tenable / integration-jira-cloud


Is there a way to filter the exported vulnerabilities? #58

Closed raballestasr closed 4 years ago

raballestasr commented 4 years ago

From tenable.io? My organization is world-wide scale, and as a tenable admin, which is required for exporting, I have access to all the vulnerabilities everywhere, but I am only interested in a small portion of those. Is there a way to only export the vulnerabilities from certain scans (by scan UUID or name, for example) from within the integration? I've been looking at the code but I'm not certain. If maybe you know how to set these limitations from within tenable.io, I would appreciate your insights. I'm quite new to tenable. Thanks again in advance.

SteveMcGrath commented 4 years ago

No, the exports APIs do not have that ability. The only additional filter that can be used is cidr_range.

https://pytenable.readthedocs.io/en/stable/io.html#tenable.io.exports.ExportsAPI.vulns

Note that while the scan uuid is stored in the vuln document, I wouldn't consider it reliable, as it's only reporting the last observed scan uuid, not all.

raballestasr commented 4 years ago

Thanks for your quick reply. I will look into that.

raballestasr commented 4 years ago

Hi, I tried filtering by cidr_range, but that won't work for me as we have many targets and their IPs may change, etc. I tried using tags: I tagged my scan 'region:latam-pci' and modified these lines in transform.py:

        # if the source instance is a Tenable.io object, then we will initiate
        # the appropriate export calls.

        if isinstance(self._src, TenableIO):
            live = self._src.exports.assets(
                updated_at=observed_since,
                chunk_size=self.config['tenable'].get('chunk_size', 1000),
                tags=[('region', 'latam-pci')]
            )

            deleted = self._src.exports.assets(
                deleted_at=observed_since,
                chunk_size=self.config['tenable'].get('chunk_size', 1000),
                tags=[('region', 'latam-pci')]
            )

            terminated = self._src.exports.assets(
                terminated_at=observed_since,
                chunk_size=self.config['tenable'].get('chunk_size', 1000),
                tags=[('region', 'latam-pci')]
            )

However, upon a first run, I don't think it's working. Do I need to add the filtering criteria anywhere else in the code? Again, thanks in advance.

raballestasr commented 4 years ago

I also added the tags in the following lines:

            # generate an export for the open and reopened vulns that match
            # the criticality rating described.  Then pass the export iterator
            # to the create_issues method.
            vpr = None
            if self.config['tenable'].get('tio_vpr_thresh'):
                vpr = {'gte': self.config['tenable'].get('tio_vpr_thresh')}
            vulns = self._src.exports.vulns(
                last_found=observed_since,
                severity=self.config['tenable']['tio_severities'],
                num_assets=self.config['tenable'].get('chunk_size', 1000),
                vpr=vpr,
                tags=[('region', 'latam-pci')]
            )
            self.create_issues(vulns)

            # generate an export for the fixed vulns that match the
            # criticality rating described.  Then pass the export iterator to
            # the close_issues method.
            closed = self._src.exports.vulns(
                last_fixed=observed_since,
                state=['fixed'],
                severity=self.config['tenable']['tio_severities'],
                num_assets=self.config['tenable'].get('chunk_size', 1000),
                tags=[('region', 'latam-pci')]
            )
            self.close_issues(closed)

SteveMcGrath commented 4 years ago

Add the following to your config under the tenable definition:

  tio_tags:
    - key: TAG_KEY_NAME
      value: TAG_VALUE_NAME
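The answers above say two things: the export APIs accept only cidr_range and tags as extra filters, and the integration reads a tag filter from a tio_tags list under the tenable key of its config. The following is an added example, not code from tenable/integration-jira-cloud or from pyTenable, showing how such a tio_tags list becomes the tags= argument (a list of (key, value) tuples, as in the exports.vulns and exports.assets calls quoted in this thread), how the rest of the open-vuln export call from transform.py is assembled around it, and a client-side check over exported asset documents. The config dict, the sample asset records and the helper names (tags_from_config, open_vuln_export_kwargs, asset_matches_tags, filter_assets) are constructed for this example; the asset documents are assumed to list tags as {"key": ..., "value": ...} mappings, which is the assets-export shape, so adjust if your export differs. Nothing here talks to Tenable.io.

```python
"""Added example: turning a tio_tags config list into the tags= filter that
pyTenable's export calls accept, plus a client-side tag check.

Not code from tenable/integration-jira-cloud or pyTenable; the config and
asset records below are constructed for the example.
"""
from typing import Any, Dict, Iterable, List, Tuple

Tag = Tuple[str, str]

# Constructed config in the shape described in the thread: a tio_tags list of
# key/value mappings under the tenable key, next to the other keys that the
# quoted transform.py code reads.
CONFIG: Dict[str, Any] = {
    "tenable": {
        "tio_severities": ["high", "critical"],
        "tio_vpr_thresh": 7.0,
        "chunk_size": 1000,
        "tio_tags": [
            {"key": "region", "value": "latam-pci"},
        ],
    }
}

# Constructed asset documents (assumed shape: tags as key/value mappings).
SAMPLE_ASSETS: List[Dict[str, Any]] = [
    {"id": "asset-a", "tags": [{"key": "region", "value": "latam-pci"}]},
    {"id": "asset-b", "tags": [{"key": "region", "value": "emea"}]},
    {"id": "asset-c", "tags": []},
]


def tags_from_config(config: Dict[str, Any]) -> List[Tag]:
    """Convert tio_tags mappings into the (key, value) tuples pyTenable expects.

    A missing or empty tio_tags list yields [], meaning no tag filter.  An
    entry without both key and value is a config error, so fail loudly
    instead of silently exporting everything.
    """
    entries = config["tenable"].get("tio_tags") or []
    tags: List[Tag] = []
    for entry in entries:
        if "key" not in entry or "value" not in entry:
            raise ValueError(f"tio_tags entry needs key and value: {entry!r}")
        tags.append((str(entry["key"]), str(entry["value"])))
    return tags


def open_vuln_export_kwargs(config: Dict[str, Any],
                            observed_since: int) -> Dict[str, Any]:
    """Assemble the keyword arguments for the open/reopened vuln export.

    Mirrors the exports.vulns(...) call quoted in this thread (last_found,
    severity, num_assets, vpr) and adds tags only when one is configured, so
    an unconfigured filter leaves the call unchanged.
    """
    tio = config["tenable"]
    vpr = {"gte": tio["tio_vpr_thresh"]} if tio.get("tio_vpr_thresh") else None
    kwargs: Dict[str, Any] = {
        "last_found": observed_since,
        "severity": tio["tio_severities"],
        "num_assets": tio.get("chunk_size", 1000),
        "vpr": vpr,
    }
    tags = tags_from_config(config)
    if tags:
        kwargs["tags"] = tags
    return kwargs


def asset_matches_tags(asset: Dict[str, Any], wanted: Iterable[Tag]) -> bool:
    """True when the asset carries every wanted (key, value) tag."""
    present = {(t.get("key"), t.get("value")) for t in asset.get("tags", [])}
    return all(tag in present for tag in wanted)


def filter_assets(assets: Iterable[Dict[str, Any]],
                  wanted: Iterable[Tag]) -> List[Dict[str, Any]]:
    """Client-side post-filter: keep only assets matching all wanted tags.

    Useful as a sanity check that the server-side tags= filter did what you
    expected before issues are created from the export.
    """
    wanted = list(wanted)
    return [a for a in assets if asset_matches_tags(a, wanted)]


if __name__ == "__main__":
    tags = tags_from_config(CONFIG)
    print("tags=", tags)
    print("export kwargs:", open_vuln_export_kwargs(CONFIG, 1600000000))
    print("matching assets:", [a["id"] for a in filter_assets(SAMPLE_ASSETS, tags)])
```

With the config from the answer above, tags_from_config yields [('TAG_KEY_NAME', 'TAG_VALUE_NAME')] and that list is what ends up in the tags= keyword of the export calls; with the constructed CONFIG it yields [('region', 'latam-pci')] and only asset-a passes the client-side check.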