Configuring Tenable.io as a Provider for CloudGuard

This section describes how to configure Tenable.io as a provider for CloudGuard. When configured, Tenable.io sends events to CloudGuard, which then shows them on CloudGuard's Events page.

Important - CloudGuard supports findings only for AWS EC2. Currently, there is no support for GCP or Azure.

Configuring Tenable.io to Send Events

Tenable.io integration allows findings in Tenable.io to be synced into CloudGuard, as long as the asset corresponding with the finding in Tenable.io exists in CloudGuard.

To send Tenable.io alerts to CloudGuard:

  1. From your Tenable account, navigate to Settings > Users.

  2. Create a new Tenable user, with the role Administrator.

  3. Select the New user. The New user window opens.

  4. Select API keys > click Generate.

  5. Copy the API Access Key and Secret Key.

  6. In CloudGuard, from the left menu go to Settings > Configuration > Integrations.

  7. In the Vulnerability Security Scanner section, click Tenable.

    The Tenable sliding window opens.

  8. Create the configuration.

Viewing Tenable.io Events

When your Tenable.io account is configured to send events to CloudGuard, the events show on the CloudGuard Threat & Security Events page. Only events for entities that are part of an environment that is onboarded to CloudGuard show.

To see Tenable.io events in CloudGuard:

  1. In CloudGuard, navigate to Events > Threat & Security Events.

  2. In the Filter, select Source > Tenable.io. If it does not show as an option, then it is not configured correctly. Make sure you did the configuration steps correctly.

    The filtered list of events shows events from Tenable.io. To see more details, expand the event.

Building Rules and Queries Based on Tenable.io Findings

You can build CloudGuard Posture Management rules with conditions based on findings received from Tenable.io.

Example GSL rule that checks for instances in an environment for which external findings are sourced from Tenable.io:

Instance should not have externalFindings.findings with [ findingSource='Tenable.io']