# Tenable

Connecting Tenable gives SureCloud read access to your vulnerability scan results, asset inventory, scan configurations, and plugin data across your Tenable environment. SureCloud collects open vulnerability findings by severity and CVE across all scanned assets, verifies that scans are scheduled and running within expected intervals, checks that critical asset groups have active scan coverage, and monitors overall asset coverage to identify gaps in the scanning programme. This provides continuous evidence that your vulnerability management process is capturing findings across the full asset estate.

{% hint style="info" %}
SureCloud connects to Tenable using an Access Key and Secret Key pair generated in the Tenable console. This applies to both Tenable Vulnerability Management (formerly Tenable.io) and Tenable Security Center (formerly Tenable.sc / Nessus). The two products use different API structures — SureCloud supports both via separate connection flows.
{% endhint %}

## Authentication and setup

{% tabs %}
{% tab title="Tenable Vulnerability Management (cloud)" %}
{% stepper %}
{% step %}

#### Create a dedicated service account

In Tenable Vulnerability Management, navigate to **Settings → Users → Invite User** and create a service account (e.g. `surecloud-ccm@yourcompany.com`).

Assign the **Basic** user role. The Basic role provides read access to assets and vulnerabilities without granting scan launch or administrative permissions.
{% endstep %}

{% step %}

#### Generate API Keys

Log in as the `surecloud-ccm` account and navigate to **Settings → My Account → API Keys → Generate**.

Tenable generates an **Access Key** and a **Secret Key** together. Copy both values immediately — they are only shown once. If they are lost, generate a new pair (which invalidates the previous keys).

{% hint style="warning" %}
API keys in Tenable Vulnerability Management do not expire automatically, but should be rotated every 90 days as a security best practice. Regenerating keys invalidates the previous pair — update the new values in **SureCloud → Integrations → Tenable → Edit Connection** immediately after rotation.
{% endhint %}
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → Tenable → Connect** and provide:

* **Connection type**: Tenable Vulnerability Management
* **Access Key**
* **Secret Key**

Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="Tenable Security Center (on-premises)" %}
{% stepper %}
{% step %}

#### Create a dedicated service account

In Tenable Security Center, navigate to **System → Users → Add** and create a service account named `surecloud-ccm`. Assign the **Security Manager** role (read-only operations are included) or a custom role with the following permissions:

| Permission              | Purpose                                    |
| ----------------------- | ------------------------------------------ |
| View Vulnerability Data | Read vulnerability findings and asset data |
| View Scan Results       | Read scan run records and results          |
| View Scan Policies      | Read scan policy configuration             |
| View Assets             | Read asset inventory and tags              |
{% endstep %}

{% step %}

#### Generate API Keys

Log in as `surecloud-ccm` and navigate to **Username → Profile → API Keys → Generate**. Copy the **Access Key** and **Secret Key**.
{% endstep %}

{% step %}

#### Enter credentials in SureCloud

In SureCloud, navigate to **Integrations → Tenable → Connect** and provide:

* **Connection type**: Tenable Security Center
* **Tenable Security Center base URL** (e.g. `https://sc.yourcompany.com`)
* **Access Key**
* **Secret Key**

Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}
{% endtab %}
{% endtabs %}

## Endpoints

**Tenable Vulnerability Management**

| API Call                                   | Use Case                                                                 |
| ------------------------------------------ | ------------------------------------------------------------------------ |
| `GET /assets`                              | Enumerate all assets with last scan date and network information         |
| `POST /workbenches/assets/vulnerabilities` | Retrieve open vulnerability findings per asset with severity and CVE     |
| `GET /workbenches/vulnerabilities`         | Aggregate vulnerability summary across all assets by severity and plugin |
| `GET /scans`                               | List all scans with their schedule, last run time, and status            |
| `GET /scans/{scan_id}`                     | Read full scan configuration and host coverage                           |
| `GET /policies`                            | Enumerate scan policies and their plugin family selections               |
| `GET /users`                               | Enumerate Tenable console users and their role assignments               |

**Tenable Security Center**

| API Call                  | Use Case                                                                   |
| ------------------------- | -------------------------------------------------------------------------- |
| `GET /rest/asset`         | Enumerate asset objects and their membership in asset groups               |
| `GET /rest/vulnerability` | Retrieve vulnerability findings with severity, CVE, and remediation status |
| `GET /rest/scan`          | List scans and their schedules, policy, and credential configuration       |
| `GET /rest/scanResult`    | Read scan run results and completion status                                |
| `GET /rest/policy`        | Enumerate scan policies                                                    |
| `GET /rest/user`          | Enumerate Security Center users and their roles                            |

## Pagination

**Tenable Vulnerability Management** uses offset-based pagination via `offset` and `limit` query parameters for most endpoints. SureCloud increments `offset` by `limit` (up to 5,000 per page for vulnerability endpoints) until the response `total_asset_count` or equivalent is reached.

```json
{
  "total_asset_count": 8432,
  "assets": [
    { "id": "abc123", "fqdns": ["server1.yourcompany.com"], "last_seen": "2025-06-01T10:00:00Z", ... }
  ]
}
```

**Tenable Security Center** uses `startOffset` and `endOffset` parameters. SureCloud advances `startOffset` by the page size until it equals or exceeds the `totalRecords` count.
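As an added illustration of both paging schemes described above (example code, not SureCloud's or Tenable's own), the Python below walks a Tenable Vulnerability Management `/assets` listing by `offset`/`limit` and a Security Center endpoint by `startOffset`/`endOffset`, using constructed stand-in servers so it runs offline. The Security Center response shape (a top-level `totalRecords` string and a `results` list) is an assumption; only the parameter and count names come from the page.

```python
from typing import Any, Callable, Dict, List

# A fetch callable takes (path, query params) and returns the parsed JSON body,
# so the paging logic below can be exercised against the constructed servers.
Fetch = Callable[[str, Dict[str, int]], Dict[str, Any]]


def collect_vm_assets(fetch: Fetch, limit: int = 5000) -> List[dict]:
    """Tenable VM: advance offset by limit until total_asset_count is reached."""
    offset, assets = 0, []
    while True:
        body = fetch("/assets", {"offset": offset, "limit": limit})
        page = body.get("assets", [])
        assets.extend(page)
        offset += limit
        # Stop on the documented total; an empty page also stops the loop so a
        # total that grows mid-collection can never make this spin forever.
        if offset >= body["total_asset_count"] or not page:
            return assets


def collect_sc_records(fetch: Fetch, path: str, page_size: int = 1000) -> List[dict]:
    """Tenable SC: advance startOffset by page_size until it reaches totalRecords."""
    start, records = 0, []
    while True:
        body = fetch(path, {"startOffset": start, "endOffset": start + page_size})
        page = body.get("results", [])
        records.extend(page)
        start += page_size
        if start >= int(body["totalRecords"]) or not page:
            return records


def fake_vm(total: int) -> Fetch:
    """Constructed stand-in for GET /assets serving `total` synthetic assets."""
    def fetch(path: str, p: Dict[str, int]) -> Dict[str, Any]:
        ids = range(p["offset"], min(p["offset"] + p["limit"], total))
        return {"total_asset_count": total, "assets": [{"id": f"asset-{i}"} for i in ids]}
    return fetch


def fake_sc(total: int) -> Fetch:
    """Constructed stand-in for a Security Center list endpoint (shape assumed)."""
    def fetch(path: str, p: Dict[str, int]) -> Dict[str, Any]:
        ids = range(p["startOffset"], min(p["endOffset"], total))
        return {"totalRecords": str(total), "results": [{"id": i} for i in ids]}
    return fetch
```

With 8,432 assets and a 5,000-record limit, the VM loop makes exactly two calls; the second, short page both completes the set and would halt the loop even if the reported total were wrong.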

## Required permissions

For Tenable Vulnerability Management, the **Basic** user role is sufficient for all SureCloud data collection endpoints. API keys must be generated by the service account, not an administrator account — keys inherit the generating user's permissions.

For Tenable Security Center, the service account must have at minimum **View** permissions on Vulnerability Data, Scan Results, Scan Policies, and Assets.

## Polling frequency

| Data type                       | Collection interval |
| ------------------------------- | ------------------- |
| Asset inventory                 | 24 hours            |
| Vulnerability findings          | 24 hours            |
| Scan configuration and schedule | 24 hours            |
| Scan run results                | 24 hours            |
| User inventory                  | 24 hours            |

## Troubleshooting

<details>

<summary>Test Connection fails with "403 Forbidden" for Tenable Vulnerability Management</summary>

The Access Key or Secret Key is invalid, the keys were generated by a different account than expected, or the key pair has been regenerated since SureCloud was configured.

In Tenable Vulnerability Management, navigate to **Settings → My Account → API Keys**. If new keys have been generated (a new pair invalidates the previous one), update both keys in **SureCloud → Integrations → Tenable → Edit Connection**.

</details>

<details>

<summary>Vulnerability findings are returning but CVE identifiers are missing for some</summary>

Not all Tenable plugins map to a CVE — informational findings, configuration audit findings, and some compliance checks do not have associated CVEs. SureCloud includes CVE data where it is present in the plugin output and leaves the field empty for findings without a CVE reference.

If CVEs are missing for findings where you expect them, confirm the plugin family covers software vulnerability detection (not compliance or configuration auditing) and that the scan policy includes the relevant plugin families.

</details>

<details>

<summary>Some assets are not appearing in SureCloud's inventory</summary>

Tenable only includes assets that have been scanned within the asset visibility window (default 180 days for Tenable Vulnerability Management). Assets that have not been scanned within this window are aged out of the active inventory.

To include aged-out assets, reduce the scan interval for the relevant asset groups or extend the visibility window in **Tenable → Settings → Sensors → Asset visibility**.

</details>

<details>

<summary>Scans appear in SureCloud but show no last run time</summary>

Scans that have been created but never launched will have no last run time. SureCloud reports these as never-run scans — this may indicate a scan schedule that was configured but not activated, or a scan that was paused before its first execution.

In Tenable, confirm the scan schedule is enabled and the next scheduled run time is in the future. If the scan is on-demand only (no schedule), it will remain unrun until manually triggered.

</details>

<a href="https://developer.tenable.com/reference/navigate" class="button secondary">Tenable Vulnerability Management API reference</a> <a href="https://docs.tenable.com/security-center/Content/SCAPI.htm" class="button secondary">Tenable Security Center API documentation</a>
