Web App Scanning Asset Properties
The following table defines the properties in a Tenable Data Stream web app scanning assets payload file. To see an example file, go to Web App Scanning Asset Payload Files.
| Property | Data Type | Description |
|---|---|---|
| payload_id | string | The ID of the payload sent from Tenable Vulnerability Management. |
| version | integer | The version of the payload. This number increments when the payload structure changes. |
| type | string | The type of payload (WAS_ASSET). |
| count_updated | integer | The number of objects updated in the payload. |
| count_deleted | integer | The number of objects deleted in the payload. |
| updates[] | array of objects | A list of updated web app scanning asset objects. |
| updates[].id | string | The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset. |
| updates[].has_agent | boolean | Specifies whether a Tenable Agent scan identified the asset. |
| updates[].has_plugin_results | boolean | Specifies whether the asset has plugin results associated with it. |
| updates[].is_licensed | boolean | Indicates whether the asset is licensed by Tenable. |
| updates[].types[] | array of strings | A list of asset types that apply to the asset (for example, webapp). |
| updates[].terminated_by | string | The user who terminated the AWS instance of the asset. |
| updates[].deleted_by | string | The user who deleted the asset record. |
| updates[].agentNames[] | array of strings | The names of any Tenable Agents that scanned and identified the asset. |
| updates[].operating_systems[] | array of strings | The operating systems that scans have associated with the asset record. |
| updates[].system_types[] | array of strings | The system types as reported by Plugin ID 54615. Possible values include router, general-purpose, scan-host, and embedded. |
| updates[].manufacturer_tpm_ids[] | array of strings | The manufacturer's unique identifiers of the Trusted Platform Module (TPM) associated with the asset. |
| updates[].installed_software[] | array of strings |
A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This attribute supports the CPE 2.2 format. For more information, see the "Component Syntax" section of the CPE Specification, Version 2.2. For assets identified in Tenable scans, this attribute contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the installed_software_attribute. This activity is logged as a remove type of attribute_change update in the asset activity log.
|
| updates[].is_public | boolean | Specifies whether if the asset is an internet-facing and accessible externally. |
| updates[].sources[] | array of objects |
Objects that describe the scan sources that identified the asset. An asset source is the entity that reported the asset details. Sources can include sensors, connectors, and API imports. If your request specifies multiple sources, Tenable Vulnerability Management returns all assets seen by any of the specified sources. The items in the sources array must correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management. Commonly used names include:
|
| updates[].sources[].name | string |
The name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports. Source names can be customized by your organization (for example, you specify a name when you import asset records). If your organization does not customize source names, the system-generated names include:
|
| updates[].sources[].first_seen | string | The ISO timestamp when the source first reported the asset. |
| updates[].sources[].last_seen | string | The ISO timestamp when the source last reported the asset. |
| updates[].tags | array of objects |
Object containing the tags for the asset. Note: The tags object is always empty and appears to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
|
| updates[].tags[].uuid | string | The UUID of the tag. |
| updates[].tags[].key | string | The tag category (the first half of the category:value pair). |
| updates[].tags[].value | string | The tag value (the second half of the category:value pair). |
| updates[].tags[].added_at | string | The ISO timestamp when the tag was assigned to the asset. |
| updates[].tags[].added_by | string | The UUID of the user who assigned the tag to the asset. |
| updates[].network | object | An object containing network-related information for the asset. |
| updates[].network.network_id | string | The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks. |
| updates[].network.network_name | string | The ID of the network object associated with scanners that identified the asset. The default network name is Default. All other network names are user-defined. For more information about network objects, see Manage Networks. |
| updates[].network.ipv4s[] | array of strings | The IPv4 addresses that scans have associated with the asset record. |
| updates[].network.bios_uuid | string | The BIOS UUID of the asset. |
| updates[].network.ipv6s[] | array of strings | The IPv6 addresses that scans have associated with the asset record. |
| updates[].network.fqdns[] | array of strings | The fully-qualified domain names that scans have associated with the asset record. |
| updates[].network.mac_addresses[] | array of strings | The MAC addresses that scans have associated with the asset record. |
| updates[].network.netbios_names[] | array of strings | The NetBIOS names that scans have associated with the asset record. |
| updates[].network.hostnames[] | array of strings | The hostnames that scans have associated with the asset record. |
| updates[].network.ssh_fingerprints[] | array of strings | The SSH key fingerprints that scans have associated with the asset record. |
| updates[].network.network_interfaces[] | array of objects | The network interfaces that scans identified on the asset. |
| updates[].network.network_interfaces[].name | string | The name of the network interface. |
| updates[].network.network_interfaces[].virtual | boolean | Indicates whether the network interface is virtual. |
| updates[].network.network_interfaces[].aliased | boolean | Indicates whether the network interface is aliased. |
| updates[].network.network_interfaces[].fqdns[] | array of strings | A list of FQDNs for the network interface. |
| updates[].network.network_interfaces[].mac_addresses[] | array of strings | The MAC addresses of the network interface. |
| updates[].network.network_interfaces[].ipv4s[] | array of strings | A list of IPv4 addresses belonging to the interface. |
| updates[].network.network_interfaces[].ipv6s[] | array of strings | A list of IPv6 addresses belonging to the interface. |
| updates[].network.open_ports[] | array of objects | An array of open ports and their services as reported by the info-level plugins. |
| updates[].network.open_ports[].port | integer | The open port number. |
| updates[].network.open_ports[].protocol | string | The communication protocol corresponding to the open port. |
| updates[].network.open_ports[].service_names[] | array of strings | The names of the services associated with the open port. |
| updates[].network.open_ports[].first_seen | string | The ISO timestamp when the source first detected the open port on the asset. |
| updates[].network.open_ports[].last_seen | string | The ISO timestamp when the source last detected the open port on the asset. |
| updates[].scan | object | An object containing scan-related information for the asset. |
| updates[].scan.first_scan_time | string | The time and date of the first scan run against the asset. |
| updates[].scan.last_scan_time | string | The time and date of the last scan run against the asset. |
| updates[].scan.last_authenticated_scan_date | string | The time and date of the last credentialed scan run on the asset. |
| updates[].scan.last_licensed_scan_date | string | The time and date of the last scan that identified the asset as licensed. Tenable Vulnerability Management categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days. |
| updates[].scan.last_scan_id | string | The UUID of the scan configuration used during the last scan of the asset. |
| updates[].scan.last_schedule_id | string | The schedule_uuid for the last scan of the asset. |
| updates[].scan.last_authentication_attempt_date | string | The date when last authentication scan attempt was made. |
| updates[].scan.last_authentication_success_date | string | The date when last authentication scan attempt was successful. |
| updates[].scan.last_authentication_scan_status | string | The status of the last scan authentication (for example, SUCCESS). |
| updates[].scan.last_scan_target | string | The last scan target that was scanned. |
| updates[].timestamps | object | An object containing various timestamps related to the asset. |
| updates[].timestamps.created_at | string | The time and date when Tenable Vulnerability Management created the asset record. |
| updates[].timestamps.updated_at | string | The time and date when the asset record was last updated. |
| updates[].timestamps.deleted_at | string | The time and date when a user deleted the asset record. When a user deletes an asset record, Tenable Vulnerability Management retains the record until the asset ages out of the license count. |
| updates[].timestamps.terminated_at | string | The time and date when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset. |
| updates[].timestamps.first_seen | string | The time and date when a scan first identified the asset. |
| updates[].timestamps.last_seen | string | The time and date of the scan that most recently identified the asset. |
| updates[].custom_attributes[] | array of objects | A list of custom attributes for the asset. |
| updates[].custom_attributes[].id | string | The identifier for the custom attribute. |
| updates[].custom_attributes[].value | string | The value of the custom attribute. |
| updates[].ratings | object | A list of vulnerability ratings and score calculations. These ratings provide a comprehensive view of exposure. Currently, only the Asset Criticality Rating (ACR) and Asset Exposure Score (AES) are provided. |
| updates[].ratings.acr | object | The Tenable-defined Asset Criticality Rating (ACR) for the asset. Tenable uses an algorithm based on the asset profile to assign a metric rating the importance of an asset to your organization from 1 to 10, with higher numbers for more critical assets. |
| updates[].ratings.acr.score | number | The Asset Criticality Rating (ACR) value. |
| updates[].ratings.aes | object | The Tenable-defined Asset Exposure Score (AES) for the asset. This metric weighs an asset's Vulnerability Priority Rating (VPR) and Asset Criticality Rating (AES) and then assigns a number from 1 to 1000, with higher numbers for more exposed assets. |
| updates[].ratings.aes.score | number | The Asset Exposure Score (AES) value. |
| updates[].acr_score | string | (Tenable Lumin-only) The Asset Criticality Rating (ACR) for the asset. |
| updates[].exposure_score | string | (Tenable Lumin-only) The Asset Exposure Score (AES) for the asset. |
| deletes[] | array of objects | Contains the web app scanning asset objects deleted in the payload. |
| deletes[].id | string | The ID of the deleted web app scanning asset. |
| deletes[].deleted_at | string | An ISO timestamp indicating the date and time when the asset was deleted. |
| first_ts | string | A Unix timestamp indicating the date and time of the first entry in the payload. |
| last_ts | string | A Unix timestamp indicating the date and time of the last entry in the payload. |