Tenable Vulnerability Management Asset Import Data Map

Logic for mapping Tenable Vulnerability Management Assets to ServiceNow Configuration Items.

Asset import sequence:

  1. ServiceNow queries Tenable Vulnerability Management for assets.
  2. Data is attached to a ServiceNow Job Chunk.
  3. Data is transformed into a format usable by the ServiceNow Identification and Reconciliation Engine (IRE).
  4. Data is submitted to the IRE, which creates CIs in the CMDB.

Data Transformation in ServiceNow

For each Asset imported from Tenable Vulnerability Management into ServiceNow, multiple records are created.

Main CI

A main CI record (cmdb_ci_incomplete_ip, cmdb_ci_unclassed_hardware, or cmdb_ci_computer) is created for every Tenable Vulnerability Management Asset imported into ServiceNow.

| ServiceNow Field | Details (Tenable Vulnerability Management fields in bold) | CMDB Class |
| --- | --- | --- |
| Class | 1. Incomplete IP Identified Device: if **ipv4s** or **ipv6s** are received from Tenable Vulnerability Management. 2. Unclassed Hardware: if 1. applies, plus **hostnames**, **netbios_names**, or **fqdns** are received from Tenable Vulnerability Management. 3. Computer: if 2. applies, plus **aws_ec2_instance_id**, **gcp_instance_id**, **azure_resource_id**, or **operating_systems** are received from Tenable Vulnerability Management. | All classes |
| Name | 1. **netbios_names** 2. **hostnames** 3. **fqdns** 4. **ipv4s** 5. **ipv6s** 6. **mac_addresses** | All classes |
| Description | Information about how name was identified | All classes |
| Discovery Source | “SG-TenableForAssets” | All classes |
| Tenable Asset Attributes | Reference to Tio CMDB Asset Attributes table with Tenable Vulnerability Management specific fields | All classes |
| Is Virtual | If **aws_ec2_instance_id**, **gcp_instance_id**, or **azure_resource_id** is received from Tenable Vulnerability Management | Computer class only |
| Operating System | **operating_systems** | Computer class only |
| IP Address | **ipv4s** | Incomplete IP class only |
| IP Version | “4” | Incomplete IP class only |
| Network Partition Identifier | **network_name** | Incomplete IP class only |
| Fully Qualified Domain Name | **fqdns** | Computer class |
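
The class and name rules in the table above, worked through as an added example (not Tenable's or ServiceNow's own code). `classifyAsset`, `pickName`, `buildMainCi`, the output keys and the sample assets are hypothetical. The example assumes the numbered Name list is an order of precedence and that an asset with no IP address gets no Main CI.

```javascript
// Added illustration of the Main CI rules on this page; not the application's own code.
const CLOUD_IDS = ['aws_ec2_instance_id', 'gcp_instance_id', 'azure_resource_id'];
// Name fields in the order the table lists them (read here as precedence: assumption).
const NAME_ORDER = ['netbios_names', 'hostnames', 'fqdns', 'ipv4s', 'ipv6s', 'mac_addresses'];

// A field counts as "received" when it is a non-empty array or a non-empty string.
function has(asset, field) {
  const v = asset[field];
  return Array.isArray(v) ? v.length > 0 : typeof v === 'string' && v !== '';
}
const any = (asset, fields) => fields.some((f) => has(asset, f));
const first = (v) => (Array.isArray(v) ? v[0] : v); // using element [0] is an assumption

// Each class requires the previous class's condition plus its own.
function classifyAsset(asset) {
  if (!any(asset, ['ipv4s', 'ipv6s'])) return null; // assumption: no rule matches, no CI
  if (!any(asset, ['hostnames', 'netbios_names', 'fqdns'])) return 'cmdb_ci_incomplete_ip';
  if (!any(asset, [...CLOUD_IDS, 'operating_systems'])) return 'cmdb_ci_unclassed_hardware';
  return 'cmdb_ci_computer';
}

// Returns the name and the field it came from, or null when no name field is populated.
function pickName(asset) {
  const source = NAME_ORDER.find((f) => has(asset, f));
  return source ? { name: first(asset[source]), source } : null;
}

// Keys below mirror the table's field labels; they are not real ServiceNow column names.
function buildMainCi(asset) {
  const cls = classifyAsset(asset);
  if (!cls) return null;
  const picked = pickName(asset); // never null here: an IP address is always present
  const ci = { class: cls, name: picked.name, discoverySource: 'SG-TenableForAssets',
               description: 'Name from ' + picked.source }; // wording is hypothetical
  if (cls === 'cmdb_ci_computer') {
    ci.isVirtual = any(asset, CLOUD_IDS);
    ci.operatingSystem = asset.operating_systems || [];
    ci.fqdn = has(asset, 'fqdns') ? first(asset.fqdns) : '';
  }
  return ci;
}

// Constructed sample assets (not real export data).
const SAMPLES = {
  ipOnlyWithOs: { ipv4s: ['192.0.2.10'], operating_systems: ['Linux'] },
  named: { ipv4s: ['192.0.2.11'], hostnames: ['build01'] },
  cloud: { ipv4s: ['192.0.2.12'], fqdns: ['web.example.test'], aws_ec2_instance_id: 'i-EXAMPLE' },
};
```

Under the rules as written, `SAMPLES.ipOnlyWithOs` stays an Incomplete IP Identified Device even though an operating system was reported, because the Computer class builds on the hostname condition.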

Child Network Adapter CIs

Related Network Adapter CI records (cmdb_ci_network_adapter) are created for each MAC address associated with a Main CI.

| ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
| --- | --- |
| Class | “Network Adapter” |
| Name | **network_interfaces.name** |
| MAC Address | **network_interfaces.mac_addresses** |
| Fully Qualified Domain Name | **network_interfaces.fqdns** |
| Configuration Item | Reference to Main CI |
| Discovery Source | “SG-TenableForAssets” |

Child IP Address CIs

Related IP Address CI records (cmdb_ci_ip_address) are created for each IP address associated with a Main CI.

| ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
| --- | --- |
| Class | “Network Adapter” |
| Name | 1. **network_interfaces.ipv4s** or **network_interfaces.ipv6s** 2. **ipv4s** or **ipv6s** |
| IP Address | 1. **network_interfaces.ipv4s** or **network_interfaces.ipv6s** 2. **ipv4s** or **ipv6s** |
| IP Version | “4” or “6” |
| Network Partition Identifier | **network_name** |
| Nic | Reference to Network Adapter (if exists) |
| Discovery Source | “SG-TenableForAssets” |

Tenable Asset Attributes Records

A Tenable Asset Attributes record (x_tsirm_tio_cmdb_asset_attributes) is created for every Main CI.

| ServiceNow field | Details (Tenable Vulnerability Management fields in bold) |
| --- | --- |
| Hostname | Main CI name |
| Connector | Reference to connector record |
| Tenable Uniqueness | **id** |
| Asset UUID | **id** |
| Raw Data | Raw JSON data |
| Sources | “IO for ” + Tenable App Name |
| Source Native Key | **id** |
| Has Agent | **has_agent** |
| Has Plugin Results | **has_plugin_results** |
| Created At | **created_at** |
| Terminated At | **terminated_at** |
| Terminated By | **terminated_by** |
| Updated At | **updated_at** |
| Deleted At | **deleted_at** |
| Deleted By | **deleted_by** |
| First Seen | **first_seen** |
| Last Seen | **last_seen** |
| First Scan Time | **first_scan_time** |
| Last Scan Time | **last_scan_time** |
| Last Authenticated Scan Date | **last_authenticated_scan_date** |
| Last Licensed Scan Date | **last_licensed_scan_date** |
| Last Scan ID | **last_scan_id** |
| Last Schedule ID | **last_schedule_id** |
| Azure Instance ID | **azure_vm_id** |
| GCP Project ID | **gcp_project_id** |
| GCP Zone | **gcp_zone** |
| GCP Instance ID | **gcp_instance_id** |
| AWS EC2 Instance ID | **aws_ec2_instance_id** |
| Agent UUID | **agent_uuid** |
| BIOS UUID | **bios_uuid** |
| Network ID | **network_id** |
| AWS Owner ID | **aws_owner_id** |
| McAfee EPO GUID | **mcafee_epo_guid** |
| McAfee EPO Agent GUID | **mcafee_epo_agent_guid** |
| Bigfix Asset ID | **bigfix_asset_id** |
| Agent Names | **agent_names** |
| Netbios Name | **netbios_names** |
| Operating Systems | **operating_systems** |
| System Type | **system_types** |
| SSH Fingerprints | **ssh_fingerprints** |
| Qualys Asset ID | **qualys_asset_ids** |
| Qualys Host IDs | **qualys_host_ids** |
| Manufacturer TPM ID | **manufacturer_tpm_ids** |
| Symantec EP Hardware Key | **symantec_ep_hardware_keys** |
| Sources | **sources** |
| Tags | **tags** |
| ACR Score | **acr_score** |
| Exposure Score | **exposure_score** |
| Attributes | Raw JSON data in ServiceNow format |
| Name | Connector.Name + ": " + **id** |
| Related CI | Reference to Main CI |

CMDB Relationship Records

A CMDB Relationship record (cmdb_rel_ci) is created for every parent/child relationship between the Main CI and a Network Adapter CI or an IP Address CI.

| ServiceNow field | Details |
| --- | --- |
| Parent | Reference to Main CI |
| Child | Reference to Network Adapter or IP Address CI |
| Type | “Owns::Owned by” |

Discovery Source Records

A Discovery Source record (sys_object_source) is created for every new CI created in ServiceNow with information about the source and the unique identifier of the CI.

| ServiceNow field | Details |
| --- | --- |
| ID | **id** |
| Last Scan | Date/time of last Tenable Vulnerability Management import |
| Target Sys ID | Reference to Main CI |
| Target Table | Table of Main CI |
| Name | “SG-TenableForAssets” |
| Source Feed | “Tenable” |

API Calls to Tenable Vulnerability Management

Generate Tenable Assets Export

Input: chunk_size, filters

  • Example: {"chunk_size":1500,"filters":{"updated_at":1657660668,"is_deleted":false,"is_licensed":true}}

Output: export_uuid

Query for Asset Export Status

Input: export_uuid

Output: status, chunks_available

Download Tenable Assets Export Chunk

Input: export_uuid, chunk_id

Output: Open link and select the 200 response for all possible asset values.
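
The three calls above chained into one export run, as an added example (not the application's own code). `exportAssets`, the injected `call` transport and `fakeTenable` are hypothetical. The request paths and the status values `PROCESSING`, `FINISHED`, `ERROR` and `CANCELLED` are taken from Tenable's public asset-export API rather than from this page.

```javascript
// Added illustration of the export sequence; not the application's own code.
// `call(method, path, body)` is a hypothetical synchronous transport returning parsed JSON.
function exportAssets(call, request, opts = {}) {
  const maxPolls = opts.maxPolls || 20;
  const wait = opts.wait || (() => {}); // supply a real delay between polls in production

  // 1. Generate the export: chunk_size and filters in, export_uuid out.
  const { export_uuid } = call('POST', '/assets/export', request);
  if (!export_uuid) throw new Error('export request returned no export_uuid');

  const seen = new Set();
  const assets = [];
  for (let i = 0; i < maxPolls; i++) {
    // 2. Query status: export_uuid in, status and chunks_available out.
    const { status, chunks_available = [] } = call('GET', `/assets/export/${export_uuid}/status`);
    // 3. Download every chunk listed so far, each exactly once.
    for (const chunkId of chunks_available) {
      if (seen.has(chunkId)) continue;
      const chunk = call('GET', `/assets/export/${export_uuid}/chunks/${chunkId}`);
      if (!Array.isArray(chunk)) throw new Error('chunk ' + chunkId + ' is not an asset array');
      assets.push(...chunk);
      seen.add(chunkId);
    }
    if (status === 'FINISHED') return { export_uuid, chunks: [...seen], assets };
    if (status === 'ERROR' || status === 'CANCELLED') throw new Error('export ' + status);
    wait();
  }
  throw new Error('export did not finish within ' + maxPolls + ' polls');
}

// Constructed fake transport so the flow runs offline (not real Tenable responses).
function fakeTenable() {
  let polls = 0;
  const chunks = { 1: [{ id: 'asset-a' }], 2: [{ id: 'asset-b' }, { id: 'asset-c' }] };
  return (method, path) => {
    if (method === 'POST') return { export_uuid: 'EXPORT-UUID-PLACEHOLDER' };
    if (path.endsWith('/status')) {
      polls += 1;
      return polls === 1 ? { status: 'PROCESSING', chunks_available: [1] }
                         : { status: 'FINISHED', chunks_available: [1, 2] };
    }
    return chunks[path.split('/').pop()];
  };
}

// Request body from the example on this page.
const REQUEST = { chunk_size: 1500,
                  filters: { updated_at: 1657660668, is_deleted: false, is_licensed: true } };
```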