Skip to main content

Tenable.sc

Tenable.sc is a vulnerability management and security configuration tool that scans, consolidates, and evaluates vulnerability data from your entire network. You can bring asset and security data from Tenable.sc into Brinqa to calculate risk scores, construct a unified view of your attack surface, and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Tenable.sc and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Tenable.sc from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Tenable.sc with Brinqa:

  • Server URL: The Tenable.sc Server URL.

  • Access key and Secret key: The access key and secret key associated with the Tenable.sc account, which must have permissions to log in to the API server and return data.

Generate Tenable.sc access key and secret key

For the Tenable.sc connector to use the Tenable.sc API, you must provide the access key and secret key from Tenable.sc.

Before you can generate a new access key and secret key, you must enable API key authentication. To do so, follow these steps:

  1. Log in to your organization's Tenable.sc account as an administrator.

  2. Navigate to System > Configuration, and then click Security.

  3. In Authentication Settings, click Allow API Keys.

  4. Click Submit.

To generate new API keys for authentication, follow these steps:

  1. Log in to your organization's Tenable.sc account as an administrator.

  2. Navigate to Users > Users.

  3. Right-click the user for which you want to generate new API keys.

  4. Click API Keys > Generate API Key.

  5. Review the confirmation and click Generate.

    Your new Tenable.sc access key and secret key display in the window. Copy the access key and secret key to a safe and secure location.

note

If you do not have the permissions to create Tenable.sc access and secret keys, contact your Tenable.sc administrator. For additional information, see Tenable.sc documentation.

Required ports

To ensure proper communication between your on-premise Brinqa Agent servers and the Tenable.sc on-prem server, the following port must be opened:

  • Port 443 (HTTPS): This port is used for secure communication between the Brinqa Agent and Tenable.sc. Ensure that this port is open for outbound and inbound traffic on any firewall protecting the Tenable.sc server.

The Tenable.sc connector is set up using a URL provided by the Tenable administrator. The URL is typically in the format https://host..., where the https:// part indicates that the communication is over HTTPS, using port 443. However, the specific port can be configured differently based on your network and security setup. For instance, if the URL is in the format http://host:<PORT>, then the specified port will be used. The exact port and route that need to be open and accessible are determined by the Tenable.sc administrator and network team. The Brinqa connector or Brinqa Agent does not have any specific port requirement; it depends on how Tenable.sc is configured.

Additional settings

The Tenable.sc connector contains additional options for specific configuration:

  • Set page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 8.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable.sc API before giving up and reporting a failure. The default setting is 10.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The Tenable.sc connector can retrieve the following types of data from the Tenable.sc API:

Table 1: Data retrieved from Tenable.sc

Connector ObjectRequiredMaps to Data Model
HostYesHost
VulnerabilityYesVulnerability
Vulnerability DefinitionYesVulnerability Definition
info

Tenable.sc refers to vulnerability definitions as plugins.

For detailed steps on how to view the data retrieved from Tenable.sc in the Brinqa Platform, see How to view your data.

Attribute mappings

Click the tabs below to view the mappings between the source and the Brinqa data model attributes.

Table 2: Host attribute mappings

Source Field NameMaps to Attribute
host.createdTimesourceCreatedDate
host.dns, record.dnsNamepublicDnsName, privateDnsName
host.dnsname
host.firstSeenfirstSeen
host.ipAddressname
host.ipAddress, record.ipipAddresses, publicIpAddresses, privateIpAddresses
host.lastSeenlastSeen
host.macAddress, record.macAddressmacAddresses
host.modifiedTimesourceLastModified
host.namename
host.netBiosname
host.tenableUUIDLocal variable
record.dnsNamename
record.identifiername
record.ipname
record.netbiosNamename
record.serialname
repository.id (host)Local variable
repository.name (host)Local variable
STATUSstatus
uiduid
vuln.asset.fqdnprivateDnsName, publicDnsName
vuln.asset.hostnamehostnames
vuln.asset.ipv4ipAddresses
vuln.asset.mac_addressmacAddresses
vuln.asset.uuidtargets
vuln.first_foundfirstFound
vuln.last_fixedLocal variable
vuln.last_foundlastFound
vuln.plugin.idtype
vuln.port.portport
vuln.port.protocolprotocol
vuln.outputresults
vuln.severity_idseverity, sourceSeverity
vuln.statesourceStatus, statusCategory, status
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Operation options

The Tenable.sc connector supports the following operation options. See connector operation options for information about how to apply them.

Table 5: Tenable.sc connector operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
HostassetAny number identifying the hosts in your network.Retrieves the host that is associated with the specified asset ID.Key: asset Value: 123456789. This key and value combination only retrieves the host with asset ID 123456789.
ipAny valid IP addresses or DNS names in your network.A comma-separated list of valid IP addresses or DNS names in your network.Key: ip Value: 192.168.1.1. This key and value combination only retrieves the host whose IP address is 192.168.1.1.
per_repo_distinct_asset_uuidtrue or falseIndicate whether to create a unique identifier when the same asset is found in multiple repositories.Key: per_repo_distinct_asset_uuid Value: true. This key and value combination creates a unique identifier when the same asset is found in multiple repositories.
VulnerabilityassetAny number identifying the hosts in your network.Retrieves the vulnerabilities that are associated with the specified asset ID.Key: asset Value: 123456789. This key and value combination only retrieves the vulnerabilities that are associated with asset ID 123456789.
baseCVSSScore or cvssV2BaseScoreAny numeric value ranges from from 0.1-10.0.Retrieves all vulnerabilities with the specified Common Vulnerability Score System (CVSS) V2 score or range of CVSS V2 scores. Values are separated by a dash -.Key: baseCVSSScore Value: 8. This key and value combination only retrieves vulnerabilities with a CVSS V2 score of 8.
cvssV3BaseScoreAny numeric value ranges from 0.1-10.0Retrieves all vulnerabilities with the specified CVSS V3 score or range of CVSS V3 scores. Values are separated by a dash -.Key: cvssV3BaseScore Value: 3. This key and value combination only retrieves vulnerabilities with a CVSS V3 score of 3.
infoPluginsAny supported Tenable.sc plugin ID number or range of plugin IDs from 0-8388607.A comma-separated list of plugin IDs. Retrieves additional information about each plugin associated with the vulnerabilities identified in your network, such as the plugin's name, description, severity, and other details.Key: infoPlugins Value: 123456,789012. This key and value combination only retrieves detailed information about the plugins with IDs 123456 and 789012.
ipAny valid IP addresses or DNS names in your network.A comma-separated list of valid IP addresses or DNS names in your network.Key: ip Value: 192.168.1.1. This key and value combination only retrieves the vulnerabilities associated with the IP address 192.168.1.1.
mitigatednever or previouslyRetrieves vulnerabilities by their mitigation status.Key: mitigated Value: never. This key and value combination only retrieves vulnerabilities that have not been mitigated.
per_repo_distinct_asset_uuidtrue or falseIndicate whether to create a unique identifier when the same asset is found in multiple repositories.Key: per_repo_distinct_asset_uuid Value: true. This key and value combination creates a unique identifier when the same asset is found in multiple repositories.
plugin or pluginIDAny supported Tenable.sc plugin ID number or range of plugin IDs from 0-8388607.Retrieves vulnerabilities that are related to the specified plugin ID or range of plugin IDs. Plugin IDs are separated by a dash -.Key: pluginID Value: 123456. This key and value combination only retrieves vulnerabilities associated with plugin ID 123456.
pluginTypeactive, compliance, lce, or passiveRetrieves vulnerabilities that are related to the specified plugin types.Key: pluginType Value: active, compliance. This key and value combination only retrieves active and compliant plugins that are used to identify vulnerabilities.
repositoryAny vulnerability repository.Retrieves only vulnerabilities from the specified repository.Key: repository Value: repo2. This key and value combination only retrieves vulnerabilities from the repo2 repository.
severityAny number from 0-4.Retrieves vulnerabilities based on their specified severity level. 0 = Informational, 1 = Low, 2 = Medium, 3 = High, and 4 = Critical.Key: severity Value: 4: This key and value combination only retrieves vulnerabilities with a severity level of 4, or critical vulnerabilities.
vprScoreAny numeric value from 0.1-10.0.Retrieve all vulnerabilities with a Vulnerability Priority Rating (VPR) score of the specified value or higher.Key: vpr_score Value: 7. This key and value combination retrieves all vulnerabilities with a VPR score of 7 or higher.
note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Tenable.sc connector uses the Tenable.sc REST API. Specifically, it uses the following API endpoints:

Table 6: Tenable.sc REST API Endpoints

Connector ObjectAPI Endpoint
HostPOST /rest/hosts/search
VulnerabilityPOST /rest/analysis
GET /rest/status
Vulnerability DefinitionGET /rest/plugin

Changelog

The Tenable.sc connector has undergone the following changes:

3.1.20

  • Changed the EXPLOIT_AVAILABILITY attribute on the Vulnerability Definition object from a String to a Boolean.

3.1.18

  • Added a VULNERABILITY_PUBLISHED_DATE attribute to the Vulnerability Definition object.

3.1.16

  • Addressed precision issues by changing the data type for CVSS scores from Float to Double.

3.1.15

  • Changed the SOURCE_SEVERITY attribute to a String type.

  • Added a SOURCE_SEVERITY_SCORE attribute in the Vulnerability and Vulnerability Definition object.

3.1.14

  • Normalized the HOSTNAME attribute in the Host object.

3.1.13

  • Added a new operation option, per_repo_distinct_asset_uuid, to indicate whether to create a unique identifier when the same asset is found in multiple repositories.

3.1.12

  • Added a new setting to configure maximum retries.

3.1.11

  • Added a SOURCE_STATUS attribute in the Vulnerability object to store the source finding statuses.

  • Added a method to normalize the source finding statuses.

3.1.10

  • Added operation options to retrieve vulnerabilities based on both severity and plugins.

3.1.9

  • Avoided retrieving nanoseconds by changing the data type of date attributes from Long to Instant.

3.1.4

  • Set the vulnerability status to 'Risk accepted' if the acceptRisk attribute on the source data is marked as 'true'.

3.1.2

  • Added a check for null or empty dates.

3.0.5

  • Added a PATCH_PUBLICATION_DATE attribute in the Vulnerability Definition object.

3.0.0