Upgrade to 3.0.x Tenable Applications
While the upgrade is seamless from an application perspective, we have moved from a custom CI matching/create engine to the ServiceNow Identification Reconciliation Engine (IRE). This change means that you must first understand IRE and plan for testing to ensure that IRE works as expected before upgrading production and/or vulnerability data.
Two major items take place during application upgrade:
- All CIs that are in the Assets Pending Approval class are moved to one of the following new ServiceNow classes:
- Unclassified Hardware
- Incomplete IP
This allows Tenable to utilize out-of-the-box CI classes and remove our custom CI classes in subsequent versions of the application.
- The upgrade generates IRE payloads for every CI with Tenable asset attributes. This ensures that any previous matches continue working as they did prior to the upgrade.
While IRE provides a standardized engine for bringing third-party asset data into ServiceNow, there are some limitations in IRE. These limitations are not specific to Tenable or Tenable data, but rather are part of the design/functionality of the IRE. WThe below criteria can help you determine if IRE will work for you out of the box, or whether you may need to add some additional customization. You may not be able to use IRE until future features are added. If after reviewing the criteria below and/or after testing you discover an issue with IRE, please contact your ServiceNow representitve.
- Are you using ServiceNow Discovery?
- Do you have any overlapping IPs in your Tenable data set?
- If you do have overlapping IPs in your Tenable data set, are you scanning all overlapping IP ranges with credentials or agents?
Scenarios to consider based on the above responses:
- If you aren't using ServiceNow Discovery and don't have overlapping IPs in your Tenable data:
- Everything should work as expected. You will, however, need to create IRE rules and test that imports function as expected.
- If you aren't using ServiceNow Discovery and have overlapping IPs in your Tenable data:
- Everything should work as expected. You will, however, need to create completely custom IRE rules and test thoroughly to ensure the new rules and assets work as expected.
- If you are using ServiceNow Discovery and don't have overlapping IPs in your Tenable data:
- Everything may work fine, but you will need to duplicate some out-of-the-box IRE rules and test them. If all Tenable assets come in without any data collapse, then you are safe to continue upgrading. However, if there is a data collapse, Tenable does not recommend upgrading your test/production as there is no way to ensure consistent data between Tenable and ServiceNow.
- If you are using ServiceNow Discovery and have overlapping IPs in your Tenable data:
- While you may want to test out the integration, there is a high probability that Tenable CIs will be consolidated, resulting in data loss. Any workarounds to fix this issue will lead to issues with ServiceNow Discovery functionality. We provide all IRE input and output data and a set of scripts to find where data consolidation has happened because of IRE. We recommend you leverage these scripts to pinpoint the issues and open a case with ServiceNow so they can use it to help improve IRE and ServiceNow Discovery.
- If you have any overlapping IPs in your Tenable data and are NOT using authenticated scanning for all of the machines:
- While you may want to test out the integration, there is a high probability that no matter how much you customize IRE you, Tenable data will not import into ServiceNow correctly.
It is important that every unique Tenable asset translates to a unique CI in ServiceNow. Otherwise, you are guaranteed to lose Tenable vulnerability data when it imports into ServiceNow.
Moving forward, be sure to follow the Asset application setup procedures. Fore more information, see the IRE Rules instructions in the Assets Configuration section.