Common Asset Attributes

You can filter returned data from various Tenable Vulnerability Management API endpoints based on asset attributes. In addition, Vulnerability Management allows you to export asset details that include these attributes.

The asset attributes supported as filters or included in an export depend on the API endpoint you use.

For a comparison of attributes by endpoint, see Asset Attribute Availability by Endpoint.

For a full list of possible asset attributes, see Asset Attribute Definitions.

Asset Attribute Availability by Endpoint

The following table summarizes attribute availability by the following endpoints:

  1. GET /assets
  2. GET /assets/{asset_uuid}
  3. GET /assets/export/{export_uuid}/chunks/{chunk_id}
  4. GET /workbenches/assets?all_fields=default
  5. GET /workbenches/assets?all_fields=full
  6. GET /workbenches/assets/{asset_id}/info
Attribute123456
acr_scoreyesyesnoyesyesyes
acr_driversyesyesnoyesyesyes
agent_nameyesyesnoyesyesyes
aws_availability_zonenoyesyesnoyesyes
aws_ec2_instance_ami_idnoyesyesnoyesyes
aws_ec2_instance_group_namenoyesyesnoyesyes
aws_ec2_instance_idnoyesyesnoyesyes
aws_ec2_instance_state_namenoyesyesnoyesyes
aws_ec2_instance_typenoyesyesnoyesyes
aws_ec2_nameyesyesyesyesyesyes
aws_ec2_product_codenoyesyesnoyesyes
aws_owner_idnoyesyesnoyesyes
aws_regionnoyesyesnoyesyes
aws_subnet_idnoyesyesnonoyes
aws_vpc_idnoyesyesnoyesyes
azure_resource_idnoyesyesnoyesyes
azure_vm_idnoyesyesnoyesyes
bigfix_asset_idnoyesyesyesyesyes
bios_uuidnoyesyesnoyesyes
countsnononononoyes
created_atnoyesyesnoyesyes
deleted_atnonoyesyesyesno
deleted_bynonoyesyesyesno
exposure_scoreyesyesnoyesyesyes
first_scan_timenonoyesnoyesno
first_seennoyesyesnoyesyes
fqdnyesyesyesyesyesyes
gcp_instance_idnoyesyesnoyesyes
gcp_project_idnoyesyesnoyesyes
gcp_zonenoyesyesnoyesyes
has_agentyesyesyesyesyesyes
hostnamenoyesyesnoyesyes
idyesyesyesyesyesyes
installed_softwarenoyesyesnoyesyes
ipv4yesyesyesyesyesyes
ipv6yesyesyesyesyesyes
last_authenticated_scan_datenoyesyesnoyesyes
last_licensed_scan_datenoyesyesnoyesyes
last_scan_targetyesyesnoyesyesyes
last_scan_timenonoyesnoyesno
last_seenyesyesyesyesyesyes
mac_addressyesyesyesyesyesyes
manufacturer_tpm_idnonoyesnoyesno
mcafee_epo_agent_guidnoyesyesnoyesyes
mcafee_epo_guidnoyesyesnoyesyes
netbios_nameyesyesyesyesyesyes
network_idnoyesnononono
network _namenononononono
operating_systemyesyesyesyesyesyes
qualys_asset_idnoyesyesnoyesyes
qualys_host_idnoyesyesnoyesyes
scan_frequencyyesyesnoyesyesyes
servicenow_sysidnoyesyesnoyesyes
sourcesyesyesyesyesyesyes
ssh_fingerprintnoyesyesnoyesyes
symantec_ep_hardware_keynonoyesnoyesno
system_typenoyesyesnoyesyes
tagsnoyesyesnoyesyes
tenable_uuidnoyesnononoyes
terminated_atnonoyesyesyesno
terminated_bynonoyesyesyesno
time_endnononononoyes
time_startnononononoyes
updated_atnoyesyesnoyesyes
uuidnononononoyes

Asset Attribute Definitions

AttributeTypeImportableDefinition
acr_scoreintegernoThe Asset Criticality Rating (ACR) for the asset. This attribute is only present if Lumin is added to your Vulnerability Management instance. For more information, see Lumin Metrics in the Tenable Vulnerability Management User Guide.
acr_driversarray of objectsnoThe key drivers that Tenable uses to calculate an asset's Tenable-provided ACR. This attribute is only present if Lumin is added to your Vulnerability Management instance. For more information, see Lumin Metrics in the Tenable Vulnerability Management User Guide.
agent_namestringnoThe names of any Nessus agents that scanned and identified the asset.
aws_availability_zonestringyesThe availability zone where Amazon Web Services hosts the virtual machine instance, for example, 'us-east-1a'. Availability zones are subdivisions of AWS regions. For more information, see "Regions and Availability Zones" in the AWS documentation.
aws_ec2_instance_ami_idstringyesThe unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.
aws_ec2_instance_group_namestringyesThe virtual machine instance's group in AWS.
aws_ec2_instance_idstringyesThe unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.
aws_ec2_instance_state_namestringyesThe state of the virtual machine instance in AWS at the time of the scan.
aws_ec2_instance_typestringyesThe type of instance in AWS EC2.
aws_ec2_namestringyesThe name of the virtual machine instance in AWS EC2.
aws_ec2_product_codestringyesThe product code associated with the AMI used to launch the virtual machine instance in AWS EC2.
aws_owner_idstringyesThe canonical user identifier for the AWS account associated with the asset. For more information, see "AWS Account Identifiers" in the AWS documentation.
aws_regionstringyesThe region where AWS hosts the virtual machine instance, for example, 'us-east-1'. For more information, see "Regions and Availability Zones" in the AWS documentation.
aws_subnetstringyesThe unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.
aws_vpc_idstringyesThe unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.
azure_resource_idstringyesThe unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.
azure_vm_idstringyesThe unique identifier of the Microsoft Azure virtual machine instance. For more information, see "Accessing and Using Azure VM Unique ID" in the Microsoft Azure documentation.
bios_uuidstringyesThe BIOS UUID of the asset.
bigfix_asset_idstringyesThe unique identifier of the asset in HCL BigFix. For more information, see the HCL BigFix documentation.
countsobjectnoCounts of vulnerabilities on the asset, as well as counts of audit checks performed on the asset.
counts[].vulnerabilitiesobjectnoCounts of vulnerabilities on the asset.
counts[].vulnerabilities[].totalintegernoThe total number of vulnerabilities that scans have detected on the asset.
counts[].vulnerabilities[].severitiesarray of objectsnoA count of vulnerabilities by severity.
counts[].vulnerabilities[].severities[].countintegernoThe number of vulnerabilities with the specified severity.
counts[].vulnerabilities[].severities[].levelintegernoThe code for the severity. Possible values include:
  • 0—The vulnerability has a CVSS score of 0, which corresponds to the "info" severity level.
  • 1—The vulnerability has a CVSS score between 0.1 and 3.9, which corresponds to the "low" severity level.
  • 2—The vulnerability has a CVSS score between 4.0 and 6.9, which corresponds to the "medium" severity level.
  • 3—The vulnerability has a CVSS score between 7.0 and 9.9, which corresponds to the "high" severity level.
  • 4—The vulnerability has a CVSS score of 10.0, which corresponds to the "critical" severity level.
counts.vulnerabilities[].severities[].namestringnoThe severity of the vulnerability as defined using the Common Vulnerability Scoring System (CVSS) base score. Possible values include 'info' (CVSS score of 0), 'low' (CVSS score between 0.1 and 3.9), 'medium' (CVSS score between 4.0 and 6.9), 'high' (CVSS score between 7.0 and 9.9), and 'critical' (CVSS score of 10.0).
counts[].auditsobjectnoCounts of audit checks performed on the asset. For more information about audit checks, see the Tenable Vulnerability Management User Guide.
counts[].audits[].totalintegernoThe total number of audit checks that scans have performed on the asset.
counts[].audits[].statusesarray of objectsnoCounts of audit checks performed on the asset, grouped by audit status.
counts[].audits[].statuses[].countintegernoThe number of audits of the specified level that scans have performed on the asset.
counts[].audits[].statuses[].levelintegernoThe audit status level. Possible values include:
  • 1—Corresponds to 'Passed'.
  • 2—Corresponds to 'Warning'.
  • 3—Corresponds to 'Failed'.
counts[].audits[].statuses[].namestringnoThe name of the audit status level. Possible values include 'Passed', 'Warning', and 'Failed'."
created_atstringnoThe ISO timestamp when Vulnerability Management created the asset record.
deleted_atintegernoThe Unix timestamp when a user deleted the asset.
deleted_bystringnoThe user who deleted the asset record.
exposure_scoreintegerThe Asset Exposure Score (AES) for the asset. This attribute is only present if Lumin is added to your Vulnerability Management instance. For more information, see Lumin Metrics in the Tenable Vulnerability Management User Guide.
first_scan_timestringnoThe ISO timestamp when a scan first ran against the asset.
first_seenstringnoThe ISO timestamp when a scan first identified the asset.
fqdnstringyesThe fully-qualified domain name that a scan has associated with the asset record.
gcp_instance_idstringyesThe unique identifier of the virtual machine instance in GCP.
gcp_project_idstringyesThe customized name of the project to which the virtual machine instance belongs in Google Cloud Platform (GCP). For more information see "Creating and Managing Projects" in the GCP documentation.
gcp_zonestringyesThe zone where the virtual machine instance runs in GCP. For more information, see "Regions and Zones" in the GCP documentation.
has_agentbooleannoA value specifying whether a Nessus agent scan detected the asset (true).
hostnamestring or array of strings (depending on endpoint)yesA list of hostnames that a scan has associated with an asset.
idstringnoThe UUID of the asset. For more information, see the uuid definition.
installed_softwarearray of stringsyesA list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This attribute contains data only if a scan using Nessus Plugin ID 45590 has evaluated the asset.
ipv4stringyesAn IPv4 address that a scan has associated with the asset record.

Note: A CIDR mask of /0 is not supported for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Vulnerability Management returns a 400 Bad Request error message.
ipv6stringyesAn IPv6 address that a scan has associated with the asset record.
last_authenticated_scan_datestringnoThe ISO timestamp when a credentialed scan last ran on the asset.
last_licensed_scan_datestringnoThe ISO timestamp of the last scan that identified the asset as licensed. Vulnerability Management categorizes an asset as licensed if a scan of that asset has returned results from a non-discovery plugin within the last 90 days.
last_scan_targetstringThe IPv4 address, IPv6 address, or FQDN that the scanner last used to evaluate the asset.
last_scan_timestringnoThe ISO timestamp when a scan last ran against the asset.
last_seenstringnoThe ISO timestamp when the the asset was last observed by any source. For example, from a Nessus scan, agent scan, or a cloud connector.
mac_addressstringyesA MAC address that a scan has associated with the asset record.
manufacturer_tpm_idstringyesThe manufacturer's unique identifier of the Trusted Platform Module (TPM) associated with the asset.
mcafee_epo_agent_guidstringyesThe unique identifier of the McAfee ePO agent that identified the asset. For more information, see the McAfee documentation.
mcafee_epo_guidstringyesThe unique identifier of the asset in McAfee ePolicy Orchestrator (ePO). For more information, see the McAfee documentation.
netbios_namestringyesThe NetBIOS name for the asset.
network_idstringnoThe ID of the network object to which the asset belongs. For more information about network objects, see Manage Networks.
network_namestringnoThe name of the network object to which the asset belongs. For more information about network objects, see Manage Networks.
operating_systemarray of stringsyesThe operating systems that scans have associated with the asset record.
qualys_asset_idstringyesThe Asset ID of the asset in Qualys. For more information, see the Qualys documentation.
qualys_host_idstringyesThe Host ID of the asset in Qualys. For more information, see the Qualys documentation.
scan_frequencyarray of objectsnoInformation about how often scans ran against the asset during specified intervals. This attribute is only present if Lumin is added to your Vulnerability Management instance. For more information, see Lumin Metrics in the Tenable Vulnerability Management User Guide.
servicenow_sysidstringyesThe unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.
sourcesobjectnoThe entity that reported the asset details. Sources can include sensors, connectors, and API imports. Source names can be customized by your organization (for example, you specify a name when you import asset records). If your organization does not customize source names, system-generated names include:
  • AWS—You obtained the asset data from an Amazon Web Services connector.
  • NESSUS_AGENT—You obtained the asset data obtained from a Nessus agent scan.
  • PVS—You obtained the asset data from a Nessus Network Monitor (NNM) scan.
  • NESSUS_SCAN—You obtained the asset data from a Nessus scan.
  • WAS—You obtained the asset data from a Web Application Scanning scan.
ssh_fingerprintstringyesThe SSH key fingerprint that a scan has associated with the asset record.
symantec_ep_hardware_keystringyesThe hardware key for the asset in Symantec Endpoint Protection.
system_typestringyesThe system types as reported by Plugin ID 54615. Possible values include 'router', 'general-purpose', 'scan-host', and 'embedded'.
tagsobjectnoInformation about a tag assigned to the asset. With tags, you can categorize and create logical groupings of network assets in Vulnerability Management. For more information, see Tenable Vulnerability Management User Guide.
tenable_uuidarray of stringsnoThe UUID of the agent if an agent is present on the asset. If no agent is present on the asset, then the UUID is a unique identifier assigned by Vulnerability Management during a credentialed scan when the Create unique identifier on hosts scanned with credentials option is enabled. Note that no UUID is set for uncredentialed, non-agent scans.
terminated_atstringnoThe ISO timestamp when a user terminated the Amazon Web Service (AWS) virtual machine instance of the asset.
terminated_bystringnoThe user who terminated the AWS instance of the asset.
time_endstringnoThe scan end timestamp, in ISO-8601 format, when the asset was first detected.
time_startstringnoThe scan start timestamp, in ISO-8601 format, when the asset was first detected.
updated_atstringnoThe ISO timestamp when the asset record was last updated.
uuidstringnoThe UUID of the asset. Use this value as a unique key for the asset. Vulnerability Management assigns this UUID when a scan first discovers the asset. On each subsequent scan, Vulnerability Management uses multiple asset attributes to reliably identify the scanned asset (including IPv4 address, BIOS UUID, the system’s MAC Address, NetBIOS name, and FQDN). The asset UUID represents the result of Vulnerability Management's internal synchronization of asset data based on multiple scans.