WIXLIB

Deployment GuideIntegration with Tenable.io

TABLE OF CONTENTSINTRODUCTION .3PREREQUISITES .3KNOWN LIMITATIONS .3BEST PRACTICES .4CONFIGURATION .4WORKFLOW . 4BEFORE YOU GET STARTED . 4Download Templates from the Infoblox Community Web-Site. 4Extensible Attributes . 5Editing Session Variables . 6Supported Notification. 6Infoblox Permissions . 7TENABLE.IO CONFIGURATION. 7Configure Permissions. 7Create a Target Group . 9Create a Scan Template . 10Generate API Keys . 11INFOBLOX NIOS CONFIGURATION . 12Check if the Security Ecosystem License is Installed. 12Add/Upload Templates . 12Modifying Templates . 14Add a Rest API Endpoint . 15Adding Token . 16Add a Notification . 17CHECK THE CONFIGURATION . 19Address Object Management Test . 19SUMMARY . 22Integration with Tenable.io2

IntroductionInfoblox and Tenable.io together help empower actionable insight into your entire infrastructure’s securityrisks, allowing for you to quickly and accurately identify, investigate, and prioritize vulnerabilities andmisconfigurations in your modern IT environment.Infoblox provides Tenable.io with resources such as IP addresses, Hosts, and potential threats and inexchange Tenable.io gets improved management on assets and the ability to automatically trigger scanswhen security events occur. The integration with Infoblox and Tenable.io allows for quicker remediationand more insight into the entire network.Note that all Images in this document were taken in NIOS 8.4PrerequisitesThe following are prerequisites for the integration using Outbound API notifications:Infoblox: Infoblox:oNIOS 8.3 or higher.oSecurity Ecosystem License.oOutbound API integration templates.oPrerequisites for the templates (e.g. configured and set extensible attributes).oPre-configured services: DNS, DHCP, RPZ, ADP and Threat Analytics.oNIOS API user with the following permissions (access via API only):§All Network Views – RW.§All Hosts – RW.§All IPv4 Networks – RW.§All IPv6 Networks – RW.§All IPv4 Ranges – RW.§All IPv6 Ranges – RW.§All IPv4 DHCP Fixed Addresses/Reservations – RW.§All IPv6 DHCP Fixed Addresses/Reservations – RW. Tenable.iooAccount with standard permissionsKnown LimitationsThe current templates support DNS Firewall (RPZ), Threat Insight (DNS Tunneling), Advanced DNSProtection, Network IPv4, Network IPv6, Range IPv4, Range IPv6, Host IPv4, Host IPv6, Fixed addressIPv4, Fixed address IPv6 and Lease events only. The asset management template does not supportdelete or modify events and does not delete or modify IP’s or Host’s from Tenable.io due to limitationswith Tenable.io API. If additional templates become available, they will be found on the Infobloxcommunity site.Integration with Tenable.io3

Best practicesOutbound API templates can be found on the Infoblox community site on the partners integration page.After registering an account, you can subscribe to the relevant groups and forums. If additional templatescome out, they will be found on the Infoblox community site.For production systems, it is highly recommended to set the log level for an endpoint to “Info” or higher(“Warning”, “Error”).Please refer to the Infoblox NIOS Administrator’s Guide about other best practices, limitations and anydetailed information on how to develop notification templates. The NIOS Administrator’s Guide can befound through the Help panel in your Infoblox GUI, or on the Infoblox Support portal.ConfigurationWorkflowTenable.io:1. Configure Permissions2. Create a Target Group3. Create a Scan template.4. Generate API KeysInfoblox:1. Install the Security Ecosystem license if it was not installed.2. Check that the necessary services and features are properly configured and enabled, includingDNS, DHCP, RPZ, ADP and Threat Analytics.3. Create the required Extensible Attributes.4. Download (or create your own) notification templates (Tenable IO Assets.txt,Tenable IO Security.txt, Tenable IO Session.txt, Tenable IO Logout.txt,Tenable IO Login.txt) from the Infoblox community website.5. Add the templates.6. Add a REST API Endpoint.7. Add Notifications.8. Emulate an event, check Rest API Endpoint debug log and/or verify changes on the grid.Before you get StartedDownload Templates from the Infoblox Community Web-SiteOutbound API templates are an essential part of the configuration. Templates fully control the integrationand steps required to execute the outbound notifications. Detailed information on how to developtemplates can be found in the NIOS Administrator’s guide.Infoblox does not distribute any templates (out-of-the-box) with the NIOS releases. Templates areavailable on the Infoblox community web-site. Templates for the Tenable.io integration will be located inthe “Partners Integrations”. You can find other templates posted in the “API & Integration” forum.Templates may require additional extensible attributes, parameters or WAPI credentials to be created ordefined. The required configuration should be provided with a template. Don’t forget to apply any changesrequired by the template before testing a notification.Integration with Tenable.io4

Extensible AttributesFor this integration, the following Extensible Attributes need to be created on the grid.Table 1. Extensible AttributesExtensible AttributesDescriptionTypeTNBL IO Add by HostnameDefines if a host should be synced withTenable.io using a hostname. The hostnameshould be resolvable by Tenable.io.ListTNBL IO Last ScanContains a date when an asset was scannedlast time by a request from InfobloxStringTNBL IO ScanDefines if an asset should be scanned if RPZ,ADP or DNS Tunneling events are triggeredListDefines if an asset should be scannedimmediately after creationListTNBL IO Scan TemplateDefines a Tenable.io active scan which shouldbe used for scans initiated by Infoblox. List ofpossible values should match active scannames on Tenable.io.StringTNBL IO SyncDefines if an object should be synced withTenable.io.ListTNBL IO Sync TimeContains date/time when the object wassynchronized.StringTNBL IO Target GroupDefines a target group in Tenable.io that holdsthe assets to be scanned by Tenable.io.StringTNBL IO Scan On Add(true, false)(true, false)(true, false)(true, false)Editing Instance VariablesTenable.io templates use instance variables to adjust the templates’ behavior. Instance variables can beentered through the grid GUI at “Grid” à “Ecosystem” à “Notification” and then selecting thenotification you created at “Edit” à “Templates”.Table 2. Instance VariablesInstance VariableIntegration with Tenable.ioDescription5

Add Discovery Datatrue or false. Defines if a Discovered device should be added toTenable.ioScan Discovery Datatrue or false. Defines if a Discovered device should be scannedwhen added to Tenable.ioDiscovery Scan TemplateDefines a Tenable.io active scan which should be used for scansinitiated by Infoblox for Discovery events.Discovery Target GroupDefines a target group in Tenable.io that holds the assets to bescanned by Tenable.ioEditing Session VariablesThe Tenable IO Session template uses two session variables to login to the Tenable.io instance.Session variables can be entered through the grid GUI at “Grid” à “Ecosystem” à “OutboundEndpoint” and then selecting the endpoint you created at “Edit” à “Session Management”.Table 3. Session VariablesSession VariableDescriptionaccessKeyA Token that is required to leverage the Tenable.io API.secretKeyA Token that is required to leverage the Tenable.io API.Supported NotificationA notification can be considered as a "link" between a template, an endpoint and an event. In thenotification properties, you define which event triggers the notification, which template is executed andwith which API endpoint NIOS will establish the connection to. The Tenable.io templates support a subsetof available notifications (refer to the limitations chapter in this guide for more details). In order to simplifythe deployment, only create required notifications and use the relevant filters. It is highly recommendedto configure deduplication for RPZ events and exclude a feed that is automatically populated by ThreatAnalytics.Table 4. Supported NotificationsNotificationDescriptionDNS RPZDNS queries that are malicious or unwantedDNS TunnelingData exfiltration that occurs on the networkIntegration with Tenable.io6

ADPDNS queries that are malicious or unwantedDHCP LeasesLease events that occur on the networkObject Change Network IPv4Added/Deleted IPv4 network objects.Object Change Network IPv6Added/Deleted network IPv6 objects.Object Change Range IPv4Added/Deleted Host IPv4 objects.Object Change Range IPv6Added/Deleted Host IPv6 objects.Object Change Fixed Address IPv4Added/Deleted fixed/reserved IPv4 objects.Object Change Fixed Address IPv6Added/Deleted fixed/reserved IPv6 objects.Object Change Host Address IPv4Added/Deleted Host IPv4 objects.Object Change Host Address IPv6Added/Deleted Host IPv6 objects.Infoblox PermissionsThe Infoblox and Tenable.io integration requires a few permissions for the integration to work. Navigateto “Administration” à “Administrators” and add a “Roles”, “Permissions”, “Groups” and“Admins” to include permissions that are required for the integrations. When creating a new group, underthe “Groups” tab, select the “API” interface under the “Allowed Interfaces” category.Tenable.io ConfigurationConfigure PermissionsIn order to configure permissions:1. Navigate to “Settings” à “Users” and click “New User”.Integration with Tenable.io7

2. Insert the name and password and enter the Role with permissions levels set to Standard orhigher.3. Navigate to “Settings” à “Groups” and click “New Group”.Integration with Tenable.io8

4. Enter a name for a Group that is not currently being used and click “Add”.5. Inside the Created Group select “Manage Users” and then click “Add Users”.6. Click the “User” dropdown and select the user created for the API.Create a Target Group7. Navigate to “Scans” à “Target Groups” and select “New Group”.8. Enter a name for a target group that isn’t being used and for Targets enter any default value for aplace holder.Integration with Tenable.io9

9. Under permissions add a group with at least standard permissions and click the drop down nextto the user and choose “Can scan” then click “Save”.Create a Scan TemplateIn order to create a scan template:1. Navigate to “Scans” à “My Scans” and select “New Scan”.2. On the “Scan Templates” page select the appropriate Scanner template you wish to use.3. Insert a name that isn’t being used and choose the “Target Group” you created to add assetsfrom Infoblox to.Integration with Tenable.io10

Note: you can configure any other setting as needed.4. Click Save when you are finished configuring the scan template.Generate API KeysIn order to Generate API Keys:1. Navigate to the image for your profile and select “My Account”.2. Navigate to “API Keys” and click “Generate”.Integration with Tenable.io11

3. Here you will find the “Access Key” and the “Secret Key”.Infoblox NIOS ConfigurationCheck if the Security Ecosystem License is InstalledSecurity Ecosystem License is a “Grid Wide” License. Grid wide licenses activate services on allappliances in the same Grid.In order to check if the license was installed navigate to “Grid” à “Licenses” à “Grid Wide”.Add/Upload TemplatesIn order to upload/add templates:1. Navigate to “Grid” à “Ecosystem” à “Templates” and click “ ” or “ Add Template”.Integration with Tenable.io12