This article outlines the steps needed to set up an integration with Nessus that allows vulnerability scans to be initiated from UpGuard and the results collected back within UpGuard.

Prerequisites

  • A Nessus Pro appliance (or a SecurityCenter appliance, see below) reachable from UpGuard
  • A standard user account within Nessus dedicated to this integration. UpGuard stores the account's credentials, so use a purpose-made service account with the least privilege needed to launch scans and read results rather than a personal or administrator account

Configuring

The Nessus integration settings form is shown in the following screenshot.

[Screenshot: Nessus integration settings form]

Field | Description
--- | ---
Integration Name | The name of the integration within UpGuard
Nessus Instance URL | The URL of the default Nessus instance that will initiate scans
Username | The username of the account within Nessus
Password | The password of the account within Nessus
Bypass Certificate Validation | If checked, UpGuard will not validate the TLS certificate presented by the Nessus instance. Not recommended: an unvalidated connection lets anyone on the network path impersonate Nessus and capture the integration credentials. Prefer installing a certificate on Nessus that UpGuard trusts
SecurityCenter Instance | If checked, indicates that the Nessus instance is a SecurityCenter appliance rather than a Nessus Pro appliance
Severity Levels | These fields allow custom severity levels to be defined, if configured within Nessus

Event setup

Adding a Nessus integration provides access to the Launch a Nessus Scan event action. This action will initiate a Nessus scan whenever an event associated with the underlying view is created. The fields available to the action are as follows:

[Screenshot: Launch a Nessus Scan event action form]

Field | Description
--- | ---
Action Type | The type of action, in this case "Launch a Nessus scan"
Action name | The name of the action
Nessus Integration | The name of the previously created Nessus integration to use
Scan Template | The scan template within Nessus that will form the basis for the initiated vulnerability scans
Host list | The list of hosts to scan when using Nessus

An example setup would be as follows:

  1. An event view that captures successful Node Scanned events
  2. An action associated with that view with the following settings:
    • Action name: something that meaningfully identifies this action, or the default
    • Nessus integration: the integration that should scan the nodes captured by the event view, i.e. one whose Nessus instance can reach those targets over the network (and, if scan zones are configured, has a scan zone covering them)
    • Scan Template: a Nessus scan template that suits the type of scanning possible against those nodes. When in doubt, 'Basic Network Scan' is a good catch-all, as it does not require a Nessus agent on the targets
    • Host list: the name of the node associated with the Node Scanned event, supplied using the Liquid syntax variable ``

With this setup, each node is scanned by Nessus as soon as its scan within UpGuard completes. Once the Nessus scan finishes, an External Vuln Scan Complete event is generated within UpGuard with the following fields:

[Screenshot: External Vuln Scan Complete event]

Field | Description
--- | ---
external_scan_id | The numeric ID of the scan within the external vulnerability scanner
external_scan_name | The name of the scan within the external vulnerability scanner
external_scan_type | The type of external vulnerability scanner that generated this event. In this case, it will be "Nessus"
external_user | The name of the user within the external vulnerability scanner that was used to perform the scan
hosts | The hosts that the external vulnerability scanner attempted to scan
integration_id | The numeric ID of the integration within UpGuard that was used to trigger the external scan
success | A boolean value indicating whether or not the external scan was successful
upguard_nodes | A list of node IDs corresponding to the hosts scanned, if node records within UpGuard exist
vulns_by_severity | A set of counts, by severity, of the vulnerabilities discovered
timestamp | The time the event was created

In addition to the fields above, the `` helper variable is available for use with External Vuln Scan Complete events when creating an event action. This variable will contain detailed results regarding the vulnerabilities found, and may be iterated over.
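The following is an added example, not UpGuard or Nessus code, showing how a downstream handler (for instance one fed by an event action) might triage an External Vuln Scan Complete event using the field names in the table above. The sample payload, the "high or worse" threshold, and the decision to treat a failed scan as actionable (a silently failing integration leaves hosts unscanned) are this example's own assumptions; custom severity levels are kept in the counts but are not ranked against the built-in Nessus severities.

```python
"""Triage an UpGuard "External Vuln Scan Complete" event payload (added example)."""
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Built-in Nessus severities from most to least serious. Custom severity
# levels (see "Severity Levels" above) stay in the counts but are not
# ranked, so they never become "worst".
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")

# Constructed sample payload; keys are the documented event fields.
SAMPLE_EVENT = json.dumps({
    "external_scan_id": 42,
    "external_scan_name": "UpGuard - web-01",
    "external_scan_type": "Nessus",
    "external_user": "upguard-svc",
    "hosts": ["web-01.example.internal"],
    "integration_id": 7,
    "success": True,
    "upguard_nodes": [1183],
    "vulns_by_severity": {"critical": 0, "high": 2, "medium": 5, "low": 1, "info": 30},
    "timestamp": "2020-01-01T00:00:00Z",
})


@dataclass
class Triage:
    scan_id: int
    scan_name: str
    hosts: List[str]
    nodes: List[int]
    counts: Dict[str, int]
    failed: bool
    worst: Optional[str]
    actionable: bool


def parse_event(raw: str) -> Dict[str, Any]:
    """Decode the JSON body and reject payloads this handler should not act on."""
    event = json.loads(raw)
    if event.get("external_scan_type") != "Nessus":
        raise ValueError(f"not a Nessus event: {event.get('external_scan_type')!r}")
    required = ("external_scan_id", "hosts", "success", "vulns_by_severity")
    missing = [k for k in required if k not in event]
    if missing:
        raise ValueError(f"event is missing fields: {missing}")
    return event


def triage_event(event: Dict[str, Any], threshold: str = "high") -> Triage:
    """Rank the severity counts and decide whether a human needs to look."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown threshold {threshold!r}")
    failed = not bool(event["success"])
    # Lower-case keys so custom severity names compare case-insensitively.
    counts = {str(k).lower(): int(v) for k, v in event["vulns_by_severity"].items()}
    worst = next((s for s in SEVERITY_ORDER if counts.get(s, 0) > 0), None)
    at_or_above = SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1]
    over_threshold = any(counts.get(s, 0) > 0 for s in at_or_above)
    return Triage(
        scan_id=int(event["external_scan_id"]),
        scan_name=str(event.get("external_scan_name", "")),
        hosts=[str(h) for h in event["hosts"]],
        nodes=[int(n) for n in event.get("upguard_nodes", [])],
        counts=counts,
        failed=failed,
        # A failed scan reports nothing reliable, so its counts are not ranked,
        # but the failure itself is actionable: the host went unscanned.
        worst=None if failed else worst,
        actionable=failed or over_threshold,
    )


def summarize(t: Triage) -> str:
    """One log line per event, suitable for a ticket or chat notification."""
    if t.failed:
        return (f"scan {t.scan_id} ({t.scan_name}) FAILED against "
                f"{', '.join(t.hosts)}; check the Nessus integration")
    ranked = " ".join(f"{s}={t.counts.get(s, 0)}" for s in SEVERITY_ORDER)
    return (f"scan {t.scan_id} ({t.scan_name}) worst={t.worst or 'none'} "
            f"{ranked} actionable={t.actionable}")


if __name__ == "__main__":
    print(summarize(triage_event(parse_event(SAMPLE_EVENT))))
```

Lowering the threshold to "medium" widens what is considered actionable; raising it to "critical" would let the sample event (two highs, no criticals) pass without review, so choose the threshold to match how the receiving team actually handles findings.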

Troubleshooting

  • Verify that the account credentials supplied for the Nessus integration are correct, and that the account is permitted to launch scans and view scan results in Nessus
  • Verify that UpGuard can reach the Nessus Instance URL over the network (a Nessus Pro appliance listens on port 8834 by default) and that the certificate it presents is trusted by UpGuard; a certificate error is the usual reason an otherwise correct integration fails when Bypass Certificate Validation is unchecked
  • Verify that the Scan Template named in the event action exists in Nessus and is visible to the integration account
  • If you have scan zones set up, ensure that the hosts being scanned by a given integration will fall within those scan zones
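The script below is an added example, not UpGuard or Tenable code, for checking the first three points above from the command line: it logs into Nessus with the integration account, lists the scan templates that account can see, and confirms the one named in the event action is among them. It assumes the Nessus REST API endpoints POST /session, GET /editor/scan/templates and DELETE /session with the X-Cookie: token=... header as the author understands them, and reads the connection details from the environment variables NESSUS_URL, NESSUS_USER, NESSUS_PASS, NESSUS_CA and NESSUS_TEMPLATE, which are this example's own names. TLS verification is left on: a self-signed Nessus certificate is handled by trusting that certificate (NESSUS_CA), not by bypassing validation. The sample template listing is constructed so the parsing can be exercised offline.

```python
"""Check a Nessus integration account and its scan templates (added example)."""
import json
import os
import ssl
import sys
import urllib.request
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of a GET /editor/scan/templates response.
SAMPLE_TEMPLATES: Dict[str, Any] = {
    "templates": [
        {"uuid": "00000000-0000-0000-0000-000000000001", "name": "basic",
         "title": "Basic Network Scan", "desc": "A full system scan suitable for any host."},
        {"uuid": "00000000-0000-0000-0000-000000000002", "name": "agent_basic",
         "title": "Basic Agent Scan", "desc": "Scan systems with a Nessus agent installed."},
    ]
}


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verification stays on; a self-signed Nessus cert is trusted explicitly via cafile."""
    return ssl.create_default_context(cafile=cafile)


def _call(method: str, url: str, ctx: ssl.SSLContext,
          token: Optional[str] = None, body: Optional[dict] = None) -> Dict[str, Any]:
    """Issue one JSON request against the Nessus API and decode the reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("X-Cookie", f"token={token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # DELETE /session returns an empty body


def login(base_url: str, username: str, password: str, ctx: ssl.SSLContext) -> str:
    body = {"username": username, "password": password}
    return _call("POST", base_url.rstrip("/") + "/session", ctx, body=body)["token"]


def logout(base_url: str, token: str, ctx: ssl.SSLContext) -> None:
    _call("DELETE", base_url.rstrip("/") + "/session", ctx, token=token)


def parse_templates(body: Dict[str, Any]) -> List[Dict[str, str]]:
    """Reduce the template listing to the fields needed to identify one."""
    return [{"uuid": t["uuid"], "name": t["name"], "title": t["title"]}
            for t in body.get("templates", [])]


def fetch_templates(base_url: str, token: str, ctx: ssl.SSLContext) -> List[Dict[str, str]]:
    url = base_url.rstrip("/") + "/editor/scan/templates"
    return parse_templates(_call("GET", url, ctx, token=token))


def find_template(templates: List[Dict[str, str]], title: str) -> Optional[Dict[str, str]]:
    """Match on the title shown in the Nessus UI, ignoring case and padding."""
    wanted = title.strip().casefold()
    for t in templates:
        if t["title"].casefold() == wanted:
            return t
    return None


def main() -> int:
    base, user, pw = (os.environ.get(k) for k in ("NESSUS_URL", "NESSUS_USER", "NESSUS_PASS"))
    if not (base and user and pw):
        print("set NESSUS_URL, NESSUS_USER and NESSUS_PASS "
              "(and NESSUS_CA for a self-signed certificate)", file=sys.stderr)
        return 2
    ctx = tls_context(os.environ.get("NESSUS_CA"))
    token = login(base, user, pw, ctx)  # raises urllib.error.HTTPError on bad credentials
    try:
        templates = fetch_templates(base, token, ctx)
        hit = find_template(templates, os.environ.get("NESSUS_TEMPLATE", "Basic Network Scan"))
        for t in templates:
            print(f"{'*' if t is hit else ' '} {t['title']} ({t['name']})")
        return 0 if hit else 1
    finally:
        logout(base, token, ctx)


if __name__ == "__main__":
    sys.exit(main())
```

An HTTP 401 from the login step means the credentials or account permissions are wrong; an ssl.SSLCertVerificationError means UpGuard will hit the same certificate problem, and the fix is to point NESSUS_CA (and UpGuard) at a trusted certificate rather than to enable Bypass Certificate Validation.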