Skip to main content

Tenable OT Security

Overview

Tenable OT Security (formerly Indegy) is an on-premise security platform for operational technology (OT) and industrial control system (ICS) environments. This integration polls the appliance's GraphQL API and pulls security data into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.

It collects three data types, each of which you can enable independently:

  • Vulnerabilities — vulnerability findings, one record per affected asset and detecting plugin, with the asset's context and a summary of the plugin.
  • Assets — the full OT asset inventory records.
  • Plugins — the vulnerability-definition metadata behind findings, including CVSS scores and CVE references. Match plugin records to vulnerability findings on the plugin id.

Poll intervals

Assets and vulnerabilities are collected incrementally based on each asset's last-update time and are polled about once a minute. The first run collects your full asset estate and its findings; later runs collect only assets updated since the previous run, and their findings. Plugins are collected as a full catalog sweep about every 6 hours; after the first sweep, only new and changed plugins are ingested.

What you need

  • A Tenable OT Security appliance reachable over HTTPS from the Coralogix cloud-collector. On-premise network reachability is a deployment prerequisite on your side.
  • A Tenable OT Security API key for a user with permission to read the enabled data types.
  • A TLS certificate on the appliance that public certificate authorities trust, or the Skip TLS certificate verification option enabled in the integration settings. See TLS certificate verification.
  • Permission to create integrations in your Coralogix account.

Prepare an API key in OT Security

  1. Log in to your Tenable OT Security console.
  2. Generate an API key for the user the integration runs as. API keys are managed in the console's local settings, under user management; for the exact steps in your version, see the Tenable OT Security documentation.
  3. Copy the API key and store it securely.

The API key inherits the permissions of the user it belongs to. Use a user that can read the data types you plan to collect.

TLS certificate verification

The collector verifies the appliance's TLS certificate against public certificate authorities. OT Security appliances often ship with self-signed or privately issued certificates, which fail this verification. Select one of two options:

  • Install a certificate issued by a publicly trusted certificate authority on the appliance. Coralogix recommends this option.
  • Enable Skip TLS certificate verification in the integration settings. The connection stays encrypted, but the collector no longer confirms the identity of the endpoint it connects to, which leaves the connection open to interception. Use this option only when installing a trusted certificate is impractical.

Set up

  1. From your Coralogix toolbar, navigate to Data Flow > Integrations, select Tenable OT Security, and select Connect.
  2. Select Add New.
  3. Define the integration settings:
    • Integration name — a meaningful name for this integration.
    • Application name — the Coralogix application name to ingest under.
    • Subsystem name — the Coralogix subsystem name to ingest under.
    • OT Security URL — the base URL of your OT Security appliance, for example https://ot.example.com.
    • API key — the API key you generated in OT Security.
    • Skip TLS certificate verification — disabled by default. Enable only if the appliance's certificate is not publicly trusted and you accept the tradeoff described in TLS certificate verification.
    • Collect Vulnerabilities, Collect Assets, Collect Plugins — all enabled by default. Keep at least one enabled.
  4. Select Create.

Log format

Each collected record is ingested as a log with the Tenable OT Security payload nested under a tenable_ot top-level field. A vulnerability record carries the affected asset and a summary of the detecting plugin:

{
"tenable_ot": {
"asset": {
"id": "6a9f1e5c-...",
"name": "PLC-Line-4",
"type": "PlcType",
"criticality": "HIGH",
"ips": ["10.0.20.14"]
},
"plugin": {
"id": 500123,
"name": "Siemens SIMATIC S7-300 Denial of Service",
"severity": "High",
"vprScore": 6.7
}
}
}

Asset records carry the full inventory record under tenable_ot, and plugin records carry the vulnerability-definition metadata, including CVSS and CVE details. Match plugins to vulnerability findings on the plugin id.

Validate the integration

In Explore, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level tenable_ot field. Data from the first full sweep typically appears within minutes of setup.

Troubleshoot common issues

The integration test fails with an authorization error. Cause: the configured API key is invalid. Fix: regenerate the API key in the OT Security console and re-enter it in the integration settings.

The integration test fails with a connection error. Cause: the collector cannot reach the OT Security URL — commonly a firewall rule or DNS resolution issue on the path from Coralogix to the appliance. Fix: confirm the URL is correct and that your network allows HTTPS from the Coralogix cloud-collector to the appliance.

The integration test fails with a TLS certificate error. Cause: the appliance presents a certificate that public certificate authorities do not trust, such as a self-signed certificate. Fix: install a publicly trusted certificate on the appliance, or enable Skip TLS certificate verification and accept the tradeoff described in TLS certificate verification.

No data appears after setup. Cause: all data types are disabled, or nothing changed since the last poll — assets and vulnerabilities are ingested only when an asset's last-update time advances, and plugins emit only new and changed definitions after the first sweep. Fix: confirm at least one data type is enabled; quiet periods are otherwise normal.

Last updated on