ITSM Configuration and Schedule Import

Note: Tenable does not currently support Domain Separation in the Tenable for ITSM application.

This document describes how to configure Tenable for ITSM.

Note: The ITSM app only pulls in Critical and High vulnerabilities. If you require more flexibility/customization, you can upgrade to the free Tenable for Vulnerability Response application.

Note: The ServiceNow configuration only supports Tenable.sc versions 5.7 and later.

The ITSM integration configuration allows ServiceNow to poll and retrieve vulnerability data from Tenable.io/Tenable.sc.

Before you begin:

You must be logged in with a ServiceNow account that has the x_tsirm_tio_itsm.admin role to perform the setup process.

Note: You must completely configure and tune Tenable for Assets to correctly match Tenable Assets with ServiceNow CIs. If you do not do this first, you will have issues with ITSM.

To set up the ITSM integration configuration, you must:

Create the ServiceNow and Tenable.io ITSM Connector

  1. Log in to ServiceNow.
  2. Go to the Tenable Connector Application.
  3. In the left navigation panel, click Connectors.
  4. Click the Tenable connector you want to use: Tenable.io or Tenable.sc.

    The Tenable Connector page appears.

  5. Scroll to the Scheduled Jobs section.
  6. Click New.

    The Tenable Scheduled Import page appears.

    By default, the Tenable Product and Connector fields populate with the Tenable application/connector you selected in step 3.

  7. From the Tenable Application drop-down box, select Tenable for ITSM.

    Tenable.io

    Tenable.sc

  8. From the Import Export drop-down box, select Import. Import is selected by default.
  9. In the Name text box, type a name for the import.
  10. Configure the options for your import.

    | Option | Description |
    | --- | --- |
    | Initial Run - Historical Data | How far back (in days) you want to pull data. |
    | Run Fixed Query on Initial Run | Pulls fixed vulnerabilities on the first import. Default setting: deselected. |
    | Last Run - Opened/Reopened | The date and time that the open/reopened import was last run. |
    | Last run - Fixed | The date and time that the fixed import was last run. |
    | Active | If selected, an asset sync is automatically queued when you submit the import or export. Default setting: selected. |
    | Default Chunk Size | The number of records pulled in segments during the import. (This option populates when you select the Tenable Application in step 6. However, you can modify it by typing in the text box.) (For Tenable.io, you should not change this unless Tenable advises you to do so.) |
    | SC Query | (Only for Tenable.sc) The Tenable.sc query used for the import or export. |
    | Schedule | |
    | Run | The frequency with which you want the import to run. |
    | Time | The set time (hh/mm/ss) to run the import. |

  11. Click Update.

    By default, that evening, the connector starts syncing ServiceNow vulnerabilities to Tenable.io/Tenable.sc.

Create an Incident Rule

Incident Rules must be created/enabled for the integration to create incidents. By default, a disabled example rule comes with the application.

  1. From the left navigation pane, navigate to Tenable for ITSM > Configuration > Incident Rules.

    The Incident Rules page appears.

  2. Click New.

    The New record page appears.

  3. In the Name text box, type a name for the matching rule.
  4. Select the Active check box.
  5. (Optional) If you want to use scripting to create this rule, click the Advanced check box and type the desired script.

  6. In the Asset field text box, select the appropriate asset for the rule.
  7. In the Operator text box, select the appropriate operator for the rule.
  8. In the Value text box, type the value for the rule.
  9. (Optional) To reorder the incident rule, update the value in the Order text box. Incident rules are tried in ascending order (lowest to highest).

  10. Click Submit.

Plugins

To view plugins:

  • Navigate to Tenable for ITSM > Plugins.

Vulnerabilities

To view vulnerabilities:

  • Navigate to Tenable for ITSM > Vulnerabilities.

Incidents

To view incidents:

  • Navigate to Tenable for ITSM > Incidents.

Configuration Items

To view configuration items:

  • Navigate to Tenable for Assets > Assets Pending Approval.