Tenable.io integration with the Vulnerability Response and Configuration Compliance applications

List of Tenable.io integrations

The Tenable.io and Tenable.sc integrations support multi-source deployments. You can add and deploy multiple instances of these integrations across your environment using Setup Assistant in Vulnerability Response. You also install and configure the Vulnerability Response Integration with Tenable application from Setup Assistant.

Tenable.io is a cloud-based enterprise integration. The following sections describe the supported Tenable.io integrations and their behavior.

Tenable.io integrations

The following table lists the supported integrations for the Tenable.io product..


Integration	Description
Tenable.io Assets Integration	Retrieves all asset data, including asset tags, from the Tenable.io product. Creates unique CIs for unmatched assets.
Tenable.io Compliance Results Integration	Retrieves secure configuration assessment data from Tenable.io and processes it in your ServiceNow AI Platform instance. Starting with v[VERSION], this integration is deprecated and replaced by the Tenable.io Fixed Compliance Results Integration and Tenable.io Open Compliance Results Integration.
Tenable.io Fixed Compliance Results Integration	Retrieves compliance test results in a fixed state (Passed, Skipped) and processes associated policies, tests, and citations.
Tenable.io Open Compliance Results Integration	Retrieves compliance test results in an open state (Failed, Warning, Error, Unknown) for investigation and remediation. Triggered after the Tenable.io Fixed Compliance Results integration.
Tenable.io Compliance Results Backfill Integration	Matches compliance results with assets that were previously missing. Runs automatically after the Assets Integration and removes resolved entries from the missing asset table.
Tenable.io Scan Credential Integration	Retrieves scan credentials configured in Tenable.io for use in rescan requests. Runs weekly.
Tenable.io Template Integration	Retrieves available Tenable.io credentials for rescans. Stores a single template record temporarily.
Tenable.io Plugin Integration	Retrieves plugin data from Tenable.io to keep Tenable Identifiers (Ten IDs) current.
Tenable.io Fixed Vulnerabilities Integration	Retrieves vulnerability data based on severity filters. Outputs Closed/Fixed vulnerable items. Scheduled; chains to Open.
Tenable.io Open Vulnerabilities Integration	Retrieves open vulnerability data. Triggered after the Fixed Vulnerabilities integration. Outputs New/Reopened VIs.
Tenable.io Scan Metadata Integration	Retrieves scan metadata from the /scans endpoint using the last_schedule_id from existing asset data and associates scan records with discovered items and vulnerabilities.

Activate Tenable.io integrations

The Tenable.io Compliance Results Integration and the Tenable.io Compliance Results Backfill Integration are inactive by default. Follow these steps to activate an integration:

Navigate to Tenable Vulnerability Integration > Administration > Integrations.
From the Tenable Integrations list, open the integration record.
Select the Active check box.
Select Update.

You can keep the default schedule settings when activating these integrations initially.

注:

Starting with v[VERSION], the original Tenable.io Compliance Results Integration is no longer available. You must activate both the Fixed and Open Compliance Results integrations to continue ingesting compliance data.

Tenable.io Assets Integration

Retrieves all asset data, including asset tags, from the Tenable.io product and processes it in your instance.

Starting with v3.0, if the Tenable.io Compliance Results Integration is activated, you can import secure configuration assessment data along with imported asset data. This data can help you identify and respond to configuration-related vulnerabilities on your assets.
Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
Coordinates the REST message calls to the Asset API.
The output of this integration is discovered items.
Data is imported in chunks and stored in the sn_vul_tenable_chunk_status table. Table cleaner automatically removes stored data from this table after 30 days.
Starting with v2.2, Last Scan Time is imported and updated only for assets that have vulnerabilities.

Tenable.io Compliance Results Integration

注:

Deprecated starting with v[VERSION]. This integration is replaced by the Tenable.io Fixed Compliance Results Integration and the Tenable.io Open Compliance Results Integration.

This integration retrieves all secure configuration assessment data and processes it in your ServiceNow instance. Imported data includes test results along with policies, configuration tests (controls), and citations with authoritative sources.

Assessment data for missing assets or assets without asset IDs aren’t imported.
If a test result is imported and its corresponding asset couldn’t be matched in your instance, the test result is ignored and the ID for the missing asset is stored in a temporary record in the sn_vul_tenable_missing_asset table.
The total number of ignored (missing) assets are listed in the Ignored CIs field on the Configuration tab of the integration run record.

Tenable.io Fixed Compliance Results Integration

Retrieves secure configuration assessment data for compliance test results with a status of Passed or Skipped and processes it in your ServiceNow instance.

Imported data includes test results along with associated policies, configuration tests (controls), and citations with authoritative sources.
This integration is scheduled and executes first in the compliance chain. Upon successful completion, it automatically triggers the Tenable.io Open Compliance Results Integration, provided the Open integration is active and configured in the Next Integration field.
Assessment data for missing assets or assets without asset IDs isn’t imported.
If a test result is imported and its corresponding asset can’t be matched in your instance, the test result is ignored and the missing asset ID is stored in a temporary record in the sn_vul_tenable_missing_asset table.
The total number of ignored (missing) assets is listed in the Ignored CIs field on the Configuration tab of the integration run record.

Tenable.io Open Compliance Results Integration

Retrieves secure configuration assessment data for compliance test results with a status of Failed, Warning, Error, or Unknown and processes it in your ServiceNow instance.

This integration is triggered upon successful completion of the Tenable.io Fixed Compliance Results Integration.
By default, this integration is configured to run on demand. You can modify the scheduling configuration from the integration record in Tenable Vulnerability Integration > Integrations.
Assessment data for missing assets or assets without asset IDs isn’t imported.
If a test result is imported and its corresponding asset can’t be matched in your instance, the test result is ignored and the missing asset ID is stored in the sn_vul_tenable_missing_asset table.
The total number of ignored (missing) assets is listed in the Ignored CIs field on the Configuration tab of the integration run record.

Execution behavior for the split compliance results integrations:

The Fixed Compliance Results Integration is designed to execute first. When active, it automatically triggers the Open Compliance Results Integration upon successful completion, provided the Open integration is active and configured in the Next Integration field of the Fixed integration record.
If the Fixed Compliance Results Integration is inactive or encounters an error during execution, the Open Compliance Results Integration isn’t triggered. You must execute it manually or configure its own schedule.
Execution details and error information are captured in the integration run record.

Tenable.io Compliance Results Backfill Integration

When activated, this integration runs automatically after the Assets integration completes as part of a chained integration run. It matches configuration assessment data with missing assets listed in the sn_vul_tenable_missing_asset table.

Imports up to 200 asset IDs for any missing assets discovered or present in your instance after the Assets integration import completes successfully.
Removes the temporary records from the sn_vul_tenable_missing_asset table when assets can be matched with corresponding configuration assessment data.
Coordinates the REST message calls to the Compliance Export API.

Tenable.io Scan Credential Integration

Retrieves the scan credentials configured in Tenable.io for use in rescan requests initiated from the ServiceNow AI Platform.

Coordinates the REST message calls to the Credentials API.
The output of this integration is scan credentials populated in the sn_vul_tenable_scan_credential table.
The imported credentials are used to access the scanner when you initiate scan requests from the ServiceNow AI Platform.
This integration is scheduled to run weekly.

Tenable.io Template Integration

A template record is sent to Tenable.io during rescan. This integration retrieves available Tenable.io credentials to use for rescans. Credentials are instance-specific, and a single template record is imported and securely stored temporarily on the sn_vul_tenable_io_template table.

Tenable.io Plugin Integration

Retrieves the plugin data from the Tenable.io product to keep Tenable Identifiers (Ten IDs) current.

Retrieved data is based on the date that the plugins were last updated by a Tenable.io integration run.
Coordinates the REST message calls to the Plugin API.
The output of this integration is third-party vulnerabilities.

Tenable.io Fixed Vulnerabilities Integration

Retrieves vulnerability data based on severity filters from the Tenable.io product and processes it in your instance.

Vulnerable items are created for detection records in the Open and Reopened states because these records require remediation. Existing vulnerable items are updated if detections are Fixed, but vulnerable items aren’t created for Fixed detections by default because Tenable considers Fixed vulnerabilities Mitigated.
When you activate the flag Create vulnerable items for Fixed Vulnerability detections in Setup Assistant, new VIs are created in the Fixed state so you have visibility into the detections that created them. Since VIs are created for Fixed detections that don’t exist in your instance, this might negatively impact your import performance. You may prefer to leave this feature deactivated so that Fixed detections only update the states of existing vulnerable items.
Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
Coordinates the REST message calls to the Vulnerabilities API.
The output of this integration is Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don’t exist.
Data is imported in chunks and stored in the sn_vul_tenable_chunk_status table. Table cleaner automatically removes stored data from this table after 30 days.

This integration run is scheduled. It’s a chained integration, which means after a run is successfully completed, the Open Vulnerabilities integration is triggered.

Starting from Tenable v3.3, you can view the following information for vulnerability integration runs:

Total chunks: The total number of chunks being generated by Tenable.
Available chunks: Number of chunks available for download for ServiceNow.

Tenable.io Open Vulnerabilities Integration

This integration is triggered upon successful completion of the Tenable.io Fixed Vulnerabilities Integration.

Retrieves vulnerability data based on the severity filters from the Tenable.io product and processes it in your instance.
Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
Coordinates the REST message calls to the Vulnerabilities API.
The output of this integration is New/Reopened vulnerable items (VIs). It also creates configuration items and third-party entries if they don’t exist. Tenable considers active vulnerabilities Cumulative (current).
Data is imported in chunks and stored in the sn_vul_tenable_chunk_status table. Table cleaner automatically removes stored data from this table after 30 days.

Starting from Tenable v3.3, you can view the following information for vulnerability integration runs:

Total chunks: The total number of chunks being generated by Tenable.
Available chunks: Number of chunks available for download for ServiceNow.

Tenable.io Scan Metadata Integration

Retrieves metadata from the /scans endpoint. It pulls scan information based on the last_schedule_id from the existing asset data in Tenable.io.

Table Creation: A new custom table, sn_vul_tenable_scan, stores scan metadata retrieved from the Tenable.io /scans endpoint, including scan ID, name, status, start time, end time, and scan type.
Data Association: A reference field is established between discovered items (configuration items or vulnerabilities) and the corresponding latest scan record in the sn_vul_tenable_scan table. This linkage enables you to:
- View the most recent scan information associated with each discovered item.
- Improve the context for vulnerability triage and remediation decisions.
- Enhance auditability and reporting capabilities by maintaining a historical record of scan activities.