July 18, 2019

Troubleshooting Tip: How to get Nessus Vulnerability Scanner Report in FortiSIEM

Purpose
FortiSIEM now supports Nessus 7.1.4 and Nessus 8.1.2.

Follow the steps below to get the Nessus Vulnerability Scanner report in FortiSIEM:

1) Deploy the Nessus7/Nessus8 server, generate an API key, and add the IP of the target device that is to be scanned

2) Add the target device IP to the CMDB > Devices in FortiSIEM

3) Add the Nessus7/Nessus8 credentials in FortiSIEM, associate the credential with the target device IP, then test connectivity

4) Go to ADMIN -> Setup -> Pull Events. The yellow star beside the Nessus pull job should turn green

5) Scan the target device IP in the Nessus7/Nessus8 server and export the scan report

6) Go to the Analytics page in FortiSIEM and query the Nessus events with the condition Event Type = Nessus-Vuln-Detected

7) Compare the events in FortiSIEM with the scan report exported from the Nessus7/Nessus8 server


Expectations, Requirements
1) The events in FortiSIEM should match the scan report exported from the Nessus7/Nessus8 server, in both detail and amount.
2) The severity mapping between Nessus8 and the AO Event is as follows:

Nessus Critical -> FortiSIEM Event Severity 10
Nessus High -> FortiSIEM Event Severity 9
Nessus Medium -> FortiSIEM Event Severity 6
Nessus Low -> FortiSIEM Event Severity 2
Nessus None -> FortiSIEM Event Severity 3

3) If Vulnerability CVE Id in FortiSIEM events is not NULL, the target device IP will be added to INCIDENT -> Risk in FortiSIEM
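
The comparison in step 7 and the expectations above can be checked with a short script. This is an added example, not Fortinet or Tenable code: it assumes the Nessus report was exported as CSV and that the FortiSIEM query result was saved as a CSV whose column names (`Host IP`, `Plugin ID`, `Event Severity`, `Vulnerability CVE Id`) are hypothetical. All sample rows are constructed.

```python
import csv
import io

# Severity mapping stated in this article (Nessus risk -> FortiSIEM Event Severity).
SEVERITY_MAP = {"Critical": 10, "High": 9, "Medium": 6, "Low": 2, "None": 3}

# Constructed sample of a Nessus CSV export, trimmed to the columns used here.
NESSUS_CSV = """Plugin ID,CVE,Risk,Host,Name
10001,CVE-2099-0001,Critical,192.0.2.10,Constructed finding A
10002,,Medium,192.0.2.10,Constructed finding B
10003,,None,192.0.2.10,Constructed finding C
"""

# Constructed sample of exported FortiSIEM events; column names are assumptions.
FSM_CSV = """Host IP,Plugin ID,Event Severity,Vulnerability CVE Id
192.0.2.10,10001,10,CVE-2099-0001
192.0.2.10,10002,9,
"""

def nessus_expected(text):
    """Map (host, plugin id, CVE) -> severity FortiSIEM is expected to assign."""
    expected = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host"], row["Plugin ID"], row["CVE"].strip())
        # An unknown risk label maps to None and shows up as a mismatch.
        expected[key] = SEVERITY_MAP.get(row["Risk"].strip())
    return expected

def fortisiem_observed(text):
    """Map (host, plugin id, CVE) -> severity recorded in the FortiSIEM event."""
    observed = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host IP"], row["Plugin ID"], row["Vulnerability CVE Id"].strip())
        observed[key] = int(row["Event Severity"])
    return observed

def compare(nessus_text, fsm_text):
    exp, obs = nessus_expected(nessus_text), fortisiem_observed(fsm_text)
    return {
        "missing": sorted(set(exp) - set(obs)),        # in the report, no event
        "unexpected": sorted(set(obs) - set(exp)),     # event without a finding
        "severity_mismatch": sorted(
            (k, exp[k], obs[k]) for k in exp.keys() & obs.keys() if exp[k] != obs[k]),
        # Expectation 3: hosts with a non-empty CVE should appear under INCIDENT -> Risk.
        "risk_hosts": sorted({k[0] for k in obs if k[2]}),
    }

if __name__ == "__main__":
    for name, items in compare(NESSUS_CSV, FSM_CSV).items():
        print(name, items)
```

Any entry under `missing`, `unexpected` or `severity_mismatch` means expectation 1 or 2 is not met for that finding.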