
Vulnerability Findings Cron

Retrieves vulnerability data and associated metadata for assets from Tenable, including details like CVE identifiers, CVSS scores, descriptions, solution information, and affected systems.

Sync Type: Full Synchronization

Requirements

  • Log in to Tenable.io and go to the Create a service account page.
  • Enter Monad Service as the name.
  • Fill out the rest of the service account fields using your organization's usual process.
  • Set the Role to Scan Manager and click Finish.
  • Click the new service user and select API Keys on the left.
  • Copy the access key and secret key. You'll need them when you set up the Monad connector.

Details

The same vulnerabilities as the Tenable Vulnerability Findings connector are returned, but a full sync is performed on the configured cron schedule rather than incrementally.

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting   Type     Required   Description
Cron      string   Yes        Cron string for scheduling tasks. Ex: '0 0 * * *' for daily execution at midnight.

Secrets

Secret       Type     Required   Description
Access Key   string   Yes        Access Key for the Tenable API. This is required to authenticate requests.
Secret Key   string   Yes        Secret Key for the Tenable API. This is required to authenticate requests.

OCSF Conversion

The following JQ transformation converts Tenable vulnerability data to an OCSF Version 1.0.0-rc.2 compliant format.

JQ Transformation

{
  class_uid: 2002,      # Vulnerability Finding
  category_uid: 2,      # Findings
  type_uid: 200200,     # Vulnerability Finding: Unknown
  activity_id: 0,       # Unknown
  # Strip fractional seconds (".123Z"), parse the remainder and convert to a UTC epoch
  time: (.scan.started_at | gsub("\\.\\d+Z$"; "") | strptime("%Y-%m-%dT%H:%M:%S") | mktime),
  severity_id: .severity_id,
  metadata: {
    version: "1.1.0",
    product: {
      vendor_name: "Tenable",
      name: "Nessus"
    }
  },
  raw_data: (. | tostring),   # keep the original finding as a JSON string
  finding_info: {
    title: .plugin.name,
    uid: (.plugin.id | tostring),
    last_seen_time: (.last_found | gsub("\\.\\d+Z$"; "") | strptime("%Y-%m-%dT%H:%M:%S") | mktime),
    first_seen_time: (.first_found | gsub("\\.\\d+Z$"; "") | strptime("%Y-%m-%dT%H:%M:%S") | mktime)
  },
  vulnerabilities: [{
    desc: .plugin.description,
    name: .plugin.name,
    uid: (.plugin.id | tostring),
    cvss: {
      version: "3.0",
      vector: .plugin.cvss3_vector.raw,
      base_score: .plugin.cvss3_base_score
    },
    remediation: {
      desc: .plugin.solution
    }
  }]
}

OCSF Mapping Details

The JQ transformation converts Tenable Vulnerabilities to OCSF Version 1.0.0-rc.2 with the following key mappings:

Core Fields

  • Class UID: Set to 2002 (Vulnerability Finding)
  • Category UID: Set to 2 (Findings)
  • Type UID: Set to 200200 (Vulnerability Finding: Unknown)
  • Activity ID: Set to 0 (Unknown)
  • Time: Extracted from the scan's started_at field
    • Strips milliseconds from the ISO timestamp
    • Converts to Unix timestamp format
  • Severity ID: Maps directly from the vulnerability's severity_id

Finding Information

  • Title: Maps from the plugin's name
  • UID: Converts the plugin ID to string format
  • Last Seen Time: Converts last_found timestamp to Unix format
  • First Seen Time: Converts first_found timestamp to Unix format

Vulnerability Details

  • Description: Maps from plugin description
  • Name: Maps from plugin name
  • UID: Plugin ID in string format
  • CVSS Information:
    • Version: Set to "3.0"
    • Vector: Maps from raw CVSS3 vector
    • Base Score: Maps from CVSS3 base score
  • Remediation: Maps solution information from plugin

Metadata

  • Version: Set to "1.0.0-rc.2"
  • Product:
    • Vendor name: "Tenable"
    • Name: "Nessus"
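The following Python is an added example, not part of this page or of the Monad connector, that reproduces the JQ transformation and the mapping details above on a constructed sample finding so the field mapping can be checked offline. It mirrors the JQ field-for-field (including the literal "1.1.0" metadata version written in the JQ), treats parsed timestamps as UTC the way jq's mktime does, and additionally tolerates a timestamp with no fractional seconds, which the JQ's gsub would leave with a trailing Z that strptime rejects. The REQUIRED_PATHS list and missing_fields check are this example's own choice of fields to validate before an event is accepted downstream, not a requirement taken from the OCSF schema.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample finding (not real Tenable data); it carries only the
# fields the JQ transformation reads. first_found deliberately has no
# fractional seconds, the shape the JQ's gsub does not strip.
SAMPLE_FINDING = {
    "scan": {"started_at": "2024-03-01T10:15:30.123Z"},
    "severity_id": 3,
    "first_found": "2024-02-20T08:00:00Z",
    "last_found": "2024-03-01T10:20:05.999Z",
    "plugin": {
        "id": 12345,
        "name": "Example Plugin (constructed)",
        "description": "Constructed description of the finding.",
        "solution": "Apply the vendor-supplied update.",
        "cvss3_base_score": 7.5,
        "cvss3_vector": {"raw": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    },
}

_FRACTION_Z = re.compile(r"\.\d+Z$")  # same pattern as gsub("\\.\\d+Z$"; "")


def to_unix(ts: str) -> int:
    """Mirror of the JQ time pipeline: strip fractional seconds, parse
    %Y-%m-%dT%H:%M:%S and treat the result as UTC (jq's mktime is UTC-based).
    Also tolerates a bare 'Z' suffix, which the JQ's strptime would reject."""
    ts = _FRACTION_Z.sub("", ts)
    if ts.endswith("Z"):
        ts = ts[:-1]
    parsed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def to_ocsf(finding: dict) -> dict:
    """Build the OCSF Vulnerability Finding event with the same mapping as
    the JQ transformation. Missing plugin fields become None, matching jq's
    null propagation (e.g. a plugin with no cvss3_vector)."""
    plugin = finding["plugin"]
    plugin_uid = str(plugin["id"])  # (.plugin.id | tostring)
    cvss3_vector = plugin.get("cvss3_vector") or {}
    return {
        "class_uid": 2002,      # Vulnerability Finding
        "category_uid": 2,      # Findings
        "type_uid": 200200,     # Vulnerability Finding: Unknown
        "activity_id": 0,       # Unknown
        "time": to_unix(finding["scan"]["started_at"]),
        "severity_id": finding["severity_id"],
        "metadata": {
            "version": "1.1.0",  # literal as written in the JQ on this page
            "product": {"vendor_name": "Tenable", "name": "Nessus"},
        },
        # jq's tostring emits compact JSON; use compact separators to match.
        "raw_data": json.dumps(finding, separators=(",", ":")),
        "finding_info": {
            "title": plugin.get("name"),
            "uid": plugin_uid,
            "last_seen_time": to_unix(finding["last_found"]),
            "first_seen_time": to_unix(finding["first_found"]),
        },
        "vulnerabilities": [{
            "desc": plugin.get("description"),
            "name": plugin.get("name"),
            "uid": plugin_uid,
            "cvss": {
                "version": "3.0",
                "vector": cvss3_vector.get("raw"),
                "base_score": plugin.get("cvss3_base_score"),
            },
            "remediation": {"desc": plugin.get("solution")},
        }],
    }


# Dotted paths this example expects populated before an event is accepted
# downstream; chosen here for illustration, not taken from the OCSF schema.
REQUIRED_PATHS = (
    "class_uid", "category_uid", "type_uid", "time", "severity_id",
    "finding_info.title", "finding_info.uid", "vulnerabilities",
)


def missing_fields(event: dict) -> list:
    """Return the dotted paths from REQUIRED_PATHS that are absent or null."""
    missing = []
    for path in REQUIRED_PATHS:
        node = event
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            missing.append(path)
    return missing


if __name__ == "__main__":
    event = to_ocsf(SAMPLE_FINDING)
    print(json.dumps(event, indent=2))
    print("missing fields:", missing_fields(event))
```

Running the script prints the converted event and an empty missing-fields list for the constructed sample; feeding it a finding whose scan has no started_at would raise in to_unix, which is the same point at which the JQ pipeline would fail, so that is the field to guard when Tenable returns partial records.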

Customization

The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential asset information and cloud provider detection while providing fallback values for optional fields.