Am I reading the correct user guide?
Am I reading the correct user guide?
Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.
To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.
Connector details
About Tenable Cloud Security
Tenable Cloud Security is a platform designed to secure cloud-native environments by providing continuous monitoring, risk assessment, and automated remediation for cloud resources. It helps organizations manage and reduce risks across public cloud infrastructures like AWS, Azure, and Google Cloud by identifying real-time vulnerabilities, misconfigurations, and compliance issues. The platform allows visibility into cloud environments, enabling organizations to ensure security best practices are followed while offering tools to detect threats and prioritize vulnerabilities based on the potential impact on the business.
Support scope
Supported products | |
Category | Cloud |
Ingestion type | Assets and vulnerabilities |
Ingested asset type(s) | Hosts Images Cloud Resources Websites |
Integration type | UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Tenable Cloud user with a Viewer role for API.
Credentials [API/Token/Username and pass]
Generating credentials/API token
Log into your Tenable Cloud Security Console.
Navigate to Settings > API.
Select an account scope in the Organization tree on the left. By default, the entire Organization (all accounts) is selected.
Click + Add Token on the top right of the page.
Assign the token with a meaningful name.
Select the Viewer permission Role.
Click Add Token.
Copy the generated token to use later on the connector's setup page on the Vulcan platform.
Configuring the Tenable Cloud connector
Login to the Vulcan ExposureOS platform and go to Connectors > Add a Connector.
Click on the Tenable Cloud icon.
Set up the Connector as follows:
If your setup is through a gateway, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.
Select the API Server URL of your Tenable Cloud account.
Enter the Token you generated earlier.
The Data pulling configuration configuration is dynamic, with available settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector:
Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Tenable Cloud instance.
Notes:
A successful connectivity test confirms that the platform can connect to the Tenable Cloud instance. However, it does not guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
Example:
If the connectivity test fails, an error message with details about the issue will appear. Click the arrow next to the error message for more information about the exact error.
Example:
Connector scheduling: Set the connector's sync time and days. By default, all days are selected.
Click Create to start syncing the new connector, or Save Changes if editing an existing connector.
Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or under Connector sync logs on the connector's specific setup page.
To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the Tenable Cloud icon shows Connected.
Example:
Tenable Cloud in the Vulcan platform
Viewing findings
To view findings (instances) ingested by the Tenable Cloud connector:
Go to the Findings page.
Click on Filter and set the condition to Vulnerability > Source > is > Tenable Cloud.
Example:
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a finding for more details.
Viewing vulnerabilities
To view vulnerabilities ingested by the Tenable Cloud connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Source > is > Tenable Cloud.
Example:
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a vulnerability for more details.
Viewing assets
To view assets ingested by the Tenable Cloud connector:
Go to the Assets page.
Click on Filter and set the condition to Asset > Source > is > Tenable Cloud.
Example:
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on an asset for more details.
Taking action on vulnerabilities and assets
To take remediation action on vulnerabilities and assets ingested by Tenable Cloud:
Go to the Vulnerabilities or Assets Page.
Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Example:
Automating remediation actions on vulnerabilities
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
Data Mapping
The Vulcan Platform integrates with X through an API that pulls relevant vulnerability and asset data and maps it to the platform's pages and fields. The vulnerabilities and/or assets data is ingested from the vendor platform and mapped into the Vulcan
ExposureOs platform.
Host data mapping
Asset data
Tenable Cloud host field (API) | Vulcan field |
Id | Asset Uniqueness criteria |
{% if CloudProvider == 'AWS' %}{{ Id.split('/')[-1] }}{% else %}{{ Ocid or Id }}{% endif %} | Cloud ID cloud_instance_id |
Name | Host Name (hostname) |
OperatingSystem or OperatingSystemType | Host OS (os) |
PublicIpAddresses PrivateIpAddresses | Host IP (ip ) |
CreationTime | Host first Seen (first_seen) |
SyncTime | Host Last report (last_seen) |
CloudProvider AccountId AccountName Id __typename OperatingSystemType CustomProperties PrivateDnsNames PublicIpAddressDnsNames Arn Region Location ResourceGroupId RawId Ocid Shape | Host details(added_data)
|
Tags | Host Tags - Vendor’s tags (tags) |
CloudProvider __typename AccountId | Host Tags - Additional (tags) |
Finding (instance) data
Tenable Cloud host field (API) | Vulcan field |
Id | Vulnerability instance uniqueness criteria |
finding_creation_time | Vulnerability instance First seen (first_seen) |
finding_status_update_time | Vulnerability instance Last seen (last_seen) |
finding_link finding_starred finding_sub_status finding_account_id finding_account_name finding_id | Vulnerability instance details (added_data) |
Status | Vulnerability instance Fixed mechanism (report_item_status)
|
Unique vulnerability data
Tenable Cloud host field (API) | Vulcan field |
PolicyNmae | Unique Vulnerability uniqueness criteria |
PolicyNmae | Vulnerability title (title) |
Severity | Vulnerability score (cvss_score) |
Description | Vulnerability description (description) |
tenable_cloud|host|{{ PolicyName }} | cloud_vv_id |
Solution (fix) data
Tenable Cloud host field (API) | Vulcan field |
PolicyName | Solution uniqueness criteria |
Fix from Tenable Cloud | Fix - Title (title) |
Remediation.Console.Steps | Fix - Description(description) |
Link | Fix - References (reference + reference_link) |
| Fix details (added_data) |
Image data mapping
Asset data
Tenable Cloud image field (API) | Vulcan field |
id | Asset Uniqueness criteria |
Name | Image Name (name) |
OperatingSystem or OperatingSystemType | Image OS (os) |
OperatingSystem or OperatingSystemType | Image OS Version (os_version) |
Images | Image’s repository type (repository_type) |
Path | Image path location (path) |
Digest | Image sha256 (sha256) |
N/A | Image hash (hash) |
N/A | Image tag (image_tag) |
CreationTime | Image first Seen (first_seen) |
SyncTime | Image Last report (last_seen) |
CloudProvider AccountId AccountName Id __typename OperatingSystemType CustomProperties Used Arn Region Location Ocid | Image details (added_data)
|
Tags + ImageTags | Image Tags - Vendor’s tags (tags) |
CloudProvider __typename AccountId | Image Tags - Additional (tags) |
Finding (instance) data
Tenable Cloud image field (API) | Vulcan field |
finding_creation_time | Vulnerability instance First seen (first_seen) |
finding_status_update_time | Vulnerability instance Last seen (last_seen) |
finding_link finding_starred finding_sub_status finding_account_id finding_account_name finding_id | Vulnerability instance details (added_data) |
Unique vulnerability data
Tenable Cloud image field (API) | Vulcan field |
PolicyName | Vulnerability title (title) |
Severity | Vulnerability score (cvss_score) |
Description | Vulnerability description (description) |
tenable_cloud|image|{{ PolicyName }} | cloud_vv_id |
Solution (fix) data
Tenable Cloud image field (API) | Vulcan field |
Fix - Title (title) | Fix from Tenable Cloud |
Fix - Description(description) | Remediation.Console.Steps |
Fix - References (reference + reference_link) | Link |
Websites data mapping
Asset data
Tenable Cloud website field (API) | Vulcan field |
Id | Asset Uniqueness criteria |
Name | Website Name (hostname) |
Url | Website address (address) |
CreationTime | Website first Seen (first_seen) |
SyncTime | Website Last report (last_seen) |
CloudProvider AccountId AccountName Id __typename OperatingSystemType CustomProperties Location ResourceGroupId AppType AuthenticationType HttpsOnly TlsMinVersion ScmUrl Status | Website details(added_data)
|
Tags | Website Tags - Vendor’s tags (tags) |
CloudProvider __typename AccountId | Website Tags - Additional (tags) |
Url | Website Component - URLS (url) |
Finding (instance) data
Tenable Cloud website field (API) | Vulcan field |
Id | Vulnerability instance uniqueness criteria |
finding_creation_time | Vulnerability instance First seen (first_seen) |
finding_status_update_time | Vulnerability instance Last seen (last_seen) |
finding_link finding_starred finding_sub_status finding_account_id finding_account_name finding_id | Vulnerability instance details (added_data) |
Status | Vulnerability instance Fixed mechanism (report_item_status)
|
Unique vulnerability data
Tenable Cloud website field (API) | Vulcan field |
PolicyNmae | Unique Vulnerability uniqueness criteria |
PolicyNmae | Vulnerability title (title) |
Severity | Vulnerability score (cvss_score) |
Description | Vulnerability description (description) |
tenable_cloud|website|{{ PolicyName }} | cloud_vv_id |
Solution (fix) data
Tenable Cloud website field (API) | Vulcan field |
PolicyName | Solution uniqueness criteria |
Fix from Tenable Cloud | Fix - Title (title) |
Remediation.Console.Steps | Fix - Description(description) |
Link | Fix - References (reference + reference_link) |
Cloud resources data mapping
Asset data
Tenable cloud resource field (API) | Vulcan field |
Id | Asset Uniqueness criteria |
Name | Cloud resource Name (name) |
CloudProvider | Cloud type(cloud_type) |
__typename | resource type(resource_type) |
Id | Cloud id (native_id) |
N/A | Cloud resource first Seen (first_seen) |
SyncTime | Cloud resource Last report (last_seen) |
CloudProvider AccountId AccountName Id __typename CustomProperties | Cloud resource details(added_data)
|
Tags | Cloud resource Tags - Vendor’s tags (tags) |
CloudProvider __typename AccountId | Cloud resource Tags - Additional (tags) |
Finding (instance) data
Tenable cloud resource field (API) | Vulcan field |
Id | Vulnerability instance uniqueness criteria |
finding_creation_time | Vulnerability instance First seen (first_seen) |
finding_status_update_time | Vulnerability instance Last seen (last_seen) |
finding_link finding_starred finding_sub_status finding_account_id finding_account_name finding_id | Vulnerability instance details(added_data) |
Status | Vulnerability instance Fixed mechanism (report_item_status)
|
Unique vulnerability data
Tenable cloud resource field (API) | Vulcan field |
PolicyName | Unique Vulnerability uniqueness criteria |
PolicyName | Vulnerability title (title) |
Severity | Vulnerability score (cvss_score) |
Description | Vulnerability description (description) |
tenable_cloud|cloud_resource|{{ PolicyName }} | cloud_vv_id |
Solution (fix) data
Tenable cloud resource field (API) | Vulcan field |
PolicyName | Solution uniqueness criteria |
Fix from Tenable Cloud | Fix - Title (title) |
Remediation.Console.Steps | Fix - Description(description) |
Link | Fix - References (reference + reference_link) |
Vulnerability status mapping
Based on the
Statusfield
Tenable Cloud status | Vulcan status |
All the rest (Open) | Vulnerable |
Not returned | Fixed |
- | Ignored - false positive |
Ignored | Ignored risk acknowledged |
Vulnerability score mapping
Tenable Cloud score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
Informational | 0 |
Status update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.
The table below lists how the status update mechanism works in the Tenable Cloud for the vulnerabilities and assets in the Vulcan Platform.
Status change | When? |
The asset is archived | - Asset not found on the connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings - Vulnerability status on the connector's side changes to |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
Support limitations and expected behavior
This section outlines any irregularities, expected behaviors, or limitations related to integrating the Vulcan Cyber ExposureOS platform and Tenable Cloud. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.
Mapping:
Asset: Mapped using its unique ID.
Vulnerability (Vuln): Mapped using the policy name.
Solution: Also mapped using the policy name.
Unique Finding Identifier: Defined as a combination of the asset’s unique ID, the vulnerability’s unique identifier, and the finding ID.
Status and Data Fetching:
The Tenable API uses cursor-based pagination, which requires sequential requests. The next cursor value must be obtained from the current request. Each request returns up to 1,000 results, preventing parallel processing.
Only open findings are fetched, and assets are created based on findings. As a result, a complete inventory of assets will not be available.
API endpoints in use
API | Use in Vulcan |
https://{{region}}.app.ermetic.com/api/graph | get all data |