IBM QRadar

  • 1.  QRadar and Tenable.sc

    Posted Wed February 23, 2022 02:27 AM
    Hello all,

    We have technical difficulties with implementing Tenable.sc (T.sc) with IBM QRadar SIEM (SIEM). We installed the Tenable.sc application on SIEM via IBM QRadar Assistant.

    We are running IBM QRadar 7.4.3 FixPack 4 (Build 20211113154131) with interim fix IF02 applied on-prem. We are running T.sc at Version: 5.20.1 Server Build ID: 20220122051145
    We are using the latest Tenable app for QRadar v7.4.1 FP2+ in Version 4.1.0 from QRadar Assistant.

    We are trying to set it up by following this step-by-step documentation: https://docs.tenable.com/integrations/IBM/QRadar/Content/Tenable.scConfiguration.htm

    We have set up Configure Rule-Based Scanning and Configure Right-Click Scanning, access keys, tokens, certs and so on. In T.sc we have a user QRadar with Security Analyst rights and an API key for the Tenable app, and a basic scan with the name Qradar_Scan.

    When we try to test the connection and save the config, we get an error: "Please enter valid Address or configure valid proxy settings or verify SSL certificate."

    It does not matter whether we try Enable SSL or not, or whether an IP address or DNS name is used in the address. Always the same error.

    Any idea what is wrong? Does anyone have experience with QRadar and Tenable.sc integration? 

    Thanks in advance.


    ------------------------------
    Radim Navratil
    Head of IT Security
    TOTAL SERVICE a.s.
    Prague 7
    +420 270002811
    ------------------------------


  • 2.  RE: QRadar and Tenable.sc

    Posted Fri February 25, 2022 09:25 AM
    It is probably that the SSL certificate on the Tenable SC is not trusted by QRadar. If QR cannot validate the certificate, you will need to put a copy in the correct format in /opt/qradar/config/trusted_certificates. There is a script called getcert.sh or something like that in the /opt/qradar/bin directory which does it for you. Once the file is in the directory, named correctly and is NOT zero bytes, I use certutil -print -file filename to check the format is correct for Java. If you have offline CAs in the chain, you will need them in the file as well and in the proper order. This is all just normal Java certificate stuff. It has to trust the cert or it will not work.

    For the Tenable APP, this has to be done wherever the app is running. To pull vulnerability data into QR, you will need it on the device doing the pulling, usually a Console, EP or EC.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 3.  RE: QRadar and Tenable.sc

    Posted Wed April 13, 2022 10:54 AM
    Yeah, I had to do the same by adding the TLS cert and it works after. One feature I would like to see is a filter on the vuln.severity. I would like to have the option to import just the Critical, High and Medium vulnerabilities instead of everything.

    ------------------------------
    Raymond Tam
    ------------------------------



  • 4.  RE: QRadar and Tenable.sc

    Posted Wed April 13, 2022 11:37 AM
    I agree on the severities!  It would also be nice for QRadar to import all of the IP addresses associated with an asset versus the ID IP.  

    QRadar will not pull the Operating System right now, I'm pretty sure I created an APAR for that.  Maybe they will fix both at the same time!  Since QRadar vulnerability manager has been EOL they need to make better use of the data in systems like Tenable, Qualys, etc.

    ------------------------------
    Frank Eargle
    ------------------------------



  • 5.  RE: QRadar and Tenable.sc

    Posted Wed April 13, 2022 01:05 PM
    Edited by kamal ghanem Wed April 13, 2022 01:15 PM
    Great,
    but please, what is meant by correct format? Does this mean .PEM or .CRT or what?

    Thanks a lot

    ------------------------------
    kamal ghanem
    ------------------------------



  • 6.  RE: QRadar and Tenable.sc

    Posted Tue April 12, 2022 06:44 PM
    Hello,
    I have the same issue. What did you do?
    Many thanks

    ------------------------------
    kamal ghanem
    ------------------------------