Introducing the new Tenable Source Plugin
Ştefan Muraru
Tags: announcement, product
Tenable offers cybersecurity solutions that help organizations identify, assess, and manage vulnerabilities across their IT and operational technology environments, enhancing overall cyber resilience.
The new Tenable CloudQuery Source Plugin enhances cloud security by enabling comprehensive vulnerability management and asset visibility, empowering organizations to proactively identify and mitigate risks in their cloud environments.
With the latest release, the CloudQuery Tenable Source Plugin supports fetching the following resources:
- Vulnerability Management (TVM) data:
  - Discovered assets, into the `tenable_tvm_assets` table.
  - Compliance findings, into the `tenable_tvm_compliance_findings` table.
  - Plugins that were used for vulnerability assessment, into the `tenable_tvm_plugins` table.
  - Scans, into the `tenable_tvm_scans` table.
  - Vulnerabilities, into the `tenable_tvm_vulnerabilities` table.
- Platform users, into the `tenable_users` table.
Use cases
Let's look at a few use cases to help you get started.
Severe vulnerabilities
It's crucial to stay on top of known vulnerabilities in your code, and the higher the severity, the more urgent the fix. You can use the SQL query below to pull out all open high and critical vulnerabilities.
```sql
select
  output, severity
from
  tenable_tvm_vulnerabilities as v
where
  v.severity_id >= 3 and v.state = 'OPEN';
```
In this example, we're using Postgres as our destination as it allows us to use some advanced SQL querying methods against our vulnerability data from Tenable.
Remember you can always add more filters, so you can easily find which assets need fixing. For example, to group vulnerability findings by assets, you can run the following query:
```sql
select
  a.id as asset_id,
  a.fqdns as asset_fqdn,
  count(*) as count
from
  tenable_tvm_vulnerabilities as v
  join tenable_tvm_assets as a on v.asset_id = a.id
where
  v.severity_id >= 3 and v.state = 'OPEN'
group by a.id, a.fqdns;
```
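The grouped query above gives one total per asset. For triage it helps to see how that total splits between critical and high findings, so the assets carrying critical issues sort to the top. The following query is an added example, not code from the CloudQuery post; it uses only the columns the post's own queries reference and assumes Tenable's numeric severity scale where 3 is high and 4 is critical (consistent with the post's `severity_id >= 3` filter for high and critical):

```sql
-- Added example (not part of the original post): per-asset breakdown of open
-- findings by severity, using Postgres' aggregate FILTER clause.
-- Assumption: severity_id 3 = high, 4 = critical (Tenable's 0..4 scale).
select
  a.id as asset_id,
  a.fqdns as asset_fqdn,
  count(*) filter (where v.severity_id = 4) as critical_count,
  count(*) filter (where v.severity_id = 3) as high_count,
  count(*) as open_high_or_critical
from
  tenable_tvm_vulnerabilities as v
  join tenable_tvm_assets as a on v.asset_id = a.id
where
  v.severity_id >= 3 and v.state = 'OPEN'
group by a.id, a.fqdns
-- keep only assets with at least one open critical finding
having count(*) filter (where v.severity_id = 4) > 0
order by critical_count desc, high_count desc;
```

Drop the `having` clause if you want every asset with open high findings listed as well; the `FILTER` counts still give the split per row.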
Asset inventory alerts
It's tough keeping track of all assets in your inventory, especially on multiple cloud providers with multiple accounts, distributed amongst multiple teams.
However, Tenable's discovery through Nessus scans can build up an inventory of those assets. Next, it's as easy as running the following query to retrieve the assets tied to a specific platform:
```sql
select
  *
from
  tenable_tvm_assets as a
where
  'gcp-instance' = ANY (a.system_types);
```
Or, going further, you can set up alert notifications by using the results of the following query, which searches for GCP instances that were first discovered in the last week:
```sql
select
  a.fqdns as asset_fqdn,
  a.ipv4s as asset_ipv4,
  a.ipv6s as asset_ipv6,
  a.gcp_zone as asset_gcp_zone,
  a.gcp_project_id as asset_gcp_project_id,
  a.gcp_instance_id as asset_gcp_instance_id
from
  tenable_tvm_assets as a
where
  a.first_seen >= now() - interval '1 week'
  and 'gcp-instance' = ANY (a.system_types);
```
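A newly discovered instance is more interesting to an on-call engineer when it already has open high or critical findings, since that usually means an image or baseline problem rather than a one-off host. The query below is an added example, not code from the CloudQuery post: it joins the post's "first seen in the last week" asset filter with its open high/critical vulnerability filter and rolls the result up per GCP project, zone and instance. As in the post, `severity_id >= 3` is taken to mean high and critical.

```sql
-- Added example (not part of the original post): alert feed for GCP instances
-- discovered in the last week that already carry open high/critical findings.
-- Only columns shown in the post are used; severity_id >= 3 (high/critical)
-- follows the post's own filter.
select
  a.gcp_project_id as asset_gcp_project_id,
  a.gcp_zone as asset_gcp_zone,
  a.gcp_instance_id as asset_gcp_instance_id,
  a.fqdns as asset_fqdn,
  a.first_seen as asset_first_seen,
  count(*) as open_high_or_critical
from
  tenable_tvm_assets as a
  join tenable_tvm_vulnerabilities as v on v.asset_id = a.id
where
  a.first_seen >= now() - interval '1 week'
  and 'gcp-instance' = ANY (a.system_types)
  and v.severity_id >= 3
  and v.state = 'OPEN'
group by a.gcp_project_id, a.gcp_zone, a.gcp_instance_id, a.fqdns, a.first_seen
order by open_high_or_critical desc, a.first_seen desc;
```

Because it is an inner join, instances with no open findings are not returned; switch to `left join` and move the `v.*` conditions into the `on` clause if the alert should list every new instance with a zero count.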
Getting Started
To get started syncing Tenable data, see the Tenable source plugin documentation for instructions.
Incremental data
To prevent repeated syncing of the same data, CloudQuery supports incremental tables. We designed part of the Tenable tables to be incremental, as the size of audit logs can quickly get out of control, especially for the `tenable_tvm_vulnerabilities` table. To take advantage of this feature, be sure to add the `backend_options` field to your sync spec. For example, to sync from Tenable to Postgres you could use the following config (remember to update the versions and add your own credentials):
```yaml
kind: source
spec:
  name: tenable
  path: cloudquery/tenable
  registry: cloudquery
  version: "v2.x.x"
  tables:
    - "*"
  destinations: ["postgresql"]
  backend_options:
    table_name: "cq_state_tenable"
    connection: "@@plugins.postgresql.connection"
  spec:
    access_key: "${TENABLE_ACCESS_KEY}"
    secret_key: "${TENABLE_SECRET_KEY}"
---
kind: destination
spec:
  name: postgresql
  path: cloudquery/postgresql
  registry: cloudquery
  version: "v8.x.x"
  spec:
    connection_string: "${POSTGRES_DSN}"
```
Ready to dive deeper?
Join the CloudQuery Discord community to connect with other users and experts.
You can also try out CloudQuery locally with our quick start guide or explore CloudQuery Cloud (currently in beta) for a more scalable solution.