Configure a Tenable Nessus Scan

Required User Role: Standard, Scan Manager, or Administrator

Before you begin:

  • You must create a CyberArk Secrets Manager workload with API key authentication which has read access to the secrets you plan to use.

To configure scans:

  1. Log in to Tenable Nessus.

  2. In the upper-right corner, click + New Scan.

    The Scan Templates page appears.

  3. Select a Scan Template.

    The scan configuration page appears.

  4. In the Name box, type a name for the scan.
  5. In the Targets box, type an IP address, hostname, or range of IP addresses.
  6. (Optional) Add a description, folder location, scanner location, and specify target groups.

  7. Click the Credentials tab.

    The Credentials pane appears.

  8. Select a credential type that supports CyberArk Secrets Manager as an authentication type: for example SSH, Windows, or SNMP (in the Host category), or Database, Nutanix Prism Central, VMware vCenter API, or VMware ESXi SOAP API.

    The Settings options appear.

  9. In the Authentication Type drop-down box, click CyberArk Secrets Manager.

    The CyberArk Secrets Manager options appear.

  10. Configure each option for the CyberArk Secrets Manager authentication type.

    Each option is listed below with its description and whether it is required.

    CyberArk Secrets Manager Host

    The CyberArk Secrets Manager IP address or DNS address.

    Yes

    CyberArk Secrets Manager Port

    The port on which the CyberArk API communicates. By default, Tenable uses 443.

    Yes

    CyberArk Secrets Manager Login Name

    The login name used to authenticate to CyberArk Secrets Manager.

    For workload (host) authentication, it is the workload (host) ID with the prefix host/. For example, a host data/MyWorkload would use host/data/MyWorkload.

    Yes

    CyberArk Secrets Manager API Key

    The API key of the workload or login.

    Yes

    CyberArk Secrets Manager Authentication Base URL

    This value is combined with the login name to form the authentication API endpoint. The default value is /api/authn/conjur, where the last path segment (conjur) is the Secrets Manager (Conjur) account name. The login name is appended to it as a single URL-encoded path segment followed by /authenticate; for example, the login name host/data/MyWorkload authenticates against /api/authn/conjur/host%2Fdata%2FMyWorkload/authenticate.

    The secret itself is read from a separate secrets endpoint built from the same account plus the Kind and Credential ID options. For example, a secret ID of MySecret and vault path of variable/data/vault/MyVault result in the following request endpoint: /api/secrets/conjur/variable/data/vault/MyVault/MySecret

    No

    CyberArk Secrets Manager Kind

    The kind of resource which contains the secret. In most configurations, this should be the literal string variable.

    Yes

    CyberArk Secrets Manager Credential ID

    This is the unique identifier of the Secrets Manager variable which contains the credential. In most configurations, this value begins with data/. It may include the path to the CyberArk Vault as well. For example, to retrieve a secret named MySecret from the vault named MyVault, use: data/vault/MyVault/MySecret

    Yes

    Domain

    Windows Only: the domain to use for authentication.

    Yes, if Kerberos Target Authentication is enabled.

    Fetch Domain

    Windows Only: pull the value of the Windows domain from the CyberArk Secrets Manager API.

    No

    Kerberos Target Authentication

    If enabled, Kerberos authentication is used to log in to the specified target.

    No

    Key Distribution Center (KDC)

    The host that supplies the session tickets for the user.

    Yes, if Kerberos Target Authentication is enabled.

    KDC Transport

    The KDC uses TCP by default in Linux implementations; change this option to use UDP instead. If you change the KDC Transport value, you may also need to change the port, because the KDC listens on UDP port 88 or 750 by default, depending on the implementation.

    No

    Realm

    SSH Only: the realm to use for Kerberos authentication.

    Yes, if Kerberos Target Authentication is enabled.

    SSL

    Use SSL for secure communications.

    Yes

    Verify SSL Certificate

    Validate the SSL certificate. Recommended.

    No

  11. Click Save.
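Before saving the scan, it is worth confirming that the workload, API key, Kind, and Credential ID you entered actually resolve to a secret, since a Nessus credential that cannot fetch its password simply produces unauthenticated scan results. The script below is an added example, not Tenable or CyberArk code: it builds the same two endpoints the options above describe (the authentication endpoint from the Authentication Base URL and Login Name, and the secrets endpoint from the account, Kind, and Credential ID), authenticates with the API key, and reads the secret. It assumes the public Conjur REST API behaviour (POST the API key to .../{login}/authenticate to receive a JSON token; present that token base64-encoded in a `Token token="..."` Authorization header when reading /secrets/{account}/{kind}/{id}); the host name cm.example.internal and the opener parameter are illustrative.

```python
"""Pre-flight check of a CyberArk Secrets Manager (Conjur) workload before
using it in a Nessus credential. Added example, not Tenable/CyberArk code.
Assumes the public Conjur REST API: POST the API key to
{base}/{login}/authenticate to get a JSON token, then GET
/api/secrets/{account}/{kind}/{id} with Authorization: Token token="<b64>".
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Any, Callable

DEFAULT_BASE = "/api/authn/conjur"   # Nessus default for Authentication Base URL


def account_from_base(base: str = DEFAULT_BASE) -> str:
    """The Conjur account is the last segment of the authentication base URL."""
    return base.rstrip("/").rsplit("/", 1)[-1]


def authenticate_url(host: str, port: int, login: str, base: str = DEFAULT_BASE) -> str:
    """POST target for API-key authentication: {base}/{login}/authenticate.
    The login must be one path segment, so the "/" in host/data/MyWorkload
    is percent-encoded (safe="" makes quote() encode slashes too)."""
    quoted_login = urllib.parse.quote(login, safe="")
    return f"https://{host}:{port}{base.rstrip('/')}/{quoted_login}/authenticate"


def secret_url(host: str, port: int, kind: str, credential_id: str, base: str = DEFAULT_BASE) -> str:
    """GET target for the secret: {api_root}/secrets/{account}/{kind}/{id}.
    Kind is normally the literal "variable"; the identifier keeps its slashes."""
    api_root = base.rstrip("/").rsplit("/", 2)[0]   # "/api" for the default base
    return (f"https://{host}:{port}{api_root}/secrets/{account_from_base(base)}"
            f"/{kind}/{credential_id.lstrip('/')}")


def token_header(raw_token: bytes) -> str:
    """Conjur access tokens are sent base64-encoded in a Token scheme."""
    return 'Token token="' + base64.b64encode(raw_token).decode("ascii") + '"'


def fetch_secret(host: str, port: int, login: str, api_key: str, kind: str,
                 credential_id: str, base: str = DEFAULT_BASE,
                 opener: Callable[..., Any] = urllib.request.urlopen) -> str:
    """Authenticate with the workload API key, then read one secret value.
    `opener` defaults to urllib.request.urlopen, which verifies the server
    certificate (keep Nessus's Verify SSL Certificate on for the same reason);
    a fake opener can be injected for offline testing."""
    auth_req = urllib.request.Request(authenticate_url(host, port, login, base),
                                      data=api_key.encode("utf-8"), method="POST")
    auth_req.add_header("Content-Type", "text/plain")
    with opener(auth_req, timeout=10) as resp:
        raw_token = resp.read()
    # A successful authenticate returns a JSON token; anything else (an HTML
    # error page, an empty body) means the login name or API key is wrong.
    json.loads(raw_token)

    secret_req = urllib.request.Request(secret_url(host, port, kind, credential_id, base))
    secret_req.add_header("Authorization", token_header(raw_token))
    with opener(secret_req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python check_conjur.py cm.example.internal host/data/MyWorkload data/vault/MyVault/MySecret
    host_arg, login_arg, cred_arg = sys.argv[1:4]
    value = fetch_secret(host_arg, 443, login_arg, getpass.getpass("API key: "), "variable", cred_arg)
    print(f"fetched {len(value)} bytes")   # never echo the secret itself
```

Run it with the same Host, Login Name, and Credential ID values you typed into the Nessus form; if authentication fails, the problem is the workload or API key, and if only the secret read fails, the workload lacks read permission on that variable or the Credential ID path is wrong.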