Before you get started
Download Templates from the Infoblox Community Website
Outbound API templates are an essential part of the configuration. Templates fully control the integration and steps required to execute the outbound notifications. Detailed information on how to develop templates can be found in the NIOS Administrator’s guide.
Infoblox does not distribute any templates out of the box with NIOS releases. Templates are available on the Infoblox community website. Templates for the Tenable.io integration are located in the Partner Integrations. You can find other templates posted in the API & Integration forum.
Templates may require additional Extensible Attributes, parameters, or WAPI credentials to be created or defined. The required configuration should be provided with a template. Don’t forget to apply any changes required by the template before testing a notification.
Extensible Attributes
For this integration, the following Extensible Attributes need to be created on the grid.
Table 1. Extensible Attributes
Extensible Attributes | Description | Type |
TNBL_IO_Add_by_Hostname | Whether or not using a host’s name as the target name is desired (otherwise will use its IP as the target name). The hostname should be resolvable by Tenable.io. | List (true, false) |
TNBL_IO_Last_Scan | Timestamp when target was last scanned by Tenable.io. | String |
TNBL_IO_Scan_On_Add | Whether or not a target will be scanned upon creation. | List (true, false) |
TNBL_IO_Scan | Whether or not a target will be scanned after a security event. | List (true, false) |
TNBL_IO_Sync | Whether or not adding the target to the Target Group list of targets is desired. | List (true, false) |
TNBL_IO_Scan_Template | Name of the scan that will scan the target. It must match an active scan on Tenable.io. | String |
TNBL_IO_Asset_Sync | Whether or not syncing asset events with Tenable.io is desired. | List (true, false) |
TNBL_IO_Sync_Time | Timestamp when the asset was added to Tenable.io. | String |
TNBL_IO_Target_Group | A target group allows you to set permissions on which targets (FQDNs, CIDR notations, ranges, or IP addresses) users can scan. | String |
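A pre-flight check for the attributes in Table 1, added here as an example and not part of the Infoblox template package: it compares Extensible Attribute definitions read from the grid with the table and reports what is missing or defined differently. It assumes definitions in the shape of the WAPI extensibleattributedef object (name, type, list_values), with "List" mapped to ENUM and "String" to STRING; the sample grid data is constructed.

```python
import json

# Required Extensible Attributes from Table 1. "List (true, false)" is mapped
# to WAPI type ENUM and "String" to STRING (assumed mapping).
BOOL_EAS = ["TNBL_IO_Add_by_Hostname", "TNBL_IO_Scan_On_Add", "TNBL_IO_Scan",
            "TNBL_IO_Sync", "TNBL_IO_Asset_Sync"]
STRING_EAS = ["TNBL_IO_Last_Scan", "TNBL_IO_Scan_Template",
              "TNBL_IO_Sync_Time", "TNBL_IO_Target_Group"]


def required_defs():
    """Return {name: definition} in the assumed extensibleattributedef shape."""
    defs = {n: {"name": n, "type": "ENUM",
                "list_values": [{"value": "true"}, {"value": "false"}]}
            for n in BOOL_EAS}
    defs.update({n: {"name": n, "type": "STRING"} for n in STRING_EAS})
    return defs


def audit(existing):
    """Compare definitions read from the grid with Table 1.

    Returns (to_create, mismatched): payloads for EAs that do not exist yet,
    and {name: reason} for EAs that exist with a different type or value list.
    """
    by_name = {d["name"]: d for d in existing}
    to_create, mismatched = [], {}
    for name, want in required_defs().items():
        have = by_name.get(name)
        if have is None:
            to_create.append(want)
        elif have.get("type") != want["type"]:
            mismatched[name] = f"type {have.get('type')} != {want['type']}"
        elif want["type"] == "ENUM":
            # Values are compared exactly as written in Table 1 (lowercase).
            values = sorted(v["value"] for v in have.get("list_values", []))
            if values != ["false", "true"]:
                mismatched[name] = f"list values {values}"
    return to_create, mismatched


# Constructed sample of what a grid might return; not real output.
SAMPLE_GRID = [
    {"name": "TNBL_IO_Scan", "type": "ENUM",
     "list_values": [{"value": "true"}, {"value": "false"}]},
    {"name": "TNBL_IO_Sync", "type": "STRING"},
    {"name": "TNBL_IO_Asset_Sync", "type": "ENUM",
     "list_values": [{"value": "True"}, {"value": "False"}]},
    {"name": "TNBL_IO_Last_Scan", "type": "STRING"},
]

if __name__ == "__main__":
    create, bad = audit(SAMPLE_GRID)
    print(json.dumps({"create": create, "mismatched": bad}, indent=2))
```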
Editing Instance Variables
Tenable.io templates use instance variables to adjust the templates’ behavior. Instance variables can be entered through the grid GUI at Grid → Ecosystem → Notification and then selecting the notification you created at Edit → Templates.
Table 2. Instance Variables
Instance Variable | Description | Type |
Add_Discovery_Data | Whether or not adding the target to the Target Group list of targets is desired. | String (true, false) |
Scan_Discovery_Data | Whether or not a target will be scanned upon creation. | String (true, false) |
Discovery_Asset_Sync | Whether or not syncing asset events with Tenable.io is desired. | String (true, false) |
Discovery_Scan_Template | Name of the scan that will scan the target. It must match an active scan on Tenable.io. | String |
Discovery_Target_Group | A target group allows you to set permissions on which targets (FQDNs, CIDR notations, ranges, or IP addresses) users can scan. | String |
Editing Session Variables
The Tenable_IO_Session template uses two session variables to log in to the Tenable.io instance. Session variables can be entered through the grid GUI at Grid → Ecosystem → Outbound Endpoint and then selecting the endpoint you created at Edit → Session Management.
Table 3. Session Variables
Session Variable | Description |
accessKey | A Token that is required to leverage the Tenable.io API. |
secretKey | A Token that is required to leverage the Tenable.io API. |
Supported Notifications
A notification can be considered a link between a template, an endpoint and an event. In the notification properties, you define which event triggers the notification, which template is executed and which API endpoint NIOS will establish the connection to. The Tenable.io templates support a subset of available notifications (refer to the limitations chapter in this guide for more details). To simplify the deployment, create only the required notifications and use the relevant filters. It is highly recommended to configure deduplication for RPZ events and exclude a feed that is automatically populated by Threat Analytics.
Table 4. Supported Notifications
Notification | Description |
DNS RPZ | DNS queries that are malicious or unwanted |
DNS Tunneling | Data exfiltration that occurs on the network |
ADP | DNS queries that are malicious or unwanted |
DHCP Leases | Lease events that occur on the network |
Object Change Network IPv4 | Added/Deleted IPv4 network objects |
Object Change Network IPv6 | Added/Deleted IPv6 network objects |
Object Change Range IPv4 | Added/Deleted Host IPv4 objects |
Object Change Range IPv6 | Added/Deleted Host IPv6 objects |
Object Change Fixed Address IPv4 | Added/Deleted fixed/reserved IPv4 objects |
Object Change Fixed Address IPv6 | Added/Deleted fixed/reserved IPv6 objects |
Object Change Host Address IPv4 | Added/Deleted Host IPv4 objects |
Object Change Host Address IPv6 | Added/Deleted Host IPv6 objects |
Object Change Discovery Data | Discovery data |
Infoblox Permissions
The Infoblox and Tenable.io integration requires a few permissions to work. Navigate to Administration → Administrators and add Roles, Permissions, Groups and Admins to include the permissions that are required for the integration. When creating a new group, under the Groups tab, select the API interface under the Allowed Interfaces category.