

    To implement these integrations, install and configure the Vulnerability Response Integration with Tenable application via the Setup Assistant. Prepare your environment by understanding the requirements and configuring the appropriate MID Server and authentication settings based on your deployment scenario.

    The Tenable.sc integrations in the Vulnerability Response Integration with Tenable application.

    Starting with Vulnerability Response v20.0, if an asset is scanned by an agent, the "Agent exists" column in the Discovered Items list displays the value as "true." This indicates that the scan is authentic.

    List of Tenable.sc integrations

    Multi-source is supported for all the Tenable.io and Tenable.sc integrations. You can add and deploy multiple instances of the following integrations across your environment from Setup Assistant in Vulnerability Response. You can also install and configure the Vulnerability Response Integration with Tenable application from Setup Assistant.

    • Tenable.sc is an on-premises integration that gives you the option to use a MID Server if the Tenable.sc product and your ServiceNow AI Platform instance are in the same environment.
    • If the Tenable.sc product and your ServiceNow AI Platform instance aren’t in the same environment, you’re required to use a MID Server.
    Table 1. Tenable.sc integrations
    Integration Description
    Tenable.sc Assets Integration
    To avoid creating duplicate discovered items with imported asset data, the Asset Integration of the Tenable.sc product is comprised of two integrations.
    The Tenable.sc Open Assets Integration
    This integration imports vulnerability data about your assets that Tenable considers Cumulative (current), or Open. The vulnerable items (VIs) that are created in your instance with this imported asset data are considered open, that is, in the Open state. These vulnerable items require investigation and might need remediation.
    The Tenable.sc Fixed Assets Integration
    This integration imports vulnerability data about your assets that Tenable considers Mitigated (no longer vulnerable) or Fixed. The vulnerable items for these assets transition from the Open state to the Closed/Fixed state in your instance, because the results of scans show they’re no longer vulnerable.
    • Retrieves all asset data from the Tenable.sc product and processes it in your instance.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share IP address.
    • Coordinates the REST message calls to the Assets API.
    • The output of this integration is discovered items.
    • The Tenable query filter that you select in the Setup Assistant also applies to the Tenable.sc Assets Integration. Only the assets with the vulnerabilities that match the conditions of the query filter are imported.
    Tenable.sc Plugin Integration
    • Retrieves the plugin data from the Tenable.sc product. Retrieved data are based on the date that the plugins were last updated by a Tenable.sc integration run.
    • This import ensures that the Tenable.sc Identifiers (Ten IDs) are current and only active vulnerabilities are imported.
    • Coordinates the REST message calls to the Plugins API.
    • The output of this integration is third-party vulnerabilities.
    Tenable.sc Fixed Vulnerabilities Integration
    • Retrieves vulnerability data based on severity filters from the Tenable.sc product and processes it in your instance. Vulnerable items are created for detection records which are in the Open and Reopened states, because these records require remediation. Existing vulnerable items are updated by Vulnerability Response if detections are Fixed, but vulnerable items aren’t created for Fixed detections by default, because Tenable considers Fixed vulnerabilities Mitigated.
    • When the flag Create vulnerable times for Fixed Vulnerability detections is activated in Setup Assistant, it creates VIs in the Fixed state so you have visibility into the detections that created them. As VIs are created for Fixed detections that don’t exist in your instance, this might negatively impact your import performance. You may prefer to leave this feature deactivated so that Fixed detections only update the states of existing vulnerable items.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.

    The output of this integration is Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don't exist.

    This integration run is a scheduled run. It’s a chained integration which means after a run is successfully completed, the Tenable.sc Open Vulnerabilities Integration described next is triggered.

    Note:
    By default, the family IDs 0 and 39 are excluded from this integration.
    Tenable.sc Open Vulnerabilities Integration
    • This integration is triggered on successful completion of the Tenable.sc Fixed Vulnerabilities Integration.
    • Retrieves vulnerability data based on the query filters selected from the Tenable.sc product and processes it in your instance.
    • Creates corresponding vulnerable items for active vulnerabilities.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.
    • The output of this integration is Update/Create new vulnerable items (VIs) if they don’t exist. It also creates configuration items and third-party entries if they don't exist.
    Note:
    By default, the family IDs 0 and 39 are excluded from this integration.
    Tenable.sc Scan Credential Integration
    • This integration retrieves the scan credentials configured in Tenable.sc.
    • Coordinates the REST message calls to the Credentials API.
    • The output of this integration is scan credentials populated in table, [sn_vul_tenable_scan_credential].
    • The imported credentials are used to access the scanner when scan requests are initiated from the ServiceNow AI Platform.
    • This integration is scheduled to run weekly.
    Tenable.sc Backfill Vulnerabilities Integration
    • This backfill integration imports any open and fixed vulnerabilities that might have been missed during an import.
    • This integration imports both open and fixed vulnerabilities from the last seven days to update your detections and vulnerable items.
    • This integration might impact your performance.
    • This integration is inactive by default.
    • To update your vulnerability data and avoid potential performance problems, you might prefer to schedule the Tenable.sc Fixed Vulnerabilities and Open Vulnerabilities Integrations to run when no other scans are running.
    • The output of this integration is:
      • Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don't exist.
      • to Update/Create new vulnerable items (VIs) if they don’t exist. It also creates configuration items and third-party entries if they don't exist.

    User authentication and Tenable.sc

    User authentication is supported by your ServiceNow AI Platform® instance and version 5.13 of the Tenable.sc product. User authentication is required if you’re using version 5.12 and earlier of the Tenable.sc product.

    When you select user authentication for the Tenable.sc integrations, tokens might expire and be replaced during integration runs. In the Notes column on the Vulnerability Integration Run record (VIN), the following message is displayed for a process when a token expires, Error: Token validation is failed. No action is required if this message is displayed. Expired tokens are automatically refreshed in the background and the message doesn’t indicate a pause or error with the integration process.