Tenable.io Vulnerability Management provides the most accurate information about dynamic assets and vulnerabilities in ever-changing environments.
This document provides information about the Tenable.io connector, which facilitates automated interactions, with a Tenable.io server using FortiSOAR™ playbooks. Add the Tenable.io connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list along with details of all the completed scans for a specified time duration, retrieving information about asset(s) that are associated with a specified scan, and retrieving information about the vulnerabilities associated with a particular asset.
Connector Version: 1.2.0
Authored By: Community
Certified: No
Following enhancements have been made to the Tenable.io connector in version 1.2.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-tenable-io
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Tenable.io connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Tenable.io server to which you will connect and perform the automated operations. |
| Access Key | Access Key that is configured for your account to access the Tenable.io server to which you will connect and perform the automated operations. |
| Secret Key | Secret Key that is configured for your account to access the Tenable.io server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| List Scans | Retrieves a list along with the details of all the completed scans from the Tenable.io server, based on the time duration, such as 24 hours or last 3 days, you have specified. | search_scans Investigation |
| Trigger Scan | Triggers a scan on the Tenable.io server based on the scan ID you have specified. | trigger_scan Investigation |
| List Scan's Assets | Retrieves information about asset(s) that are associated with a particular scan from the Tenable.io server, based on the scan ID you have specified. | get_endpoints Investigation |
| List Asset's Vulnerabilities | Retrieves information about vulnerabilities that are associated with a particular asset from the Tenable.io server, based on the asset UUID you have specified. | get_vulnerabilities Investigation |
| Get Vulnerability Information | Retrieves information about vulnerabilities that are associated with a particular plugin from the Tenable.io server, based on the plugin ID you have specified. | vuln_details Investigation |
| Get Plugin Information | Retrieves information about a specific plugin from the Tenable.io server, based on the plugin ID you have specified. | plugin_details Investigation |
| Export Vulnerabilities | Exports all vulnerabilities from the Tenable.io server based on the filter criteria such as chunk size, severity, etc. you have specified. | export_vulns Investigation |
| Export Assets | Export all assets from the Tenable.io server based on the filter criteria such as chunk size and last assessed time you have specified. | export_assets Investigation |
| Parameter | Description |
|---|---|
| Completion Time | Time duration for which you want to retrieve a list along with details of all the completed scans from Tenable.io. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server. You can choose from the following options: Last 24 Hours, Last 3 Days, Last 5 Days, Last 7 Days, Last 15 Days, Last 25 Days, Last 30 Days, Last 50 Days, Last 60 Days, Last 90 Days, Last 120 Days, and Last 180 Days. |
The JSON output contains a list along with the details of all the completed scans retrieved from Tenable.io, based on the time duration you have specified.
The output contains the following populated JSON schema:
{
"starttime": "",
"uuid": "",
"enabled": "",
"legacy": "",
"read": "",
"owner": "",
"control": "",
"schedule_uuid": "",
"permissions": "",
"id": "",
"status": "",
"user_permissions": "",
"name": "",
"rrules": "",
"type": "",
"creation_date": "",
"last_modification_date": "",
"timezone": "",
"shared": ""
}
| Parameter | Description |
|---|---|
| Scan ID | ID of scan that you want to trigger on Tenable.io. |
| Targets | (Optional) Targets to be scanned instead of the default targets. Value for this field can be an array where each index is a target or an array with a single index of comma-separated targets. For example, ['111.122.22.1', 'example.com'] |
The JSON output contains the status of the trigger scan operation. The JSON output returns a Success message if the scan is triggered successfully or an Error message containing the reason for failure. The JSON output also contains the UUID of the triggered scan.
The output contains the following populated JSON schema:
{
"scan_uuid": ""
}
| Parameter | Description |
|---|---|
| Scan ID | ID of scan whose associated asset(s) information you want to retrieve from Tenable.io. |
The JSON output contains information about the asset(s) associated with a specific scan retrieved from Tenable.io, based on the scan ID you have specified.
The output contains the following populated JSON schema:
{
"uuid": "",
"mac": [],
"ip": [],
"time_start": "",
"fqdn": [],
"os": [],
"time_end": ""
}
| Parameter | Description |
|---|---|
| Asset UUID | UUID of the asset whose associated vulnerabilities information you want to retrieve from Tenable.io. |
The JSON output contains information about the vulnerabilities associated with a specific asset retrieved from Tenable.io, based on the asset UUID you have specified.
The output contains the following populated JSON schema:
{
"plugin_id": "",
"plugin_family": "",
"counts_by_severity": [
{
"value": "",
"count": ""
}
],
"count": "",
"severity": "",
"vulnerability_state": "",
"plugin_name": "",
"accepted_count": "",
"recasted_count": ""
}
| Parameter | Description |
|---|---|
| Plugin ID | ID of the plugin whose associated vulnerabilities details you want to retrieve from Tenable.io. |
The JSON output contains information about the vulnerabilities associated with a specific plugin retrieved from Tenable.io, based on the plugin ID you have specified.
The output contains the following populated JSON schema:
{
"see_also": [],
"count": "",
"reference_information": [],
"severity": "",
"synopsis": "",
"discovery": {
"seen_last": "",
"seen_first": ""
},
"risk_information": {
"cvss_vector": "",
"cvss3_temporal_score": "",
"stig_severity": "",
"cvss3_base_score": "",
"cvss3_temporal_vector": "",
"risk_factor": "",
"cvss_temporal_vector": "",
"cvss_base_score": "",
"cvss_temporal_score": "",
"cvss3_vector": ""
},
"plugin_details": {
"modification_date": "",
"name": "",
"type": "",
"publication_date": "",
"family": "",
"severity": "",
"version": ""
},
"description": ""
}
| Parameter | Description |
|---|---|
| Plugin ID | ID of the plugin whose details you want to retrieve from Tenable.io. |
The JSON output contains information about the specific plugin retrieved from Tenable.io, based on the plugin ID you have specified.
The output contains the following populated JSON schema:
{
"id": "",
"family_name": "",
"name": "",
"attributes": [
{
"attribute_name": "",
"attribute_value": ""
}
]
}
| Parameter | Description |
|---|---|
| Chunk Size | Maximum number of vulnerabilities that you want to export, per chunk, from Tenable.io. |
| CIDR Range | (Optional) CIDR range that will restrict the search of vulnerabilities from Tenable.io. The search will be restricted to assets that assigned to IP addresses specified within the specified CIDR range |
| Severity | (Optional) Severity of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Info, Low, Medium, High, or Critical. By default, all severity levels are selected. |
| From | (Optional) Start date of the range of data (vulnerabilities) you want to export from Tenable.io. |
| State | (Optional) State of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Open, Reopened, or Fixed. |
The output contains the following populated JSON schema:
{
"severity": "",
"first_found": "",
"output": "",
"port": {
"protocol": "",
"port": ""
},
"last_found": "",
"severity_id": "",
"plugin": {
"version": "",
"risk_factor": "",
"publication_date": "",
"solution": "",
"family_id": "",
"id": "",
"modification_date": "",
"name": "",
"synopsis": "",
"type": "",
"has_patch": "",
"description": "",
"family": ""
},
"scan": {
"uuid": "",
"schedule_uuid": "",
"started_at": "",
"completed_at": ""
},
"asset": {
"uuid": "",
"last_authenticated_results": "",
"operating_system": [],
"agent_uuid": "",
"netbios_name": "",
"network_id": "",
"fqdn": "",
"mac_address": "",
"ipv4": "",
"hostname": "",
"tracked": "",
"device_type": "",
"bios_uuid": ""
},
"severity_default_id": "",
"state": "",
"severity_modification_type": ""
}
| Parameter | Description |
|---|---|
| Chunk Size | Maximum number of assets that you want to export, per chunk, from Tenable.io. |
| Last Assessed Time | (Optional) Last assessed DateTime of the assets from when you want to export assets from Tenable.io. |
The output contains the following populated JSON schema:
{
"azure_resource_id": "",
"aws_ec2_instance_id": "",
"agent_uuid": "",
"first_scan_time": "",
"aws_ec2_instance_type": "",
"azure_vm_id": "",
"aws_ec2_instance_ami_id": "",
"netbios_names": [],
"last_authenticated_scan_date": "",
"aws_region": "",
"fqdns": [],
"last_licensed_scan_date": "",
"terminated_at": "",
"gcp_zone": "",
"agent_names": [],
"ipv6s": [],
"deleted_by": "",
"id": "",
"aws_ec2_instance_group_name": "",
"aws_availability_zone": "",
"first_seen": "",
"aws_ec2_name": "",
"has_agent": "",
"aws_vpc_id": "",
"terminated_by": "",
"operating_systems": [],
"last_seen": "",
"tags": [],
"qualys_asset_ids": [],
"network_id": "",
"mcafee_epo_agent_guid": "",
"servicenow_sysid": "",
"qualys_host_ids": [],
"deleted_at": "",
"bios_uuid": "",
"system_types": [],
"gcp_instance_id": "",
"network_name": "",
"manufacturer_tpm_ids": [],
"hostnames": [],
"mcafee_epo_guid": "",
"last_scan_time": "",
"mac_addresses": [],
"sources": [
{
"first_seen": "",
"last_seen": "",
"name": ""
}
],
"ipv4s": [],
"aws_ec2_instance_state_name": "",
"gcp_project_id": "",
"network_interfaces": [
{
"aliased": "",
"name": "",
"ipv6s": [],
"mac_addresses": [],
"ipv4s": [],
"virtual": "",
"fqdns": []
}
],
"installed_software": [],
"has_plugin_results": "",
"aws_ec2_product_code": "",
"aws_owner_id": "",
"symantec_ep_hardware_keys": [],
"aws_subnet_id": "",
"ssh_fingerprints": [],
"updated_at": "",
"created_at": ""
}
The Sample - Tenable.io - 1.2.0 playbook collection comes bundled with the Tenable.io connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tenable.io connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Tenable.io Vulnerability Management provides the most accurate information about dynamic assets and vulnerabilities in ever-changing environments.
This document provides information about the Tenable.io connector, which facilitates automated interactions, with a Tenable.io server using FortiSOAR™ playbooks. Add the Tenable.io connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving a list along with details of all the completed scans for a specified time duration, retrieving information about asset(s) that are associated with a specified scan, and retrieving information about the vulnerabilities associated with a particular asset.
Connector Version: 1.2.0
Authored By: Community
Certified: No
Following enhancements have been made to the Tenable.io connector in version 1.2.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-tenable-io
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Tenable.io connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Tenable.io server to which you will connect and perform the automated operations. |
| Access Key | Access Key that is configured for your account to access the Tenable.io server to which you will connect and perform the automated operations. |
| Secret Key | Secret Key that is configured for your account to access the Tenable.io server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| List Scans | Retrieves a list along with the details of all the completed scans from the Tenable.io server, based on the time duration, such as 24 hours or last 3 days, you have specified. | search_scans Investigation |
| Trigger Scan | Triggers a scan on the Tenable.io server based on the scan ID you have specified. | trigger_scan Investigation |
| List Scan's Assets | Retrieves information about asset(s) that are associated with a particular scan from the Tenable.io server, based on the scan ID you have specified. | get_endpoints Investigation |
| List Asset's Vulnerabilities | Retrieves information about vulnerabilities that are associated with a particular asset from the Tenable.io server, based on the asset UUID you have specified. | get_vulnerabilities Investigation |
| Get Vulnerability Information | Retrieves information about vulnerabilities that are associated with a particular plugin from the Tenable.io server, based on the plugin ID you have specified. | vuln_details Investigation |
| Get Plugin Information | Retrieves information about a specific plugin from the Tenable.io server, based on the plugin ID you have specified. | plugin_details Investigation |
| Export Vulnerabilities | Exports all vulnerabilities from the Tenable.io server based on the filter criteria such as chunk size, severity, etc. you have specified. | export_vulns Investigation |
| Export Assets | Export all assets from the Tenable.io server based on the filter criteria such as chunk size and last assessed time you have specified. | export_assets Investigation |
| Parameter | Description |
|---|---|
| Completion Time | Time duration for which you want to retrieve a list along with details of all the completed scans from Tenable.io. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server. You can choose from the following options: Last 24 Hours, Last 3 Days, Last 5 Days, Last 7 Days, Last 15 Days, Last 25 Days, Last 30 Days, Last 50 Days, Last 60 Days, Last 90 Days, Last 120 Days, and Last 180 Days. |
The JSON output contains a list along with the details of all the completed scans retrieved from Tenable.io, based on the time duration you have specified.
The output contains the following populated JSON schema:
{
"starttime": "",
"uuid": "",
"enabled": "",
"legacy": "",
"read": "",
"owner": "",
"control": "",
"schedule_uuid": "",
"permissions": "",
"id": "",
"status": "",
"user_permissions": "",
"name": "",
"rrules": "",
"type": "",
"creation_date": "",
"last_modification_date": "",
"timezone": "",
"shared": ""
}
| Parameter | Description |
|---|---|
| Scan ID | ID of scan that you want to trigger on Tenable.io. |
| Targets | (Optional) Targets to be scanned instead of the default targets. Value for this field can be an array where each index is a target or an array with a single index of comma-separated targets. For example, ['111.122.22.1', 'example.com'] |
The JSON output contains the status of the trigger scan operation. The JSON output returns a Success message if the scan is triggered successfully or an Error message containing the reason for failure. The JSON output also contains the UUID of the triggered scan.
The output contains the following populated JSON schema:
{
"scan_uuid": ""
}
| Parameter | Description |
|---|---|
| Scan ID | ID of scan whose associated asset(s) information you want to retrieve from Tenable.io. |
The JSON output contains information about the asset(s) associated with a specific scan retrieved from Tenable.io, based on the scan ID you have specified.
The output contains the following populated JSON schema:
{
"uuid": "",
"mac": [],
"ip": [],
"time_start": "",
"fqdn": [],
"os": [],
"time_end": ""
}
| Parameter | Description |
|---|---|
| Asset UUID | UUID of the asset whose associated vulnerabilities information you want to retrieve from Tenable.io. |
The JSON output contains information about the vulnerabilities associated with a specific asset retrieved from Tenable.io, based on the asset UUID you have specified.
The output contains the following populated JSON schema:
{
"plugin_id": "",
"plugin_family": "",
"counts_by_severity": [
{
"value": "",
"count": ""
}
],
"count": "",
"severity": "",
"vulnerability_state": "",
"plugin_name": "",
"accepted_count": "",
"recasted_count": ""
}
| Parameter | Description |
|---|---|
| Plugin ID | ID of the plugin whose associated vulnerabilities details you want to retrieve from Tenable.io. |
The JSON output contains information about the vulnerabilities associated with a specific plugin retrieved from Tenable.io, based on the plugin ID you have specified.
The output contains the following populated JSON schema:
{
"see_also": [],
"count": "",
"reference_information": [],
"severity": "",
"synopsis": "",
"discovery": {
"seen_last": "",
"seen_first": ""
},
"risk_information": {
"cvss_vector": "",
"cvss3_temporal_score": "",
"stig_severity": "",
"cvss3_base_score": "",
"cvss3_temporal_vector": "",
"risk_factor": "",
"cvss_temporal_vector": "",
"cvss_base_score": "",
"cvss_temporal_score": "",
"cvss3_vector": ""
},
"plugin_details": {
"modification_date": "",
"name": "",
"type": "",
"publication_date": "",
"family": "",
"severity": "",
"version": ""
},
"description": ""
}
| Parameter | Description |
|---|---|
| Plugin ID | ID of the plugin whose details you want to retrieve from Tenable.io. |
The JSON output contains information about the specific plugin retrieved from Tenable.io, based on the plugin ID you have specified.
The output contains the following populated JSON schema:
{
"id": "",
"family_name": "",
"name": "",
"attributes": [
{
"attribute_name": "",
"attribute_value": ""
}
]
}
| Parameter | Description |
|---|---|
| Chunk Size | Maximum number of vulnerabilities that you want to export, per chunk, from Tenable.io. |
| CIDR Range | (Optional) CIDR range that will restrict the search of vulnerabilities from Tenable.io. The search will be restricted to assets that assigned to IP addresses specified within the specified CIDR range |
| Severity | (Optional) Severity of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Info, Low, Medium, High, or Critical. By default, all severity levels are selected. |
| From | (Optional) Start date of the range of data (vulnerabilities) you want to export from Tenable.io. |
| State | (Optional) State of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Open, Reopened, or Fixed. |
The output contains the following populated JSON schema:
{
"severity": "",
"first_found": "",
"output": "",
"port": {
"protocol": "",
"port": ""
},
"last_found": "",
"severity_id": "",
"plugin": {
"version": "",
"risk_factor": "",
"publication_date": "",
"solution": "",
"family_id": "",
"id": "",
"modification_date": "",
"name": "",
"synopsis": "",
"type": "",
"has_patch": "",
"description": "",
"family": ""
},
"scan": {
"uuid": "",
"schedule_uuid": "",
"started_at": "",
"completed_at": ""
},
"asset": {
"uuid": "",
"last_authenticated_results": "",
"operating_system": [],
"agent_uuid": "",
"netbios_name": "",
"network_id": "",
"fqdn": "",
"mac_address": "",
"ipv4": "",
"hostname": "",
"tracked": "",
"device_type": "",
"bios_uuid": ""
},
"severity_default_id": "",
"state": "",
"severity_modification_type": ""
}
| Parameter | Description |
|---|---|
| Chunk Size | Maximum number of assets that you want to export, per chunk, from Tenable.io. |
| Last Assessed Time | (Optional) Last assessed DateTime of the assets from when you want to export assets from Tenable.io. |
The output contains the following populated JSON schema:
{
"azure_resource_id": "",
"aws_ec2_instance_id": "",
"agent_uuid": "",
"first_scan_time": "",
"aws_ec2_instance_type": "",
"azure_vm_id": "",
"aws_ec2_instance_ami_id": "",
"netbios_names": [],
"last_authenticated_scan_date": "",
"aws_region": "",
"fqdns": [],
"last_licensed_scan_date": "",
"terminated_at": "",
"gcp_zone": "",
"agent_names": [],
"ipv6s": [],
"deleted_by": "",
"id": "",
"aws_ec2_instance_group_name": "",
"aws_availability_zone": "",
"first_seen": "",
"aws_ec2_name": "",
"has_agent": "",
"aws_vpc_id": "",
"terminated_by": "",
"operating_systems": [],
"last_seen": "",
"tags": [],
"qualys_asset_ids": [],
"network_id": "",
"mcafee_epo_agent_guid": "",
"servicenow_sysid": "",
"qualys_host_ids": [],
"deleted_at": "",
"bios_uuid": "",
"system_types": [],
"gcp_instance_id": "",
"network_name": "",
"manufacturer_tpm_ids": [],
"hostnames": [],
"mcafee_epo_guid": "",
"last_scan_time": "",
"mac_addresses": [],
"sources": [
{
"first_seen": "",
"last_seen": "",
"name": ""
}
],
"ipv4s": [],
"aws_ec2_instance_state_name": "",
"gcp_project_id": "",
"network_interfaces": [
{
"aliased": "",
"name": "",
"ipv6s": [],
"mac_addresses": [],
"ipv4s": [],
"virtual": "",
"fqdns": []
}
],
"installed_software": [],
"has_plugin_results": "",
"aws_ec2_product_code": "",
"aws_owner_id": "",
"symantec_ep_hardware_keys": [],
"aws_subnet_id": "",
"ssh_fingerprints": [],
"updated_at": "",
"created_at": ""
}
The Sample - Tenable.io - 1.2.0 playbook collection comes bundled with the Tenable.io connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tenable.io connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
