Host Audit Properties

The following table defines the properties in a Tenable Data Stream host audit payload file. To see an example file, go to Host Audit Payload Files.

Property Data Type Description
payload_id string The ID of the payload sent from Tenable Vulnerability Management.
version integer The version of the payload. This number increments when the payload structure changes.
type string The type of payload (HOST_AUDIT_FINDING).
count_updated integer The number of objects updated in the payload.
count_deleted integer The number of objects deleted in the payload.
updates[] array of objects Contains the host audit objects updated in the payload.
updates[].finding_id string The ID of the finding.
updates[].asset_uuid string The UUID of the asset on which the compliance check was executed.
updates[].first_seen string The ISO date when a compliance scan first assessed the asset with the compliance check.
updates[].last_seen string The ISO date when a compliance scan last assessed the asset with the compliance check.
updates[].audit_file string The name of the audit file containing the compliance check.
updates[].check_id string The unique identifier for the compliance finding. This identifier is generated based on the compliance_full_id, compliance_functional_id, and compliance_informational_id. The check_id is regenerated if any of the identifiers it's based on changes.
updates[].check_name string The descriptive name of the compliance check.
updates[].check_info string A full text description of the compliance check.
updates[].expected_value string The desired value (integer or string) for the compliance check. For example, if a password length compliance check requires passwords to be 8 characters long, then 8 is the expected value. For manual checks, this field contains the command used for the compliance check.
updates[].actual_value string The actual value (integer, string, or table) evaluated from the compliance check. For example, if a password length compliance check requires passwords to be 8 characters long, but the evaluated value was 7, then 7 is the actual value. For manual checks, this field contains the output of the command that was executed.
updates[].status string The result status of the audit check:

  • PASSED — Returned if the asset has passed the compliance check.

  • FAILED — Returned if the asset has failed the compliance check.

  • WARNING — Returned when there is no definable passing criteria (for example, an audit verifying that members of the administrator group are appropriate for your organization).

  • SKIPPED — Returned if the plugin determined that the check is not applicable to the asset. It can also be returned in various other cases (for example, if a check requires that a direct command be run to gather data on an offline network device or if a check contains commands that will not run on the specified operating system).

  • UNKNOWN — Returned when a status cannot be determined for the OVAL check. The OVAL engine sets this status.

updates[].reference[] array of objects Industry references for the compliance check.
updates[].reference[].framework string The name of the compliance framework.
updates[].reference[].control string The specific control within the compliance framework.
updates[].see_also string Links to external websites that contain reference information about the compliance check.
updates[].solution string Remediation information for the compliance check.
updates[].check_error string An error message if the compliance evaluation fails.
updates[].profile_name string The name of the profile for the benchmark standard.
updates[].db_type string The type of database if the compliance check assessed a database.
updates[].plugin_id integer The unique ID of the compliance plugin.
updates[].state string The state as determined by the Tenable Vulnerability Management state service. This field is NULL for findings last seen before December 2021. Possible values include:

  • OPEN — The compliance finding is currently present on an asset.

  • REOPENED — The compliance finding was previously marked as fixed on an asset but has been detected again by a new scan.

  • FIXED — The compliance finding was present on an asset but is no longer detected.

  • ACTIVE — The compliance finding is currently active on an asset.

Note that the API uses different terms for states than the user interface. The new and active states in the user interface map to the OPEN state in the API. The resurfaced state in the user interface maps to the REOPENED state in the API. The fixed state is the same.

updates[].description string A detailed description of the finding.
updates[].audit_description string A detailed description of the compliance check.
updates[].compliance_benchmark_name string The name of the compliance benchmark (for example, CIS SQL Server 2019).
updates[].compliance_benchmark_version string The version of the compliance benchmark (for example, 1.2.0).
updates[].compliance_control_id string A unique identifier for the aggregation of multiple results to single recommendations in CIS and DISA audits. This identifier is a computed and hashed value for CIS and DISA content that enables customers to match checks that evaluate the same recommendation within a benchmark.
updates[].compliance_full_id string A unique identifier that identifies a full compliance result in the context of an audit. The identifier is a hash of fields within the compliance check (excluding external references). The identifier changes if any of the fields within the compliance check change.
updates[].compliance_functional_id string A unique identifier for aggregating or comparing compliance results that were tested the same way. The identifier is a hash of the code within the audit that actually performs the check. The identifier changes if functional evaluation of the audit changes.
updates[].compliance_informational_id string A unique identifier for aggregating or comparing compliance results that have the same informational data (for example, the same solution text). The identifier is a hash of the info and solution fields within the compliance check. The identifier changes if either of these fields is updated.
updates[].synopsis string A short summary of the compliance audit.
updates[].last_fixed string The ISO date when the compliance failure was last fixed on the asset.
updates[].last_observed string The ISO date when the compliance issue was last observed (whether active or fixed) on the asset.
updates[].metadata_id string A unique identifier used in the Tenable Vulnerability Management pipeline results ingestion.
updates[].uname_output string The output of the uname command on the asset. It typically contains the operating system type and version.
updates[].indexed_at string The ISO date when the audit for the asset was indexed into Tenable Vulnerability Management.
updates[].plugin_name string The name of the compliance check.
updates[].asset object An object containing detailed information about the affected asset.
updates[].asset.id string The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset.
updates[].asset.ipv4_addresses[] array of strings A list of IPv4 addresses that are associated with the asset.
updates[].asset.ipv6_addresses[] array of strings A list of IPv6 addresses that are associated with the asset.
updates[].asset.fqdns[] array of strings A list of fully-qualified domain names (FQDNs) that are associated with the asset.
updates[].asset.name string The name of the asset.
updates[].asset.agent_name string The name of the Tenable Agent that scanned and identified the asset.
updates[].asset.agent_uuid string This property represents the tenable_uuid. This identifier can originate from either an agent or a credentialed remote Tenable Nessus scan. If no agent is present on the asset, a UUID is assigned by Tenable Vulnerability Management during a credentialed scan when the Create unique identifier on hosts scanned with credentials option is enabled. Note that no UUID is set for uncredentialed non-agent scans.
updates[].asset.tags[] array of objects The tags assigned to the asset in Tenable Vulnerability Management.

Note: The tags object is always empty; it appears in the payload only to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
updates[].asset.tags[].category string The tag category identifier.
updates[].asset.tags[].value string The tag value identifier.
updates[].asset.mac_addresses[] array of strings A list of MAC addresses that are associated with the asset.
updates[].asset.operating_systems[] array of strings The operating systems that scans have associated with the asset record.
updates[].asset.system_type string The system type as reported by Plugin ID 54615. Possible values include:

  • router

  • general-purpose

  • scan-host

  • embedded

updates[].asset.network_id string The ID of the network to which the asset belongs. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks.
updates[].scan object Information about the scan that detected the finding.
updates[].scan.completed_at string An ISO timestamp indicating the date and time when the scan was completed.
updates[].scan.schedule_uuid string The unique identifier for the scan schedule.
updates[].scan.started_at string An ISO timestamp indicating the date and time when the scan started.
updates[].scan.uuid string The UUID of the scan.
updates[].scan.target string The target IP or hostname of the scan.
deletes[] array of objects Contains the host audit objects deleted in the payload.
deletes[].id string The ID of the deleted host audit.
deletes[].deleted_at string An ISO timestamp indicating the date and time when the host audit was deleted.
first_ts string A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts string A Unix timestamp indicating the date and time of the last entry in the payload.
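
The following sketch shows how a consumer might validate a host audit payload and merge it into a local store before triage. It is an added example, not Tenable code or an official sample file. The sample payload is constructed, and the function name apply_payload, the in-memory store, the assumption that count_updated and count_deleted equal the array lengths, and the assumption that deletes[].id refers to a finding_id are all illustrative.

```python
import json
from datetime import datetime, timezone

# Constructed sample payload; every value below is made up for illustration.
SAMPLE = json.dumps({
    "payload_id": "example-payload-1", "version": 1, "type": "HOST_AUDIT_FINDING",
    "count_updated": 3, "count_deleted": 1,
    "updates": [
        {"finding_id": "f-1", "asset_uuid": "a-1", "check_name": "Minimum password length",
         "expected_value": "8", "actual_value": "7", "status": "FAILED", "state": "REOPENED"},
        {"finding_id": "f-2", "asset_uuid": "a-1", "check_name": "Admin group membership",
         "status": "WARNING", "state": "OPEN"},
        {"finding_id": "f-3", "asset_uuid": "a-2", "check_name": "Legacy check",
         "status": "FAILED", "state": None},  # NULL state: last seen before December 2021
    ],
    "deletes": [{"id": "f-0", "deleted_at": "2024-01-02T00:00:00Z"}],
    "first_ts": "1704153600", "last_ts": "1704157200",
})

STATUSES = {"PASSED", "FAILED", "WARNING", "SKIPPED", "UNKNOWN"}
STATES = {"OPEN", "REOPENED", "FIXED", "ACTIVE", None}  # None covers the documented NULL case

def apply_payload(raw, store):
    """Validate one payload, merge it into store (finding_id -> finding), return a triage summary."""
    p = json.loads(raw)
    if p.get("type") != "HOST_AUDIT_FINDING":
        raise ValueError(f"unexpected payload type: {p.get('type')!r}")
    updates, deletes = p.get("updates", []), p.get("deletes", [])
    # Assumption: the counts equal the array lengths; reject a mismatch instead of half-applying.
    if (p["count_updated"], p["count_deleted"]) != (len(updates), len(deletes)):
        raise ValueError("count_updated/count_deleted do not match array lengths")
    for f in updates:
        if f.get("status") not in STATUSES or f.get("state") not in STATES:
            raise ValueError(f"finding {f.get('finding_id')}: unknown status/state")
    for f in updates:
        store[f["finding_id"]] = f
    for d in deletes:
        store.pop(d["id"], None)  # assumption: deletes[].id is a finding_id
    # first_ts/last_ts are Unix timestamps carried as strings.
    window = tuple(datetime.fromtimestamp(int(p[k]), tz=timezone.utc) for k in ("first_ts", "last_ts"))
    return {
        "window": window,
        # Failing checks still present on the asset; NULL state is kept so legacy findings are not lost.
        "actionable": [f["finding_id"] for f in updates if f["status"] == "FAILED"
                       and f.get("state") in ("OPEN", "REOPENED", "ACTIVE", None)],
        # WARNING has no definable passing criteria, so it needs a human decision.
        "manual_review": [f["finding_id"] for f in updates if f["status"] == "WARNING"],
    }
```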