Windows Integration

To configure Tenable Vulnerability Management with CyberArk using Windows integration:

1. Log in to Tenable Vulnerability Management.

2. In the upper-left corner, click the button.

   The left navigation plane appears.

3. In the left navigation plane, click Settings.

   The Settings page appears.

4. Click the Credentials widget.

   The Credentials page appears. The credentials table lists the managed credentials you have permission to view.

5. Click the button next to the Credentials title.

   The credential form plane appears.

6. In the Host section, click Windows.

   The selected credential options appear.

7. In the Authentication Method drop-down, select CyberArk.

   The CyberArk options appear.

8. Configure the CyberArk credentials.

   Option	Description	Required
   CyberArk Host	The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.	yes
   Port	The port on which the CyberArk API communicates. By default, Tenable uses 443.	yes
   AppID	The Application ID associated with the CyberArk API connection.	yes
   Client Certificate	The file that contains the PEM certificate used to communicate with the CyberArk host.	no
   Client Certificate Private Key	The file that contains the PEM private key for the client certificate.	yes, if private key is applied
   Client Certificate Private Key Passphrase	The passphrase for the private key, if required.	yes, if private key is applied
   Get credential by	The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.	yes
   Username	(If Get credential by is Username) The username of the CyberArk user to request a password from.	no
   Safe	The CyberArk safe the credential should be retrieved from.	no
   Address	The option should only be used if the Address value is unique to a single CyberArk account credential.	no
   Account Name	(If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential.	no
   Use SSL	If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.	no
   Verify SSL Certificate	If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.	no

   CyberArk credential field mapping to the CyberArk Accounts detail view in the CyberArk console:

   

   Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable Vulnerability Management User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

9.  Click Save.

Verification

1. To verify the integration is working, click the Launch button to initiate an on-demand scan.

2. After the scan completes, click the scan to view the results.

3. Look for Plugin ID 10394. This validates that the authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.