Tenable.io

Tenable.io automatically discovers and assesses a customer's environment for vulnerabilities, misconfigurations, and other cybersecurity issues.

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Users
• Vulnerabilities (default: last seen in the last 30 days)
• Software
• Groups
• SaaS Applications
• Network Services
  
  

About Tenable.io

Tenable provides tooling for Vulnerability Assessment, Management, and ultimately Risk-based Vulnerability management. Tenable.io is the cloud platform that provides a rich capability for discovery, assessment, reporting, and prioritization of vulnerabilities across systems and services.

Nessus is a stand-alone scanner used as a Vulnerability Assessment scanner Tenable.sc is the on-premise manager of Nessus scanners for Vulnerability Management across large businesses. ​

Use cases the adapter solves
Discovery and asset enrichment are secondary to the collection of vulnerability (missing patch and configuration) elements The case of unmanaged devices can partially be solved using Tenable.io for automation of enforcing scanning regimes. ​

Data retrieved by Tenable.io
Data collected by each adapter varies slightly between each adapter, and the collective set includes ID (agent-based), OS Type & Distribution, Interfaces / MAC / IP info, CPU, Patches, Software installations, Services & Open Ports, Vulnerabilities, and configuration validation.
Note that the Source field shown in the Axonius Installed Software table for Tenable shows either Direct or Agent Scanning.

• Direct - the information about this source is updated to the Axonius fetch time from Tenable
• Agent Scanning - the information is updated only according to the information fetched by the Tenable Agent, and up to date according to the time that the Tenable agent ran.

​ Related Enforcement Actions

The Tenable.io adapter can add tags and assets, and similarly, Tenable.sc can add IPs to 'Assets'; these capabilities improve scan coverage, in a single action.

• Tenable.io - Add Agent to Agent Group
• Tenable.io - Add IP Addresses to Scan
• Tenable.io - Add IP Addresses to Target Group
• Tenable.io - Add or Remove Tags to/from Assets
• Tenable.io - Create Assets
• Tenable.io - Launch WAS Scan

Parameters

1. Tenable.io Domain (required) - The hostname of the Tenable.io server. When fetching assets and vulnerabilites a different hard-coded domain is used (currently https://cloud.tenable.com).
2. Access API Key and Secret API Key (required) - An API Key associated with a user account that has the Required Permissions to fetch assets.

3. Tenable.io Tags Include list (optional, case sensitive) - Specify a comma-separated list of tag keys in Tenable.io.
   • If supplied, this adapter will only fetch devices from Tenable.io with any of the tag keys provided in this list.
   • If not supplied, this adapter will fetch all devices from Tenable.io.
4. Verify SSL - Select to verify the SSL certificate offered by the value supplied in Tenable.io Domain. For more details, see SSL Trust & CA Settings.
5. HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in Tenable.io Domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Email domain include list (optional) - Enter a comma-separated list of email domains from which only users with email addresses that are connected to this domain are fetched. When the field is empty, users with email addresses from any domain are fetched.

2. Do not fetch devices with no last scan - Select whether to fetch devices without a Last Seen date.

   • If enabled, all connections for this adapter will not fetch devices if they do not have a Last Seen indication.
   • If disabled, all connections for this adapter will fetch devices even if they do not have a Last Seen indication.

3. Do not ingest OS for devices with unauthenticated fetches - Set this option ignore devices from unauthenticated fetches, that is, devices without agents.

4. Scan IDs include list (optional) - Specify a comma-separated list of scan IDs in Tenable.io.

   • If supplied, all connections for this adapter will only fetch devices from Tenable.io scans with the scan IDs provided in this list.
   • If not supplied, all connections for this adapter will fetch all devices from Tenable.io scans.

5. Tags key-value pair allow list (colon separated) (optional) - Enter a list of key-value tags (separated by a colon) to filter assets to fetch. The adapter will only fetch assets having all the key-value pairs of tags listed.

6. Fetch agent data (required, default: true) - Select whether to fetch Tenable.io agent data on each device.

   • If enabled, all connections for this adapter will fetch Tenable.io agent data on each device.
   • If disabled, all connections for this adapter will not fetch Tenable.io agent data on each device.

7. Fetch only agent data - Select whether to only fetch Tenable.io agent data on each device. If this is not selected, everything is fetched.

8. Cancel old export jobs - Set this option so that the adapter will try to cancel old exports jobs before starting a new one (export is the operation the adapter does to fetch assets and vulnerabilities).

9. Fetch scan exclusions - Select to fetch scan exclusion status for Tenable.io devices.

10. Do not fetch devices with no MAC addresses and no hostname - Select to exclude fetching devices without a MAC address and without a hostname.

11. Do not fetch devices with IP in hostname - Select this option to skip devices with IP in the hostname. Example: ip-10-20-30-40.us-east-45.compute.internal

12. Fetch fixed vulnerabilities - Select this option to also fetch vulnerabilities with the state ‘fixed’.

13. Fetch vulnerabilities with severity equal or above this level (required, default: Info) - Select the minimum level of severity to fetch vulnerabilities.

14. Do not fetch installed software - Select whether to not fetch installed software.

15. Fetch vulnerabilities in the background - Select this option to fetch vulnerabilities for devices in the background, and not as part of a fetch. Note that vulnerabilities will be updated in the UI only after a regular fetch.

16. Fetch compliance - will be fetched in background - Select this option so that the adapter will fetch compliance data in the background.

17. Omit dashes from Agent UUID in agent data (optional) - When this option is selected and Fetch agent data is also selected, the dash character is removed from the value retrieved from the Agent UUID field of Tenable.io agent devices.
    Note: The Fetch agent data option must be selected for the Omit dashes... option to properly function.

18. Do not populate fqdns as asset name - Select to not include fully qualified domain names (FQDNs) as asset names.

19. Do not fetch vulnerabilities Select this option to not fetch any vulnerabilities option.

    Note:

    Once you select this option, any other Advanced vulnerabilities configuration options will be ignored.

20. Use agent name as asset name - Select to use an agent name as an asset name.

21. Fetch Windows services from Plugin ID 44401 - Select to fetch data from the Windows services plugin 44401 for each device.

22. Fetch only assets updated at the last X days - Enter a value to fetch only assets updated in those number of days. The default value is empty in which case all assets are fetched (from the beginning of time) (entering 0 also fetches all assets).

23. Compliance scans (optional) - Enter one or more comma-separated scan audit files to parse compliance data.

24. Fetch installed software from Tenable plugins - Select installed software plugins from the drop-down list about which to fetch information.

25. Fetch listed info level plugins - Enter plugin IDs for the adapter to fetch at the info level. Press Enter after each plugin.

26. Fetch network details - Select this option to fetch information about the network to which the device is connected.

27. Do not insert devices with Scan Name in - Enter a comma-separated list of Tenable “scan names”. If devices are in these scan names, they will not be fetched

28. Fetch web applications - Select this option so that the adapter will fetch web applications as assets.

29. Use V2 API for fetching web application vulnerabilities - Select this option to use the API v2 instead of API v3 to fetch web application vulnerabilities.

30. Fetch cloud resources - Select this option so that the adapter will fetch cloud resources as assets. A user who can access the Cloud Module in Tenable.io is required for this setting.

31. Ignore devices that only have this plugin - Enter one or more plugins, for the adapter to not fetch devices that only have plugins with these IDs.

32. Parse SSL certificates from Plugin ID 10863 - Select this option to parse SSL certificate information from plugin ID number 10863.

33. Merge agents and assets in the same tab - Select this option to correlate Tenable.io Assets and Agents and display all the data from them in one tab in the adapter (instead of displaying the default view of each in a separate tab).

34. List of tags to parse as fields - Enter a comma-separated list of tags. The adapter will parse any tags having the key in this list as a dynamic field. If there are multiple tags with the same key the field will be a list.

35. Fetch deleted devices - Select this option so that the adapter will also fetch devices that were deleted.

36. Fetch vulnerabilities last seen in the last X days - By default, Tenable Vulnerability Management (Formerly Tenable.io) only brings vulnerabilities last seen in the last 30 days. Enter a number here so that the adapter will search for vulnerabilities with last seen between today and x days in the past.

37. Combine tags key and value - Select this option to create the value of a tag in Axonius to be the result of the Tenable key and value concatenation.

38. Prefetch assets to localdb - Select this option to first fetch all assets and store locally and then parse the data. This is useful in cases of fetches which take a long time.

39. Fetch only licensed assets - Select this option to fetch only Tenable.io licensed assets.

40. Use most recent CVSS version as CVSS Score - Select this option to use the most recent CVSS version as the CVSS Score.

41. Fetch compliance since X days - Enter a value to restrict compliance findings to those that were updated or indexed into Tenable Vulnerability Management after X days.

42. Tags values deny list (colon separated) - Enter a colon-separated list of tags values to be filtered out and not ingested.

43. Agent groups deny list - Enter the agent groups to be filtered out and not ingested. This setting has no function if Fetch agent data is disabled.

44. Include open ports - Select this option to include open ports (from all times) in the asset export.

45. Fetch compliance last seen from X days - Enter a value to restrict compliance findings to those that were last seen in X days.
46. Fetch extensions from firefox and chrome on windows and macOS (96533, 133180, 96534) - Select this option to fetch extensions from Firefox and Chrome on Windows and macOS (Plugin IDs 96533, 133180, 96534).
47. Fetch Groups - Select this option to fetch groups as Groups asset type.
48. Fetch current open ports - Fetch only ports that were open at the time of the current fetch.
49. Fetch plugin 16193 - Antivirus Software Check - Select this option to fetch plugin 16193 if it is present for the device.
50. Fetch OS serial information - Select this option to fetch plugins 131568, 35351 and 24270, and parse the Device Manufacturer Serial from them.
51. Remove Domain text from Local Admins - Group field - Select this option to remove the Domain text from the Axonius Local Admins - Group aggregated field. This will make the field value include only the actual Group name.
52. Insert both CVE and Plugin as vulnerable software - Select this option to parse each CVE ID and plugin ID in the vulnerability as vulnerable software.
53. Fetch containers from Plugin 93561 - Select this to fetch assets with plugin 93561 as Containers.
54. Ingest only the latest software versions - Select this option to fetch only the latest version of a software.
55. Ignore recasted vulnerabilities - Select this option to not fetch Recasted vulnerabilities.
56. Consider agent only if last source is a Nessus Agent - Select this optino to Aad an Agent property to fetched assets only if the last source is a Nessus Agent
57. Populate rich text fields - Select to have the adapter parse and populate rich text fields.
58. Exclude disabled users - Select this option to not fetch users that are disabled within Tenable.io. That is when this option is selected only users whose account_disabled is set to False or with no value will be fetched.

Required Permissions

The value supplied in Access API Key and Secret API Key must have read access to devices.

To generate an API key in the Tenable.io console, see Tenable.io - Generate an API Key.

The API Keys are created for a user account. This user account must have the Administrator user permissions because Axonius uses the Export Assets method, which requires Administrator user permissions as described in Tenable.io - Export Assets.