In this guide we will cover:
– How to set up the the Tenable integration in Halo
The Tenable integration allows one way syncing of assets between Tenable and Halo. You can import assets from Tenable into Halo and have a scheduled sync run to update the asset information in Halo with details from Tenable.
Connecting to Tenable
First, head to configuration > integrations > find Tenable and enable the module by selecting the '+' icon.
Fig 1. Enable module
Once enabled, open the module and make a new connection.
Now we will need to generate the API keys needed to connect to Tenable. If you have generated these previously (for other integrations) you can use your existing keys, otherwise generate new ones. Head into Tenable > my profile > API Keys, on this page you can generate the API keys needed.
Fig 2. Generate API keys in Tenable
Copy Both the 'Access Key' and the 'Secret Key', make note of these as you will not be able to access them again once you leave the page.
Now head back to Halo and fill in the required details in the details tab of the integration. Paste the 'Access Key' into the 'Public API Key' field. Paste the 'Secret Key' into the 'Private API Key' field. Enter the Tenable URL into the URL field. Then hit save.
Fig 4. Fields to complete in Halo
After saving, check you are connected by using the 'Test Configuration' button. If this returns a pop-up stating 'Test successful' you have connected successfully.
Site Mappings
Now head to the 'sites' tab to setup site mappings. Tenable does not have a concept of sites or customers, so to determine which site an asset should be created against you can use site rules. These rules are based on field values, if a rule is matched the asset will be assigned to the site of the mapping. For example if an asset in Tenable has a field with a value 'x' it will be imported under a chosen site in Halo. To do this, add a site rule to the table, select the Halo site you would like the asset to go to, add to the criteria table. Here select the Halo field that you would like to base the criteria on, then set the rule type and the outcome needed in the field to match the rule.
For example, if I set up a rule as shown in figure 4, all assets that have a value equal to 'Tenableasset' in their (Halo) Name field will match the rule and be imported to the site 'Terry's Chocolates/Melbourne1234).
Fig 4. Site rule example
You will also need to set a default site for assets, this ensures any assets that do not match a site rule are still imported, they will be imported to the chosen site.
Fig 5. Default site field
Asset Mappings
Now head to the 'Assets' tab. Here you will need to set an asset matching field, this is the field in Halo that will be matched on during the import. If the field value in Halo matches the value of the mapped Tenable field, an existing asset is updated otherwise an new one is created, if no match can be made a new asset will be created.
Now you will need to create the asset field mappings, this links a field in Tenable to a field in Halo. Ensure your matching field is in mapped here, as well as any other fields you would like to be populated.
Setting Asset Types
The asset types of the assets can either use a fixed type for all assets, be determined from a field, or use asset type mappings that are determined using rules based on the values of the mapped asset fields.
If you would like all imported assets to have the same asset type when imported set the 'Determining an Asset's type' field to be 'use the same type for all Assets' then set the 'Default Asset Type' field to be the asset type you would like assets from Tenable to be. Figure 6 shows how to set this so all assets are imported as the 'Laptop' asset type.
Fig 6. Settings for all assets to be imported as the same type
If you would like all imported assets' types to be determined by a particular field, set the set the 'Determining an Asset's type' field to be 'Use a field to determine each Asset's type'. Then in 'Field for determining an Asset's type' choose the field you would like the type to depend on. The field you choose must contain the name of the desired asset type, if this name can be matched to an existing asset type in Halo, it will be assigned this asset type. If the name is not the same as an asset type in Halo, a new asset type will be created. Note that the names must be identical in order to match. This setting is used if you have a field in Tenable that already determines an asset's type and you would like the types to be consistent between Halo and Tenable. You will still need to populate the default asset type field, assets that do not have the selected field populated will be imported as the default asset type. In figure 7 asset types will be determined by the value in the field 'Operating System'.
Fig 7. Setting for assets to be imported based on a field
If you would like asset types to be determined by asset rules set the set the 'Determining an Asset's type' field to be 'Determine asset type using rules'. Now you will be able to set asset's types based on rules, These rules are based on field values, and if matched will assign an asset to the chosen asset type. When creating a rule first add criteria for the rule, select the Halo field that you would like to base the criteria on, then set the rule type and the outcome needed in the field to match the rule. If an asset matches this rule it will be imported as this asset type. For example, in figure 8 the rule I have set up will check the name field of an asset, if the name begins with 'LAP' the asset will be imported with the 'Laptop' asset type.
Fig 8. Determining asset type with Rule setup
If an asset is imported that does not match any of these rules, it will be created under the default asset type. Alternatively, if you would like to not import assets that do not match these rules, set the 'Default Asset type' to 'Don't import assets that do not match any rules'.
Setting Asset group
If a new asset type is created for an imported asset you will need to set the group that this asset type comes under. Set this on the setting shown in figure 9.
Fig 9. Default group for new asset types setting
Miscellaneous Settings
Deactivate Assets in Halo when they are deleted from Tenable (Halo Integrator only)- If you have enabled the Halo integrator for this integration, this setting will deactivate any assets in Halo when they are deleted in tenable.
Don't create new Assets- If enabled will only import assets that can be matched to an existing asset in Halo. Any assets that cannot be matched to the matching field will not be created/imported.
Don't update the Asset type for existing or matched Assets– If enabled, any assets that match to an existing asset when importing will not update the existing asset with a different asset type from Tenable. This allows you to change asset type data in Tenable without it affecting the existing assets in Halo.
Don't update the asset site for existing or matched assets– If enabled, any assets that match to an existing asset when importing will not update the existing asset with a new site. This allows you to change asset site rules without it affecting the existing assets in Halo.
Importing
The user must have at least basic user permissions and "Can View" access control permissions for the asset objects they want to export.
Before importing the assets you must first complete an export, to do this hit 'start export'
Fig 10. Start export
When the export has started it will show the status of 'QUEUED' or 'IN PROGRESS' in the progress feed column. You can check the status of the export at any time, using the 'Check Export Status' button. Once the export has finished the progress feed will change to 'FINISHED'. Once this is finished you can run the import, using the 'Import Assets' button. When importing you will need to select an export to import assets from. Exports will be retained for 7 days and then automatically removed or they can be manually deleted.
To import assets on a recurring schedule you will need to enable the Halo integrator. This can be enabled under the 'Syncing' tab. When enabled the export and import will run on a scheduled basis.
