Tenable.io provide actions like get all scans, trigger scan, scan specific assets, asset specific vulnerabilities, export assets and export vulnerabilities from Tenable.io.
This document provides information about the Tenable.io Connector, which facilitates automated interactions, with a Tenable.io server using FortiSOAR™ playbooks. Add the Tenable.io Connector as a step in FortiSOAR™ playbooks and perform automated operations with Tenable.io.
Connector Version: 1.4.0
Authored By: Fortinet
Certified: No
Following enhancements have been made to the Tenable.io Connector in version 1.4.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-tenable-io
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Tenable.io connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Tenable.io server to connect and perform the automated operations. |
Access Key | Specify the access key configured for your account to access the Tenable.io server. |
Secret Key | Specify the secret key configured for your account to access the Tenable.io server. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
List Scans | Retrieves a list and details of all the completed scans from the Tenable.io server, based on the time duration (such as 24 hours or the last 3 days) you have specified. | search_scans Investigation |
Trigger Scan | Triggers a scan on the Tenable.io server based on the scan ID and optionally targets you have specified. | trigger_scan Investigation |
List Scan's Assets | Retrieves information about assets from the Tenable.io server that are associated with a particular scan, based on the scan ID you have specified. | get_endpoints Investigation |
List Asset's Vulnerabilities | Retrieves information about vulnerabilities from the Tenable.io server that are associated with a particular asset based on the asset UUID you have specified. | get_vulnerabilities Investigation |
Get Vulnerability Information | Retrieves information about vulnerabilities from the Tenable.io server that are associated with a particular plugin based on the plugin ID you have specified. | vuln_details Investigation |
Get Plugin Information | Retrieves information about a specific plugin from the Tenable.io server, based on the plugin ID you have specified. | plugin_details Investigation |
Submit Vulnerability Export Job | Submits vulnerability export job used to export the vulnerabilities, which match the specified request criteria, from Tenable.io. Vulnerabilities are exported from the Tenable.io server based on the chuck size and other input parameters you have specified. | submit_vuln_export_job Investigation |
Get Vulnerability Export Status | Returns the status of a vulnerability export job from Tenable.io based on the export UUID you have specified. | get_vuln_export_status Investigation |
Download Vulnerability Export Chunk | Downloads the exported vulnerabilities, as a JSON file, from Tenable.io based on the export UUID and chunk ID you have specified. | download_vuln_export Investigation |
List Vulnerability Export Jobs | Retrieves a list of vulnerability export jobs. This list includes the 1,000 most recent export jobs regardless of status. However, this list includes completed jobs only if the job was completed in the previous three days. | list_vuln_export_jobs Investigation |
Cancel Vulnerability Export Job | Cancels the specified vulnerability export job in Tenable.io based on the export UUID you have specified. | cancel_vuln_export_job Investigation |
Submit Asset Export Job | Submits asset export job used to export the assets, which match the specified request criteria, from Tenable.io. Assets are exported from the Tenable.io server based on the chuck size and other input parameters you have specified. | submit_asset_export_job Investigation |
Get Asset Export Status | Returns the status of an asset export job from Tenable.io based on the export UUID you have specified. | get_asset_export_status Investigation |
Download Asset Export Chunk | Downloads the exported assets, as a JSON file, from Tenable.io based on the export UUID and chunk ID you have specified. | download_asset_export_chunk Investigation |
List Asset Export Jobs | Retrieves a list of asset export jobs. This list includes the 1,000 most recent export jobs regardless of status. However, this list includes completed jobs only if the job was completed in the previous three days. | list_asset_export_jobs Investigation |
Cancel Asset Export Job | Cancels the specified asset export job in Tenable.io based on the export UUID you have specified. | cancel_asset_export_job Investigation |
Get Host Details | Retrieves the details for the specified host based on the scan UUID and host ID you have specified. | get_host_details Investigation |
Get Scan History | Retrieves a list of objects, each of which represent an individual run of a scan based on the scan ID you have specified. | get_scan_history Investigation |
Parameter | Description |
---|---|
Completion Time | Select the time duration for which you want to retrieve a list and details of all the completed scans from Tenable.io. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "legacy": "", "schedule_uuid": "", "enabled": "", "type": "", "read": "", "timezone": "", "control": "", "permissions": "", "id": "", "uuid": "", "user_permissions": "", "creation_date": "", "shared": "", "last_modification_date": "", "starttime": "", "rrules": "", "owner": "", "status": "", "name": "" }
Parameter | Description |
---|---|
Scan ID | Specify the ID of the scan that you want to trigger on Tenable.io. |
Targets | (Optional) Specify the targets to be scanned instead of the default targets. Value for this field can be an array where each index is a target or an array with a single index of comma-separated targets. For example, ['111.122.22.1', 'example.com'] |
The output contains the following populated JSON schema:
{ "scan_uuid": "" }
Parameter | Description |
---|---|
Scan ID | Specify the scan ID whose associated assets' information you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "time_start": "", "uuid": "", "time_end": "", "ip": [], "os": [], "mac": [], "fqdn": [] }
Parameter | Description |
---|---|
Asset UUID | Specify the UUID of the asset whose associated vulnerabilities information you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "plugin_family": "", "accepted_count": "", "severity": "", "vulnerability_state": "", "recasted_count": "", "plugin_id": "", "count": "", "plugin_name": "", "counts_by_severity": [ { "value": "", "count": "" } ] }
Parameter | Description |
---|---|
Plugin ID | Specify the ID of the plugin whose associated vulnerabilities details you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "info": { "count": "", "vuln_count": "", "description": "", "synopsis": "", "solution": "", "discovery": { "seen_first": "", "seen_last": "" }, "severity": "", "plugin_details": { "name": "", "type": "", "family": "", "version": "", "severity": "", "plugin_id": "", "publication_date": "", "modification_date": "" }, "reference_information": [ { "name": "", "url": "", "values": [] } ], "risk_information": { "risk_factor": "", "cvss_vector": "", "cvss_base_score": "", "cvss_temporal_vector": "", "cvss_temporal_score": "", "cvss3_vector": "", "cvss3_base_score": "", "cvss3_temporal_vector": "", "cvss3_temporal_score": "", "stig_severity": "" }, "see_also": [], "vulnerability_information": { "vulnerability_publication_date": "", "exploited_by_malware": "", "patch_publication_date": "", "exploit_available": "", "exploitability_ease": "", "asset_inventory": "", "default_account": "", "exploited_by_nessus": "", "in_the_news": "", "malware": "", "unsupported_by_vendor": "", "cpe": "", "exploit_frameworks": [ { "name": "" }, { "name": "", "exploits": [ { "name": "", "url": "" } ] } ] }, "vpr": { "score": "", "drivers": { "age_of_vuln": { "lower_bound": "", "upper_bound": "" }, "exploit_code_maturity": "", "cvss3_impact_score": "", "cvss_impact_score_predicted": "", "threat_intensity_last28": "", "threat_recency": { "lower_bound": "", "upper_bound": "" }, "threat_sources_last28": [], "product_coverage": "" }, "updated": "" } } }
Parameter | Description |
---|---|
Plugin ID | Specify the ID of the plugin whose details you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "attributes": [ { "attribute_value": "", "attribute_name": "" } ], "family_name": "", "name": "", "id": "" }
Parameter | Description |
---|---|
Chunk Size | Specify the maximum number of vulnerabilities that you want to export, per chunk, from Tenable.io. |
CIDR Range | Specify the CIDR range to restrict the search for vulnerabilities in Tenable.io. If specified, the search gets restricted to assets that are assigned to IP addresses specified within the specified CIDR range. |
Severity | Select one or more severities that are assigned to the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Info, Low, Medium, High, or Critical. By default, all severity levels are selected. |
From | (Optional) Select the start date for the range of data (vulnerabilities) you want to export from Tenable.io. |
State | (Optional) Select one or more states of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Open, Reopened or Fixed. |
The output contains the following populated JSON schema:
{ "export_uuid": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the vulnerability export request whose export status you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "uuid": "", "status": "", "chunks_available": [], "chunks_failed": [], "chunks_cancelled": [], "total_chunks": "", "chunks_available_count": "", "empty_chunks_count": "", "finished_chunks": "", "filters": { "state": [], "tags": {}, "since": "", "first_found": "", "last_found": "", "last_fixed": "", "first_seen": "", "last_seen": "", "indexed_at": "" }, "num_assets_per_chunk": "", "created": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID for the vulnerability export request whose chunk you want to download from Tenable.io. |
Chunk ID | Specify the ID of the chunk of the vulnerability export request that you want to download from Tenable.io. |
The output contains the following populated JSON schema:
{ "asset": { "fqdn": "", "hostname": "", "uuid": "", "ipv4": "", "operating_system": [], "network_id": "", "tracked": "" }, "output": "", "plugin": { "cve": [], "cvss_base_score": "", "cvss_temporal_score": "", "cvss_temporal_vector": { "exploitability": "", "remediation_level": "", "report_confidence": "", "raw": "" }, "cvss_vector": { "access_complexity": "", "access_vector": "", "authentication": "", "confidentiality_impact": "", "integrity_impact": "", "availability_impact": "", "raw": "" }, "description": "", "family": "", "family_id": "", "has_patch": "", "id": "", "name": "", "risk_factor": "", "see_also": [], "solution": "", "synopsis": "", "vpr": { "score": "", "drivers": { "age_of_vuln": { "lower_bound": "", "upper_bound": "" }, "exploit_code_maturity": "", "cvss_impact_score_predicted": "", "cvss3_impact_score": "", "threat_intensity_last28": "", "threat_sources_last28": [], "product_coverage": "" }, "updated": "" } }, "port": { "port": "", "protocol": "" }, "scan": { "completed_at": "", "schedule_uuid": "", "started_at": "", "uuid": "" }, "severity": "", "severity_id": "", "severity_default_id": "", "severity_modification_type": "", "first_found": "", "last_found": "", "indexed_at": "", "state": "" }
None.
The output contains the following populated JSON schema:
{ "exports": [ { "uuid": "", "status": "", "total_chunks": "", "chunks_available_count": "", "empty_chunks_count": "", "finished_chunks": "", "filters": { "state": [], "tags": { "tag.": [] }, "since": "", "first_found": "", "last_found": "", "last_fixed": "", "first_seen": "", "last_seen": "", "indexed_at": "" }, "num_assets_per_chunk": "", "created": "" } ] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the vulnerability export job that you want to cancel in Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "" }
Parameter | Description |
---|---|
Chunk Size | Specify the maximum number of assets that you want to export, per chunk, from Tenable.io. |
Last Assessed Time | Select the last assessed DateTime of the assets from when you want to export assets from Tenable.io. |
The output contains the following populated JSON schema:
{ "export_uuid": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the asset export request whose export status you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "", "chunks_available": [] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID for the asset export request whose chunk you want to download from Tenable.io. |
Chunk ID | Specify the ID of the chunk of the asset export request that you want to download from Tenable.io. |
The output contains the following populated JSON schema:
{ "id": "", "has_agent": "", "has_plugin_results": "", "created_at": "", "terminated_at": "", "terminated_by": "", "updated_at": "", "deleted_at": "", "deleted_by": "", "first_seen": "", "last_seen": "", "first_scan_time": "", "last_scan_time": "", "last_authenticated_scan_date": "", "last_licensed_scan_date": "", "last_scan_id": "", "last_schedule_id": "", "azure_vm_id": "", "azure_resource_id": "", "gcp_project_id": "", "gcp_zone": "", "gcp_instance_id": "", "aws_ec2_instance_ami_id": "", "aws_ec2_instance_id": "", "agent_uuid": "", "bios_uuid": "", "aws_owner_id": "", "aws_availability_zone": "", "aws_region": "", "aws_vpc_id": "", "aws_ec2_instance_group_name": "", "aws_ec2_instance_state_name": "", "aws_ec2_instance_type": "", "aws_subnet_id": "", "aws_ec2_product_code": "", "aws_ec2_name": "", "mcafee_epo_guid": "", "mcafee_epo_agent_guid": "", "servicenow_sysid": "", "bigfix_asset_id": "", "agent_names": [], "installed_software": [], "ipv4s": [], "ipv6s": [], "fqdns": [], "mac_addresses": [], "netbios_names": [], "operating_systems": [], "system_types": [], "hostnames": [], "ssh_fingerprints": [], "qualys_asset_ids": [], "qualys_host_ids": [], "manufacturer_tpm_ids": [], "symantec_ep_hardware_keys": [], "sources": [ { "name": "", "first_seen": "", "last_seen": "" } ], "tags": [ { "uuid": "", "key": "", "value": "", "added_by": "", "added_at": "" } ], "network_interfaces": [ { "name": "", "mac_address": [], "ipv4": [], "ipv6": [], "fqdn": [] } ], "acr_score": "", "exposure_score": "" }
None.
The output contains the following populated JSON schema:
{ "exports": [ { "uuid": "", "status": "", "total_chunks": "", "filters": "", "finished_chunks": "", "num_assets_per_chunk": "", "created": "" } ] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the asset export job that you want to cancel in Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "" }
Parameter | Description |
---|---|
Scan UUID | Specify the identifier for the scan. This identifier can be the either the schedule_uuid or the numeric id attribute for the scan. |
Host ID | Specify the ID of the host to retrieve. |
History ID | Specify the unique identifier of the historical data that you want Tenable.io to return. This identifier corresponds to the history.id attribute of the response message from the GET /scans//history endpoint. |
History UUID | Specify the UUID of the historical data that you want Tenable.io to return. This identifier corresponds to the history.scan_uuid attribute of the response message from the GET /scans//history endpoint. |
The output contains the following populated JSON schema:
{ "info": { "mac-address": "", "host-fqdn": "", "host-ip": "", "operating-system": [], "host_end": "", "host_start": "" }, "vulnerabilities": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "", "vuln_index": "" } ], "compliance": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "" } ] }
Parameter | Description |
---|---|
Scan ID | Specify the unique identifier for the scan. This identifier can be either the scans.schedule_uuid or the scans.id attribute in the response message from the GET /scans endpoint. |
Limit | Specify the number of records to retrieve. If this parameter is omitted, Tenable.io uses the default value of 50. |
Offset | Specify the starting record to retrieve. If this parameter is omitted, Tenable.io uses the default value of 0. |
Exclude Rollover | Specify whether or not to exclude rollover scans from the scan history. |
The output contains the following populated JSON schema:
{ "pagination": { "offset": "", "total": "", "sort": [ { "order": "", "name": "" } ], "limit": "" }, "history": [ { "time_end": "", "scan_uuid": "", "id": "", "is_archived": "", "time_start": "", "visibility": "", "targets": { "custom": "", "default": "" }, "status": "" } ] }
Parameter | Description |
---|---|
Scan UUID | Specify the identifier for the scan. This identifier can either be the schedule_uuid or the numeric.id attribute of the scan. |
Host ID | Specify the ID of the host to retrieve. |
History ID | Specify the unique identifier of the historical data that you want Tenable.io to return. This identifier corresponds to the history.id attribute of the response message from the GET /scans//history endpoint. |
History UUID | Specify the UUID of the historical data that you want Tenable.io to return. This identifier corresponds to the history.scan_uuid attribute of the response message from the GET /scans//history endpoint . |
The output contains the following populated JSON schema:
{ "info": { "mac-address": "", "host-fqdn": "", "host-ip": "", "operating-system": [], "host_end": "", "host_start": "" }, "vulnerabilities": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "", "vuln_index": "" } ], "compliance": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "" } ] }
Parameter | Description |
---|---|
Scan ID | Specify the unique identifier for the scan. This identifier can be either the scans.schedule_uuid or the scans.id attribute in the response message from the GET /scans endpoint. |
Limit | Specify the number of records to retrieve. If this parameter is omitted, Tenable.io uses the default value of 50 . |
Offset | Specify the starting record to retrieve. If this parameter is omitted, Tenable.io uses the default value of 0 . |
Exclude Rollover | Specify whether to exclude rollover scans from the scan history. |
The output contains the following populated JSON schema:
{ "pagination": { "offset": "", "total": "", "sort": [ { "order": "", "name": "" } ], "limit": "" }, "history": [ { "time_end": "", "scan_uuid": "", "id": "", "is_archived": "", "time_start": "", "visibility": "", "targets": { "custom": "", "default": "" }, "status": "" } ] }
The Sample - Tenable.io - 1.4.0
playbook collection comes bundled with the Tenable.io connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOARTM after importing the Tenable.io connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling scan data from Tenable.io. Currently, scan data ingested from is mapped to Scans in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Tenable.io Scan data to FortiSOAR™Scans.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Tenable.io into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between Tenable.io and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Tenable.io scan data.
Note: For the ingestion playbooks to work you must install and configure the SOAR Framework and Vulnerability Management Solution Packs on your FortiSOAR instance. For more information on solution packs see the respective solution pack document on the Content Hub Portal.
To begin configuring data ingestion, click Configure Data Ingestion on the Tenable.io connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between Tenable.io data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch scan data from Tenable.io.
Users can pull scan data from Tenable.io by selecting the time duration for which they want to retrieve a list and the details of all the completed scans from Tenable.io from the Completion Time drop-down list. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server.
Select the Enable Bulk Ingest checkbox, if you want to create ingested records using the Ingest Bulk Feed step instead of the Create Record step in the ingestion playbooks. The advantage of using Enable Bulk Ingest is a significant reduction in the execution time of the ingestion playbook. Therefore, it is recommended to select the Enable Bulk Ingest checkbox for high-volume data ingestion. It is also recommended to schedule data ingestion to run during non-working hours.
Known Issue: One known disadvantage of using the bulk ingest method is that it completely replaces all the fields of existing records; however, it keeps record correlations intact, i.e., the related records are not changed.
The fetched data is used to create a mapping between the scan data from Tenable.io and FortiSOAR Scans. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested scans Tenable.io to the fields of a scan present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the uuid
parameter of an ingested scan from Tenable.io to the Scan Reference ID parameter of a FortiSOAR™ scan, click the Scan Reference ID field and then click the uuid
field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Tenable.io, so that the content gets pulled from the Tenable.io integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron
expression for the schedule. For example, if you want to pull data from Tenable.io every month, click Monthly, and in the minute, hour, and day of month boxes enter 1
, 0
, and 1
respectively. This means that the scan data will be pulled from Tenable.io on the first day of every month at 12:01 AM:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
Tenable.io provide actions like get all scans, trigger scan, scan specific assets, asset specific vulnerabilities, export assets and export vulnerabilities from Tenable.io.
This document provides information about the Tenable.io Connector, which facilitates automated interactions, with a Tenable.io server using FortiSOAR™ playbooks. Add the Tenable.io Connector as a step in FortiSOAR™ playbooks and perform automated operations with Tenable.io.
Connector Version: 1.4.0
Authored By: Fortinet
Certified: No
Following enhancements have been made to the Tenable.io Connector in version 1.4.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command as a root user to install the connector:
yum install cyops-connector-tenable-io
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Tenable.io connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Specify the URL of the Tenable.io server to connect and perform the automated operations. |
Access Key | Specify the access key configured for your account to access the Tenable.io server. |
Secret Key | Specify the secret key configured for your account to access the Tenable.io server. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
List Scans | Retrieves a list and details of all the completed scans from the Tenable.io server, based on the time duration (such as 24 hours or the last 3 days) you have specified. | search_scans Investigation |
Trigger Scan | Triggers a scan on the Tenable.io server based on the scan ID and optionally targets you have specified. | trigger_scan Investigation |
List Scan's Assets | Retrieves information about assets from the Tenable.io server that are associated with a particular scan, based on the scan ID you have specified. | get_endpoints Investigation |
List Asset's Vulnerabilities | Retrieves information about vulnerabilities from the Tenable.io server that are associated with a particular asset based on the asset UUID you have specified. | get_vulnerabilities Investigation |
Get Vulnerability Information | Retrieves information about vulnerabilities from the Tenable.io server that are associated with a particular plugin based on the plugin ID you have specified. | vuln_details Investigation |
Get Plugin Information | Retrieves information about a specific plugin from the Tenable.io server, based on the plugin ID you have specified. | plugin_details Investigation |
Submit Vulnerability Export Job | Submits vulnerability export job used to export the vulnerabilities, which match the specified request criteria, from Tenable.io. Vulnerabilities are exported from the Tenable.io server based on the chuck size and other input parameters you have specified. | submit_vuln_export_job Investigation |
Get Vulnerability Export Status | Returns the status of a vulnerability export job from Tenable.io based on the export UUID you have specified. | get_vuln_export_status Investigation |
Download Vulnerability Export Chunk | Downloads the exported vulnerabilities, as a JSON file, from Tenable.io based on the export UUID and chunk ID you have specified. | download_vuln_export Investigation |
List Vulnerability Export Jobs | Retrieves a list of vulnerability export jobs. This list includes the 1,000 most recent export jobs regardless of status. However, this list includes completed jobs only if the job was completed in the previous three days. | list_vuln_export_jobs Investigation |
Cancel Vulnerability Export Job | Cancels the specified vulnerability export job in Tenable.io based on the export UUID you have specified. | cancel_vuln_export_job Investigation |
Submit Asset Export Job | Submits asset export job used to export the assets, which match the specified request criteria, from Tenable.io. Assets are exported from the Tenable.io server based on the chuck size and other input parameters you have specified. | submit_asset_export_job Investigation |
Get Asset Export Status | Returns the status of an asset export job from Tenable.io based on the export UUID you have specified. | get_asset_export_status Investigation |
Download Asset Export Chunk | Downloads the exported assets, as a JSON file, from Tenable.io based on the export UUID and chunk ID you have specified. | download_asset_export_chunk Investigation |
List Asset Export Jobs | Retrieves a list of asset export jobs. This list includes the 1,000 most recent export jobs regardless of status. However, this list includes completed jobs only if the job was completed in the previous three days. | list_asset_export_jobs Investigation |
Cancel Asset Export Job | Cancels the specified asset export job in Tenable.io based on the export UUID you have specified. | cancel_asset_export_job Investigation |
Get Host Details | Retrieves the details for the specified host based on the scan UUID and host ID you have specified. | get_host_details Investigation |
Get Scan History | Retrieves a list of objects, each of which represent an individual run of a scan based on the scan ID you have specified. | get_scan_history Investigation |
Parameter | Description |
---|---|
Completion Time | Select the time duration for which you want to retrieve a list and details of all the completed scans from Tenable.io. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server. You can choose from the following options:
|
The output contains the following populated JSON schema:
{ "legacy": "", "schedule_uuid": "", "enabled": "", "type": "", "read": "", "timezone": "", "control": "", "permissions": "", "id": "", "uuid": "", "user_permissions": "", "creation_date": "", "shared": "", "last_modification_date": "", "starttime": "", "rrules": "", "owner": "", "status": "", "name": "" }
Parameter | Description |
---|---|
Scan ID | Specify the ID of the scan that you want to trigger on Tenable.io. |
Targets | (Optional) Specify the targets to be scanned instead of the default targets. Value for this field can be an array where each index is a target or an array with a single index of comma-separated targets. For example, ['111.122.22.1', 'example.com'] |
The output contains the following populated JSON schema:
{ "scan_uuid": "" }
Parameter | Description |
---|---|
Scan ID | Specify the scan ID whose associated assets' information you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "time_start": "", "uuid": "", "time_end": "", "ip": [], "os": [], "mac": [], "fqdn": [] }
Parameter | Description |
---|---|
Asset UUID | Specify the UUID of the asset whose associated vulnerabilities information you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "plugin_family": "", "accepted_count": "", "severity": "", "vulnerability_state": "", "recasted_count": "", "plugin_id": "", "count": "", "plugin_name": "", "counts_by_severity": [ { "value": "", "count": "" } ] }
Parameter | Description |
---|---|
Plugin ID | Specify the ID of the plugin whose associated vulnerabilities details you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "info": { "count": "", "vuln_count": "", "description": "", "synopsis": "", "solution": "", "discovery": { "seen_first": "", "seen_last": "" }, "severity": "", "plugin_details": { "name": "", "type": "", "family": "", "version": "", "severity": "", "plugin_id": "", "publication_date": "", "modification_date": "" }, "reference_information": [ { "name": "", "url": "", "values": [] } ], "risk_information": { "risk_factor": "", "cvss_vector": "", "cvss_base_score": "", "cvss_temporal_vector": "", "cvss_temporal_score": "", "cvss3_vector": "", "cvss3_base_score": "", "cvss3_temporal_vector": "", "cvss3_temporal_score": "", "stig_severity": "" }, "see_also": [], "vulnerability_information": { "vulnerability_publication_date": "", "exploited_by_malware": "", "patch_publication_date": "", "exploit_available": "", "exploitability_ease": "", "asset_inventory": "", "default_account": "", "exploited_by_nessus": "", "in_the_news": "", "malware": "", "unsupported_by_vendor": "", "cpe": "", "exploit_frameworks": [ { "name": "" }, { "name": "", "exploits": [ { "name": "", "url": "" } ] } ] }, "vpr": { "score": "", "drivers": { "age_of_vuln": { "lower_bound": "", "upper_bound": "" }, "exploit_code_maturity": "", "cvss3_impact_score": "", "cvss_impact_score_predicted": "", "threat_intensity_last28": "", "threat_recency": { "lower_bound": "", "upper_bound": "" }, "threat_sources_last28": [], "product_coverage": "" }, "updated": "" } } }
Parameter | Description |
---|---|
Plugin ID | Specify the ID of the plugin whose details you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "attributes": [ { "attribute_value": "", "attribute_name": "" } ], "family_name": "", "name": "", "id": "" }
Parameter | Description |
---|---|
Chunk Size | Specify the maximum number of vulnerabilities that you want to export, per chunk, from Tenable.io. |
CIDR Range | Specify the CIDR range to restrict the search for vulnerabilities in Tenable.io. If specified, the search gets restricted to assets that are assigned to IP addresses specified within the specified CIDR range. |
Severity | Select one or more severities that are assigned to the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Info, Low, Medium, High, or Critical. By default, all severity levels are selected. |
From | (Optional) Select the start date for the range of data (vulnerabilities) you want to export from Tenable.io. |
State | (Optional) Select one or more states of the vulnerabilities that you want to export from Tenable.io. You can choose from the following options: Open, Reopened or Fixed. |
The output contains the following populated JSON schema:
{ "export_uuid": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the vulnerability export request whose export status you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "uuid": "", "status": "", "chunks_available": [], "chunks_failed": [], "chunks_cancelled": [], "total_chunks": "", "chunks_available_count": "", "empty_chunks_count": "", "finished_chunks": "", "filters": { "state": [], "tags": {}, "since": "", "first_found": "", "last_found": "", "last_fixed": "", "first_seen": "", "last_seen": "", "indexed_at": "" }, "num_assets_per_chunk": "", "created": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID for the vulnerability export request whose chunk you want to download from Tenable.io. |
Chunk ID | Specify the ID of the chunk of the vulnerability export request that you want to download from Tenable.io. |
The output contains the following populated JSON schema:
{ "asset": { "fqdn": "", "hostname": "", "uuid": "", "ipv4": "", "operating_system": [], "network_id": "", "tracked": "" }, "output": "", "plugin": { "cve": [], "cvss_base_score": "", "cvss_temporal_score": "", "cvss_temporal_vector": { "exploitability": "", "remediation_level": "", "report_confidence": "", "raw": "" }, "cvss_vector": { "access_complexity": "", "access_vector": "", "authentication": "", "confidentiality_impact": "", "integrity_impact": "", "availability_impact": "", "raw": "" }, "description": "", "family": "", "family_id": "", "has_patch": "", "id": "", "name": "", "risk_factor": "", "see_also": [], "solution": "", "synopsis": "", "vpr": { "score": "", "drivers": { "age_of_vuln": { "lower_bound": "", "upper_bound": "" }, "exploit_code_maturity": "", "cvss_impact_score_predicted": "", "cvss3_impact_score": "", "threat_intensity_last28": "", "threat_sources_last28": [], "product_coverage": "" }, "updated": "" } }, "port": { "port": "", "protocol": "" }, "scan": { "completed_at": "", "schedule_uuid": "", "started_at": "", "uuid": "" }, "severity": "", "severity_id": "", "severity_default_id": "", "severity_modification_type": "", "first_found": "", "last_found": "", "indexed_at": "", "state": "" }
None.
The output contains the following populated JSON schema:
{ "exports": [ { "uuid": "", "status": "", "total_chunks": "", "chunks_available_count": "", "empty_chunks_count": "", "finished_chunks": "", "filters": { "state": [], "tags": { "tag.": [] }, "since": "", "first_found": "", "last_found": "", "last_fixed": "", "first_seen": "", "last_seen": "", "indexed_at": "" }, "num_assets_per_chunk": "", "created": "" } ] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the vulnerability export job that you want to cancel in Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "" }
Parameter | Description |
---|---|
Chunk Size | Specify the maximum number of assets that you want to export, per chunk, from Tenable.io. |
Last Assessed Time | Select the last assessed DateTime of the assets from when you want to export assets from Tenable.io. |
The output contains the following populated JSON schema:
{ "export_uuid": "" }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the asset export request whose export status you want to retrieve from Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "", "chunks_available": [] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID for the asset export request whose chunk you want to download from Tenable.io. |
Chunk ID | Specify the ID of the chunk of the asset export request that you want to download from Tenable.io. |
The output contains the following populated JSON schema:
{ "id": "", "has_agent": "", "has_plugin_results": "", "created_at": "", "terminated_at": "", "terminated_by": "", "updated_at": "", "deleted_at": "", "deleted_by": "", "first_seen": "", "last_seen": "", "first_scan_time": "", "last_scan_time": "", "last_authenticated_scan_date": "", "last_licensed_scan_date": "", "last_scan_id": "", "last_schedule_id": "", "azure_vm_id": "", "azure_resource_id": "", "gcp_project_id": "", "gcp_zone": "", "gcp_instance_id": "", "aws_ec2_instance_ami_id": "", "aws_ec2_instance_id": "", "agent_uuid": "", "bios_uuid": "", "aws_owner_id": "", "aws_availability_zone": "", "aws_region": "", "aws_vpc_id": "", "aws_ec2_instance_group_name": "", "aws_ec2_instance_state_name": "", "aws_ec2_instance_type": "", "aws_subnet_id": "", "aws_ec2_product_code": "", "aws_ec2_name": "", "mcafee_epo_guid": "", "mcafee_epo_agent_guid": "", "servicenow_sysid": "", "bigfix_asset_id": "", "agent_names": [], "installed_software": [], "ipv4s": [], "ipv6s": [], "fqdns": [], "mac_addresses": [], "netbios_names": [], "operating_systems": [], "system_types": [], "hostnames": [], "ssh_fingerprints": [], "qualys_asset_ids": [], "qualys_host_ids": [], "manufacturer_tpm_ids": [], "symantec_ep_hardware_keys": [], "sources": [ { "name": "", "first_seen": "", "last_seen": "" } ], "tags": [ { "uuid": "", "key": "", "value": "", "added_by": "", "added_at": "" } ], "network_interfaces": [ { "name": "", "mac_address": [], "ipv4": [], "ipv6": [], "fqdn": [] } ], "acr_score": "", "exposure_score": "" }
None.
The output contains the following populated JSON schema:
{ "exports": [ { "uuid": "", "status": "", "total_chunks": "", "filters": "", "finished_chunks": "", "num_assets_per_chunk": "", "created": "" } ] }
Parameter | Description |
---|---|
Export UUID | Specify the UUID of the asset export job that you want to cancel in Tenable.io. |
The output contains the following populated JSON schema:
{ "status": "" }
Parameter | Description |
---|---|
Scan UUID | Specify the identifier for the scan. This identifier can be the either the schedule_uuid or the numeric id attribute for the scan. |
Host ID | Specify the ID of the host to retrieve. |
History ID | Specify the unique identifier of the historical data that you want Tenable.io to return. This identifier corresponds to the history.id attribute of the response message from the GET /scans//history endpoint. |
History UUID | Specify the UUID of the historical data that you want Tenable.io to return. This identifier corresponds to the history.scan_uuid attribute of the response message from the GET /scans//history endpoint. |
The output contains the following populated JSON schema:
{ "info": { "mac-address": "", "host-fqdn": "", "host-ip": "", "operating-system": [], "host_end": "", "host_start": "" }, "vulnerabilities": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "", "vuln_index": "" } ], "compliance": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "" } ] }
Parameter | Description |
---|---|
Scan ID | Specify the unique identifier for the scan. This identifier can be either the scans.schedule_uuid or the scans.id attribute in the response message from the GET /scans endpoint. |
Limit | Specify the number of records to retrieve. If this parameter is omitted, Tenable.io uses the default value of 50. |
Offset | Specify the starting record to retrieve. If this parameter is omitted, Tenable.io uses the default value of 0. |
Exclude Rollover | Specify whether or not to exclude rollover scans from the scan history. |
The output contains the following populated JSON schema:
{ "pagination": { "offset": "", "total": "", "sort": [ { "order": "", "name": "" } ], "limit": "" }, "history": [ { "time_end": "", "scan_uuid": "", "id": "", "is_archived": "", "time_start": "", "visibility": "", "targets": { "custom": "", "default": "" }, "status": "" } ] }
Parameter | Description |
---|---|
Scan UUID | Specify the identifier for the scan. This identifier can either be the schedule_uuid or the numeric.id attribute of the scan. |
Host ID | Specify the ID of the host to retrieve. |
History ID | Specify the unique identifier of the historical data that you want Tenable.io to return. This identifier corresponds to the history.id attribute of the response message from the GET /scans//history endpoint. |
History UUID | Specify the UUID of the historical data that you want Tenable.io to return. This identifier corresponds to the history.scan_uuid attribute of the response message from the GET /scans//history endpoint . |
The output contains the following populated JSON schema:
{ "info": { "mac-address": "", "host-fqdn": "", "host-ip": "", "operating-system": [], "host_end": "", "host_start": "" }, "vulnerabilities": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "", "vuln_index": "" } ], "compliance": [ { "count": "", "host_id": "", "hostname": "", "plugin_family": "", "plugin_id": "", "plugin_name": "", "severity": "", "severity_index": "" } ] }
Parameter | Description |
---|---|
Scan ID | Specify the unique identifier for the scan. This identifier can be either the scans.schedule_uuid or the scans.id attribute in the response message from the GET /scans endpoint. |
Limit | Specify the number of records to retrieve. If this parameter is omitted, Tenable.io uses the default value of 50 . |
Offset | Specify the starting record to retrieve. If this parameter is omitted, Tenable.io uses the default value of 0 . |
Exclude Rollover | Specify whether to exclude rollover scans from the scan history. |
The output contains the following populated JSON schema:
{ "pagination": { "offset": "", "total": "", "sort": [ { "order": "", "name": "" } ], "limit": "" }, "history": [ { "time_end": "", "scan_uuid": "", "id": "", "is_archived": "", "time_start": "", "visibility": "", "targets": { "custom": "", "default": "" }, "status": "" } ] }
The Sample - Tenable.io - 1.4.0
playbook collection comes bundled with the Tenable.io connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOARTM after importing the Tenable.io connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling scan data from Tenable.io. Currently, scan data ingested from is mapped to Scans in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Tenable.io Scan data to FortiSOAR™Scans.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Tenable.io into FortiSOAR™. It also lets you pull some sample data from FortiSIEM using which you can define the mapping of data between Tenable.io and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Tenable.io scan data.
Note: For the ingestion playbooks to work you must install and configure the SOAR Framework and Vulnerability Management Solution Packs on your FortiSOAR instance. For more information on solution packs see the respective solution pack document on the Content Hub Portal.
To begin configuring data ingestion, click Configure Data Ingestion on the Tenable.io connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between Tenable.io data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch scan data from Tenable.io.
Users can pull scan data from Tenable.io by selecting the time duration for which they want to retrieve a list and the details of all the completed scans from Tenable.io from the Completion Time drop-down list. For example, if you choose Last 24 Hours, then the details of all the scans that were completed in the last 24 hours will be retrieved from the Tenable.io server.
Select the Enable Bulk Ingest checkbox, if you want to create ingested records using the Ingest Bulk Feed step instead of the Create Record step in the ingestion playbooks. The advantage of using Enable Bulk Ingest is a significant reduction in the execution time of the ingestion playbook. Therefore, it is recommended to select the Enable Bulk Ingest checkbox for high-volume data ingestion. It is also recommended to schedule data ingestion to run during non-working hours.
Known Issue: One known disadvantage of using the bulk ingest method is that it completely replaces all the fields of existing records; however, it keeps record correlations intact, i.e., the related records are not changed.
The fetched data is used to create a mapping between the scan data from Tenable.io and FortiSOAR Scans. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested scans Tenable.io to the fields of a scan present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the uuid
parameter of an ingested scan from Tenable.io to the Scan Reference ID parameter of a FortiSOAR™ scan, click the Scan Reference ID field and then click the uuid
field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Tenable.io, so that the content gets pulled from the Tenable.io integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron
expression for the schedule. For example, if you want to pull data from Tenable.io every month, click Monthly, and in the minute, hour, and day of month boxes enter 1
, 0
, and 1
respectively. This means that the scan data will be pulled from Tenable.io on the first day of every month at 12:01 AM:
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.