Overview

Powered by Nessus technology, Tenable.io is Tenable’s cloud-based platform for vulnerability management and coverage. It scans and analyzes assets of many types and gathers data on the vulnerabilities found on them. Adding the Tenable.io integration to Hunters enables native vulnerability alerts and lead enrichment.

Supported Datatypes

  • Tenable.io assets - snapshot of all the assets Tenable scans.

  • Tenable.io vulnerabilities - reports on vulnerabilities found by Tenable on scanned assets.

Tenable.io Asset Example
{
    "id": "uuid",
    "has_agent": false,
    "has_plugin_results": true,
    "created_at": "2022-01-01T01:01:11.111Z",
    "terminated_at": null,
    "terminated_by": null,
    "updated_at": "2022-01-01T01:22:01.111Z",
    "deleted_at": null,
    "deleted_by": null,
    "first_seen": "2022-01-01T01:22:01.111Z",
    "last_seen": "2022-01-01T01:22:01.111Z",
    "first_scan_time": "2022-01-01T01:22:01.111Z",
    "last_scan_time": "2022-01-01T01:22:01.111Z",
    "last_authenticated_scan_date": null,
    "last_licensed_scan_date": "2022-01-01T01:22:01.111Z",
    "last_scan_id": "uuid",
    "last_schedule_id": "template-id",
    "azure_vm_id": null,
    "azure_resource_id": null,
    "gcp_project_id": null,
    "gcp_zone": null,
    "gcp_instance_id": null,
    "aws_ec2_instance_ami_id": null,
    "aws_ec2_instance_id": null,
    "agent_uuid": null,
    "bios_uuid": null,
    "network_id": "00000000-0000-0000-0000-000000000000",
    "network_name": "Default",
    "aws_owner_id": null,
    "aws_availability_zone": null,
    "aws_region": null,
    "aws_vpc_id": null,
    "aws_ec2_instance_group_name": null,
    "aws_ec2_instance_state_name": null,
    "aws_ec2_instance_type": null,
    "aws_subnet_id": null,
    "aws_ec2_product_code": null,
    "aws_ec2_name": null,
    "mcafee_epo_guid": null,
    "mcafee_epo_agent_guid": null,
    "servicenow_sysid": null,
    "bigfix_asset_id": null,
    "agent_names": [],
    "installed_software": [],
    "ipv4s": [
        "10.10.10.10"
    ],
    "ipv6s": [],
    "fqdns": [],
    "mac_addresses": [],
    "netbios_names": [],
    "operating_systems": [
        "Linux"
    ],
    "system_types": [
        "general-purpose"
    ],
    "hostnames": [],
    "ssh_fingerprints": [],
    "qualys_asset_ids": [],
    "qualys_host_ids": [],
    "manufacturer_tpm_ids": [],
    "symantec_ep_hardware_keys": [],
    "sources": [
        {
            "name": "NESSUS_SCAN",
            "first_seen": "2022-01-01T01:22:01.111Z",
            "last_seen": "2022-01-01T01:22:01.111Z"
        }
    ],
    "tags": [],
    "network_interfaces": [
        {
            "name": "UNKNOWN",
            "virtual": null,
            "aliased": null,
            "fqdns": [],
            "mac_addresses": [],
            "ipv4s": [
                "10.10.10.10"
            ],
            "ipv6s": []
        }
    ],
}
Tenable.io Vulnerability Example
{
    "asset": {
        "device_type": "general-purpose",
        "hostname": "10.10.10.10",
        "uuid": "uuid",
        "ipv4": "10.10.10.10",
        "last_unauthenticated_results": "2022-04-04T04:04:04Z",
        "operating_system": [
            "Linux"
        ],
        "network_id": "00000000-0000-0000-0000-000000000000",
        "tracked": true
    },
    "output": "\nAn AMQP server was found :\n\n  Protocol : null\n  Version  : 0.0.1\n",
    "plugin": {
        "checks_for_default_account": false,
        "checks_for_malware": false,
        "cpe": [],
        "cvss3_base_score": 0,
        "cvss3_temporal_score": 0,
        "cvss_base_score": 0,
        "cvss_temporal_score": 0,
        "description": "The remote host is running an AMQP server",
        "exploit_available": false,
        "exploit_framework_canvas": false,
        "exploit_framework_core": false,
        "exploit_framework_d2_elliot": false,
        "exploit_framework_exploithub": false,
        "exploit_framework_metasploit": false,
        "exploited_by_malware": false,
        "exploited_by_nessus": false,
        "family": "Service detection",
        "family_id": 1,
        "has_patch": false,
        "id": 12345,
        "in_the_news": false,
        "name": "Advanced Message Queuing Protocol Detection",
        "modification_date": "2022-04-04T04:04:04Z",
        "publication_date": "2009-09-09T09:09:09Z",
        "risk_factor": "None",
        "see_also": [],
        "solution": "N/A",
        "synopsis": "A messaging service is listening on the remote host.",
        "type": "remote",
        "unsupported_by_vendor": false,
        "version": "1.0"
    },
    "port": {
        "port": 1234,
        "protocol": "TCP"
    },
    "scan": {
        "completed_at": "2022-03-04T04:04:04.040Z",
        "schedule_uuid": "template-id",
        "started_at": "2022-03-04T04:04:04.040Z",
        "uuid": "id"
    },
    "severity": "info",
    "severity_id": 0,
    "severity_default_id": 0,
    "severity_modification_type": "NONE",
    "state": "OPEN",
    "first_found": "2022-03-04T04:04:04.040Z",
    "last_found": "2022-04-04T04:04:04.040Z",
    "indexed": "2022-04-04T04:04:04.040Z",
    "sample_time": "2022-04-04T04:04:04.040Z"
}

Sending Data to Hunters

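To integrate Tenable.io with Hunters, provide Hunters with the Access Key and Secret Key exported using this guide by Tenable. To allow Hunters to collect the Assets and Vulnerabilities datatypes, make sure to generate the keys with Administrator permissions, as described in this article by Tenable. Because these keys carry Administrator permissions, treat them as administrator credentials: generate them for a dedicated integration user rather than a personal account, hand them over only through a secure channel, and regenerate them if they may have been exposed.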

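The expected format is the raw JSON provided by Tenable. Time fields are expected as epoch timestamps in milliseconds, in the UTC timezone. Note that the examples above show time fields as ISO 8601 strings, so confirm which representation your export produces.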