Tenable.sc
Stack Serverless Observability Serverless Security
| Version | 1.31.0 (View all) |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
| Ingestion method(s) | API |
The Tenable Security Center integration collects and parses data from the Tenable Security Center APIs.
Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to Agentless integrations and the Agentless integrations FAQ. Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
This module has been tested against Tenable.sc version 5.23 and Tenable.sc version 6.4.0.
In order to ingest data from the Tenable.sc you must have the Access key and Secret Key.
Enable API keys to allow users to perform API key authentication.
See Tenable's documentation for more information on:
Note
The default value is the recommended value for a batch size by Tenable. It can be found under Advanced Options and can be configured as per requirements. A very large value might not work as intended depending on the API and instance limitations.
This is the asset dataset.
Example
{
"@timestamp": "2023-09-22T18:00:18.358Z",
"agent": {
"ephemeral_id": "87389b96-4d7e-4a86-a055-4d34d251c4c0",
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.10.1"
},
"data_stream": {
"dataset": "tenable_sc.asset",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"snapshot": false,
"version": "8.10.1"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2023-09-22T18:00:18.358Z",
"dataset": "tenable_sc.asset",
"ingested": "2023-09-22T18:00:21Z",
"kind": "state",
"original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}",
"type": [
"info"
]
},
"host": {
"domain": "example",
"hostname": "rnkmigauv2l8zeyf.example",
"ip": [
"0.0.228.153"
],
"mac": [
"00-00-00-47-05-0D"
],
"name": "rnkmigauv2l8zeyf"
},
"input": {
"type": "httpjson"
},
"related": {
"hosts": [
"rnkmigauv2l8zeyf.example",
"rnkmigauv2l8zeyf",
"UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE"
],
"ip": [
"0.0.228.153"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"tenable_sc-asset"
],
"tenable_sc": {
"asset": {
"bios": {
"guid": "9e8c4d43-982b-4405-a76c-d56c1d6cf117"
},
"custom_hash": "ilZiksv+pbvyBkKXgFRLGuMuUovfGI0pjIX5yLMp+I8=",
"dns": {
"name": "rnkmigauv2l8zeyf.example"
},
"host_uniqueness": "repositoryID,ip,dnsName",
"ip": "0.0.228.153",
"mac": "00-00-00-47-05-0D",
"netbios": {
"name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE"
},
"os_cpe": "cpe:/o:microsoft:windows_10:::x64-home",
"plugin_set": "201901281542",
"policy": {
"name": "Basic Agent Scan"
},
"repository": {
"data_format": "IPv4",
"id": "2",
"name": "Staged-Large",
"sci": {
"id": "1"
}
},
"score": 307,
"severity": {
"critical": 6,
"high": 4,
"info": 131,
"low": 0,
"medium": 9
},
"total": 150,
"uniqueness": "repositoryID,ip,dnsName",
"uuid": "4add65d0-27fc-491c-91ba-3f498a61f49e"
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| tenable_sc.asset.bios.guid | GUID of bios. | keyword |
| tenable_sc.asset.custom_hash | Hash representing the values of the field names mentioned in uniqueness field in order to uniquely identify an asset. | keyword |
| tenable_sc.asset.dns.name | DNS name of the asset. | keyword |
| tenable_sc.asset.host_uniqueness | Host Uniqueness. | keyword |
| tenable_sc.asset.ip | The IPv4 address of the asset. | keyword |
| tenable_sc.asset.last_auth_run | The timestamp of last auth run. | keyword |
| tenable_sc.asset.last_unauth_run | The timestamp of last unauth run. | keyword |
| tenable_sc.asset.mac | The mac address of the asset. | keyword |
| tenable_sc.asset.mcafee.guid | GUID of McAfee. | keyword |
| tenable_sc.asset.netbios.name | Name of netbios of the asset. | keyword |
| tenable_sc.asset.os_cpe | OS CPE (Common Platform Enumeration is a standardized way to name software applications, operating systems, and hardware platforms). | keyword |
| tenable_sc.asset.plugin_set | The plugin set the asset fall in. | keyword |
| tenable_sc.asset.policy.name | The name of the policy that is assigned to the asset. | keyword |
| tenable_sc.asset.repository.data_format | Data format. | keyword |
| tenable_sc.asset.repository.description | Description of repository. | keyword |
| tenable_sc.asset.repository.id | ID of repository the asset belongs to. | keyword |
| tenable_sc.asset.repository.name | Name of repository the asset belongs to. | keyword |
| tenable_sc.asset.repository.sci.id | Sci ID. | keyword |
| tenable_sc.asset.score | The score of the asset. | long |
| tenable_sc.asset.severity.critical | The critical score of the asset. | long |
| tenable_sc.asset.severity.high | The high score of the asset. | long |
| tenable_sc.asset.severity.info | The info score of the asset. | long |
| tenable_sc.asset.severity.low | The low score of the asset. | long |
| tenable_sc.asset.severity.medium | The medium score of the asset. | long |
| tenable_sc.asset.total | The total score for the asset. | long |
| tenable_sc.asset.tpm.id | The ID of TPM. | keyword |
| tenable_sc.asset.uniqueness | Uniqueness. | keyword |
| tenable_sc.asset.uuid | The uuid of the asset. | keyword |
This is the plugin dataset.
Example
{
"@timestamp": "2021-09-27T01:33:53.000Z",
"agent": {
"ephemeral_id": "7f93fe8a-bef7-46ec-8a36-47d48e2f8e7c",
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.10.1"
},
"data_stream": {
"dataset": "tenable_sc.plugin",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"snapshot": false,
"version": "8.10.1"
},
"event": {
"agent_id_status": "verified",
"created": "2023-09-22T18:01:18.245Z",
"dataset": "tenable_sc.plugin",
"ingested": "2023-09-22T18:01:21Z",
"kind": "event",
"original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"related": {
"hash": [
"38b2147401eb5c3a15af52182682f345"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"tenable_sc-plugin"
],
"tenable_sc": {
"plugin": {
"base_score": 7.8,
"check_type": "remote",
"copyright": "This script is Copyright (C) 2003-2020 John Lampe",
"cvss_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C",
"cvss_vector_bf": "2164920932",
"dependencies": [
"find_service1.nasl",
"http_version.nasl",
"www_fingerprinting_hmap.nasl"
],
"description": "Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. An attacker, exploiting this vulnerability, will be able to render the service unusable.\n\nIf this machine serves a business-critical function, there could be an impact to the business.",
"exploit": {
"ease": "No known exploits are available",
"is_available": "false"
},
"family": {
"id": "11",
"name": "Web Servers",
"type": "active"
},
"id": "10585",
"is_patch_modified": false,
"is_patch_published": false,
"is_plugin_modified": true,
"is_plugin_published": true,
"is_vulnerability_published": true,
"md5": "38b2147401eb5c3a15af52182682f345",
"modified_time": "2021-09-27T01:33:53.000Z",
"name": "Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS",
"plugin_mod_date": "2020-06-12T12:00:00.000Z",
"plugin_pub_date": "2003-07-22T12:00:00.000Z",
"risk_factor": "High",
"see_also": [
"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100"
],
"solution": "Microsoft has released a set of patches for IIS 4.0 and 5.0.",
"source_file": "IIS_frontpage_DOS_2.nasl",
"synopsis": "The remote web server is vulnerable to a denial of service",
"temporal_score": 5.8,
"type": "active",
"version": 1.28,
"vpr": {
"context": {
"_original": [
{
"id": "age_of_vuln",
"name": "Vulnerability Age",
"type": "string",
"value": "730 days +"
},
{
"id": "cvssV3_impactScore",
"name": "CVSS v3 Impact Score",
"type": "number",
"value": 3.6
},
{
"id": "exploit_code_maturity",
"name": "Exploit Code Maturity",
"type": "string",
"value": "Unproven"
},
{
"id": "product_coverage",
"name": "Product Coverage",
"type": "string",
"value": "Low"
},
{
"id": "threat_intensity_last_28",
"name": "Threat Intensity",
"type": "string",
"value": "Very Low"
},
{
"id": "threat_recency",
"name": "Threat Recency",
"type": "string",
"value": "> 365 days"
},
{
"id": "threat_sources_last_28",
"name": "Threat Sources",
"type": "string",
"value": "No recorded events"
}
],
"age_of_vuln": "730 days +",
"cvssV3_impactScore": 3.6,
"exploit_code_maturity": "Unproven",
"product_coverage": "Low",
"threat_intensity_last_28": "Very Low",
"threat_recency": "> 365 days",
"threat_sources_last_28": "No recorded events"
},
"score": 4.4
},
"vuln_pub_date": "2000-12-22T12:00:00.000Z",
"xrefs": [
"CVE:CVE-2001-0096",
"BID:2144",
"MSFT:MS00-100",
"MSKB:280322"
]
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| tenable_sc.plugin.base_score | The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). | double |
| tenable_sc.plugin.check_type | The type of the compliance check that detected the vulnerability. | keyword |
| tenable_sc.plugin.copyright | The copyright information related to the plugin. | keyword |
| tenable_sc.plugin.cpe | A list of plugin target systems identified by Common Platform Enumeration (CPE). | keyword |
| tenable_sc.plugin.cvss_vector | The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. | keyword |
| tenable_sc.plugin.cvss_vector_bf | N/A. | keyword |
| tenable_sc.plugin.cvssv3_base_score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). | double |
| tenable_sc.plugin.cvssv3_temporal_score | The CVSSv3 temporal metrics for the vulnerability. | double |
| tenable_sc.plugin.cvssv3_vector | The raw CVSSv3 metrics for the vulnerability. For more information, see CVSSv3 documentation. | keyword |
| tenable_sc.plugin.cvssv3_vector_bf | N/A. | keyword |
| tenable_sc.plugin.dependencies | N/A. | keyword |
| tenable_sc.plugin.description | The extended description of the plugin. | keyword |
| tenable_sc.plugin.dst_port | Destination port. | long |
| tenable_sc.plugin.exploit.ease | Description of how easy it is to exploit the vulnerability. | keyword |
| tenable_sc.plugin.exploit.frameworks | Frameworks used by the exploit. | keyword |
| tenable_sc.plugin.exploit.is_available | Indicates whether a known public exploit exists for the vulnerability. | boolean |
| tenable_sc.plugin.family.id | The ID of the plugin family. | keyword |
| tenable_sc.plugin.family.name | The name of the plugin family. | keyword |
| tenable_sc.plugin.family.type | The type of the plugin family. | keyword |
| tenable_sc.plugin.id | The ID of the plugin. | keyword |
| tenable_sc.plugin.is_patch_modified | Flag for if patch is modified. | boolean |
| tenable_sc.plugin.is_patch_published | Flag for if patch is published. | boolean |
| tenable_sc.plugin.is_plugin_modified | Flag for if plugin is modified. | boolean |
| tenable_sc.plugin.is_plugin_published | Flag for if plugin is published. | boolean |
| tenable_sc.plugin.is_vulnerability_published | Flag for if vulnerability is published. | boolean |
| tenable_sc.plugin.md5 | N/A. | keyword |
| tenable_sc.plugin.modified_time | Timestamp of last modification in plugin. | date |
| tenable_sc.plugin.name | The name of the plugin. | keyword |
| tenable_sc.plugin.patch_mod_date | The date when the vendor modified the patch for the vulnerability. | date |
| tenable_sc.plugin.patch_pub_date | The date when the vendor published a patch for the vulnerability. | date |
| tenable_sc.plugin.plugin_mod_date | The date when Tenable last updated the plugin. | date |
| tenable_sc.plugin.plugin_pub_date | The date when Tenable originally published the plugin. | date |
| tenable_sc.plugin.protocol | Protocol used by the vulnerability. | keyword |
| tenable_sc.plugin.required_ports | N/A. | keyword |
| tenable_sc.plugin.required_udp_ports | N/A. | keyword |
| tenable_sc.plugin.risk_factor | The risk factor associated with the plugin. | keyword |
| tenable_sc.plugin.see_also | Links to external websites that contain helpful information about the vulnerability. | keyword |
| tenable_sc.plugin.solution | Remediation information for the vulnerability. | keyword |
| tenable_sc.plugin.source | N/A. | keyword |
| tenable_sc.plugin.source_file | N/A. | keyword |
| tenable_sc.plugin.src_port | Source port. | long |
| tenable_sc.plugin.stig_severity | STIG severity code for the vulnarebility. | keyword |
| tenable_sc.plugin.synopsis | A brief summary of the vulnerability or vulnerabilities associated with the plugin. | keyword |
| tenable_sc.plugin.temporal_score | The raw CVSSv2 temporal metrics for the vulnerability. | double |
| tenable_sc.plugin.type | The type of the plugin. | keyword |
| tenable_sc.plugin.version | The version of the plugin. | version |
| tenable_sc.plugin.vpr.context | The matrix of Vulnerability Priority Rating (VPR) for the vulnerability. | flattened |
| tenable_sc.plugin.vpr.score | The Vulnerability Priority Rating (VPR) score for the vulnerability. | double |
| tenable_sc.plugin.vuln_pub_date | Vulnarebility publish date. | date |
| tenable_sc.plugin.xrefs | References to third-party information about the vulnerability, exploit, or update associated with the plugin presented as an array of objects. | keyword |
This is the vulnerability dataset.
Example
{
"@timestamp": "2021-09-25T16:08:45.000Z",
"agent": {
"ephemeral_id": "c643a0a5-89d8-4a1e-81f0-63a129501012",
"id": "ad0cabc5-f33b-4982-aba6-069a206e7c08",
"name": "elastic-agent-82139",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "tenable_sc.vulnerability",
"namespace": "94688",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "ad0cabc5-f33b-4982-aba6-069a206e7c08",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"threat",
"vulnerability"
],
"created": "2025-07-16T08:29:40.843Z",
"dataset": "tenable_sc.vulnerability",
"ingested": "2025-07-16T08:29:43Z",
"kind": "event",
"original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}",
"type": [
"info"
]
},
"host": {
"domain": "lxd",
"hostname": "_gateway.lxd",
"ip": [
"10.238.64.1"
],
"mac": [
"00-16-3E-A1-12-F7"
],
"name": "_gateway",
"os": {
"full": "Linux Kernel 2.6"
}
},
"input": {
"type": "httpjson"
},
"network": {
"transport": "icmp"
},
"related": {
"hosts": [
"_gateway.lxd",
"_gateway"
],
"ip": [
"10.238.64.1"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"tenable_sc-vulnerability"
],
"tenable_sc": {
"vulnerability": {
"accept_risk": "0",
"age": 940,
"base_score": "0.0",
"check_type": "remote",
"custom_hash": "qVUXK2YtClsBlXncLYHLhVzynYK4hG2NbT0hY6guQm0=",
"cvss_v3_vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"cvss_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:N",
"dns": {
"name": "_gateway.lxd"
},
"exploit": {
"is_available": false
},
"family": {
"id": "30",
"name": "General",
"type": "active"
},
"first_seen": "2019-02-27T16:27:52.000Z",
"has_been_mitigated": false,
"host_uniqueness": "repositoryID,ip,dnsName",
"id": "1_10.238.64.1__gateway.lxd",
"ip": "10.238.64.1",
"is_vulnerability_published": true,
"last_seen": "2021-09-25T16:08:45.000Z",
"mac": "00-16-3E-A1-12-F7",
"operating_system": "Linux Kernel 2.6",
"patch": {
"is_published": false
},
"plugin": {
"id": "10114",
"info": "10114 (0/1) ICMP Timestamp Request Remote Date Disclosure",
"is_modified": true,
"is_published": true,
"mod_date": "2019-10-04T12:00:00.000Z",
"name": "ICMP Timestamp Request Remote Date Disclosure",
"pub_date": "1999-08-01T12:00:00.000Z",
"text": "<plugin_output>The remote clock is synchronized with the local clock.\n</plugin_output>"
},
"port": "0",
"protocol": "ICMP",
"recast_risk": "0",
"repository": {
"data_format": "IPv4",
"id": "1",
"name": "Live",
"sci_id": "1"
},
"risk_factor": "None",
"severity": {
"description": "Informative",
"id": "0"
},
"solution": "Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).",
"synopsis": "It is possible to determine the exact time set on the remote host.",
"uniqueness": "repositoryID,ip,dnsName",
"version": "1.48",
"vpr": {
"context": {
"_original": [
{
"id": "age_of_vuln",
"name": "Vulnerability Age",
"type": "string",
"value": "730 days +"
},
{
"id": "cvssV3_impactScore",
"name": "CVSS v3 Impact Score",
"type": "number",
"value": 0
},
{
"id": "exploit_code_maturity",
"name": "Exploit Code Maturity",
"type": "string",
"value": "Unproven"
},
{
"id": "product_coverage",
"name": "Product Coverage",
"type": "string",
"value": "Very High"
},
{
"id": "threat_intensity_last_28",
"name": "Threat Intensity",
"type": "string",
"value": "Very Low"
},
{
"id": "threat_recency",
"name": "Threat Recency",
"type": "string",
"value": "No recorded events"
},
{
"id": "threat_sources_last_28",
"name": "Threat Sources",
"type": "string",
"value": "No recorded events"
}
],
"age_of_vuln": "730 days +",
"cvssV3_impactScore": 0,
"exploit_code_maturity": "Unproven",
"product_coverage": "Very High",
"threat_intensity_last_28": "Very Low",
"threat_recency": "No recorded events",
"threat_sources_last_28": "No recorded events"
},
"score": 0.8
},
"vuln_pub_date": "1995-01-01T12:00:00.000Z",
"xref": [
"CWE #200"
]
}
},
"vulnerability": {
"category": [
"General"
],
"classification": "CVSS",
"description": "The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\n\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.",
"enumeration": "CVE",
"id": [
"CVE-1999-0524"
],
"reference": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0524"
],
"scanner": {
"vendor": "Tenable"
},
"score": {
"base": 0,
"version": "3.0"
},
"severity": "Info"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
| tenable_sc.vulnerability.accept_risk | N/A. | keyword |
| tenable_sc.vulnerability.age | The time in days between the first and last time the vulnerability was seen. | long |
| tenable_sc.vulnerability.base_score | Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. | keyword |
| tenable_sc.vulnerability.bid | The Bugtraq ID. | keyword |
| tenable_sc.vulnerability.check_type | The type of the compliance check that detected the vulnerability. | keyword |
| tenable_sc.vulnerability.cpe | The Common Platform Enumeration (CPE) number for the plugin. | keyword |
| tenable_sc.vulnerability.custom_hash | Hash of fields plugin_id, port, protocol, tenable_sc.vulnerability.id for uniqueidentifier of an vulnerability. | keyword |
| tenable_sc.vulnerability.cvss_v3_vector | Additional CVSSv3 metrics for the vulnerability. | keyword |
| tenable_sc.vulnerability.cvss_vector | Additional CVSSv2 metrics for the vulnerability. | keyword |
| tenable_sc.vulnerability.dns.name | DNS name. | keyword |
| tenable_sc.vulnerability.exploit.ease | Description of how easy it is to exploit the vulnerability. | keyword |
| tenable_sc.vulnerability.exploit.frameworks | Framework used by exploit. | keyword |
| tenable_sc.vulnerability.exploit.is_available | A value specifying whether a public exploit exists for the vulnerability. | boolean |
| tenable_sc.vulnerability.family.id | Family id of the vulnarebility. | keyword |
| tenable_sc.vulnerability.family.name | Family name of the vulnarebility. | keyword |
| tenable_sc.vulnerability.family.type | Family type of the vulnarebility. | keyword |
| tenable_sc.vulnerability.first_seen | The time and date when a scan first identified the vulnerability. | date |
| tenable_sc.vulnerability.has_been_mitigated | Indicates whether the vulnerability has been mitigated. | boolean |
| tenable_sc.vulnerability.host_uniqueness | Name of the fields used to determine the uniqueness of the host. | keyword |
| tenable_sc.vulnerability.id | String containing the values of the field names mentioned in uniqueness concatenated with '_'. | keyword |
| tenable_sc.vulnerability.ip | The ip address of the asset where a scan found the vulnerability. | keyword |
| tenable_sc.vulnerability.is_vulnerability_published | Flag for if vulnerablity is published. | boolean |
| tenable_sc.vulnerability.last_seen | The time and date when a scan most recently identified the vulnerability. | date |
| tenable_sc.vulnerability.mac | The MAC address of the asset where a scan found the vulnerability. | keyword |
| tenable_sc.vulnerability.netbios.name | NetBIOS name of the asset where a scan found the vulnerability. | keyword |
| tenable_sc.vulnerability.operating_system | The operating system of the asset where a scan found the vulnerability. | keyword |
| tenable_sc.vulnerability.patch.is_published | Flag for if vulnerablity is patched. | boolean |
| tenable_sc.vulnerability.patch.pub_date | The date on which the patch for the vulnerability was published. | date |
| tenable_sc.vulnerability.plugin.id | The ID of the plugin. | keyword |
| tenable_sc.vulnerability.plugin.info | Information regarding the plugin. | keyword |
| tenable_sc.vulnerability.plugin.is_modified | Flag for if plugin is modified. | boolean |
| tenable_sc.vulnerability.plugin.is_published | Flag for if plugin is published. | boolean |
| tenable_sc.vulnerability.plugin.mod_date | The date on which the vulnerability was modified. | date |
| tenable_sc.vulnerability.plugin.name | The name of the plugin. | keyword |
| tenable_sc.vulnerability.plugin.pub_date | The date on which the vulnerability was published. | date |
| tenable_sc.vulnerability.plugin.text | Text provided by plugin. (Usually plugin output text). | keyword |
| tenable_sc.vulnerability.port | The port the scanner used to communicate with the asset. | keyword |
| tenable_sc.vulnerability.protocol | The protocol the scanner used to communicate with the asset. | keyword |
| tenable_sc.vulnerability.recast_risk | Modified the severity risk measure of vulnerabilities using recast rules. | keyword |
| tenable_sc.vulnerability.repository.data_format | The data format of the repository. | keyword |
| tenable_sc.vulnerability.repository.description | The description of the repository. | keyword |
| tenable_sc.vulnerability.repository.id | The ID of the repository. | keyword |
| tenable_sc.vulnerability.repository.name | The name of the repository. | keyword |
| tenable_sc.vulnerability.repository.sci_id | N/A. | keyword |
| tenable_sc.vulnerability.risk_factor | The risk factor associated with the vulnerability. | keyword |
| tenable_sc.vulnerability.severity.description | The description of the severity. | keyword |
| tenable_sc.vulnerability.severity.id | The code for the severity assigned when a user recasts the risk associated with the vulnerability. | keyword |
| tenable_sc.vulnerability.solution | Remediation information for the vulnerability. | keyword |
| tenable_sc.vulnerability.stig_severity | Security Technical Implementation Guide (STIG) severity code for the vulnerability. | keyword |
| tenable_sc.vulnerability.synopsis | Brief description of the vulnerability. | keyword |
| tenable_sc.vulnerability.temporal_score | Characteristics of a vulnerability that change over time but not among user environments. | keyword |
| tenable_sc.vulnerability.uniqueness | Name of the fields used to determine the uniqueness of the vulnerability. | keyword |
| tenable_sc.vulnerability.uuid | N/A. | keyword |
| tenable_sc.vulnerability.version | The version of the vulnerability. | keyword |
| tenable_sc.vulnerability.vpr.context | The matrix of Vulnerability Priority Rating (VPR) for the vulnerability. | flattened |
| tenable_sc.vulnerability.vpr.score | The Vulnerability Priority Rating (VPR) score for the vulnerability. | double |
| tenable_sc.vulnerability.vuln_pub_date | The date on which the vulnerability was published. | date |
| tenable_sc.vulnerability.xref | References to third-party information about the vulnerability, exploit, or update associated with the plugin. | keyword |
This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.31.0 | Enhancement (View pull request) Enable Agentless deployment. |
8.18.0 or higher 9.0.0 or higher |
| 1.30.0 | Enhancement (View pull request) Add support for "Accept Risk Status" filter in vulnerability data stream. |
8.13.0 or higher 9.0.0 or higher |
| 1.29.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.13.0 or higher 9.0.0 or higher |
| 1.28.2 | Bug fix (View pull request) Updated SSL description in package manifest.yml to be uniform and to include links to documentation. |
8.13.0 or higher |
| 1.28.1 | Enhancement (View pull request) Add "vulnerability_management" category. |
8.13.0 or higher |
| 1.28.0 | Enhancement (View pull request) Update lastSeen parameter format in vulnerablity data-stream. Bug fix (View pull request) Update request header.User-Agent versions in input files. |
8.13.0 or higher |
| 1.27.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.26.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.25.0 | Enhancement (View pull request) Rename connector to Tenable Security Center. |
8.13.0 or higher |
| 1.24.0 | Enhancement (View pull request) Update tested versions note. Bug fix (View pull request) Conform agent user agent string to documented format requirement. |
8.13.0 or higher |
| 1.23.0 | Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.22.0 | Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 1.21.0 | Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 1.20.2 | Bug fix (View pull request) Clean up null handling |
8.7.1 or higher |
| 1.20.1 | Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.20.0 | Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 1.19.0 | Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.18.0 | Enhancement (View pull request) Improve 'event.original' check to avoid errors if set. |
8.7.1 or higher |
| 1.17.0 | Enhancement (View pull request) Update the package format_version to 3.0.0. |
8.7.1 or higher |
| 1.16.0 | Enhancement (View pull request) Update package to ECS 8.10.0 and align ECS categorization fields. |
8.7.1 or higher |
| 1.15.0 | Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.14.0 | Enhancement (View pull request) Update package-spec to 2.9.0. |
8.7.1 or higher |
| 1.13.0 | Enhancement (View pull request) Add tenable_sc.vulnerability.age field.Bug fix (View pull request) Update User-Agent version sent to API. |
8.7.1 or higher |
| 1.12.0 | Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.11.0 | Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 1.10.0 | Enhancement (View pull request) Update package to ECS 8.8.0. |
8.7.1 or higher |
| 1.9.0 | Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 1.8.0 | Enhancement (View pull request) Update package to ECS 8.7.0. |
8.1.0 or higher |
| 1.7.1 | Bug fix (View pull request) Drop empty event sets. |
8.1.0 or higher |
| 1.7.0 | Enhancement (View pull request) Update package to ECS 8.6.0. |
8.1.0 or higher |
| 1.6.2 | Bug fix (View pull request) Sync the build version in User-Agent header with package version. |
8.1.0 or higher |
| 1.6.1 | Bug fix (View pull request) Adding more sanity checks to pipeline |
8.1.0 or higher |
| 1.6.0 | Enhancement (View pull request) Update Aggregation visualizations to Lens, Add an on_failure processor to the convert and date processors, remove unnecessary white spaces, and convert double quotes to single quotes. |
8.1.0 or higher |
| 1.5.0 | Enhancement (View pull request) Update package to ECS 8.5.0. |
8.1.0 or higher |
| 1.4.1 | Bug fix (View pull request) Fix an indefinite pagination bug by adding explicit pagination termination conditions. In Agent versions >= 8.2.0 pagination termination was never happening. |
8.1.0 or higher |
| 1.4.0 | Enhancement (View pull request) Update package to ECS 8.4.0 |
8.1.0 or higher |
| 1.3.1 | Bug fix (View pull request) Fix proxy URL documentation rendering. |
8.1.0 or higher |
| 1.3.0 | Enhancement (View pull request) Update package to ECS 8.3.0. |
8.1.0 or higher |
| 1.2.2 | Enhancement (View pull request) Update readme - added links to tenable documentation and made the English clearer. |
8.1.0 or higher |
| 1.2.1 | Bug fix (View pull request) Add mapping for event.created |
— |
| 1.2.0 | Enhancement (View pull request) Update to ECS 8.2 |
8.1.0 or higher |
| 1.1.1 | Enhancement (View pull request) Add documentation for multi-fields |
8.1.0 or higher |
| 1.1.0 | Enhancement (View pull request) Add custom User-Agent. Added configurable response size. Added filter in vulnerability dashboard to filter hostname and vulnerability cve id. Added unique identifier to asset. |
8.1.0 or higher |
| 1.0.0 | Enhancement (View pull request) Promote to GA. |
7.16.0 or higher 8.0.0 or higher |
| 0.2.0 | Enhancement (View pull request) Update to ECS 8.0 |
— |
| 0.1.0 | Enhancement (View pull request) initial release |
— |