Closed ndowmon closed 3 years ago
Updated the vuln data model:
Also added `toImplementSpec()` matcher.
That test addition is a solid add!
I think this is consistent with what we discussed. I like that you added the relationship between the `Account` and the `Asset`.
Not sure it makes a big difference here but we did discuss earlier about whether or not the `Agent` should be both a `HostAgent` and a `Scanner`. Based off what you currently have I don't think it should also be a `Scanner`, since it doesn't have any `SCAN` relationships and that makes sense to me.
That makes me think that the `Agent` shouldn't have the `IDENTIFIED` relationship and that should just be left for the `Scanner`. What're your thoughts here?
Another thing I want to bring back up is the discussion of what the `Asset` should be. I think for now we should go with `Record` but I think we should consider creating an `Asset` class since we would like to enforce some consistency between these types.
What do you think the `Host` mapping should map to for the filter? Do you think we should include `Device` as target as well? These things don't need to be decided upon right now, but just wanted to throw that out there.
> That makes me think that the `Agent` shouldn't have the `IDENTIFIED` relationship and that should just be left for the `Scanner`. What're your thoughts here?
Seems OK to me. There's definitely some weirdness happening with scanners & agents... we'll have to discuss when it comes to implementing them.
> Another thing I want to bring back up is the discussion of what the `Asset` should be. I think for now we should go with `Record` but I think we should consider creating an `Asset` class since we would like to enforce some consistency between these types.
In this case, there won't be consistency between this integration and other vuln scanners, so the `_class` consistency is not as critical. I assume (read: hope) that users will be filtering based on `_type` here to be more precise (in most cases, I think it makes the most sense to filter based on `_type`).
> What do you think the `Host` mapping should map to for the filter? Do you think we should include `Device` as target as well? These things don't need to be decided upon right now, but just wanted to throw that out there.
When we get to building these mapped relationships, we are going to need to build a number of different filters. We'll cross that bridge when we get there 😄
FWIW we are currently in the process of making a big conversion in this integration anyway, but it's a good opportunity to review the data model here.
Here's the J1 Vuln data model: https://support.jupiterone.io/hc/en-us/articles/360041429733-Data-Model-for-Vulnerability-Management
Current:
Proposed: