Export File Formats

nessus_export

Data from a workbench represented in the XML-based .nessus format. Within the Report node, one or more ReportHost nodes will be found, and within the ReportHost node, one or more ReportItem nodes will be found. The 'name' attribute in the ReportHost node usually defaults to the value used to scan the host. If this was an IP, then it will be the IP specified; if this is a FQDN, it will be the FQDN. The values for 'example-tag' and 'example_node' are explained respectively in the nessus_export_host and nessus_export_plugin sections below.

<?xml version="1.0" ?>
<NessusClientData_v2>
    <Report name="{string}" xmlns:cm="http://www.nessus.org/cm">
        <ReportHost name="{string}">
            <HostProperties>
                <tag name="example-tag">{value type}</tag>
                ...
            </HostProperties>
            <ReportItem pluginFamily="{string}" severity="{string}" protocol="{string}" pluginName="{string}" pluginID="{string}" svc_name="{string}" port="{string}">
                <example_node>{value type}</example_node>
                ...
            </ReportItem>
            ...
        </ReportHost>
        ...
    </Report>
</NessusClientData_v2>

nessus_export_host

A sample HostProperties node from a workbench .nessus export representing a host that has been found to have one or more vulnerabilities.

<HostProperties>
    <tag name="bios-uuid">{string}</tag>
    <tag name="host-fqdn">{string}</tag>
    <tag name="hostname">{string}</tag>
    <tag name="host-ip">{string}</tag>
    <tag name="host-uuid">{string}</tag>
    <tag name="HOST_START">{string}</tag>
    <tag name="HOST_END">{string}</tag>
    <tag name="local-checks-proto">{string}</tag>
    <tag name="mac-address">{string}</tag>
    <tag name="mcafee-epo-guid">{string}</tag>
    <tag name="netbios-name">{string}</tag>
    <tag name="operating-system">{string}</tag>
    <tag name="system-type">{string}</tag>
</HostProperties>

nessus_export_plugin

A sample ReportItem node from a workbench .nessus export representing a single instance of a vulnerability found by a Nessus or Nessus Network Monitor (NNM) plugin. The same vulnerability could also be found again on a different Port for the same host, which would result in another ReportItem for the same vulnerability.

<ReportItem pluginFamily="{string}" severity="{string}" protocol="{string}" pluginName="{string}" pluginID="{string}" svc_name="{string}" port="{string}">
    <bid>{string}</bid>
    <canvas_package>{string}</canvas_package>
    <cve>{string}</cve>
    <cvss_base_score>{string}</cvss_base_score>
    <cvss_temporal_score>{string}</cvss_temporal_score>
    <cvss_temporal_vector>{string</cvss_temporal_vector>
    <cvss_vector>{string}</cvss_vector>
    <cvss3_base_score>{string}</cvss3_base_score>
    <cvss3_temporal_score>{string}</cvss3_temporal_score>
    <cvss3_temporal_vector>{string}</cvss3_temporal_vector>
    <cvss3_vector>{string}</cvss3_vector>
    <d2_elliot_name>{string}</d2_elliot_name>
    <description>{string}</description>
    <exploit_available>{boolean}</exploit_available>
    <exploited_by_nessus>{boolean}</exploited_by_nessus>
    <exploit_framework_canvas>{string}</exploit_framework_canvas>
    <exploit_framework_core>{string}</exploit_framework_core>
    <exploit_framework_exploithub>{string}</exploit_framework_exploithub>
    <exploit_framework_metasploit>{string}</exploit_framework_metasploit>
    <exploit_framework_d2_elliot>{string}</exploit_framework_d2_elliot>
    <exploited_by_malware>{boolean}</exploited_by_malware>
    <first_found>{string}</first_found>
    <has_patch>{boolean}</has_patch>
    <in_the_news>{boolean}</in_the_news>
    <last_found>{string}</last_found>
    <last_fixed>{string}</last_fixed>
    <malware>{boolean}</malware>
    <metasploit_name>{string}</metasploit_name>
    <patch_publication_date>{string}</patch_publication_date>
    <plugin_modification_date>{string}</plugin_modification_date>
    <plugin_publication_date>{string}</plugin_publication_date>
    <plugin_output>{string}</plugin_output>
    <plugin_type>{string}</plugin_type>
    <plugin_version>{string}</plugin_version>
    <risk_factor>{string}</risk_factor>
    <solution>{string}</solution>
    <synopsis>{string}</synopsis>
    <unsupported_by_vendor>{boolean}</unsupported_by_vendor>
    <vulnerability_state>{string}</vulnerability_state>
    <vuln_publication_date>{string}</vuln_publication_date>
    <xref>{string}</xref>
    <see_also>{string}</see_also>
</ReportItem>

csv_export

The field names used in a CSV export:

  • Plugin ID
  • CVE
  • CVSS
  • Risk
  • Host
  • Protocol
  • Port
  • Name
  • Synopsis
  • Description
  • Solution
  • See Also
  • Plugin Output