Security Center

Managed on-premises, the Tenable Security Center suite of products provides the industry's most comprehensive vulnerability coverage with real-time continuous assessment of your network. It's your complete end-to-end vulnerability management solution.

Validation Criteria

Your integration with Security Center should meet the following criteria:

  • Ensure that all API calls made by your integration uses a standard User-Agent string as described in the User-Agent Header guide. This helps Tenable to identify your integration's API calls to assist with debugging and troubleshooting.
  • Contact Tenable via the Tech Alliances Application to demonstrate your third-party integration with Tenable's product or platform.
  • Explain how your integration uses Tenable's API and the specific endpoints that are being utilized. Tenable may ask to look at your integration's code to ensure scalability and to suggest best practices.
  • Ensure that your integration uses the proper naming conventions, trademarks, and logos in your integration's user interface. You can download a Media Kit on Tenable's media page.

Data Model

Security Center has multiple types of repositories or databases each with a different understanding of how to construct a composite key for a finding. The hostUniqueness attribute is used to determine which attributes were used to determine a unique host for the repository that the finding resides within. The attributes from hostUniqueness in combination with the port, protocol, and pluginID attributes define a unique finding.

The following diagram illustrates the relationships between these three data types.

Security Center Data Model

Several plugins can detect vulnerabilities on several assets, and a single plugin might detect vulnerabilities on the same asset but on different ports, so you can only uniquely identify a single finding by using a composite key (as shown in the data model diagram) with these fields:

  • hostUniqueness (use attribute values listed)
  • pluginID
  • port
  • protocol

Data Exports

Tenable Security Center integrations are powered by the same API as the user interface. Due to this lack of an asynchronous API to pull data from, you should be careful how you extract data from the platform since it's possible to significantly impact the performance of the Security Center console. You can use the analysis API to export vulnerability findings from Security Center. The analysis API is a synchronous, paginated API that pulls data from the underlying data repositories.

A high-level workflow for exporting data from Security Center is illustrated in the following diagram.

Security Center Export Flow

Requests to the analysis API include three items:

  1. Data Type & Source—The type of data being exported (cumulative data, individual scans, mobile data, etc.). The most commonly used values are as follows:
    • Type
      • vuln—For vulnerability and compliance findings.
    • SourceTypes
      • cumulative—For current active vulnerability data (stateful).
      • patched—For fixed or remediated vulnerability data (stateful).
      • individual—For singular scan results (not stateful).
  2. Visibility Tool—Determines how the data should be summarized (if at all). The tool informs Security Center what level of summarization you want from the data. Typically, for most data exports, you should avoid summarization and opt for raw data. Tenable recommends using the vulndetails tool for the majority of cases.
  3. Filters—Determines the subset of the information to include in the export. Security Center has powerful filtering capabilities, covering everything from asset groups, finding specifics, to temporal state, and vulnerability plugin specifics. Leverage the Query API to use a predetermined filter set, and then augment that filter set with known filters like temporal filters. If you follow the recommendation of fetching a predetermined filter set from the query API, then you only need to consider the following filters:
    • lastSeen (temporal, source: cumulative_)—Filters the results by the last time a scan observed the vulnerability.
    • lastMitigated (temporal, source:patched)—Filters the results by the time in which a vulnerability was observed as fixed, patched, or remediated.

Note that temporal filters can be used in several ways, the most common are:

  • Temporal Delta:—Filters the results by calendar days. The format is NUM:NUM where each number represents the number of calendar days in the past. For example, 0:30 equates to "30 days ago to today." The user interface typically defaults to this style.
  • Unix Timestamp—Filters the results by Unix timestamp. This is the most commonly used format for large-scale exports. The format is NUM-NUM (note the dash instead of a colon) where each number is a Unix timestamp. Note that the order in which the numbers are used is reversed from the previous example. The first number is the oldest time and the second number is the newest. For example, 1668961007-1671552959 equates to "from Nov 20, 2022 at 16:16:47 to Dec 20, 2022 at 16:15:59."

For an exhaustive list of the supported data types and supported filters, refer to the Query Data Types detailed within the Query POST API.

Additionally, Tenable recommends a page size between 2000 to 10000 for the pagination of export data from Security Center. If page size is too large the Security Center console might not be able to field the request since it first constructs the page in memory before sending the response. If the page size is too small, Security Center experience additional churn on the system as it pulls data from the various repositories and it takes a long time to return the entire dataset.

Example export request for cumulative vulnerability data from the previous day

POST /rest/analysis
    "type": "vuln",
    "sourceType": "cumulative",
    "query": {
        "tool": "vulndetails",
        "type": "vuln",
        "filters": [ {
            "filterName ": "lastSeen",
            "operator ": "=",
            "value": "0:1"
        } ],
        "startOffset": 0,
        "endOffset": 5000

Example pyTenable code snippet for cumulative vulnerability data from the previous day

from import TenableSC

tsc = TenableSC(url='https://sc-instance', access_key='abc', secret_key='def')

for finding in tsc.analysis.vulns(('lastSeen', '=', '0:1')):