Findings Properties

The following table defines the properties in a Tenable Data Stream findings payload file. To see an example file, go to Findings Payload Files.

Property Data Type Description
payload_id string The ID of the payload sent from Tenable Vulnerability Management.
version integer The version of the payload. This number increments when the payload structure changes.
type string The type of data in the payload; for example, FINDING.
count_updated integer The number of updated findings in the payload.
count_deleted integer The number of deleted findings in the payload.
updates[{}] array of objects Contains the tags updated in the payload.
updates[].finding_id string The unique identifier for the finding.
updates[].asset.agent_uuid string The UUID of the agent that performed the scan where the vulnerability was found.
updates[].asset.bios_uuid string The BIOS UUID of the asset where the vulnerability was found.
updates[].asset.device_type string The type of asset where the vulnerability was found.
updates[].asset.fqdn string The fully-qualified domain name of the asset where a scan found the vulnerability.
updates[].asset.hostname string The host name of the asset where a scan found the vulnerability.
updates[].asset.uuid string The UUID of the asset where a scan found the vulnerability.
updates[].asset.ipv4 string The IPv4 address of the asset where a scan found the vulnerability.
updates[].asset.ipv6 string The IPv6 address of the asset where a scan found the vulnerability.
updates[].asset.last_authenticated_results string An ISO timestamp indicating the date and time when credentials were last successfully used to scan the asset.
updates[].asset.last_unauthenticated_results string An ISO timestamp indicating the date and time when the asset was scanned without using credentials.
updates[].scan_target string The IP address or fully qualified domain name (FQDN) of the asset targeted in the last scan.
updates[].asset.mac_address string The MAC address of the asset where a scan found the vulnerability.
updates[].asset.netbios_name string The NETBIOS name of the asset where a scan found the vulnerability.
updates[].asset.netbios_workgroup[] string array The NETBIOS workgroup of the asset where a scan found the vulnerability.
updates[].asset.operating_system[] array of strings The operating system of the asset where a scan found the vulnerability.
updates[].asset.network_id string The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Networks.
updates[].asset.tracked boolean A value specifying whether Tenable Vulnerability Management tracks the asset in the asset management system. Tenable Vulnerability Management still assigns untracked assets identifiers in scan results, but these identifiers change with each new scan of the asset. This parameter is relevant to PCI-type scans and in certain cases where there is not enough information in a scan to identify the asset. Untracked assets appear in the scan history, but do not appear in workbenches or reports.
updates[].output string The text output of the Nessus scanner.
updates[].plugin object Information about the plugin that detected the vulnerability.
updates[].plugin.bid[] array of integers The Bugtraq ID for the plugin.
updates[].plugin.canvas_package string The name of the CANVAS exploit pack that includes the vulnerability.
updates[].plugin.checks_for_default_account boolean A value specifying whether the plugin checks for default accounts.
updates[].plugin.checks_for_malware boolean A value specifying whether the plugin checks for malware.
updates[].plugin.cpe[] array of strings The Common Platform Enumeration (CPE) numbers for the plugin.
updates[].plugin.cve[] array of strings The Common Vulnerability and Exposure (CVE) IDs for the plugin.
updates[].plugin.cvss3_base_score float The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
updates[].plugin.cvss3_temporal_score float The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments).
updates[].plugin.cvss3_temporal_vector object CVSSv3 temporal metrics for the vulnerability.
updates[].plugin.cvss3_temporal_vector.exploitability string

The CVSSv3 Exploit Maturity Code (E) for the vulnerability the plugin covers. Possible values include:

  • Unproven — Corresponds to the Unproven (U) value for the E metric

  • Proof-of-concept — Corresponds to the Proof-of-Concept (POC) value for the E metric

  • Functional — Corresponds to the Functional (F) value for the E metric

  • High — Corresponds to the High (H) value for the E metric

  • Not-defined — Corresponds to the Not Defined (ND) value for the E metric
updates[].plugin.cvss3_temporal_vector.remediation_level string

The CVSSv3 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. Possible values include:

  • O — Official Fix

  • T — Temporary Fix

  • W — Workaround

  • U — Unavailable

  • X — Not Defined
updates[].plugin.cvss3_temporal_vector.report_confidence string

The CVSSv3 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. Possible values include:

  • U — Unknown

  • R — Reasonable

  • C — Confirmed

  • X — Not Defined
updates[].plugin.cvss3_temporal_vector.raw string The complete cvss3_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss3_vector object Additional CVSSv3 metrics for the vulnerability.
updates[].plugin.cvss3_vector.access_complexity string

The CVSSv3 Access Complexity (AC) metric for the vulnerability the plugin covers. Possible values are:

  • H — High

  • M — Medium

  • L — Low
updates[].plugin.cvss3_vector.access_vector string

The CVSSv2 Attack Vector (AV) metric for the vulnerability the plugin covers. Possible values are:

  • Network — Corresponds to the Network (N) value for the AV metric.

  • Adjacent Network — Corresponds to the Adjacent Network (A) value for the AV metric.

  • Local — Corresponds to the Local (L) value for the AV metric
updates[].plugin.cvss3_vector.privileges_required string

Level of privilege required to exploit this vulnerability. Possible values are L for low, H for high, and None for no access privileges required.
updates[].plugin.cvss3_vector.user_interaction string The user interaction required for exploitability.
updates[].plugin.cvss3_vector.scope string If the vulnerability can affect other assets or only the asset it was found on. Possible values are U for unchanged and C for changed (meaning that the vulnerability can affect other assets).
updates[].plugin.cvss3_vector.availability_impact string

The CVSSv2 availability impact metric for the vulnerability the plugin covers. Possible values include:

  • H — High

  • L — Low

  • N — None
updates[].plugin.cvss3_vector.confidentiality_impact string

The CVSSv3 confidentiality impact metric of the vulnerability the plugin covers to the vulnerable component. Possible values include:

  • H — High

  • L — Low

  • N — None
updates[].plugin.cvss3_vector.integrity_impact string

The CVSSv3 integrity impact metric for the vulnerability the plugin covers. Possible values include:

  • H — High

  • L — Low

  • N — None
updates[].plugin.cvss3_vector.raw string The complete cvss3_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss_base_score float The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
updates[].plugin.cvss_temporal_score float The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments).
updates[].plugin.cvss_temporal_vector object CVSSv2 temporal metrics for the vulnerability.
updates[].plugin.cvss_temporal_vector.exploitability string

The CVSSv2 Exploitability (E) temporal metric for the vulnerability the plugin covers. Possible values include:

  • U—Unproven

  • POC — Proof-of-Concept

  • F — Functional

  • H — High

  • ND — Not Defined
updates[].plugin.cvss_temporal_vector.remediation_level string

The CVSSv2 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. Possible values include:

  • OF — Official Fix

  • TF — Temporary Fix

  • W — Workaround

  • U — Unavailable

  • ND — Not Defined
updates[].plugin.cvss_temporal_vector.report_confidence string

The CVSSv2 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. Possible values include:

  • UC — Unconfirmed

  • UR — Uncorroborated

  • C — Confirmed

  • ND — Not Defined
updates[].plugin.cvss_temporal_vector.raw string The complete cvss_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss_vector.access_complexity string

The CVSSv2 Access Complexity (AC) metric for the vulnerability the plugin covers. Possible values include:

  • H — High

  • M — Medium

  • L — Low
updates[].plugin.cvss_vector.access_vector string

The CVSSv2 Access Vector (AV) metric for the vulnerability the plugin covers. Possible values include:

  • L — Local

  • A — Adjacent Network

  • N — Network
updates[].plugin.cvss_vector.authentication string

The CVSSv2 Authentication (Au) metric for the vulnerability the plugin covers. Possible values include:

  • N — None

  • S — Single

  • M — Multiple
updates[].plugin.cvss_vector.availability_impact string

The CVSSv2 availability impact metric for the vulnerability the plugin covers. Possible values include:

  • N — None

  • P — Partial

  • C — Complete
updates[].plugin.cvss_vector.confidentiality_impact string

The CVSSv2 confidentiality impact metric for the vulnerability the plugin covers. Possible values include:

  • N — None

  • P — Partial

  • C — Complete
updates[].plugin.cvss_vector.integrity_impact string

The CVSSv2 integrity impact metric for the vulnerability the plugin covers. Possible values include:

  • N — None

  • P — Partial

  • C — Complete
updates[].plugin.cvss_vector.raw string The complete cvss_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.d2_elliot_name string The name of the exploit in the D2 Elliot Web Exploitation framework.
updates[].plugin.description string Full text description of the vulnerability.
updates[].plugin.exploit_available boolean A value specifying whether a public exploit exists for the vulnerability.
updates[].plugin.exploit_framework_canvas boolean A value specifying whether an exploit exists in the Immunity CANVAS framework.
updates[].plugin.exploit_framework_core boolean A value specifying whether an exploit exists in the CORE Impact framework.
updates[].plugin.exploit_framework_d2_elliot boolean A value specifying whether an exploit exists in the D2 Elliot Web Exploitation framework.
updates[].plugin.exploit_framework_exploithub boolean A value specifying whether an exploit exists in the ExploitHub framework.
updates[].plugin.exploit_framework_metasploit boolean A value specifying whether an exploit exists in the Metasploit framework.
updates[].plugin.exploitability_ease string Description of how easy it is to exploit the issue.
updates[].plugin.exploited_by_malware boolean The vulnerability discovered by this plugin is known to be exploited by malware.
updates[].plugin.exploited_by_nessus boolean A value specifying whether Nessus exploited the vulnerability during the process of identification.
updates[].plugin.exploithub_sku string The SKU number of the exploit in the ExploitHub framework.
updates[].plugin.family string The family to which plugin belongs.
updates[].plugin.family_id integer The ID of the plugin family.
updates[].plugin.has_patch boolean A value specifying whether the vendor has published a patch for the vulnerability.
updates[].plugin.id integer The ID of the plugin that identified the vulnerability.
updates[].plugin.in_the_news boolean A value specifying whether this plugin has received media attention (for example, ShellShock, Meltdown).
updates[].plugin.metasploit_name string The name of the related exploit in the Metasploit framework.
updates[].plugin.ms_bulletin array of strings The Microsoft security bulletin that the plugin covers.
updates[].plugin.name string The name of the plugin that identified the vulnerability.
updates[].plugin.patch_publication_date string An ISO timestamp indicating the date and time when the vendor published a patch for the vulnerability.
updates[].plugin.modification_date string An ISO timestamp indicating the date and time when the plugin was last modified.
updates[].plugin.publication_date string An ISO timestamp indicating the date and time when the plugin was published.
updates[].plugin.risk_factor string The risk factor associated with the plugin. Possible values are: Low, Medium, High, or Critical. See the risk_factor attribute in Tenable Plugin Attributes.
updates[].plugin.see_also[] array of strings Links to external websites that contain helpful information about the vulnerability.
updates[].plugin.solution string Remediation information for the vulnerability.
updates[].plugin.stig_severity string Security Technical Implementation Guide (STIG) severity code for the vulnerability.
updates[].plugin.synopsis string Brief description of the plugin or vulnerability.
updates[].plugin.type string The general type of plugin check (for example, local or remote).
updates[].plugin.unsupported_by_vendor boolean Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3).
updates[].plugin.usn string Ubuntu security notice that the plugin covers.
updates[].plugin.version string The version of the plugin used to perform the check.
updates[].plugin.vuln_publication_date string An ISO timestamp indicating the date and time when the plugin was published.
updates[].plugin.xrefs[] array of objects References to third-party information about the vulnerability, exploit, or update associated with the plugin. Each reference includes a type and an ID. For example, 'FEDORA' and '2003-047'. This object can include type and id fields.
updates[].plugin.xrefs[].type string The type of reference.
updates[].plugin.xrefs[].id string The ID for the reference.
updates.plugin.vpr object Information about the Vulnerability Priority Rating (VPR) for the vulnerability.
updates[].plugin.vpr.score float The Vulnerability Priority Rating (VPR) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr.drivers object The key drivers Tenable uses to calculate a vulnerability's VPR. For more information, see Vulnerability Priority Rating Drivers.
updates[].plugin.vpr.drivers.age_of_vuln object A range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability. Ranges include 0-7 days, 7-30 days, 30-60 days, 60-180 days, 180-365 days, 365-730 days, and more than 730 days (+731)
updates[].plugin.vpr.drivers.age_of_vuln.lower_bound integer The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 730 days), this value is 731.
updates[].plugin.vpr.drivers.age_of_vuln.upper_bound integer The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.exploit_code_maturity string The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
updates[].plugin.vpr.drivers.cvss_impact_score_predicted boolean A value specifying whether Tenable predicted the CVSSv3 impact score for the vulnerability because NVD did not provide one (true) or used the NVD-provided CVSSv3 impact score (false) when calculating the VPR.
updates[].plugin.vpr.drivers.cvss3_impact_score float The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Vulnerability Management displays a Tenable-predicted score.
updates[].plugin.vpr.drivers.threat_intensity_last28 string The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
updates[].plugin.vpr.drivers.threat_recency object A range representing the number of days since a threat event occurred for the vulnerability. Ranges include 0-7 days, 7-30 days, 30-120 days, 120-365 days, and more than 365 days (+365).
updates[].plugin.vpr.drivers.threat_recency.lower_bound integer The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 365 days), this value is 366.
updates[].plugin.vpr.drivers.threat_recency.upper_bound integer The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.threat_sources_last28[] array of strings A list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred.
updates[].plugin.vpr.drivers.product_coverage string The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
updates[].plugin.vpr.updated string An ISO timestamp indicating the date and time whenthe system last imported the VPR for this vulnerability. The system imports a VPR value the first time you scan a vulnerability on your network. Then, it automatically re-imports new and updated VPR values daily.
updates[].workaround string Describes the workaround for remediating the vulnerability.
updates[].workaround_type string

The workaround action required to remediate the vulnerability. Possible workaround types include:

  • Configuration Change — You must alter the configuration of software on the asset.

  • Disable Service — You must disable a service on the asset.
updates[].workaround_published string An ISO timestamp indicating the date and time when the workaround was published.
updates[].has_workaround boolean Indicates if a workaround exists for the vulnerability.
updates[].port object Information about the port the scanner used to connect to the asset.
updates[].port.port integer The port the scanner used to communicate with the asset.
updates[].port.protocol string The protocol the scanner used to communicate with the asset.
updates[].port.service string The service the scanner used to communicate with the asset.
updates[].recast_reason string The text that appears in the Comment field of the recast rule in the Tenable Vulnerability Management user interface.
updates[].recast_rule_uuid string The UUID of the recast rule that applies to the plugin.
updates[].scan object Information about the latest scan that detected the vulnerability.
updates[].scan.schedule_uuid string The schedule UUID for the scan that found the vulnerability.
updates[].scan.started_at string An ISO timestamp indicating the date and time when the scan started.
updates[].scan.uuid string The UUID of the scan that found the vulnerability.
updates[].severity string The severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info (CVSS score of 0), low (CVSS score between 0.1 and 3.9), medium (CVSS score between 4.0 and 6.9), high (CVSS score between 7.0 and 9.9), and critical (CVSS score of 10.0).
updates[].severity_id integer

The code for the severity assigned when a user recast the risk associated with the vulnerability. Possible values include:

  • 0 — The vulnerability has a CVSS score of 0, which corresponds to the "info" severity level.

  • 1 — The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the "low" severity level.

  • 2 — The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the "medium" severity level.

  • 3 — The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the "high" severity level.

  • 4 — The vulnerability has a CVSS score of 10.0, which corresponds to the "critical" severity level.
updates[].severity_default_id integer The code for the severity originally assigned to a vulnerability before a user recast the risk associated with the vulnerability. Possible values are the same as for the severity_id attribute.
updates[].severity_modification_type string

The type of modification a user made to the vulnerability's severity. Possible values include:

  • none — No modification has been made.

  • recasted — A user in the Vulnerability Management user interface has recast the risk associated with the vulnerability

  • accepted — A user in the vulnerability Management user interface has accepted the risk associated with the vulnerability.

updates[].first_found string An ISO timestamp indicating the date and time when a scan first detected the vulnerability on the asset.
updates[].last_fixed string An ISO timestamp indicating the date and time whenn a scan no longer detects the previously detected vulnerability on the asset.
updates[].last_found string An ISO timestamp indicating the date and time when a scan last detected the vulnerability on the asset.
updates[].indexed string An ISO timestamp indicating the date and time when the system added the finding to the Tenable Vulnerability Management database.
updates[].state string

The state of the vulnerability as determined by the Tenable Vulnerability Management state service. Possible values include:

  • OPEN — The vulnerability is currently present on an asset.

  • REOPENED — The vulnerability was previously marked as fixed on an asset, but has been detected again by a new scan.

  • FIXED — The vulnerability was present on an asset, but is no longer detected.

updates[].source string

The source of the scans that identified the vulnerability. Sources can include sensors, connectors, and API imports. The values in the source field correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management.

Commonly used source names include:

  • AGENT — The vulnerability data was obtained from a Tenable Nessus Agent scan.

  • NNM — The vulnerability data was obtained from a Tenable Nessus Network Monitor (NNM) scan.

  • NESSUS — The vulnerability data was obtained from a Tenable Nessus scan.
deletes[{}] array of objects Contains any findings deleted in the payload, along with their _id and a timestamp.
deletes[]._id string The UUID of the deleted finding in Tenable Vulnerability Management.
.deletes[].deleted_at string An ISO timestamp indicating the date and time when the data in the payload was deleted.
first_ts string A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts string A Unix timestamp indicating the date and time of the last entry in the payload.