SaltStack SecOps Vulnerability supports importing security scans generated by a variety of third-party vendors. This includes importing scan files from Tenable, Rapid7, Qualys, and Kenna Security, or through a Tenable.io connector.
You can import a third-party security scan directly into SaltStack Config and remediate the security advisories it identified using SaltStack SecOps Vulnerability. You can import this scan as an alternative to running an assessment in SaltStack SecOps Vulnerability. See Running an assessment for more information about running a standard assessment.
When you import a third-party scan into a security policy, SaltStack Config matches your minions to the nodes that were identified by the scan. The Import Staging workspace displays the list of advisories that can be imported and another list showing the advisories that cannot be imported currently. The list of unsupported advisories includes an explanation of why they cannot be imported.
The security policy dashboard lists the advisories identified by the third-party scan, as well as whether each advisory is supported or unsupported for remediation.
Importing a third-party security scan from a file
To import a security scan from a third party such as Tenable:
- In your third-party tool, run a scan and export the scan in one of the supported file formats. See Supported file formats for more information. For specific instructions on running a scan or exporting the required file from a third party, refer to the third party’s help documentation.
When running the scan, make sure to pick a scanner that is in the same network as the nodes you want to target. Then, indicate the IP addresses you want to scan.
- In SaltStack Config, make sure you have downloaded SaltStack SecOps Vulnerability content.
- In the SaltStack SecOps Vulnerability workspace, create a security policy targeting the same nodes that were included in the third-party scan. See Creating a policy for more information.
Note: Ensure that the nodes you scanned in your third-party tool are also included as targets in this security policy. Otherwise, when you import the scan, SaltStack SecOps Vulnerability cannot match the targeted minions to the IP addresses identified by your third-party tool.
- In the policy dashboard, click the Policy Menu and select Import Vendor Scan Data.
This opens the Import Staging workspace.
Note: If the Import Vendor Scan Data menu option is unavailable, you might not have permission to import a third-party scan into SaltStack Config. Contact your administrator for access. See Roles and permissions for more information.
- Click Import > File Import and select your third-party vendor. Then select the file to upload your third-party scan.
The import status timeline shows the status of your import. SaltStack SecOps Vulnerability is now mapping your minions to the nodes that were identified by the scan. It will also map the identified advisories to your minions. Depending on the number of advisories and affected nodes, this process could take some time. You can navigate away while this continues in the background.
When the import finishes processing, the Import Staging workspace displays an import summary and two tables: a list of Supported Vulnerabilities and a list of Unsupported Vulnerabilities. Supported vulnerabilities are the advisories that are available for remediation. Unsupported vulnerabilities are the advisories that cannot currently be remediated. The list of unsupported vulnerabilities includes an explanation of why they cannot be imported.
You can filter the advisories by column if needed. For example, you might filter advisories by severity to choose which ones to remediate. If a column header includes a filter icon, you can filter the results by that column type. Click the icon and select a filter option from the menu or type the text you want to filter by.
Note: Third-party security scans might include additional data that does not display by default on the Import Staging workspace. To display this data, click the Show Columns button and click the checkbox next to the data you want to display.
- Click Import All Supported to import all the supported advisories. Alternatively, you can click the checkbox next to specific advisories from the Supported Vulnerabilities table and click Import Selected to import a smaller selection.
The selected advisories are imported to SaltStack SecOps Vulnerability and appear as an assessment in the policy dashboard. The policy dashboard also displays Imported from under the policy title to indicate that the latest assessment was imported from your third-party tool. You can now remediate these advisories. See Remediating advisories for more information.
Note: For best results, try to shorten the amount of time that lapses from the time you run a third-party scan to the time you import the scan into SaltStack Config.
Importing scan results from a connector
To import a security scan from a connector:
- In your third-party tool, run a scan and make sure to pick a scanner that is in the same network as the nodes you want to target. Then, indicate the IP addresses you want to scan.
- In SaltStack Config, make sure you have downloaded SaltStack SecOps Vulnerability content.
- In the SaltStack SecOps Vulnerability workspace, create a security policy targeting the same nodes that were included in the third-party scan. See Creating a policy for more information.
Note: Ensure that the nodes you scanned in your third-party tool are also included as targets in this security policy. Otherwise, when you import the scan, SaltStack SecOps Vulnerability cannot match the targeted minions to the IP addresses identified by your third-party tool.
- In the policy dashboard, click the Policy Menu and select Import Vendor Scan Data.
This opens the Import Staging workspace.
Note: If the Import Vendor Scan Data menu option is unavailable, you might not have permission to import a third-party scan into SaltStack Config. Contact your administrator for access. For more information, see Roles and permissions.
- Click Import > API Import and select the third party.
Note: If no connector is available, the menu directs you to the Connectors settings workspace. See Connectors for more information.
To ensure your policy contains the latest scan data, make sure to rerun your import after each scan. SaltStack SecOps Vulnerability does not poll the third party for the latest scan data automatically.
The import status timeline shows the status of your import. SaltStack SecOps Vulnerability is now mapping your minions to the nodes that were identified by the scan. It will also map the identified advisories to your minions. Depending on the number of advisories and affected nodes, this process could take some time. You can navigate away while this continues in the background.
Note: If the import fails, this could be due to an authentication error, or some other error. Make sure to verify you have entered the correct keys. If you find the keys are correct, the next step in troubleshooting is to view the RaaS log. This log is available to admin users only, and contains the response from PyTenable. For more on understanding PyTenable errors, see the PyTenable documentation. If you’re not able to access the RaaS log, contact your administrator for assistance.
When the import finishes processing, the Import Staging workspace displays an import summary and two tables: a list of Supported Vulnerabilities and a list of Unsupported Vulnerabilities. Supported vulnerabilities are the advisories that are available for remediation. Unsupported vulnerabilities are the advisories that cannot currently be remediated. The list of unsupported vulnerabilities includes an explanation of why they cannot be imported.
You can filter the advisories by column if needed. For example, you might filter advisories by severity to choose which ones to remediate. If a column header includes a filter icon, you can filter the results by that column type. Click the icon and select a filter option from the menu or type the text you want to filter by.
Note: Third-party security scans might include additional data that does not display by default on the Import Staging workspace. To display this data, click the Show Columns button and click the checkbox next to the data you want to display.
- Click Import All Supported to import all the supported advisories. Alternatively, you can select specific advisories from the Supported Vulnerabilities table and click Import Selected to import a smaller selection.
The selected advisories are imported to SaltStack SecOps Vulnerability and appear as an assessment in the policy dashboard. The policy dashboard also displays Imported from under the policy title to indicate that the latest assessment was imported from your third-party tool. You can now remediate these advisories. See Remediating advisories for more information.
Note: For best results, try to shorten the amount of time that lapses from the time you run a third-party scan to the time you import the scan into SaltStack Config.
Importing a third-party scan through the command line
If you have RaaS user access, you can import a third-party scan in the CLI. Importing through the CLI is recommended if the scan file is especially large. Before importing using the CLI, ensure you are familiar with the process of importing the scan through the UI as the process will be similar. For more information, see Importing a third-party security scan.
After you’ve exported the scan from your third-party tool, and created a security policy in SaltStack SecOps Vulnerability, you can import the scan in the CLI using the following command, replacing the placeholder arguments as needed:
raas third_party_import "filepath" third_party_tool security_policy_name
In the previous command, you would replace filepath with the file location of the exported file, third_party_tool with the name of your third-party tool, and security_policy_name with the name of your security policy. For example, you might use the following command when importing from Tenable:
raas third_party_import "/my_folder/my_tenable_scan.nessus" tenable my_security_policy
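The import procedures above note that the import can only match minions whose IP addresses appear in the scan. The following added example (not part of the SaltStack documentation or product) checks this for a Tenable .nessus export before you run the import. The sample XML is constructed, the function names are hypothetical, and the list of policy minion IPs is assumed to be supplied by you.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Nessus v2 (.nessus) export layout; not real scan data.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="web01.example.internal">
      <HostProperties><tag name="host-ip">10.0.0.11</tag></HostProperties>
      <ReportItem port="443" severity="3" pluginID="900001" pluginName="constructed finding"/>
      <ReportItem port="0" severity="0" pluginID="900002" pluginName="constructed info item"/>
    </ReportHost>
    <ReportHost name="10.0.0.12">
      <HostProperties/>
      <ReportItem port="22" severity="2" pluginID="900003" pluginName="constructed finding"/>
    </ReportHost>
    <ReportHost name="db01.example.internal">
      <HostProperties><tag name="host-ip">10.0.0.40</tag></HostProperties>
      <ReportItem port="5432" severity="4" pluginID="900004" pluginName="constructed finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


def scanned_hosts(nessus_xml):
    """Map each scanned IP to its count of non-informational findings."""
    # Parse only exports from your own scanner; for files of unknown origin
    # use a hardened XML parser instead of ElementTree.
    root = ET.fromstring(nessus_xml)
    hosts = {}
    for host in root.iter("ReportHost"):
        tag = host.find("HostProperties/tag[@name='host-ip']")
        # Fall back to the ReportHost name when no host-ip tag was recorded.
        ip = tag.text if tag is not None and tag.text else host.get("name", "")
        findings = [i for i in host.iter("ReportItem") if i.get("severity") != "0"]
        hosts[ip.strip()] = hosts.get(ip.strip(), 0) + len(findings)
    return hosts


def coverage(nessus_xml, policy_minion_ips):
    """Compare scanned IPs with the IPs of the minions the policy targets."""
    scanned = set(scanned_hosts(nessus_xml))
    targets = set(policy_minion_ips)
    return {
        "matched": sorted(scanned & targets),
        "scanned_not_in_policy": sorted(scanned - targets),
        "in_policy_not_scanned": sorted(targets - scanned),
    }


if __name__ == "__main__":
    # Assumed input: IPs of the minions targeted by the security policy.
    print(coverage(SAMPLE_NESSUS, ["10.0.0.11", "10.0.0.12", "10.0.0.13"]))
```

Hosts listed under scanned_not_in_policy are the ones the import cannot match until the policy targets them; hosts under in_policy_not_scanned will have no imported advisories.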