    Understanding the Tenable Vulnerability Integration


    The Vulnerability Response Integration with Tenable application, developed by ServiceNow engineering for the Tenable Vulnerability Integration, uses data imported from the Tenable.io and Tenable.sc products to help you prioritize and remediate vulnerabilities for your assets. The application is available with a separate subscription from the ServiceNow® Store.

    Starting with version 12.1 of Vulnerability Response, the Tenable Vulnerability Integration employs two Tenable integrations, Tenable.io and Tenable.sc, to import third-party scanner data about your assets and vulnerabilities. The Vulnerability Response Integration with Tenable application supports the Tenable.sc product starting with version 5.13.
    • Tenable.io is a cloud-based enterprise integration.
    • Tenable.sc is an on-premises integration that gives you the option to use a MID Server if the Tenable.sc product and your Now Platform instance are in the same environment.
    • If the Tenable.sc product and your Now Platform instance are not in the same environment, you are required to use a MID Server.

    The Vulnerability Response Integration with Tenable application is available on the ServiceNow Store with a separate subscription.

    Tenable Vulnerability Integration

    Available versions for Paris

    Release version Release notes

    Vulnerability Response Integration with Tenable v2.1

    Vulnerability Response Integration with Tenable v2.0

    Vulnerability Response release notes

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Terms and Key features of the integrations

    Vulnerable items and vulnerabilities
    A vulnerable item is created in your Now Platform instance when:
    • An imported vulnerability from a third-party scanner is matched to an existing asset (a configuration item in your CMDB). The Tenable product refers to these matches as vulnerabilities.
    • An imported vulnerability from a third-party scanner is not matched to an existing asset in your CMDB. In this case, an unmatched CI is also created along with a vulnerable item.

      For unmatched CIs, you can also use the Identification and Reconciliation Engine (IRE) to create CIs in two new classes when an existing CI cannot be matched with a host. Otherwise, unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine.

    Third-party vulnerability entries and plugins
    Third-party vulnerability entries are imported from third-party scanners and listed in the Third-Party Vulnerability Entries table in your Now Platform instance. Third-party vulnerability entries from Tenable are ingested and used to search for matches to existing assets listed in your CMDB. Tenable refers to third-party vulnerability entries as Plugins.
    Configuration item (CI)
    Configuration items are the existing assets listed in your CMDB.
    Discovered item
    Assets ingested from the Tenable asset import are matched to existing configuration items in your CMDB. Imported assets are updated.

    If a match is not found, a CI is created in the Unmatched CI class of the CMDB. If the CMDB CI Class Models plugin is enabled, the Identification and Reconciliation Engine (IRE) creates new CIs using new classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. If the original, unmatched CI is reclassified, discovered item records are updated to reflect the state. Discovered items give you visibility into how assets are identified and mapped to CIs in the CMDB.

    CI lookup rules
    When data is imported from a third-party integration, Vulnerability Response automatically uses host (asset) data to search for matches in the Configuration Management Database (CMDB). CI lookup rules are used to identify CIs and add them to VI records when VIs are created to aid you with remediation.
    Rescan and remediation scan
    You can initiate a targeted rescan command on a specific configuration item, vulnerability group, or third-party entry directly from vulnerable item, vulnerability group, and third-party vulnerability entry records in your Now Platform instance. Tenable refers to this rescan as a remediation scan.
    Automatically close older VIs
    With the Auto-Close Stale Vulnerable Items module in your Now Platform, you can clean up older, stale vulnerable items (VIs) not recently found by your third-party integrations. Moving these VIs to Closed helps you reduce the number of active vulnerable items and vulnerability groups and reconcile assets in your CMDB. You can use all the integrations with the Vulnerability Response Integration with Tenable to automatically close stale VIs.

    The Tenable.io and Tenable.sc integrations also include the following key features:

    • Starting with v2.1 of the Tenable Vulnerability Integration, create unique configuration items (CIs) that include different network partition identifiers for assets in your environment that share the same IP address. Identify the distinct assets across your environment and update the CIs on your existing discovered item, vulnerable item, and detection records to give you more details about your vulnerabilities.
    • You can schedule when you want the jobs to run for all the Tenable.io and Tenable.sc integrations. You can also execute scheduled jobs manually on-demand.
    • For asset imports with Tenable.io, you can enable asset tags to organize and track the assets listed in your CMDB in the Tenable.io environment.
    • The Tenable.io and Tenable.sc integrations permit you to configure CI Lookup Rules to define how asset data from third-party sources are used to identify Configuration Items (CIs) in your Now Platform CMDB.
    • The Tenable.io and Tenable.sc integrations permit you to set import filters on the vulnerabilities import so that you import only the vulnerabilities from Tenable that you want. For Tenable.io, you have the option to import Fixed vulnerabilities from Tenable with the vulnerabilities import.
    • For Tenable.sc, you have the option to initiate rescans on-demand directly from vulnerable item, vulnerability group, and third-party entry records in your Now Platform instance. If VIs have been transitioned to Closed/Fixed but are not yet updated in your instance, you can verify vulnerabilities on specific configuration items have been remediated. See Initiate rescan for the Tenable.sc integration.

    The following sections list more details about the Tenable integrations.

    Required Now Platform roles

    The integration tasks require the following roles in your Now Platform instance.

    Starting with v10.3, persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    admin
    The system admin uses Setup Assistant to install the Vulnerability Response Integration with Tenable application. If not assigned, the admin assigns the vulnerability admin (sn_vul.vulnerability_admin) and other roles in Setup Assistant.
    sn_vul.vulnerability_admin
    Once assigned, the vulnerability admin completes the configuration of the Tenable integrations in Setup Assistant. This role has complete access to the Vulnerability Response (VR) application and its records. The vulnerability admin configures all VR applications and rules for installed third-party integrations.
    sn_vul_tenable.configure_integration
    This role contains the sn_vul_tenable.read_integration granular role and users with this role can configure the Vulnerability Response Integration with Tenable application.
    sn_vul_tenable.read_integration
    Users with this role can view (read) but not edit records of the Vulnerability Response Integration with Tenable application.
    Vulnerability Response group
    By default, the Vulnerability Response group is available in Setup Assistant. Users assigned to the Vulnerability Response group inherit the sn_vul.read_all and sn_vul.remediation_owner roles automatically.

    Tenable.io and Tenable.sc Integrations

    Multi-source is supported for all of the Tenable.io and Tenable.sc integrations. You can add and deploy multiple instances of the following integrations across your environment from Setup Assistant in Vulnerability Response. You also install and configure the Vulnerability Response Integration with Tenable application from Setup Assistant.

    Table 1. Tenable.io integrations
    Integration Description
    Tenable.io Assets Integration
    • Retrieves all asset data, including asset tags, from the Tenable.io product and processes it in your instance.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Asset API.
    • The output of this integration is discovered items.
    • Data is imported in chunks and stored in the [sn_vul_tenable_chunk_status] table. Table cleaner automatically removes stored data from this table after 30 days.
    Tenable.io Plugin Integration
    • Retrieves the plugin data from the Tenable.io product. Retrieved data are based on the date the plugins were last updated by a Tenable.io integration run.
    • This import ensures that the Tenable.io Identifiers (Ten IDs) are current.
    • Coordinates the REST message calls to the Plugin API.
    • The output of this integration is third-party vulnerabilities.
    Tenable.io Fixed Vulnerabilities Integration
    • Retrieves vulnerability data based on severity filters from the Tenable.io product and processes it in your instance.
    • When the flag Fixed Vulnerabilities is enabled in Setup Assistant, it creates new VIs in the Fixed state.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.
    • The output of this integration is Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don't exist.
    • Data is imported in chunks and stored in the [sn_vul_tenable_chunk_status] table. Table cleaner automatically removes stored data from this table after 30 days.

    This integration run is scheduled. It is a chained integration, which means after a run is successfully completed, the open vulnerabilities integration described below is triggered.

    Tenable.io Open Vulnerabilities Integration
    • This integration is triggered upon successful completion of the Tenable.io Fixed Vulnerabilities Integration.
    • Retrieves vulnerability data based on the severity filters from the Tenable.io product and processes it in your instance.
    • Creates corresponding vulnerable items for active vulnerabilities.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.
    • The output of this integration is New/Reopened vulnerable items (VIs). It also creates configuration items and third-party entries if they don't exist.
    • Data is imported in chunks and stored in the [sn_vul_tenable_chunk_status] table. Table cleaner automatically removes stored data from this table after 30 days.
    Table 2. Tenable.sc integrations
    Integration Description
    Tenable.sc Assets Integration
    • Retrieves all asset data from the Tenable.sc product and processes it in your instance.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Assets API.
    • The output of this integration is discovered items.
    Tenable.sc Plugin Integration
    • Retrieves the plugin data from the Tenable.sc product. Retrieved data are based on the date the plugins were last updated by a Tenable.sc integration run.
    • This import ensures that the Tenable.sc Identifiers (Ten IDs) are current and only active vulnerabilities are imported.
    • Coordinates the REST message calls to the Plugins API.
    • The output of this integration is third-party vulnerabilities.
    Tenable.sc Fixed Vulnerabilities Integration
    • Retrieves vulnerability data based on the query filters you configure for the Tenable.sc product and selected in Setup Assistant and processes it in your instance.
    • When the flag Fixed Vulnerabilities is enabled in Setup Assistant, it creates new VIs in the Fixed state.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.
    • The output of this integration is Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don't exist.

    This integration run is scheduled. It is a chained integration, which means after a run is successfully completed, the Tenable.sc Open Vulnerabilities Integration described below is triggered.

    Tenable.sc Open Vulnerabilities Integration
    • This integration is triggered upon successful completion of the Tenable.sc Fixed Vulnerabilities Integration.
    • Retrieves vulnerability data based on the query filters selected from the Tenable.sc product and processes it in your instance.
    • Creates corresponding vulnerable items for active vulnerabilities.
    • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
    • Coordinates the REST message calls to the Vulnerabilities API.
    • The output of this integration is updated vulnerable items (VIs), or new VIs if they do not already exist. It also creates configuration items and third-party entries if they don't exist.
    Tenable.sc Scan Credential Integration
    • This integration retrieves the scan credentials configured in Tenable.sc.
    • Coordinates the REST message calls to the Credentials API.
    • The output of this integration is scan credentials populated in the [sn_vul_tenable_scan_credential] table.
    • The imported credentials are used to access the scanner when scan requests are initiated from the Now Platform.
    • This integration is scheduled to run weekly.

    Vulnerable items are grouped into vulnerability groups according to group rules and assigned for remediation based on your assignment rules. For more information, see Vulnerability Response groups and group rules overview and Vulnerability Response assignment rules overview.

    Configuration item (CI) lookup rules

    CI Lookup Rules identify CIs and determine when to add them to a vulnerable item. For more information on how CI lookup rules work, see CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
    Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, disable them when creating new ones.
    The following Tenable.io lookup rules are shipped with the base system.
    • MAC_ADDRESS
    • FQDN
    • NetBIOS
    • HostName
    • DNS
    • IP
    The following Tenable.sc lookup rules are shipped with the base system.
    • MAC_ADDRESS
    • FQDN
    • NetBIOS
    • IP
    Note: Multiple values for ip_address, mac_address, fqdns and network_interfaces are used for an asset. All values are considered in CI lookup rules for matching. All values are used to create multiple network adapters using IRE.

    New properties to ignore IP addresses

    In Tenable.io, there are two properties available if you want to ignore multiple IP addresses or multiple MAC addresses as part of your CI lookup rules:
    ignoreIPAddress
    A list of IP addresses to be ignored for CI lookup and CI creation.
    ignoreMacAddress
    A list of MAC addresses to be ignored for CI lookup or CI creation.
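
The following added example (not code from the application or from ServiceNow) models in plain JavaScript how the ignoreIPAddress and ignoreMacAddress lists change the outcome of CI lookup when an asset reports a placeholder MAC address or a shared gateway IP. The rule names and asset field names come from this page; the rule order, the CI field names, the handling of ambiguous matches, and all sample records are assumptions constructed for illustration.

```javascript
'use strict';
// Plain-JavaScript model of CI lookup with ignore lists. No Now Platform APIs are used.

// Normalizers so that formatting differences do not defeat (or fake) a match.
const normMac = (m) => String(m).toLowerCase().replace(/[^0-9a-f]/g, '');
const normName = (n) => String(n).trim().toLowerCase().replace(/\.$/, '');
const normIp = (ip) => String(ip).trim().toLowerCase();

// Rule names are those listed on the page. Evaluation order and the
// asset-field to CI-field mapping are assumptions made for this example.
const RULES = [
  { name: 'MAC_ADDRESS', assetField: 'mac_address', ciField: 'macs', norm: normMac, ignoreKey: 'ignoreMacAddress' },
  { name: 'FQDN', assetField: 'fqdns', ciField: 'fqdns', norm: normName },
  { name: 'NetBIOS', assetField: 'netbios_name', ciField: 'netbios', norm: normName },
  { name: 'IP', assetField: 'ip_address', ciField: 'ips', norm: normIp, ignoreKey: 'ignoreIPAddress' },
];

// Returns { ci, rule, skipped }. ci is null when no rule identifies exactly
// one CI, which corresponds to the "unmatched CI" outcome described above.
function lookupCi(asset, cmdb, props = {}) {
  const skipped = [];
  for (const rule of RULES) {
    const ignore = new Set((props[rule.ignoreKey] || []).map(rule.norm));
    const values = [];
    // Every value reported for the asset is considered, not only the first.
    for (const raw of asset[rule.assetField] || []) {
      const v = rule.norm(raw);
      if (!v) continue;
      if (ignore.has(v)) { skipped.push({ rule: rule.name, value: raw }); continue; }
      values.push(v);
    }
    if (values.length === 0) continue;
    const hits = cmdb.filter((ci) =>
      (ci[rule.ciField] || []).some((x) => values.includes(rule.norm(x))));
    if (hits.length === 1) return { ci: hits[0].name, rule: rule.name, skipped };
    // Assumption: a rule that matches several CIs decides nothing; try the next rule.
  }
  return { ci: null, rule: null, skipped };
}

// Constructed sample CMDB: a web server and a VPN gateway whose record
// carries an all-zero placeholder MAC address.
const CMDB = [
  { name: 'web-01', macs: ['00:50:56:AA:BB:01'], fqdns: ['web-01.corp.example'], ips: ['192.0.2.10'] },
  { name: 'vpn-gw-01', macs: ['00:00:00:00:00:00'], fqdns: ['vpn-gw-01.corp.example'], ips: ['198.51.100.1'] },
];

// Constructed asset: a laptop scanned through the VPN. It reports the
// placeholder MAC and the gateway's address, and has no FQDN.
const LAPTOP = { mac_address: ['00-00-00-00-00-00'], fqdns: [], ip_address: ['198.51.100.1'] };

// Constructed asset: the web server, reporting a virtual adapter's
// placeholder MAC in addition to its real one.
const WEB = {
  mac_address: ['00:00:00:00:00:00', '00:50:56:aa:bb:01'],
  fqdns: ['WEB-01.corp.example.'],
  ip_address: ['192.0.2.10'],
};

const IGNORE = { ignoreMacAddress: ['00:00:00:00:00:00'], ignoreIPAddress: ['198.51.100.1'] };

// Without the ignore lists the laptop's findings would land on the gateway CI.
console.log('laptop, no ignore lists :', lookupCi(LAPTOP, CMDB));
console.log('laptop, ignore lists    :', lookupCi(LAPTOP, CMDB, IGNORE));
console.log('web-01, no ignore lists :', lookupCi(WEB, CMDB));
console.log('web-01, ignore lists    :', lookupCi(WEB, CMDB, IGNORE));
```

Ignoring only the MAC address is not enough for the laptop in this sample: the shared gateway IP still matches, so both lists need the shared values before the asset falls through to the unmatched outcome.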

    Discovered items

    This module lists configuration items detected during import from the Tenable Vulnerable Item integrations and the Tenable Asset integrations.
    Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
    For more information on the Discovered Items module, see Discovered Items.

    Asset tags

    Asset tags (also referred to as host tags) are used for organizing and tracking the assets in your organization. You can assign tags to your assets. Then, when launching scans, you can select tags associated with the assets you want to scan. The Asset Tags module allows you to download asset tag data from Tenable.io to your instance on a scheduled basis. Asset data that includes asset tags is pulled from Tenable.io and transformed using the Tenable.io Asset Transform integration transformation maps.

    All Asset tags are imported as part of the Tenable.io Asset integration. Asset tags are generally used for filtering in Vulnerability Response assignment rules and Vulnerability Group Rules. The tags are displayed in the Discovered Item form.
    Note: Run the Tenable.io Asset Integration prior to creating Vulnerability Response assignment rules or Vulnerability group rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
    • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Asset tag table. San Diego and SAN DIEGO are considered to be the same asset tag by the system. Whichever tag is imported first is the tag that is stored and recognized going forward.
    • Using asset tags as a Group Key in a Vulnerability Group Rule may have unexpected results. Asset tags are intended for use only in the Condition builder.
    • Asset tags are controlled by the global system property sn_vul.import_asset_tags. This property is set to true by default. Disabling tags disables them across all Now Platform® instances.

    Data retrieval filters

    Data retrieval settings help you determine specifically the type and scope of data you want to import from the Tenable application to your Now Platform® instance. For a list of the most commonly used settings, see Data retrieval settings for the Tenable Vulnerability Integration.

    Vulnerability Priority Rating (VPR)

    The Vulnerability Priority Rating (VPR) is an attribute from the Tenable product that is imported and used with a new default risk calculator in Vulnerability Response. The Tenable Risk Rule is installed with the Vulnerability Response Integration with Tenable application as part of the Default Risk Calculator in the Vulnerability Calculators from Vulnerability Response.

    This risk rule is disabled by default.

    By enabling the Tenable risk calculator rule, the imported VPR values are used to calculate the Risk Score for vulnerable items. The default weight distribution for this risk calculator is VPR = 70%, Asset = 15%, and Business Criticality = 15%. Enabling this Tenable Risk Calculator rule may impact your data ingestion performance. For more information about Vulnerability Response calculators and the Tenable risk calculator rule, see Vulnerability Response calculators and vulnerability calculator rules.

    Installation and configuration

    After you download the Vulnerability Response Integration with Tenable from the ServiceNow® Store, installation and configuration are supported by the Setup Assistant in Vulnerability Response. See Configuring Vulnerability Response using the Setup Assistant for more information.

      • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
      • Coordinates the REST message calls to the Vulnerabilities API.
      • The output of this integration is New/Reopened vulnerable items (VIs). It also creates configuration items and third-party entries if they don't exist.
      • Data is imported in chunks and stored in the [sn_vul_tenable_chunk_status] table. Table cleaner automatically removes stored data from this table after 30 days.
      Table 2. Tenable.sc integrations
      Integration Description
      Tenable.sc Assets Integration
      • Retrieves all asset data from the Tenable.sc product and processes it in your instance.
      • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
      • Coordinates the REST message calls to the Assets API.
      • The output of this integration is discovered items.
      Tenable.sc Plugin Integration
      • Retrieves the plugin data from the Tenable.sc product. Retrieved data are based on the date the plugins were last updated by a Tenable.sc integration run.
      • This import ensures that the Tenable.sc Identifiers (Ten IDs) are current and only active vulnerabilities are imported.
      • Coordinates the REST message calls to the Plugins API.
      • The output of this integration is third-party vulnerabilities.
      Tenable.sc Fixed Vulnerabilities Integration
      • Retrieves vulnerability data based on the query filters you configure for the Tenable.sc product and selected in Setup Assistant and processes it in your instance.
      • When the flag Fixed Vulnerabilities is enabled in Setup Assistant, it creates new VIs in the Fixed state.
      • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
      • Coordinates the REST message calls to the Vulnerabilities API.
      • The output of this integration is Closed/Fixed vulnerable items (VIs). It also creates assets and third-party entries if they don't exist.

      This integration run is scheduled. It is a chained integration, which means that after a run is successfully completed, the Tenable.sc Open Vulnerabilities Integration described below is triggered.

      Tenable.sc Open Vulnerabilities Integration
      • This integration is triggered upon successful completion of the Tenable.sc Fixed Vulnerabilities Integration.
      • Retrieves vulnerability data based on the query filters selected from the Tenable.sc product and processes it in your instance.
      • Creates corresponding vulnerable items for active vulnerabilities.
      • Creates unique CIs for unmatched assets, or updates existing CIs with the network partition identifier attribute for assets across your environment that share the same IP address.
      • Coordinates the REST message calls to the Vulnerabilities API.
      • The output of this integration is updated vulnerable items (VIs), or new VIs if they do not already exist. It also creates configuration items and third-party entries if they don't exist.
      Tenable.sc Scan Credential Integration
      • This integration retrieves the scan credentials configured in Tenable.sc.
      • Coordinates the REST message calls to the Credentials API.
      • The output of this integration is scan credentials populated in the [sn_vul_tenable_scan_credential] table.
      • The imported credentials are used to access the scanner when scan requests are initiated from the Now Platform.
      • This integration is scheduled to run weekly.

      Vulnerable items are grouped into vulnerability groups according to group rules and assigned for remediation based on your assignment rules. For more information, see Vulnerability Response groups and group rules overview and Vulnerability Response assignment rules overview.

      Configuration item (CI) lookup rules

      CI Lookup Rules identify CIs and determine when to add them to a vulnerable item. For more information on how CI lookup rules work, see CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.
      Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, disable them when creating new ones.
      The following Tenable.io lookup rules are shipped with the base system.
      • MAC_ADDRESS
      • FQDN
      • NetBIOS
      • HostName
      • DNS
      • IP
      The following Tenable.sc lookup rules are shipped with the base system.
      • MAC_ADDRESS
      • FQDN
      • NetBIOS
      • IP
      Note: Multiple values for ip_address, mac_address, fqdns and network_interfaces are used for an asset. All values are considered in CI lookup rules for matching. All values are used to create multiple network adapters using IRE.

      New properties to ignore IP addresses

      In Tenable.io, two properties are available if you want to ignore multiple IP addresses or multiple MAC addresses as part of your CI lookup rules:
      ignoreIPAddress
      A list of IP addresses to be ignored for CI lookup and CI creation.
      ignoreMacAddress
      A list of MAC addresses to be ignored for CI lookup or CI creation.
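
      The following added example is a conceptual model, not ServiceNow or Tenable code. It shows why a shared address (here a VPN gateway IP) can attach an asset to the wrong CI, and how an ignore list changes the outcome. The rule evaluation order, the CMDB record shape, case-insensitive comparison, and the restriction to three of the shipped rules are assumptions; only the property names and the asset field names come from this page.

```javascript
// Conceptual model, not ServiceNow code. Rule order, field mapping, and
// case-insensitive comparison are assumptions made for this illustration.
const RULES = [
  { name: 'MAC_ADDRESS', assetField: 'mac_address', ciField: 'macs' },
  { name: 'FQDN', assetField: 'fqdns', ciField: 'fqdns' },
  { name: 'IP', assetField: 'ip_address', ciField: 'ips' },
];
const norm = (v) => String(v).trim().toLowerCase();

// Returns the first CI matched by any rule, or an unmatched result.
function lookupCI(asset, cmdb, ignore = {}) {
  const ignored = {
    ip_address: new Set((ignore.ignoreIPAddress || []).map(norm)),
    mac_address: new Set((ignore.ignoreMacAddress || []).map(norm)),
  };
  for (const rule of RULES) {
    const skip = ignored[rule.assetField] || new Set();
    // All reported values for the field are candidates, minus ignored ones.
    const values = (asset[rule.assetField] || []).map(norm).filter((v) => !skip.has(v));
    for (const ci of cmdb) {
      const ciValues = (ci[rule.ciField] || []).map(norm);
      const hit = values.find((v) => ciValues.includes(v));
      if (hit) return { matched: true, ci: ci.name, rule: rule.name, value: hit };
    }
  }
  // No rule matched: the asset is treated as unmatched.
  return { matched: false, ci: null, rule: null, value: null };
}

// Constructed sample data using documentation-range addresses.
const cmdb = [
  { name: 'vpn-gateway-01', macs: ['00:00:5e:00:53:01'], fqdns: ['vpn.example.com'], ips: ['192.0.2.1'] },
  { name: 'hr-laptop-07', macs: ['00:00:5e:00:53:aa'], fqdns: [], ips: ['198.51.100.23'] },
];
// A host scanned through the VPN reports the shared gateway IP with its own.
const asset = { mac_address: ['00:00:5E:00:53:BB'], fqdns: [], ip_address: ['192.0.2.1', '203.0.113.40'] };

function demo() {
  return {
    withoutIgnore: lookupCI(asset, cmdb), // mis-attributed to vpn-gateway-01
    withIgnore: lookupCI(asset, cmdb, { ignoreIPAddress: ['192.0.2.1'] }), // unmatched
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

      An ignored IP address does not block a match on another identifier: a host whose MAC address is already in the CMDB still matches through the MAC_ADDRESS rule.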

      Discovered items

      This module lists configuration items detected during import from the Tenable Vulnerable Item integrations and the Tenable Asset integrations.
      Note: The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.
      For more information on the Discovered Items module, see Discovered Items.

      Asset tags

      Asset tags (also referred to as host tags) are used for organizing and tracking the assets in your organization. You can assign tags to your assets. Then, when launching scans, you can select tags associated with the assets you want to scan. The Asset Tags module allows you to download asset tag data from Tenable.io to your instance on a scheduled basis. Asset data that includes asset tags is pulled from Tenable.io and transformed using the Tenable.io Asset Transform integration transformation maps.

      All Asset tags are imported as part of the Tenable.io Asset integration. Asset tags are generally used for filtering in Vulnerability Response assignment rules and Vulnerability Group Rules. The tags are displayed in the Discovered Item form.
      Note: Run the Tenable.io Asset Integration prior to creating Vulnerability Response assignment rules or Vulnerability group rules in the Vulnerability Response application so that all tags are available for these rules before vulnerable items are imported and grouped. Also note the following points about tags:
      • Tag storage is not case sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Asset tag table. San Diego and SAN DIEGO are considered to be the same asset tag by the system. Whichever tag is imported first is the tag that is stored and recognized going forward.
      • Using asset tags as a Group Key in a Vulnerability Group Rule may have unexpected results. Asset tags are intended for use only in the Condition builder.
      • Asset tags are controlled by the global system property sn_vul.import_asset_tags. This property is set to true by default. Disabling tags disables them across all Now Platform® instances.

      Data retrieval filters

      Data retrieval settings help you determine specifically the type and scope of data you want to import from the Tenable application to your Now Platform® instance. For a list of the most commonly used settings, see Data retrieval settings for the Tenable Vulnerability Integration.

      Vulnerability Priority Rating (VPR)

      The Vulnerability Priority Rating (VPR) is an attribute from the Tenable product that is imported and used with a new default risk calculator in Vulnerability Response. The Tenable Risk Rule is installed with the Vulnerability Response Integration with Tenable application as part of the Default Risk Calculator in the Vulnerability Calculators from Vulnerability Response.

      This risk rule is disabled by default.

      When the Tenable risk calculator rule is enabled, the imported VPR values are used to calculate the Risk Score for vulnerable items. The default weight distribution for this risk calculator is VPR = 70%, Asset = 15%, and Business Criticality = 15%. Enabling this Tenable Risk Calculator rule may impact your data ingestion performance. For more information about Vulnerability Response calculators and the Tenable risk calculator rule, see Vulnerability Response calculators and vulnerability calculator rules.

      Installation and configuration

      After you download the Vulnerability Response Integration with Tenable from the ServiceNow® Store, installation and configuration is supported by the Setup Assistant in Vulnerability Response. See Configuring Vulnerability Response using the Setup Assistant for more information.
