Tenable IO Connector
The Tenable IO Connector ingests vulnerability and asset data from Tenable IO into Qualys Enterprise TruRisk Management (ETM) for unified risk analysis and prioritization.
The Tenable IO Connector is available on demand. To activate it for your subscription, please contact your Technical Account Manager (TAM) or Qualys Support.
Connector Details
| Vendor | Tenable |
| Product | Tenable IO |
| Category | Risk Source |
| Findings Supported | Vulnerabilities |
| Assets Supported | Host Assets |
| Version | N/A |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Tenable IO > Qualys) |
| Delta Support | Yes (limited by Tenable API chunk expiration) |
Connection Settings
User Roles and Permissions
To generate API keys for Tenable IO, the user must have the Basic (16) role. Reference: Tenable IO Roles.
Authentication Details
Provide the following credentials in the connector configuration screen:
| Name | Key | Type | Description |
|---|---|---|---|
| Access Key | accessKey |
Encrypted | Tenable IO Access Key |
| Secret Key | secretKey |
Encrypted | Tenable IO Secret Key |
Steps to Generate API Keys
- Login to Tenable IO.
- Navigate to My Account.
- Select the API Keys tab and click Generate.
- A warning message will appear. Confirm and copy your new Access Key and Secret Key.
Reference: Generate API Keys
Connector Configuration
Basic Details
- Login to Qualys ETM.
- Go to Connectors >Integration tab and locate the Tenable IO Connector.
- Click Manage from the ellipses menu.
- Provide a Name and Description for the connector.
- Select supported findings type: Vulnerability / Host Asset.
- Enter Access Key and Secret Key.
Mapping Details
Data Model
The Tenable IO connector provides out-of-the-box data model mappings for assets only or assets with vulnerabilities. View the models in ETM to understand all supported fields.
Transform Maps
Default transform maps are provided. You can create or clone maps to customize field transformations.
- Click Create New to add a new transform map.
- Provide a Transform Map Name, select Source Data Model, and select Target Data Model.
- Save the map.
- Alternatively, use Clone from the quick menu to copy and adjust the default transform map.
Data Model Mapping - Asset Transformation
|
Source Field |
Target Field |
|---|---|
|
Asset ID |
externalAssetId |
|
Primary Hostname |
assetName |
|
IPv4 Addresses |
ipAddress |
|
IPv6 Addresses |
ipAddress |
|
MAC Addresses |
macAddress |
|
Operating System |
operatingSystemName |
|
Cloud Instance ID |
cloudInstanceId |
|
Cloud Provider Type AWS | Azure | GCP | OCI | Alibaba | VMWare, Inc |
cloudProvider EC2 | Azure | GCP | OCI | ALIBABA | SOURCE_TYPE_UNKNOWN |
|
Fully Qualified Domain Names |
fqdn |
|
NetBIOS Names |
netBiosName |
Data Model Mapping - Vulnerability Transformation
|
Source Field |
Target Field |
|---|---|
|
Asset ID |
externalAssetId (Required) |
|
Plugin Name |
findingName (Required) |
|
Finding ID |
externalFindingId (Required) |
|
Severity ID |
findingSeverity (Required) |
|
Operating System |
operatingSystemName |
|
IPv4 Addresses |
ipAddress |
|
MAC Addresses |
macAddress |
|
Cloud Type |
cloudProvider |
|
Solution |
remediationStrategy |
|
CVSS v2 Base Score |
cvssV2Base |
|
CVSS v3 Base Score |
cvss3Base |
|
CVSS v2 Temporal Score |
cvss2Temporal |
|
CVSS v3 Temporal Score |
cvss3Temporal |
|
Vulnerability State |
findingStatus |
|
FQDNs |
fqdn |
|
NetBIOS Names |
netBiosName |
|
CVE |
cveId |
|
Has Patch |
isPatchAvailable |
|
Exploit Available |
isExploitAvailable |
|
Port |
findingPort |
|
Protocol |
findingProtocol |
|
Plugin Description |
findingDescription |
|
VPR Score |
detectionScore |
|
Asset Name |
assetName |
|
First Found |
findingFirstFoundOn |
|
Last Found |
findingLastFoundOn |
|
Synopsis |
detectionResult |
|
VPR Exploit Code Maturity |
exploitCodeMaturity |
|
CVSS v2 Temporal Vector |
vector |
|
AWS EC2 Instance IDs |
cloudInstanceId |
|
GCP Instance IDs |
cloudInstanceId |
|
Azure VM IDs |
cloudInstanceId |
Profiles
Profiles control execution of the connector.
- Click + to add a new profile.
- Provide a Name and Description.
- Select the required Transform Map.
- Set Status (Active or Inactive).
- Configure a Schedule: Single Occurrence or Recurring with start and end dates/times.
When editing a connector, you can find the Retain Delta checkbox. Select this checkbox to retain delta that has already been set for this connection. Deselecting this resets delta and begins fresh ingestion.
Viewing Assets and Findings in ETM
After a successful run, Tenable assets appear in ETM's Inventory:
- Assets: Go to Inventory > Assets > Host. Filter with
tags.name:"Tenable".
- Findings: Go to Risk Management > Findings > Vulnerability. Filter with
finding.vendorProductName:"Tenable".
Additional Resources
Scoring
Use the scoring screen to map Tenable non-CVE severities to Qualys Detection Score (QDS) 0–100. Configure 5 levels of mapping and set a Default Severity for unmapped values.
Identification Rules
Identification Rules are provided out-of-the-box by Qualys CSAM. They control how findings are matched to assets. You may proceed without changes, but ensure at least one rule is active.
How Does a Connection Work?
The Tenable IO connector executes on schedule (or on-demand) based on the configured profile. It imports asset and vulnerability data into ETM, where it can be analyzed with other security findings.
In the Connector screen, your newly configured connector will appear with the state Processed once execution completes.
Limitations / Known Behavior
- The API chunks to fetch asset-only data have an expiration of 24 hours. This time is set by Tenable for the downloadable chunks.
- The API chunks to fetch Asset + Vulnerability data have an expiration of 72 hours. This time is set by Tenable for the downloadable chunks.
- Configuring the same connector twice will cause the second to fail due to Tenable export API concurrency restrictions. Reference: Tenable API Concurrency.