Tenable.io
This Integration is part of the Tenable.io Pack.#
Overview
Use the Tenable.io integration to manage scans and asset vulnerabilities.
This integration was integrated and tested with the November 2018 release of Tenable.io.
Configure Tenable.io on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Tenable.io.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL
- Access Key
- Secret Key
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a list of scans: tenable-io-list-scans
- Launch a scan: tenable-io-launch-scan
- Get a scan report: tenable-io-get-scan-report
- Get information for a vulnerability: tenable-io-get-vulnerability-details
- Get a list of vulnerabilities for an asset: tenable-io-get-vulnerabilities-by-asset
- Check the status of a scan: tenable-io-get-scan-status
- Pause a scan: tenable-io-pause-scan
- Resume a scan: tenable-io-resume-scan
- Get asset details: tenable-io-get-asset-details
1. Get a list of scans
Retrieves a list of scans from the Tenable platform.
Base Command
tenable-io-list-scansInput
| Argument Name | Description | Required |
|---|---|---|
| folderId | The ID of the folder whose scans should be listed. Scans are stored in specific folders on Tenable, e.g.: folderId=8. | Optional |
| lastModificationDate | Limit the results to those that have only changed since this time. Format: YYYY-MM-DD | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | number | The unique ID of the scan. |
| TenableIO.Scan.Name | string | The name of the scan. |
| TenableIO.Scan.Target | string | The targets to scan. |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped)". |
| TenableIO.Scan.StartTime | date | The scheduled start time for the scan. |
| TenableIO.Scan.EndTime | date | The scheduled end time for the scan. |
| TenableIO.Scan.Enabled | boolean | If true, the schedule for the scan is enabled. |
| TenableIO.Scan.Type | string | The type of scan ("local", "remote", or "agent"). |
| TenableIO.Scan.Owner | string | The owner of the scan. |
| TenableIO.Scan.Scanner | string | The scanner assigned for the scan. |
| TenableIO.Scan.Policy | string | The policy assigned for the scan. |
| TenableIO.Scan.CreationDate | date | The creation date for the scan in Unix time. |
| TenableIO.Scan.LastModificationDate | date | The last modification date for the scan in Unix time. |
| TenableIO.Scan.FolderId | number | The unique ID of the folder where the scan has been stored. |
Command Example
!tenable-io-list-scans
Human Readable Output
Tenable.io - List of Scans
| FolderId | Id | Name | Targets | Status | StartTime | EndTime | Enabled | Type | Owner | Scanner | Policy | CreationDate | LastModificationDate |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8 | 20 | artTest | anorton.ddns.net | completed | Tue Sep 18 15:12:47 2018 | Tue Sep 18 15:23:53 2018 | false | ps | owner@demisto.com | US Cloud Scanner | Basic Network Scan | Tue Sep 18 15:12:47 2018 | Tue Sep 18 15:23:53 2018 |
| 15 | 13 | Test 2 | www.google.com | completed | Wed Oct 31 14:36:45 2018 | Wed Oct 31 16:41:45 2018 | true | ps | owner@demisto.com | US Cloud Scanner | PCI Quarterly External Scan | Wed Oct 31 14:36:45 2018 | Wed Oct 31 16:41:45 2018 |
| 8 | 10 | Test Scan - 1 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | running | Mon Nov 12 12:31:17 2018 | false | ps | owner@demisto.com | US Cloud Scanner | Advanced Network Scan | Mon Nov 12 12:31:17 2018 | Mon Nov 12 12:31:47 2018 | |
| 7 | 15 | Test 3 - Prasen | 192.168.1.1-192.168.1.255,www.google.com,93.174.93.1-93.174.93.255, 82.211.30.0/24, www.google.com | completed | Tue Jul 3 23:00:36 2018 | Wed Jul 4 01:59:44 2018 | true | ps | owner@demisto.com | US Cloud Scanner | Advanced Network Scan | Tue Jul 3 23:00:36 2018 | Wed Jul 4 01:59:44 2018 |
| - | 22 | z | empty | false | owner@demisto.com | US Cloud Scanner | Advanced Network Scan |
Inactive Web Applications Scans - Renew WAS license to use these scans
| Id | Name | Status | Enabled | Type | Owner | CreationDate | LastModificationDate |
|---|---|---|---|---|---|---|---|
| 18 | Test - Web | canceled | false | webapp | owner@demisto.com | Thu Jul 19 11:13:03 2018 | Thu Jul 19 11:17:51 2018 |
2. Launch a scan
Launches a scan with existing or custom targets. You can specify custom targets in the command arguments.
Base Command
tenable-io-launch-scanInput
| Argument Name | Description | Required |
|---|---|---|
| scanId | The ID of the scan to launch. | Required |
| scanTargets | If specified, targets to be scanned instead of the default. This value can be an array where each index is a target, or an array with a single index of comma-separated targets. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | number | The unique ID of the scan. |
| TenableIO.Scan.Targets | string | The targets to scan. |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped"). |
Command Example
!tenable-io-launch-scan scan-id="10" scan-targets="216.75.62.8, 80.82.77.139, 60.191.38.77"Human Readable Output
The requested scan was launched successfully
| Id | Targets | Status |
|---|---|---|
| 10 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | pending |
3. Get a scan report
Retrieves a scan report for the specified scan.
Base Command
tenable-io-get-scan-reportInput
| Argument Name | Description | Required |
|---|---|---|
| scanId | The ID of the scan to retrieve. | Required |
| detailed | If true, the report will contain remediation and host information for the specified scan. Otherwise, the report will only contain vulnerabilities. | Optional |
| info | Whether to return the basic details of the specified scan. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | number | The unique ID of the scan. |
| TenableIO.Scan.Name | string | The name of the scan. |
| TenableIO.Scan.Targets | string | The targets to scan. |
| TenableIO.Scan.Status | string | The status of the scan ("completed", "aborted", "imported", "pending", "running", "resuming", "canceling", "cancelled", "pausing", "paused", "stopping", "stopped"). |
| TenableIO.Scan.StartTime | string | The scheduled start time for the scan. |
| TenableIO.Scan.EndTime | string | The scheduled end time for the scan. |
| TenableIO.Scan.Scanner | string | The scanner assigned to the scan. |
| TenableIO.Scan.Policy | string | The policy assigned to the scan. |
| TenableIO.Vulnerabilities.Id | string | The unique ID of the vulnerability. |
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability. |
| TenableIO.Vulnerabilities.Severity | number | The severity level of the vulnerability. |
| TenableIO.Vulnerabilities.Description | string | The description of the vulnerability. |
| TenableIO.Vulnerabilities.Synopsis | string | A brief summary of the vulnerability. |
| TenableIO.Vulnerabilities.Solution | string | Information on how to fix the vulnerability. |
| TenableIO.Vulnerabilities.FirstSeen | date | When the vulnerability was first seen. |
| TenableIO.Vulnerabilities.LastSeen | date | When the vulnerability was last seen. |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | A count of the vulnerability occurrences. |
| TenableIO.Assets.Hostname | string | The name of the host. |
| TenableIO.Assets.Score | number | The overall score for the host. |
| TenableIO.Assets.Critical | number | The percentage of critical findings on the host. |
| TenableIO.Assets.High | number | The number of high findings on the host. |
| TenableIO.Assets.Medium | number | The number of medium findings on the host. |
| TenableIO.Assets.Low | number | The number of low findings on the host. |
| TenableIO.Remediations.Id | string | The unique ID of the remediation. |
| TenableIO.Remediations.Description | string | Specific information related to the vulnerability and steps to remediate. |
| TenableIO.Remediations.AffectedHosts | number | The number of hosts affected. |
| TenableIO.Remediations.AssociatedVulnerabilities | number | The number of vulnerabilities associated with the remedy. |
Command Example
!tenable-io-get-scan-report scan-id="10" detailed="yes" info="yes"Human Readable Output
Scan basic info
| Id | Name | Targets | Status | StartTime | EndTime | Scanner | Policy |
|---|---|---|---|---|---|---|---|
| 10 | Test Scan - 1 | 216.75.62.8, 80.82.77.139, 60.191.38.77 | completed | Mon Nov 12 12:31:17 2018 | Mon Nov 12 12:36:03 2018 | US Cloud Scanner | Advanced Network Scan |
Vulnerabilities
| Id | Name | Severity | Description | Synopsis | Solution | FirstSeen | LastSeen | VulnerabilityOccurences |
|---|---|---|---|---|---|---|---|---|
| 10881 | SSH Protocol Versions Supported | None | This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. | A SSH server is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2 | |
| 10114 | ICMP Timestamp Request Remote Date Disclosure | None |
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. |
It is possible to determine the exact time set on the remote host. | Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 46 |
| 110723 | No Credentials Provided | None | Nessus was unable to execute credentialed checks because no credentials were provided. | Nessus was able to find common ports used for local checks, however, no credentials were provided in the scan policy. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 8 | |
| 25220 | TCP/IP Timestamps Supported | None | The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. | The remote service implements TCP timestamps. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 | |
| 70657 | SSH Algorithms and Languages Supported | None | This script detects which algorithms and languages are supported by the remote service for encrypting communications. | An SSH server is listening on this port. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 19 | |
| 71049 | SSH Weak MAC Algorithms Enabled | Low |
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions. |
The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms. | Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 5 |
| 53335 | RPC portmapper (TCP) | None |
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. |
An ONC RPC portmapper is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 | |
| 70658 | SSH Server CBC Mode Ciphers Enabled | Low |
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. |
The SSH server is configured to use Cipher Block Chaining. | Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 5 |
| 11154 | Unknown Service Detection: Banner Retrieval | None | Nessus was unable to identify a service on the remote host even though it returned a banner of some type. | There is an unknown service running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 75 | |
| 12053 | Host Fully Qualified Domain Name (FQDN) Resolution | None | Nessus was able to resolve the fully qualified domain name (FQDN) of the remote host. | It was possible to resolve the name of the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 98 | |
| 45590 | Common Platform Enumeration (CPE) | None |
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. |
It was possible to enumerate CPE names that matched on the remote system. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 78 | |
| 10884 | Network Time Protocol (NTP) Server Detection | None | An NTP server is listening on port 123. If not securely configured, it may provide information about its version, current date, current time, and possibly system information. | An NTP server is listening on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 | |
| 10267 | SSH Server Type and Version Information | None | It is possible to obtain information about the remote SSH server by sending an empty authentication request. | An SSH server is listening on this port. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 38 | |
| 81052 | Openswan < 2.6.36 IKE Packet NULL Pointer Dereference Remote DoS | Medium | The remote host is running a version of Openswan prior to version 2.6.36. It is, therefore, affected by a remote denial of service vulnerability due to a NULL pointer dereference flaw. A remote attacker, using a specially crafted ISAKMP message with an invalid KEY_LENGTH attribute, can cause a denial of service. | The remote host is affected by a remote denial of service vulnerability. | Upgrade to Openswan 2.6.36 or later. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 81053 | Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS | Medium | The remote host is running a version of Openswan prior to version 2.6.37. It is, therefore, affected by a remote denial of service vulnerability due to a use-after-free flaw in the cryptographic helper handler. A remote attacker can exploit this issue to cause a denial of service. | The remote host is affected by a remote denial of service vulnerability. | Upgrade to Openswan version 2.6.37 or later. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 66334 | Patch Report | None | The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date. | The remote host is missing several patches. | Install the patches listed below. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 18 |
| 11935 | IPSEC Internet Key Exchange (IKE) Version 1 Detection | None |
The remote host seems to be enabled to do Internet Key Exchange (IKE) version 1. This is typically indicative of a VPN server. VPN servers are used to connect remote hosts into internal resources.
Make sure that the use of this VPN endpoint is done in accordance with your corporate security policy. Note that if the remote host is not configured to allow the Nessus host to perform IKE/IPSEC negotiations, Nessus won't be able to detect the IKE service. Also note that this plugin does not run over IPv6. |
A VPN server is listening on the remote port. | If this service is not needed, disable it or filter incoming traffic to this port. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2 |
| 11936 | OS Identification | None | Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. | It is possible to guess the remote operating system. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 56 | |
| 46215 | Inconsistent Hostname and IP Address | None |
The name of this machine either does not resolve or resolves to a different IP address.
This may come from a badly configured reverse DNS or from a host file in use on the Nessus scanning host. As a result, URLs in plugin output may not be directly usable in a web browser and some web tests may be incomplete. |
The remote host's hostname is not consistent with DNS information. | Fix the reverse DNS or host file. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 58 |
| 19506 | Nessus Scan Information | None |
This plugin displays, for each tested host, information about the scan itself :
- The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. |
This plugin displays information about the Nessus scan. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 187 | |
| 22964 | Service Detection | None | Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. | The remote service could be identified. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 30 | |
| 90317 | SSH Weak Algorithms Supported | Medium | Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys. | The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. | Contact the vendor or consult product documentation to remove the weak ciphers. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 |
| 11219 | Nessus SYN scanner | None |
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. |
It is possible to determine which TCP ports are open. | Protect your target with an IP filter. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 324 |
| 54615 | Device Type | None | Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). | It is possible to guess the remote device type. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 14 | |
| 39520 | Backported Security Patch Detection (SSH) | None |
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. |
Security patches are backported. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 | |
| 11111 | RPC Services Enumeration | None | By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. | An ONC RPC service is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 32 | |
| 10223 | RPC portmapper Service Detection | None |
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. |
An ONC RPC portmapper is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 1 | |
| 117886 | Local Checks Not Enabled (info) | None |
Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the scan. Credentials may not have been provided, local checks may not be available for the target, the target may not have been identified, or another issue may have occurred that prevented local checks from being enabled. See plugin output for details.
This plugin reports informational findings related to local checks not being enabled. For failure information, see plugin 21745 : 'Authentication Failure - Local Checks Not Run'. |
Local checks were not enabled. | 2018-10-25T12:51:05.830Z | 2018-11-12T12:34:11.622Z | 1 |
Vulnerabilities - Missing From Workbench
| Id | VulnerabilityOccurences | Severity |
|---|---|---|
| 27576 | 1 | 0 |
| 60020 | 1 | 0 |
| 33930 | 1 | 0 |
Assets
| Hostname | Score | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| 216.75.62.8 | 24 | 0 | 0 | 0 | 0 |
| 80.82.77.139 | 23 | 0 | 0 | 0 | 0 |
| 60.191.38.77 | 332 | 0 | 0 | 3 | 2 |
Remediations
| Id | Description | AffectedHosts | AssociatedVulnerabilities |
|---|---|---|---|
| 68e52411b3ca69f756a5a7fc219a3d71 | Openswan < 2.6.37 Cryptographic Helper Use-After-Free Remote DoS: Upgrade to Openswan version 2.6.37 or later. | 1 | 1 |
4. Get information for a vulnerability
Retrieves details for the specified vulnerability.
Base Command
tenable-io-get-vulnerability-detailsInput
| Argument Name | Description | Required |
|---|---|---|
| vulnerabilityId | The unique ID of the vulnerability. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability. |
| TenableIO.Vulnerabilities.Severity | number | Integer [0-4] indicating how severe the vulnerability is, where 0 is info only. |
| TenableIO.Vulnerabilities.Type | string | The type of the vulnerability. |
| TenableIO.Vulnerabilities.Family | string | Object containing plugin information such as family, type, and publication and modification dates. |
| TenableIO.Vulnerabilities.Description | string | The description of the vulnerability. |
| TenableIO.Vulnerabilities.Synopsis | string | A brief summary of the vulnerability. |
| TenableIO.Vulnerabilities.Solution | string | Information on how to fix the vulnerability. |
| TenableIO.Vulnerabilities.FirstSeen | date | When the vulnerability was first seen. |
| TenableIO.Vulnerabilities.LastSeen | date | When the vulnerability was last seen. |
| TenableIO.Vulnerabilities.PublicationDate | date | The publication date of the vulnerability. |
| TenableIO.Vulnerabilities.ModificationDate | date | The last modification date for the vulnerability in Unix time. |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | A count of the vulnerability occurrences. |
| TenableIO.Vulnerabilities.CvssVector | string | The Common Vulnerability Scoring System vector. |
| TenableIO.Vulnerabilities.CvssBaseScore | string | The Common Vulnerability Scoring System allotted base score. |
| TenableIO.Vulnerabilities.Cvss3Vector | string | The Common Vulnerability Scoring System version 3 vector. |
| TenableIO.Vulnerabilities.Cvss3BaseScore | string | The Common Vulnerability Scoring System version 3 allotted base score. |
Command Example
!tenable-io-get-vulnerability-details vulnerability-id=10881Human Readable Output
Vulnerability details - 10881
| Name | Severity | Type | Family | Description | Synopsis | FirstSeen | LastSeen | PublicationDate | ModificationDate | VulnerabilityOccurences |
|---|---|---|---|---|---|---|---|---|---|---|
| SSH Protocol Versions Supported | None | remote | General | This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. | A SSH server is running on the remote host. | 2018-07-03T22:08:05.242Z | 2018-11-12T12:34:11.622Z | 2002-03-06T00:00:00Z | 2017-05-30T00:00:00Z | 2 |
5. Get a list of vulnerabilities for an asset
Gets a list of up to 5000 the vulnerabilities recorded for a specified asset.
Base Command
tenable-io-get-vulnerabilities-by-assetInput
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of the asset. | Optional |
| ip | IP of the asset. | Optional |
| dateRange | The number of days of data prior to and including today that should be returned. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Assets.Hostname | number | Hostname of the asset. |
| TenableIO.Assets.Vulnerabilities | number | A list of all the vulnerability IDs associated with the asset. |
| TenableIO.Vulnerabilities.Id | number | The vulnerability unique ID. |
| TenableIO.Vulnerabilities.Name | string | The name of the vulnerability. |
| TenableIO.Vulnerabilities.Severity | number | Integer [0-4] indicating how severe the vulnerability is, where 0 is info only. |
| TenableIO.Vulnerabilities.Family | string | The vulnerability family. |
| TenableIO.Vulnerabilities.VulnerabilityOccurences | number | The number of times the vulnerability was found. |
| TenableIO.Vulnerabilities.VulnerabilityState | string | The current state of the reported vulnerability ("Active", "Fixed", "New", etc.). |
Command Example
!tenable-io-get-vulnerabilities-by-asset hostname=debian8628.aspadmin.netHuman Readable Output
Vulnerabilities for asset debian8628.aspadmin.net
| Id | Name | Severity | Family | VulnerabilityOccurences | VulnerabilityState |
|---|---|---|---|---|---|
| 11111 | RPC Services Enumeration | None | Service detection | 4 | Active |
| 11219 | Nessus SYN scanner | None | Port scanners | 2 | Active |
| 10114 | ICMP Timestamp Request Remote Date Disclosure | None | General | 1 | Active |
| 10223 | RPC portmapper Service Detection | None | RPC | 1 | Active |
| 10267 | SSH Server Type and Version Information | None | Service detection | 1 | Resurfaced |
| 10881 | SSH Protocol Versions Supported | None | General | 1 | Resurfaced |
| 10884 | Network Time Protocol (NTP) Server Detection | None | Service detection | 1 | Active |
| 11936 | OS Identification | None | General | 1 | Resurfaced |
| 12053 | Host Fully Qualified Domain Name (FQDN) Resolution | None | General | 1 | Active |
| 19506 | Nessus Scan Information | None | Settings | 1 | Resurfaced |
| 22964 | Service Detection | None | Service detection | 1 | Resurfaced |
| 25220 | TCP/IP Timestamps Supported | None | General | 1 | Resurfaced |
| 39520 | Backported Security Patch Detection (SSH) | None | General | 1 | Resurfaced |
| 45590 | Common Platform Enumeration (CPE) | None | General | 1 | Resurfaced |
| 46215 | Inconsistent Hostname and IP Address | None | Settings | 1 | Active |
| 53335 | RPC portmapper (TCP) | None | RPC | 1 | Active |
| 54615 | Device Type | None | General | 1 | Resurfaced |
| 70657 | SSH Algorithms and Languages Supported | None | Misc. | 1 | Resurfaced |
| 110723 | No Credentials Provided | None | Settings | 1 | Resurfaced |
| 117886 | Local Checks Not Enabled (info) | None | Settings | 1 |
6. Check the status of a scan
Checks the status of a specific scan using the scan ID. Possible statuses include: "Running", "Completed", and "Empty" (Ready to run).
Base Command
tenable-io-get-scan-statusInput
| Argument Name | Description | Required |
|---|---|---|
| scanId | The unique ID of the scan. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | string | The unique ID of the scan. |
| TenableIO.Scan.Status | string | The status of the scan. |
Command Example
!tenable-io-get-scan-status scan-id=10Human Readable Output
Scan status for 10
| Status | Id |
|---|---|
| completed | 10 |
7. Pause a scan
Pauses all scans inputted as an array. Will pause scans whose status is 'Running'.
Base Command
tenable-io-pause-scanInput
| Argument Name | Description | Required |
|---|---|---|
| scanId | Comma-separated list of scan IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | string | The unique ID of the scan. |
| TenableIO.Scan.Status | string | The status of the scan. |
Command Example
!tenable-io-pause-scan scan-id=10Human Readable Output
The requested scan was paused successfully
| Status | Id |
|---|---|
| Pausing | 10 |
8. Resume a scan
Resumes all scans inputted as an array. Will work resume scans whose status is 'Paused'.
Base Command
tenable-io-resume-scanInput
| Argument Name | Description | Required |
|---|---|---|
| scanId | Comma-separated list of scan IDs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.Scan.Id | string | The unique ID of the scan. |
| TenableIO.Scan.Status | string | The status of the scan. |
Command Example
!tenable-io-resume-scan scan-id=10Human Readable Output
The requested scan was resumed successfully
| Status | Id |
|---|---|
| Resuming | 10 |
9. Get asset details by IP address
Retrieves details for the specified asset to include custom attributes.
Base Command
tenable-io-get-asset-detailsInput
| Argument Name | Description | Required |
|---|---|---|
| ip | IP Address of the asset. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| TenableIO.AssetDetails.attributes | unknown | Array of custom attributes of asset. |
| TenableIO.AssetDetails.counts | unknown | Array of audit statuses and vulnerabilities by type. |
| TenableIO.AssetDetails.created_at | date | Date asset was created. |
| TenableIO.AssetDetails.first_seen | date | Date asset was first seen. |
| TenableIO.AssetDetails.fqdn | unknown | Array of fully-qualified domain names. |
| TenableIO.AssetDetails.id | string | GUID of tenable.io asset. |
| TenableIO.AssetDetails.interfaces | unknown | Array of interface information. |
| TenableIO.AssetDetails.ipv4 | unknown | Array of IPv4 addresses. |
| TenableIO.AssetDetails.operating_system | unknown | Array of operating systems. |
| TenableIO.AssetDetails.tags | unknown | Array of tags added to asset. |
| TenableIO.AssetDetails.updated_at | date | Date the asset was last updated. |
Command Example
!tenable-io-get-asset-details ip=1.3.2.1Human Readable Output
Asset Info for 1.3.2.1
| attributes | fqdn | interfaces | ipv4 | id | last_seen |
|---|---|---|---|---|---|
| {'owner': 'owner@demisto.com'} | 1.2.3.1.bc.googleusercontent.com | {'name': 'UNKNOWN', 'fqdn': ['1.2.3.1.bc.googleusercontent.com'], 'mac_address': [], 'ipv4': ['1.3.2.1'], 'ipv6': []} | 1.3.2.1 | fake_asset_id | 2022-09-07T19:25:28.329Z |