Data transformation for the Tenable Vulnerability Integration

  • Release version: Yokohama
  • Updated May 21, 2026
  • 35 minutes to read

    • After you identify the data to import, it’s retrieved from the Tenable product and processed through a set of data sources and transforms in your instance.

    During installation, normalized severity maps are installed in the Normalized Severity Mapping module. These maps transform imported Tenable severity levels to standard severity levels for processing in your instance. For information about creating severity maps, see Create a Vulnerability Response severity map in the Vulnerability Response documentation.

    Tenable.io asset import

    Imported asset data is first loaded into the Tenable.io Asset Import [sn_vul_tenable_io_asset_import] Table.

    The Tenable.io Asset Integration transform map is used to transform the imported assets information. Changes to this transform alter how data from the Tenable Asset import is processed. To access this transform map, navigate to System Import Sets > Transform Maps. Search for Tenable.io Asset Transform.

    The following table lists the transform map fields by integration.

    Table 1. Tenable.io Asset transform map fields
    Source field Target field Description
    u_id source_id Tenable provides a unique id for assets and maps to the discovered item record and is used for CI lookup.
    u_ipv4s ip_address Maps the first ip value to the ip_address field on the discovered item record.
    u_mac_addresses mac_address Maps the first mac_address value to the mac address field on the discovered item record.
    u_fqdns fqdn Maps the first fqdn value to the fqdn field on the discovered item record.
    u_netbios_names netbios Maps the first netbios value to the netbios field on the discovered item record.
    u_plugin.cvss4_base_score v4_base_score CVSS v4 base score is mapped to the v4 base score in third-party entry record.
    u_plugin.cvss4_threat_score v4_threat_score CVSS v4 threat score is mapped to the v4 threat score in third-party entry record.
    u_operating_systems os Maps the first OS value to the os field on the discovered item record.
    (Prior to v14.0 Vulnerability Response and v2.2 of the Tenable Vulnerability Integration)u_last_scan_time last_scan_date Maps to the last_scan_date field on the discovered item record.
    u_last_authenticated_scan_date last_auth_scan_date Maps to the last_auth_scan_date field on the discovered item record.
    [script] name Maps the host name using the script's logic.
    u_tags The Tags are saved in sn_sec_cmn_host_tag. The mapping from tags to assets is saved in sn_sec_cmn_m2m_src_ci_tag.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    Tenable.io asset transform map script timing and purpose

    When the script is run Purpose
    onStart (when an import set has started transformation) Initializes the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Updates values in the host and verify if the host exists. Based on the results, modifies the values in an import_set. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). Sets the values of new CIs created, and CIs that have been updated and ignored.This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.io plugins integration

    The Tenable.io plugins transform map is used to transform plugins imported from Tenable.io.

    Note:
    Changes to this transform map alters how data received from the Tenable plugins is processed.

    To access this transform map, navigate to System Import Sets > Transform Maps. Search for the Tenable.io Plugin Transform.

    The tenable.io plugins payload contains all the fields in the u_attributes column of the sn_vul_tenable_io_plugin_import table. The attributes field is parsed and mapped to the third-party entry table records as listed in the following table.

    Source field Target field Description
    id id Maps id from source and adds the TEN-prefix to it. For example, if the id received is 12345, the id in the target table is TEN-12345.
    Description summary Maps the description of the plugin to the summary column.
    [script] source The source for imported third-party entry (TPE) is Tenable.io.
    [script] source_instance Reference to the Tenable deployment that imports this record.
    family category Maps the family of plugin to the category column.
    plugin_modification_date last_modified Maps the plugin_modification_date to the last modified field.
    plugin_publication_date date_published Maps the plugin_publication_date to the published date.
    has_patch remediation_type Maps the remediation type from has_patch value.
    synopsis threat Maps the threat information about this vulnerability.
    cvss_base__score score Maps the Common Vulnerability Scoring System (CVSS) base score to the score column in third-party entry table.
    solution solution Maps the solution provided by scanner to the solution column in the third-party entry table.
    exploit_available exploit Maps the exploit_available provided by scanner to the exploit column in the third-party entry table.
    vpr.score source_risk_score Maps the vpr score provided by scanner to the source_risk_score in the third-party entry table.
    [script] source_risk_rating Maps the vpr score to the standard risk rating based on the score ranges:
    • 9–10 – Critical
    • 7–9 – High
    • 4–7 – Medium
    • 0–4 - Low
    vpr.drivers.age_of_vuln age_of_vuln Maps the age of the vulnerability from the scanner to the age_of_vuln column in the third-party entry table.
    vpr.drivers.exploit_code_maturity exploit_code_maturity Maps exploit code maturity from the scanner to exploit_code_maturity in the third-party entry table.
    vpr.drivers.product_coverage product_coverage Maps product coverage from the scanner to product_coverage in the third-party entry table.
    vpr.drivers.threat_sources_last28 threat_sources Maps threat sources in the last 28 days from the scanner to the threat_sources in the third-party table.
    vpr.drivers.threat_intensity_last28 threat_intensity Maps threat intensity in the last 28 days from the scanner to threat_intensity in the third-party entry table.
    vpr.drivers.threat_recency threat_recency Maps the threat recency information from scanner to threat_recency in the third-party entry table.
    vpr.drivers.cvss3_impact_score v3_impact_subscore Maps cvss3 impact score to v3_impact_subscore column in the third-party entry table.
    cvss_temporal_score cvss_temporal_score Maps the temporal score for CVSS v2.
    cvss_v3_temporal_score v3_temporal_score Maps the temporal score for CVSS v3.
    risk_factor source_severity Maps to the source severity in the third-party entry table.
    name name Maps the name of the plugin to name in third-party entry table.
    stig_severity stig_severity Maps the vpr score provided by the scanner to the source_risk_score in the third-party entry table.
    plugin_type check_type Maps the plugin type to check_type in third-party entry table.
    unsupported_by_vendor unsupported_by_vendor Maps the unsupported_by_vendor field to the unsupported_by_vendor column.
    [script] exploit_attack_vector The exploit_attack_vector column in the third-party entry table is populated based on exploit_available and v3_attack_vector of columns.

    In addition to the direct fields, other information is added as related lists to third-party entries.

    Source field Description
    cve Inserts CVE-related data into the reference table (sn_vul_nvd_entry). If the same Common Vulnerabilities and Exposures (CVE) in the NVD entry table (sn_vul_nvd_entry) is found, it associates the current vulnerability to the NVD entry. The mapping can be found in sn_vul_m2m_entry_cve.
    bid The list of bug traqs is added as a reference.
    see_also The list of URLs is added as a reference.
    xrefs The list of X-REF is added as a reference.
    [script] The list of exploits for that plugin and inserts mapping for applicable exploit framework and plugin to sn_vul_m2m_framework_vul.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    When the script is run Purpose
    onStart (when an import set has started transformation) Initializes the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Updates the values in the third-party entry, and verify if the third-party entry exists. Based on the results, modifies the values in a third-party entry. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). Sets the values of new CIs created, and CIs that have been updated and ignored. This script is for internal use, and modifying or deleting them isn’t recommended.

    The TenableIOPluginsImportProcessor script include is called from the onBefore transform script. It takes the output from Tenable.io plugins integration and transforms it into ServiceNow AI Platform third-party vulnerability entries. Any changes to this script include may alter the transformation of Tenable.io plugins data in the third-party entry table.

    Tenable.io vulnerabilities import

    The Tenable.io Vulnerable Item transform map is used to transform open and fixed vulnerabilities information imported from Tenable.io.
    Note:
    Changes to this transform map alter how data from the Tenable Vulnerabilities Import is processed.

    The same transform map is used for both the Tenable.io Fixed Vulnerabilities Integration and the Tenable.io Open Vulnerabilities Integration. To access this transform map, navigate to System Import Sets > Transform Maps. Search for the Tenable.io Vulnerable Item transform map.

    Source field Target field Description
    u_asset.uuid id Uuid is mapped to the id field of the cmdb_ci record.
    u_asset.ipv4 ip_address The ipv4 field is mapped to the ip address field of the cmdb_ci record.
    u_asset.last_authenticated_results last_auth_scan_date The last authenticated scan date is mapped to the last auth scan date of the cmdb_ci record.
    u_asset.mac_addess mac_address Mac address is mapped to the host mac address field of the cmdb_ci record.
    u_asset.netbios_name netbios Netbios is mapped to the netbios field of cmdb_ci record.
    u._plugin.cvss3_base_score v3_base_score CVSS v3 base score is mapped to the v3 base score of the third-party entry record. These changes will be implemented as part of Tenable 5.2.1 Version.
    u._plugin.cvss3_temporal_score v3_temporal_score CVSS v3 temporal score is mapped to the v3 temporal score in the third-party entry record. These changes will be implemented as part of Tenable 5.2.1 Version.
    u._plugin.cvss_base_score score CVSS base score is mapped to the score field of the third-party entry record.
    u._plugin.cvss_temporal_score temporal_score Temporal Score is mapped to the temporal score in the third-party entry record.
    u_plugin.description summary Description is mapped to the summary field in the third-party entry record.
    u_plugin.family category Maps the family of plugin to the category column of the third-party entry record.
    u_plugin.modification_date last_modified Last modified date is mapped to the plugin last modified date in the third-party entry record.
    u_plugin.publication_date date_published Publication date is mapped to the date published field of the third-party entry record.
    u_plugin.risk_factor source_severity Risk factor is mapped to the source_severity field of the third-party entry record.
    u_plugin.solution solution Solution is mapped to the solution field of the third-party entry record.
    u_plugin.synopsis threat Synopsis is mapped to the threat field of the third-party entry record.
    u_severity_id priority Priority is mapped to the severity id from the payload. The default value is 5.
    u_plugin.exploit_available exploit Maps the exploit_available provided by the scanner to the exploit column in the third-party entry table.
    vpr.score source_risk_score Maps the vpr score provided by the scanner to the source_risk_score in the third-party entry table.
    [script] source_risk_rating Maps the vpr score to the standard risk rating based on the score ranges:
    • 9–10 – Critical
    • 7–9 – High
    • 4–7 – Medium
    • 0–4 - Low
    u_plugin.vpr.drivers.age_of_vuln age_of_vuln Maps the age of vulnerability from the scanner to age_of_vuln in the third-party entry table.
    u_plugin.vpr.drivers.exploit_code_maturity exploit_code_maturity Maps exploit code maturity from the scanner to exploit_code_maturity in the third-party entry table.
    u_plugin.vpr.drivers.product_coverage product_coverage Maps product coverage from the scanner to product_coverage in the third-party entry table.
    u_plugin.vpr.drivers.threat_sources_last28 threat_sources Maps threat sources in the last 28 days from the scanner to threat_sources in the third-party entry table.
    u_plugin.vpr.drivers.threat_intensity_last28 threat_intensity Maps threat intensity in the last 28 days from the scanner to threat_intensity in the third-party entry table.
    u_plugin.vpr.drivers.threat_recency threat_recency Maps the threat recency information from the scanner to threat_recency in the third-party entry table.
    u_plugin.vpr.drivers.cvss3_impact_score v3_impact_subscore Maps CVSS3 v3 impact score to v3_impact_subscore column in the third-party entry table.
    u_plugin.type check_type Maps the plugin type to check_type in third-party entry table.
    u_plugin.unsupported_by_vendor unsupported_by_vendor Maps the unsupported_by_vendor field in plugin to the unsupported_by_vendor column.
    [script] exploit_attack_vector The exploit_attack_vector column in the third-party entry table is populated based on exploit_available and v3_attack_vector of columns.
    U_plugin.on_cisa_kev cisa_exists Maps on_cisa_kev field with cisa_exists in third-party entry table.
    u_plugin.family_id Family_id Maps the plugin Family id to family_id column in third-party entry table.
    port port Port is mapped to the port field of the vulnerable item record.
    protocol protocol Protocol is mapped to the protocol field of the vulnerable item record.
    u_first_found first_found First found is mapped to the first found field of the vulnerable item record.
    u_last_found last_found Last found is mapped to the last found field of the vulnerable item record.
    u_state state State is mapped to the State field in the vulnerable item record
    [script] source The source of the integration is populated. The vulnerable items created from this integration have Tenable.io as the source.
    [script] integration_instance The integration_instance is the name of the instance from which the vulnerable item is imported.
    u_plugin.name name Maps the name of the plugin to name in third-party entry table.
    u_plugin.stig_severity stig_severity Maps the stig severity of the plugin to stig severity column in third-party entry table
    u_plugin.vpr_v2.malware_observations_intensity_last30 vprv2_malware_observations_intensity Maps the VPRv2 malware_observations_intensity_last30 value to the vprv2_malware_observations_intensity field in the Tenable TPE Additional Attributes table.
    u_plugin.vpr_v2.targeted_industries vprv2_targeted_industries Maps the VPRv2 targeted_industries value to the vprv2_targeted_industries field in the Tenable TPE Additional Attributes table.
    u_plugin.vpr_v2.targeted_regions vprv2_targeted_regions Maps the VPRv2 targeted_regions value to the vprv2_targeted_regions field in the Tenable TPE Additional Attributes table.
    u_plugin.vpr_v2.threat_summary vprv2_threat_summary Maps the VPRv2 threat_summary value to the vprv2_threat_summary field in the Tenable TPE Additional Attributes table.
    u_plugin.vpr_v2.remediation vprv2_remediation Maps the VPRv2 remediation value to the vprv2_remediation field in the Tenable TPE Additional Attributes table.
    u_plugin.d2_elliot_name d2_elliot_name Maps the d2_elliot_name value to the d2_elliot_name field in the Tenable TPE Additional Attributes table.
    u_plugin.canvas_package canvas_package Maps the canvas_package value to the canvas_package field in the Tenable TPE Additional Attributes table.
    u_plugin. checks_for_default_account checks_for_default_account Maps the checks_for_default_account value to the checks_for_default_account field in the Tenable TPE Additional Attributes table.
    u_plugin.checks_for_malware checks_for_malware Maps the checks_for_malware value to the checks_for_malware field in the Tenable TPE Additional Attributes table.
    u_plugin.exploitability_ease exploitability_ease Maps the exploitability_ease value to the exploitability_ease field in the Tenable TPE Additional Attributes table.
    u_plugin.exploithub_sku exploithub_sku Maps the exploithub_sku value to the exploithub_sku field in the Tenable TPE Additional Attributes table.
    u_plugin.in_the_news in_the_news Maps the in_the_news value to the in_the_news field in the Tenable TPE Additional Attributes table.
    u_plugin.metasploit_name metasploit_name Maps the metasploit_name value to the metasploit_name field in the Tenable TPE Additional Attributes table.
    u_plugin.ms_bulletin ms_bulletin Maps the ms_bulletin value to the ms_bulletin field in the Tenable TPE Additional Attributes table.
    u_plugin.usn usn Maps the usn value to the usn field in the Tenable TPE Additional Attributes table.
    u_plugin.version version Maps the version value to the version field in the Tenable TPE Additional Attributes table.
    u_plugin.vuln_publication_date vuln_publication_date Maps the vuln_publication_date value to the vuln_publication_date field in the Tenable TPE Additional Attributes table.
    u_plugin.workaround workaround Maps the workaround value to the workaround field in the Tenable TPE Additional Attributes table.
    u_plugin.workaround_type workaround_type Maps the workaround_type value to the workaround_type field in the Tenable TPE Additional Attributes table.
    u_plugin.workaround_published workaround_published Maps the workaround_published value to the workaround_published field in the Tenable TPE Additional Attributes table.
    u_plugin.vendor_unpatched vendor_unpatched Maps the vendor_unpatched value to the vendor_unpatched field in the Tenable TPE Additional Attributes table.
    u_plugin.has_workaround has_workaround Maps the has_workaround value to the has_workaround field in the Tenable TPE Additional Attributes table.
    u_plugin.vendor_severity vendor_severity Maps the vendor_severity value to the vendor_severity field in the Tenable TPE Additional Attributes table.
    u_plugin.vpr_v2.cve_id vprv2_cve_id Maps the VPRv2 cve_id value to the vprv2_cve_id field in the Tenable TPE Additional Attributes table.
    u_plugin.epss_score epss_score Maps the epss_score value to the epss_score field in the Tenable TPE Additional Attributes table.

    In addition to the direct fields, other information is added as related lists to third-party entries.

    Source field Description
    cve Inserts CVE-related data into the reference table (sn_vul_nvd_entry). If the same CVE in the NVD entry table (sn_vul_nvd_entry) is found, it associates the current vulnerability to the NVD entry. The mapping can be found in sn_vul_m2m_entry_cve.
    bid The list of bug traqs is added as a reference.
    see_also The list of URLs is added as a reference.
    xrefs The list of X-REF is added as a reference.
    [script] The list of exploits for that plugin and Inserts mapping for applicable exploit framework and plugin to sn_vul_m2m_framework_vul.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    When the script is run Purpose
    onStart (when an import set has started transformation) TTriggers Tenable IO Vulnerabilities Processor which imports data from Tenable.io using the import set and loads each record into the CMDB CI table, the Vulnerable Items table, and the Third-party vulnerability table. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Checks if the Third-Party Entry and Detections exist. If not, these records are created in their respective tables. isn’tThis script is for internal use, and modifying or deleting them is not recommended.
    onComplete (when an import set has completed transformation). Updates the count of CIs, VITs, and Detections as imported from Tenable.io. This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.io compliance results integration

    Tenable.io Compliance Results transform map enables you to import secure configuration assessment findings from Tenable.io into ServiceNow. This integration leverages Tenable’s compliance export APIs to retrieve test results on assets, supporting regular differential imports to keep data up to date.

    Imported data is first loaded into the Tenable.io Test Results Import [sn_vul_tenable_io_tr_import] table.

    To access the transform map, navigate to System Import Sets > Transform Maps. Search for Tenable.io Compliance Results Transform.

    The following table lists the transform map fields by integration.
    Table 2. Tenable.io Compliance Results fields
    Source field Table Target field Description
    asset_uuid sn_vulc_result sn_sec_cmn_src_ci -> source_id Unique identifier for the asset in Tenable.io, mapped to the corresponding CMDB CI in ServiceNow after transformation.
    first_seen sn_vulc_result first_seen Date and time when the compliance check was first observed on the asset.
    last_seen sn_vulc_result last_seen Date and time when the compliance check was last observed on the asset.
    audit_file sn_vulc_policy short_description Name or identifier of the audit file used for the compliance check.
    check_id sn_vulc_test source_id Unique identifier for the compliance check within Tenable.io.
    check_name sn_vulc_test short_description Human-readable name of the compliance check.
    check_info sn_vulc_test description Detailed information about the compliance check, including its purpose and context.
    expected_value sn_vulc_result expected_values The value expected for the configuration setting according to the compliance policy.
    actual_value sn_vulc_result actual_values The actual value found on the asset during the compliance check.
    status sn_vulc_result result Result of the compliance evaluation. Possible values (from Tenable): PASSED, FAILED.
    see_also sn_vulc_result remediation Additional references or links for remediation guidance.
    reference.framework sn_vulc_auth_src short_description Compliance framework associated with the check (e.g., CIS, NIST).
    reference.control sn_vulc_citation section Specific control or section within the compliance framework.
    solution sn_vulc_test remediation Recommended steps to remediate the compliance failure.
    profile_name sn_vulc_citation section_name Name of the compliance profile or benchmark applied.
    db_type sn_vulc_technology name Database type or technology associated with the compliance check.
    Note:
    Tenable does not provide a risk score for compliance test results. ServiceNow calculates risk scores using Configuration Compliance calculators and applies the default Medium risk value of 20 when no risk score is available. To ensure accurate prioritization, review and customize the risk calculator rules to reflect your organization’s priorities.

    For more information, see Configuration Compliance calculators and calculator rules.

    Tenable.sc asset import

    Asset data imported from Tenable.sc is first loaded into the Tenable.sc Asset Import table (sn_vul_tenable_sc_asset_import). The Tenable.sc Asset Integration transform map is used to transform the imported assets information. Changes to this transform alter how data from the Tenable Asset import is Processed. To access this transform map, navigate to System Import Sets > Transform Maps. Search for the Tenable.sc Asset Transform.

    Source field Target field Description
    u_uuid id The uuid isn’t populated from the Tenable API, so the ‘u_uniqueness’ attribute is used to create a unique uuid field for assets and map it to the Discovered Items [sn_sec_cmn_src_ci] record.
    u_ip
    u_macaddress mac_address Maps the mac address field from the API to the address field on the Discovered Items [sn_sec_cmn_src_ci] record.
    u_dnsname fqdn Maps the dnsname field from the API to the fqdn field on the Discovered Items [sn_sec_cmn_src_ci] record.
    u_netbiosname netbios Maps the netbios field from the API to the netbios field on the Discovered Items [sn_sec_cmn_src_ci] record.
    u_oscpe os The OS information is extracted from the oscpe attribute in the payload and maps it to the os field on the Discovered Items [sn_sec_cmn_src_ci] record.
    u_lastauthrun last_auth_scan_date Maps the lastauthrun field from the API to the last_auth_scan_date field on the discovered item record.
    u_lastauthrun and u_lastunauthrun last_scan_date The lastauthrun is extracted from the Tenable API or lastunauthrun. The last_scan_date field on the discovered item record is populated based on the value that appears in the payload.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    When the script is run Purpose
    onStart (when an import set has started transformation) Initializes the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Updates the values in the host and verify if the host exists. Based on the results, modifies the values in an import_set. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). Sets the values of new CIs created, and CIs that have been updated and ignored. This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.sc plugins import

    Plugins data imported from Tenable.sc is first loaded into the Tenable.sc Plugins Import table (sn_vul_tenable_sc_plugin_import). The Tenable.sc Plugin Transform Map is used to transform the plugins information that has been imported. Changes to this transform alter how data from the Tenable Plugin import is Processed. To access this transform map, navigate to System Import Sets > Transform Maps. Search for Tenable.sc Plugin Transform Map.

    Source field Target field Description
    u_id id Maps id from source and adds the TEN-prefix. For example, if the id received is 12345, the id in the target table is TEN-12345.
    u_description summary Maps the description of the plugin to the summary column.
    [script] source Imported TPE from this integration has Tenable.sc as the source.
    [script] source_instance Reference to the Tenable deployment that imports this record.
    u_family category Maps the name field in family object of plugin to the category column.
    u_plugin_modification_date last_modified Maps the plugin_modification_date to the last modified field.
    u_plugin_publication_date date_published Maps the plugin_publication_date to published date.
    u_has_patch Remediation_type Maps the remediation type from has_patch value.
    u_synopsis threat Maps the threat information about this vulnerability.
    u_cvss_base_score score Maps the CVSS base score to the score column in third-party entry table.
    u_solution solution Maps the solution provided by the scanner to the solution column in the third-party entry table.
    u_cvss_temporal_score cvss_temporal_score Maps the temporal score for CVSS v2.
    u_cvss_v3_temporal_score v3_temporal_score Maps the temporal score for CVSS v3.
    u_risk_factor source severity Maps to the source severity in the third-party entry table.
    u_cvss_v3_base_score v3_base_score Maps the CVSS base score in the third-party entry table.
    u_exploit_available exploit Maps the exploitAvailable provided by the scanner to the exploit column in the third-party entry table.
    u_vpr_score source_risk_score Maps VPR score from the scanner to the Source risk score in the third-party entry table.
    [script] source_risk_rating Maps the vpr score to the standard risk rating based on the score ranges:
    • 9–10 – Critical
    • 7–9 – High
    • 4–7 – Medium
    • 0–4 - Low
    u_vpr_context[id=age_of_vuln] age_of_vuln Maps the age of the vulnerability from the scanner to age_of_vuln in the third-party entry table.
    u_vpr_context[id=exploit_code_maturity] exploit_code_maturity Maps exploit code maturity from the scanner to exploit_code_maturity in the third-party entry table.
    u_vpr_context[id=product_coverage] product_coverage Maps product coverage from the scanner to product_coverage in the third-party entry table.
    u_vpr_context[id=”threat_sources_last_28] threat_sources Maps threat sources in the last 28 days from scanner to threat_sources in the third-party table.
    u_vpr_context[id=”threat_intensity_last_28] threat_intensity Maps threat intensity in the last 28 days from the scanner to threat_intensity in the third-party entry table.
    u_vpr_context[id=”threat_recency”] threat_recency Maps the threat recency information from the scanner to threat_recency in the third-part entry table.
    u_vpr_context[id=cvssV3_impactScore] v3_impact_subscore Maps CVSS v3 impact score from the scanner to v3_impact_subscore in the third-party entry table.
    u_name name Maps the name of the plugin to the name column in the third-party entry table.
    u_stig_severity stig_severity Maps the stig_severity field in the plugin to stig_severity in the third-party entry table.
    u_check_type check_type Maps the check type to check_type in the third-party entry table.
    u_family.id family_id Maps the plugin family_id to family_id in the third-party entry table.
    [script] exploit_attack_vector The exploit_attack_vector column in the third-party entry table is populated based on exploit_available and v3_attack_vector of columns.

    In addition to the direct fields, other information is added as related lists to third-party entries.

    Source field Description
    u_cpe The list of CPEs is added as a reference.
    u_see_also The list of URLs is added as a reference.
    u_exploit_frameworks The list of exploits for that plugin and inserts mapping for applicable exploit framework and plugin to sn_vul_m2m_framework_vul.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    When the script is run Purpose
    onStart (when an import set has started transformation) This transform is used to initialize the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Function used to update the values in the third-party entry and verify if the third-party entry exists. Based on the results, modifies the values in a third-party entry. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). This transform is used to set the values of Plugins created and ignored. This script is for internal use, and modifying or deleting them isn’t recommended.

    The TenableSCPluginsImportProcessor script include is called from the onBefore transform script. It takes the output from the Tenable.sc plugins integration and transforms it into ServiceNow third-party vulnerability entries. Any changes to this script include may alter the transformation of Tenable.sc plugins data in the third-party entry table.

    Tenable.sc vulnerabilities import

    The Tenable.sc Open Vulnerabilities transform map is used to transform imported data from the Tenable.sc Open Vulnerabilities integration, and the Tenable.sc and Fixed Vulnerabilities transform map is used to transform imported data from the Tenable.sc Fixed Vulnerabilities Integration.
    Note:
    Changes to these transform maps alter how data from the Fixed/Open Tenable Vulnerabilities Import is processed.
    To access the Tenable.sc Open and Fixed Vulnerabilities transform maps, navigate to Tenable Vulnerability Integration > Administration > Integration Instances > Tenable.sc Fixed/Open Vulnerabilities Integration > Data Sources > Tenable.sc Open/Fixed Vulnerabilities > Tranforms.
    Source field Target field Description
    u_pluginID Id Used as the identifier for the plugin. This field is mapped to the plugin Id in the third-party entry record.
    u_riskfactor source_severity This field is mapped to source_severity in the third-party entry record.
    u_severity priority The priority field is mapped with the severity. The default value is 5.
    u_hasbeenmitigated state Has been mitigated is mapped to the state field of vulnerability record. For the Fixed vulnerabilities integration, all the VIs are in the 'Closed' state.
    u_ip ip_address Ip address is mapped to the host ip field of cmdb_ci table.
    u_port port Port is mapped to the port field of the vulnerable item record.
    u_protocol protocol Protocol is mapped to the port field of the vulnerfable item record.
    u_firstSeen first_found The first seen value is mapped to the first found field of the VI record.
    u_lastSeen last_found The last seen value is mapped to the last found field of the VI record.
    u_exploitAvailable exploit ExploitAvailable is mapped to the exploit field in the third-party entry record.
    u_synopsis threat Synopsis is mapped to the threat field in the third-party entry record.
    u_description summary Description is mapped to the summary field in the third-party entry record.
    u_solution solution Solution is mapped to the solution field in the third-party entry record.
    u_basescore score BaseScore is mapped to the score field in the third-party entry record.
    u_temporalScore temporal_score Temporal Score is mapped to the temporal score in the third-party entry record.
    u_cvssv3basescore v3_base_score Cvssv3basescore is mapped to the v3 base score in the third-party entry record.
    u_cvsstemporalscore v3_temporal_score Cvssv3temporal score is mapped to the v3 temporal score in the third-party entry record.
    u_pluginpubdate date_published Plugin published date is mapped to the plugin published date in the third-party entry record.
    u_pluginmoddate last_modified Last modified date is mapped to the plugin last modified date in the third-party entry record.
    u_dnsname fqdn DnsName is mapped to the FQDN field of the cmdb_ci record.
    u_macaddress mac_address MacAddress is mapped to the mac_address field of the cmdb_ci record.
    u_netbiosName netbios NetbiosName is mapped to the NETBIOS field of the cmdb_ci record.
    u_ip ip IP is mapped to the IP field of cmdb_ci record.
    hostUniqueness uuid Host uniqueness is not mapped to any field but is used to determine uuid for the host.
    u_family category Maps the name field in the family object of the plugin to the category column of third-party entry record.
    u_plugintext proof Plugin text is mapped to proof in tpe record.
    [script] source The source of the integration is populated. The vulnerable items created from this integration have Tenable.sc as the source.
    [script} integration_instance The integration_instance is the name of the instance from which the vulnerable item is imported.
    u_vpr_score source_risk_score Maps VPR score from the scanner to the Source risk score in the third-party entry table.
    [script] source_risk_rating Maps the vpr score to the standard risk rating based on the score ranges:
    • 9 - 10 – Critical
    • 7 – 9 – High
    • 4–7 – Medium
    • 0–4 - Low
    u_vpr_context[id=age_of_vuln] age_of_vuln Maps the age of the vulnerability from the scanner to age_of_vuln in the third-party entry table.
    u_vpr_context[id=exploit_code_maturity] exploit_code_maturity Maps exploit code maturity from the scanner to exploit_code_maturity in the third-party entry table.
    u_vpr_context[id=product_coverage] product_coverage Maps product coverage from the scanner to product_coverage in the third-party entry table.
    u_vpr_context[id=”threat_sources_last_28] threat_sources Maps threat sources in the last 28 days from the scanner to threat_sources in the third-party table.
    u_vpr_context[id=”threat_intensity_last_28] threat_intensity Maps threat intensity in the last 28 days from the scanner to threat_intensity in the third-party entry table.
    u_vpr_context[id=”threat_recency”] threat_recency Maps the threat recency information from the scanner to threat_recency in the third-part entry table.
    u_vpr_context[id=cvssV3_impactScore] v3_impact_subscore Maps CVSS v3 impact score from the scanner to v3_impact_subscore in the third-party entry table.
    u_pluginname name Maps the name of the plugin to name column in third-party entry table.
    u_stigseverity stig_severity Maps the stig_severity field in the plugin to stig_severity in third-party entry table.
    u_checktype check_type Maps the check type to check_type in third-party entry table.
    u_family.id family_id Maps the plugin family.id to family_id in the third-party entry table.
    [script] exploit_attack_vector The exploit_attack_vector column in the third_party_entry table is populated based on exploit_available and v3_attack_vector of columns.
    Source field Description
    u_cve Inserts CVE-related data into the reference table (sn_vul_nvd_entry). If the same CVE in the NVD entry table (sn_vul_nvd_entry) is found, it associates the current vulnerability to the NVD entry. The mapping is found in sn_vul_m2m_entry_cve.
    u_bid The list of bug traqs is added as a reference.
    u_cpe The list of CPEs is added as a reference.
    u_seealso The list of URLs is added as a reference.
    u_xrefs The list of X-REFs is added as a reference.
    u_exploitframeworks The list of exploits for that plugin and Inserts mapping for applicable exploit framework and plugin to sn_vul_m2m_framework_vul.

    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.

    When the script is run Purpose
    onStart (when an import set has started transformation) This transform is used to initialize the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Function used to update the values in the vulnerability and verify if the vulnerability exists. Based on the results, modifies the values in a vulnerable items table. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). This transform is used to set the values of new VIs created, and VIs that have been updated and ignored. This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.cs container asset import

    Imported asset data is first loaded into the Tenable.cs Container Asset Import [sn_vul_tenable_cs_container_asset_import] Table.

    The Tenable.cs Container Asset transform map is used to transform the imported assets information. Changes to this transform alter how data from the Tenable.cs Container Asset import is processed. To access this transform map, navigate to System Import Sets > Transform Maps. Search for Tenable.cs Container Asset Transform.

    The following tables lists the transform map fields by integration.
    Table 3. Tenable.cs Container Asset transform map fields
    Source field Target field Description
    u_digest Image_id Tenable provides a unique digest for the container assets and maps to the discovered container image and docker image record and is used for CI lookup.
    u_digest Image_digest Tenable provides a unique digest for the container assets and maps to the discovered container image and docker image record and is used for CI lookup.
    u_name name Maps to the name field of the docker image record.
    u_repositoryuri name Maps to the container repository record
    u_repositoryuri repo Maps to the discovered container image record.
    u_virtualmachines host_list Maps to the discovered container image record
    u_labels Image_labels
    u_clusters image_cluster Maps to the discovered container image record
    u_imagetags tags Maps to the discovered container image record
    u_cloudprovider cloud_providers Maps to the discovered container image record
    u_accountid cloud_account_ids Maps to the discovered container image record
    u_region cloud_regions Maps to the discovered container image record
    u_operatingsystem os Maps to the discovered container image record
    u_scantime last_scan_date Maps to the discovered container image record
    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.
    Table 4. Tenable.cs Container Asset transform map script timing and purpose
    When the script is run Purpose
    onStart (when an import set has started transformation) This transform is used to initialize the values in the import_set for the integration process. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation).

    A function used to update values in the host and verify if the host exists. Based on the results, modifies the values in an import_set. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). This transform is used to set the values of new CIs created, and CIs that have been updated and ignored. This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.cs container vulnerability import

    Imported container vulnerability data is first loaded into the Tenable.cs Container Vulnerability Import [sn_vul_tenable_cs_container_vuln_import] Table.

    The Tenable.cs Container Vuln transform map is used to transform the imported container vulnerability information. Changes to this transform alter how data from the Tenable.cs Container Vulnerability Import is processed. To access this transform map, navigate to System Import Sets > Transform Maps. Search for Tenable.cs Container Vuln Transform.

    The following tables list the transform map fields by integration.
    Table 5. Tenable.cs Container Vuln transform map fields
    Source field Target field Description
    [script] Image_id Digest is extracted from the Resource.Id field from the API and mapped to image_id field of discovered container image and docker image record.
    [script] Image_digest Digest is extracted from the Resource.Id field from the API and mapped to image_digest field of discovered container image and docker image record.
    [script] name Repository information is extracted from name field and mapped to docker image and container repository record.
    [script] repo Repository information is extracted from name field and mapped to discover container image record.
    u_resource.Labels Image_labels Maps to the discovered container image record
    u_resource.CloudProvider cloud_providers Maps to the discovered container image record
    u_resource. AccountId cloud_account_ids Maps to the discovered container image record
    u_resource.Region cloud_regions Maps to the discovered container image record
    u_vulnerability. Id id Maps id from source and adds the TEN- prefix. For example, if the id received is 12345, the id in the third-party entry table is TEN-12345.
    u_vulnerability. Description Id summaryid Maps to the third-party entry record. or CVE record.
    u_vulnerability.Severity v4_base_severity Maps to the third-party entry record.
    u_vulnerability.VprScore source_risk_score Maps to the third-party entry record.
    u_vulnerability.VprSeverity source_severity Maps to the third-party entry record.
    u_vulnerability.AttackVector v4_attack_vector Maps to the third-party entry record.
    u_vulnerability.ExploitMaturity v4_exploit_maturity Maps to the third-party entry record.
    [script] source he source for imported TPE is Tenable.cs.
    u_vulnerability.Id name Maps to the vulnerability references record
    u_vulnerability. Links url Maps to the vulnerability references record
    vulnerability Reference of TPE or CVE in vulnerability references record
    u_software.Name name Maps to the container image package record
    u_software.Version version Maps to the container image package record
    u_software.Type package_type Maps to the container image package record
    u_softwarepaths path Maps to the container image package record
    u_resolved status Maps to the container image finding record
    u_firstscantime first_found Maps to the container image finding record
    u_resource.ScanTime last_found Maps to the container image finding record
    u_vulnerability.Description proof Maps to the container image finding record
    u_resolved state Maps to the container vulnerable item record
    u_firstscantime first_found Maps to the container vulnerable item record
    u_resource.ScanTime last_found Maps to the container vulnerable item record
    [script] source The source for container vulnerable item record is Tenable.cs.
    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.
    Table 6. Tenable.cs Container Vuln transform map script timing and purpose
    When the script is run Purpose
    onStart (when an import set has started transformation) Triggers TenableCS Container Vulnerabilities Processor which imports data from Tenable.cs using the import set and loads each record into the CMDB CI table, the Vulnerable Item table, Third-party Vulnerability Entry table, Vulnerability Reference table, Container Image Package, Container Image Finding, and Container Vulnerable Item. Modifying or deleting isn’t recommended.
    onBefore (before an import set has completed transformation) Checks if the third-party Entry and Image Findings exist. If not, these records are created in their respective tables. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation) Updates the count of CIs, VITs, and Findings as imported from Tenable.cs. This script is for internal use, and modifying or deleting them isn’t recommended.

    Tenable.cs compute vulnerability import

    Imported host vulnerability data is first loaded into the Tenable.cs Compute Vulnerability Import [sn_vul_tenable_cs_compute_vuln_import] Table.

    The Tenable.cs Compute Vuln transform map is used to transform the imported host vulnerability information. Changes to this transform alter how data from the Tenable.cs Compute Vulnerability Import is processed. To access this transform map, navigate to System Import Sets > System Import Sets. Search for Tenable.cs Compute Vuln Transform.

    The following table lists the transform map fields by integration.
    Table 7. Tenable.cs Container Vuln transform map fields
    Source field Target field Description
    u_resource.Id object_id Maps to the CMDB Ci record.
    u_resource.Name name Maps to the CMDB Ci record.
    asset_category Cloud is mapped as Asset Category in discovered item record.
    U_resource.CloudProvider cloud_service_provider Maps to the discovered item record
    u_resource.Region cloud_region Maps to the discovered item record
    u_resource.AccountId cloud_account Maps to the discovered item record
    u_resource. CloudProvider cloud_resource_type Maps to the discovered item record
    u_resource.Id resource_id Maps to the discovered item record
    u_resource.Name resource_name Maps to the discovered item record
    u_vulnerability.Id id

    Maps id from source and adds the TEN- prefix. For example, if the id received is 12345, the id in the third-party entry table is TEN-12345.

    Maps id to CVEs as well.
    u_vulnerability. Description summary Maps to the third-party entry record.
    u_vulnerability.Severity v4_base_severity Maps to the third-party entry record.
    u_vulnerability.VprScore source_risk_score Maps to the third-party entry record.
    u_vulnerability.VprSeverity source_severity Maps to the third-party entry record.
    u_vulnerability.AttackVector v4_attack_vector Maps to the third-party entry record.
    u_vulnerability.ExploitMaturity v4_exploit_maturity Maps to the third-party entry record.
    [script] source The source for imported TPE is Tenable.cs.
    u_vulnerability.Id name Maps to the vulnerability references record
    u_vulnerability.Links url Maps to the vulnerability references record
    vulnerability Reference of TPE or CVE in vulnerability references record
    u_resolved status Maps to the vulnerable item detection record
    u_firstscantime first_found Maps to the vulnerable item detection record
    u_resource.ScanTime last_found Maps to the vulnerable item detection record
    u_softwarepaths proof Maps to the vulnerable item detection record
    u_softwareresolutionversions solution_summary Maps to the vulnerable item detection record
    u_resolved state Maps to the vulnerable item record
    u_firstscantime first_found Maps to the vulnerable item record
    u_resource.ScanTime last_found Maps to the vulnerable item record
    [script] source The source for vulnerable item record is Tenable.cs.
    There are three transform scripts executed during the transformation process. The following table lists when each script runs and its purpose.
    Table 8. Tenable.cs Compute Vuln transform map script timing and purpose
    When the script is run Purpose
    onStart (when an import set has started transformation) Triggers Tenable CS Compute Vulnerabilities Processor which imports data from Tenable.cs using the import set and loads each record into the CMDB CI table, the Vulnerable Items table, and the Third-party vulnerability table. This script is for internal use, and modifying or deleting them isn’t recommended.
    onBefore (before an import set has completed transformation). Checks if the third-party entry and detections exist. If not, these records are created in their respective tables. This script is for internal use, and modifying or deleting them isn’t recommended.
    onComplete (when an import set has completed transformation). Updates the count of CIs, VITs, and detections as imported from Tenable.cs. This script is for internal use, and modifying or deleting them isn’t recommended.
    Table 9. Tenable.cs Container Vuln transform map fields
    Source field Target field Description
    u_digest Image_id A unique digest provided by Tenable for the container assets. It maps to the discovered container image and docker image record and is used for CI lookup.
    u_name name Maps to the name field of the docker image record.

    Standardized logic for calculating source_risk_score and source_risk_rating

    As part of the standardized data-transformation, the Tenable integration uses a centralized business rule to populate both source_risk_score and source_risk_rating.

    During the integration run, if either vprv1_risk_score or vprv2_risk_score is updated, the system automatically recalculates and populates source_risk_score and source_risk_rating using the values from the vprv2_risk_score and vprv1_risk_score fields in the Third-Party Entry table.
    • If vprv2_risk_score is present, it takes precedence overvprv1_risk_score.
    • If the vprv1_risk_score and vprv2_risk_score are empty, then source_risk_score will not be changed.
    • source_risk_rating is derived from the finalized source_risk_score using the standardized thresholds:
      • 9-10 → Critical
      • 7-9 → High
      • 4-7 → Medium
      • 0-4 → Low
      • NaN → None
    Note:
    The before changes will be implemented as part of Tenable 5.2.1 Version.