Tenable.io collector

Overview

Managed in the cloud and powered by Nessus technology, http://Tenable.io provides comprehensive vulnerability coverage with the ability to predict which security issues to remediate first. It is a complete end-to-end vulnerability management solution. Get a risk-based view of your entire attack surface, from IT to cloud to containers, so you can quickly identify, investigate and prioritize vulnerabilities.

1.x to 2.x migration guide

If you are migrating from v1.x to v2.x, you can find a complete guide in this article.

Devo collector features

Feature                                  Details
Allow parallel downloading (multipod)    not allowed
Running environments                     collector server, on-premise
Populated Devo events                    table
Flattening preprocessing                 no

Data sources

This collector extracts data from multiple sources within http://Tenable.io, enabling comprehensive vulnerability and asset management. Below is a detailed description of each data source: its purpose, API endpoint, collector service name, associated Devo table, and the release in which it became available.

Agents
  • Description: Nessus Agents collect vulnerability, compliance, and system data from hosts and report it back to http://Tenable.io.
  • API endpoint: PyTenable - Agents
  • Collector service name: agents
  • Devo table: vuln.tenable.io.agents
  • Available from release: v1.0.0

Assets
  • Description: Represents network entities such as servers, desktops, mobile devices, and cloud instances. Helps identify and mitigate potential security risks.
  • API endpoint: PyTenable - Assets
  • Collector service name: export_assets
  • Devo table: vuln.tenable.io.assets
  • Available from release: v1.2.0

Audit Log
  • Description: Provides visibility into actions taken in the http://Tenable.io account, including user actions, timestamps, and affected entities.
  • API endpoint: PyTenable - Audit Logs
  • Collector service name: audit_log
  • Devo table: vuln.tenable.io.audit_log
  • Available from release: v1.0.0

Plugins
  • Description: Programs written in NASL (Nessus Attack Scripting Language) for detecting vulnerabilities. Includes information about vulnerabilities and their remediation.
  • API endpoint: PyTenable - Plugins
  • Collector service name: plugins
  • Devo table: vuln.tenable.io.plugins
  • Available from release: v1.0.0

Scanners
  • Description: Configuration and linking of Nessus, NNM, and cloud scanners for use in http://Tenable.io.
  • API endpoint: PyTenable - Scanners
  • Collector service name: scanners
  • Devo table: vuln.tenable.io.scanners
  • Available from release: v1.0.0

Scans
  • Description: Retrieves information about vulnerability scans conducted on the network.
  • API endpoint: PyTenable - Scans
  • Collector service name: scans
  • Devo table: vuln.tenable.io.scans
  • Available from release: v1.0.0

Vulnerabilities
  • Description: Centralized data for vulnerabilities detected by Tenable and third-party scans.
  • API endpoint: PyTenable - Vulnerabilities
  • Collector service name: export_vulnerabilities
  • Devo table: vuln.tenable.io.vulnerabilities
  • Available from release: v1.0.0

WAS Vulnerabilities
  • Description: Returns vulnerabilities detected by Tenable Web App Scanning API v2.
  • API endpoint: /vulnerabilities/search
  • Collector service name: was_vulnerabilities
  • Devo table: vuln.tenable.io.was_vulnerability
  • Available from release: v2.0.0

Flattening preprocessing

This collector does not implement flattening.

Vendor setup

To set up access to the http://Tenable.io API and configure the collector, follow the steps below.

Obtaining API Keys

Verify Account Permissions

Ensure you have a valid user account with appropriate permissions by logging into http://Tenable.io.

Generate API Keys

  1. Generate the access_key and secret_key for your account. For more information, refer to Generate API Keys in the http://Tenable.io Vulnerability Management User Guide.

  2. http://Tenable.io generates a unique set of API keys for each user account.

    • These keys allow your application to authenticate without creating a session.

Add API Keys to Requests

Include the X-ApiKeys header element in your HTTP request messages. Example:

X-ApiKeys: accessKey=<your_access_key>; secretKey=<your_secret_key>

Authorization Permissions

Basic Permissions

Users with the Basic role (Value: 16) can safely view and configure scan results.

Administrator Permissions

To request audit_log data, you must have the Administrator role (Value: 64).

Security Recommendations

  • Treat your access_key and secret_key like passwords.

  • Do not share your keys with unauthorized individuals.

  • Store the keys securely in an environment variable or a secrets manager.

  • Rotate your API keys periodically to enhance security.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to the parameters specific to this integration. There are more required parameters related to the generic behavior of the collector; check the settings sections for details.

Setting       Details
access_key    The access key is required to authenticate API requests.
secret_key    The secret key is required to securely sign API requests.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

The collector supports the following authentication method to connect to http://Tenable.io:

Authentication Method    Details
access_key/secret_key    The access_key serves as the user identifier, while the secret_key is used to securely sign API requests.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Common services detail

Once the collector has been launched, it is important to check that the ingestion is being performed properly. To do so, go to the collector’s logs console.

This service has the following components:

Component    Description
Setup        The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller       The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> TenableIoPullerSetup(tenable_io#13245,scanners#predefined) -> Starting thread
WARNING InputProcess::TenableIoPullerSetup(tenable_io#13245,scanners#predefined) -> The token/header/authentication has not been created yet
WARNING InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Waiting until setup will be executed
INFO InputProcess::TenableIoPullerSetup(tenable_io#13245,scanners#predefined) -> Setup for module <TenableIoStatelessPuller> has been successfully executed

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

InitVariablesError
  • Error ID 1
    Message: The init_start_time: {start_time_in_utc_str} is not in the correct format: {datetime_forma}
    Cause: Incorrect format for start_time_in_utc.
    Solution: Ensure the start_time_in_utc is in the correct format (e.g., YYYY-MM-DD).
  • Error ID 2
    Message: Invalid start_time_in_utc: {start_time_in_utc_str}. Must be a past date.
    Cause: The provided start_time_in_utc is not a valid past date.
    Solution: Verify that start_time_in_utc is set to a valid past date.

PullError
  • Error ID 301
    Message: Response Content (not JSON)
    Cause: The response from the server is not in the expected JSON format.
    Solution: Check the response content and ensure it is properly formatted as JSON.
  • Error ID 302
    Message: Error: {response.status_code} - {response.text}
    Cause: The API response was an error.
    Solution: Review the status code and message for more details on the failure.

SetupError
  • Error ID 101
    Message: Unexpected error occurred: {e}
    Cause: A general setup error occurred during initialization.
    Solution: Inspect the setup process and correct any misconfigurations or issues.

ApiError
  • Error ID 400
    Message: Bad Request (400): The request was invalid.
    Cause: The API request was malformed or missing required parameters.
    Solution: Verify the request parameters and ensure they match the API specifications.
  • Error ID 401
    Message: Unauthorized (401): Access key or secret key is incorrect.
    Cause: The access key or secret key is invalid.
    Solution: Check that the correct access_key and secret_key are being used.
  • Error ID 403
    Message: Forbidden (403): Access is forbidden, check permissions.
    Cause: Insufficient permissions for the requested operation.
    Solution: Ensure that the API user has the necessary permissions.
  • Error ID 404
    Message: Not Found (404): The requested resource does not exist.
    Cause: The resource requested could not be found.
    Solution: Verify the resource ID or endpoint is correct.
  • Error ID 429
    Message: Too Many Requests (429): Rate limit exceeded.
    Cause: Too many requests were sent in a short period of time.
    Solution: Review the rate limit and implement retry logic as needed.
  • Error ID 500
    Message: Server Error (500): An internal server error occurred.
    Cause: The server encountered an internal error while processing.
    Solution: Retry the request or contact support if the issue persists.
  • Error ID 410
    Message: Unhandled HTTP Error ({status_code}): {error}
    Cause: An unhandled error occurred with a status code other than 400-500.
    Solution: Investigate the error code and consult the API documentation for details.

PullError
  • Error ID 313
    Message: Error during _request_job_creation. {e.cause}
    Cause: An error occurred while creating the job.
    Solution: Investigate the error in job creation and check the API documentation.
  • Error ID 310
    Message: {export_type} job {job_uuid}: Error on Tenable API during job creation.
    Cause: A failure occurred during the job creation process.
    Solution: Check the job creation API request for issues.
  • Error ID 311
    Message: {export_type} job {job_uuid}: Job creation was cancelled.
    Cause: The job creation was manually or automatically cancelled.
    Solution: Verify the job status and resolve any issues that caused cancellation.
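The following is an added example, not code from the Devo collector or from Tenable, tying together three points above: the X-ApiKeys header built from the access_key/secret_key pair, the recommendation to keep those keys in environment variables, and the ApiError table (with retry logic for 429). The environment variable names TENABLE_ACCESS_KEY and TENABLE_SECRET_KEY, and the `send()` transport callback, are this example's own assumptions.

```python
import os
import time

# Status codes the collector's ApiError table distinguishes; any other code
# falls into the table's "Unhandled HTTP Error" entry (error ID 410).
API_ERRORS = {
    400: "Bad Request (400): The request was invalid.",
    401: "Unauthorized (401): Access key or secret key is incorrect.",
    403: "Forbidden (403): Access is forbidden, check permissions.",
    404: "Not Found (404): The requested resource does not exist.",
    429: "Too Many Requests (429): Rate limit exceeded.",
    500: "Server Error (500): An internal server error occurred.",
}


class ApiError(Exception):
    def __init__(self, error_id, message):
        super().__init__(message)
        self.error_id = error_id


def api_keys_header(env=None):
    """Build the X-ApiKeys header from environment variables rather than
    from literals in code. The names TENABLE_ACCESS_KEY / TENABLE_SECRET_KEY
    are this example's own choice (hypothetical)."""
    env = os.environ if env is None else env
    access_key = env.get("TENABLE_ACCESS_KEY")
    secret_key = env.get("TENABLE_SECRET_KEY")
    if not access_key or not secret_key:
        raise ValueError("TENABLE_ACCESS_KEY and TENABLE_SECRET_KEY must be set")
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}"}


def request_with_retry(send, max_retries=3, sleep=time.sleep):
    """Call send() until it returns a 2xx body. A 429 is retried with
    backoff (honouring Retry-After when present); every other non-2xx
    status raises the ApiError the table above describes.
    send() returns (status_code, headers, body) so it can be faked offline."""
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if 200 <= status < 300:
            return body
        if status == 429 and attempt < max_retries:
            sleep(float(headers.get("Retry-After", 2 ** attempt)))
            continue
        if status in API_ERRORS:
            raise ApiError(status, API_ERRORS[status])
        raise ApiError(410, f"Unhandled HTTP Error ({status}): {body}")


def fake_sender(responses):
    """Offline stand-in for an HTTP call: returns the scripted responses in order."""
    it = iter(responses)
    return lambda: next(it)
```

Wire `api_keys_header()` into the real transport's request headers; the retry wrapper is independent of the HTTP library used.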

Scanners service

Once the collector has been launched, it is important to check that the ingestion is being performed properly. To do so, go to the collector’s logs console.

This service has the following components:

Component    Description
Setup        The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller       The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) Starting the execution of pre_pull()
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Reading persisted data
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Data retrieved from the persistence: None
WARNING InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Persistence will be overridden due to the retrieved state is empty
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Running the persistence upgrade steps
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Running the persistence corrections steps
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Running the persistence corrections steps
WARNING InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> The persistence version value is <ZERO>, so no persistence will be allocated
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) Finalizing the execution of pre_pull()
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Starting data collection every 43200 seconds
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Pull Started
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1733390827964):Number of requests made: 2; Number of events received: 31; Number of duplicated events filtered out: 0; Number of events generated and sent: 31; Average of events per second: 48.412.
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1733390827964):Number of requests made: 2; Number of events received: 31; Number of duplicated events filtered out: 0; Number of events generated and sent: 31; Average of events per second: 48.276.
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> The data is up to date!
INFO InputProcess::TenableIoStatelessPuller(tenable_io#13245,scanners#predefined) -> Data collection completed. Elapsed time: 0.656 seconds. Waiting for 43199.344 second(s) until the next one
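The statistics lines above are the quickest way to confirm that a pull cycle actually delivered events. The following is an added example, not part of the Devo collector, that parses those lines and flags cycles whose counters do not add up or that made requests but sent nothing. The first two sample lines are the ones from the output above; the last two are constructed to show the failure cases.

```python
import re

# Format of the per-cycle statistics line, taken from the puller output above.
# "(Partial)" lines are progress reports; the line without it is the final count.
STATS_RE = re.compile(
    r"(?:INFO|WARNING|ERROR) InputProcess::(?P<puller>\S+) -> "
    r"(?P<partial>\(Partial\) )?Statistics for this pull cycle "
    r"\(@devo_pulling_id=(?P<pulling_id>\d+)\):"
    r"Number of requests made: (?P<requests>\d+); "
    r"Number of events received: (?P<received>\d+); "
    r"Number of duplicated events filtered out: (?P<duplicated>\d+); "
    r"Number of events generated and sent: (?P<sent>\d+); "
    r"Average of events per second: (?P<eps>\d+(?:\.\d+)?)\."
)

PULLER = "TenableIoStatelessPuller(tenable_io#13245,scanners#predefined)"
STATS = ("Statistics for this pull cycle (@devo_pulling_id={id}):"
         "Number of requests made: {req}; Number of events received: {rx}; "
         "Number of duplicated events filtered out: {dup}; "
         "Number of events generated and sent: {tx}; Average of events per second: {eps}.")

# Sample input: lines 1-2 are the statistics lines from the output above,
# lines 3-4 are constructed (counter mismatch, and a cycle that sent nothing).
SAMPLE_LINES = [
    f"INFO InputProcess::{PULLER} -> (Partial) " + STATS.format(id=1733390827964, req=2, rx=31, dup=0, tx=31, eps="48.412"),
    f"INFO InputProcess::{PULLER} -> " + STATS.format(id=1733390827964, req=2, rx=31, dup=0, tx=31, eps="48.276"),
    f"INFO InputProcess::{PULLER} -> " + STATS.format(id=1733390900000, req=2, rx=40, dup=5, tx=30, eps="10.000"),
    f"INFO InputProcess::{PULLER} -> " + STATS.format(id=1733390950000, req=2, rx=0, dup=0, tx=0, eps="0.0"),
]


def parse_pull_statistics(line):
    """Return the cycle's counters as a dict, or None for any other log line."""
    m = STATS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    ints = {k: int(d[k]) for k in ("requests", "received", "duplicated", "sent")}
    return {"puller": d["puller"], "partial": d["partial"] is not None,
            "pulling_id": d["pulling_id"], "eps": float(d["eps"]), **ints}


def audit_pull_cycles(lines):
    """Return (pulling_id, problem) pairs for final statistics lines whose
    counters do not add up or whose cycle produced no events at all."""
    problems = []
    for s in map(parse_pull_statistics, lines):
        if s is None or s["partial"]:
            continue
        if s["received"] - s["duplicated"] != s["sent"]:
            problems.append((s["pulling_id"], "received minus duplicates does not equal sent"))
        if s["requests"] > 0 and s["sent"] == 0:
            problems.append((s["pulling_id"], "requests were made but no events were sent"))
    return problems
```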

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Scans service

Once the collector has been launched, it is important to check that the ingestion is being performed properly. To do so, go to the collector’s logs console.

This service has the following components:

Component    Description
Setup        The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller       The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Agents service

Once the collector has been launched, it is important to check that the ingestion is being performed properly. To do so, go to the collector’s logs console.

This service has the following components:

Component    Description
Setup        The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller       The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Audit log service

Plugins service

Export assets service

Export vulnerabilities service

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Change log

Release

Released on

Release Type

Details

Recommendations

v2.0.0

Nov 14, 2024

BUG FIX
IMPROVEMENT

Improvements:

  • A complete refactor of the code was implemented, streamlining services and enhancing overall performance. This new architecture improves maintainability and extensibility, ensuring a smoother experience in future updates.

Bug Fixing:

  • Significant improvements were made in memory handling, particularly in high-load services. By utilizing compression techniques, memory usage was optimized, reducing the risk of system lockups and boosting efficiency under heavy workloads.

Recommended version

v1.6.0

Oct 22, 2024

NEW FEATURE
IMPROVEMENT

New Features:

  • New service: was_vulnerabilities: Returns a list of vulnerabilities detected by Tenable Web App Scanning API v2 scans.

Improvements:

  • Update DC SDK from v1.12.1 to v1.13.1

Update

v1.4.0

Apr 12, 2024

IMPROVEMENT

Improvements:

  • Upgrade DC SDK to the latest version 1.11.1. Upgrade the Docker base image to 1.2.0.

Update

v1.3.0

Oct 13, 2023

NEW FEATURE
IMPROVEMENT

New Features:

  • Added new data source export_vulnerabilities as a new service.

Improvements:

  • Upgrade DC SDK to the latest version 1.9.2.

Update

v1.2.5

Apr 5, 2023

IMPROVEMENT

Improvements:

  • Upgrade DC SDK to the latest version 1.7.2.dev1 to avoid errors in the sender module. These errors made the collector restart constantly. Added a lock to enhance the sender object.

Update

v1.2.4

Apr 3, 2023

IMPROVEMENT

Improvements:

  • The export_assets service now cancels previous jobs (if any) and launches new jobs instead of waiting for all other jobs to finish. Upgrade DC SDK to the latest version 1.7.0.

Update

v1.2.3

Mar 27, 2023

BUG FIX
IMPROVEMENT

Bug Fixing:

  • Fixed the audit_log service, which was sending duplicate events upon change of day.

Improvements:

  • Adjusted rate limits.

Update

v1.2.2

Mar 26, 2023

BUG FIX
IMPROVEMENT

Bug Fixing:

  • Fixed the audit_log service, which wasn't paginating through the available results and didn't send anything to Devo.

Improvements:

  • Avoided confusing ERROR logs, standardized statistic logs, and added rate limits.

Update

v1.2.0

Mar 22, 2023

NEW FEATURE
BUG FIX

New Features:

  • A new export_assets service has been created to allow massive data ingestion, enriched with vulnerabilities information.

Bug Fixing:

  • Resolved constant 500-level errors caused by the previous assets endpoint.

Update