Configure Rule-Based Scanning

In QRadar, you can create a rule based on SIEM data. If the rule conditions are present, a scan launches on the requested IP address. You can also right-click an IP address in QRadar to initiate a scan. When scans launch, they run in Tenable Vulnerability Management and Tenable Security Center against the IP address associated with the rule.

A background script runs periodically to launch scans on the IP address. The default run interval is 1200 seconds.

Complete the following steps to create a rule in your Tenable application for IBM QRadar SIEM.

To create a rule:

  1. On the IBM QRadar SIEM console, click the button.

    The Menu options appear.

  2. Click Offenses.

    The Offenses menu appears.

  3. In the Offenses menu, click Rules.

    The Rules page appears.

  4. In the Rules menu, click Actions.

    A drop-down box appears.

  5. Select one of the New Rule options.

    The Rule Wizard window appears.

  6. Click Next.

    Note: If you experience difficulties with user interface elements, problems may exist with your browser. Try again from a different browser.

  7. Select the source where the rules are generated.

  8. Click Next.

    The Rule Wizard: Rule Response window appears.

Rule Wizard: Rule Response Configuration

  1. In the Rule Response section, click the check box for Ensure the detected event is part of an offense.

  2. Click the check box for Add to a Reference Set.

    A drop-down appears.

    Caution: Without the Ensure the detected event is part of an offense and Add to a Reference Set settings enabled, QRadar cannot create an event in the All Offenses category of the Offenses tab of the dashboard. The All Offenses category is where you can review the vulnerabilities you set the rules for.

  3. Add the Tenable source IP.

    1. In the drop-down, select Tenable Vulnerability Management scan IP or Tenable Security Center scan IP.

    If you want to launch scans for both the source IP and the destination IP with both Tenable Vulnerability Management and Tenable Security Center, you must create four rules:

    • Scan source IP with Tenable Vulnerability Management
    • Scan source IP with Tenable Security Center
    • Scan destination IP with Tenable Vulnerability Management
    • Scan destination IP with Tenable Security Center

  5. After you make your rule selections, click Finish.

Tip: You can check your active scans launched from the IBM QRadar SIEM integration in the Tenable App Dashboard tab in the QRadar user interface.
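
Every IP address a rule adds to the reference set is picked up by the background script and scanned, so it is worth checking the set's contents against the networks you are authorised to scan. The following is an added example, not Tenable or IBM code: it audits a constructed sample shaped like a QRadar reference-set API response (GET /api/reference_data/sets/{name}). The function name, the scope list, the sample values, and the use of the drop-down label as the set name are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of a QRadar reference-set response.
# The set name reuses the drop-down label from the page (assumed to be the
# reference set name); every value below is made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "name": "Tenable Security Center scan IP",
    "element_type": "IP",
    "number_of_elements": 4,
    "data": [
        {"value": "10.20.30.40", "source": "constructed", "last_seen": 1700000600000},
        {"value": "192.168.50.7", "source": "constructed", "last_seen": 1700000700000},
        {"value": "203.0.113.9", "source": "constructed", "last_seen": 1700000800000},
        {"value": "not-an-ip", "source": "constructed", "last_seen": 1700000900000},
    ],
})

# Assumption: networks the organisation has approved for active scanning.
AUTHORISED_SCOPE = ["10.20.0.0/16", "192.168.50.0/24"]


def audit_scan_targets(response_text, scope):
    """Sort reference-set entries into in-scope, out-of-scope and malformed."""
    networks = [ipaddress.ip_network(net) for net in scope]
    result = {"in_scope": [], "out_of_scope": [], "malformed": []}
    for entry in json.loads(response_text).get("data", []):
        raw = str(entry.get("value", "")).strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Not a valid IPv4/IPv6 address: report it rather than drop it.
            result["malformed"].append(raw)
            continue
        # Membership is False when address and network versions differ.
        in_scope = any(addr in net for net in networks)
        result["in_scope" if in_scope else "out_of_scope"].append(str(addr))
    return result


if __name__ == "__main__":
    report = audit_scan_targets(SAMPLE_RESPONSE, AUTHORISED_SCOPE)
    for bucket, values in report.items():
        print(f"{bucket}: {values}")
```

Out-of-scope or malformed entries point to a rule whose conditions match more traffic than intended, and are worth reviewing before the next run of the background script.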