Copy page

Tenable

Asset Inventory

Retrieves all assets and related metadata from Tenable for integration into third-party systems, collecting comprehensive data on each asset.

Sync Type: Incremental

Requirements

• Log in to Tenable.io and go to the Create a service account page.
• Enter Monad Service as the name.
• Fill out the rest of the service account fields using your organization's usual process.
• Set the Role to Scan Manager and click Finish.
• Click the new service user and select API Keys on the left.
• Copy the access key and secret key. You'll need them when you set up the Monad connector.

Details

Monad uses the updated_at field to determine which assets to export this field is determined by the last time the export was run. If the input has never been run, it will export all assets.

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting	Type	Required	Description
Backfill Start Time	string	No	The date to start fetching data from. If not specified, no past records will be fetched.

Secrets

Secret	Type	Required	Description
Access Key	string	Yes	Access Key for the Tenable API. This is required to authenticate requests.
Secret Key	string	Yes	Secret Key for the Tenable API. This is required to authenticate requests.

OCSF Conversion

The following JQ transformation converts Tenable Asset data to OCSF Version 1.1 compliant format.

JQ Transformation

Code
{
  # Static fields
  category_uid: 5,                    # Discovery
  class_uid: 5001,                    # Device Inventory Info
  activity_id: 2,                     # Collect
  type_uid: 500102,                   # Device Inventory Info: Collect
  severity_id: 1,                     # Informational

  # Dynamic time field - remove milliseconds and convert to epoch
  time: (
    if .updated_at then
      .updated_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
    else
      now
    end
  ),

  # Device object with all available fields
  device: {
    type_id: 0,                       # Unknown
    uid: .id,
    hostname: (
      if (.hostnames | length > 0) then
        .hostnames[0]
      else
        ""
      end
    ),
    ip: (
      if (.ipv4s | length > 0) then
        .ipv4s[0]
      else
        null
      end
    ),
    mac: (
      if (.mac_addresses | length > 0) then
        .mac_addresses[0]
      else
        null
      end
    ),
    # Additional fields
    first_seen_time: (
      if .first_seen then
        .first_seen | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
      else
        null
      end
    ),
    last_seen_time: (
      if .last_seen then
        .last_seen | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
      else
        null
      end
    ),
    network_interfaces: (
      if (.network_interfaces | length > 0) then
        .network_interfaces
      else
        []
      end
    ),
    region: (
      if .aws_region then
        .aws_region
      else
        null
      end
    ),
    type: (
      if (.system_types | length > 0) then
        .system_types[0]
      else
        null
      end
    ),
    domain: (
      if (.fqdns | length > 0) then
        .fqdns[0]
      else
        null
      end
    ),
    os: (
      if (.operating_systems | length > 0) then
        .operating_systems[0]
      else
        null
      end
    ),
    created_time: (
      if .created_at then
        .created_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
      else
        null
      end
    ),
    modified_time: (
      if .updated_at then
        .updated_at | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601
      else
        null
      end
    ),
    zone: (
      if .network_name then
        .network_name
      else
        null
      end
    )
  },

  # Static metadata
  metadata: {
    version: "1.1.0",
    product: {
      vendor_name: "Tenable"
    }
  }
}

OCSF Mapping Details

The JQ transformation converts Tenable Assets to OCSF Version 1.1 with the following key mappings:

Core Fields

• Category UID: Set to 5 (Discovery)
• Class UID: Set to 5001 (Device Inventory Info)
• Activity ID: Set to 2 (Collect)
• Type UID: Set to 500102 (Device Inventory Info: Collect)
• Severity ID: Set to 1 (Informational)
• Time: Extracted from the asset's updated_at field
  • Strips milliseconds from the ISO timestamp
  • Converts to Unix timestamp format using fromdateiso8601

Cloud Provider Detection

The transformation includes logic to identify the cloud provider based on available fields:

• Sets to "AWS" if any AWS-specific fields are present:
  • aws_owner_id
  • aws_region
  • aws_vpc_id
  • aws_ec2_instance_id
• Sets to "Azure" if Azure-specific fields are present:
  • azure_vm_id
  • azure_resource_id
• Sets to "GCP" if GCP-specific fields are present:
  • gcp_project_id
  • gcp_zone
  • gcp_instance_id
• Defaults to "Unknown" if no cloud-specific fields are found

Device Information

• Type ID: Set to 0 (Unknown)
• UID: Maps directly from the asset's id field
• Hostname: Takes the first hostname from the hostnames array, defaults to empty string if none exists
• IP: Takes the first IPv4 address from the ipv4s array, defaults to null if none exists
• MAC: Takes the first MAC address from the mac_addresses array, defaults to null if none exists

Metadata

• Version: Set to "1.0.0"
• Product: Includes vendor_name set to "Tenable"

Customization

The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential asset information and cloud provider detection while providing fallback values for optional fields.

Related Articles

• https://developer.tenable.com/reference/exports-assets-download-chunk
• https://docs.tenable.com/vulnerability-management/Content/Settings/access-control/CreateAUserAccount.htm
• https://developer.tenable.com/reference/exports-assets-request-export
• https://developer.tenable.com/reference/exports-assets-export-status
• https://developer.tenable.com/reference/exports-assets-download-chunk

Sample Record

Code
{
  "id": "b19b4fd5-6c20-4082-c50a-5bc511d4a03f",
  "has_agent": false,
  "has_plugin_results": true,
  "created_at": "2021-02-01T08:04:40.311Z",
  "terminated_at": null,
  "terminated_by": null,
  "updated_at": "2023-01-07T23:28:03.206Z",
  "deleted_at": null,
  "deleted_by": null,
  "first_seen": "2025-08-11T23:46:44.837946Z",
  "last_seen": "2025-08-11T23:46:44.837952Z",
  "first_scan_time": "2025-08-11T23:46:44.837953Z",
  "last_scan_time": "2025-08-11T23:46:44.837955Z",
  "last_authenticated_scan_date": null,
  "last_licensed_scan_date": "2025-08-11T23:46:44.837956Z",
  "last_scan_id": "5d2a6b84-96dd-7604-bf66-420bbea7fff5",
  "last_schedule_id": "template-67f498e8-2f74-1065-5419-d526a40b3c446594f84aecddf850",
  "azure_vm_id": null,
  "azure_resource_id": null,
  "gcp_project_id": null,
  "gcp_zone": null,
  "gcp_instance_id": null,
  "aws_ec2_instance_ami_id": null,
  "aws_ec2_instance_id": null,
  "agent_uuid": null,
  "bios_uuid": null,
  "network_id": "00000000-0000-0000-0000-000000000000",
  "network_name": "Default",
  "aws_owner_id": null,
  "aws_availability_zone": null,
  "aws_region": null,
  "aws_vpc_id": null,
  "aws_ec2_instance_group_name": null,
  "aws_ec2_instance_state_name": null,
  "aws_ec2_instance_type": null,
  "aws_subnet_id": null,
  "aws_ec2_product_code": null,
  "aws_ec2_name": null,
  "mcafee_epo_guid": null,
  "mcafee_epo_agent_guid": null,
  "servicenow_sysid": null,
  "bigfix_asset_id": null,
  "agent_names": [],
  "installed_software": [],
  "ipv4s": [
    "192.210.93.21"
  ],
  "ipv6s": [],
  "fqdns": [],
  "mac_addresses": [
    "ae:d2:7c:d8:93:4c"
  ],
  "netbios_names": [],
  "operating_systems": [
    "macOS Catalina"
  ],
  "system_types": [
    "Server"
  ],
  "hostnames": [],
  "ssh_fingerprints": [],
  "qualys_asset_ids": [],
  "qualys_host_ids": [],
  "manufacturer_tpm_ids": [],
  "symantec_ep_hardware_keys": [],
  "sources": [
    {
      "name": "NESSUS_SCAN",
      "first_seen": "2025-08-11T23:46:44.838032Z",
      "last_seen": "2025-08-11T23:46:44.838033Z"
    }
  ],
  "tags": [
    {
      "uuid": "f1a11438-e18d-3e9e-fbe2-d412110cde95",
      "key": "scan",
      "value": "external",
      "added_by": "461d3cab-02c0-4115-9b27-8e71778a41ea",
      "added_at": "2025-08-11T23:46:44.838049Z"
    },
    {
      "uuid": "dfe83932-5325-0b29-724d-420c57c9627b",
      "key": "Tags_Converted_From_Access_Groups_more_more_more_more_more_more_more",
      "value": "AG1",
      "added_by": "5cb33990-1188-41e4-997e-50818766fe85",
      "added_at": "2025-08-11T23:46:44.838063Z"
    },
    {
      "uuid": "a49287da-730c-22f2-fff7-007245d79d2d",
      "key": "Tags_Converted_From_Access_Groups_more_more_more_more_more_more_more",
      "value": "Home",
      "added_by": "5cb33990-1188-41e4-997e-50818766fe85",
      "added_at": "2025-08-11T23:46:44.838092Z"
    }
  ],
  "network_interfaces": [
    {
      "name": "UNKNOWN",
      "virtual": null,
      "aliased": null,
      "fqdns": [],
      "mac_addresses": [
        "2e:d9:31:96:0f:15"
      ],
      "ipv4s": [
        "192.204.100.109"
      ],
      "ipv6s": []
    }
  ],
  "open_ports": [],
  "acr_score": "-1",
  "exposure_score": "-1"
}