[tenable_io] Initial Release for the Tenable.io

[vinit-chauhan]

What does this PR do?

• Generated the skeleton of the Tenable.io integration package.
• Added data streams.
• Added data collection logic for all the data streams.
• Added the ingest pipeline for all the data streams.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
• Added dashboards and visualizations.
• Added test for pipeline for all the data streams.
• Added system test cases for all the data streams.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target is documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to: ^8.6.0

New Package

• Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• Dashboards exists
• Screenshots added or updated
• Datastream filters added to visualizations

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/tenable_io directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes Tenable.io #2338

Screenshots

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-03T12:06:05.588+0000

• Duration: 14 min 20 sec

Test stats 🧪

Test	Results
Failed	0
Passed	18
Skipped	0
Total	18

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (3/3)	💚
Files	100.0% (3/3)	💚
Classes	100.0% (3/3)	💚
Methods	95.455% (42/44)	👎 -1.212
Lines	91.798% (2104/2292)	👎 -8.202
Conditionals	100.0% (0/0)	💚

[jamiehynds]

@vinit-elastic can we ensure the integration is shipping as Beta, not Tech Preview (as per the screenshots).

[vinit-chauhan]

Hey @jamiehynds, We have taken a screenshot of Tenable.io integration in stack version 8.6.0-SNAPSHOT, so that's why the Technical Preview tag may be there. Also, we have checked with the latest elastic stack version, 8.5.3, in which we are getting the beta tag. Here I am sharing the screenshot.

[P1llus]

This one is a nice usage of the new kind type 👍

[P1llus]

Do we need it in multiple places?

[vinit-chauhan]

We have added multiple on_failures on the potential failure points in the pipeline such as convert, date processors, etc.

[kcreddy]

@vinit-elastic what Marius meant was event.kind was already set to pipeline_error earlier in the pipeline.
Do we need to again append inside on_failure?

[vinit-chauhan]

Yes, we have handled the scenario where the pipeline goes to fail due to an uncertain situation in processors(rename, script, etc.). So this situation will skip the first pipeline_error and the control goes to on_failure at last and the pipeline error will append as expected.

[kcreddy]

Makes sense! But how about the other way around? I mean is error.message populated even without any failures in the pipeline? If not, then we could remove the earlier processor and just let the on_failure set event.kind to pipeline_error.

[vinit-chauhan]

The answer to your question is, no. We are not setting the error message in any other case than a pipeline error in this integration.
However, we have added on_failures in all the convert processors. And if that failure would be caught by the subsequent on_failure and not the on_failure on the root. Moreover, we do not want to add unnecessary processing by setting event.kind in all the on_failures. Hence, we have added one on the bottom to check if there are any error messages present and if so, append the event.kind with pipeline_error as the on_failure on the root won't run if the errors are caught by the on_failure associated with the processors.

[kcreddy]

Cool, makes sense! Thanks!

[P1llus]

This one seems to be missing proxy?

[vinit-chauhan]

We have added a proxy at the package level. Here's the like to that line:

integrations/packages/tenable_io/manifest.yml

Line 51 in 64ca1af

- name: proxy_url

[P1llus]

Might be a slight nitpick, but there has been several occasions in which users are required to have different setups per type of datastream, so I am a bit hesitant to leave these at the top of the integration.
However we can leave them there for now, and modify it if necessary.

[vinit-chauhan]

Hey @P1llus, The authorization parameter has been added at the package level. If we shift the SSL and proxy parameters at the data stream level, then we must shift the authorization parameter at the same level. Additionally, we are following the same pattern as all the previous connectors. However, If you think changes are required, we can change it.

[kcreddy]

@vinit-elastic what Marius meant was event.kind was already set to pipeline_error earlier in the pipeline.
Do we need to again append inside on_failure?

[infosecwatchman]

I know this is still in beta, but is there a way to add this integration myself to my Elastic Stack, without screwing up the integration when it comes out via the normal release?

[jamiehynds]

@infosecwatchman glad to hear you're interested in using this integration. We're just wrapping up some final reviews, so it will be easier to wait until it's publicly available.

@vinit-elastic @kcreddy are there any loose ends on the PR review or are we ready to merge?

[infosecwatchman]

Great! Do I have to upgrade my stack once this is merged?

[jamiehynds]

Great! Do I have to upgrade my stack once this is merged?

Possibly. The integration will require v8.4 or later.

[kcreddy]

LGTM 👍🏼

[kcreddy]

@infosecwatchman glad to hear you're interested in using this integration. We're just wrapping up some final reviews, so it will be easier to wait until it's publicly available.

@vinit-elastic @kcreddy are there any loose ends on the PR review or are we ready to merge?

I think I was just waiting for @P1llus review to be resolved as well. Looks like we are good. I will merge it now.

[elasticmachine]

Package tenable_io - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=tenable_io

[infosecwatchman]

How long does it take for new packages to be loaded into the repository?

[jamiehynds]

Hey @infosecwatchman - the integration is now available, however it requires the latest version of the stack, 8.6.

[infosecwatchman]

What's a good way to go about troubleshooting an integration. For some reason, I have not been recollecting data on the regular intervals as defined. The tenable asset dataset has not been updated since it was created (ie. after the initial data capture).

[dhruvil-elastic]

What's a good way to go about troubleshooting an integration. For some reason, I have not been recollecting data on the regular intervals as defined. The tenable asset dataset has not been updated since it was created (ie. after the initial data capture).

Hello @infosecwatchman,

Integration is designed in a way that for the first call, all the asset events will be ingested, and then onwards only those assets events will be ingested whose 'updated_at' field is updated or new assets are added.
Debug logs will be helpful in confirming if the integration is working as intended or not.

Moreover, we are working on an enhancement where a user faced an issue with a very large export job. Can you please confirm if it is the same case as yours or not? If not would you mind raising a new issue in GitHub?

Thank you.