Assets Properties
The following table defines the properties in a Tenable Data Stream assets payload file. To see an example file, go to Assets Payload Files.
| Property | Data Type | Description |
|---|---|---|
| payload_id | string | The ID of the payload sent from Tenable Vulnerability Management. |
| version | integer | The version of the payload. This number increments when the payload structure changes. |
| type | string | The type of payload, for example, TAGS. |
| count_updated | integer | The number of objects updated in the payload. |
| count_deleted | integer | The number of objects deleted in the payload. |
| updates[{}] | array of objects | Contains the objects updated in the payload; for example, assets or tags. |
| updates[].id | string | The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset. |
| updates[].has_agent | boolean | Specifies whether a Nessus agent scan identified the asset. |
| updates[].has_plugin_results | boolean | Specifies whether the asset has plugin results associated with it. |
| updates[].created_at | string | An ISO timestamp indicating the date and time when the system created the asset record. |
| updates[].terminated_at | string | An ISO timestamp indicating the date and time when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset. |
| updates[].terminated_by | string | The user who terminated the AWS instance of the asset. |
| updates[].updated_at | string | An ISO timestamp indicating the date and time when the asset record was last updated. |
| updates[].deleted_at | string | An ISO timestamp indicating the date and time when a user deleted the asset record. When a user deletes an asset record, the system retains the record until the asset ages out of the license count. |
| updates[].deleted_by | string | The user who deleted the asset record. |
| updates[].first_seen | string | An ISO timestamp indicating the date and time when a scan first identified the asset. |
| updates[].last_seen | string | An ISO timestamp indicating the date and time of the scan that most recently identified the asset. |
| updates[].first_scan_time | string | An ISO timestamp indicating the date and time of the first scan run against the asset. |
| updates[].last_scan_time | string | An ISO timestamp indicating the date and time of the last scan run against the asset. |
| updates[].last_authenticated_scan_date | string | An ISO timestamp indicating the date and time of the last credentialed scan run on the asset. |
| updates[].last_licensed_scan_date | string | An ISO timestamp indicating the date and time of the last scan that identified the asset as licensed. The system categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days. |
| updates[].last_scan_id | string | The UUID of the scan configuration used during the last scan of the asset. |
| updates[].last_scan_target | string | The IP address of the last target scanned. |
| updates[].acr_score | integer | (Tenable Lumin-only) The Asset Criticality Rating (ACR) for the asset. |
| updates[].exposure_score | integer | (Tenable Lumin-only) The Asset Exposure Score (AES) for the asset. |
| updates[].last_schedule_id | string | The schedule_uuid for the last scan of the asset. |
| updates[].last_scan_target | string | The IP address or fully qualified domain name (FQDN) of the asset targeted in the last scan. |
| updates[].last_authentication_attempt_date | string | An ISO timestamp indicating the date and time when Tenable Nessus last attempted to sign in, either with SSH on Unix-based systems or SMB on Windows systems. |
| updates[].last_authentication_success_date | string | An ISO timestamp indicating the date and time when Tenable Nessus last successfully authenticated. Since agents do not log in, they do not update this property. |
| updates[].last_authentication_scan_status | string | Indicates if the last authentication attempt by Tenable Nessus was successful. Possible values are Success, Failure, and N/A. Since agents do not log in, they do not update this property. |
| updates[].azure_vm_id | string | The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation. |
| updates[].azure_resource_id | string | The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager documentation. |
| updates[].gcp_project_id | string | The unique identifier of the virtual machine instance in Google Cloud Platform (GCP). |
| updates[].gcp_instance_id | string | The customized name of the project to which the virtual machine instance belongs in GCP. For more information see Creating and Managing Projects in the GCP documentation. |
| updates[].aws_ec2_instance_ami_id | string | The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation. |
| updates[].aws_ec2_instance_id | string | The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation. |
| updates[].agent_uuid | string | This property represents the tenable_uuid. This identifier can originate from either an agent or a credentialed remote Nessus scan. If no agent is present on the asset, a UUID is assigned by Tenable Vulnerability Management during a credentialed scan when the Create unique identifier on hosts scanned with credentials option is enabled. Note that no UUID is set for an uncredentialed non-agent scans. |
| updates[].bios_uuid | string | The BIOS UUID of the asset. |
| updates[].network_id | string | The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks. |
| updates[].aws_owner_id | string | The canonical user identifier for the AWS account associated with the virtual machine instance. For example, 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. For more information, see AWS Account Identifiers in the AWS documentation. |
| updates[].aws_availability_zone | string | The availability zone where Amazon Web Services hosts the virtual machine instance, for example, `us-east-1a`. Availability zones are subdivisions of AWS regions. For more information, see Regions and Availability Zones in the AWS documentation. |
| updates[].aws_region | string | The region where AWS hosts the virtual machine instance, for example, `us-east-1`. For more information, see "Regions and Availability Zones" in the AWS documentation. |
| updates[].aws_vpc_id | string | The unique identifier for the virtual public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide. |
| updates[].aws_ec2_instance_group_name | string | The virtual machine instance's group in AWS. |
| updates[].aws_ec2_instance_state_name | string | The state of the virtual machine instance in AWS at the time of the scan. |
| updates[].aws_ec2_instance_type | string | The type of instance in AWS EC2. |
| updates[].aws_subnet_id | string | The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan. |
| updates[].aws_ec2_product_code | string | The product code associated with the AMI used to launch the virtual machine instance in AWS EC2. |
| updates[].aws_ec2_name | string | The name of the virtual machine instance in AWS EC2. |
| updates[].mcafee_epo_guid | string | The unique identifier of the asset in McAfee ePolicy Orchestrator (ePO). For more information, see the McAfee documentation. |
| updates[].mcafee_epo_agent_guid | string | The unique identifier of the McAfee ePO agent that identified the asset. For more information, see the McAfee documentation. |
| updates[].servicenow_sysid | string | The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation. |
| updates[].bigfix_asset_id[] | string | The unique identifiers of the asset in HCL BigFix. For more information, see the HCL BigFix documentation. |
| updates[].agent_names[] | array of strings | The names of any Nessus agents that scanned and identified the asset. |
| updates[].installed_software[] | array of strings |
A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This attribute supports the CPE 2.2 format. For more information, see the "Component Syntax" section of the CPE Specification, Version 2.2. For assets identified in Tenable scans, this attribute contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the installed_software_attribute. This activity is logged as a remove type of attribute_change update in the asset activity log.
|
| updates[].ipv4s[] | array of strings | The IPv4 addresses that scans have associated with the asset record. |
| updates[].ipv6s[] | array of strings | The IPv6 addresses that scans have associated with the asset record. |
| updates[].fqdns[] | array of strings | The fully-qualified domain names that scans have associated with the asset record. |
| updates[].mac_addresses[] | array of strings | The MAC addresses that scans have associated with the asset record. |
| updates[].netbios_names[] | array of strings | The NetBIOS names that scans have associated with the asset record. |
| updates[].operating_systems[] | array of strings | The operating systems that scans have associated with the asset record. |
| updates[].system_types[] | array of strings | The system types as reported by Plugin ID 54615. Possible values include router, general-purpose, scan-host, and embedded. |
| updates[].hostnames[] | array of strings | The hostnames that scans have associated with the asset record. |
| updates[].ssh_fingerprints[] | array of strings | The SSH key fingerprints that scans have associated with the asset record. |
| updates[].qualys_asset_ids[] | array of strings |
The Asset ID of the asset in Qualys. For more information, see the Qualys documentation. |
| updates[].qualys_host_ids[] | array of strings | The Host ID of the asset in Qualys. For more information, see the Qualys documentation. |
| updates[].manufacturer_tpm_ids[] | array of strings | The manufacturer's unique identifiers of the Trusted Platform Module (TPM) associated with the asset. |
| updates[].symantec_ep_hardware_keys[] | array of strings | The hardware keys for the asset in Symantec Endpoint Protection. |
| updates[].sources[{}] | array of objects |
The sources of the scans that identified the asset. An asset source is the entity that reported the asset details. Sources can include sensors, connectors, and API imports. If your request specifies multiple sources, Tenable Vulnerability Management returns all assets seen by any of the specified sources. The items in the sources array must correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management. Commonly used names include:
|
| updates[].sources[]. name | string |
The name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports. Source names can be customized by your organization (for example, you specify a name when you import asset records). If your organization does not customize source names, the system-generated names include:
|
| updates[].sources[].first_seen | string | An ISO timestamp indicating the date and time when the source first reported the asset. |
| updates[].sources[].last_seen | string | An ISO timestamp indicating the date and time when the source last reported the asset. |
| updates[].network_interfaces[{}] | array of objects | The network interfaces that scans identified on the asset. |
| updates[].network_interfaces.name | string | The name of the interface. |
| updates[].network_interfaces[].mac_addresses | array of strings | The MAC addresses of the interface. |
| updates[].network_interfaces[].ipv6s | array of strings | One or more IPv6 addresses belonging to the interface. |
| updates[].network_interfaces[].ipv4s | array of strings | One or more IPv4 addresses belonging to the interface. |
| updates[].network_interfaces[].fqdns | array of strings | One or more FQDNs belonging to the interface. |
| updates[].network_interfaces.virtual | boolean | If a virtual name exists for the interface. |
| updates[].network_interfaces.aliased | boolean | If an alias exists for the interface. |
| updates[].open ports | array of objects | An array of open ports and their services as reported by the info-level plugins. For more information about open ports reported by info-level plugins, see Open Ports and the Assets Workbench. |
| updates[].open_ports[].port | integer | The open port number. |
| updates[].open_ports[].protocol | string | The communication protocol corresponding to the open port. |
| updates[].open_ports[].service_names | array of strings | The names of the services associated with the open port. |
| updates[].gcp_zone | string | The customized name of the project to which the virtual machine instance belongs in GCP. For more information see "Creating and Managing Projects" in the GCP documentation. |
| updates[].network_name | string | The ID of the network object associated with scanners that identified the asset. The default network name is Default. All other network names are user-defined. |
| updates[].open_ports[].first_seen | string | An ISO timestamp indicating the date and time when the source first detected the open port on the asset. |
| updates[].open_ports[].last_seen | string | An ISO timestamp indicating the date and time when the source last detected the open port on the asset. |
| updates[].custom_attributes | array of objects | Custom attributes for the asset. |
| updates[].custom_attributes[].id | string | The custom ID for the asset. |
| updates[].custom_attributes[].value | string | The custom value for the asset. |
| updates[].tags | array of objects |
Object containing the tags for the asset. Note: The tags object is always empty and appears to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
|
| updates[].tags[].uuid | string | The UUID of the tag. |
| updates[].tags[].key | string | The tag category. |
| updates[].tags[].value | string | The tag value. |
| updates[].tags[].added_by | string | The UUID of the user who assigned the tag to the asset. |
| updates[].tags[].added | string | An ISO timestamp indicating the date and time when the tag was assigned to the asset. |
| deletes[] | array of objects | Contains any assets deleted in the payload, along with their _id and a timestamp. |
| deletes[].id | string | The UUID of the deleted asset in Tenable Vulnerability Management. |
| deletes[].deleted_at | string | An ISO timestamp indicating the date and time of the data deletion. |
| first_ts | string | A Unix timestamp indicating the date and time of the first entry in the payload. |
| last_ts | string | A Unix timestamp indicating the date and time of the last entry in the payload. |
.