Tenable Data Stream Properties

Required Tenable Vulnerability Management User Role: Administrator

The Tenable Data Stream Properties files define the structured JSON schemas used to deliver continuous, high-volume security data from Tenable Vulnerability Management directly to your AWS S3 bucket. These schemas serve as a specialized alternative to the Tenable export APIs, providing a push-based delivery model for Host Audits, Vulnerability Management (Assets and Vulnerabilities), Web App Scanning (Assets and Findings), and Tags. Additionally, the inclusion of Asset Enriched Attributes and Finding Enriched Attributes properties allows for the export of critical metadata, such as manual risk recasts, accepted findings, and host audit overrides. Together, these properties files standardize the format of technical vulnerability data and human-driven risk adjustments to ensure consistent and reliable ingestion into your cloud infrastructure.

Assets Properties

The following table defines the properties in a Tenable Data Stream assets payload file. To see an example file, go to Assets Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The version of the payload. This number increments when the payload structure changes.
type	string	The type of payload, for example, TAGS.
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[{}]	array of objects	Contains the objects updated in the payload; for example, assets or tags.
updates[].id	string	The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset.
updates[].has_agent	boolean	Specifies whether a Tenable Agent scan identified the asset.
updates[].has_plugin_results	boolean	Specifies whether the asset has plugin results associated with it.
updates[].created_at	string	An ISO timestamp indicating the date and time when the system created the asset record.
updates[].terminated_at	string	An ISO timestamp indicating the date and time when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset.
updates[].terminated_by	string	The user who terminated the AWS instance of the asset.
updates[].updated_at	string	An ISO timestamp indicating the date and time when the asset record was last updated.
updates[].deleted_at	string	An ISO timestamp indicating the date and time when a user deleted the asset record. When a user deletes an asset record, the system retains the record until the asset ages out of the license count.
updates[].deleted_by	string	The user who deleted the asset record.
updates[].first_seen	string	An ISO timestamp indicating the date and time when a scan first identified the asset.
updates[].last_seen	string	An ISO timestamp indicating the date and time of the scan that most recently identified the asset.
updates[].first_scan_time	string	An ISO timestamp indicating the date and time of the first scan run against the asset.
updates[].last_scan_time	string	An ISO timestamp indicating the date and time of the last scan run against the asset.
updates[].last_authenticated_scan_date	string	An ISO timestamp indicating the date and time of the last credentialed scan run on the asset.
updates[].last_licensed_scan_date	string	An ISO timestamp indicating the date and time of the last scan that identified the asset as licensed. The system categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days.
updates[].last_scan_id	string	The UUID of the scan configuration used during the last scan of the asset.
updates[].last_scan_target	string	The IP address of the last target scanned.
updates[].acr_score	integer	(Tenable Lumin-only) The Asset Criticality Rating (ACR) for the asset.
updates[].exposure_score	integer	(Tenable Lumin-only) The Asset Exposure Score (AES) for the asset.
updates[].last_schedule_id	string	The schedule_uuid for the last scan of the asset.
updates[].last_scan_target	string	The IP address or fully qualified domain name (FQDN) of the asset targeted in the last scan.
updates[].last_authentication_attempt_date	string	An ISO timestamp indicating the date and time when Tenable Nessus last attempted to sign in, either with SSH on Unix-based systems or SMB on Windows systems.
updates[].last_authentication_success_date	string	An ISO timestamp indicating the date and time when Tenable Nessus last successfully authenticated. Since agents do not log in, they do not update this property.
updates[].last_authentication_scan_status	string	Indicates if the last authentication attempt by Tenable Nessus was successful. Possible values are Success, Failure, and N/A. Since agents do not log in, they do not update this property.
updates[].azure_vm_id	string	The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.
updates[].azure_resource_id	string	The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager documentation.
updates[].gcp_project_id	string	The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).
updates[].gcp_instance_id	string	The customized name of the project to which the virtual machine instance belongs in GCP. For more information see Creating and Managing Projects in the GCP documentation.
updates[].aws_ec2_instance_ami_id	string	The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.
updates[].aws_ec2_instance_id	string	The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.
updates[].agent_uuid	string	This property represents the tenable_uuid. This identifier can originate from either an agent or a credentialed remote Tenable Nessus scan. If no agent is present on the asset, a UUID is assigned by Tenable Vulnerability Management during a credentialed scan when the Create unique identifier on hosts scanned with credentials option is enabled. Note that no UUID is set for an uncredentialed non-agent scans.
updates[].bios_uuid	string	The BIOS UUID of the asset.
updates[].network_id	string	The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks.
updates[].aws_owner_id	string	The canonical user identifier for the AWS account associated with the virtual machine instance. For example, 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. For more information, see AWS Account Identifiers in the AWS documentation.
updates[].aws_availability_zone	string	The availability zone where Amazon Web Services hosts the virtual machine instance, for example, `us-east-1a`. Availability zones are subdivisions of AWS regions. For more information, see Regions and Availability Zones in the AWS documentation.
updates[].aws_region	string	The region where AWS hosts the virtual machine instance, for example, `us-east-1`. For more information, see "Regions and Availability Zones" in the AWS documentation.
updates[].aws_vpc_id	string	The unique identifier for the virtual public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.
updates[].aws_ec2_instance_group_name	string	The virtual machine instance's group in AWS.
updates[].aws_ec2_instance_state_name	string	The state of the virtual machine instance in AWS at the time of the scan.
updates[].aws_ec2_instance_type	string	The type of instance in AWS EC2.
updates[].aws_subnet_id	string	The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.
updates[].aws_ec2_product_code	string	The product code associated with the AMI used to launch the virtual machine instance in AWS EC2.
updates[].aws_ec2_name	string	The name of the virtual machine instance in AWS EC2.
updates[].mcafee_epo_guid	string	The unique identifier of the asset in McAfee ePolicy Orchestrator (ePO). For more information, see the McAfee documentation.
updates[].mcafee_epo_agent_guid	string	The unique identifier of the McAfee ePO agent that identified the asset. For more information, see the McAfee documentation.
updates[].servicenow_sysid	string	The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.
updates[].bigfix_asset_id[]	string	The unique identifiers of the asset in HCL BigFix. For more information, see the HCL BigFix documentation.
updates[].agent_names[]	array of strings	The names of any Tenable Agents that scanned and identified the asset.
updates[].installed_software[]	array of strings	A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This attribute supports the CPE 2.2 format. For more information, see the "Component Syntax" section of the CPE Specification, Version 2.2. For assets identified in Tenable scans, this attribute contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the installed_software_attribute. This activity is logged as a remove type of attribute_change update in the asset activity log.
updates[].ipv4s[]	array of strings	The IPv4 addresses that scans have associated with the asset record.
updates[].ipv6s[]	array of strings	The IPv6 addresses that scans have associated with the asset record.
updates[].fqdns[]	array of strings	The fully-qualified domain names that scans have associated with the asset record.
updates[].mac_addresses[]	array of strings	The MAC addresses that scans have associated with the asset record.
updates[].netbios_names[]	array of strings	The NetBIOS names that scans have associated with the asset record.
updates[].operating_systems[]	array of strings	The operating systems that scans have associated with the asset record.
updates[].system_types[]	array of strings	The system types as reported by Plugin ID 54615. Possible values include router, general-purpose, scan-host, and embedded.
updates[].hostnames[]	array of strings	The hostnames that scans have associated with the asset record.
updates[].ssh_fingerprints[]	array of strings	The SSH key fingerprints that scans have associated with the asset record.
updates[].qualys_asset_ids[]	array of strings	The Asset ID of the asset in Qualys. For more information, see the Qualys documentation.
updates[].qualys_host_ids[]	array of strings	The Host ID of the asset in Qualys. For more information, see the Qualys documentation.
updates[].manufacturer_tpm_ids[]	array of strings	The manufacturer's unique identifiers of the Trusted Platform Module (TPM) associated with the asset.
updates[].symantec_ep_hardware_keys[]	array of strings	The hardware keys for the asset in Symantec Endpoint Protection.
updates[].sources[{}]	array of objects	The sources of the scans that identified the asset. An asset source is the entity that reported the asset details. Sources can include sensors, connectors, and API imports. If your request specifies multiple sources, Tenable Vulnerability Management returns all assets seen by any of the specified sources. The items in the sources array must correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management. Commonly used names include: AWS — The asset data was obtained from an Amazon Web Services connector. PVS — The asset data from a Tenable Network Monitor scan. NESSUS_SCAN — The asset data was obtained from a Tenable Nessus scan. WAS — The asset data was obtained from a Tenable Web App Scanning scan. NESSUS_AGENT — The asset data was obtained from a Tenable Agent scan.
updates[].sources[]. name	string	The name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports. Source names can be customized by your organization (for example, you specify a name when you import asset records). If your organization does not customize source names, the system-generated names include: AWS — The asset data was obtained from an Amazon Web Services connector. PVS — The asset data from a Tenable Network Monitor scan. NESSUS_SCAN — The asset data was obtained from a Tenable Nessus scan. WAS — The asset data was obtained from a Tenable Web App Scanning scan. NESSUS_AGENT — The asset data was obtained from a Tenable Agent scan.
updates[].sources[].first_seen	string	An ISO timestamp indicating the date and time when the source first reported the asset.
updates[].sources[].last_seen	string	An ISO timestamp indicating the date and time when the source last reported the asset.
updates[].network_interfaces[{}]	array of objects	The network interfaces that scans identified on the asset.
updates[].network_interfaces.name	string	The name of the interface.
updates[].network_interfaces[].mac_addresses	array of strings	The MAC addresses of the interface.
updates[].network_interfaces[].ipv6s	array of strings	One or more IPv6 addresses belonging to the interface.
updates[].network_interfaces[].ipv4s	array of strings	One or more IPv4 addresses belonging to the interface.
updates[].network_interfaces[].fqdns	array of strings	One or more FQDNs belonging to the interface.
updates[].network_interfaces.virtual	boolean	If a virtual name exists for the interface.
updates[].network_interfaces.aliased	boolean	If an alias exists for the interface.
updates[].open ports	array of objects	An array of open ports and their services as reported by the info-level plugins. For more information about open ports reported by info-level plugins, see Open Ports and the Assets Workbench.
updates[].open_ports[].port	integer	The open port number.
updates[].open_ports[].protocol	string	The communication protocol corresponding to the open port.
updates[].open_ports[].service_names	array of strings	The names of the services associated with the open port.
updates[].gcp_zone	string	The customized name of the project to which the virtual machine instance belongs in GCP. For more information see "Creating and Managing Projects" in the GCP documentation.
updates[].network_name	string	The ID of the network object associated with scanners that identified the asset. The default network name is Default. All other network names are user-defined.
updates[].open_ports[].first_seen	string	An ISO timestamp indicating the date and time when the source first detected the open port on the asset.
updates[].open_ports[].last_seen	string	An ISO timestamp indicating the date and time when the source last detected the open port on the asset.
updates[].custom_attributes	array of objects	Custom attributes for the asset.
updates[].custom_attributes[].id	string	The custom ID for the asset.
updates[].custom_attributes[].value	string	The custom value for the asset.
updates[].tags	array of objects	Object containing the tags for the asset. Note: The tags object is always empty and appears to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
updates[].tags[].uuid	string	The UUID of the tag.
updates[].tags[].key	string	The tag category.
updates[].tags[].value	string	The tag value.
updates[].tags[].added_by	string	The UUID of the user who assigned the tag to the asset.
updates[].tags[].added	string	An ISO timestamp indicating the date and time when the tag was assigned to the asset.
deletes[]	array of objects	Contains any assets deleted in the payload, along with their _id and a timestamp.
deletes[].id	string	The UUID of the deleted asset in Tenable Vulnerability Management.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time of the data deletion.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.

Asset Enriched Attributes Properties

The following table defines the properties in a Tenable Data Stream asset_enriched_attributes payload file. To see an example, go to Asset Enriched Attributes Payload Files .

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload, for example, ASSET_ENRICHED_ATTRIBUTES.
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[{}]	array of objects	Contains the objects updated in the payload.
updates[].asset_id	string	The UUID of the asset for which the system updated an asset. Use this value as the unique key for the asset.
updates[{}].ratings	object	Contains information about asset scores.
updates[].ratings.aes.score	number	The Asset Exposure Score (AES) for the asset.
updates[].ratings.acr.score	number	The Asset Criticality Rating (ACR) for the asset.
updates[].product	string	The product the asset applies to, for example, VM for Tenable Vulnerability Management or WAS for Tenable Web App Scanning
deletes[]	array	Contains asset attributes deleted in the payload.
deletes[].id	string	Indicates the ID for the deleted asset attribute.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the asset attribute was deleted.
first_ts	integer	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	integer	A Unix timestamp indicating the date and time of the last entry in the payload.

Findings Properties

The following table defines the properties in a Tenable Data Stream findings payload file. To see an example file, go to Findings Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of data in the payload; for example, FINDING.
count_updated	integer	The number of updated findings in the payload.
count_deleted	integer	The number of deleted findings in the payload.
updates[{}]	array of objects	Contains the tags updated in the payload.
updates[].finding_id	string	The unique identifier for the finding.
updates[].asset.agent_uuid	string	The UUID of the agent that performed the scan where the vulnerability was found.
updates[].asset.bios_uuid	string	The BIOS UUID of the asset where the vulnerability was found.
updates[].asset.device_type	string	The type of asset where the vulnerability was found.
updates[].asset.fqdn	string	The fully-qualified domain name of the asset where a scan found the vulnerability.
updates[].asset.hostname	string	The host name of the asset where a scan found the vulnerability.
updates[].asset.uuid	string	The UUID of the asset where a scan found the vulnerability.
updates[].asset.ipv4	string	The IPv4 address of the asset where a scan found the vulnerability.
updates[].asset.ipv6	string	The IPv6 address of the asset where a scan found the vulnerability.
updates[].asset.last_authenticated_results	string	An ISO timestamp indicating the date and time when credentials were last successfully used to scan the asset.
updates[].asset.last_unauthenticated_results	string	An ISO timestamp indicating the date and time when the asset was scanned without using credentials.
updates[].scan_target	string	The IP address or fully qualified domain name (FQDN) of the asset targeted in the last scan.
updates[].asset.mac_address	string	The MAC address of the asset where a scan found the vulnerability.
updates[].asset.netbios_name	string	The NETBIOS name of the asset where a scan found the vulnerability.
updates[].asset.netbios_workgroup[]	string array	The NETBIOS workgroup of the asset where a scan found the vulnerability.
updates[].asset.operating_system[]	array of strings	The operating system of the asset where a scan found the vulnerability.
updates[].asset.network_id	string	The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Networks.
updates[].asset.tracked	boolean	A value specifying whether Tenable Vulnerability Management tracks the asset in the asset management system. Tenable Vulnerability Management still assigns untracked assets identifiers in scan results, but these identifiers change with each new scan of the asset. This parameter is relevant to PCI-type scans and in certain cases where there is not enough information in a scan to identify the asset. Untracked assets appear in the scan history, but do not appear in workbenches or reports.
updates[].output	string	The text output of the Nessus scanner.
updates[].plugin	object	Information about the plugin that detected the vulnerability.
updates[].plugin.epss_score	number	The Exploit Prediction Scoring System (EPSS) score of the finding.
updates[].plugin.bid[]	array of integers	The Bugtraq ID for the plugin.
updates[].plugin.canvas_package	string	The name of the CANVAS exploit pack that includes the vulnerability.
updates[].plugin.checks_for_default_account	boolean	A value specifying whether the plugin checks for default accounts.
updates[].plugin.checks_for_malware	boolean	A value specifying whether the plugin checks for malware.
updates[].plugin.cpe[]	array of strings	The Common Platform Enumeration (CPE) numbers for the plugin.
updates[].plugin.cve[]	array of strings	The Common Vulnerability and Exposure (CVE) IDs for the plugin.
updates[].plugin.cvss4_base_score	number	The CVSS v4.0 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss4_vector	object	Additional CVSS v4.0 metrics for the vulnerability.
updates[].plugin.cvss4_vector.attack_vector	string	The context where vulnerability exploitation is possible, such as Network or Local.
updates[].plugin.cvss4_vector.attack_complexity	string	The conditions beyond the attacker's control that must exist to exploit the vulnerability.
updates[].plugin.cvss4_vector.attack_requirements	string	The resources, access, or specialized conditions required for an attacker to exploit the vulnerability.
updates[].plugin.cvss4_vector.privileges_required	string	The permission level attackers require to exploit the vulnerability. Options are High, Low, or None. For example, None means attackers need no permissions in your environment and can exploit the vulnerability while unauthorized.
updates[].plugin.cvss4_vector.user_interaction	string	The level of user involvement required for an attacker to exploit the vulnerability.
updates[].plugin.cvss4_vector.vulnerable_system_availability	string	The impact on the availability of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.vulnerable_system_confidentiality	string	The impact on the confidentiality of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.vulnerable_system_integrity	string	The impact on the integrity of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.subsequent_system_availability	string	The impact on the availability of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.subsequent_system_confidentiality	string	The impact on the confidentiality of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.subsequent_system_integrity	string	The impact on the integrity of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.raw	string	The complete cvss4_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss4_threat_vector	object	An object representing the CVSS v4.0 Threat metrics for the vulnerability. These metrics provide context on current, observed threat activity in the wild, such as evidence of exploitation or the presence of available exploit code. Threat metrics can help refine the severity and prioritization of vulnerabilities beyond their intrinsic characteristics. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.exploit_maturity	string	The CVSS v4.0 Exploit Maturity (E) metric, indicating the current development status of exploit techniques or code for the vulnerability. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.raw	string	The complete cvss4_threat_vector metrics and their result values for the vulnerability, expressed as a concise, coded string. This threat vector is typically appended to the CVSSv4 Base vector. For example, CVSS:4.0/E:U. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.threat_score	string	The CVSS v4.0 threat score (CVSS-T), which adjusts the base score by incorporating real-world threat intelligence, such as the presence of active exploitation, exploit code availability, or observed malware activity. This score reflects the current threat landscape for the vulnerability. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss3_base_score	float	The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
updates[].plugin.cvss3_temporal_score	float	The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments).
updates[].plugin.cvss3_temporal_vector	object	CVSSv3 temporal metrics for the vulnerability.
updates[].plugin.cvss3_temporal_vector.exploitability	string	The CVSSv3 Exploit Maturity Code (E) for the vulnerability the plugin covers. Possible values include: Unproven — Corresponds to the Unproven (U) value for the E metric Proof-of-concept — Corresponds to the Proof-of-Concept (POC) value for the E metric Functional — Corresponds to the Functional (F) value for the E metric High — Corresponds to the High (H) value for the E metric Not-defined — Corresponds to the Not Defined (ND) value for the E metric
updates[].plugin.cvss3_temporal_vector.remediation_level	string	The CVSSv3 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. Possible values include: O — Official Fix T — Temporary Fix W — Workaround U — Unavailable X — Not Defined
updates[].plugin.cvss3_temporal_vector.report_confidence	string	The CVSSv3 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. Possible values include: U — Unknown R — Reasonable C — Confirmed X — Not Defined
updates[].plugin.cvss3_temporal_vector.raw	string	The complete cvss3_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss3_vector	object	Additional CVSSv3 metrics for the vulnerability.
updates[].plugin.cvss3_vector.access_complexity	string	The CVSSv3 Access Complexity (AC) metric for the vulnerability the plugin covers. Possible values are: H — High M — Medium L — Low
updates[].plugin.cvss3_vector.access_vector	string	The CVSSv2 Attack Vector (AV) metric for the vulnerability the plugin covers. Possible values are: Network — Corresponds to the Network (N) value for the AV metric. Adjacent Network — Corresponds to the Adjacent Network (A) value for the AV metric. Local — Corresponds to the Local (L) value for the AV metric
updates[].plugin.cvss3_vector.privileges_required	string	Level of privilege required to exploit this vulnerability. Possible values are L for low, H for high, and None for no access privileges required.
updates[].plugin.cvss3_vector.user_interaction	string	The user interaction required for exploitability.
updates[].plugin.cvss3_vector.scope	string	If the vulnerability can affect other assets or only the asset it was found on. Possible values are U for unchanged and C for changed (meaning that the vulnerability can affect other assets).
updates[].plugin.cvss3_vector.availability_impact	string	The CVSSv2 availability impact metric for the vulnerability the plugin covers. Possible values include: H — High L — Low N — None
updates[].plugin.cvss3_vector.confidentiality_impact	string	The CVSSv3 confidentiality impact metric of the vulnerability the plugin covers to the vulnerable component. Possible values include: H — High L — Low N — None
updates[].plugin.cvss3_vector.integrity_impact	string	The CVSSv3 integrity impact metric for the vulnerability the plugin covers. Possible values include: H — High L — Low N — None
updates[].plugin.cvss3_vector.raw	string	The complete cvss3_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss_base_score	float	The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).
updates[].plugin.cvss_temporal_score	float	The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments).
updates[].plugin.cvss_temporal_vector	object	CVSSv2 temporal metrics for the vulnerability.
updates[].plugin.cvss_temporal_vector.exploitability	string	The CVSSv2 Exploitability (E) temporal metric for the vulnerability the plugin covers. Possible values include: U—Unproven POC — Proof-of-Concept F — Functional H — High ND — Not Defined
updates[].plugin.cvss_temporal_vector.remediation_level	string	The CVSSv2 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. Possible values include: OF — Official Fix TF — Temporary Fix W — Workaround U — Unavailable ND — Not Defined
updates[].plugin.cvss_temporal_vector.report_confidence	string	The CVSSv2 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. Possible values include: UC — Unconfirmed UR — Uncorroborated C — Confirmed ND — Not Defined
updates[].plugin.cvss_temporal_vector.raw	string	The complete cvss_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss_vector.access_complexity	string	The CVSSv2 Access Complexity (AC) metric for the vulnerability the plugin covers. Possible values include: H — High M — Medium L — Low
updates[].plugin.cvss_vector.access_vector	string	The CVSSv2 Access Vector (AV) metric for the vulnerability the plugin covers. Possible values include: L — Local A — Adjacent Network N — Network
updates[].plugin.cvss_vector.authentication	string	The CVSSv2 Authentication (Au) metric for the vulnerability the plugin covers. Possible values include: N — None S — Single M — Multiple
updates[].plugin.cvss_vector.availability_impact	string	The CVSSv2 availability impact metric for the vulnerability the plugin covers. Possible values include: N — None P — Partial C — Complete
updates[].plugin.cvss_vector.confidentiality_impact	string	The CVSSv2 confidentiality impact metric for the vulnerability the plugin covers. Possible values include: N — None P — Partial C — Complete
updates[].plugin.cvss_vector.integrity_impact	string	The CVSSv2 integrity impact metric for the vulnerability the plugin covers. Possible values include: N — None P — Partial C — Complete
updates[].plugin.cvss_vector.raw	string	The complete cvss_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.d2_elliot_name	string	The name of the exploit in the D2 Elliot Web Exploitation framework.
updates[].plugin.description	string	Full text description of the vulnerability.
updates[].plugin.exploit_available	boolean	A value specifying whether a public exploit exists for the vulnerability.
updates[].plugin.exploit_framework_canvas	boolean	A value specifying whether an exploit exists in the Immunity CANVAS framework.
updates[].plugin.exploit_framework_core	boolean	A value specifying whether an exploit exists in the CORE Impact framework.
updates[].plugin.exploit_framework_d2_elliot	boolean	A value specifying whether an exploit exists in the D2 Elliot Web Exploitation framework.
updates[].plugin.exploit_framework_exploithub	boolean	A value specifying whether an exploit exists in the ExploitHub framework.
updates[].plugin.exploit_framework_metasploit	boolean	A value specifying whether an exploit exists in the Metasploit framework.
updates[].plugin.exploitability_ease	string	Description of how easy it is to exploit the issue.
updates[].plugin.exploited_by_malware	boolean	The vulnerability discovered by this plugin is known to be exploited by malware.
updates[].plugin.exploited_by_nessus	boolean	A value specifying whether Nessus exploited the vulnerability during the process of identification.
updates[].plugin.exploithub_sku	string	The SKU number of the exploit in the ExploitHub framework.
updates[].plugin.family	string	The family to which plugin belongs.
updates[].plugin.family_id	integer	The ID of the plugin family.
updates[].plugin.has_patch	boolean	A value specifying whether the vendor has published a patch for the vulnerability.
updates[].plugin.id	integer	The ID of the plugin that identified the vulnerability.
updates[].plugin.in_the_news	boolean	A value specifying whether this plugin has received media attention (for example, ShellShock, Meltdown).
updates[].plugin.metasploit_name	string	The name of the related exploit in the Metasploit framework.
updates[].plugin.ms_bulletin	array of strings	The Microsoft security bulletin that the plugin covers.
updates[].plugin.name	string	The name of the plugin that identified the vulnerability.
updates[].plugin.patch_publication_date	string	An ISO timestamp indicating the date and time when the vendor published a patch for the vulnerability.
updates[].plugin.modification_date	string	An ISO timestamp indicating the date and time when the plugin was last modified.
updates[].plugin.publication_date	string	An ISO timestamp indicating the date and time when the plugin was published.
updates[].plugin.risk_factor	string	The risk factor associated with the plugin. Possible values are: Low, Medium, High, or Critical. See the risk_factor attribute in Tenable Plugin Attributes.
updates[].plugin.see_also[]	array of strings	Links to external websites that contain helpful information about the vulnerability.
updates[].plugin.solution	string	Remediation information for the vulnerability.
updates[].plugin.stig_severity	string	Security Technical Implementation Guide (STIG) severity code for the vulnerability.
updates[].plugin.synopsis	string	Brief description of the plugin or vulnerability.
updates[].plugin.type	string	The general type of plugin check (for example, local or remote).
updates[].plugin.unsupported_by_vendor	boolean	Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3).
updates[].plugin.usn	string	Ubuntu security notice that the plugin covers.
updates[].plugin.version	string	The version of the plugin used to perform the check.
updates[].plugin.vuln_publication_date	string	An ISO timestamp indicating the date and time when the plugin was published.
updates[].plugin.xrefs[]	array of objects	References to third-party information about the vulnerability, exploit, or update associated with the plugin. Each reference includes a type and an ID. For example, 'FEDORA' and '2003-047'. This object can include type and id fields.
updates[].plugin.xrefs[].type	string	The type of reference.
updates[].plugin.xrefs[].id	string	The ID for the reference.
updates[].plugin.vpr_v2	object	An object containing information about the Vulnerability Priority Rating (VPRv2) for the vulnerability.
updates[].plugin.vpr_v2.score	number	The Vulnerability Priority Rating (VPRv2) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR score represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Tenable Metrics in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr_v2.vpr_percentile	string	Filter on the VPR v2 score percentile ranking of the CVE, indicating its position relative to other vulnerabilities.
updates[].plugin.vpr_v2.vpr_severity	string	Filter on the VPR v2 severity categorization of the CVE. Options are Critical, High, Medium, Low, Info.
updates[].plugin.vpr_v2.exploit_probability	number	Filter on the probability of exploitation produced by the VPR v2 threat model for the CVE.
updates[].plugin.vpr_v2.cve_id	string	Filter on a specific CVE ID for the CVE that is a primary contributor to the calculated VPRv2 score for a vulnerability.
updates[].plugin.vpr_v2.exploit_code_maturity	string	Filter on current availability and maturity of exploit code. Options are High, Functional, POC, and Unproven.
updates[].plugin.vpr_v2.on_cisa_kev	boolean	Filter on whether the CVE is listed on the CISA Known Exploited Vulnerabilities list. Options are Yes, No.
updates[].plugin.vpr_v2.exploit_chain[]	array of strings	Allows filtering on CVEs that are part of an exploit chain.
updates[].plugin.vpr_v2.in_the_news_intensity_last30	string	Allows filtering on the volume of news reporting on the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.
updates[].plugin.vpr_v2.in_the_news_recency	string	Allows filtering on the recency of news sources reporting on the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.
updates[].plugin.vpr_v2.in_the_news_sources_last30[]	array of strings	Filter on categories of news sources that have referenced the CVE within the last 30 days. Select from one or more of Academic and Research Institutions, Blogs and Individual Researchers, Code Repositories, Cybersecurity News Media, Cybersecurity Vendors, Forums and Community Platforms, Government and Regulatory, Mainstream News and Media, Security Research, Technology Companies, Tools and Resources, Other.
updates[].plugin.vpr_v2.malware_observations_intensity_last30	string	Filter on the volume of observed malware exploiting the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.
updates[].plugin.vpr_v2.malware_observations_recency	string	Filter on the recency of observed malware exploiting the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.
updates[].plugin.vpr_v2.threat_summary[]	object	The object container for information about the threat posed by the vulnerability, including relevant details that contribute to its Vulnerability Priority Rating (VPR) v2 score.
updates[].plugin.vpr_v2.threat_summary[].summary	string	Information about the threat posed by the vulnerability, including relevant details that contribute to its Vulnerability Priority Rating (VPR) v2 score.
updates[].plugin.vpr_v2.threat_summary[].lastUpdated	string	Most recent update to threat summary information.
updates[].plugin.vpr_v2.remediation[]	object	The object container for information and recommended actions for mitigating or resolving the vulnerability. This may include patches, configuration changes, or other remediation guidance.
updates[].plugin.vpr_v2.remediation[].summary	string	Information and recommended actions for mitigating or resolving the vulnerability. This may include patches, configuration changes, or other remediation guidance.
updates[].plugin.vpr_v2.remediation[].last_updated	string	Most recent update to remediation summary information.
updates[].plugin.vpr_v2.targeted_industries[]	array of strings	Allows filtering on specific industries where attacks leveraging the CVE have been observed. Sample options include Banking, Technology, Government.
updates[].plugin.vpr_v2.targeted_regions[]	array of strings	Allows filtering on specific geographic regions where attacks leveraging the CVE have been observed.
updates.plugin.vpr	object	Information about the Vulnerability Priority Rating (VPR) for the vulnerability.
updates[].plugin.vpr.score	float	The Vulnerability Priority Rating (VPR) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr.drivers	object	The key drivers Tenable uses to calculate a vulnerability's VPR. For more information, see Vulnerability Priority Rating Drivers.
updates[].plugin.vpr.drivers.age_of_vuln	object	A range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability. Ranges include 0-7 days, 7-30 days, 30-60 days, 60-180 days, 180-365 days, 365-730 days, and more than 730 days (+731)
updates[].plugin.vpr.drivers.age_of_vuln.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 730 days), this value is 731.
updates[].plugin.vpr.drivers.age_of_vuln.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.exploit_code_maturity	string	The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
updates[].plugin.vpr.drivers.cvss_impact_score_predicted	boolean	A value specifying whether Tenable predicted the CVSSv3 impact score for the vulnerability because NVD did not provide one (true) or used the NVD-provided CVSSv3 impact score (false) when calculating the VPR.
updates[].plugin.vpr.drivers.cvss3_impact_score	float	The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Vulnerability Management displays a Tenable-predicted score.
updates[].plugin.vpr.drivers.threat_intensity_last28	string	The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
updates[].plugin.vpr.drivers.threat_recency	object	A range representing the number of days since a threat event occurred for the vulnerability. Ranges include 0-7 days, 7-30 days, 30-120 days, 120-365 days, and more than 365 days (+365).
updates[].plugin.vpr.drivers.threat_recency.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 365 days), this value is 366.
updates[].plugin.vpr.drivers.threat_recency.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.threat_sources_last28[]	array of strings	A list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred.
updates[].plugin.vpr.drivers.product_coverage	string	The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
updates[].plugin.vpr.updated	string	An ISO timestamp indicating the date and time whenthe system last imported the VPR for this vulnerability. The system imports a VPR value the first time you scan a vulnerability on your network. Then, it automatically re-imports new and updated VPR values daily.
updates[].workaround	string	Describes the workaround for remediating the vulnerability.
updates[].workaround_type	string	The workaround action required to remediate the vulnerability. Possible workaround types include: Configuration Change — You must alter the configuration of software on the asset. Disable Service — You must disable a service on the asset.
updates[].workaround_published	string	An ISO timestamp indicating the date and time when the workaround was published.
updates[].has_workaround	boolean	Indicates if a workaround exists for the vulnerability.
updates[].port	object	Information about the port the scanner used to connect to the asset.
updates[].port.port	integer	The port the scanner used to communicate with the asset.
updates[].port.protocol	string	The protocol the scanner used to communicate with the asset.
updates[].port.service	string	The service the scanner used to communicate with the asset.
updates[].recast_reason	string	The text that appears in the Comment field of the recast rule in the Tenable Vulnerability Management user interface.
updates[].recast_rule_uuid	string	The UUID of the recast rule that applies to the plugin.
updates[].scan	object	Information about the latest scan that detected the vulnerability.
updates[].scan.schedule_uuid	string	The schedule UUID for the scan that found the vulnerability.
updates[].scan.started_at	string	An ISO timestamp indicating the date and time when the scan started.
updates[].scan.uuid	string	The UUID of the scan that found the vulnerability.
updates[].severity	string	The severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info (CVSS score of 0), low (CVSS score between 0.1 and 3.9), medium (CVSS score between 4.0 and 6.9), high (CVSS score between 7.0 and 9.9), and critical (CVSS score of 10.0).
updates[].severity_id	integer	The code for the severity assigned when a user recast the risk associated with the vulnerability. Possible values include: 0 — The vulnerability has a CVSS score of 0, which corresponds to the "info" severity level. 1 — The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the "low" severity level. 2 — The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the "medium" severity level. 3 — The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the "high" severity level. 4 — The vulnerability has a CVSS score of 10.0, which corresponds to the "critical" severity level.
updates[].severity_default_id	integer	The code for the severity originally assigned to a vulnerability before a user recast the risk associated with the vulnerability. Possible values are the same as for the severity_id attribute.
updates[].severity_modification_type	string	The type of modification a user made to the vulnerability's severity. Possible values include: none — No modification has been made. recasted — A user in the Vulnerability Management user interface has recast the risk associated with the vulnerability accepted — A user in the vulnerability Management user interface has accepted the risk associated with the vulnerability.
updates[].first_found	string	An ISO timestamp indicating the date and time when a scan first detected the vulnerability on the asset.
updates[].last_fixed	string	An ISO timestamp indicating the date and time when a scan no longer detects the previously detected vulnerability on the asset.
updates[].last_found	string	An ISO timestamp indicating the date and time when a scan last detected the vulnerability on the asset.
updates[].indexed	string	An ISO timestamp indicating the date and time when the system added the finding to the Tenable Vulnerability Management database.
updates[].state	string	The state of the vulnerability as determined by the Tenable Vulnerability Management state service. Possible values include: OPEN — The vulnerability is currently present on an asset. REOPENED — The vulnerability was previously marked as fixed on an asset, but has been detected again by a new scan. FIXED — The vulnerability was present on an asset, but is no longer detected.
updates[].source	string	The source of the scans that identified the vulnerability. Sources can include sensors, connectors, and API imports. The values in the source field correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management. Commonly used source names include: AGENT — The vulnerability data was obtained from a Tenable Agent scan. NNM — The vulnerability data was obtained from a Tenable Network Monitor scan. NESSUS — The vulnerability data was obtained from a Tenable Nessus scan.
updates[].resurfaced_date	string	An ISO timestamp indicating the date and time the vulnerability resurfaced. Only the most recent date appears if a vulnerability has resurfaced multiple times.
updates[].time_taken_to_fix	long	The length of time (in seconds) it took for your organization to fix the vulnerability. This property only appears for fixed vulnerabilities.
deletes[{}]	array of objects	Contains any findings deleted in the payload, along with their _id and a timestamp.
deletes[]._id	string	The UUID of the deleted finding in Tenable Vulnerability Management.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the data in the payload was deleted.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.

Finding Enriched Attributes Properties

The following table defines the properties in a Tenable Data Stream finding_enriched_attributes payload file. To see an example, go to Finding Enriched Attributes Payload Files.

Property	Data Type	Description
payload_id	string	The unique ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload, for example, FINDING_ENRICHED_ATTRIBUTES.
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[{}]	array of objects	Contains the objects updated in the payload.
updates[{}].recast_properties	object	Object containing recast or risk acceptance details.
updates[{}].recast_properties.finding_id	string	The UUID of the finding that was modified by a recast rule.
updates[{}].recast_properties.source	string	The source system of the recast action, for example, recast-platform.
updates[{}].recast_properties.recast_annotation	object	Annotation details for the recast action.
updates[{}].recast_properties.recast_annotation.rule_id	string	The UUID of the rule that was applied.
updates[{}].recast_properties.recast_annotation.created_at	string	An ISO timestamp indicating the date and time when the rule was created.
updates[{}].recast_properties.recast_annotation.updated_at	string	An ISO timestamp indicating the date and time when the rule was last updated.
updates[{}].recast_properties.recast_annotation.modification	string	Type of modification. The possible values are: RECASTED - A vulnerability or web application finding was changed. ACCEPTED - The finding associated with a vulnerability or web application audit was accepted. RESULT_CHANGED - The result of a host audit was changed. RESULT_ACCEPTED - The result of a host audit was accepted.
updates[{}].recast_properties.recast_annotation.rule_comment	string	User-provided comment explaining the rule.
updates[{}].recast_properties.recast_annotation.modification_target	string	Identifies the specific finding metric that the recast rule is overwriting. For example, if a user changes a finding from 'High' to 'Low', the modification target is 'Severity'. The metric being modified. The possible values are are: RISK - For vulnerabilities or web applications. RESULT - For host audit.
updates[{}].recast_properties.recast_annotation.recasted_severity	string	The new severity level assigned. Severity values are NONE, LOW, MEDIUM, HIGH, or CRITICAL.
updates[{}].recast_properties.recast_annotation.changed_result	string	The resulting state of the Host Audit finding. The possible values are PASSED, FAILED, or WARNING.
deletes[]	array	Contains findings attributes deleted in the payload.
deletes[].id	string	Indicates the ID for the deleted finding attribute.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the finding attribute was deleted.
first_ts	integer	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	integer	A Unix timestamp indicating the date and time of the last entry in the payload.

Host Audit Properties

The following table defines the properties in a Tenable Data Stream host audit payload file. To see an example file, go to Host Audit Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload (HOST_AUDIT_FINDING).
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[]	array of objects	Contains the host audit objects updated in the payload.
updates[].finding_id	string	The ID of the finding.
updates[].asset_uuid	string	The UUID of the asset on which the compliance check was executed.
updates[].first_seen	string	The ISO date when a compliance scan first assessed the asset with the compliance check.
updates[].last_seen	string	The ISO date when a compliance scan last assessed the asset with the compliance check.
updates[].audit_file	string	The name of the audit file containing the compliance check.
updates[].check_id	string	The unique identifier for the compliance finding. This identifier is generated based on the compliance_full_id,compliance_functional_id, and compliance_informational_id. The check_id is regenerated if any of the identifiers it's based on changes.
updates[].check_name	string	The descriptive name of the compliance check.
updates[].check_info	string	A full text description of the compliance check.
updates[].expected_value	string	The desired value (integer or string) for the compliance check. For example, if a password length compliance check requires passwords to be 8 characters long then 8 is the expected value. For manual checks, this field will contain the command used for the compliance check.
updates[].actual_value	string	The actual value (integer, string, or table) evaluated from the compliance check. For example, if a password length compliance check requires passwords to be 8 characters long, but the evaluated value was 7 then 7 is the actual value. For manual checks, this field will contain the output of the command that was executed.
updates[].status	string	The result status of the audit check: PASSED — Returned if the asset has passed the compliance check FAILED — Returned if the asset has failed the compliance check. WARNING — Returned when there is no definable passing criteria (for example, an audit verifying that members of the administrator group are appropriate for your organization). SKIPPED — Returned if the plugin determined that the check is not applicable to the asset. It can also be returned in other various cases (for example, if a check requires that a direct command be run to gather data on an offline network device or if a check contains commands that will not run on the specified operating system). UNKNOWN — Returned when a status cannot be determined for the OVAL check. The OVAL engine sets this status.
updates[].reference[]	array of objects	Industry references for the compliance check.
updates[].reference[].framework	string	The name of the compliance framework.
updates[].reference[].control	string	The specific control within the compliance framework.
updates[].see_also	string	Links to external websites that contain reference information about the compliance check.
updates[].solution	string	Remediation information for the compliance check.
updates[].check_error	string	An error message if the compliance evaluation fails.
updates[].profile_name	string	The name of the profile for the benchmark standard.
updates[].db_type	string	The type of database if the compliance check assessed a database.
updates[].plugin_id	integer	The unique ID of the compliance plugin.
updates[].state	string	The state as determined by the Tenable Vulnerability Management state service. This field is NULL for findings last seen before December 2021. Possible values include: OPEN — The compliance finding is currently present on an asset. REOPENED — The compliance finding was previously marked as fixed on an asset but has been detected again by a new scan. FIXED — The compliance finding was present on an asset but is no longer detected. ACTIVE — The compliance finding is currently active on an asset. Note that the API uses different terms for states than the user interface. The new and active states in the user interface map to the OPEN state in the API. The resurfaced state in the user interface maps to the REOPENED state in the API. The fixed state is the same.
updates[].description	string	A detailed description of the finding.
updates[].audit_description	string	A detailed description of the compliance check.
updates[].compliance_benchmark_name	string	The name of the compliance benchmark (for example, CIS SQL Server 2019).
updates[].compliance_benchmark_version	string	The version of the compliance benchmark (for example, 1.2.0).
updates[].compliance_control_id	string	A unique identifier for the aggregation of multiple results to single recommendations in CIS and DISA audits. This identifier is a computed and hashed value for CIS and DISA content that enables customers to match checks that evaluate the same recommendation within a benchmark.
updates[].compliance_full_id	string	A unique identifier that identifies a full compliance result in the context of an audit. The identifier is a hash of fields within the compliance check (excluding external references). The identifier changes if any of the fields within the compliance check change.
updates[].compliance_functional_id	string	A unique identifier for aggregating or comparing compliance results that were tested the same way. The identifier is a hash of the code within the audit that actually performs the check. The identifier changes if functional evaluation of the audit changes.
updates[].compliance_informational_id	string	A unique identifier for aggregating or comparing compliance results that have the same informational data. For example, the same solution text. The identifier is a hash of the info and solution fields within the compliance check. The identifier changes if either of these fields are updated.
updates[].synopsis	string	A short summary of the compliance audit.
updates[].last_fixed	string	The ISO date when the compliance failure was last fixed on the asset.
updates[].last_observed	string	The ISO date when the compliance issue was last observed (whether active or fixed) on the asset.
updates[].metadata_id	string	A unique identifier used in the Tenable Vulnerability Management pipeline results ingestion.
updates[].uname_output	string	The output of the uname command on the asset. It typically contains the operating system type and version.
updates[].indexed_at	string	The ISO date when the audit for the asset was indexed into Tenable Vulnerability Management.
updates[].plugin_name	string	The name of the compliance check.
updates[].asset	object	An object containing detailed information about the affected asset.
updates[].asset.id	string	The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset.
updates[].asset.ipv4_addresses[]	array of strings	A list of IPv4 addresses that are associated with the asset.
updates[].asset.ipv6_addresses[]	array of strings	A list of IPv6 addresses that are associated with the asset.
updates[].asset.fqdns[]	array of strings	A list of fully-qualified domain names (FQDNs) that are associated with the asset.
updates[].asset.name	string	The name of the asset.
updates[].asset.agent_name	string	The name of the Tenable Agent that scanned and identified the asset.
updates[].asset.agent_uuid	string	This property represents the tenable_uuid. This identifier can originate from either an agent or a credentialed remote Tenable Nessus scan. If no agent is present on the asset, a UUID is assigned by Tenable Vulnerability Management during a credentialed scan when the Create unique identifier on hosts scanned with credentials option is enabled. Note that no UUID is set for an uncredentialed non-agent scans.
updates[].asset.tags[]	array of objects	The tags assigned to the asset in Tenable Vulnerability Management. Note: The tags object is always empty and appears to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
updates[].asset.tags[].category	string	The tag category identifier.
updates[].asset.tags[].value	string	The tag value identifier.
updates[].asset.mac_addresses[]	array of strings	A list of MAC addresses that are associated with the asset.
updates[].asset.operating_systems[]	array of strings	The operating systems that scans have associated with the asset record.
updates[].asset.system_type	string	The system type as reported by Plugin ID 54615. Possible values include: router general-purpose scan-host embedded
updates[].asset.network_id	string	The ID of the network to which the asset belongs. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks.
updates[].scan	object	Information about the scan that detected the finding.
updates[].scan.completed_at	string	An ISO timestamp indicating the date and time when the scan was completed.
updates[].scan.schedule_uuid	string	The unique identifier for the scan schedule.
updates[].scan.started_at	string	An ISO timestamp indicating the date and time when the scan started.
updates[].scan.uuid	string	The UUID of the scan.
updates[].scan.target	string	The target IP or hostname of the scan.
deletes[]	array of objects	Contains the host audit objects deleted in the payload.
deletes[].id	string	The ID of the deleted host audit.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the host audit was deleted.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.

Tags Properties

The following table defines the properties in a Tenable Data Stream tags payload file. To see an example, go to Tags Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload, for example, TAGS.
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[{}]	array of objects	Contains the objects updated in the payload.
updates[].target.asset_uuid	string	The UUID of the asset for which the system updated tags. Use this value as the unique key for the asset.
updates[{}].tags	array of objects	Contains information about the asset tags updated in the payload.
updates[].tags[].type	string	The type of tag: STATIC or DYNAMIC.
updates[].tags[].category_uuid	string	The UUID of the tag category.
updates[].tags[].value_uuid	string	The UUID of the tag value.
updates[].tags[].category_name	string	The tag category (the first half of the category:value pair).
updates[].tags[].tag_name	string	The tag value (the second half of the category:value pair).
updates[].tags[].created_by	string	The UUID of the user who assigned the tag to the asset.
updates[].tags[].created_at	integer	A Unix timestamp indicating the date and time when the tag was created.
updates[].tags[].updated_by	string	The UUID of the user who last updated the tag.
updates[].tags[].updated_at	integer	A Unix timestamp indicating the date and time when the tag was updated.
updates[].tags[].description	string	The tag description.
updates[].tags[].category_description	string	The tag category description.
updates[].tags[].product	string	The product the tag applies to, for example, IO for Tenable Vulnerability Management.
deletes[{}]	array of objects	Contains tags deleted in the payload.
deletes[].id	string	Indicates the ID for the deleted tag.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the tag was deleted.
first_ts	integer	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	integer	A Unix timestamp indicating the date and time of the last entry in the payload.

Web App Scanning Asset Properties

The following table defines the properties in a Tenable Data Stream web app scanning assets payload file. To see an example file, go to Web App Scanning Asset Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload (WAS_ASSET).
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[]	array of objects	A list of updated web app scanning asset objects.
updates[].id	string	The UUID of the asset in Tenable Vulnerability Management. Use this value as the unique key for the asset.
updates[].has_agent	boolean	Specifies whether a Tenable Agent scan identified the asset.
updates[].has_plugin_results	boolean	Specifies whether the asset has plugin results associated with it.
updates[].is_licensed	boolean	Indicates whether the asset is licensed by Tenable.
updates[].types[]	array of strings	A list of asset types that apply to the asset (for example, webapp).
updates[].terminated_by	string	The user who terminated the AWS instance of the asset.
updates[].deleted_by	string	The user who deleted the asset record.
updates[].agentNames[]	array of strings	The names of any Tenable Agents that scanned and identified the asset.
updates[].operating_systems[]	array of strings	The operating systems that scans have associated with the asset record.
updates[].system_types[]	array of strings	The system types as reported by Plugin ID 54615. Possible values include router, general-purpose, scan-host, and embedded.
updates[].manufacturer_tpm_ids[]	array of strings	The manufacturer's unique identifiers of the Trusted Platform Module (TPM) associated with the asset.
updates[].installed_software[]	array of strings	A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This attribute supports the CPE 2.2 format. For more information, see the "Component Syntax" section of the CPE Specification, Version 2.2. For assets identified in Tenable scans, this attribute contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset. Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the installed_software_attribute. This activity is logged as a remove type of attribute_change update in the asset activity log.
updates[].is_public	boolean	Specifies whether if the asset is an internet-facing and accessible externally.
updates[].sources[]	array of objects	Objects that describe the scan sources that identified the asset. An asset source is the entity that reported the asset details. Sources can include sensors, connectors, and API imports. If your request specifies multiple sources, Tenable Vulnerability Management returns all assets seen by any of the specified sources. The items in the sources array must correspond to the names of the sources as defined in your organization's implementation of Tenable Vulnerability Management. Commonly used names include: AWS — The asset data was obtained from an Amazon Web Services connector. NESSUS_AGENT — The asset data was obtained from a Tenable Agent scan. NESSUS_SCAN — The asset data was obtained from a Tenable Nessus scan. PVS — The asset data from a Tenable Network Monitor scan. WAS — The asset data was obtained from a Tenable Web App Scanning scan.
updates[].sources[].name	string	The name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports. Source names can be customized by your organization (for example, you specify a name when you import asset records). If your organization does not customize source names, the system-generated names include: AWS — The asset data was obtained from an Amazon Web Services connector. NESSUS_AGENT — The asset data was obtained from a Tenable Agent scan. NESSUS_SCAN — The asset data was obtained from a Tenable Nessus scan. PVS — The asset data from a Tenable Network Monitor scan. WAS — The asset data was obtained from a Tenable Web App Scanning scan.
updates[].sources[].first_seen	string	The ISO timestamp when the source first reported the asset.
updates[].sources[].last_seen	string	The ISO timestamp when the source last reported the asset.
updates[].tags	array of objects	Object containing the tags for the asset. Note: The tags object is always empty and appears to maintain compatibility with the Tenable API. Your tag data is sent in the tags payload file.
updates[].tags[].uuid	string	The UUID of the tag.
updates[].tags[].key	string	The tag category (the first half of the category:value pair).
updates[].tags[].value	string	The tag value (the second half of the category:value pair).
updates[].tags[].added_at	string	The ISO timestamp when the tag was assigned to the asset.
updates[].tags[].added_by	string	The UUID of the user who assigned the tag to the asset.
updates[].network	object	An object containing network-related information for the asset.
updates[].network.network_id	string	The ID of the network associated with the scanners that identified the asset. The default network ID is 00000000-0000-0000-0000-000000000000. For more information about network objects, see Manage Networks.
updates[].network.network_name	string	The ID of the network object associated with scanners that identified the asset. The default network name is Default. All other network names are user-defined. For more information about network objects, see Manage Networks.
updates[].network.ipv4s[]	array of strings	The IPv4 addresses that scans have associated with the asset record.
updates[].network.bios_uuid	string	The BIOS UUID of the asset.
updates[].network.ipv6s[]	array of strings	The IPv6 addresses that scans have associated with the asset record.
updates[].network.fqdns[]	array of strings	The fully-qualified domain names that scans have associated with the asset record.
updates[].network.mac_addresses[]	array of strings	The MAC addresses that scans have associated with the asset record.
updates[].network.netbios_names[]	array of strings	The NetBIOS names that scans have associated with the asset record.
updates[].network.hostnames[]	array of strings	The hostnames that scans have associated with the asset record.
updates[].network.ssh_fingerprints[]	array of strings	The SSH key fingerprints that scans have associated with the asset record.
updates[].network.network_interfaces[]	array of objects	The network interfaces that scans identified on the asset.
updates[].network.network_interfaces[].name	string	The name of the network interface.
updates[].network.network_interfaces[].virtual	boolean	Indicates whether the network interface is virtual.
updates[].network.network_interfaces[].aliased	boolean	Indicates whether the network interface is aliased.
updates[].network.network_interfaces[].fqdns[]	array of strings	A list of FQDNs for the network interface.
updates[].network.network_interfaces[].mac_addresses[]	array of strings	The MAC addresses of the network interface.
updates[].network.network_interfaces[].ipv4s[]	array of strings	A list of IPv4 addresses belonging to the interface.
updates[].network.network_interfaces[].ipv6s[]	array of strings	A list of IPv6 addresses belonging to the interface.
updates[].network.open_ports[]	array of objects	An array of open ports and their services as reported by the info-level plugins.
updates[].network.open_ports[].port	integer	The open port number.
updates[].network.open_ports[].protocol	string	The communication protocol corresponding to the open port.
updates[].network.open_ports[].service_names[]	array of strings	The names of the services associated with the open port.
updates[].network.open_ports[].first_seen	string	The ISO timestamp when the source first detected the open port on the asset.
updates[].network.open_ports[].last_seen	string	The ISO timestamp when the source last detected the open port on the asset.
updates[].scan	object	An object containing scan-related information for the asset.
updates[].scan.first_scan_time	string	The time and date of the first scan run against the asset.
updates[].scan.last_scan_time	string	The time and date of the last scan run against the asset.
updates[].scan.last_authenticated_scan_date	string	The time and date of the last credentialed scan run on the asset.
updates[].scan.last_licensed_scan_date	string	The time and date of the last scan that identified the asset as licensed. Tenable Vulnerability Management categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days.
updates[].scan.last_scan_id	string	The UUID of the scan configuration used during the last scan of the asset.
updates[].scan.last_schedule_id	string	The schedule_uuid for the last scan of the asset.
updates[].scan.last_authentication_attempt_date	string	The date when last authentication scan attempt was made.
updates[].scan.last_authentication_success_date	string	The date when last authentication scan attempt was successful.
updates[].scan.last_authentication_scan_status	string	The status of the last scan authentication (for example, SUCCESS).
updates[].scan.last_scan_target	string	The last scan target that was scanned.
updates[].timestamps	object	An object containing various timestamps related to the asset.
updates[].timestamps.created_at	string	The time and date when Tenable Vulnerability Management created the asset record.
updates[].timestamps.updated_at	string	The time and date when the asset record was last updated.
updates[].timestamps.deleted_at	string	The time and date when a user deleted the asset record. When a user deletes an asset record, Tenable Vulnerability Management retains the record until the asset ages out of the license count.
updates[].timestamps.terminated_at	string	The time and date when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset.
updates[].timestamps.first_seen	string	The time and date when a scan first identified the asset.
updates[].timestamps.last_seen	string	The time and date of the scan that most recently identified the asset.
updates[].custom_attributes[]	array of objects	A list of custom attributes for the asset.
updates[].custom_attributes[].id	string	The identifier for the custom attribute.
updates[].custom_attributes[].value	string	The value of the custom attribute.
updates[].ratings	object	A list of vulnerability ratings and score calculations. These ratings provide a comprehensive view of exposure. Currently, only the Asset Criticality Rating (ACR) and Asset Exposure Score (AES) are provided.
updates[].ratings.acr	object	The Tenable-defined Asset Criticality Rating (ACR) for the asset. Tenable uses an algorithm based on the asset profile to assign a metric rating the importance of an asset to your organization from 1 to 10, with higher numbers for more critical assets.
updates[].ratings.acr.score	number	The Asset Criticality Rating (ACR) value.
updates[].ratings.aes	object	The Tenable-defined Asset Exposure Score (AES) for the asset. This metric weighs an asset's Vulnerability Priority Rating (VPR) and Asset Criticality Rating (AES) and then assigns a number from 1 to 1000, with higher numbers for more exposed assets.
updates[].ratings.aes.score	number	The Asset Exposure Score (AES) value.
updates[].acr_score	string	(Tenable Lumin-only) The Asset Criticality Rating (ACR) for the asset.
updates[].exposure_score	string	(Tenable Lumin-only) The Asset Exposure Score (AES) for the asset.
deletes[]	array of objects	Contains the web app scanning asset objects deleted in the payload.
deletes[].id	string	The ID of the deleted web app scanning asset.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the asset was deleted.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.

Web App Scanning Findings Properties

The following table defines the properties in a Tenable Data Stream web app scanning findings payload file. To see an example file, go to Web App Scanning Findings Payload Files.

Property	Data Type	Description
payload_id	string	The ID of the payload sent from Tenable Vulnerability Management.
version	integer	The schema version identifier. This increments only when the JSON structure of the payload changes.
type	string	The type of payload (WAS_FINDING).
count_updated	integer	The number of objects updated in the payload.
count_deleted	integer	The number of objects deleted in the payload.
updates[]	array of objects	Contains the web app scanning findings objects updated in the payload.
updates[].finding_id	string	The unique identifier of the finding (vulnerability).
updates[].url	string	The fully-qualified domain name or URL associated with the finding.
updates[].input_type	string	The type of HTML Form input associated with the finding.
updates[].input_name	string	The type of page element that's vulnerable (for example, an HTML form).
updates[].http_method	string	The HTTP method associated with the finding. .
updates[].output	string	The text output from the plugin that detected the finding.
updates[].proof	string	The output from the web application corroborating that the finding is present.
updates[].payload	string	The attack payload used to detect the finding.
updates[].state	string	The state as determined by the Tenable Web App Scanning state service. Possible values include: OPEN — The compliance finding is currently present on an asset. REOPENED — The compliance finding was previously marked as fixed on an asset but has been detected again by a new scan. FIXED — The compliance finding was present on an asset but is no longer detected. ACTIVE — The compliance finding is currently active on an asset. Note that the API uses different terms for states than the user interface. The new and active states in the user interface map to the OPEN state in the API. The resurfaced state in the user interface maps to the REOPENED state in the API. The fixed state is the same.
updates[].severity	string	The severity of the finding as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info (CVSS score of 0), low (CVSS score between 0.1 and 3.9), medium (CVSS score between 4.0 and 6.9), high (CVSS score between 7.0 and 9.9), and critical (CVSS score of 10.0).
updates[].severity_id	integer	The code for the severity assigned when a user recast the risk associated with the finding. Possible values include: 0 — The vulnerability has a CVSS score of 0, which corresponds to the info severity level. 1 — The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the low severity level. 2 — The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the medium severity level. 3 — The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the high severity level. 4 — The vulnerability has a CVSS score of 10.0, which corresponds to the critical severity level.
updates[].severity_default_id	integer	The code for the severity originally assigned to a finding before a user recast the risk associated with the finding. Possible values are the same as for the severity_id attribute.
updates[].severity_modification_type	string	The type of modification a user made to the finding's severity. Possible values include: NONE — No modification has been made. RECASTED — A user in the Tenable Web App Scanning user interface has recast the risk associated with the finding. ACCEPTED — A user in the Tenable Web App Scanning user interface has accepted the risk associated with the finding. For more information about recast and accept rules, see Recast/Accept Rules in the Tenable Vulnerability Management User Guide.
updates[].recast_reason	string	The text that appears in the Comment field of the recast rule in the Tenable Web App Scanning user interface.
updates[].recast_rule_uuid	string	The UUID of the recast rule that applies to the plugin.
updates[].first_found	string	An ISO timestamp indicating the date and time when a scan first detected the finding on the asset.
updates[].last_found	string	An ISO timestamp indicating the date and time when a scan last detected the finding on the asset.
updates[].last_fixed	string	An ISO timestamp indicating the date and time when a scan no longer detects the previously detected finding on the asset.
updates[].last_observed	string	An ISO timestamp indicating the date and time when the finding was previously detected/observed on the asset.
updates[].indexed_at	string	An ISO timestamp indicating the date and time when the vulnerability was indexed into Tenable Web App Scanning.
updates[].plugin	object	An object containing plugin details for the finding.
updates[].plugin.epss_score	number	The Exploit Prediction Scoring System (EPSS) score of the finding.
updates[].plugin.id	integer	The ID of the plugin that identified the finding.
updates[].plugin.risk_factor	string	The risk factor of the finding associated with the plugin. The risk factor is determined based on the calculation of the CVSS score. The possible values are: LOW — The vulnerability has a CVSS score between 0.1 and 3.9. MEDIUM — The vulnerability has a CVSS score between 4.0 and 6.9. HIGH — The vulnerability has a CVSS score between 7.0 and 9.9. CRITICAL — The vulnerability has a CVSS score of 10.0.
updates[].plugin.original_risk_factor_num	integer	The code for the severity originally assigned to a plugin.
updates[].plugin.locale	string	The plugin language used.
updates[].plugin.type	string	The general type of plugin check (for example, LOCAL or REMOTE).
updates[].plugin.intel_type	string	The intelligence type/source for the plugin.
updates[].plugin.name	string	The name of the plugin that identified the vulnerability.
updates[].plugin.version	string	The version of the plugin used to perform the check.
updates[].plugin.publication_date	string	An ISO timestamp indicating the date and time the publication date of the plugin.
updates[].plugin.modification_date	string	An ISO timestamp indicating the date and time the last modification date of the plugin.
updates[].plugin.solution	string	Remediation information for the vulnerability.
updates[].plugin.synopsis	string	Brief description of the plugin or vulnerability.
updates[].plugin.description	string	The full text description of the plugin.
updates[].plugin.patch_publication_date	string	An ISO timestamp indicating the date and time the vendor's patch publication date for the plugin.
updates[].plugin.exploitability_ease	string	The vulnerability's ease of exploitability.
updates[].plugin.stig_severity	string	The Security Technical Implementation Guide (STIG) severity code for the vulnerability.
updates[].plugin.public_display	integer	The public display details for the plugin.
updates[].plugin.in_the_news	boolean	A value specifying whether this plugin has received media attention (for example, ShellShock, Meltdown).
updates[].plugin.exploited_by_malware	boolean	The finding discovered by this plugin is known to be exploited by malware.
updates[].plugin.cvss2_base_score	number	The CVSSv2 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss2_temporal_score	number	The CVSSv2 temporal score (characteristics of a finding that change over time but not among user environments).
updates[].plugin.cvss3_base_score	number	The CVSSv3 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss3_temporal_score	number	The CVSSv3 temporal score (characteristics of a finding that change over time but not among user environments).
updates[].plugin.see_also[]	array of strings	Links to external websites that contain helpful information about the vulnerability.
updates[].plugin.bid[]	array of integers	A list of Bugtraq IDs associated with the finding.
updates[].plugin.policy[]	array of strings	A list of policy names associated with the finding.
updates[].plugin.xrefs[]	array of objects	References to third-party information about the finding, exploit, or update associated with the plugin. Each reference includes a type and an ID (for example, capec and 2003-047).
updates[].plugin.xrefs[].type	string	The type of cross-reference (for example, capec, hipaa, or iso).
updates[].plugin.xrefs[].id[]	array of strings	A list of IDs for the cross-reference type.
updates[].plugin.cpe[]	array of strings	The Common Platform Enumeration (CPE) number for the plugin.
updates[].plugin.cve[]	array of strings	The Common Vulnerability and Exposure (CVE) ID for the plugin.
updates[].plugin.cwe[]	array of strings	The Common Weakness Enumeration (CWE) ID for the plugin.
updates[].plugin.wasc[]	array of strings	The Web Application Security Consortium (WASC) ID for the plugin.
updates[].plugin.owasp_2010[]	array of strings	A list of chapters in OWASP Categories 2010 report for the plugin.
updates[].plugin.owasp_2013[]	array of strings	A list of chapters in OWASP Categories 2013 report for the plugin.
updates[].plugin.owasp_2017[]	array of strings	A list of chapters in OWASP Categories 2017 report for the plugin.
updates[].plugin.owasp_2021[]	array of strings	A list of chapters in OWASP Categories 2021 report for the plugin.
updates[].plugin.owasp_api_2019[]	array of strings	A list of chapters in OWASP Categories API 2019 report for the plugin.
updates[].plugin.vpr_v2	object	An object containing information about the Vulnerability Priority Rating (VPRv2) for the vulnerability.
updates[].plugin.vpr_v2.score	number	The Vulnerability Priority Rating (VPRv2) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR score represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Tenable Metrics in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr_v2.vpr_percentile	string	Filter on the VPR v2 score percentile ranking of the CVE, indicating its position relative to other vulnerabilities.
updates[].plugin.vpr_v2.vpr_severity	string	Filter on the VPR v2 severity categorization of the CVE. Options are Critical, High, Medium, Low, Info.
updates[].plugin.vpr_v2.exploit_probability	number	Filter on the probability of exploitation produced by the VPR v2 threat model for the CVE.
updates[].plugin.vpr_v2.cve_id	string	Filter on a specific CVE ID for the CVE that is a primary contributor to the calculated VPRv2 score for a vulnerability.
updates[].plugin.vpr_v2.exploit_code_maturity	string	Filter on current availability and maturity of exploit code. Options are High, Functional, POC, and Unproven.
updates[].plugin.vpr_v2.on_cisa_kev	boolean	Filter on whether the CVE is listed on the CISA Known Exploited Vulnerabilities list. Options are Yes, No.
updates[].plugin.vpr_v2.exploit_chain[]	array of strings	Allows filtering on CVEs that are part of an exploit chain.
updates[].plugin.vpr_v2.in_the_news_intensity_last30	string	Allows filtering on the volume of news reporting on the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.
updates[].plugin.vpr_v2.in_the_news_recency	string	Allows filtering on the recency of news sources reporting on the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.
updates[].plugin.vpr_v2.in_the_news_sources_last30[]	array of strings	Filter on categories of news sources that have referenced the CVE within the last 30 days. Select from one or more of Academic and Research Institutions, Blogs and Individual Researchers, Code Repositories, Cybersecurity News Media, Cybersecurity Vendors, Forums and Community Platforms, Government and Regulatory, Mainstream News and Media, Security Research, Technology Companies, Tools and Resources, Other.
updates[].plugin.vpr_v2.malware_observations_intensity_last30	string	Filter on the volume of observed malware exploiting the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High.
updates[].plugin.vpr_v2.malware_observations_recency	string	Filter on the recency of observed malware exploiting the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days.
updates[].plugin.vpr_v2.threat_summary[]	object	The object container for information about the threat posed by the vulnerability, including relevant details that contribute to its Vulnerability Priority Rating (VPR) v2 score.
updates[].plugin.vpr_v2.threat_summary[].summary	string	Information about the threat posed by the vulnerability, including relevant details that contribute to its Vulnerability Priority Rating (VPR) v2 score.
updates[].plugin.vpr_v2.threat_summary[].lastUpdated	string	Most recent update to threat summary information.
updates[].plugin.vpr_v2.remediation[]	object	The object container for information and recommended actions for mitigating or resolving the vulnerability. This may include patches, configuration changes, or other remediation guidance.
updates[].plugin.vpr_v2.remediation[].summary	string	Information and recommended actions for mitigating or resolving the vulnerability. This may include patches, configuration changes, or other remediation guidance.
updates[].plugin.vpr_v2.remediation[].last_updated	string	Most recent update to remediation summary information.
updates[].plugin.vpr_v2.targeted_industries[]	array of strings	Allows filtering on specific industries where attacks leveraging the CVE have been observed. Sample options include Banking, Technology, Government.
updates[].plugin.vpr_v2.targeted_regions[]	array of strings	Allows filtering on specific geographic regions where attacks leveraging the CVE have been observed.
updates[].plugin.vpr	object	An object containing information about the Vulnerability Priority Rating (VPR) for the vulnerability.
updates[].plugin.vpr.score	number	The Vulnerability Priority Rating (VPR) for the vulnerability. If a plugin is designed to detect multiple vulnerabilities, the VPR represents the highest value calculated for a vulnerability associated with the plugin. For more information, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.
updates[].plugin.vpr.drivers	object	The key drivers Tenable uses to calculate a vulnerability's VPR. For more information, see Vulnerability Priority Rating Drivers.
updates[].plugin.vpr.drivers.age_of_vuln	object	A range representing the number of days since the National Vulnerability Database (NVD) published the vulnerability. The valid ranges are: 0-7 days 7-30 days 30-60 days 60-180 days 180-365 days 365-730 days More than 730 days (+731)
updates[].plugin.vpr.drivers.age_of_vuln.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 730 days), this value is 731.
updates[].plugin.vpr.drivers.age_of_vuln.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.exploit_code_maturity	string	The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit). The possible values (HIGH, FUNCTIONAL, POC, or UNPROVEN) parallel the CVSS Exploit Code Maturity categories.
updates[].plugin.vpr.drivers.cvss_impact_score_predicted	boolean	A value specifying whether Tenable predicted the CVSSv3 impact score for the vulnerability because NVD did not provide one (true) or used the NVD-provided CVSSv3 impact score (false) when calculating the VPR.
updates[].plugin.vpr.drivers.cvss3_impact_score	number	The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management shows a Tenable-predicted score.
updates[].plugin.vpr.drivers.threat_intensity_last28	string	The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability. The possible values are: VERY LOW LOW MEDIUM HIGH VERY HIGH
updates[].plugin.vpr.drivers.threat_recency	object	A range representing the number of days since a threat event occurred for the vulnerability. The possible ranges are: 0-7 days 7-30 days 30-120 days 120-365 days More than 365 days (+365)
updates[].plugin.vpr.drivers.threat_recency.lower_bound	integer	The lower bound of the range. For example, for the 0-7 days range, this attribute is 0. For the highest range (more than 365 days), this value is 366.
updates[].plugin.vpr.drivers.threat_recency.upper_bound	integer	The upper bound of the range. For example, for the 0-7 days range, this attribute is 7. For the highest range (more than 730 days), this value is 0, which signifies that there is no higher category.
updates[].plugin.vpr.drivers.threat_sources_last28[]	array of strings	A list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred.
updates[].plugin.vpr.drivers.product_coverage	string	The relative number of unique products affected by the vulnerability. The possible values are: LOW MEDIUM HIGH VERY HIGH
updates[].plugin.vpr.updated	string	The ISO timestamp when v last imported the VPR for this vulnerability. v imports a VPR value the first time you scan a vulnerability on your network. Then, Tenable Web App Scanning automatically re-imports new and updated VPR values daily.
updates[].plugin.vpr.updated_reason	string	The reason for the VPR update.
updates[].plugin.cvss2_temporal_vector	object	CVSSv2 temporal metrics for the vulnerability.
updates[].plugin.cvss2_temporal_vector.exploitability	string	The CVSSv2 Exploitability (E) temporal metric for the vulnerability the plugin covers. The possible values are: U — Unproven POC — Proof-of-Concept F — Functional H — High ND — Not Defined
updates[].plugin.cvss2_temporal_vector.remediation_level	string	The CVSSv2 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. The valid values are: O — Official Fix T — Temporary Fix W — Workaround U — Unavailable X — Not Defined
updates[].plugin.cvss2_temporal_vector.report_confidence	string	The CVSSv2 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. The possible values are: UC — Unconfirmed UR — Uncorroborated C — Confirmed ND — Not Defined
updates[].plugin.cvss2_temporal_vector.raw	string	The complete cvss_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss2_vector	object	Additional CVSSv2 metrics for the vulnerability.
updates[].plugin.cvss2_vector.access_complexity	string	The CVSSv2 Access Complexity (AC) metric for the vulnerability the plugin covers. The possible values are: H — High M — Medium L — Low
updates[].plugin.cvss2_vector.access_vector	string	The CVSSv2 Access Vector (AV) metric for the vulnerability the plugin covers. The possible values are: L — Local A — Adjacent Network N — Network
updates[].plugin.cvss2_vector.authentication	string	The CVSSv2 Authentication (Au) metric for the vulnerability the plugin covers. The possible values are: N — None Required S — Single M — Multiple
updates[].plugin.cvss2_vector.availability_impact	string	The CVSSv2 availability impact metric for the vulnerability the plugin covers. The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.confidentiality_impact	string	The CVSSv2 confidentiality impact metric for the vulnerability the plugin covers.The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.integrity_impact	string	The CVSSv2 integrity impact metric for the vulnerability the plugin covers. The possible values are: N — None P — Partial C — Complete
updates[].plugin.cvss2_vector.raw	string	The complete cvss_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss3_temporal_vector	object	An object containing the CVSS v3 temporal vector details.
updates[].plugin.cvss3_temporal_vector.exploitability	string	The CVSSv3 Exploit Maturity Code (E) for the vulnerability the plugin covers. The possible values are: Unproven — Corresponds to the Unproven (U) value for the E metric. Proof-of-concept — Corresponds to the Proof-of-Concept (POC) value for the E metric. Functional — Corresponds to the Functional (F) value for the E metric. High — Corresponds to the High (H) value for the E metric. Not-defined — Corresponds to the Not Defined (ND) value for the E metric.
updates[].plugin.cvss3_temporal_vector.remediation_level	string	The CVSSv3 Remediation Level (RL) temporal metric for the vulnerability the plugin covers. The valid values are: O — Official Fix T — Temporary Fix W — Workaround U — Unavailable X — Not Defined
updates[].plugin.cvss3_temporal_vector.report_confidence	string	The CVSSv3 Report Confidence (RC) temporal metric for the vulnerability the plugin covers. The possible values are: U — Unknown R — Reasonable C — Confirmed X — Not Defined
updates[].plugin.cvss3_temporal_vector.raw	string	The complete cvss3_temporal_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, E:U/RL:OF/RC:C.
updates[].plugin.cvss3_vector	object	Additional CVSSv3 metrics for the vulnerability.
updates[].plugin.cvss3_vector.access_complexity	string	The CVSSv3 Access Complexity (AC) metric for the vulnerability the plugin covers. The possible values are: H — High M — Medium L — Low
updates[].plugin.cvss3_vector.access_vector	string	The CVSSv3 Attack Vector (AV) metric for the vulnerability the plugin covers. The possible values are: Network — Corresponds to the Network (N) value for the AV metric. Adjacent Network — Corresponds to the Adjacent Network (A) value for the AV metric. Local — Corresponds to the Local (L) value for the AV metric.
updates[].plugin.cvss3_vector.authentication	string	The CVSSv3 Authentication (Au) metric for the vulnerability the plugin covers. The possible values are: None required — Corresponds to the None (N) value for the Au metric. Requires-single-instance — Corresponds to the Single (S) value for the Au metric. Requires-multiple-instances — Corresponds to the Multiple (M) value for the Au metric.
updates[].plugin.cvss3_vector.availability_impact	string	The CVSSv3 availability impact metric for the vulnerability the plugin covers. The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.confidentiality_impact	string	The CVSSv3 confidentiality impact metric for the vulnerability the plugin covers.The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.integrity_impact	string	The CVSSv3 integrity impact metric for the vulnerability the plugin covers. The possible values are: H — High L — Low N — None
updates[].plugin.cvss3_vector.raw	string	The complete cvss3_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].plugin.cvss4_base_score	number	The CVSS v4.0 base score (intrinsic and fundamental characteristics of a finding that are constant over time and user environments).
updates[].plugin.cvss4_threat_vector	object	An object representing the CVSS v4.0 Threat metrics for the vulnerability. These metrics provide context on current, observed threat activity in the wild, such as evidence of exploitation or the presence of available exploit code. Threat metrics can help refine the severity and prioritization of vulnerabilities beyond their intrinsic characteristics. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.exploit_maturity	string	The CVSS v4.0 Exploit Maturity (E) metric, indicating the current development status of exploit techniques or code for the vulnerability. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.raw	string	The complete cvss4_threat_vector metrics and their result values for the vulnerability, expressed as a concise, coded string. This threat vector is typically appended to the CVSSv4 Base vector. For example, CVSS:4.0/E:U. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_threat_vector.threat_score	string	The CVSS v4.0 threat score (CVSS-T), which adjusts the base score by incorporating real-world threat intelligence, such as the presence of active exploitation, exploit code availability, or observed malware activity. This score reflects the current threat landscape for the vulnerability. For more details, see the CVSS v4.0 Specification.
updates[].plugin.cvss4_vector	object	Additional CVSS v4.0 metrics for the vulnerability.
updates[].plugin.cvss4_vector.attack_vector	string	The context where vulnerability exploitation is possible, such as Network or Local.
updates[].plugin.cvss4_vector.attack_complexity	string	The conditions beyond the attacker's control that must exist to exploit the vulnerability.
updates[].plugin.cvss4_vector.attack_requirements	string	The resources, access, or specialized conditions required for an attacker to exploit the vulnerability.
updates[].plugin.cvss4_vector.privileges_required	string	The permission level attackers require to exploit the vulnerability. Options are High, Low, or None. For example, None means attackers need no permissions in your environment and can exploit the vulnerability while unauthorized.
updates[].plugin.cvss4_vector.user_interaction	string	The level of user involvement required for an attacker to exploit the vulnerability.
updates[].plugin.cvss4_vector.vulnerable_system_availability	string	The impact on the availability of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.vulnerable_system_confidentiality	string	The impact on the confidentiality of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.vulnerable_system_integrity	string	The impact on the integrity of the vulnerable system when successfully exploited.
updates[].plugin.cvss4_vector.subsequent_system_availability	string	The impact on the availability of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.subsequent_system_confidentiality	string	The impact on the confidentiality of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.subsequent_system_integrity	string	The impact on the integrity of systems that can be impacted after the vulnerable system is exploited.
updates[].plugin.cvss4_vector.raw	string	The complete cvss4_vector metrics and result values for the vulnerability the plugin covers in a condensed and coded format. For example, AV:N/AC:M/Au:N/C:C/I:C/A:C.
updates[].asset	object	Information about the asset where the scan detected the vulnerability.
updates[].asset.uuid	string	The UUID of the asset where a scan found the vulnerability.
updates[].asset.fqdn	string	The fully qualified domain name for the asset.
updates[].asset.ipv4s[]	array of strings	This value always returns as null.
updates[].asset.ipv4	string	This value always returns as null.
updates[].scan	object	Information about the latest scan that detected the vulnerability.
updates[].scan.completed_at	string	The ISO timestamp when the scan completed.
updates[].scan.schedule_uuid	string	The schedule UUID for the scan that found the vulnerability.
updates[].scan.started_at	string	The ISO timestamp when the scan started.
updates[].scan.uuid	string	The UUID of the scan that found the vulnerability.
updates[].scan.target	string or null	The target IP or hostname of the scan.
deletes[]	array of objects	Contains the host audit objects deleted in the payload.
deletes[].id	string	The ID of the deleted host audit.
deletes[].deleted_at	string	An ISO timestamp indicating the date and time when the host audit was deleted.
first_ts	string	A Unix timestamp indicating the date and time of the first entry in the payload.
last_ts	string	A Unix timestamp indicating the date and time of the last entry in the payload.