Introduction
Recorded Future's Watch List Connector for Tenable Vulnerability Management simplifies vulnerability management by automating the population of your Vulnerability Watch List based on your scan results. You can specify filter criteria such as vulnerability state, severity level, source, and scan folder on top of the retrieved scan results to further streamline the entities that go into your Vulnerability Watch List.
This connector can enable multiple use cases including:
- Real-time Monitoring: Automatically update your Watch List to stay on top of vulnerabilities with the latest scan data
- Proactive Threat Mitigation: Use filters to focus on critical vulnerabilities for proactive threat mitigation
- Patch Prioritization: Pinpoint and mitigate urgent vulnerabilities to streamline patching and minimize risks
Availability
Setting up this connector requires the following:
- Recorded Future enterprise licence with Vulnerability or Threat Intelligence module
- Recorded Future account with administrator rights
Getting Started
To enable the Recorded Future Watch List Connector for Tenable Vulnerability Management, navigate to the Integration Center in the left-hand menu.
Click on the Tenable Vulnerability Management tile.
You will see additional details about the connector. Click the Set up button.
Note: You must be an administrator to see the Set up button.
You will be redirected to the Configuration page as shown below:
- Connector Name: Watch List Connector for Tenable Vulnerability Management
- Tenable Vulnerability Management Authentication
- Access Key
- Secret Key
Steps to generate an Access key and Secret key from the Tenable Vulnerability Management platform:
1. Go to the My Profile page under your User icon in the top-right corner.
2. Click the Generate button in the bottom-right corner.
3. Click Continue on the "Generate API Keys" pop-up.
4. You can find the Access key and Secret key generated on the same page.
- Tenable Vulnerability Management Scan Result Filters
These are the filter options that can be applied on top of your last scan result to streamline and focus on the vulnerabilities to be populated into the Vulnerability Watch List.
- Population Mode: Overwrite re-populates the entire Watch List while Append only populates the entries added by the Connector (manually added entries will remain unaffected).
- Severity: Filter vulnerabilities based on their criticality level (e.g., Low, Medium, High, or Critical). Defaults to Critical, High and Medium.
- State of Vulnerability: Filter based on the state of the vulnerability (Open, Reopened and Fixed). Defaults to Open and Reopened.
- Valid Vulnerability Sources: Limit scan results to vulnerabilities detected by specific sources (Nessus, NNM and Agent). This defaults to all three.
- Folder ID: Narrow the results to assets grouped under a particular folder within your Tenable environment.
- Connector Update Frequency: The Update Frequency is the length of time that Recorded Future will pause between updates. Recorded Future polls for updates at this frequency, and each poll covers all new events since the last time it queried. The default (suggested) frequency is every 1 week.
- Auto-remove undetected vulnerabilities: The time period before vulnerabilities no longer found in scans are automatically removed from the Vulnerability Watch List.
- Initial Import
- Last scan within: Choose the time frame in which we need to look for the last scan that will be used to populate the Watch List.
Once all the details are added, click the Activate button to generate an instance of the connector.
FAQ
1. Does this connector support Tenable Security Center?
No. This connector only works with Tenable Vulnerability Management.
2. Does this connector support multiple instances of Tenable Vulnerability Management?
While it is possible to add multiple instances of Tenable Vulnerability Management within the platform, we recommend limiting to one instance at any point in time.
3. What are the IP addresses which need to be whitelisted to allow communication from the connector to Tenable Vulnerability Management?
Traffic from the following AWS IP addresses, which are dedicated to Recorded Future, needs to be whitelisted to allow communication from the hosted service:
- 52.204.27.85
- 54.198.55.229
- 54.156.251.192
- 34.235.48.77
4. How many vulnerabilities can be ingested into the Vulnerability Watch List?
Any Watch List, including the Vulnerability Watch List, can only hold up to 15k entities.
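To estimate before activation whether a filter selection fits under the 15k entity limit, the filters and Population Mode described above can be modelled offline against an export of your scan findings. The following is an added example, not Recorded Future or Tenable code. It assumes Watch List entities are distinct CVE IDs, and the field names, placeholder CVE IDs and the simplified overwrite/append behaviour are assumptions.

```python
# Added illustration: field names and sample data are constructed, not a vendor schema.
WATCH_LIST_LIMIT = 15_000  # entity cap stated in the FAQ
DEFAULT_SEVERITIES = {"critical", "high", "medium"}
DEFAULT_STATES = {"open", "reopened"}
DEFAULT_SOURCES = {"nessus", "nnm", "agent"}

# Constructed findings with placeholder CVE IDs.
SAMPLE_FINDINGS = [
    {"cves": ["CVE-0000-0001"], "severity": "Critical", "state": "Open", "source": "Nessus", "folder_id": 7},
    {"cves": ["CVE-0000-0001", "CVE-0000-0002"], "severity": "High", "state": "Reopened", "source": "Agent", "folder_id": 7},
    {"cves": ["CVE-0000-0003"], "severity": "High", "state": "Fixed", "source": "Nessus", "folder_id": 7},
    {"cves": ["CVE-0000-0004"], "severity": "Low", "state": "Open", "source": "NNM", "folder_id": 9},
    {"cves": ["CVE-0000-0005"], "severity": "Medium", "state": "Open", "source": "NNM", "folder_id": 9},
]


def select_cves(findings, severities=DEFAULT_SEVERITIES, states=DEFAULT_STATES,
                sources=DEFAULT_SOURCES, folder_id=None):
    """Return the distinct CVE IDs whose findings pass every filter."""
    selected = set()
    for f in findings:
        if (f["severity"].lower() in severities
                and f["state"].lower() in states
                and f["source"].lower() in sources
                and (folder_id is None or f["folder_id"] == folder_id)):
            selected.update(f["cves"])  # a finding can map to several CVEs
    return selected


def plan_population(selected, existing, mode):
    """Model the resulting Watch List and check it against the entity cap.

    Assumption: 'overwrite' replaces the list with the selection, while
    'append' keeps existing entries and adds the selection.
    """
    if mode == "overwrite":
        result = set(selected)
    elif mode == "append":
        result = set(existing) | set(selected)
    else:
        raise ValueError(f"unknown population mode: {mode!r}")
    return {"entries": result, "count": len(result),
            "over_limit": len(result) > WATCH_LIST_LIMIT}


if __name__ == "__main__":
    chosen = select_cves(SAMPLE_FINDINGS)
    print(sorted(chosen))
    print(plan_population(chosen, {"CVE-0000-0099"}, "append")["count"])
```

If `over_limit` is true for your export, narrow the Severity, State or Folder ID filters before activating the connector.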
Known Limitations
The Tenable Connector does not support multi-org customers where multiple sub-organizations write vulnerabilities to the same Watch List.