Asset Inventory
Retrieves all assets and related metadata from Tenable for integration into third-party systems, collecting comprehensive data on each asset.
Sync Type: Incremental
Requirements
- Log in to Tenable.io and go to the Create a service account page.
- Enter
Monad Serviceas the name. - Fill out the rest of the service account fields using your organization's usual process.
- Set the Role to
Scan Managerand click Finish.
- Click the new service user and select API Keys on the left.
- Copy the access key and secret key. You'll need them when you set up the Monad connector.
Details
Monad uses the updated_at field to determine which assets to export this field is determined by the last time the export was run. If the input has never been run, it will export all assets.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Yes | Access Key for the Tenable API. This is required to authenticate requests. |
| Secret Key | string | Yes | Secret Key for the Tenable API. This is required to authenticate requests. |
OCSF Conversion
The following JQ transformation converts Tenable Asset data to OCSF Version 1.1 compliant format.
JQ Transformation
{
# Static fields
category_uid: 5, # Discovery
class_uid: 5001, # Device Inventory Info
activity_id: 2, # Collect
type_uid: 500102, # Device Inventory Info: Collect
severity_id: 1, # Informational
# Dynamic time field - remove milliseconds and convert to epoch
time: (
if .updated_at then
.updated_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
else
now
end
),
# Device object with all available fields
device: {
type_id: 0, # Unknown
uid: .id,
hostname: (
if (.hostnames | length > 0) then
.hostnames[0]
else
""
end
),
ip: (
if (.ipv4s | length > 0) then
.ipv4s[0]
else
null
end
),
mac: (
if (.mac_addresses | length > 0) then
.mac_addresses[0]
else
null
end
),
# Additional fields
first_seen_time: (
if .first_seen then
.first_seen | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
else
null
end
),
last_seen_time: (
if .last_seen then
.last_seen | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
else
null
end
),
network_interfaces: (
if (.network_interfaces | length > 0) then
.network_interfaces
else
[]
end
),
region: (
if .aws_region then
.aws_region
else
null
end
),
type: (
if (.system_types | length > 0) then
.system_types[0]
else
null
end
),
domain: (
if (.fqdns | length > 0) then
.fqdns[0]
else
null
end
),
os: (
if (.operating_systems | length > 0) then
.operating_systems[0]
else
null
end
),
created_time: (
if .created_at then
.created_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
else
null
end
),
modified_time: (
if .updated_at then
.updated_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
else
null
end
),
zone: (
if .network_name then
.network_name
else
null
end
)
},
# Static metadata
metadata: {
version: "1.1.0",
product: {
vendor_name: "Tenable"
}
}
}
OCSF Mapping Details
The JQ transformation converts Tenable Assets to OCSF Version 1.1 with the following key mappings:
Core Fields
- Category UID: Set to 5 (Discovery)
- Class UID: Set to 5001 (Device Inventory Info)
- Activity ID: Set to 2 (Collect)
- Type UID: Set to 500102 (Device Inventory Info: Collect)
- Severity ID: Set to 1 (Informational)
- Time: Extracted from the asset's
updated_atfield- Strips milliseconds from the ISO timestamp
- Converts to Unix timestamp format using
fromdateiso8601
Cloud Provider Detection
The transformation includes logic to identify the cloud provider based on available fields:
- Sets to "AWS" if any AWS-specific fields are present:
- aws_owner_id
- aws_region
- aws_vpc_id
- aws_ec2_instance_id
- Sets to "Azure" if Azure-specific fields are present:
- azure_vm_id
- azure_resource_id
- Sets to "GCP" if GCP-specific fields are present:
- gcp_project_id
- gcp_zone
- gcp_instance_id
- Defaults to "Unknown" if no cloud-specific fields are found
Device Information
- Type ID: Set to 0 (Unknown)
- UID: Maps directly from the asset's
idfield - Hostname: Takes the first hostname from the
hostnamesarray, defaults to empty string if none exists - IP: Takes the first IPv4 address from the
ipv4sarray, defaults to null if none exists - MAC: Takes the first MAC address from the
mac_addressesarray, defaults to null if none exists
Metadata
- Version: Set to "1.0.0"
- Product: Includes vendor_name set to "Tenable"
Customization
The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential asset information and cloud provider detection while providing fallback values for optional fields.
Related Articles
- https://developer.tenable.com/reference/exports-assets-download-chunk
- https://docs.tenable.com/vulnerability-management/Content/Settings/access-control/CreateAUserAccount.htm
- https://developer.tenable.com/reference/exports-assets-request-export
- https://developer.tenable.com/reference/exports-assets-export-status
- https://developer.tenable.com/reference/exports-assets-download-chunk
Sample Record
{
"id": "b19b4fd5-6c20-4082-c50a-5bc511d4a03f",
"has_agent": false,
"has_plugin_results": true,
"created_at": "2021-02-01T08:04:40.311Z",
"terminated_at": null,
"terminated_by": null,
"updated_at": "2023-01-07T23:28:03.206Z",
"deleted_at": null,
"deleted_by": null,
"first_seen": "2025-08-11T23:46:44.837946Z",
"last_seen": "2025-08-11T23:46:44.837952Z",
"first_scan_time": "2025-08-11T23:46:44.837953Z",
"last_scan_time": "2025-08-11T23:46:44.837955Z",
"last_authenticated_scan_date": null,
"last_licensed_scan_date": "2025-08-11T23:46:44.837956Z",
"last_scan_id": "5d2a6b84-96dd-7604-bf66-420bbea7fff5",
"last_schedule_id": "template-67f498e8-2f74-1065-5419-d526a40b3c446594f84aecddf850",
"azure_vm_id": null,
"azure_resource_id": null,
"gcp_project_id": null,
"gcp_zone": null,
"gcp_instance_id": null,
"aws_ec2_instance_ami_id": null,
"aws_ec2_instance_id": null,
"agent_uuid": null,
"bios_uuid": null,
"network_id": "00000000-0000-0000-0000-000000000000",
"network_name": "Default",
"aws_owner_id": null,
"aws_availability_zone": null,
"aws_region": null,
"aws_vpc_id": null,
"aws_ec2_instance_group_name": null,
"aws_ec2_instance_state_name": null,
"aws_ec2_instance_type": null,
"aws_subnet_id": null,
"aws_ec2_product_code": null,
"aws_ec2_name": null,
"mcafee_epo_guid": null,
"mcafee_epo_agent_guid": null,
"servicenow_sysid": null,
"bigfix_asset_id": null,
"agent_names": [],
"installed_software": [],
"ipv4s": [
"192.210.93.21"
],
"ipv6s": [],
"fqdns": [],
"mac_addresses": [
"ae:d2:7c:d8:93:4c"
],
"netbios_names": [],
"operating_systems": [
"macOS Catalina"
],
"system_types": [
"Server"
],
"hostnames": [],
"ssh_fingerprints": [],
"qualys_asset_ids": [],
"qualys_host_ids": [],
"manufacturer_tpm_ids": [],
"symantec_ep_hardware_keys": [],
"sources": [
{
"name": "NESSUS_SCAN",
"first_seen": "2025-08-11T23:46:44.838032Z",
"last_seen": "2025-08-11T23:46:44.838033Z"
}
],
"tags": [
{
"uuid": "f1a11438-e18d-3e9e-fbe2-d412110cde95",
"key": "scan",
"value": "external",
"added_by": "461d3cab-02c0-4115-9b27-8e71778a41ea",
"added_at": "2025-08-11T23:46:44.838049Z"
},
{
"uuid": "dfe83932-5325-0b29-724d-420c57c9627b",
"key": "Tags_Converted_From_Access_Groups_more_more_more_more_more_more_more",
"value": "AG1",
"added_by": "5cb33990-1188-41e4-997e-50818766fe85",
"added_at": "2025-08-11T23:46:44.838063Z"
},
{
"uuid": "a49287da-730c-22f2-fff7-007245d79d2d",
"key": "Tags_Converted_From_Access_Groups_more_more_more_more_more_more_more",
"value": "Home",
"added_by": "5cb33990-1188-41e4-997e-50818766fe85",
"added_at": "2025-08-11T23:46:44.838092Z"
}
],
"network_interfaces": [
{
"name": "UNKNOWN",
"virtual": null,
"aliased": null,
"fqdns": [],
"mac_addresses": [
"2e:d9:31:96:0f:15"
],
"ipv4s": [
"192.204.100.109"
],
"ipv6s": []
}
],
"open_ports": [],
"acr_score": "-1",
"exposure_score": "-1"
}