Tenable.sc
Tenable.sc is a vulnerability management and security configuration tool that scans, consolidates, and evaluates vulnerability data from your entire network. You can bring asset and security findings from Tenable.sc into Brinqa to calculate risk scores, construct a unified view of your attack surface, and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Tenable.sc and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Tenable.sc from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Tenable.sc with Brinqa:
-
Server URL: The Tenable.sc Server URL.
-
Access key and Secret key: The access key and secret key associated with the Tenable.sc account, which must have permissions to log in to the API server and return data.
Generate Tenable.sc access key and secret key
For the Tenable.sc connector to use the Tenable.sc API, you must provide the access key and secret key from Tenable.sc.
Before you can generate a new access key and secret key, you must enable API key authentication. To do so, follow these steps:
-
Log in to your organization's Tenable.sc account as an administrator.
-
Navigate to System > Configuration, and then click Security.
-
In Authentication Settings, click Allow API Keys.
-
Click Submit.
To generate new API keys for authentication, follow these steps:
-
Log in to your organization's Tenable.sc account as an administrator.
-
Navigate to Users > Users.
-
Right-click the user for which you want to generate new API keys.
-
Click API Keys > Generate API Key.
-
Review the confirmation and click Generate.
Your new Tenable.sc access key and secret key display in the window. Copy the access key and secret key to a safe and secure location.
If you do not have the permissions to create Tenable.sc access and secret keys, contact your Tenable.sc administrator. For additional information, see Tenable.sc documentation.
Additional settings
The Tenable.sc connector contains additional options for specific configuration:
-
Set page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 8.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable.sc API before giving up and reporting a failure. The default setting is 10.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Tenable.sc connector can retrieve the following types of data from the Tenable.sc API:
Table 1: Data retrieved from Tenable.sc
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Host | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
Tenable.sc refers to vulnerability definitions as plugins.
For detailed steps on how to view the data retrieved from Tenable.sc in the Brinqa Platform, see How to view your data.
Attribute mappings
Click the tabs below to view the mappings between the source and the Brinqa data model attributes.
- Host
- Vulnerability
- Vulnerability Definition
Table 2: Host attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| host.createdTime | sourceCreatedDate |
| host.dns, record.dnsName | publicDnsName, privateDnsName |
| host.dns | name |
| host.firstSeen | firstSeen |
| host.ipAddress | name |
| host.ipAddress, record.ip | ipAddresses, publicIpAddresses, privateIpAddresses |
| host.lastSeen | lastSeen |
| host.macAddress, record.macAddress | macAddresses |
| host.modifiedTime | sourceLastModified |
| host.name | name |
| host.netBios | name |
| host.tenableUUID | Local variable |
| record.dnsName | name |
| record.identifier | name |
| record.ip | name |
| record.netbiosName | name |
| record.serial | name |
| repository.id (host) | Local variable |
| repository.name (host) | Local variable |
| STATUS | status |
| uid | uid |
| vuln.asset.fqdn | privateDnsName, publicDnsName |
| vuln.asset.hostname | hostnames |
| vuln.asset.ipv4 | ipAddresses |
| vuln.asset.mac_address | macAddresses |
| vuln.asset.uuid | targets |
| vuln.first_found | firstFound |
| vuln.last_fixed | Local variable |
| vuln.last_found | lastFound |
| vuln.plugin.id | type |
| vuln.port.port | port |
| vuln.port.protocol | protocol |
| vuln.output | results |
| vuln.severity_id | severity, sourceSeverity |
| vuln.state | sourceStatus, statusCategory, status |
Table 3: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| repository.id (vuln) | Local variable |
| repository.name (vuln) | Local variable |
| record.sourceType | status, sourceStatus, statusCategory |
| uniqueAssetId | uid, targets |
| vuln.acceptRisk | Local variable |
| vuln.dnsName | publicDnsName, privateDnsName |
| vuln.firstSeen | firstFound |
| vuln.identifier | uid, targets |
| vuln.ip | ipAddresses |
| vuln.lastMitigated | lastFixed |
| vuln.lastSeen | lastFound |
| vuln.macAddress | macAddresses |
| vuln.netbiosName | hostname |
| vuln.pluginId | uid, type |
| vuln.pluginText | results |
| vuln.port | uid, port |
| vuln.protocol | uid, protocol |
| vuln.recastRisk | Local variable |
| vuln.serial | uid, targets |
| vuln.severity | severity, sourceSeverity |
Table 4: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| age_of_vuln | Local variable |
| cvssV3_impactScore | Local variable |
| exploit_code_maturity | Local variable |
| PATCH_AVAILABLE | patchAvailable |
| plugin.baseScore | cvssV2BaseScore |
| plugin.checkType | Local variable |
| plugin.cpe | affected |
| plugin.cvssVector | cvssV2Vector |
| plugin.cvssV3BaseScore | cvssV3BaseScore |
| plugin.cvssV3TemporalScore | cvssV3TemporalScore |
| plugin.cvssV3Vector | cvssV3Vector |
| plugin.description | description |
| plugin.exploitAvailable | Local variable |
| plugin.exploitEase | Local variable |
| plugin.exploitFrameworks | exploits |
| plugin.family | categories |
| plugin.id | uid |
| plugin.modifiedTime | sourceLastModified |
| plugin.name | name |
| plugin.patchPubDate | Local variable |
| plugin.pluginModDate | sourceLastModified |
| plugin.pluginPubDate | publishedDate |
| plugin.riskFactor | severity, sourceSeverity, severityScore |
| plugin.solution | recommendation |
| plugin.synopsis | summary |
| plugin.temporalScore | cvssV2TemporalScore |
| plugin.type | Local variable |
| plugin.vprScore | Local variable |
| plugin.xrefs | cveIds, cveRecords, references |
| plugin.seeAlso | Local variable |
| predicted_impactScore | Local variable |
| product_coverage | Local variable |
| threat_intensity_last_28 | Local variable |
| threat_model_type | Local variable |
| threat_model_version | Local variable |
| threat_recency | Local variable |
| threat_sources_last_28 | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Tenable.sc connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: Tenable.sc connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Host | asset | Any number identifying the hosts in your network. | Retrieves the host that is associated with the specified asset ID. | Key: asset Value: 123456789. This key and value combination only retrieves the host with asset ID 123456789. |
| ip | Any valid IP addresses or DNS names in your network. | A comma-separated list of valid IP addresses or DNS names in your network. | Key: ip Value: 192.168.1.1. This key and value combination only retrieves the host whose IP address is 192.168.1.1. | |
| per_repo_distinct_asset_uuid | true or false | Indicate whether to create a unique identifier when the same asset is found in multiple repositories. | Key: per_repo_distinct_asset_uuid Value: true. This key and value combination creates a unique identifier when the same asset is found in multiple repositories. | |
| Vulnerability | asset | Any number identifying the hosts in your network. | Retrieves the vulnerabilities that are associated with the specified asset ID. | Key: asset Value: 123456789. This key and value combination only retrieves the vulnerabilities that are associated with asset ID 123456789. |
| baseCVSSScore or cvssV2BaseScore | Any numeric value ranges from from 0.1-10.0. | Retrieves all vulnerabilities with the specified Common Vulnerability Score System (CVSS) V2 score or range of CVSS V2 scores. Values are separated by a dash -. | Key: baseCVSSScore Value: 8. This key and value combination only retrieves vulnerabilities with a CVSS V2 score of 8. | |
| cvssV3BaseScore | Any numeric value ranges from 0.1-10.0 | Retrieves all vulnerabilities with the specified CVSS V3 score or range of CVSS V3 scores. Values are separated by a dash -. | Key: cvssV3BaseScore Value: 3. This key and value combination only retrieves vulnerabilities with a CVSS V3 score of 3. | |
| infoPlugins | Any supported Tenable.sc plugin ID number or range of plugin IDs from 0-8388607. | A comma-separated list of plugin IDs. Retrieves additional information about each plugin associated with the vulnerabilities identified in your network, such as the plugin's name, description, severity, and other details. | Key: infoPlugins Value: 123456,789012. This key and value combination only retrieves detailed information about the plugins with IDs 123456 and 789012. | |
| ip | Any valid IP addresses or DNS names in your network. | A comma-separated list of valid IP addresses or DNS names in your network. | Key: ip Value: 192.168.1.1. This key and value combination only retrieves the vulnerabilities associated with the IP address 192.168.1.1. | |
| mitigated | never or previously | Retrieves vulnerabilities by their mitigation status. | Key: mitigated Value: never. This key and value combination only retrieves vulnerabilities that have not been mitigated. | |
| per_repo_distinct_asset_uuid | true or false | Indicate whether to create a unique identifier when the same asset is found in multiple repositories. | Key: per_repo_distinct_asset_uuid Value: true. This key and value combination creates a unique identifier when the same asset is found in multiple repositories. | |
| plugin or pluginID | Any supported Tenable.sc plugin ID number or range of plugin IDs from 0-8388607. | Retrieves vulnerabilities that are related to the specified plugin ID or range of plugin IDs. Plugin IDs are separated by a dash -. | Key: pluginID Value: 123456. This key and value combination only retrieves vulnerabilities associated with plugin ID 123456. | |
| pluginType | active, compliance, lce, or passive | Retrieves vulnerabilities that are related to the specified plugin types. | Key: pluginType Value: active, compliance. This key and value combination only retrieves active and compliant plugins that are used to identify vulnerabilities. | |
| repository | Any vulnerability repository. | Retrieves only vulnerabilities from the specified repository. | Key: repository Value: repo2. This key and value combination only retrieves vulnerabilities from the repo2 repository. | |
| severity | Any number from 0-4. | Retrieves vulnerabilities based on their specified severity level. 0 = Informational, 1 = Low, 2 = Medium, 3 = High, and 4 = Critical. | Key: severity Value: 4: This key and value combination only retrieves vulnerabilities with a severity level of 4, or critical vulnerabilities. | |
| vprScore | Any numeric value from 0.1-10.0. | Retrieve all vulnerabilities with a Vulnerability Priority Rating (VPR) score of the specified value or higher. | Key: vpr_score Value: 7. This key and value combination retrieves all vulnerabilities with a VPR score of 7 or higher. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Tenable.sc connector uses the Tenable.sc REST API. Specifically, it uses the following API endpoints:
Table 6: Tenable.sc REST API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Host | POST /rest/hosts/search |
| Vulnerability | POST /rest/analysis |
GET /rest/status | |
| Vulnerability Definition | GET /rest/plugin |
Changelog
The Tenable.sc connector has undergone the following changes:
3.1.20
- Changed the EXPLOIT_AVAILABILITY attribute on the Vulnerability Definition object from a String to a Boolean.
3.1.18
- Added a VULNERABILITY_PUBLISHED_DATE attribute to the Vulnerability Definition object.
3.1.16
- Addressed precision issues by changing the data type for CVSS scores from Float to Double.
3.1.15
-
Changed the SOURCE_SEVERITY attribute to a String type.
-
Added a SOURCE_SEVERITY_SCORE attribute in the Vulnerability and Vulnerability Definition object.
3.1.14
- Normalized the HOSTNAME attribute in the Host object.
3.1.13
- Added a new operation option,
per_repo_distinct_asset_uuid, to indicate whether to create a unique identifier when the same asset is found in multiple repositories.
3.1.12
- Added a new setting to configure maximum retries.
3.1.11
-
Added a SOURCE_STATUS attribute in the Vulnerability object to store the source finding statuses.
-
Added a method to normalize the source finding statuses.
3.1.10
- Added operation options to retrieve vulnerabilities based on both severity and plugins.
3.1.9
- Avoided retrieving nanoseconds by changing the data type of date attributes from Long to Instant.
3.1.4
- Set the vulnerability status to 'Risk accepted' if the
acceptRiskattribute on the source data is marked as 'true'.
3.1.2
- Added a check for null or empty dates.
3.0.5
- Added a PATCH_PUBLICATION_DATE attribute in the Vulnerability Definition object.
3.0.0
- Initial Integration+ release.