Skip to main content

Tenable Vulnerability Management (formerly Tenable.io)

This Integration is part of the Tenable Vulnerability Management (formerly Tenable.io) Pack.#

A comprehensive asset-centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers, and web applications. This integration was integrated and tested with January 2023 release of Tenable.io.

Configure Tenable Vulnerability Management on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Tenable Vulnerability Management. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    URLTenable URL.True
    Access KeyTenable API access key.True
    Secret KeyTenable API secret key.True
    Events Fetch IntervalFetch interval in minutes for events.False
    Assets Fetch IntervalFetch interval in minutes for assets and vulnerabilities.False
    SeverityThe severity of the vulnerabilities to include in the export.False
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
    Max FetchThe maximum number of audit logs to retrieve for each event type. For more information about event types see the help section.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  3. Click Test to validate the URLs, token, and connection.

Permissions#

Command NameRequired Permissions
tenable-io-list-scansBASIC [16] user permissions and CAN VIEW [16] scan permissions.
tenable-io-launch-scanSCAN OPERATOR [24] user permissions.
tenable-io-get-scan-reportBASIC [16] user permissions.
tenable-io-get-vulnerability-detailsBASIC [16] user permissions.
tenable-io-get-vulnerabilities-by-assetBASIC [16] user permissions.
tenable-io-get-scan-statusBASIC [16] user permissions and CAN VIEW [16] scan permissions.
tenable-io-resume-scanSCAN OPERATOR [24] user permissions and CAN EXECUTE [32] scan permissions.
tenable-io-pause-scanSCAN OPERATOR [24] user permissions and CAN EXECUTE [32] scan permissions.
tenable-io-get-asset-detailsBASIC [16] user permissions.
tenable-io-export-assetsADMINISTRATOR [64] user permissions.
tenable-io-export-vulnerabilitiesADMINISTRATOR [64] user permissions.
tenable-io-list-scan-filtersBASIC [16] user permissions
tenable-io-get-scan-historySCAN OPERATOR [24] user permissions and CAN VIEW [16] scan permissions
tenable-io-export-scanSCAN OPERATOR [24] user permissions and CAN VIEW [16] scan permissions

Concurrency Limits#

LimitationsCommands name
Three concurrent requests per Tenable.io customer instance.
Note: This limit is subject to change.
tenable-io-list-scans
tenable-io-launch-scan
tenable-io-get-scan-report
tenable-io-get-vulnerability-details
tenable-io-get-vulnerabilities-by-asset
tenable-io-get-scan-status
tenable-io-resume-scan
tenable-io-pause-scan
tenable-io-get-asset-details
Two concurrent asset exports per container. Tenable.io also prevents duplicate exports from running concurrently.
For example, export requests with the same filters.
tenable-io-export-assets
tenable-io-export-vulnerabilities

Notes:#

  • Fetch assets and vulnerabilities (Beta) command fetches assets and vulnerabilities from the last 90 days only.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

tenable-io-list-scans#


Retrieves scans from the Tenable platform.

Base Command#

tenable-io-list-scans

Input#

Argument NameDescriptionRequired
folderIdThe ID of the folder whose scans should be listed. Scans are stored
in specific folders on Tenable, e.g.: folderId=8.
Optional
lastModificationDateLimit the results to those that have only changed since this time. Date format will be YYYY-MM-DD format or relational expressions like “7 days ago”.Optional

Context Output#

PathTypeDescription
TenableIO.Scan.IdnumberThe unique ID of the scan.
TenableIO.Scan.NamestringThe name of the scan.
TenableIO.Scan.TargetstringThe targets to scan.
TenableIO.Scan.StatusstringThe status of the scan (completed, aborted, imported, pending, running, resuming, canceling, cancelled, pausing, paused, stopping, stopped).
TenableIO.Scan.StartTimedateThe scheduled start time for the scan.
TenableIO.Scan.EndTimedateThe scheduled end time for the scan.
TenableIO.Scan.EnabledbooleanIf true, the schedule for the scan is enabled.
TenableIO.Scan.TypestringThe type of scan (local, remote, or agent).
TenableIO.Scan.OwnerstringThe owner of the scan.
TenableIO.Scan.ScannerstringThe scanner assigned for the scan.
TenableIO.Scan.PolicystringThe policy assigned for the scan.
TenableIO.Scan.CreationDatedateThe creation date for the scan in Unix time.
TenableIO.Scan.LastModificationDatedateThe last modification date for the scan in Unix time.
TenableIO.Scan.FolderIdnumberThe unique ID of the folder where the scan has been stored.

Command example#

!tenable-io-list-scans

Context Example#

{
"TenableIO": {
"Scan": [
{
"CreationDate": "2024-11-07T11:11:05Z",
"Enabled": false,
"EndTime": "2024-11-07T11:11:05Z",
"FolderId": 5,
"Id": 10,
"LastModificationDate": "2024-05-07T11:11:05Z",
"Name": "some_name",
"Owner": "some_owner",
"Policy": "Host Discovery",
"StartTime": "2024-11-07T11:11:05Z",
"Status": "aborted",
"Targets": "1.1.1.1, 0.0.0.0",
"Type": "remote"
},
]
}
}

Human Readable Output#

Tenable.io - List of Scans#

FolderIdIdNameTargetsStatusStartTimeEndTimeEnabledTypeOwnerScannerPolicyCreationDateLastModificationDate
510some_name1.1.1.1, 0.0.0.0abortedThu Nov 07 11:11:05 2024Thu Nov 07 11:11:05 2024falseremotesome_ownerHost DiscoveryThu Nov 07 11:11:05 2024Thu Nov 07 11:11:05 2024

tenable-io-launch-scan#


Launches a scan with existing or custom targets. You can specify custom targets in the command arguments.

Base Command#

tenable-io-launch-scan

Input#

Argument NameDescriptionRequired
scanIdThe ID of the scan to launch.Required
scanTargetsIf specified, targets to be scanned instead of the default. This value can be an array where each index is a target, or an array with a single index of comma-separated targets.Optional

Context Output#

PathTypeDescription
TenableIO.Scan.IdnumberThe unique ID of the scan.
TenableIO.Scan.TargetsstringThe targets to scan.
TenableIO.Scan.StatusstringThe status of the scan (completed, aborted, imported, pending, running, resuming, canceling, cancelled, pausing, paused, stopping, stopped).

Command example#

!tenable-io-launch-scan scanId="10"

Context Example#

{
"TenableIO": {
"Scan": {
"Id": "10",
"Status": "pending",
"Targets": "target_1,target_2,target_3"
}
}
}

The requested scan was launched successfully#

IdTargetsStatus
10target_1,target_2,target_3pending

tenable-io-get-scan-report#


Retrieves a scan report for the specified scan.

Base Command#

tenable-io-get-scan-report

Input#

Argument NameDescriptionRequired
scanIdThe ID of the scan to retrieve.Required
detailedIf true, the report will contain remediation and host information for the specified scan. Otherwise, the report will only contain vulnerabilities. Possible values: "yes" and "no". Possible values are: yes, no. Default is no.Optional
infoWhether to return the basic details of the specified scan. Possible values: "yes" and "no". Possible values are: yes, no. Default is no.Optional

Context Output#

PathTypeDescription
TenableIO.Scan.IdnumberThe unique ID of the scan.
TenableIO.Scan.NamestringThe name of the scan.
TenableIO.Scan.TargetsstringThe targets to scan.
TenableIO.Scan.StatusstringThe status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped").
TenableIO.Scan.StartTimestringThe scheduled start time for the scan.
TenableIO.Scan.EndTimestringThe scheduled end time for the scan.
TenableIO.Scan.ScannerstringThe scanner assigned for the scan.
TenableIO.Scan.PolicystringThe policy assigned to the scan.
TenableIO.Vulnerabilities.IdstringThe unique ID of the vulnerability.
TenableIO.Vulnerabilities.NamestringThe name of the vulnerability.
TenableIO.Vulnerabilities.SeveritynumberThe severity level of the vulnerability.
TenableIO.Vulnerabilities.DescriptionstringThe description of the vulnerability.
TenableIO.Vulnerabilities.SynopsisstringA brief summary of the vulnerability.
TenableIO.Vulnerabilities.SolutionstringInformation on how to fix the vulnerability.
TenableIO.Vulnerabilities.FirstSeendateWhen the vulnerability was first seen.
TenableIO.Vulnerabilities.LastSeendateWhen the vulnerability was last seen.
TenableIO.Vulnerabilities.VulnerabilityOccurencesnumberA count of the vulnerability occurrences.
TenableIO.Assets.HostnamestringThe name of the host.
TenableIO.Assets.ScorenumberThe overall score for the host.
TenableIO.Assets.CriticalnumberThe percentage of critical findings on the host.
TenableIO.Assets.HighnumberThe number of high findings on the host.
TenableIO.Assets.MediumnumberThe number of medium findings on the host.
TenableIO.Assets.LownumberThe number of low findings on the host.
TenableIO.Remediations.IdstringThe unique ID of the remediation.
TenableIO.Remediations.DescriptionstringSpecific information related to the vulnerability and steps to remediate.
TenableIO.Remediations.AffectedHostsnumberThe number of hosts affected.
TenableIO.Remediations.AssociatedVulnerabilitiesnumberThe number of vulnerabilities associated with the remedy.

Command example#

!tenable-io-get-scan-report scanId="10"

Context Example#

{
"TenableIO": {
"Vulnerabilities": [
{
"Description": "description",
"FirstSeen": "2024-11-07T11:11:05Z",
"Id": 00000,
"LastSeen": "2024-11-07T11:11:05Z",
"Name": "some_name",
"Severity": "None",
"Solution": "Solution",
"Synopsis": "Synopsis",
"VulnerabilityOccurences": 26
},
{
"Description": "description",
"FirstSeen": "2024-11-07T11:11:05Z",
"Id": 11111,
"LastSeen": "2024-11-07T11:11:05Z",
"Name": "some_name",
"Severity": "None",
"Synopsis": "Synopsis",
"VulnerabilityOccurences": 12
},
]
}
}

Human Readable Output#

Vulnerabilities#

IdNameSeverityDescriptionSynopsisSolutionFirstSeenLastSeenVulnerabilityOccurences
00000some_nameNonedescriptionSynopsisSolution2024-11-07T11:11:05Z2024-11-07T11:11:05Z26
11111some_nameNonedescriptionSynopsis2024-11-07T11:11:05Z2024-11-07T11:11:05Z12

tenable-io-get-vulnerability-details#


Retrieves details for the specified vulnerability.

Base Command#

tenable-io-get-vulnerability-details

Input#

Argument NameDescriptionRequired
vulnerabilityIdThe unique ID of the vulnerability.Required

Context Output#

PathTypeDescription
TenableIO.Vulnerabilities.NamestringThe name of the vulnerability.
TenableIO.Vulnerabilities.SeveritynumberInteger [0-4] indicating how severe the vulnerability is, where 0 is info only.
TenableIO.Vulnerabilities.TypestringThe type of the vulnerability.
TenableIO.Vulnerabilities.FamilystringObject containing plugin information such as family, type, and publication and modification dates.
TenableIO.Vulnerabilities.DescriptionstringThe description of the vulnerability.
TenableIO.Vulnerabilities.SynopsisstringA brief summary of the vulnerability.
TenableIO.Vulnerabilities.SolutionstringInformation on how to fix the vulnerability.
TenableIO.Vulnerabilities.FirstSeendateWhen the vulnerability was first seen.
TenableIO.Vulnerabilities.LastSeendateWhen the vulnerability was last seen.
TenableIO.Vulnerabilities.PublicationDatedateThe publication date of the vulnerability.
TenableIO.Vulnerabilities.ModificationDatedateThe last modification date for the vulnerability in Unix time.
TenableIO.Vulnerabilities.VulnerabilityOccurencesnumberA count of the vulnerability occurrences.
TenableIO.Vulnerabilities.CvssVectorstringThe Common Vulnerability Scoring System vector.
TenableIO.Vulnerabilities.CvssBaseScorestringThe Common Vulnerability Scoring System allotted base score.
TenableIO.Vulnerabilities.Cvss3VectorstringThe Common Vulnerability Scoring System version 3 vector.
TenableIO.Vulnerabilities.Cvss3BaseScorestringThe Common Vulnerability Scoring System version 3 allotted base score.

Command example#

!tenable-io-get-vulnerability-details vulnerabilityId=fake_id

Context Example#

{
"TenableIO": {
"Vulnerabilities": {
"Description": "Description",
"Family": "General",
"FirstSeen": "2024-11-07T11:11:05Z",
"LastSeen": "2024-11-07T11:11:05Z",
"ModificationDate": "2024-11-07T11:11:05Z",
"Name": "Name",
"PublicationDate": "2024-11-07T11:11:05Z",
"Severity": "None",
"Synopsis": "Synopsis",
"Type": "remote",
"VulnerabilityOccurences": 1
}
}
}

Human Readable Output#

Vulnerability details - fake_id#

NameSeverityTypeFamilyDescriptionSynopsisFirstSeenLastSeenPublicationDateModificationDateVulnerabilityOccurences
NameNoneremoteGeneralDescriptionSynopsis2024-11-07T11:11:05Z2024-11-07T11:11:05Z2024-11-07T11:11:05Z2024-11-07T11:11:05Z1

tenable-io-get-vulnerabilities-by-asset#


Gets a list of up to 5000 of the vulnerabilities recorded for a specified asset.

Base Command#

tenable-io-get-vulnerabilities-by-asset

Input#

Argument NameDescriptionRequired
hostnameHostname of the asset.Optional
ipIP of the asset.Optional
dateRangeThe number of days of data prior to and including today that should be returned.Optional

Context Output#

PathTypeDescription
TenableIO.Assets.HostnamenumberHostname of the asset.
TenableIO.Assets.VulnerabilitiesnumberA list of all the vulnerability IDs associated with the asset.
TenableIO.Vulnerabilities.IdnumberThe vulnerability unique ID.
TenableIO.Vulnerabilities.NamestringThe name of the vulnerability.
TenableIO.Vulnerabilities.SeveritynumberInteger [0-4] indicating how severe the vulnerability is, where 0 is info only.
TenableIO.Vulnerabilities.FamilystringThe vulnerability family.
TenableIO.Vulnerabilities.VulnerabilityOccurencesnumberThe number of times the vulnerability was found.
TenableIO.Vulnerabilities.VulnerabilityStatestringThe current state of the reported vulnerability ("Active", "Fixed", "New", etc.).

Command example#

!tenable-io-get-vulnerabilities-by-asset hostname="debian8628.aspadmin.net"

Context Example#

{
"TenableIO": {
"Assets": {
"Hostname": "debian8628.aspadmin.net",
"Vulnerabilities": [
11111,
22222,
]
},
"Vulnerabilities": [
{
"Family": "General",
"Id": 11111,
"Name": "Name_01",
"Severity": "None",
"VulnerabilityOccurences": 2,
"VulnerabilityState": "Active"
},
{
"Family": "General",
"Id": 22222,
"Name": "Name_02",
"Severity": "None",
"VulnerabilityOccurences": 2,
"VulnerabilityState": "Active"
},
]
}
}

Human Readable Output#

Vulnerabilities for asset debian8628.aspadmin.net#

IdNameSeverityFamilyVulnerabilityOccurencesVulnerabilityState
11111Name_01NoneGeneral2Active
22222Name_02NoneGeneral2Active

tenable-io-get-scan-status#


Checks the status of a specific scan using the scan ID. Possible values: "Running", "Completed", and "Empty" (Ready to run).

Base Command#

tenable-io-get-scan-status

Input#

Argument NameDescriptionRequired
scanIdThe unique ID of the scan.Required

Context Output#

PathTypeDescription
TenableIO.Scan.IdstringThe unique ID of the scan specified.
TenableIO.Scan.StatusstringThe status of the scan specified.

Command example#

!tenable-io-get-scan-status scanId="10"

Context Example#

{
"TenableIO": {
"Scan": {
"Id": "10",
"Status": "aborted"
}
}
}

Human Readable Output#

Scan status for 10#

IdStatus
10aborted

tenable-io-resume-scan#


Resumes all scans inputted as an array. Will resume scans whose status is 'Paused'.

Base Command#

tenable-io-resume-scan

Input#

Argument NameDescriptionRequired
scanIdComma-separated list of scan IDs.Required

Context Output#

PathTypeDescription
TenableIO.Scan.IdStringThe unique ID of the scan.
TenableIO.Scan.StatusStringThe status of the scan (completed, aborted, imported, pending, running, resuming, canceling, cancelled, pausing, paused, stopping, stopped).

Command example#

!tenable-io-resume-scan scanId="13"

Context Example#

{
"TenableIO": {
"Scan": {
"Id": "13",
"Status": "Resuming"
}
}
}

Human Readable Output#

The requested scan was resumed successfully#

IdStatus
13Resuming

tenable-io-pause-scan#


Pauses all scans inputted as an array. Will pause scans whose status is 'Running'.

Base Command#

tenable-io-pause-scan

Input#

Argument NameDescriptionRequired
scanIdComma-separated list of scan IDs.Required

Context Output#

PathTypeDescription
TenableIO.Scan.IdStringThe unique id of the scan.
TenableIO.Scan.StatusStringThe status of the scan (completed, aborted, imported, pending, running, resuming, canceling, cancelled, pausing, paused, stopping, stopped).

Command example#

!tenable-io-pause-scan scanId="10"

Context Example#

{
"TenableIO": {
"Scan": {
"Id": "10",
"Status": "Pausing"
}
}
}

Human Readable Output#

The requested scan was paused successfully#

IdStatus
13Pausing

tenable-io-get-asset-details#


Retrieves details for the specified asset including custom attributes.

Base Command#

tenable-io-get-asset-details

Input#

Argument NameDescriptionRequired
ipIP Address of the asset.Required

Context Output#

PathTypeDescription
TenableIO.AssetDetails.attributesunknownArray of custom attributes of asset.
TenableIO.AssetDetails.countsunknownArray of audit statuses and vulnerabilities by type.
TenableIO.AssetDetails.created_atdateDate asset was created.
TenableIO.AssetDetails.first_seendateDate asset was first seen.
TenableIO.AssetDetails.fqdnunknownArray of fully-qualified domain names.
TenableIO.AssetDetails.idstringGUID of tenable.io asset.
TenableIO.AssetDetails.interfacesunknownArray of interface information.
TenableIO.AssetDetails.ipv4unknownArray of IPv4 addresses.
TenableIO.AssetDetails.operating_systemunknownArray of operating systems.
TenableIO.AssetDetails.tagsunknownArray of tags added to asset.
TenableIO.AssetDetails.updated_atdateDate the asset was last updated.

Command example#

!tenable-io-get-asset-details ip=1.3.2.1"

Context Example#

{
"TenableIO": {
"AssetDetails": {
"agent_name": [],
"attributes": [],
"aws_availability_zone": [],
"aws_ec2_instance_ami_id": [],
"aws_ec2_instance_group_name": [],
"aws_ec2_instance_id": [],
"aws_ec2_instance_state_name": [],
"aws_ec2_instance_type": [],
"aws_ec2_name": [],
"aws_ec2_product_code": [],
"aws_owner_id": [],
"aws_region": [],
"aws_subnet_id": [],
"aws_vpc_id": [],
"azure_location": [],
"azure_resource_group": [],
"azure_resource_id": [],
"azure_subscription_id": [],
"azure_type": [],
"azure_vm_id": [],
"bigfix_asset_id": [],
"bios_uuid": [],
"counts": {
"audits": {
"statuses": [
{
"count": 0,
"level": 1,
"name": "Passed"
},
{
"count": 0,
"level": 2,
"name": "Warning"
},
{
"count": 0,
"level": 3,
"name": "Failed"
}
],
"total": 0
},
"vulnerabilities": {
"severities": [
{
"count": 17,
"level": 0,
"name": "Info"
},
{
"count": 0,
"level": 1,
"name": "Low"
},
{
"count": 0,
"level": 2,
"name": "Medium"
},
{
"count": 0,
"level": 3,
"name": "High"
},
{
"count": 1,
"level": 4,
"name": "Critical"
}
],
"total": 18
}
},
"created_at": "2024-11-07T11:11:05Z",
"exposure_confidence_value": null,
"first_seen": "2024-11-07T11:11:05Z",
"fqdn": [
"test.com"
],
"gcp_instance_id": [],
"gcp_project_id": [],
"gcp_zone": [],
"has_agent": false,
"hostname": [
"test.com"
],
"id": "fake_asset_id",
"installed_software": [
"cpe:/a:test:0.0.0",
],
"interfaces": [
{
"fqdn": [
"test.com"
],
"ipv4": [
"1.3.2.1"
],
"ipv6": [],
"mac_address": [],
"name": "UNKNOWN"
}
],
"ipv4": [
"1.3.2.1"
],
"ipv6": [],
"last_authenticated_scan_date": null,
"last_licensed_scan_date": "2024-11-07T11:11:05Z",
"last_scan_id": "fake_scan_id",
"last_scan_target": "test.com'",
"last_schedule_id": "fake_schedule_id",
"last_seen": "2024-11-07T11:11:05Z",
"mac_address": [],
"mcafee_epo_agent_guid": [],
"mcafee_epo_guid": [],
"netbios_name": [],
"network_name": "Default",
"operating_system": [
"Linux Kernel 2.6"
],
"qualys_asset_id": [],
"qualys_host_id": [],
"security_protection_level": null,
"security_protections": [],
"servicenow_sysid": [],
"sources": [
{
"first_seen": "2024-11-07T11:11:05.739Z",
"last_seen": "2024-11-07T11:11:05.739Z",
"name": "name"
}
],
"ssh_fingerprint": [],
"system_type": [
"general-purpose"
],
"tags": [
{
"added_at": "2024-11-07T11:11:05Z",
"added_by": "fake_id",
"source": "static",
"tag_key": "some_key",
"tag_uuid": "fake_uuid",
"tag_value": "test.com"
}
],
"tenable_uuid": [],
"time_end": "2024-11-07T11:11:05Z",
"time_start": "2024-11-07T11:11:05Z",
"updated_at": "2024-11-07T11:11:05Z",
"uuid": "fake_asset_id"
}
}
}

Human Readable Output#

Asset Info for 1.3.2.1#

attributesfqdninterfacesipv4idlast_seen
test.com{'name': 'UNKNOWN', 'fqdn': ['test.com'], 'mac_address': [], 'ipv4': ['1.3.2.1'], 'ipv6': []}1.3.2.1fake_asset_id2024-11-07T11:11:05.739Z

tenable-io-export-assets#


Retrieves details for the specified asset to include custom attributes.

Limitations#

When inserting invalid arguments, an error message could be returned.

Base Command#

tenable-io-export-assets

Input#

Argument NameDescriptionRequired
chunkSizeSpecifies the number of assets per exported chunk. The range is 100-10000. Default is 100.Optional
intervalInSecondsThe number of seconds until the next run. Default is 10.Optional
timeOutThe timeout for the polling in seconds. Default is 600.Optional
createdAtWhen specified, the results returned in the list are limited to assets created later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
updatedAtWhen specified, the results returned in the list are limited to assets updated later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
terminatedAtWhen specified, the results returned in the list are limited to assets terminated later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
isTerminatedWhen set to true, returns assets which have any value for the terminatedAt attribute.Optional
deletedAtWhen specified, the results returned in the list are limited to assets deleted later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
isDeletedWhen set to true, returns assets which have any value for the deletedAt attribute. Possible values are: true, false.Optional
isLicensedSpecifies whether the asset is included in the asset count for the Tenable.io instance. If true, returns only licensed assets. If false, returns only unlicensed assets. Possible values are: true, false.Optional
firstScanTimeWhen specified, the results returned in the list are limited to assets with a first scan time later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
lastAuthenticatedScanTimeWhen specified, the results returned in the list are limited to assets with a last credentialed scan time later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
lastAssessedWhen specified, the results returned in the list are limited to assets with a last assessed time later than the date specified. Date format will be epoch date format or relational expressions like “7 days ago”.'.Optional
serviceNowSysIdIf true, returns all assets that have a ServiceNow Sys ID, regardless of value. If false, returns all assets that do not have a ServiceNow Sys ID. Possible values are: true, false.Optional
sourcesA comma-separated list of sources. Possible values are: AWS, NESSUS_AGENT, PVS,NESSUS_SCAN, WAS. When specified, the results returned in the list are limited to assets that have the specified source.Optional
hasPluginResultsIf true, returns all assets that have a plugin results associated with it. Possible values are: true, false.Optional
tagCategoryWhen specified, the results returned in the list are limited to assets with the specified tag category.Optional
tagValueWhen specified, the results returned in the list are limited to assets with the specified tag value.Optional
exportUuidThe export uuid.Optional

Context Output#

PathTypeDescription
TenableIO.Asset.idStringThe UUID of the asset in Tenable.io. Use this value as the unique key for the asset.
TenableIO.Asset.has_agentBooleanSpecifies whether a Nessus agent scan identified the asset.
TenableIO.Asset.has_plugin_resultsBooleanSpecifies whether the asset has plugin results associated with it.
TenableIO.Asset.created_atDateThe time and date when Tenable.io created the asset record.
TenableIO.Asset.terminated_atDateThe time and date when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset.
TenableIO.Asset.terminated_byStringThe user who terminated the AWS instance of the asset.
TenableIO.Asset.updated_atDateThe time and date when the asset record was last updated.
TenableIO.Asset.deleted_atDateThe time and date when a user deleted the asset record. When a user deletes an asset record, Tenable.io retains the record until the asset ages out of the license count.
TenableIO.Asset.deleted_byStringThe user who deleted the asset record.
TenableIO.Asset.first_seenDateThe time and date when a scan first identified the asset.
TenableIO.Asset.last_seenDateThe time and date of the scan that most recently identified the asset.
TenableIO.Asset.first_scan_timeDateThe time and date of the first scan run against the asset.
TenableIO.Asset.last_scan_timeDateThe time and date of the last scan run against the asset.
TenableIO.Asset.last_authenticated_scan_dateDateThe time and date of the last credentialed scan run on the asset.
TenableIO.Asset.last_licensed_scan_dateDateThe time and date of the last scan that identified the asset as licensed. Tenable.io categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days.
TenableIO.Asset.last_scan_idStringThe UUID of the scan configuration used during the last scan of the asset.
TenableIO.Asset.last_schedule_idStringThe schedule id for the last scan of the asset.
TenableIO.Asset.azure_vm_idStringThe unique identifier of the Microsoft Azure virtual machine instance. For more information, see "Accessing and Using Azure VM Unique ID" in the Microsoft Azure documentation.
TenableIO.Asset.azure_resource_idStringThe unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
TenableIO.Asset.gcp_project_idStringThe unique identifier of the virtual machine instance in Google Cloud Platform (GCP).
TenableIO.Asset.gcp_zoneStringThe customized name of the project to which the virtual machine instance belongs in GCP. For more information see "Creating and Managing Projects" in the GCP documentation.
TenableIO.Asset.gcp_instance_idStringThe zone where the virtual machine instance runs in GCP. For more information, see "Regions and Zones" in the GCP documentation.
TenableIO.Asset.aws_ec2_instance_ami_idStringThe unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.
TenableIO.Asset.aws_ec2_instance_idStringThe unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.
TenableIO.Asset.agent_uuidStringThe unique identifier of the Nessus agent that identified the asset.
TenableIO.Asset.bios_uuidStringThe BIOS UUID of the asset.
TenableIO.Asset.network_idStringThe ID of the network object associated with scanners that identified the asset.
TenableIO.Asset.network_nameStringThe ID of the network object associated with scanners that identified the asset.
TenableIO.Asset.aws_owner_idStringThe canonical user identifier for the AWS account associated with the virtual machine instance.
TenableIO.Asset.aws_availability_zoneStringThe availability zone where Amazon Web Services hosts the virtual machine instance.
TenableIO.Asset.aws_regionStringThe region where AWS hosts the virtual machine instance.
TenableIO.Asset.aws_vpc_idStringThe unique identifier for the virtual public cloud that hosts the AWS virtual machine instance.
TenableIO.Asset.aws_ec2_instance_group_nameStringThe virtual machine instance's group in AWS.
TenableIO.Asset.aws_ec2_instance_state_nameStringThe state of the virtual machine instance in AWS at the time of the scan.
TenableIO.Asset.aws_ec2_instance_typeStringThe type of instance in AWS EC2.
TenableIO.Asset.aws_subnet_idStringThe unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.
TenableIO.Asset.aws_ec2_product_codeStringThe product code associated with the AMI used to launch the virtual machine instance in AWS EC2.
TenableIO.Asset.aws_ec2_nameStringThe name of the virtual machine instance in AWS EC2.
TenableIO.Asset.mcafee_epo_guidStringThe unique identifier of the asset in McAfee ePolicy Orchestrator (ePO).
TenableIO.Asset.mcafee_epo_agent_guidStringThe unique identifier of the McAfee ePO agent that identified the asset.
TenableIO.Asset.servicenow_sysidStringThe unique record identifier of the asset in ServiceNow.
TenableIO.Asset.bigfix_asset_idStringThe unique identifiers of the asset in HCL BigFix.
TenableIO.Asset.agent_namesStringThe names of any Nessus agents that scanned and identified the asset.
TenableIO.Asset.installed_softwareStringA list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset.
TenableIO.Asset.ipv4sStringThe IPv4 addresses that scans have associated with the asset record.
TenableIO.Asset.ipv6sStringThe IPv6 addresses that scans have associated with the asset record.
TenableIO.Asset.fqdnsStringThe fully-qualified domain names that scans have associated with the asset record.
TenableIO.Asset.mac_addressesStringThe MAC addresses that scans have associated with the asset record.
TenableIO.Asset.netbios_namesStringThe NetBIOS names that scans have associated with the asset record.
TenableIO.Asset.operating_systemsStringThe operating systems that scans have associated with the asset record.
TenableIO.Asset.system_typesStringThe system types as reported by Plugin ID 54615. Possible values include router, general-purpose, scan-host, and embedded.
TenableIO.Asset.hostnamesStringThe hostnames that scans have associated with the asset record.
TenableIO.Asset.ssh_fingerprintsStringThe SSH key fingerprints that scans have associated with the asset record.
TenableIO.Asset.qualys_asset_idsStringThe Asset ID of the asset in Qualys. For more information, see the Qualys documentation.
TenableIO.Asset.qualys_host_idsStringThe Host ID of the asset in Qualys. For more information, see the Qualys documentation.
TenableIO.Asset.manufacturer_tpm_idsStringThe manufacturer's unique identifiers of the Trusted Platform Module (TPM) associated with the asset.
TenableIO.Asset.symantec_ep_hardware_keysStringThe hardware keys for the asset in Symantec Endpoint Protection.
TenableIO.Asset.sources.nameStringThe name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports.
TenableIO.Asset.sources.first_seenDateThe ISO timestamp when the source first reported the asset.
TenableIO.Asset.sources.last_seenDateThe ISO timestamp when the source last reported the asset.
TenableIO.Asset.tags.uuidStringThe UUID of the tag.
TenableIO.Asset.tags.keyStringThe tag category (the first half of the category:value pair).
TenableIO.Asset.tags.valueStringThe tag value (the second half of the category:value pair).
TenableIO.Asset.tags.added_byStringThe UUID of the user who assigned the tag to the asset.
TenableIO.Asset.tags.added_atDateThe ISO timestamp when the tag was assigned to the asset.
TenableIO.Asset.network_interfaces.nameStringThe name of the interface.
TenableIO.Asset.network_interfaces.mac_addressStringThe MAC addresses of the interface.
TenableIO.Asset.network_interfaces.ipv6StringOne or more IPv6 addresses belonging to the interface.
TenableIO.Asset.network_interfaces.fqdnsStringOne or more FQDNs belonging to the interface.
TenableIO.Asset.network_interfaces.ipv4sStringOne or more IPv4 addresses belonging to the interface.
TenableIO.Asset.acr_scoreStringThe Asset Criticality Rating (ACR) for the asset.
TenableIO.Asset.exposure_scoreStringThe Asset Exposure Score (AES) for the asset.

Command example#

!tenable-io-export-assets chunkSize=500

Context Example#

{
"TenableIO": {
"Asset": [
{
"created_at": "2024-11-07T11:11:05Z",
"first_scan_time": "2024-11-07T11:11:05Z",
"first_seen": "2024-11-07T11:11:05Z",
"fqdns": [
"test.com"
],
"has_agent": false,
"has_plugin_results": true,
"hostnames": [
"test.com"
],
"id": "fake_uuid",
"installed_software": [],
"ipv4s": [
"1.3.2.1"
],
"last_licensed_scan_date": "2024-11-07T11:11:05Z",
"last_scan_id": "fake_uuid",
"last_scan_time": "2024-11-07T11:11:05Z",
"last_schedule_id": "fake_uuid",
"last_seen": "2024-11-07T11:11:05Z",
"network_id": "00000000-0000-0000-0000-000000000000",
"network_interfaces": [
{
"aliased": null,
"fqdns": [
"test.com"
],
"ipv4s": [
"1.3.2.1"
],
"ipv6s": [],
"mac_addresses": [],
"name": "UNKNOWN",
"virtual": null
}
],
"network_name": "Default",
"operating_systems": [
"Linux Kernel 2.6"
],
"sources": [
{
"first_seen": "2024-11-07T11:11:05Z",
"last_seen": "2024-11-07T11:11:05Z",
"name": "NESSUS_SCAN"
}
],
"system_types": [
"general-purpose"
],
"tags": [
{
"added_at": "2024-11-07T11:11:05Z",
"added_by": "fake_uuid",
"key": "some_key",
"uuid": "fake_uuid",
"value": "test.com"
}
],
"updated_at": "2024-11-07T11:11:05Z"
},
{
"created_at": "2024-11-07T11:11:05Z",
"first_scan_time": "2024-11-07T11:11:05Z",
"first_seen": "2024-11-07T11:11:05Z",
"fqdns": [
"test.net"
],
"has_agent": false,
"has_plugin_results": true,
"hostnames": [
"test.net"
],
"id": "fake_uuid",
"installed_software": [],
"ipv4s": [
"1.3.2.1"
],
"last_licensed_scan_date": "2024-11-07T11:11:05Z",
"last_scan_id": "fake_uuid",
"last_scan_time": "2024-11-07T11:11:05Z",
"last_schedule_id": "fake_uuid",
"last_seen": "2024-11-07T11:11:05Z",
"network_id": "00000000-0000-0000-0000-000000000000",
"network_interfaces": [
{
"aliased": null,
"fqdns": [
"test.net"
],
"ipv4s": [
"1.3.2.1"
],
"ipv6s": [],
"mac_addresses": [],
"name": "UNKNOWN",
"virtual": null
}
],
"network_name": "Default",
"operating_systems": [
"Linux Kernel 2.6"
],
"sources": [
{
"first_seen": "2024-11-07T11:11:05Z",
"last_seen": "2024-11-07T11:11:05Z",
"name": "NESSUS_SCAN"
}
],
"ssh_fingerprints": [
"fake_ssh_fingerprints"
],
"system_types": [
"general-purpose"
],
"tags": [
{
"added_at": "2024-11-07T11:11:05Z",
"added_by": "fake_uuid",
"key": "some_key",
"uuid": "fake_uuid",
"value": "test.com"
}
],
"updated_at": "2024-11-07T11:11:05Z"
},
]
}
}

Human Readable Output#

Export Assets Results:#

ASSET IDDNS NAME (FQDN)SYSTEM TYPEOPERATING SYSTEMIPV4 ADDRESSNETWORKFIRST SEENLAST SEENLAST LICENSED SCANSOURCETAGS
fake_uuidtest.comgeneral-purposeLinux Kernel 2.61.3.2.1Default2024-11-07T11:11:05Z2024-11-07T11:11:05Z2024-11-07T11:11:05ZNESSUS_SCANsome_key:test.com
fake_uuidtest.netgeneral-purposeLinux Kernel 2.61.3.2.1Default2024-11-07T11:11:05Z2024-11-07T11:11:05Z2024-11-07T11:11:05ZNESSUS_SCANsome_key:test.com

tenable-io-export-vulnerabilities#


Retrieves details for the specified asset to include custom attributes.

Limitations#

When inserting invalid arguments, an error message could be returned.

Base Command#

tenable-io-export-vulnerabilities

Input#

Argument NameDescriptionRequired
numAssetsThe number of assets used to chunk the vulnerabilities. The range for number of assets in a chunk is 50-5000. Default is 50.Optional
intervalInSecondsThe number of seconds until the next run. Default is 10.Optional
timeOutThe timeout for the polling in seconds. Default is 600.Optional
includeUnlicensedSpecifies whether or not to include unlicensed assets. Possible values are: true, false.Optional
cidrRangeWhen specified, restricts the search for vulnerabilities to assets assigned an IP address within the specified CIDR range.Optional
firstFoundWhen specified, the results returned in the list are limited to vulnerabilities that were first found between the specified date and now. Date format will be epoch date format or relational expressions like “7 days ago”.Optional
lastFixedWhen specified, the results returned in the list are limited to vulnerabilities that were fixed between the specified date and now. Date format will be epoch date format or relational expressions like “7 days ago”.Optional
lastFoundWhen specified, the results returned in the list are limited to vulnerabilities that were last found between the specified date and now. Date format will be epoch date format or relational expressions like “7 days ago”.Optional
networkIdThe ID of the network object associated with scanners that detected the vulnerabilities you want to export.Optional
pluginIdA comma-separated list of plugin IDs for which you want to filter the vulnerabilities.Optional
pluginTypeThe plugin type for which you want to filter the vulnerabilities. If not set, export includes all vulnerabilities regardless of plugin type. Possible values are: remote, local, combined, settings, summary, third-party, reputation.Optional
severityThe severity of the vulnerabilities to include in the export. Defaults to all severity levels. The severity of a vulnerability is defined using the Common Vulnerability Scoring System (CVSS) base score. Supported array values are: info, low, medium, high, critical.Optional
sinceThe start date for the range of data you want to export. Date format will be epoch date format or relational expressions like “7 days ago”. Note: This filter cannot be used in conjunction with the firstFound, lastFound, or lastFixed.Optional
stateA comma-separated list of states of the vulnerabilities you want the export to include. Supported, case-insensitive values are: open, reopened, fixed. This parameter is required if your request includes firstFound, lastFound, or lastFixed parameters. If your request omits this parameter, the export includes default states open and reopened only.Optional
tagCategoryWhen specified, the results returned in the list are limited to assets with the specified tag category.Optional
tagValueWhen specified, the results returned in the list are limited to assets with the specified tag value.Optional
vprScoreOperatorAn operator that determines the limitation on Vulnerability Priority Rating (VPR), scores value specified at vprScoreValue argument. Supported values are: equal, not equal, lt-lesser, lte-lesser than or equal , gt-greater than , gte-greater than or equal. Possible values are: gte, gt, lte, lt, equal, not equal.Optional
vprScoreValueWhen specified, the results returned in the list are limited to vulnerabilities with the specified Vulnerability Priority Rating (VPR), score or scores according to the score operator (vprScoreOperator) argument.Optional
vprScoreRangeWhen specified, the results returned in the list are limited to vulnerabilities with the specified Vulnerability Priority Rating (VPR) score range. Example value: 2.5-3.5.Optional
exportUuidThe export UUID.Optional
should_push_eventsSet this argument to True in order to create vulnerabilities, otherwise the command will only display the vulnerabilities. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
TenableIO.Vulnerability.asset.agent_uuidStringThe UUID of the agent that performed the scan where the vulnerability was found.
TenableIO.Vulnerability.asset.bios_uuidStringThe BIOS UUID of the asset where the vulnerability was found.
TenableIO.Vulnerability.asset.device_typeStringThe type of asset where the vulnerability was found.
TenableIO.Vulnerability.asset.fqdnStringThe fully-qualified domain name of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.hostnameStringThe host name of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.uuidStringThe UUID of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.ipv6StringThe IPv6 address of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.last_authenticated_resultsDateThe last date credentials that were used successfully to scan the asset.
TenableIO.Vulnerability.asset.last_unauthenticated_resultsDateThe last date when the asset was scanned without using credentials
TenableIO.Vulnerability.asset.mac_addressStringThe MAC address of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.netbios_nameStringThe NETBIOS name of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.netbios_workgroupStringThe NETBIOS workgroup of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.operating_systemStringThe operating system of the asset where a scan found the vulnerability.
TenableIO.Vulnerability.asset.network_idStringThe ID of the network object associated with scanners that identified the asset.
TenableIO.Vulnerability.asset.trackedBooleanA value specifying whether Tenable.io tracks the asset in the asset management system.
TenableIO.Vulnerability.outputStringThe text output of the Nessus scanner.
TenableIO.Vulnerability.plugin.bidNumberThe Bugtraq ID for the plugin.
TenableIO.Vulnerability.plugin.canvas_packageStringThe name of the CANVAS exploit pack that includes the vulnerability.
TenableIO.Vulnerability.plugin.checks_for_default_accountBooleanA value specifying whether the plugin checks for default accounts.
TenableIO.Vulnerability.plugin.checks_for_malwareBooleanA value specifying whether the plugin checks for malware.
TenableIO.Vulnerability.plugin.cpeStringThe Common Platform Enumeration (CPE) number for the plugin.
TenableIO.Vulnerability.plugin.cveStringThe Common Vulnerability and Exposure (CVE) ID for the plugin.
TenableIO.Vulnerability.plugin.cvss3_base_scoreNumberThe CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
TenableIO.Vulnerability.plugin.cvss3_temporal_scoreNumberThe CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments).
TenableIO.Vulnerability.plugin.cvss3_temporal_vector.exploitabilityStringThe CVSSv3 Exploit Maturity Code (E) for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_temporal_vector.remediation_levelStringThe CVSSv3 Remediation Level (RL) temporal metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_temporal_vector.report_confidenceStringThe CVSSv3 Report Confidence (RC) temporal metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_temporal_vector.rawStringThe complete CVSSv3 temporal vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format.
TenableIO.Vulnerability.plugin.cvss3_vector.access_vectorStringThe CVSSv3 Attack Vector (AV) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.access_complexityStringThe CVSSv3 Access Complexity (AC) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.authenticationStringThe CVSSv3 Authentication (Au) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.confidentiality_impactStringThe CVSSv3 integrity impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.integrity_impactStringThe CVSSv3 integrity impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.availability_impactStringThe CVSSv3 availability impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss3_vector.rawStringThe complete cvss3_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format.
TenableIO.Vulnerability.plugin.cvss_temporal_vector.exploitabilityStringThe CVSSv2 Exploitability (E) temporal metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_temporal_vector.remediation_levelStringThe CVSSv2 Remediation Level (RL) temporal metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_temporal_vector.report_confidenceStringThe CVSSv2 Report Confidence (RC) temporal metric for the vulnerability the plugin covers
TenableIO.Vulnerability.plugin.cvss_temporal_vector.rawStringThe complete CVSS temporal vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format.
TenableIO.Vulnerability.plugin.cvss_vector.access_vectorStringThe CVSSv2 Access Vector (AV) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.access_complexityStringThe CVSSv2 Access Complexity (AC) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.authenticationStringThe CVSSv2 Authentication (Au) metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.confidentiality_impactStringThe CVSSv2 confidentiality impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.integrity_impactStringThe CVSSv2 integrity impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.availability_impactStringThe CVSSv2 availability impact metric for the vulnerability the plugin covers.
TenableIO.Vulnerability.plugin.cvss_vector.rawStringThe complete CVSSv2 vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format.
TenableIO.Vulnerability.plugin.cvss_base_scoreNumberThe CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
TenableIO.Vulnerability.plugin.cvss_temporal_scoreNumberThe CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments).
TenableIO.Vulnerability.plugin.d2_elliot_nameStringThe name of the exploit in the D2 Elliot Web Exploitation framework.
TenableIO.Vulnerability.plugin.descriptionStringFull text description of the vulnerability.
TenableIO.Vulnerability.plugin.exploit_availableBooleanA value specifying whether a public exploit exists for the vulnerability.
TenableIO.Vulnerability.plugin.exploit_framework_canvasBooleanA value specifying whether an exploit exists in the Immunity CANVAS framework.
TenableIO.Vulnerability.plugin.exploit_framework_coreBooleanA value specifying whether an exploit exists in the CORE Impact framework.
TenableIO.Vulnerability.plugin.exploit_framework_d2_elliotBooleanA value specifying whether an exploit exists in the D2 Elliot Web Exploitation framework.
TenableIO.Vulnerability.plugin.exploit_framework_exploithubBooleanA value specifying whether an exploit exists in the ExploitHub framework.
TenableIO.Vulnerability.plugin.exploit_framework_metasploitBooleanA value specifying whether an exploit exists in the Metasploit framework.
TenableIO.Vulnerability.plugin.exploitability_easeStringDescription of how easy it is to exploit the issue.
TenableIO.Vulnerability.plugin.exploited_by_malwareBooleanWhether the vulnerability discovered by this plugin is known to be exploited by malware.
TenableIO.Vulnerability.plugin.exploited_by_nessusBooleanA value specifying whether Nessus exploited the vulnerability during the process of identification.
TenableIO.Vulnerability.plugin.exploithub_skuStringThe SKU number of the exploit in the ExploitHub framework.
TenableIO.Vulnerability.plugin.familyStringThe family to which the plugin belongs.
TenableIO.Vulnerability.plugin.family_idNumberThe ID of the plugin family.
TenableIO.Vulnerability.plugin.has_patchBooleanA value specifying whether the vendor has published a patch for the vulnerability.
TenableIO.Vulnerability.plugin.idNumberThe ID of the plugin that identified the vulnerability.
TenableIO.Vulnerability.plugin.in_the_newsBooleanA value specifying whether this plugin has received media attention (for example, ShellShock, Meltdown).
TenableIO.Vulnerability.plugin.metasploit_nameStringThe name of the related exploit in the Metasploit framework.
TenableIO.Vulnerability.plugin.ms_bulletinStringThe Microsoft security bulletin that the plugin covers.
TenableIO.Vulnerability.plugin.nameStringThe name of the plugin that identified the vulnerability.
TenableIO.Vulnerability.plugin.patch_publication_dateStringThe date on which the vendor published a patch for the vulnerability.
TenableIO.Vulnerability.plugin.modification_dateDateThe date on which the plugin was last modified.
TenableIO.Vulnerability.plugin.publication_dateDateThe date on which the plugin was published.
TenableIO.Vulnerability.plugin.risk_factorStringThe risk factor associated with the plugin. Possible values are: Low, Medium, High, or Critical.
TenableIO.Vulnerability.plugin.see_alsoStringLinks to external websites that contain helpful information about the vulnerability.
TenableIO.Vulnerability.plugin.solutionStringRemediation information for the vulnerability.
TenableIO.Vulnerability.plugin.stig_severityStringSecurity Technical Implementation Guide (STIG) severity code for the vulnerability.
TenableIO.Vulnerability.plugin.synopsisStringBrief description of the plugin or vulnerability.
TenableIO.Vulnerability.plugin.typeStringThe general type of plugin check (for example, local or remote).
TenableIO.Vulnerability.plugin.unsupported_by_vendorBooleanWhether software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3).
TenableIO.Vulnerability.plugin.usnStringUbuntu security notice that the plugin covers.
TenableIO.Vulnerability.plugin.versionStringThe version of the plugin used to perform the check.
TenableIO.Vulnerability.plugin.vuln_publication_dateDateThe publication date of the plugin.
TenableIO.Vulnerability.plugin.xrefs.typeStringReferences to third-party information about the vulnerability, exploit, or update associated with the plugin.
TenableIO.Vulnerability.plugin.xrefs.idStringReferences to third-party information about the vulnerability, exploit, or update associated with the plugin.
TenableIO.Vulnerability.plugin.vpr.scoreNumberThe Vulnerability Priority Rating (VPR) for the vulnerability.
TenableIO.Vulnerability.plugin.vpr.drivers.age_of_vulnNumberA range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability.
TenableIO.Vulnerability.plugin.vpr.drivers.age_of_vuln.lower_boundNumberThe lower bound of the range.
TenableIO.Vulnerability.plugin.vpr.drivers.age_of_vuln.upper_boundNumberThe upper bound of the range.
TenableIO.Vulnerability.plugin.vpr.drivers.exploit_code_maturityStringThe relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources.
TenableIO.Vulnerability.plugin.vpr.drivers.cvss3_impact_scoreNumberThe NVD-provided CVSSv3 impact score for the vulnerability.
TenableIO.Vulnerability.plugin.vpr.drivers.cvss_impact_score_predictedBooleanA value specifying whether Tenable.io predicted the CVSSv3 impact score for the vulnerability.
TenableIO.Vulnerability.plugin.vpr.drivers.threat_intensity_last28StringThe relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
TenableIO.Vulnerability.plugin.vpr.drivers.threat_recencyStringA range representing the number of days since a threat event occurred for the vulnerability.
TenableIO.Vulnerability.plugin.vpr.drivers.threat_recency.lower_boundStringThe lower bound of the range.
TenableIO.Vulnerability.plugin.vpr.drivers.threat_recency.upper_boundStringThe upper bound of the range.
TenableIO.Vulnerability.plugin.vpr.drivers.threat_sources_last28StringA list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred.
TenableIO.Vulnerability.plugin.vpr.drivers.product_coverageStringThe relative number of unique products affected by the vulnerability: 'Low', 'Medium', 'High', or 'Very High'.
TenableIO.Vulnerability.plugin.vpr.updatedDateThe ISO timestamp when Tenable.io last imported the VPR for this vulnerability.
TenableIO.Vulnerability.port.portNumberThe port the scanner used to communicate with the asset.
TenableIO.Vulnerability.port.protocolStringThe protocol the scanner used to communicate with the asset.
TenableIO.Vulnerability.port.serviceStringThe service the scanner used to communicate with the asset.
TenableIO.Vulnerability.recast_reasonStringThe text that appears in the Comment field of the recast rule in the Tenable.io user interface.
TenableIO.Vulnerability.recast_rule_uuidStringThe UUID of the recast rule that applies to the plugin.
TenableIO.Vulnerability.scan.completed_atDateThe ISO timestamp when the scan completed.
TenableIO.Vulnerability.scan.schedule_uuidStringThe schedule UUID for the scan that found the vulnerability.
TenableIO.Vulnerability.scan.started_atDateThe ISO timestamp when the scan started.
TenableIO.Vulnerability.scan.uuidStringThe UUID of the scan that found the vulnerability.
TenableIO.Vulnerability.severityStringThe severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score.
TenableIO.Vulnerability.severity_idNumberThe code for the severity assigned when a user recast the risk associated with the vulnerability.
TenableIO.Vulnerability.severity_default_idNumberThe code for the severity originally assigned to a vulnerability before a user recast the risk associated with the vulnerability.
TenableIO.Vulnerability.severity_modification_typeStringThe type of modification a user made to the vulnerability's severity.
TenableIO.Vulnerability.first_foundDateThe ISO date when a scan first detected the vulnerability on the asset.
TenableIO.Vulnerability.last_fixedDateThe ISO date when a scan no longer detects the previously detected vulnerability on the asset.
TenableIO.Vulnerability.last_foundDateThe ISO date when a scan last detected the vulnerability on the asset.
TenableIO.Vulnerability.stateStringThe state of the vulnerability as determined by the Tenable.io state service.
TenableIO.Vulnerability.indexedDateThe date and time (in Unix time) when the vulnerability was indexed into Tenable.io.

Command example#

!tenable-io-export-vulnerabilities numAssets=500

Context Example#

{
"TenableIO": {
"Vulnerability": [
{
"asset": {
"device_type": "general-purpose",
"fqdn": "fqdn",
"hostname": "1.1.1.1",
"ipv4": "1.1.1.1",
"last_unauthenticated_results": "2024-11-07T11:11:05.906Z",
"network_id": "00000000-0000-0000-0000-000000000000",
"operating_system": [
"Linux Kernel 3.13 on Ubuntu 14.04 (trusty)"
],
"tracked": true,
"uuid": "fake_uuid"
},
"first_found": "2024-11-07T11:11:05.906Z",
"indexed": "2024-11-07T11:11:05.906Z",
"last_fixed": "2024-11-07T11:11:05.906Z",
"last_found": "2024-11-07T11:11:05.906Z",
"output": "outputs",
"plugin": {
"checks_for_default_account": false,
"checks_for_malware": false,
"cvss3_base_score": 0,
"cvss3_temporal_score": 0,
"cvss_base_score": 0,
"cvss_temporal_score": 0,
"description": "Description",
"exploit_available": false,
"exploit_framework_canvas": false,
"exploit_framework_core": false,
"exploit_framework_d2_elliot": false,
"exploit_framework_exploithub": false,
"exploit_framework_metasploit": false,
"exploited_by_malware": false,
"exploited_by_nessus": false,
"family": "General",
"family_id": 30,
"has_patch": false,
"id": 00000,
"in_the_news": false,
"modification_date": "2024-11-07T11:11:05Z",
"name": "Name",
"publication_date": "2024-11-07T11:11:05Z",
"risk_factor": "None",
"see_also": [
""
],
"solution": "N/A",
"synopsis": "synopsis",
"type": "remote",
"unsupported_by_vendor": false,
"version": "$Revision: 1.16 $"
},
"port": {
"port": 0,
"protocol": "TCP"
},
"scan": {
"completed_at": "2024-11-07T11:11:05.906Z",
"schedule_uuid": "fake_uuid",
"started_at": "2024-11-07T11:11:05.906Z",
"uuid": "fake_uuid"
},
"severity": "info",
"severity_default_id": 0,
"severity_id": 0,
"severity_modification_type": "NONE",
"state": "OPEN"
},
{
"asset": {
"device_type": "general-purpose",
"fqdn": "fqdn",
"hostname": "1.3.2.1",
"ipv4": "1.3.2.1",
"last_unauthenticated_results": "2024-11-07T11:11:05Z",
"network_id": "00000000-0000-0000-0000-000000000000",
"operating_system": [
"Nutanix"
],
"tracked": true,
"uuid": "fake_uuid"
},
"first_found": "2024-11-07T11:11:05.906Z",
"indexed": "2024-11-07T11:11:05.906Z",
"last_fixed": "2024-11-07T11:11:05.906Z",
"last_found": "2024-11-07T11:11:05.906Z",
"output": "outputs",
"plugin": {
"checks_for_default_account": false,
"checks_for_malware": false,
"cvss3_base_score": 0,
"cvss3_temporal_score": 0,
"cvss_base_score": 0,
"cvss_temporal_score": 0,
"description": "Description",
"exploit_available": false,
"exploit_framework_canvas": false,
"exploit_framework_core": false,
"exploit_framework_d2_elliot": false,
"exploit_framework_exploithub": false,
"exploit_framework_metasploit": false,
"exploited_by_malware": false,
"exploited_by_nessus": false,
"family": "SMTP problems",
"family_id": 12,
"has_patch": false,
"id": 00000,
"in_the_news": false,
"modification_date": "2024-11-07T11:11:05Z",
"name": "Name",
"publication_date": "2024-11-07T11:11:05Z",
"risk_factor": "None",
"see_also": [],
"solution": "N/A",
"synopsis": "synopsis.",
"type": "remote",
"unsupported_by_vendor": false,
"version": "1.12"
},
"port": {
"port": 25,
"protocol": "TCP",
"service": "smtp"
},
"scan": {
"completed_at": "2024-11-07T11:11:05.906Z",
"schedule_uuid": "fake_uuid",
"started_at": "2024-11-07T11:11:05.906Z",
"uuid": "fake_uuid"
},
"severity": "info",
"severity_default_id": 0,
"severity_id": 0,
"severity_modification_type": "NONE",
"state": "OPEN"
},
]
}
}

Human Readable Output#

Export Vulnerabilities Results:#

ASSET IDASSET NAMEIPV4 ADDRESSOPERATING SYSTEMSYSTEM TYPEDNS NAME (FQDN)SEVERITYPLUGIN IDPLUGIN NAMEVULNERABILITY PRIORITY RATINGCVSSV2 BASE SCORECVEPROTOCOLPORTFIRST SEENLAST SEENDESCRIPTIONSOLUTION
fake_uuid1.1.1.11.1.1.1Linux Kernel 3.13 on Ubuntu 14.04 (trusty)general-purposefqdninfo00000NameTCP222024-11-07T11:11:05.906Z2024-11-07T11:11:05.906ZDescriptionN/A
fake_uuid1.3.2.11.3.2.1Nutanixgeneral-purposefqdninfo00000NameTCP02024-11-07T11:11:05.906Z2024-11-07T11:11:05.906ZDescriptionN/A

tenable-io-list-scan-filters#


Lists the filtering, sorting, and pagination capabilities available for scan records on endpoints/commands that support them.

Base Command#

tenable-io-list-scan-filters

Input#


There are no inputs for this command.

Context Output#

PathTypeDescription
TenableIO.ScanFilter.nameStringThe name of the scan filter.
TenableIO.ScanFilter.readable_nameStringThe readable name of the scan filter.
TenableIO.ScanFilter.control.typeStringThe type of control associated with the scan filter.
TenableIO.ScanFilter.control.regexStringThe regular expression used by the scan filter.
TenableIO.ScanFilter.control.readable_regexStringAn example expression that the filter's regular expression would match.
TenableIO.ScanFilter.operatorsStringThe operators available for the scan filter.
TenableIO.ScanFilter.group_nameStringThe group name associated with the scan filter.

Command example#

!tenable-io-list-scan-filters

Context Example#

{
"TenableIO": {
"ScanFilter": [
{
"control": {
"readable_regex": "01234567-abcd-ef01-2345-6789abcdef01",
"regex": "[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}(,[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})*",
"type": "entry"
},
"group_name": null,
"name": "host.id",
"operators": [
"eq",
"neq",
"match",
"nmatch"
],
"readable_name": "Asset ID"
},
{
"control": {
"maxlength": 18,
"readable_regex": "NUMBER",
"regex": "^[0-9]+(,[0-9]+)*",
"type": "entry"
},
"group_name": null,
"name": "plugin.attributes.bid",
"operators": [
"eq",
"neq",
"match",
"nmatch"
],
"readable_name": "Bugtraq ID"
}
]
}
}

Human Readable Output#

Tenable IO Scan Filters#

Filter nameFilter Readable nameFilter Control typeFilter regexReadable regexFilter operators
host.idAsset IDentry[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}(,[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})*01234567-abcd-ef01-2345-6789abcdef01eq,
neq,
match,
nmatch
plugin.attributes.bidBugtraq IDentry^[0-9]+(,[0-9]+)*NUMBEReq,
neq,
match,
nmatch

tenable-io-get-scan-history#


Lists the individual runs of the specified scan.

Base Command#

tenable-io-get-scan-history

Input#

Argument NameDescriptionRequired
scanIdThe ID of the scan of which to get the runs.Required
sortFieldsA comma-separated list of fields by which to sort, in the order defined by "sortOrder". Possible values are: start_date, end_date, status.Optional
sortOrderA comma-separated list of directions in which to sort the fields defined by "sortFields".
If multiple directions are chosen, they will be sequentially matched with "sortFields".
If only one direction is chosen it will be used to sort all values in "sortFields".
For example:
If sortFields is "start_date,status" and sortOrder is "asc,desc",
then start_date is sorted in ascending order and status in descending order.
If sortFields is "start_date,status" and sortOrder is simply "asc",
then both start_date and status are sorted in ascending order.
. Possible values are: asc, desc. Default is asc.
Optional
excludeRolloverWhether to exclude rollover scans from the scan history. Possible values are: true, false. Default is false.Optional
pageThe page number of scan records to retrieve (used for pagination) starting from 1. The page size is defined by the "pageSize" argument.Optional
pageSizeThe number of scan records per page to retrieve (used for pagination). The page number is defined by the "page" argument.Optional
limitThe maximum number of records to retrieve. If "pageSize" is defined, this argument is ignored. Default is 50.Optional

Context Output#

PathTypeDescription
TenableIO.ScanHistory.time_endNumberThe end time of the scan.
TenableIO.ScanHistory.scan_uuidStringThe UUID (Universally Unique Identifier) of the scan.
TenableIO.ScanHistory.idNumberThe ID of the scan history.
TenableIO.ScanHistory.is_archivedBooleanIndicates whether the scan is archived or not.
TenableIO.ScanHistory.time_startNumberThe start time of the scan.
TenableIO.ScanHistory.visibilityStringThe visibility of the scan.
TenableIO.ScanHistory.targets.customBooleanIndicates whether custom targets were used in the scan.
TenableIO.ScanHistory.targets.defaultBooleanIndicates whether the default targets were used in the scan.
TenableIO.ScanHistory.statusStringThe status of the scan.

Command example#

!tenable-io-get-scan-history scanId=16 excludeRollover=true sortFields=end_date,status sortOrder=desc page=2 pageSize=4

Context Example#

{
"TenableIO": {
"ScanHistory": [
{
"id": 17235445,
"is_archived": true,
"reindexing": null,
"scan_uuid": "69a55b8e-0d52-427a-81e0-7dfe4dc6eda6",
"status": "completed",
"targets": {
"custom": null,
"default": false
},
"time_end": 1677425182,
"time_start": 1677424566,
"visibility": "public"
},
{
"id": 17235342,
"is_archived": true,
"reindexing": null,
"scan_uuid": "2c592d52-df56-42e0-9f18-d892bdeb1e18",
"status": "completed",
"targets": {
"custom": null,
"default": false
},
"time_end": 1677424556,
"time_start": 1677423906,
"visibility": "public"
},
{
"id": 17235033,
"is_archived": true,
"reindexing": null,
"scan_uuid": "44586b4f-1051-415c-b375-db86f6bd8c13",
"status": "completed",
"targets": {
"custom": null,
"default": false
},
"time_end": 1677423865,
"time_start": 1677423247,
"visibility": "public"
},
{
"id": 17234969,
"is_archived": true,
"reindexing": null,
"scan_uuid": "06c12bf7-436f-489d-bb04-aae511ea9f5c",
"status": "completed",
"targets": {
"custom": null,
"default": false
},
"time_end": 1677423205,
"time_start": 1677422585,
"visibility": "public"
}
]
}
}

Human Readable Output#

Tenable IO Scan History#

History idHistory uuidStatusIs archivedTargets defaultVisibilityTime startTime end
1723544569a55b8e-0d52-427a-81e0-7dfe4dc6eda6completedtruefalsepublic16774245661677425182
172353422c592d52-df56-42e0-9f18-d892bdeb1e18completedtruefalsepublic16774239061677424556
1723503344586b4f-1051-415c-b375-db86f6bd8c13completedtruefalsepublic16774232471677423865
1723496906c12bf7-436f-489d-bb04-aae511ea9f5ccompletedtruefalsepublic16774225851677423205

tenable-io-export-scan#


Export and download a scan report. Scan results older than 35 days are supported in Nessus and CSV formats only, and filters cannot be applied. Scans that are actively running cannot be exported (run "tenable-io-list-scans" to view scan statuses)

Base Command#

tenable-io-export-scan

Input#

Argument NameDescriptionRequired
scanIdThe identifier for the scan to export. Run the "tenable-io-list-scans" command to get all available scans.Required
historyIdThe unique identifier of the historical data to export. Run the "tenable-io-get-scan-history" command to get history IDs.Optional
historyUuidThe UUID of the historical data to export. Run the "tenable-io-get-scan-history" command to get history UUIDs.Optional
formatThe file format to export the scan in. Scans can be export in the HTML and PDF formats for up to 35 days.
For scans that are older than 35 days, only the Nessus and CSV formats are supported.
The "chapters" argument must be defined if the chosen format is HTML or PDF.
. Possible values are: Nessus, HTML, PDF, CSV. Default is CSV.
Required
chaptersA comma-separated list of chapters to include in the export. This argument is required if the file format is PDF or HTML. Possible values are: vuln_hosts_summary, vuln_by_host, compliance_exec, remediations, vuln_by_plugin, compliance.Optional
filterA comma-separated list of filters, in the format of "name quality value" to apply to the exported scan report.
Example: "port.protocol eq tcp, plugin_id eq 1234567"
Note: when used literally, commas and spaces should be escaped. (i.e. "\\," for comma and "\\s" for space)
Filters cannot be applied to scans older than 35 days.
Run "tenable-io-list-scan-filters" to get all available filters, ("Filter name" (name), "Filter operators" (quality) and "Readable regex" (value) in response).
For more information: https://developer.tenable.com/docs/scan-export-filters-tio
.
Optional
filterSearchTypeFor multiple filters, specifies whether to use the AND or the OR logical operator. Possible values are: AND, OR. Default is AND.Optional
assetIdThe ID of the asset scanned.Optional

Context Output#

PathTypeDescription
InfoFile.SizenumberThe size of the file in bytes.
InfoFile.NamestringThe name of the file.
InfoFile.EntryIDstringThe War Room entry ID of the file.
InfoFile.InfostringThe format and encoding of the file.
InfoFile.TypestringThe type of the file.
InfoFile.ExtensionunknownThe file extension of the file.

Command example#

!tenable-io-export-scan scanId=16 format=HTML chapters="compliance_exec,remediations,vuln_by_plugin" historyId=19540157 historyUuid=f7eaad37-23bd-4aac-a979-baab0e9a465b filterSearchType=OR filter="port.protocol eq tcp, plugin_id eq 1234567" assetId=10

Human Readable Output#

Preparing scan report:

Returned file: scan_16_SSE-144f3dc6-cb2d-42fc-b6cc-dd20b807735f-html.html Download

tenable-io-get-audit-logs#


Returns audit logs extracted from Tenable io.

Base Command#

tenable-io-get-audit-logs

Input#

Argument NameDescriptionRequired
should_push_eventsSet this argument to True in order to create events, otherwise the command will only display the events. Possible values are: true, false. Default is false.Required
limitThe maximum number of alerts to return (maximum value - 5000).Optional
from_dateReturn events that occurred after the specified date.Optional
to_dateReturn events that occurred before the specified date.Optional
actor_idReturn events that contain the specified actor UUID.Optional
target_idReturn events matching the specified target UUID.Optional

Context Output#

There is no context output for this command.

Command example#

!tenable-io-get-audit-logs limit=1

Human Readable Output#

Audit Logs List:#

ActionActorCrudDescriptionFieldsIdIs AnonymousIs FailureReceivedTarget
user.createid: testc{'key': 'X-Access-Type', 'value': 'apikey'},
{'key': 'X-Forwarded-For', 'value': '1.2.3.4'},
{'key': 'X-Request-Uuid', 'value': '12:12:12:12:12'}
12truefalse2022-05-18T16:33:02Zid: 12-1-1-1-1
name: test@test.com
type: User