Matching Tenable Assets in the CMDB with ServiceNow

Tenable for Assets 3.x, CMDB Identification and Reconciliation Engine (IRE) Architecture

The Tenable® for Assets integration with ServiceNow’s CMDB allows ServiceNow to retrieve and accurately match Tenable assets to existing Configuration Items(CIs). Tenable for Vulnerability Response and Tenable for ITSM also rely on this application to find the correct asset related to vulnerabilities imported from Tenable scans.

With the release of Tenable plugins 3.0 for Paris, specifically Tenable for Assets, new functionality included integration with the ServiceNow CMDB Identification and Reconciliation Engine (IRE). In lieu of Tenable matching rules supported in previous versions, the new plugin is dependent on IRE’s underlying rule structure. 

The IRE module is important because it provides a centralized framework for identifying and reconciling data from different data sources. It helps maintain the CMDB integrity when multiple data sources are used to create and update CI records. 

Preparing properly for integration is key, particularly because the Tenable plugins developed by ServiceNow are not in scope. The Tenable for Assets swimlane is the process of transforming the payload to the IRE format. Once ingested by IRE, the Identification and Reconciliation rules are triggered to match on CIs. CIs can be created or updated based on the rules. One or more Identification Rules must be configured before importing to match on CIs. Asset imports from Tenable will update the CI Attributes unless Reconciliation Rules are configured.

Below is the import process using the Tenable for Assets 3.x plugin and the IRE API. 

Note: The integration details listed below provide an overview of the integration process for the Tenable for Assets Version 3.x only.

1. Tenable.io / Tenable.sc imports Asset data via Tenable for Assets 3.x plugin.
2. Raw Asset Data is imported as Tenable JSON Payload
3. Raw Data is converted to IRE Format (for IRE ingestion)
4. Determine CI Class, based on:
   

Steps to Integration

1. Incomplete IP Identified Device (cmdb_ci_incomplete_ip) CI is created in this table if only the IP address is available in the payload received from the scanner.
2. Unclassed Hardware (cmdb_unclassed_hardware_ci) CI is created in this table if missing an OS. The following information is available in the payload that is received from the scanner: hostname, IP address, FQDN, NETBIOS, MAC address.
3. Computer (cmdb_computer_ci) CI is created in this table if any of the following information is available in the payload that is received from the scanner: hostname, IP address, FQDN, NETBIOS, MAC address, operating system
4. IRE Match Rule – Unique ID. IRE will always attempt to match the asset with Tenable Uniqueness (sys_object_source_unique_id) first. If it exists, it matches that asset.
5. Match. The IRE Identification Rules are triggered at this point, linking the Tenable Asset to the CI and matching Class or creating a new CI based on the IRE Payload in one of the 3 classes listed above.
6.  Run Identification Rules. If the CI is matched based on the current Identification Rules, the Reconciliation Rules are triggered if configured for updates. If the CI does not match, an existing CI based on the current Identification Rules, a new CI is created.
7. Matched IRE Rule. If the CI did not match an existing CI based on the current Identification Rules, a new CI is created linking the Tenable Asset to a new CI and added to one of the 3 matching Classes.
8. Create CI / Add to identified Class. 
9. Run Reconciliation Rules. If Reconciliation Rules are created for Discovery Source = Tenable.io/.sc, only the Attributes specified in the rule will be updated.
10. IRE Updates CI based on Reconciliation Rules.

The new plugins support the platform identification rules using IRE, and the steps outlined above illustrate the integration and matching process.

As you embark on your path to integration, remember that Cask can assist with CMDB Preparation to support Tenable for Assets Integration.