Tenable.io
Tenable.io is a cloud-based vulnerability management tool that scans hosts in your network and generates vulnerabilities against those hosts. You can bring asset and security data from Tenable.io into Brinqa to enhance your vulnerability management capabilities, gain insights into the relationship between the vulnerabilities and your assets, construct a unified view of your attack surface, and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Tenable.io and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Tenable.io from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Tenable.io with Brinqa:
-
API URL: The Tenable.io API URL. The default URL is
https://cloud.tenable.com. -
Access key and Secret key: The access key and secret key associated with the Tenable.io account, which must have permissions to log in to the API server and return data.
Generate Tenable.io access key and secret key
In order for the Tenable.io connector to successfully retrieve data from the Tenable.io API, the access key and secret key must be tied to a Basic user role with Can View permissions. For additional information, see Tenable.io documentation on permissions.
For the Tenable.io connector to use the Tenable.io API, you must provide an access key and secret key. Tenable.io does not allow retrieving the access key and secret key for an existing user, therefore, you must generate new keys instead.
To generate new access keys, follow these steps:
-
Log in to your Tenable.io account.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click My Account.
-
Click the User Account button on the upper-right corner of the page, and then click the API Keys tab.
-
Click Generate. The Generate API Keys window appears.
-
Review the warning on the page and click Generate.
Your new Tenable.io access key and secret key display. Copy the access key and secret key to a safe and secure location.
To generate a new access key and secret key for another user as an administrator, follow these steps:
-
Log in to your Tenable.io account as an administrator.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click Access Control.
-
Click the name of the user for which you want to generate an access key and secret key. The Edit User page appears.
-
In the API Keys section, click Generate API Keys.
-
Review the warning on the page and click Replace & Generate.
The new Tenable.io access key and secret key display. Copy the access key and secret key to a safe and secure location.
If you do not have permissions to create Tenable.io access and secret keys, contact your Tenable.io administrator. For additional information, see Tenable.io documentation on API keys.
Additional settings
The Tenable.io connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 8.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable.io API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The Tenable.io connector can retrieve the following types of data from the Tenable.io API:
Table 1: Data retrieved from Tenable.io
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Assessment | No | Not mapped |
| Host | Yes | Host |
| Violation | Yes | Violation |
| Violation Definition | Yes | Violation Definition |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Tenable.io in the Brinqa Platform, see How to view your data.
Tenable compliance audit results can be found under Violations.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Host
Table 2: Host attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| asset.agent_names | Local variable |
| asset.agent_uuid | Local variable |
| asset.aws_availability_zone | Local variable |
| asset.aws_ec2_instance_ami_id | Local variable |
| asset.aws_ec2_instance_group_name | Local variable |
| asset.aws_ec2_instance_id | Local variable |
| asset.aws_ec2_instance_state_name | Local variable |
| asset.aws_ec2_instance_type | Local variable |
| asset.aws_ec2_name | Local variable |
| asset.aws_ec2_product_code | Local variable |
| asset.aws_owner_id | Local variable |
| asset.aws_region | Local variable |
| asset.aws_subnet_id | Local variable |
| asset.aws_vpc_id | Local variable |
| asset.azure_resource_id | Local variable |
| asset.azure_vm_id | Local variable |
| asset.created_at | sourceCreatedDate |
| asset.deleted_at | Local variable |
| asset.deleted_by | Local variable |
| asset.first_scan_time | Local variable |
| asset.first_seen | firstSeen |
| asset.fqdns | dnsNames |
| asset.gcp_instance_id | Local variable |
| asset.gcp_project_id | Local variable |
| asset.gcp_zone | Local variable |
| asset.has_agent | Local variable |
| asset.hostnames | hostnames |
| asset.id | uid |
| asset.ipv4s | privateIpAddresses |
| asset.ipv6s | ipAddresses |
| asset.last_authenticated_scan_date | Local variable |
| asset.last_scan_id | Local variable |
| asset.last_scan_time | lastScanned |
| asset.last_schedule_id | Local variable |
| asset.last_seen | lastSeen |
| asset.mac_addresses | macAddresses |
| asset.mcafee_epo_agent_guid | Local variable |
| asset.mcafee_epo_guid | Local variable |
| asset.network_id | Local variable |
| asset.operating_systems | os |
| asset.public_ipv4s | publicIpAddresses |
| asset.servicenow_sysid | Local variable |
| asset.sources | Local variable |
| asset.tags | tags |
| asset.terminated_at | Local variable |
| asset.terminated_at/asset.delete_at | status |
| asset.terminated_by | Local variable |
| categories | categories |
| description | description |
| instanceId | cloudInstanceId |
| LAST_LICENSED_SCAN | Local variable |
| lastScan.name | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Violation
Table 3: Violation attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ACTUAL_VALUE | Local variable |
| AUDIT_FILE | Local variable |
| CHECK_ERROR | Local variable |
| CHECK_ID | Local variable |
| CHECK_INFO | Local variable |
| CHECK_NAME | Local variable |
| DB_TYPE | Local variable |
| EXPECTED_VALUE | Local variable |
| FIRST_SEEN | firstSeen |
| HOST_ID | targets, Local variable |
| LAST_SEEN | lastSeen |
| PLUGIN_ID | targets, Local variable |
| PROFILE_NAME | Local variable |
| REFERENCES | references |
| SEE_ALSO | Local variable |
| SOLUTION | recommendation |
| STATUS | status, sourceStatus, statusCategory |
| SYS_ID | uid |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Violation Definition
Table 4: Violation Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| AFFECTED | affected |
| CATEGORIES | categories |
| CVE_IDS | cveIds |
| CVE_RECORDS | cveRecords |
| CVSS_IMPACT_SCORE_PREDICTED | Local variable |
| CVSS_V2_VECTOR | Use CVSS calculator |
| CVSS_V3_IMPACT_SCORE | Local variable |
| CVSS_V3_VECTOR | Use CVSS calculator |
| DESCRIPTION | description |
| EXPLOIT_AVAILABLE | Local variable |
| EXPLOIT_CODE_MATURITY | Local variable |
| EXPLOIT_EASE | Local variable |
| EXPLOITS | exploits |
| NAME | name |
| PATCH_AVAILABLE | patchAvailable |
| PATCH_PUBLICATION_DATE | Local variable |
| PLUGIN_TYPE | Local variable |
| PRODUCT_COVERAGE | Local variable |
| PUBLISHED_DATE | publishedDate |
| RECOMMENDATION | recommendation |
| REFERENCES | references |
| SEE_ALSO | Local variable |
| SEVERITY | severity, sourceSeverity, severityScore |
| SEVERITY_SCORE | severityScore |
| SOURCE_LAST_MODIFIED | sourceLastModified |
| SUMMARY | summary |
| THREAT_INTENSITY | Local variable |
| THREAT_RECENCY | Local variable |
| THREAT_SOURCES | Local variable |
| UID | uid |
| VPR_SCORE | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Vulnerability
Table 5: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| uid | uid |
| vuln.asset.agent_uuid | Local variable |
| vuln.asset.fqdn | privateDnsName, publicDnsName |
| vuln.asset.hostname | hostnames |
| vuln.asset.ipv4 | ipAddresses |
| vuln.asset.mac_address | macAddresses |
| vuln.asset.uuid | targets |
| vuln.first_found | firstFound |
| vuln.last_fixed | Local variable |
| vuln.last_found | lastFound |
| vuln.output | results |
| vuln.plugin.id | type |
| vuln.port.port | port |
| vuln.port.protocol | protocol |
| vuln.scan.schedule_uuid | Local variable |
| vuln.scan.uuid | Local variable |
| vuln.severity_id | severity, sourceSeverity |
| vuln.severity_modification_type | Local variable |
| vuln.state | status, statusCategory |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Vulnerability Definition
Table 6: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| cvss_vector | Use CVSS calculator |
| drivers.cvss3_impact_score | Local variable |
| drivers.cvss_impact_score_predicted | Local variable |
| drivers.exploit_code_maturity | Local variable |
| drivers.exploitability_ease | Local variable |
| drivers.product_coverage | Local variable |
| drivers.threat_intensity_last28 | Local variable |
| drivers.threat_recency | Local variable |
| drivers.threat_sources_last28 | Local variable |
| family | categories |
| plugin.attributes.cpe | affected |
| plugin.attributes.description | description |
| plugin.attributes.exploit_available | Local variable |
| plugin.attributes.exploit_framework_ | exploits |
| plugin.attributes.exploitability_ease | Local variable |
| plugin.attributes.has_patch | patchAvailable |
| plugin.attributes.patch_publication_date | patchPublishedDate |
| plugin.attributes.plugin_modification_date | sourceLastModified |
| plugin.attributes.plugin_type | Local variable |
| plugin.attributes.risk_factor | sourceSeverity, severity, severityScore |
| plugin.attributes.see_also | Local variable |
| plugin.attributes.solution | recommendation |
| plugin.attributes.synopsis | summary |
| plugin.attributes.vpr | Local variable |
| plugin.attributes.vuln_publication-date | publishedDate |
| plugin.attributes.xref | cveIds, cveRecords |
| plugin,attributes.xref | cveIds, cveRecords |
| PLUGIN_PREFIX + plugin.id | uid |
| plugin.name | name |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Operation options
The Tenable.io connector supports the following operation options. Expand the sections below to view the operation options per supported connector object. See connector operation options for information about how to apply them.
Host operation options
Table 7: Host operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Host | chunk_size | Any number ranges from 100-10000 | Specifies the number of hosts that are exported in a batch. Tenable recommends not exceeding 5000. | Key: chunk_size Value: 100. This key and value combination only retrieves 100 hosts at a time. Once 100 hosts are exported, the next group of 100 hosts exports. |
| has_plugin_results | true or false | Filters hosts by whether or not they have plugin results associated with it. | Key: has_plugin_results Value: true. This key and value combination only retrieves hosts that have plugin results. | |
| is_deleted | true or false | Filters hosts by whether or not they have been deleted. | Key: is_deleted Value: false. This key and value combination only retrieves hosts that exist and are active. | |
| is_licensed | true or false | Filters hosts by whether or not they are included in the asset count for Tenable.io. | Key: is_licensed Value: true. This key and value combination only retrieves hosts that are licensed and authorized to run. | |
| is_terminated | true or false | Filters hosts by whether or not they have been terminated. | Key: is_terminated Value: true. This key and value combination only retrieves hosts that have been terminated. | |
| last_assessed | Any date value in the Unix timestamp format | Returns all hosts with a last assessed time later than the specified date. | Key: last_assessed Value: 1593000000. This key and value combination only retrieves hosts that have been assessed since (UTC) July 12th, 2020 at 21:40:00. | |
| servicenow_sysid | true or false | Filters hosts by whether or not they have a ServiceNow Sys ID. | Key: servicenow_sysid Value: true. This key and value combination only retrieves hosts that have a ServiceNow Sys ID. | |
| sources | AWS, NESSUS_AGENT, PVS, NESSUS_SCAN, or WAS | A comma-separated list of sources that filter hosts by whether or not they are discovered by the specified source. | Key: sources Value: NESSUS_SCAN, AWS. This key and value combination only retrieves hosts that are from AWS or discovered in a Nessus scan. | |
tag.<category> | Any Tenable.io tag category name | Filters hosts with the specified tag category. For additional information on tags, see Tenable.io documentation | Key: tag.<category> Value: Test2. This key and value combination only retrieves hosts with the Test2 tag category. |
The option keys and values are case-sensitive as they are shown in this documentation.
Violation operation options
Table 8: Violation operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Violation | chunkTimeout | Any time value in seconds | Specifies the maximum amount of time in seconds to wait for a chunk of violation data to be retrieved. | Key: chunkTimeout Value: 60. This key and value combination sets the timeout for chunk retrieval to 60 seconds. |
| exportTimeout | Any time value in seconds | Specifies the maximum amount of time in seconds to wait for the entire violation data export process to complete. | Key: exportTimeout Value: 300. This key and value combination sets the export process timeout to 5 minutes. | |
| initialTimeout | Any time value in seconds | Defines the initial waiting time in seconds before the export process begins. | Key: initialTimeout Value: 30. This key and value combination sets an initial delay of 30 seconds before starting the export. | |
| last_seen | Any date value in the Unix timestamp format | Returns all violations with a last seen time later than the specified date. | Key: last_seen Value: 1609459200. This key and value combination only retrieves violations seen after January 1, 2021. | |
| num_findings | Any number ranges from 50-5000 | Specifies the number of findings used to chunk the vulnerabilities. | Key: num_findings Value: 1000. This key and value combination retrieves violations for 1000 findings at a time. Once the violations for the 1000 findings are exported, the violations for the next group of 1000 findings export. | |
| pollInterval | Any time value in seconds | Sets the interval time in seconds between polling attempts for new data. | Key: pollInterval Value: 10. This key and value combination sets the polling interval for new violations to 10 seconds. |
The option keys and values are case-sensitive as they are shown in this documentation.
Vulnerability operation options
Table 9: Vulnerability operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Vulnerability | cidr_range | Any range of IP addresses assigned to the hosts in your network | Restricts search for vulnerabilities to the hosts assigned an IP address within the specified CIDR range. | Key: cidr_range Value: 192.168.0.0/24. This key and value combination only retrieves vulnerabilities on the hosts bearing the IP addresses from 192.168.0.1 to 192.168.0.254. |
| include_unlicensed | true or false | Filters vulnerabilities by whether or not to include unlicensed hosts. | Key: include_unlicensed Value: true. This key and value combination retrieves vulnerabilities from both licensed and unlicensed hosts. | |
| num_assets | Any number ranges from 50-5000 | Specifies the number of hosts used to chunk the vulnerabilities. | Key: num_assets Value: 100. This key and value combination retrieves vulnerabilities for 100 hosts at a time. Once the vulnerabilities for the 100 hosts are exported, the vulnerabilities for the next group of 100 hosts export. | |
| plugin_family | Any Tenable.io plugin family string | Filters vulnerabilities by whether or not they are related to the specified plugin family. | Key: plugin_family Value: operating systems. This key and value combination only retrieves vulnerabilities related to the operating systems plugin family. | |
| plugin_id | Any supported Tenable.io plugin ID number | Filters vulnerabilities by whether or not they are related to the specific plugin ID. | Key: plugin_id Value: 10150. This key and value combination only retrieves vulnerabilities associated with plugin ID 10150. | |
| plugin_type | Any supported plugin type: remote, local, combined, etc. | Filters vulnerabilities by whether or not they are related to the specified plugin type. | Key: plugin_type Value: mobile. This key and value combination only retrieves vulnerabilities associated with the mobile plugin type. | |
| severity | low, medium, high, or critical | Returns all vulnerabilities of the specified severity. | Key: severity Value: critical. This key and value combination only retrieves the critical vulnerabilities found in a scan. | |
| since | Any date value in the Unix timestamp format | Returns all vulnerabilities seen since the specified date value. | Key: since Value: 1593000000. This key and value combination only retrieves vulnerabilities that exist since (UTC) July 12th, 2020 at 21:40:00. | |
| state or status | fixed, open, or reopened | Returns all vulnerabilities with the specified state or status. | Key: status Value: open. This key and value combination only retrieves open vulnerabilities. You can use state for the key in place of status and it produces the same result. | |
tag.<category> | Any Tenable.io tag category name | Returns all vulnerabilities with the specified tag category. For additional information on tags, see Tenable.io documentation | Key: tag.<category> Value: Test2. This key and value combination only retrieves vulnerabilities with the Test2 tag category. | |
| vpr_score | Any numeric value from 0.1-10.0 | Retrieve all vulnerabilities with a Vulnerability Priority Rating (VPR) score of the specified value or higher. | Key: vpr_score Value: 7. This key and value combination retrieves all vulnerabilities with a VPR score of 7 or higher. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Tenable.io connector uses the Tenable.io REST API. Specifically, it uses the following endpoints:
Table 10: Tenable.io REST API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Host | POST https://cloud.tenable.com/assets/export |
POST https://cloud.tenable.com/assets/export/{export_uuid}/cancel | |
GET https://cloud.tenable.com/assets/export/{export_uuid}/chunks/{chunk_id} | |
GET https://cloud.tenable.com/assets/export/{export_uuid}/status | |
| Violation | POST https://cloud.tenable.com/compliance/export |
GET https://cloud.tenable.com/compliance/export/{export_uid}/chunks/{check_id} | |
GET https://cloud.tenable.com/plugins/families/{familyId} | |
| Violation Definition | GET https://cloud.tenable.com/plugins/families/ |
GET https://cloud.tenable.com/plugins/plugin | |
| Vulnerability | POST https://cloud.tenable.com/vulns/export |
POST https://cloud.tenable.com/vulns/export/{export_uuid}/cancel | |
GET https://cloud.tenable.com/vulns/export/{export_uuid}/chunks/{chunk_id} | |
GET https://cloud.tenable.com/vulns/export/{export_uuid}/status | |
| Vulnerability Definition | GET https://cloud.tenable.com/plugins/families |
GET https://cloud.tenable.com/plugins/families/{familyId} | |
GET https://cloud.tenable.com/plugins/plugin |
Changelog
The Tenable.io connector has undergone the following changes:
3.1.19
-
Added two connector objects, Violation and Violation Definition.
-
Started fetching Tenable Compliance Check results and storing them as violations.
3.1.17
- Changed the data type of 'acr_score' and 'exposure_score' from Integer to Double to align with the API response format.
3.1.16
- Addressed precision issues by changing the data type for CVSS scores from Float to Double.
3.1.15
-
Changed the SOURCE_SEVERITY attribute to a String type.
-
Added a SOURCE_SEVERITY_SCORE attribute in the Vulnerability and Vulnerability Definition object.
3.1.12
- Added a new setting to configure maximum retries.
3.1.11
-
Added a SOURCE_STATUS attribute in the Vulnerability object to store the source finding statuses.
-
Added a method to normalize the source finding statuses.
3.1.3
- Started retrieving scans of all statuses.
3.1.2
- Added a check for null or empty dates.
3.1.1
- Started retrieving
name,rrules,starttime, anduuidfrom the Tenable vulnerability management scans.
3.0.11
- Added a SEVERITY_MODIFICATION_TYPE attribute in the Vulnerability object.
3.0.8
-
Added some new attributes in the Host object, including AWS_EC2_INSTANCE_ID, AZURE_RESOURCE_ID, and GCP_INSTANCE_ID.
-
Used AZURE_VM_ID, if available, as the instance ID of Azure hosts.
3.0.7
- Added 'SSM' as a valid source for hosts.
3.0.6
- Added a LAST_SCAN_NAME attribute in the Host object.
3.0.5
- Added a PATCH_PUBLICATION_DATE attribute in the Vulnerability Definition object.
3.0.3
- Fixed an issue in parsing CVSS v3 vectors.
3.0.0
- Initial Integration+ release.