Available Data Tenable Vulnerability Management
Tenable Vulnerability Management Asset Import Data Map
Logic for mapping Tenable Vulnerability Management Assets to ServiceNow Configuration Items.
Asset import sequence:
- ServiceNow queries Tenable Vulnerability Management for assets.
- Data is attached to ServiceNow Job Chunk.
- Data is transformed into a format usable by the ServiceNow Identification and Reconciliation Engine (IRE).
- Data is submitted to IRE, which creates CIs in the CMDB.
Data Transformation in ServiceNow
For each Asset imported from Tenable Vulnerability Management into ServiceNow, multiple records are created.
Main CI
A main CI record (cmdb_ci_incomplete_ip, cmdb_ci_unclassed_hardware, or cmdb_ci_computer) is created for every Tenable Vulnerability Management Asset imported into ServiceNow.
ServiceNow Field | Details (Tenable Vulnerability Management fields in bold) | CMDB Class |
---|---|---|
Class | | All classes |
Name | | All classes |
Description | Information about how the name was identified | All classes |
Discovery Source | “SG-TenableForAssets” | All classes |
Tenable Asset Attributes | Reference to Tio CMDB Asset Attributes table with Tenable Vulnerability Management specific fields | All classes |
Is Virtual | If aws_ec2_instance_id, gcp_instance_id, or azure_resource_id is received from Tenable Vulnerability Management | Computer class only |
Operating System | operating_systems | Computer class only |
IP Address | ipv4s | Incomplete IP class only |
IP Version | “4” | Incomplete IP class only |
Network Partition Identifier | network_name | Incomplete IP class only |
Fully Qualified Domain Name | fqdns | Computer class |
Child Network Adapter CIs
Related Network Adapter CI records (cmdb_ci_network_adapter) are created for each MAC address associated with a Main CI.
ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
---|---|
Class | “Network Adapter” |
Name | network_interfaces.name |
MAC Address | network_interfaces.mac_addresses |
Fully Qualified Domain Name | network_interfaces.fqdns |
Configuration Item | Reference to Main CI |
Discovery Source | “SG-TenableForAssets” |
Child IP Address CIs
Related IP Address CI records (cmdb_ci_ip_address) are created for each IP address associated with a Main CI.
ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
---|---|
Class | “Network Adapter” |
Name | |
IP Address | |
IP Version | “4” or “6” |
Network Partition Identifier | network_name |
Nic | Reference to Network Adapter (if exists) |
Discovery Source | “SG-TenableForAssets” |
Tenable Asset Attributes Records
A Tenable Asset Attributes record (x_tsirm_tio_cmdb_asset_attributes) is created for every Main CI.
ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
---|---|
Hostname | Main CI name |
Connector | Reference to connector record |
Tenable Uniqueness | id |
Asset UUID | id |
Raw Data | Raw JSON data |
Sources | “IO for ” + Tenable App Name |
Source Native Key | id |
Has Agent | has_agent |
Has Plugin Results | has_plugin_results |
Created At | created_at |
Terminated At | terminated_at |
Terminated By | terminated_by |
Updated At | updated_at |
Deleted At | deleted_at |
Deleted By | deleted_by |
First Seen | first_seen |
Last Seen | last_seen |
First Scan Time | first_scan_time |
Last Scan Time | last_scan_time |
Last Authenticated Scan Date | last_authenticated_scan_date |
Last Licensed Scan Date | last_licensed_scan_date |
Last Scan ID | last_scan_id |
Last Schedule ID | last_schedule_id |
Azure Instance ID | azure_vm_id |
GCP Project ID | gcp_project_id |
GCP Zone | gcp_zone |
GCP Instance ID | gcp_instance_id |
AWS EC2 Instance ID | aws_ec2_instance_id |
Agent UUID | agent_uuid |
BIOS UUID | bios_uuid |
Network ID | network_id |
AWS Owner ID | aws_owner_id |
McAfee EPO GUID | mcafee_epo_guid |
McAfee EPO Agent GUID | mcafee_epo_agent_guid |
Bigfix Asset ID | bigfix_asset_id |
Agent Names | agent_names |
Netbios Name | netbios_names |
Operating Systems | operating_systems |
System Type | system_types |
SSH Fingerprints | ssh_fingerprints |
Qualys Asset ID | qualys_asset_ids |
Qualys Host IDs | qualys_host_ids |
Manufacturer TPM ID | manufacturer_tpm_ids |
Symantec EP Hardware Key | symantec_ep_hardware_keys |
Sources | sources |
Tags | tags |
ACR Score | acr_score |
Exposure Score | exposure_score |
Attributes | Raw JSON data in ServiceNow format |
Name | Connector.Name + ": " + id |
Related CI | Reference to Main CI |
CMDB Relationship Records
A CMDB Relationship record (cmdb_rel_ci) is created for every parent/child relationship between the Main CI and a Network Adapter CI or an IP Address CI.
ServiceNow field | Details |
---|---|
Parent | Reference to Main CI |
Child | Reference to Network Adapter or IP Address CI |
Type | “Owns::Owned by” |
Discovery Source Records
A Discovery Source record (sys_object_source) is created for every new CI created in ServiceNow with information about the source and the unique identifier of the CI.
ServiceNow field | Details |
---|---|
ID | id |
Last Scan | Date/time of last Tenable Vulnerability Management import |
Target Sys ID | Reference to Main CI |
Target Table | Table of Main CI |
Name | “SG-TenableForAssets” |
Source Feed | “Tenable” |
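
To check that an import populated the CMDB as the tables above describe, the following added example (not Tenable or ServiceNow code) derives the child CIs, relationship rows, Is Virtual flag and Attributes record name expected for one asset. The sample asset is constructed. The top-level ipv6s field, the per-interface ipv4s/ipv6s fields, the use of the address itself as the IP Address value, and the record key names (illustrative renderings of the field labels) are assumptions.

```javascript
// Added example, not Tenable or ServiceNow code. SAMPLE_ASSET is constructed.
const SOURCE = "SG-TenableForAssets";

const SAMPLE_ASSET = {
  id: "00000000-0000-0000-0000-000000000001",
  network_name: "Default",
  aws_ec2_instance_id: "i-EXAMPLE",
  ipv4s: ["192.0.2.10", "192.0.2.11"],
  ipv6s: ["2001:db8::10"], // assumed field, mirrors ipv4s
  network_interfaces: [{
    name: "eth0", mac_addresses: ["00:00:5e:00:53:01"], fqdns: ["host.example.com"],
    ipv4s: ["192.0.2.10"], ipv6s: ["2001:db8::10"], // assumed per-interface fields
  }],
};

function expectedRecords(asset, connectorName) {
  const adapters = [];
  const nicByIp = new Map(); // IP -> index into adapters
  for (const nic of asset.network_interfaces || []) {
    for (const mac of nic.mac_addresses || []) { // one adapter CI per MAC
      adapters.push({ table: "cmdb_ci_network_adapter", name: nic.name,
        mac_address: mac, fqdns: nic.fqdns || [], discovery_source: SOURCE });
      for (const ip of [...(nic.ipv4s || []), ...(nic.ipv6s || [])]) {
        if (!nicByIp.has(ip)) nicByIp.set(ip, adapters.length - 1);
      }
    }
  }
  const ips = [];
  const seen = new Set();
  const addIps = (list, version) => {
    for (const ip of list || []) { // one IP Address CI per distinct address
      if (seen.has(ip)) continue;
      seen.add(ip);
      ips.push({ table: "cmdb_ci_ip_address", ip_address: ip, ip_version: version,
        network_partition_identifier: asset.network_name,
        nic: nicByIp.has(ip) ? nicByIp.get(ip) : null, discovery_source: SOURCE });
    }
  };
  addIps(asset.ipv4s, "4");
  addIps(asset.ipv6s, "6");
  // One cmdb_rel_ci row per child, always with the Main CI as parent.
  const relationships = [...adapters, ...ips].map((child) => ({
    parent: "main_ci", child: `${child.table}:${child.mac_address || child.ip_address}`,
    type: "Owns::Owned by" }));
  return {
    adapters, ips, relationships,
    isVirtual: Boolean(asset.aws_ec2_instance_id || asset.gcp_instance_id || asset.azure_resource_id),
    attributesName: `${connectorName}: ${asset.id}`,
  };
}
```

Comparing these expected counts with what cmdb_ci_network_adapter, cmdb_ci_ip_address and cmdb_rel_ci actually hold for a Main CI shows where reconciliation merged or dropped records.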
API Calls to Tenable Vulnerability Management
Generate Tenable Assets Export
Input: chunk_size, filters
- Example: {"chunk_size":1500,"filters":{"updated_at":1657660668,"is_deleted":false,"is_licensed":true}}
Output: export_uuid
Input: export_uuid
Output: status, chunks_available
Download Tenable Assets Export Chunk
Input: export_uuid, chunk_id
Output: Open link and select the 200 response for all possible asset values.