How do you calculate the Scan integrity using Net host against credentialed net host with Tenable.sc
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 hours ago
Hello SecOps Community,
Currently for our Vulnerability management we are using third party vulnerability Tenable.sc. Our customer has asked me to build a dashboard using Performance analytics metrics to get the percentage count of the Scan integrity (which is not an oob field in servicenow) by identifying the Host Count(HC), Failed Credential host(FCH) and Net credentialed host(NCH) while gettinb vulnerability data from the Tenable.sc. In our customers tenable.sc they conduct both Nessus and agent scan.
Here,
NCH = SCH-FCH
where, Scan Integrity = NCH/HC *100
Can someone help me understand how do I find the count of those fields when there is not oob field that is available to get those counts?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 hours ago
Hi @GauravT47983100,
There's no OOB "Scan Integrity" field because ServiceNow doesn't need one, Tenable already flags failed credentialed checks itself. Every host where local checks didn't run gets a hit on Tenable plugin 21745 (Authentication Failure / Local Checks Not Run), and that shows up as a Vulnerable Item on sn_vul_vulnerable_item tied to the sn_vul_third_party_entry for that plugin (Tenable formats the entry as TEN-21745). Build your three counts as Performance Analytics scripted-aggregate indicators against that table instead of hitting any API:
- Host Count (HC): distinct cmdb_ci from sn_vul_vulnerable_item where the discovery source is Tenable.sc, scoped to your date window
- Failed Credential Host (FCH): distinct cmdb_ci where the linked third-party entry is TEN-21745
- Net Credentialed Host (NCH): HC minus FCH, combined in a Formula Indicator, then NCH/HC*100
Each of those is a scripted GlideAggregate on the indicator, so it's all in-process, no loopback REST calls needed. One real gotcha for you specifically: plugin 21745 is a network-scan artifact, agent-scanned hosts get local checks by design and never trigger it, so pull agent-scanned assets out of HC or you'll understate integrity.
References
- Understanding the Tenable Vulnerability Integration
- How Risk Score on Third-Party Vulnerability Entry (sn_vul_third_party_entry) is calculated
- Useful plugins to troubleshoot credentialed scans
- Tenable Nessus Credentialed Checks
- Performance Analytics Automated Indicator using a Script Include
Thank you,
Vikram Karety
Octigo Solutions INC