elastic · efd6 · May 12, 2023 · May 4, 2023 · May 6, 2023 · May 6, 2023
@@ -16,6 +16,10 @@ The Tenable.io integration collects logs for three types of events: Asset, Plugi
 
 **Vulnerability** is used to retrieve all vulnerabilities on each asset, including the vulnerability state. See more details in the API documentation [here](https://developer.tenable.com/reference/exports-vulns-request-export).
 
+**Scanner** is used to retrieve the current state of scanners, including licensing and activity. See more details in the API documentation [here](https://developer.tenable.com/reference/scanners-list).
+
+**Scan** is used to retrieve details about existing scans, including scan statuses, assigned targets, and more. See more details in the API documentation [here](https://developer.tenable.com/reference/scans-list).
+
 ## Compatibility
 
 This module has been tested against `Tenable.io release` [December 6, 2022](https://docs.tenable.com/releasenotes/Content/tenableio/tenableio202212.htm).
@@ -72,3 +76,23 @@ This is the `vulnerability` dataset.
 {{event "vulnerability"}}
 
 {{fields "vulnerability"}}
+
+### scanner
+
+This is the `scanner` dataset.
+
+#### Example
+
+{{event "scanner"}}
+
+{{fields "scanner"}}
+
+### scan
+
+This is the `scan` dataset.
+
+#### Example
+
+{{event "scan"}}
+
+{{fields "scan"}}
@@ -46,3 +46,30 @@ rules:
       - status_code: 200
         body: |
           [{"asset":{"fqdn":"example.com","hostname":"89.160.20.112","uuid":"cf165808-6a31-48e1-9cf3-c6c3174df51d","ipv4":"81.2.69.142","operating_system":["Test Demo OS X 10.5.8"],"network_id":"00000000-0000-0000-0000-000000000000","tracked":true},"output":"The observed version of Test  is : \n /21.0.1180.90","plugin":{"cve":["CVE-2016-1620","CVE-2016-1614","CVE-2016-1613","CVE-2016-1612","CVE-2016-1618","CVE-2016-1617","CVE-2016-1616","CVE-2016-1615","CVE-2016-1619"],"cvss_base_score": 9.3,"cvss_temporal_score":6.9,"cvss_temporal_vector":{"exploitability":"Unproven","remediation_level":"Official-fix","report_confidence":"Confirmed","raw":"E:U/RL:OF/RC:C"},"cvss_vector":{"access_complexity":"Medium","access_vector":"Network","authentication":"None required","confidentiality_impact":"Complete","integrity_impact":"Complete","availability_impact":"Complete","raw":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},"description":"The version of Test  on the remote host is prior to 48.0.2564.82 and is affected by the following vulnerabilities: \n\n - An unspecified vulnerability exists in Test V8 when handling compatible receiver checks hidden behind receptors.  An attacker can exploit this to have an unspecified impact.  No other details are available. (CVE-2016-1612)\n - A use-after-free error exists in `PDFium` due to improper invalidation of `IPWL_FocusHandler` and `IPWL_Provider` upon destruction.  An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-1613)\n - An unspecified vulnerability exists in `Blink` that is related to the handling of bitmaps.  An attacker can exploit this to access sensitive information.  No other details are available. (CVE-2016-1614)\n - An unspecified vulnerability exists in `omnibox` that is related to origin confusion.  An attacker can exploit this to have an unspecified impact.  No other details are available. (CVE-2016-1615)\n - An unspecified vulnerability exists that allows an attacker to spoof a displayed URL.  No other details are available. (CVE-2016-1616)\n - An unspecified vulnerability exists that is related to history sniffing with HSTS and CSP. No other details are available. (CVE-2016-1617)\n - A flaw exists in `Blink` due to the weak generation of random numbers by the ARC4-based random number generator.  An attacker can exploit this to gain access to sensitive information.  No other details are available. (CVE-2016-1618)\n - An out-of-bounds read error exists in `PDFium` in file `fx_codec_jpx_opj.cpp` in the `sycc4{22,44}_to_rgb()` functions. An attacker can exploit this to cause a denial of service by crashing the application linked using the library. (CVE-2016-1619)\n - Multiple vulnerabilities exist, the most serious of which allow an attacker to execute arbitrary code via a crafted web page. (CVE-2016-1620)\n - A flaw in `objects.cc` is triggered when handling cleared `WeakCells`, which may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. (CVE-2016-2051)","family":"Web Clients","family_id": 1000020,"has_patch":false,"id":9062,"name":"Test  &lt; 48.0.2564.82 Multiple Vulnerabilities","risk_factor":"HIGH","see_also":["http://testreleases.blogspot.com/2016/01/beta-channel-update_20.html"],"solution":"Update the  browser to 48.0.2564.82 or later.","synopsis":"The remote host is utilizing a web browser that is affected by multiple vulnerabilities.","vpr":{"score":5.9,"drivers":{"age_of_vuln":{"lower_bound":366,"upper_bound":730},"exploit_code_maturity":"UNPROVEN","cvss_impact_score_predicted":false,"cvss3_impact_score":5.9,"threat_intensity_last28":"VERY_LOW","threat_sources_last28":["No recorded events"],"product_coverage":"LOW"},"updated":"2019-12-31T10:08:58Z"}},"port":{"port":"0","protocol":"TCP"},"scan":{"completed_at":"2018-12-31T20:59:47Z","schedule_uuid":"6f7db010-9cb6-4870-b745-70a2aea2f81ce1b6640fe8a2217b","started_at":"2018-12-31T20:59:47Z","uuid":"0e55ec5d-c7c7-4673-a618-438a84e9d1b78af3a9957a077904"},"severity":"low","severity_id":3,"severity_default_id":3,"severity_modification_type":"NONE","first_found":"2018-12-31T20:59:47Z","last_found":"2018-12-31T20:59:47Z","indexed":"2022-11-30T14:09:12.061Z","state":"OPEN"}]
+  - path: /scanners
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {"scanners":
+              [
+                {"creation_date":1603821746,"group":true,"id":123456,"key":"db8bbcddce265942ec66fc56aa17e6f8239b9d355580b58af96a5eab1f309199","last_connect":null,"last_modification_date":1603821746,"license":{"record_id":"001600000ASDA71CCD","type":"vm","activation_code":"7A1F-BT5R-7B5R","agents":-1,"ips":11000,"scanners":-1,"users":-1,"enterprise_pause":false,"expiration_date":1704326399,"evaluation":false,"apps":{"pci":{"mode":"basic"},"was":{"mode":"eval","expiration_date":1659585599,"ui_mode":"NEW"},"consec":{"mode":"eval","expiration_date":1658289599},"lumin":{"mode":"standard","expiration_date":1704326399,"assets":11000,"activation_code":"T8G9-A1EG-ERT4"},"vm":{"assets":11000,"vm_expiration_date":1704326399,"vm_activation_code":"TB7R-QWEG-ASD8","agents":0},"cns":{"mode":"eval","expiration_date":1663473599}},"scanners_used":10,"agents_used":4286},"linked":1,"name":"APAC Cloud Scanners","network_name":"Default","num_scans":0,"owner":"system","owner_id":1258789,"owner_name":"system","owner_uuid":"ab12we5wr-asdf1-etah5-asd8-d5yhf7ew4394","pool":true,"scan_count":0,"shared":1,"source":"service","status":"on","timestamp":1603821746,"type":"local","user_permissions":64,"uuid":"akd78gte-d58g-adsd-34fg-4fde5ugh52dw","supports_remote_logs":false,"supports_webapp":true,"supports_remote_settings":false},
+                {"creation_date":1659982715,"distro":"ubuntu1404-x86-64","engine_version":"19.5.1","group":false,"hostname":"Scanner02","id":216324,"ip_addresses":["10.0.1.70"],"key":"ed3a5dfk7djh328deeas5d8gfdp3d2a8c24be99c8dd85g4hejd8se2466bf426e","last_connect":1683307347,"last_modification_date":1683230726,"linked":1,"loaded_plugin_set":"202305041802","name":"Scanner02","network_name":"Default","num_scans":0,"owner":"system","owner_id":1978564,"owner_name":"system","owner_uuid":"1adfj78e-a45d-5eqr-asd5-a58dfjg876dj","platform":"LINUX","pool":false,"scan_count":0,"shared":1,"source":"service","status":"on","timestamp":1683230726,"type":"managed","ui_build":"8","ui_version":"10.5.1","user_permissions":128,"uuid":"d581s325-5bc2-45bf-asd8-6e48a312576c","remote_uuid":"d58dhf87-d87j-dja2-3282-dkjs7dfh26he09jksjdm3dsa2hg8","supports_remote_logs":true,"supports_webapp":false,"supports_remote_settings":true},
+                {"creation_date":1603990307,"group":true,"id":183251,"key":"5ae5d8f4g5da4368f4gd5d02c4a7133ffa777dcc010fb8b90f871371254a7594","last_connect":null,"last_modification_date":1603991208,"linked":1,"name":"Contoso Scanner Group","network_name":"Default","num_scans":0,"owner":"system","owner_id":4587863,"owner_name":"system","owner_uuid":"0adefc78-bd61-1af2-2fa1-12ac35cb84f6","pool":true,"scan_count":0,"shared":1,"source":"service","status":"on","timestamp":1603991208,"type":"pool","user_permissions":128,"uuid":"1a56bf7c-e0a1-452c-a89b-1abc568eb45a","supports_remote_logs":false,"supports_webapp":false,"supports_remote_settings":false}
+              ]
+          }
+  - path: /scans
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+            {
+                "scans": [
+                    {"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"jdoe@contoso.com","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759}},
+                    {"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group B","owner":"jdoe@contoso.com","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}}
+                ],
+                "folders": [
+                    {"id":227,"name":"Cloud Audit Scans","type":"custom","custom":1,"unread_count":0,"default_tag":0},
+                    {"id":226,"name":"Targeted Scans","type":"custom","custom":1,"unread_count":0,"default_tag":0}
+                ]
+            }
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.0"
+  changes:
+    - description: Added datasets for scanner and scan logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6113
 - version: "0.5.0"
   changes:
     - description: Add a new flag to enable request tracing

@@ -22,7 +22,7 @@ request.transforms:
       # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
       # NOTE: The "Build" version must be kept in sync with this package's version.
       target: header.User-Agent
-      value: '[[userAgent "Integration/1.0 (Elastic; Tenable.io; Build/0.4.0)"]]'
+      value: '[[userAgent "Integration/1.0 (Elastic; Tenable.io; Build/0.5.0)"]]'
   - set:
       target: header.X-ApiKeys
       value: 'accessKey={{access_key}}; secretKey={{secret_key}};'

@@ -21,7 +21,7 @@ request.transforms:
       # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
       # NOTE: The "Build" version must be kept in sync with this package's version.
       target: header.User-Agent
-      value: '[[userAgent "Integration/1.0 (Elastic; Tenable.io; Build/0.4.0)"]]'
+      value: '[[userAgent "Integration/1.0 (Elastic; Tenable.io; Build/0.5.0)"]]'
   - set:
       target: header.X-ApiKeys
       value: 'accessKey={{access_key}}; secretKey={{secret_key}};'

@@ -0,0 +1,7 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields
+dynamic_fields:
+  "@timestamp": ".*"
+  event.ingested: ".*"
@@ -0,0 +1,2 @@
+{"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"jdoe@contoso.com","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759}}
+{"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group B","owner":"jdoe@contoso.com","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}}