Tenable SecurityCenter and its API

SecurityCenter is an enterprise level vulnerability management product of Tenable Network Security. As the name implies, the it is designed to be the center of Tenable security infrastructure. SecurityCenter takes data from other Tenable products: Passive Vulnerability Scanner (PVS), Log Correlation Engine (LCE), Nessus, and provides a powerful GUI interface for searching and reporting. Sounds familiar? Well, yes, it is something like SIEM, but with a strong emphasis on Vulnerability Management.

Tenable SecurityCenter 5

I’ve took this screenshot from SC5 video presentation in Spanish.

In this post, I certainly will not fully cover SC functionality and all the features of its API. I just would like to pay tribute to a convenient asset mechanism of SecurityCenter and show very basic operation of SecurityCenter API: retrieving the results of the vulnerability scanning (as I did it for Nessus in “Retrieving scan results through Nessus API“).

As in the Nessus case, to scan something with SecurityCenter you need to set a list of hosts or range of ip-addresses. But in SecurityCenter, you can also very easily make groups of hosts (Assets), which will be updated dynamically according to the fresh scan results. For example, Windows hosts, hosts with detected OpenSSL vulnerabilities, hosts with expired SSL certificate. You can do this with just a few clicks.

Add SC Asset

Tenable offers a variety of templates for creating assets list:

  • Client Applications – Identify systems with client centric applications installed.
  • Collected Data – Identify devices that have collected system configuration data such as patch level and user credentials.
  • Compliance – Identify devices that have been checked for compliance against a specific audit file.
  • Device Behavior – Identify devices that share common traffic patterns and/or open ports.
  • Infrastructure Technology – Identify systems that are used for network communications infrastructure such as routers, switches, and access points.
  • OS – Use plugins, CPE strings, and/or other mechanisms to identify common operating systems.
  • Server Applications – Identify systems with server centric applications such as database services, email services, and directory services.
  • Virtual Technology – Identify systems with virtualization technology or virtual management applications installed.
  • Vulnerabilities – Identify devices or applications based on the presence of a specified severity and/or vulnerability.

If no template suit you, there are more powerful tools (Dynamic) or it may sometimes be necessary to make just a static list (dns/ip):

  • Static IP List
  • DNS Name List
  • Combination
  • Dynamic
  • Import Asset

Nessus Template Scanning policies are in fact some variation of Advanced Scan policy (see “Tenable Nessus: registration, installation, scanning and reporting“). In the same way all SecurityCenter Asset templates are in fact variations of the Dynamic Asset, which allows you to specify very tricky nested criterias.

SecurityCenter Dynamic Asset

You can just view assets as a flat list and do various other things. For example, easily make a scan task for them or display information (only for particular assets, not all the systems) in convenient dashboards.

Add SecurityCenter dashboard

SecurityCenter graphical tools are very comfortable and beautiful. However, it is clear how they actually work. In fact it is the same Nessus scan results, just presented in a different form (not to taking into consideration PVS and LCE). You can make all the same by analyzing raw Nessus scan repoкts with your own scripts. Making some scripting might make sense if you, for example, cant use SecurityCenter for the all your hosts, because it is too expansive, and scan most critical hosts with SC, and the others with separate Nessus,

Let’s see how to retrieve the raw scan results from SecurityCenter with API. SecurityCenter API description is publicly available here: https://docs.tenable.com/sccv/api/index.htm. You do not have to pay anything extra to use it.

SecurityCenter API manual

Nessus and SecurityCenter are the products of one company. It would be logical to see some API very similar to the Nessus API. But not really. In fact, it is all so different. It seems that these APIs was made by completely different development teams.

You can see the difference right from the authorization. To authorize in you need Security Manager account. We need to get the session key and cookies.

$ curl -s -k -X POST -d '{"username":"sc_user","password":"sc_password"}' -c sc_cookie.txt https://sc.corporation.com/rest/token

{"type":"regular","response":{"token":1130200994,"unassociatedCert":"false"},"error_code":0,"error_msg":"","warnings":[],"timestamp":1470939046}

Here is what is contained in sc_cookie.txt, if you’re curious:

$ cat sc_cookie.txt
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

sc.corporation.com FALSE / TRUE 0 TNS_SESSIONID bf4469c10e131108b1de0a1f4a66487e

For each request, you should add session key to the header and use cookie file.

Now we can get the list of scans. In fact, almost all of the API requests are something like “show me this big table.” By default, SC doesn’t show all of the fields. You can specify which fields you want to see in parameter fields of a particular GET-request. In order to select a scan interested for us, we need these fields: name, description, status and finishTime.

curl -s -k -X GET -H "X-SecurityCenter: 1130200994" -H 'Content-Type: application/json' -b sc_cookie.txt https://sc.corporation.com/rest/scanResult?fields=name,description,status,finishTime | python -m json.tool

{
    "error_code": 0,
    "error_msg": "",
    "response": {
        "manageable": [
            {
                "description": "",
                "finishTime": "1468491230",
                "id": "1201",
                "name": "LONDON_USERS",
                "status": "Completed"
            },
            {
                "description": "",
                "finishTime": "1468679415",
                "id": "1104",
                "name": "PARIS_USERS",
                "status": "Completed"
            },
            ...
            {
                "description": "",
                "finishTime": "1470236912",
                "id": "1174",
                "name": "LONDON_SERVERS",
                "status": "Completed"
            }
        ],
        "usable": [
            {
                "description": "",
                "finishTime": "1468491230",
                "id": "1201",
                "name": "LONDON_USERS",
                "status": "Completed"
            },
            {
                "description": "",
                "finishTime": "1468679415",
                "id": "1104",
                "name": "PARIS_USERS",
                "status": "Completed"
            },
            ...
            {
                "description": "",
                "finishTime": "1470236912",
                "id": "1174",
                "name": "LONDON_SERVERS",
                "status": "Completed"
            }
        ]
    },
    "timestamp": 1470939236,
    "type": "regular",
    "warnings": []
}

As you can see, there is a flat list of all scans not grouped in any way. We can select the scan by the name and timestamp when it was completed. And we don’t need to get some history_id, like we did in Nessus, or something like that. Moreover, we do not even have to wait until report file will be ready for download. Isn’t it cool?

$ curl -s -k -X POST -H "X-SecurityCenter: 1130200994" -H 'Content-Type: application/json' -b sc_cookie.txt https://sc.corporation.com/rest/scanResult/1201/download > 1201.zip

$ unzip 1201.zip

Archive: 1201.zip
inflating: 1201.nessus

This file is in the same Nessus v2 report format.

cat 1201.nessus | head

<?xml version="1.0" ?>
<NessusClientData_v2>
<Policy><policyName>CREDENTIAL_SCAN</policyName>
<Preferences><ServerPreferences><preference><name>max_simult_tcp_sessions</name>
<value>unlimited</value>
</preference>
<preference><name>use_mac_addr</name>
<value>no</value>
</preference>
<preference><name>sc_version</name>

Thus, all of the scripts that you used to analyze Nessus scans will work for scans reports retrieved from SecurityCenter without any modifications.

13 thoughts on “Tenable SecurityCenter and its API

  1. Pingback: Qualys Vulnerability Management GUI and API | Alexander V. Leonov

  2. Pingback: New Vulners.com services for Linux Security Audit and Vulnerability Alerting | Alexander V. Leonov

  3. Janusz

    I tried the command to obtain my token using my username, password, and /rest/token and it didn’t work for me. I get back:
    {“type”:”regular”,”response”:””,”error_code”:13,”error_msg”:”This request is not
    properly formatted.”,”warnings”:[],”timestamp”:1478642237}

    Reply
    1. Alexander Leonov Post author

      Hello Janusz! It is probably because WordPress changes quotation marks in the examples by default. My fault, I forgot to uses <code> to suppress it. Fixed it now. Could you try it once again?

      Reply
  4. Omar

    Alexander,

    Outside the use of the analysis call, is there a way for the API to pull and download existing reports results?

    Reply
    1. Alexander Leonov Post author

      Hello Omar,

      Did you mean standard SecurityCenter reports, such as “Critical and Exploitable Vulnerabilities Report”? I have not worked with them a lot. To use them you need to use “rest/report” API call not documented in official manual.

      Reply
  5. Pingback: Custom Vulnerability Management Reports | Alexander V. Leonov

  6. Pingback: Seccubus installation and GUI overview | Alexander V. Leonov

  7. Pingback: ZeroNights16: Enterprise Vulnerability Management | Alexander V. Leonov

  8. Pingback: Installing Nessus for SecurityCenter on laptop | Alexander V. Leonov

  9. Pingback: Tenable Nessus: registration, installation, scanning and reporting | Alexander V. Leonov

  10. Pingback: Tracking software versions using Nessus and Splunk | Alexander V. Leonov

  11. Saurabh

    I want to get the all the vulnerability List for every vulnerability summary in JSON format using curl command. Could you please help me with that?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *