Tenable Web App Scanning
Tenable Web App Scanning (WAS), formerly Tenable Web Application Scanning, is a cloud-based application security tool that provides automated dynamic application security testing (DAST) to proactively identify and address vulnerabilities in web applications. You can bring site and security data from Tenable WAS into Brinqa to enhance your vulnerability management capabilities, construct a unified view of your attack surface, and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Tenable WAS and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Tenable Web App Scanning from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Tenable WAS with Brinqa:
- API URL: The Tenable API URL. The default URL is https://cloud.tenable.com.
- Access key and Secret key: The access key and secret key associated with the Tenable account, which must have permissions to log in to the API server and return data.
Generate Tenable access key and secret key
For the Tenable WAS connector to use the Tenable WAS API, you must provide the access key and secret key from Tenable. The Tenable WAS connector uses the same access key and secret key as the Tenable Vulnerability Management connector for authentication. If you are using both the Tenable Vulnerability Management and the Tenable WAS connector and you generate new API keys for the Tenable Vulnerability Management integration, you must update your Tenable WAS integration with the same keys.
In order for the Tenable WAS connector to successfully retrieve data from the Tenable WAS API, the access key and secret key must be tied to a Basic user role with Can View permissions. For additional information, see Tenable documentation on permissions.
Tenable does not allow retrieving the access key and secret key for an existing user. Therefore, you must generate new keys instead. To generate a new access key and secret key for your own Tenable account, follow these steps:
- Log in to your Tenable account.
- Click the Menu button on the upper-left corner of the page. A navigation pane appears.
- Click Settings, and then click My Account.
- Click the User Account button on the upper-right corner of the page, and then click the API Keys tab.
- Click Generate. The Generate API Keys window appears.
- Review the warning on the page and click Generate.
Your new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.
To generate a new access key and secret key for another user as an administrator, follow these steps:
- Log in to your Tenable account as an administrator.
- Click the Menu button on the upper-left corner of the page. A navigation pane appears.
- Click Settings, and then click Access Control.
- Click the name of the user for which you want to generate an access key and secret key. The Edit User page appears.
- In the API Keys section, click Generate API Keys.
- Review the warning on the page and click Replace & Generate.
The new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.
If you do not have permissions to create Tenable access and secret keys, contact your Tenable administrator. For additional information, see Tenable documentation on API keys.
Additional settings
The Tenable WAS connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
- Parallel requests: The maximum number of parallel API requests. The default setting is 8.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable WAS API before giving up and reporting a failure. The default setting is 10.
- Custom properties: A comma-separated list of custom asset property names to sync. Specified properties are synced with a CUSTOM_ prefix (e.g., a property named department is synced as CUSTOM_department).
Types of data to retrieve
The Tenable WAS connector can retrieve the following types of data from the Tenable WAS API:
Table 1: Data retrieved from Tenable WAS
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Dynamic Code Finding | Yes | Dynamic Code Finding |
| Dynamic Code Finding Definition | Yes | Dynamic Code Finding Definition |
| Site | Yes | Site |
For detailed steps on how to view the data retrieved from Tenable WAS in the Brinqa Platform, see How to view your data.
Attribute mappings
The sections below show the mappings between the source and the Brinqa data model attributes.
Dynamic Code Finding
Table 2: Dynamic Code Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| asset.uuid | targets |
| finding_id | uid, name |
| first_found | firstFound |
| last_fixed | lastFixed |
| last_found | lastFound |
| output | results |
| plugin.id | type |
| scan.uuid | Local variable |
| state | status, sourceStatus, statusCategory |
| url | url |
Dynamic Code Finding Definition
Table 3: Dynamic Code Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| cpe | affected |
| cves | cveIds, cveRecords |
| cvss_base_score | Use CVSS calculator |
| cvss3_base_score | Use CVSS calculator |
| cvss_vector | Use CVSS calculator |
| cvss3_vector | Use CVSS calculator |
| cwe | weaknesses |
| description | description |
| exploit_available | exploits |
| family | categories |
| name | name |
| owasp | tags |
| patch_published | patchAvailable, Local variable |
| plugin_id | uid |
| plugin_modified | sourceLastModified |
| plugin_published | publishedDate |
| policy | Local variable |
| risk_factor | severity, sourceSeverity, severityScore |
| see_also | Local variable |
| solution | recommendation |
| synopsis | summary |
| vuln_published | Local variable |
| wasc | tags |
Site
Table 4: Site attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| asset.agent_names | Local variable |
| asset.agent_uuid | Local variable |
| asset.aws_availability_zone | Local variable |
| asset.aws_ec2_instance_ami_id | Local variable |
| asset.aws_ec2_instance_group_name | Local variable |
| asset.aws_ec2_instance_id | Local variable |
| asset.aws_ec2_instance_state_name | Local variable |
| asset.aws_ec2_instance_type | Local variable |
| asset.aws_ec2_name | name, Local variable |
| asset.aws_ec2_product_code | Local variable |
| asset.aws_owner_id | Local variable |
| asset.aws_region | Local variable |
| asset.aws_subnet_id | Local variable |
| asset.aws_vpc_id | Local variable |
| asset.azure_resource_id | Local variable |
| asset.azure_vm_id | Local variable |
| asset.bios_uuid | Local variable |
| asset.created_at | sourceCreatedDate |
| asset.custom_attributes | Local variable (CUSTOM_{name}) |
| asset.deleted_at | Local variable |
| asset.deleted_by | Local variable |
| asset.first_scan_time | Local variable |
| asset.first_seen | firstSeen |
| asset.fqdns | dnsNames, privateDnsName, publicDnsName |
| asset.gcp_instance_id | Local variable |
| asset.gcp_project_id | Local variable |
| asset.gcp_zone | Local variable |
| asset.has_agent | Local variable |
| asset.has_plugin_results | Local variable |
| asset.hostnames | hostname, hostnames |
| asset.id | uid |
| asset.installed_software | Local variable |
| asset.ipv4s | ipAddresses, privateIpAddresses, publicIpAddress, publicIpAddresses |
| asset.ipv6s | ipAddresses |
| asset.is_licensed | Local variable |
| asset.is_public | Local variable |
| asset.last_authenticated_scan_date | Local variable |
| asset.last_authentication_attempt_date | Local variable |
| asset.last_authentication_scan_status | Local variable |
| asset.last_authentication_success_date | Local variable |
| asset.last_licensed_scan_date | Local variable |
| asset.last_scan_id | Local variable |
| asset.last_scan_target | Local variable |
| asset.last_scan_time | lastScanned |
| asset.last_schedule_id | Local variable |
| asset.last_seen | lastSeen |
| asset.mac_addresses | macAddresses |
| asset.manufacturer_tpm_ids | Local variable |
| asset.mcafee_epo_agent_guid | Local variable |
| asset.mcafee_epo_guid | Local variable |
| asset.network_device_serial_identifier | Local variable |
| asset.network_id | Local variable |
| asset.network_name | Local variable |
| asset.open_ports | Local variable |
| asset.operating_systems | operatingSystem, Local variable |
| asset.ratings.acr.score | Local variable |
| asset.ratings.aes.score | Local variable |
| asset.resource_tags | Local variable |
| asset.servicenow_sysid | Local variable |
| asset.sources | Local variable |
| asset.ssh_fingerprints | Local variable |
| asset.system_types | categories |
| asset.tags | tags |
| asset.tenable_agent_days_since_active | Local variable |
| asset.terminated_at | status, Local variable |
| asset.terminated_by | Local variable |
| asset.types | Local variable |
| asset.updated_at | sourceLastModified |
| description | description |
| instanceId | instanceId |
| lastScan.name | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Operation options
The Tenable WAS connector supports the following operation options:
Table 5: Operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Dynamic Code Finding | num_assets | Any number ranging from 50 to 5000 | Specifies the number of assets used to chunk the vulnerability export. | Key: num_assets Value: 1000. This key and value combination retrieves vulnerabilities for 1000 assets at a time. |
| Dynamic Code Finding | state | OPEN, REOPENED, FIXED, or a comma-separated combination | Filters findings by state. Defaults to all states (OPEN,REOPENED,FIXED) when not set. Values are case-insensitive. | Key: state Value: OPEN,REOPENED. This key and value combination only retrieves open and reopened findings. |
| Dynamic Code Finding, Site | chunk_size | Any number ranging from 100 to 10000 | Specifies the number of records that are exported in a batch. Tenable recommends not exceeding 5000. | Key: chunk_size Value: 100. This key and value combination only retrieves 100 records at a time. Once 100 records are exported, the next group of 100 records exports. |
| Site | is_licensed | true or false | Filters sites by whether or not they are included in the asset count for Tenable. | Key: is_licensed Value: true. This key and value combination only retrieves sites that are licensed. |
| Site | network_id | Any valid Tenable network UUID | Filters sites by the Tenable network ID. | Key: network_id Value: 00000000-0000-0000-0000-000000000000. This key and value combination only retrieves sites belonging to the specified network. |
| Site | network_name | Any Tenable network name string | Filters sites by the Tenable network name. | Key: network_name Value: Default. This key and value combination only retrieves sites belonging to the named network. |
| Site | sinceFilter | last_assessed, created_at, updated_at, terminated_at, deleted_at, first_scan_time, last_scan_time, first_seen, last_seen | Specifies the timestamp field used for incremental sync filtering. Defaults to last_assessed. | Key: sinceFilter Value: updated_at. This key and value combination filters sites by the updated_at timestamp instead of last_assessed. |
| Site | sources | AWS, NESSUS_AGENT, PVS, NESSUS_SCAN, SSM, or WAS | A comma-separated list of sources that filter sites by whether or not they are discovered by the specified source. Defaults to WAS. | Key: sources Value: WAS. This key and value combination only retrieves sites discovered by WAS scans. |
| Site | tag.<category> | Any Tenable tag category name | Filters sites with the specified tag category. | Key: tag.<category> Value: Test2. This key and value combination only retrieves sites with the Test2 tag category. |
| Site | types | host, webapp, or a comma-separated combination | Specifies the asset types to export. Defaults to webapp. Passed to the v2 export filters.types parameter. | Key: types Value: webapp. This key and value combination only retrieves webapp asset types. |
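The following added example, which is not Brinqa or Tenable code, checks operation option values against the ranges and allowed values in Table 5 before they are entered in the integration. The function names and the SAMPLE input are hypothetical, and treating every option other than state as case-sensitive is an assumption.

```python
import uuid

# Constraints from Table 5 of this page; names are hypothetical, not connector code.
STATES = {"OPEN", "REOPENED", "FIXED"}
SOURCES = {"AWS", "NESSUS_AGENT", "PVS", "NESSUS_SCAN", "SSM", "WAS"}
SINCE = set("last_assessed created_at updated_at terminated_at deleted_at "
            "first_scan_time last_scan_time first_seen last_seen".split())

def int_range(lo, hi):
    def check(value):
        n = int(value)  # raises ValueError on non-numeric input
        if not lo <= n <= hi:
            raise ValueError(f"must be between {lo} and {hi}")
        return n
    return check

def enum(allowed, fold=str, multi=True):
    def check(value):
        items = [fold(part.strip()) for part in value.split(",")]
        if set(items) - allowed or (len(items) > 1 and not multi):
            raise ValueError(f"expected {'one or more' if multi else 'one'} of {sorted(allowed)}")
        return items if multi else items[0]
    return check

RULES = {
    "Dynamic Code Finding": {
        "num_assets": int_range(50, 5000), "chunk_size": int_range(100, 10000),
        "state": enum(STATES, fold=str.upper)},  # state is documented as case-insensitive
    "Site": {
        "chunk_size": int_range(100, 10000), "network_name": str,
        "is_licensed": enum({"true", "false"}, multi=False), "types": enum({"host", "webapp"}),
        "network_id": lambda v: str(uuid.UUID(v)),  # ValueError if not a UUID
        "sinceFilter": enum(SINCE, multi=False), "sources": enum(SOURCES)},
}

def validate(connector_object, options):
    normalized, errors = {}, {}
    for key, value in options.items():
        is_tag = connector_object == "Site" and key.startswith("tag.")
        rule = str if is_tag else RULES[connector_object].get(key)  # tag.<category>: any name
        try:
            if rule is None:
                raise ValueError(f"not an option for {connector_object}")
            normalized[key] = rule(value)
        except ValueError as exc:
            errors[key] = str(exc)
    return normalized, errors

SAMPLE = {"num_assets": "1000", "state": "open, Reopened", "chunk_size": "50"}  # constructed
```

Calling validate("Dynamic Code Finding", SAMPLE) returns the normalized options together with an error for chunk_size, which is below the documented minimum of 100.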
APIs
The Tenable WAS connector uses the Tenable WAS API v2. Specifically, it uses the following endpoints:
Table 6: Tenable WAS API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Dynamic Code Finding | /was/v1/export/vulns |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/cancel |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/chunks/{chunkId} |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/status |
| Dynamic Code Finding Definition | /was/v2/plugins |
| Dynamic Code Finding Definition | /was/v2/plugins/{plugin_id} |
| Site | POST /assets/v2/export |
| Site | /assets/export/{exportUuid}/cancel |
| Site | /assets/export/{exportUuid}/chunks/{chunkId} |
| Site | /assets/export/{exportUuid}/status |
Changelog
The Tenable WAS connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 7: Tenable WAS Changelog
| Version | Description | Date Published |
|---|---|---|
| 3.1.42 | - The connector now retrieves all finding states (OPEN, REOPENED, FIXED) by default, ensuring complete visibility into remediated vulnerabilities. - Added the LAST_FIXED attribute to the Dynamic Code Finding object, capturing when a previously detected vulnerability was resolved. - Added the state operation option for the Dynamic Code Finding object, allowing finding states to be configured (e.g., OPEN,REOPENED,FIXED). - Upgraded to the Tenable v2 Asset Export API for the Site object, providing richer asset data and better performance. - Added 17+ new Site attributes, including network details, scan authentication fields, Tenable ratings, and asset metadata. - Added custom properties support via the new customProperties additional setting. No migration required. | April 29th, 2026 |
| 3.1.41 | No change. | April 29th, 2026 |
| 3.1.40 | No change. | February 25th, 2026 |
| 3.1.39 | - Improved performance of plugin data retrieval by adding parallel processing. - Improved error handling for HTTP 503 and 504 errors with retry and graceful skip. | February 25th, 2026 |
| 3.1.38 | No change. | February 3rd, 2026 |
| 3.1.37 | No change. | January 22nd, 2026 |
| 3.1.36 | Updated to use the Tenable WAS Exports API for data retrieval, improving data synchronization reliability and performance. | January 2nd, 2026 |
| 3.1.35 | No change. | August 26th, 2025 |
| 3.1.34 | No change. | August 11th, 2025 |
| 3.1.33 | No change. | July 10th, 2025 |
| 3.1.32 | Fixed an issue where the Dynamic Code Finding Definition object sync was failing. | July 1st, 2025 |
| 3.1.31 | The Tenable Web Application Scanning connector has been renamed to "Tenable Web App Scanning" to reflect Tenable's product name changes. This change only affects the connector label and does not impact functionality. You can update without making any changes to your existing configurations. | June 10th, 2025 |
| 3.1.16 | Addressed precision issues by changing the data type for CVSS scores from Float to Double. | January 18th, 2024 |
| 3.1.15 | - Changed the SOURCE_SEVERITY attribute type on the Vulnerability object to a string. - Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability Definition object. | December 17th, 2023 |
| 3.1.12 | Added a new additional setting to help manage API throttling and optimize API call handling: Maximum retries. | September 12th, 2023 |
| 3.1.2 | Added a check for null or empty dates. | June 29th, 2023 |
| 3.0.16 | Initial Integration+ release. | June 11th, 2023 |