Skip to main content

Cyware Orchestrate

Tenable Vulnerability Management

App Vendor: Tenable

App Category: Vulnerability Management

Connector Version: 2.0.0

API Version: 1.0.0

Note

This app is currently released as a beta version.

About App

This connector allows the analyst to connect to the Vulnerability Management API and configure scans and list asset data.

The Tenable Vulnerability Management app is configured with Cyware Orchestrate to perform the following actions:

Action Name

Description

Create Basic Scan 

This action creates a basic scan configuration.

Create Configured Scan 

This action creates a scan configuration.

Create Detailed Scan 

This action creates a detailed scan configuration.

Create Folder 

This action creates a new custom folder for the current user.

Get Scans List 

This action retrieves the list of scans currently set in Tenable Vulnerability Management.

Get Server Properties 

This action retrieves the server version and other properties.

Get Server Status 

This action retrieves the server status.

Get Templates 

This action retrieves the list of tenable-provided scan templates. The types of scan templates to retrieve are scan, policy, or remediation.

List Assets by Severity 

This action retrieves a list of assets with a set VPR score. The list is limited to 5,000.

List Assets by VPR 

This action retrieves a list of assets with a set VPR score. The list is limited to 5,000.

List Assets With Specific Vulnerability 

This action retrieves a list of assets with a set plugin ID. The list is limited to 5,000.

List Assets With Vulnerability 

This action retrieves a list of assets with vulnerabilities. The list is limited to 5,000. Use the Export Request API to retrieve more than 5,000 assets.

List Folders 

This action retrieves the list of both tenable-provided folders and the current user's custom folders.

List Policies 

This action retrieves a list of policies.

List Scanners 

This action retrieves the scanner list.

List Scan Timezones 

This action retrieves the time zones list for creating a recurring scan.

List Target Groups 

This action retrieves the current target groups.

Update Scan 

This action updates a scan configuration.

Generic Action

This is a generic action used to make requests to any Tenable Vulnerability Management endpoint.

Configuration Parameters

The following configuration parameters are required for the Tenable Vulnerability Management app to communicate with the Tenable Vulnerability Management enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Access Key 

Enter the API access key for authentication.

Example:

2c935f507d0686382bb383e4daf92eef8b4a349b9b9de2bf85343c0f7e7265db

Text

Required

Secret Key 

Enter the API secret key for authentication.

Example:

0553ac5757e8e741d6ef034dc06618106e7855887428e662adcde8862d017cf9

Password

Required

Verify 

Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection.

Boolean

Optional

By default, this is enabled.

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Tenable Vulnerability Management.

Integer

Optional

Allowed range:

15-120

Default value:

15

Action: Create Basic Scan

This action creates a basic scan configuration.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

UUID

Enter the UUID for the tenable-provided scan template to use.

Example:

ua123d-1231wed1dsadase

Text

Required

You can retrieve this using the action Get Templates.

Scan Name 

Enter the name of the scan.

Example:

log4j_scan

Text

Required

Enabled 

Enter your preference to enable the schedule for the scan.

Example:

$JSON[Yes]

Bool

Optional

Allowed values:

  • True

  • False

Default value:

False

Extra Params 

Enter the values that can be added to the scan. This will be updated to the settings of the payload to be sent. 

Key Value

Optional

Allowed keys:

description, policy_id, folder_id, scanner_id, target_network_uuid, enabled, launch, scan_time_window, starttime, rrules, timezone, text_targets, target_groups, file_targets, tag_targets, host_tagging, agent_group_id, agent_scan_launch_type, triggers, refresh_reporting_type, refresh_reporting_frequency_scans, refresh_reporting_frequency_days, disable_refresh_reporting, emails, acls

Example Request 

[
   {
      "uuid":"ua123d-1231wed1dsadase",
      "scan_name":"log4j_scan",
      "enabled": True,
      "extra_params":{
         "text_targets":”192.0.2.255”
      }
   }
]
Action: Create Configured Scan

This action creates a scan configuration.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

UUID 

Enter the UUID for the tenable-provided scan template to use.

Example:

ua123d-1231wed1dsadase

Text

Required

You can retrieve this using the action Get Templates.

Scan Name 

Enter the name of the scan.

Example:

log4j_scan

Text

Required

Enabled 

Enter your preference to enable the schedule for the scan.

Example:

$JSON[True]

Boolean

Required

Allowed values:

  • True

  • False

Default value:

False

Launch 

Enter your preference to launch the scan.

Example:

on-demand

Text

Required

Allowed values:

on-demand, daily, weekly, monthly, yearly

Start Time 

Enter the start time and date for the scan to begin. Enter a valid start time string per RFC 5545, minus Time Zone (see timezone below) if different than UTC, in which case use Z at the end.

Example:

19970105T083000

Text

Required

Timezone 

The timezone of the scheduled start time for the scan. A valid time zone per RFC 5545. 

Example:

America/New_York

Text

Required

Default value:

UTC

ACLs 

An array containing permissions to apply to the scan.

Example:

$LIST[user, d30881ae-6b5c-4b1e-ad60-f2643d0da492, view]

List

Required

Recurring Rules Frequency 

Enter the frequency at which the scan must repeat. The interval is formatted as texting of three values.

Example:

onetime

Text

Required

Allowed values:

onetime, daily, weekly, monthly, yearly

Recurring Rules Interval 

Enter the interval at which the scan must repeat. The interval is formatted as texting of three values.

Example:

1

Text

Required

Recurring Rules By Day 

Enter the interval at which the scan must repeat. The interval is formatted as texting of three values.

Example:

MO

Text

Required

Allowed values:

SU - Sunday, MO - Monday, TU - Tuesday, WE - Wednesday, TH - Thursday, FR - Friday, SA - Saturday

Target Groups 

Enter an array of target group IDs to scan.

Example:

345

Text

Optional

Default value:

  • None

Agent Group ID 

Enter an array of agent group UUIDs to scan.

Example:

1002

Text

Optional

Default value:

  • None

Emails 

Enter the email as a comma-separated list of accounts that receive the email summary report.

Example:

johndoe@exampledomain.com

Text

Optional

Default value:

  • None

Extra Params 

Enter extra parameters as key-value pairs. This will be updated to the settings of the payload to be sent.

Key Value

Optional

Allowed keys:

description, policy_id, folder_id, scanner_id, target_network_uuid, scan_time_window, text_targets, file_targets, tag_targets, host_tagging, agent_scan_launch_type, triggers, refresh_reporting_type, refresh_reporting_frequency_scans, refresh_reporting_frequency_days, disable_refresh_reporting

Example Request 

[
   {
      "uuid":"ua123d-1231wed1dsadase",
      "scan_name":"log4j_scan",
      "enabled":false,
      "launch":"DAILY",
      "start_time":"19970105T083000",
      "timezone":"America/New_York",
      "acls":{
         "user",
         "d30881ae-6b5c-4b1e-ad60-f2643d0da492",
         "view"
      }
      "rrules_frequency":"onetime",
      "rrules_interval":"1",
      "rrules_by_day":"MO",
      "target_groups":"345",
      "agent_group_id":"1002",
      "emails":"sampleuser@exampledomain.com"
   }
]
Action: Create Detailed Scan

This action creates a detailed scan configuration.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

UUID 

Enter the UUID for the tenable-provided scan template to use.

Example:

ua123d-1231wed1dsadase

Text

Required

You can retrieve this using the action Get Templates.

Scan Name 

Enter the name of the scan.

Example:

log4j_scan

Text

Required

Enabled 

Enter your preference to enable schedules scan.

Example:

$JSON[True]

Boolean

Required

Allowed values:

  • True

  • False

Default value:

False

Description 

Enter the description of the scan.

Example:

Scan for log4j vulnerability

Text

Required

Scanner UUID 

Enter the unique ID of the scanner to use.

Example:

xnsooik-123dsaf

Text

Required

You can retrieve this using the action List Scanners.

Policy ID 

Enter the unique ID of the policy to use to create the scan.

Example:

log4jmachines

Text

Required

You can retrieve this using the action List Policies.

Launch 

Enter your preference to launch the scan.

Example:

DAILY

Text

Required

Allowed values:

ON-DEMAND, DAILY, WEEKLY, MONTHLY, YEARLY

Start Time 

Enter the starting date and time for one-time scans. For recurrent scans, enter the first date on which the scan schedule is active and the time that recurring scans launch based on the rrules parameter.

Example:

20140826T133000

Text

Required

Supported format:

YYYYMMDDTHHMMSS

Timezone 

Enter the timezone for the scheduled start time for the scan.

Example:

America/New_York

Text

Required

Agent Group ID 

Enter an array of agent group UUIDs to scan.

Example:

243

Text

Required

Default value: 

None

Emails 

Enter the emails as comma-separated list of accounts to receive the email summary report.

Example:

johndoe@exampledomain.com

Text

Required

Default value: 

None

Text Targets 

Enter the list of targets to scan.

Example:

$LIST[machine1, machine2]

Text

Required

Tag Targets 

Enter the list of asset tag identifiers that the scan uses to determine which assets it evaluates.

Example:

Windows

Text

Required

File Targets 

Enter the name of a file containing the list of targets to scan.

Example:

regular_targets.txt

Text

Required

Scan Time Window 

Enter the time frame, in minutes, during which agents must transmit scan results to tenable.io and include them in dashboards and reports.

Example:

60

Int

Required

Default value: 

180

ACLs

Enter an array containing permissions to apply to the scan.

Example:

$LIST[user, d30881ae-6b5c-4b1e-ad60-f2643d0da492, view]

List

Required

Recurring Rules Frequency 

Enter the interval at which the scan repeats. The interval is formatted as texting of three values.

Example:

MONTHLY

Text

Required

Allowed values:

ONETIME, DAILY, WEEKLY, MONTHLY, YEARLY

Recurring Rules Interval 

Enter the interval at which the scan repeats. The interval is formatted as texting of three values.

Example:

1

Text

Required

Recurring Rules by Day 

The interval at which the scan repeats. the interval is formatted as texting of three values.

Example:

MO

Text

Required

Allowed values:

SU - Sunday, MO - Monday, TU - Tuesday, WE - Wednesday, TH - Thursday, FR - Friday, SA - Saturday

Scanner ID 

Enter the unique ID of the scanner to use.

Example:

0we345rYI0-4223-Fr45-7yh6-000sjvefah78yryg9q8equkg00001

Text

Required

You can retrieve this using the action List Scanners.

Target Network UUID 

Enter the network unique ID. This field is required if the scanner_id parameters are auto-routed.

Example:

9afd5e49-b4a8-4ab3-8c44-4ed329a505c44e51e1f403febe40

Text

Optional

Default value: 

None

Folder ID 

Enter the unique ID of the folder where you want to store the scan.

Example:

345

Text

Optional

You can retrieve this using the action List Folders.

Extra Params 

Enter the extra parameters as key-value of values that can be added to the scan. The parameter values will be updated to the settings of the payload to be sent.

Key Value

Optional

Allowed keys:

target_groups, host_tagging, refresh_reporting_type, refresh_reporting_frequency_scans, refresh_reporting_frequency_days, disable_refresh_reporting

Example Request 

[
    {
        "uuid": "ua123d-1231wed1dsadase",
        "scan_name": " log4j_scan",
        "enabled": False,
        "description": "Scan for log4j vulnerability",
        "scanner_uuid": "xnsooik-123dsaf",
        "policy_id": "log4jmachines",
        "launch": "ON_DEMAND",
        "starttime": "20140826T133000",
        "timezone": "America/New_York",
        "agent_group_id": "243",
        "emails": "user@exampledomain.com",
        "text_targets": {
            "machine1",
            "machine2"
        }
        "tag_targets": "Windows",
        "file_targets": "regular_targets.txt",
        "scan_time_window": 60,
        "acls":{
           "user",
           "d30881ae-6b5c-4b1e-ad60-f2643d0da492",
           "view"
        }
        "rrules_frequency": "MONTHLY",
        "rrules_interval": "1",
        "rrules_by_day": "MO",
        "scanner_id": "0we345rYI0-4223-Fr45-7yh6-000sjvefah78yryg9q8equkg00001",
        "target_network_uuid": "9afd5e49-b4a8-4ab3-8c44-4ed329a505c44e51e1f403febe40",
        "folder_id": "345"
    }
]
Action: Create Folder

This action creates a new custom folder for the current user.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Folder Name 

Enter the name of the folder. Folder names can only contain letters, numbers, underscores, hyphens, and whitespace.

Example:

temp_scans

Text

Required

Example Request 

[
    {
        "folder_name": "temp_scans"
    }
]
Action: Get Scans List

This action retrieves the list of scans currently set in Tenable Vulnerability Management.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Folder ID 

Enter the folder ID you want to scan for the stored list.

Example:

15

Integer

Optional

You can retrieve this using the action List Folders.

Last Modification Date 

Enter a limit for the scan list results. This will retrieve the scans that have run since the specified time.

Example:

2022-02-02 00:00:00

Text

Optional

Supported format:

yyyy-mm-dd or yyyy-mm-dd hh:mm:ss

Default value:

None

Example Request 

[
    {
        "folder_id": 15,
        "last_modification_date": "2022-02-02 00:00:00"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.scans

Array of objects

Array of scan objects

app_instance.response.scans.object

Object

Scan object

app_instance.response.scans.control

Boolean

If true, the scan has a schedule and can be launched.

app_instance.response.scans.creation_date

Int32

For newly-created scans, the date on which the scan configuration was originally created. For scans that have been launched at least once, this attribute does not represent the date on which the scan configuration was originally created. Instead, it represents the date on which the scan was first launched, in Unix time format.

app_instance.response.scans.enabled

Boolean

Indicates whether the scan schedule is active (true) or inactive (false).

app_instance.response.scans.id

Int32

The unique ID of the scan.

app_instance.response.scans.last_modification_date

Int32

For newly-created scans, the date on which the scan configuration was created. For scans that have been launched at least once, this attribute does not represent the date on which the scan configuration was last modified. Instead, it represents the date on which the scan was last launched, in Unix time format. Tenable Vulnerability Management updates this attribute each time the scan launches.

app_instance.response.scans.legacy

Boolean

A value indicating whether the scan results were created before a change in storage method. If true, Tenable Vulnerability Management stores the results in the old storage method. If false, Tenable Vulnerability Management stores the results in the new storage method.

app_instance.response.scans.name

String

The name of the scan.

app_instance.response.scans.owner

String

The owner of the scan.

app_instance.response.scans.policy_id

Integer

The unique ID of the user-defined template (policy) on which the scan configuration is based.

app_instance.response.scans.read

Boolean

A value indicating whether the user account associated with the request message has viewed the scan in the Tenable Vulnerability Management user interface. If 1, the user account has viewed the scan results.

app_instance.response.scans.schedule_uuid

String

The UUID for a specific instance in the scan schedule.

app_instance.response.scans.shared

Boolean

If true, the scan is shared with users other than the scan owner. The level of sharing is specified in the acls attribute of the scan details.

app_instance.response.scans.status

String

The status of the scan. For a list of possible values, see Scan Status

app_instance.response.scans.template_uuid

String

The UUID of the template.

app_instance.response.scans.type

String

The type of scan.

app_instance.response.scans.permissions

Int32

The requesting user's permissions for the scan.

app_instance.response.scans.user_permissions

Int32

The sharing permissions for the scan.

app_instance.response.scans.uuid

String

The UUID of the scan.

app_instance.response.scans.wizard_uuid

String

The UUID of the Tenable-provided template used to create either the scan or the user-defined template (policy) on which the scan configuration is based.

app_instance.response.scans.progress

Integer

The progress of the scan ranging from 0 to 100.

app_instance.response.scans.timezone

String

The timezone of the scheduled start time for the scan.

app_instance.response.scans.rrules

String

The interval at which the scan repeats. The interval is formatted as a string of three values delimited by semi-colons. These values are: the frequency (FREQ=ONETIME or DAILY or WEEKLY or MONTHLY or YEARLY), the interval (INTERVAL=1 or 2 or 3 ... x), and the days of the week (BYDAY=SU,MO,TU,WE,TH,FR,SA). For a scan that runs every three weeks on Monday Wednesday and Friday, the string would be FREQ=WEEKLY;INTERVAL=3;BYDAY=MO,WE,FR. If the scan is not scheduled to recur, this attribute is null. For more information, see rrules Format.

app_instance.response.scans.starttime

String

For one-time scans, the starting time and date for the scan. For recurrent scans, the first date on which the scan schedule is active and the time that recurring scans launch based on the rrules attribute. This attribute has the following format: YYYYMMDDTHHMMSS.

app_instance.response.scans.total_targets

Integer

The total number of targets in the scan.

app_instance.response.folders

Array of objects

Array of folder objects

app_instance.response.folders.object

Object

Folder object

app_instance.response.folders.id

Integer

The unique ID of the folder.

app_instance.response.folders.name

String

The name of the folder. This value corresponds to the folder type as follows: main—My Scans, trash—Trash, custom—user-defined string.

app_instance.response.folders.type

String

The type of the folder: main—Tenable-provided folder. Contains all scans that you create but do not assign to a custom folder, as well as any scans shared with you by other users. If you do not specify a scan folder when creating a scan, Tenable Vulnerability Management stores scans in this folder by default. This folder corresponds to the My Scans folder in the Tenable Vulnerability Management user interface. trash—Tenable-provided folder. This folder corresponds to the Trash folder in the Tenable Vulnerability Management user interface. It contains all scans that the current user has moved to the trash folder. After you move a scan to the trash folder, the scan remains in the trash folder until a user with at least Can Edit [64] scan permissions permanently deletes the scan. custom—User-created folder. Contains scans as assigned by the current user. You can create custom folders to meet your organizational needs.

app_instance.response.folders.default_tag

Integer

Indicates whether or not the folder is the default: 1—The folder is the default. 0—The folder is not the default. The main folder is the default folder. You cannot change the default folder.

app_instance.response.folders.custom

Integer

Indicates whether or not the folder is a custom folder: 1—User-created folder. You can rename or delete this folder. 0—System-created folder. You cannot rename or delete this folder.

app_instance.response.folders.unread_count

Integer

The number of scans in the folder that the current user has not yet viewed in the Tenable Vulnerability Management user interface.

app_instance.response.timestamp

Int32

The Unix timestamp when Tenable Vulnerability Management received the list request.

Action: Get Server Properties

This action retrieves the server version and other properties.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters

Parameter

Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response  

JSON Object

Includes the response received from the app action.

app_instance.response.capabilities

Object

Returns the capability details of the server, such as multi_user, multi_scanner, report_email_config, and two_factor.

app_instance.response.enterprise

Boolean

True if the server is enterprise.

app_instance.response.expiration

Integer

Expiration time in epoch format.

Example:

1551160800

app_instance.response.expiration_time

Integer

Time to expire.

Example:

60

app_instance.response.idle_timeout

Integer

Idle time out.

Example:

30

app_instance.response.license

Object

License details of the server.

app_instance.response.loaded_plugin_set

String

Loaded plugin set.

Example:

201812271241

app_instance.response.login_banner

Boolean

Login banner.

app_instance.response.nessus_type

String

Nessus type.

Example:

Nessus Cloud

app_instance.response.nessus_ui_version

String

Nessus UI version.

Example:

11.0.52

app_instance.response.notifications

Array of Strings

List of notifications.

app_instance.response.plugin_set

String

Plugin set.

Example:

201812271241

app_instance.response.scanner_boottime

Integer

Scanner boot time.

Example:

1545191736

app_instance.response.server_version

String

Server version.

Example:

6.9.1

app_instance.response.server_uuid

String

Server UUID.

Example:

b6a6d233-9f14-4ce9-b4cf-7440e027cf5c27789b39c292efc6

app_instance.response.update

Object

Update details of the server.

app_instance.response.analytics

Object

Analytics details of the server.

app_instance.response.limitEnabled

Boolean

True if limit is enabled.

app_instance.response.msp

Boolean

MSP of the server.

app_instance.response.server_build

String

Server build.

Example:

C20023

app_instance.response.force_ui_reload

Boolean

True if force UI reload is done.

app_instance.response.nessus_ui_build

String

Nessus UI build.

Example:

161

app_instance.response.container_db_version

String

Container DB version.

Example:

10.43.0

Action: Get Server Status

This action retrieves the server status.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters

Parameter

Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.code

Integer

Returns the HTTP status code.

app_instance.response.status

String

Returns the server status. Status values can include:

  • loading

  • ready

  • corrupt-db

  • feed-expired

  • eval-expired

  • locked

  • register

  • register-locked

  • download-failed

  • feed-error

Action: Get Templates

This action retrieves the list of tenable-provided scan templates. The types of scan templates to retrieve are scan, policy, or remediation.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Template Type 

Enter the type of scan template to retrieve.

Example:

scan

Text

Optional

Allowed values:

scan, policy, remediation

Default value:

scan

Example Request 

[
    {
        "template_type": "scan"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.pagination

Object

Pagination information

app_instance.response.pagination.total

Int32

The total number of records matching your search criteria

app_instance.response.pagination.limit

Int32

The number of records requested (or the default value if omitted from the request)

app_instance.response.pagination.offset

Int32

The starting record you requested (or zero if omitted)

app_instance.response.pagination.sort

Array of Objects

An array of objects representing the fields and sort order you specified in the request

app_instance.response.pagination.sort.name

String

The field on which Tenable Web App Scanning sorted the results

app_instance.response.pagination.sort.order

String

The direction of the sort order. Supported values are asc (ascending) and desc (descending)

app_instance.response.items

Array of Objects

A list of Tenable-provided templates

app_instance.response.items.template_id

String

The UUID of the Tenable-provided template

app_instance.response.items.name

String

The name of the Tenable-provided template

app_instance.response.items.description

String

The description of the Tenable-provided template

app_instance.response.items.plugin_state

String

Indicates whether the user of the Tenable-provided template has the ability to redefine the settings for the template. Possible values are: locked, open

app_instance.response.items.scanner_types

String

Indicates which scanners you can use to run scans based on the Tenable-provided template. Possible values are: scanner, container_group, cloud_group

app_instance.response.items.settings

Object

The restricted settings for the Tenable-provided template. This is a free-form object as each template can define different parameters for a configuration

app_instance.response.items.defaults

Object

The default settings for this template

app_instance.response.items.plugins

Array of Objects

An array of plugins available to the template

app_instance.response.items.plugins.plugin_id

Integer

The ID of the plugin

app_instance.response.items.plugins.name

String

The name of the plugin

app_instance.response.items.plugins.family

String

The name of the plugin family

Action: List Assets by Severity

This action retrieves a list of assets with a set VPR score. The list is limited to 5,000.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Severity 

Enter the severity of the vulnerability if any present in the asset.

Example:

4

Integer

Optional

Allowed values:

0 - info, 1 - low, 2 - medium, 3 - high, 4 - critical

Date Range 

Enter the number of days of data prior to and including today that should be returned.

Example:

24

Integer

Optional

Default value: None

Example Request 

[
    {
        "severity": 4,
        "date_range": 24
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.assets

Array of Objects

An array of asset objects

app_instance.response.assets.id

String

The UUID of the asset

app_instance.response.assets.has_agent

Boolean

A value specifying whether a Nessus agent scan detected the asset (true)

app_instance.response.assets.last_seen

String

The ISO timestamp of the scan that most recently detected the asset

app_instance.response.assets.last_scan_target

String

The IPv4 address, IPv6 address, or FQDN that the scanner last used to evaluate the asset

app_instance.response.assets.sources

Array of Objects

A list of sources for the asset record

app_instance.response.assets.sources.name

String

The name of the entity that reported the asset details. Sources can include sensors, connectors, and API imports

app_instance.response.assets.sources.first_seen

String

The ISO timestamp when the source first reported the asset

app_instance.response.assets.sources.last_seen

String

The ISO timestamp when the source last reported the asset

app_instance.response.assets.sources.acr_score

Integer

The Asset Criticality Rating (ACR) for the asset

app_instance.response.assets.sources.acr_drivers

Array of Objects

The key drivers that Tenable uses to calculate an asset's Tenable-provided ACR

app_instance.response.assets.sources.exposure_score

Integer

The Asset Exposure Score (AES) for the asset

app_instance.response.assets.sources.scan_frequency

Array of Objects

Information about how often scans ran against the asset during specified intervals

app_instance.response.assets.sources.licensed

Boolean

Indicates whether the asset was licensed at the time of the identified scans

app_instance.response.assets.ipv4

Array of Strings

A list of IPv4 addresses for the asset

app_instance.response.assets.ipv6

Array of Strings

A list of IPv6 addresses for the asset

app_instance.response.assets.fqdn

Array of Strings

A list of fully-qualified domain names (FQDNs) for the asset

app_instance.response.assets.netbios_name

Array of Strings

The NetBIOS name for the asset

app_instance.response.assets.operating_system

Array of Strings

The operating system installed on the asset

app_instance.response.assets.agent_name

Array of Strings

The names of any Nessus agents that scanned and identified the asset

app_instance.response.assets.aws_ec2_name

Array of Strings

The name of the virtual machine instance in AWS EC2

app_instance.response.assets.mac_address

Array of Strings

A list of MAC addresses for the asset

app_instance.response.assets.bigfix_asset_id

Array of Strings

The unique identifier of the asset in HCL BigFix

app_instance.response.assets.total

Integer

The total count of returned assets

Action: List Assets by VPR

This action retrieves a list of assets with a set VPR score. The list is limited to 5,000.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

VPR Score 

Enter the vulnerability priority rating score.

Example:

3.5

Float

Optional

Date Range 

Enter the number of days of data prior to and including today that should be returned.

Example:

24

Integer

Optional

Default value: 

None

Example Request 

[
    {
        "vpr_score": 3.5,
        "date_range": 24
    }
]
Action: List Assets With Specific Vulnerability

This action retrieves a list of assets with a set plugin ID. The list is limited to 5,000.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Plugin ID 

Enter the plugin ID that is assigned to a vulnerability.

Example:

154783

Integer

Optional

Date Range 

Enter the number of days of data prior to and including today that should be returned.

Example:

24

Integer

Optional

Example Request 

[
    {
        "plugin_id": 154783,
        "date_range": 24
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.assets

Array of JSON Objects

Returns the list of assets with vulnerabilities.

app_instance.response.assets.id

String

The UUID of the asset. 

Example: 

b822ac94-663b-4f85-bd8c-fd1310ccff44

app_instance.response.assets.severities

Array of Objects

A count of vulnerabilities by severity.

app_instance.response.assets.severities.object.count

Integer

The number of vulnerabilities with the specified severity.

app_instance.response.assets.severities.object.level

Integer

The code for the severity. Possible values include: 

  • 0: The vulnerability has a CVSS score of 0, which corresponds to the "info" severity level. 

  • 1: The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the "low" severity level. 

  • 2: The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the "medium" severity level. 

  • 3: The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the "high" severity level. 

  • 4: The vulnerability has a CVSS score of 10.0, which corresponds to the "critical" severity level.

app_instance.response.assets.severities.object.name

String

The severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info (CVSS score of 0), low (CVSS score between 0.1 and 3.9), medium (CVSS score between 4.0 and 6.9), high (CVSS score between 7.0 and 9.9), and critical (CVSS score of 10.0).

app_instance.response.assets.total

Integer

The total number of vulnerabilities detected on the asset. 

Example:

1

app_instance.response.assets.fqdn

Array of Strings

A list of fully qualified domain names (FQDNs) for the asset.

Example:

app_instance.response.assets.ipv4

Array of Strings

A list of IPv4 addresses for the asset.

Example:

192.0.2.57

app_instance.response.assets.ipv6

Array of Strings

A list of IPv6 addresses for the asset.

Example:

0000:0000:0000:0000:0000:ffff:c000:0239

app_instance.response.assets.last_seen

String

The ISO timestamp of the scan that most recently detected the asset.

Example:

2018-12-31T17:28:28.000Z

app_instance.response.assets.netbios_name

Array of Strings

The NetBIOS name for the asset.

Example:

contoso

app_instance.response.assets.agent_name

Array of Strings

The names of any Nessus agents that scanned and identified the asset.

Action: List Assets With Vulnerability

This action retrieves a list of assets with vulnerabilities. The list is limited to 5,000. Use the Export Request API to retrieve more than 5,000 assets.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Date Range 

Enter the number of days of data prior to and including today to return, defaults to none.

Example:

24

Integer

Optional

Filter Set 

Enter the filter set to apply to the exported scan report.

Example:

$LIST[$JSON[{'filter':'severity', 'quality': 'eq', 'value': '4'}], $JSON[{'filter':'severity', 'quality': 'eq', 'value': '5'}]]

List

Optional

Default value:

None

Example Request 

[
   {
      "date_range":24,
      "filter_set":[
         {
            "filter":"Severity",
            "Quality":"eq",
            "value":4
         },
         {
            "filter":"Severity",
            "quality":"eq",
            "value":5
         }
      ]
   }
]

Action Response Parameters 

Parameter 

Field Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.id 

String

The UUID of the asset

app_instance.response.severities 

Array of Objects

A count of vulnerabilities by severity

app_instance.response.severities[].count 

Integer

The number of vulnerabilities with the specified severity

app_instance.response.severities[].level 

Integer

The code for the severity. Possible values include: 0, 1, 2, 3, 4

app_instance.response.severities[].name 

String

The severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include info, low, medium, high, critical

app_instance.response.total 

Integer

The total number of vulnerabilities detected on the asset

app_instance.response.fqdn 

Array of Strings

A list of fully-qualified domain names (FQDNs) for the asset

app_instance.response.ipv4 

Array of Strings

A list of IPv4 addresses for the asset

app_instance.response.ipv6 

Array of Strings

A list of IPv6 addresses for the asset

app_instance.response.last_seen 

String

The ISO timestamp of the scan that most recently detected the asset

app_instance.response.netbios_name 

Array of Strings

The NetBIOS name for the asset

app_instance.response.agent_name 

Array of Strings

The names of any Nessus agents that scanned and identified the asset

Action: List Folders

This action retrieves the list of both tenable-provided folders and the current user's custom folders.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters 

Parameter 

Field Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.id 

Integer

The unique ID of the folder.

app_instance.response.name 

String

The name of the folder. This value corresponds to the folder type as follows:

  • main—My Scans

  • trash—Trash

  • custom—user-defined string.

app_instance.response.type 

String

The type of the folder:

  • main—Tenable-provided folder. Contains all scans that you create but do not assign to a custom folder, as well as any scans shared with you by other users. If you do not specify a scan folder when creating a scan, Tenable Vulnerability Management stores scans in this folder by default. This folder corresponds to the My Scans folder in the Tenable Vulnerability Management user interface.

  • trash—Tenable-provided folder. This folder corresponds to the Trash folder in the Tenable Vulnerability Management user interface. It contains all scans that the current user has moved to the trash folder. After you move a scan to the trash folder, the scan remains in the trash folder until a user with at least Can Edit [64] scan permissions permanently deletes the scan.

  • custom—User-created folder. Contains scans as assigned by the current user. You can create custom folders to meet your organizational needs.

app_instance.response.default_tag 

Integer

Indicates whether or not the folder is the default:

  • 1—The folder is the default.

  • 0—The folder is not the default.

The main folder is the default folder. You cannot change the default folder.

app_instance.response.custom 

Integer

Indicates whether or not the folder is a custom folder:

  • 1—User-created folder. You can rename or delete this folder.

  • 0—System-created folder. You cannot rename or delete this folder.

app_instance.response.unread_count 

Integer

The number of scans in the folder that the current user has not yet viewed in the Tenable Vulnerability Management user interface.

Action: List Policies

This action retrieves a list of policies.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters 

Parameter 

Field Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.id 

Integer

The unique ID of the policy.

app_instance.response.template_uuid 

String

The UUID for the Tenable-provided template used to create the policy.

app_instance.response.name 

String

The name of the policy.

app_instance.response.description 

String

The description of the policy.

app_instance.response.owner_id 

String

The unique ID of the owner of the policy.

app_instance.response.owner 

String

The username for the owner of the policy.

app_instance.response.shared 

Integer

The shared status of the policy (1 if shared with users other than owner, 0 if not shared).

app_instance.response.user_permissions 

Integer

The sharing permissions for the policy.

app_instance.response.creation_date 

Integer

The creation date of the policy in Unix time format.

app_instance.response.last_modification_date 

Integer

The last modification date for the policy in Unix time format.

app_instance.response.visibility 

Integer

The visibility of the target (private or shared).

app_instance.response.no_target 

Boolean

If true, the policy configuration does not include targets.

Action: List Scanners

This action retrieves the scanner list.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters 

Parameter 

Field Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.creation_date 

Integer

The Unix timestamp when the scanner was created. This attribute specifies the original creation date if the scanner was migrated.

app_instance.response.distro 

String

The scanner operating system distribution.

app_instance.response.group 

Boolean

Indicates whether the scanner belongs to a scanner group ('true') or not ('false').

app_instance.response.hostname 

String

The hostname of the scanner.

app_instance.response.id 

Integer

The unique ID of the scanner.

app_instance.response.ip_addresses 

Array of Strings

A list of IP addresses associated with the scanner.

app_instance.response.key 

String

The linking key, that is, the alpha-numeric sequence of characters you use to link a scanner to Tenable Vulnerability Management. For more information about linking a scanner, see the Link a Sensor in the Tenable Vulnerability Management User Guide.

app_instance.response.last_connect 

String

The Unix timestamp when any of the scanner's tasks have provided its last update.

app_instance.response.last_modification_date 

Integer

The Unix timestamp when the scanner was last modified.

app_instance.response.engine_version 

String

The version of the scanner.

app_instance.response.loaded_plugin_set 

String

The current plugin set on the scanner.

app_instance.response.registration_code 

String

The registration code of the scanner.

app_instance.response.license 

Object

License object

app_instance.response.linked 

Integer

Specifies whether you disabled (0) or enabled (1) the scanner. For more information, see the PUT /scanners/{scanner_id}/link endpoint.

app_instance.response.name 

String

The user-defined name of the scanner.

app_instance.response.network_name 

String

The name of the network object associated with the scanner. For more information about network objects, see Manage Networks.

app_instance.response.num_scans 

Integer

The number of scans (tasks) the scanner is currently executing.

app_instance.response.owner 

String

The owner of the scanner.

app_instance.response.owner_id 

Integer

The ID of the owner of the scanner.

app_instance.response.owner_name 

String

The username of the owner of the scanner.

app_instance.response.owner_uuid 

String

The UUID of the owner of the scanner.

app_instance.response.platform 

String

The platform of the scanner.

app_instance.response.pool 

Boolean

Indicates whether the scanner is part of a scanner group ('true') or not ('false'). For more information about scanner groups, see the Scanner Groups endpoints.

app_instance.response.scan_count 

Integer

The number of scans that the scanner is currently running.

app_instance.response.shared 

Boolean

Indicates whether anyone other than the scanner owner has explicit access to the scanner (1).

app_instance.response.source 

String

Always set to service.

app_instance.response.status 

String

The status of the scanner (on or off).

app_instance.response.timestamp 

Integer

Equivalent to the last_modification_date attribute.

app_instance.response.type 

String

The type of scanner (local, managed, managed_pvs, pool, remote, or webapp).

app_instance.response.ui_build 

Integer

The backend build of Nessus that is running on the scanner.

app_instance.response.ui_version 

String

The backend version of Nessus that is running on the scanner.

app_instance.response.user_permissions 

Integer

The permissions you (the current user) have been assigned for the scanner. See Permissions.

app_instance.response.uuid 

String

The UUID of the scanner.

app_instance.response.remote_uuid 

String

The UUID of the Nessus installation on the scanner.

app_instance.response.supports_remote_logs 

Boolean

Indicates if the scanner supports remote logging.

app_instance.response.supports_webapp 

Boolean

Indicates if the scanner supports Tenable Web App Scanning.

app_instance.response.aws_update_interval 

Integer

Specifies how often, in minutes, the scanner checks in with Tenable Vulnerability Management (Amazon Web Services scanners only).

Action: List Scan Timezones

This action retrieves the time zones list for creating a recurring scan.

Action Input Parameters 

This action does not require any input parameter.

Action: List Target Groups

This action retrieves the current target groups.

Action Input Parameters 

This action does not require any input parameter.

Action Response Parameters 

Parameter 

Field Type 

Description 

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.acls 

Array of Objects

The Access Control Lists applicable to the group

app_instance.response.acls.type 

String

The type of permission (default, user, group)

app_instance.response.acls.id 

Integer

The unique ID of the user or group

app_instance.response.acls.uuid 

String

The UUID of the owner of the object

app_instance.response.acls.name 

String

The name of the user or group

app_instance.response.acls.display_name 

String

The display-friendly name of the user or group

app_instance.response.acls.permissions 

Int32

The permission value to grant access as described in Permissions

app_instance.response.owner 

Integer

The ID of the owner of the object

app_instance.response.id 

Integer

The unique ID of the group

app_instance.response.default_group 

Boolean

If true, this group is the default

app_instance.response.name 

String

The name of the group

app_instance.response.members 

String

The members of the group

app_instance.response.type 

String

The group type (user or system). Note that the system group type is deprecated. Tenable recommends that you create only user target groups

app_instance.response.owner 

String

The name of the owner of the group. A user of nessus_ms_agent indicates it is a system target group

app_instance.response.owner_id 

Integer

The unique ID of the owner of the group

app_instance.response.last_modification_date 

Integer

The last modification date for the group in unixtime

app_instance.response.shared 

Integer

The shared status of the group

app_instance.response.user_permissions 

Integer

The current user permissions for the group

Action: Update Scan

This action updates a scan configuration.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

UUID 

Enter the UUID for the tenable-provided scan template to use.

Example:

9afd5e49-b4a8-4ab3-8c44-4ed329a505c44e51e1f403febe40

Text

Required

You can retrieve this using the actionGet Templates.

Scan Name 

Enter the name of the scan.

Example:

Log4j Scan

Text

Required

Enabled 

Enter your preference to enable the schedule for the scan.

Example:

$JSON[Yes]

Boolean

Optional

Extra Params 

Enter the extra parameters as key values that can be added to the scan. The parameters will be updated to the settings of the payload to be sent.

Key Value

Optional

Allowed keys:

description, owner_id, folder_id, scanner_id, target_network_uuid, launch, scan_time_window, starttime, rrules, timezone, text_targets, target_groups, file_targets, tag_targets, host_tagging, agent_group_id, agent_scan_launch_type, triggers, refresh_reporting_type, refresh_reporting_frequency_scans, refresh_reporting_frequency_days, disable_refresh_reporting, emails, acls

Example Request 

[
    {
        "uuid": "9afd5e49-b4a8-4ab3-8c44-4ed329a505c44e51e1f403febe40",
        "scan_name": "Log4j Scan",
        "enabled": False
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.tag_type

String

The type of tag

app_instance.response.container_id

String

The unique ID of your Tenable Vulnerability Management instance

app_instance.response.owner_uuid

String

The unique ID of the scan owner

app_instance.response.uuid

String

The UUID of the schedule for the scan

app_instance.response.name

String

The user-defined scan name

app_instance.response.description

String

A brief user-defined description of the scan

app_instance.response.policy_id

Integer

The unique ID of the policy associated with the scan

app_instance.response.scanner_uuid

String

The UUID of the scanner that the scan is configured to use, if the scan is not configured for scan routing

app_instance.response.target_network_uuid

String

The UUID of the network object that Tenable Vulnerability Management associates with the scan results if the scan is configured for scan routing

app_instance.response.emails

String

A comma-separated list of accounts that receive the email summary report

app_instance.response.sms

String

A comma-separated list of mobile phone numbers that receive notification of the scan

app_instance.response.enabled

Boolean

A value indicating whether the scan schedule is active (true) or inactive (false)

app_instance.response.dashboard_file

String

The name of the dashboard file associated with the scan

app_instance.response.remediation

Integer

If 1, your vulnerability remediation actions on scan targets have been successful

app_instance.response.include_aggregate

Boolean

A value indicating whether the scan results appear in dashboards

app_instance.response.scan_time_window

String

Depends on the type of scan

app_instance.response.custom_targets

String

Targets specified in the alt_targets parameter of the POST /scans/{scan_id}/launch request body used to run the scan

app_instance.response.triggers

Array of Objects

For Nessus Agent scans, describes the scan triggers used when agent_scan_launch_type is set to triggered

app_instance.response.triggers.type

String

The type of scan launch trigger (periodic or file-exists)

app_instance.response.triggers.options

Object

Options object

app_instance.response.triggers.reporting_mode

String

Indicates the reporting mode for Nessus Agent scans

app_instance.response.triggers.interval_type

String

For Nessus Agent scans, indicates whether the info-level reporting setting (refresh_reporting_type) is set to scans or days

app_instance.response.triggers.interval_value

Integer

For Nessus Agent scans, indicates the interval value for info-level reporting

app_instance.response.triggers.baseline_next_scan

String

Indicates whether or not the next Nessus Agent scan is a baseline scan

app_instance.response.triggers.agent_scan_launch_type

String

For Nessus Agent scans, indicates whether the agent scan should use the scan window (scheduled) or rule-based (triggered) method for scan launches

app_instance.response.triggers.starttime

String

For one-time scans, the starting time and date for the scan. For recurrent scans, the first date on which the scan schedule is active and the time that recurring scans launch based on the rrules parameter

app_instance.response.triggers.rrules

String

The interval at which the scan repeats

app_instance.response.triggers.timezone

String

The timezone of the scheduled start time for the scan

app_instance.response.notification_filters

Array of Objects

A list of filters that Tenable Vulnerability Management applies to determine whether it sends a notification email on scan completion to the recipients specified in the emails attribute

app_instance.response.notification_filters.value

String

The attribute value Tenable Vulnerability Management filters on

app_instance.response.notification_filters.quality

String

The operator Tenable Vulnerability Management applies to the filter value

app_instance.response.notification_filters.filter

String

The attribute name

app_instance.response.tag_targets

Array of Strings

The list of asset tag identifiers the scan uses to determine which assets it evaluates

app_instance.response.shared

Boolean

If 1, the scan is shared with users other than the scan owner. The level of sharing is specified in the acls attribute of the scan details

app_instance.response.user_permissions

Int32

The sharing permissions for the scan

app_instance.response.default_permissions

Int32

The default permissions for the scan

app_instance.response.owner

String

The owner of the scan

app_instance.response.owner_id

Integer

The unique ID of the owner of the scan

app_instance.response.last_modification_date

Int32

For newly-created scans, the date on which the scan configuration was created. For scans that have been launched at least once, this attribute does not represent the date on which the scan configuration was last modified. Instead, it represents the date on which the scan was last launched, in Unix time format. Tenable Vulnerability Management updates this attribute each time the scan launches

app_instance.response.creation_date

Int32

For newly-created scans, the date on which the scan configuration was originally created. For scans that have been launched at least once, this attribute does not represent the date on which the scan configuration was originally created. Instead, it represents the date on which the scan was first launched, in Unix time format

app_instance.response.type

String

The type of scan

app_instance.response.id

Int32

The unique ID of the scan

Action: Generic Action

This is a generic action used to make requests to any Tenable Vulnerability Management endpoint.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to use while making the request. 

Example: 

GET

Text

Required

Allowed values:

GET, POST, PUT, DELETE

Endpoint 

Enter the endpoint to make the request. 

Example: 

/api/v2/detections

Text

Required

Query Params 

Enter the query parameters to pass to the API.

Key Value

Optional

Payload 

Enter the payload for the request.

Any

Optional

Extra Fields 

Enter any additional fields to pass to the API.

Key Value

Optional