diff --git a/packages/tenable_io/_dev/build/docs/README.md b/packages/tenable_io/_dev/build/docs/README.md index 5525366b20e..ac6b60761cd 100644 --- a/packages/tenable_io/_dev/build/docs/README.md +++ b/packages/tenable_io/_dev/build/docs/README.md @@ -18,7 +18,7 @@ The Tenable Vulnerability Management integration collects logs for five types of **Vulnerability** is used to retrieve all vulnerabilities on each asset, including the vulnerability state. See more details in the API documentation [here](https://developer.tenable.com/reference/exports-vulns-request-export). -**Scan** is used to retrieve details about existing scans, including scan statuses, assigned targets, and more. See more details in the API documentation [here](https://developer.tenable.com/reference/scans-list). +**Scan** is used to retrieve details about existing scans and scan details, including scan statuses, assigned targets, and more. See more details in the API documentation for [Scan](https://developer.tenable.com/reference/scans-list) and [Scan Details](https://developer.tenable.com/reference/was-v2-scans-details). ## Compatibility diff --git a/packages/tenable_io/_dev/deploy/docker/files/config.yml b/packages/tenable_io/_dev/deploy/docker/files/config.yml index 902e9b7bf9c..3a48704ef99 100644 --- a/packages/tenable_io/_dev/deploy/docker/files/config.yml +++ b/packages/tenable_io/_dev/deploy/docker/files/config.yml 
@@ -62,6 +62,22 @@ rules:
 {"id":226,"name":"Targeted Scans","type":"custom","custom":1,"unread_count":0,"default_tag":0}
 ]
 }
+ - path: /was/v2/scans/195
+ methods: ["GET"]
+ responses:
+ - status_code: 200
+ body: |
+ {
+ "scan_id":"195","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}
+ }
+ - path: /was/v2/scans/423
+ methods: ["GET"]
+ responses:
+ - status_code: 200
+ body: |
+ {
+ "scan_id":"423","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}
+ }
 - path: /audit-log/v1/events
 methods: ["GET"]
 query_params:
diff --git a/packages/tenable_io/changelog.yml b/packages/tenable_io/changelog.yml
index a4ef3535b8d..61a2689bc0c 100644
--- a/packages/tenable_io/changelog.yml
+++ b/packages/tenable_io/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.7.0"
+ changes:
+ - description: Added scan details to the scan data stream from the WAS v2 scan details API.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16222
 - version: "4.6.1"
 changes:
 - description: Remove duplicated field definitions in transform.
diff --git a/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log b/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log
index 1af204a87a6..21213de6f13 100644
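Review bot: The mocked `/was/v2/scans/195` and `/was/v2/scans/423` responses return a `scan_id` equal to the Vulnerability Management scan's integer `id`, while the pipeline fixture added in test-scan.log carries a UUID (`7f2fc25a-…`) in `scan_details.scan_id`; the two fixtures disagree on what identifier the WAS details endpoint is keyed by, so the system test cannot show whether addressing `/was/v2/scans/` with the numeric `/scans` id (as the new cel.yml.hbs program does) is valid against the real API. Apart from `scan_id` the two bodies are byte-identical, so a swapped or cached response would pass unnoticed; varying at least `target` or `created_at` per scan would make the assertion meaningful. A third entry that answers with a non-200 status for an unknown id would also exercise the error branch of the new program, which the mock currently leaves uncovered.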
--- a/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log
+++ b/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log
@@ -1,2 +1,3 @@ {"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"jdoe@contoso.com","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759}} -{"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group B","owner":"jdoe@contoso.com","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}} \ No newline at end of file +{"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group 
B","owner":"jdoe@contoso.com","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}} +{"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"jdoe@contoso.com","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759},"scan_details":{"scan_id":"7f2fc25a-bdd8-4ad4-91dd-b9563ed69560","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}}} 
diff --git a/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json b/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json
index dc1d80ba916..2e63307a9df 100644
--- a/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json
+++ b/packages/tenable_io/data_stream/scan/_dev/test/pipeline/test-scan.log-expected.json
@@ -109,6 +109,80 @@ "wizard_uuid": "731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65" } } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "state", + "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client Discovery\",\"owner\":\"jdoe@contoso.com\",\"policy_id\":194,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"has_triggers\":false,\"type\":\"remote\",\"permissions\":128,\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\",\"progress\":100,\"total_targets\":21,\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"scan_details\":{\"scan_id\":\"7f2fc25a-bdd8-4ad4-91dd-b9563ed69560\",\"user_id\":\"53e1d711-f18f-4a75-a86e-1c47bccff1b7\",\"config_id\":\"a772daba-3d6d-412c-8ee0-3279b19650b2\",\"target\":\"http://192.0.2.119\",\"created_at\":\"2020-02-05T23:11:49.342Z\",\"updated_at\":\"2020-02-05T23:22:15.510Z\",\"requested_action\":\"start\",\"status\":\"completed\",\"metadata\":{\"queued_urls\":0,\"scan_status\":\"stopping\",\"crawled_urls\":1,\"queued_pages\":0,\"audited_pages\":1,\"request_count\":74,\"response_time\":0}}}", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tenable_io": { + "scan": { + "control": true, + "creation_date": "2023-05-05T10:33:05.000Z", + "enabled": true, + "has_triggers": false, + "id": 195, + "last_modification_date": "2023-05-05T10:39:18.000Z", + "legacy": false, + 
"name": "Client Discovery", + "owner": "jdoe@contoso.com", + "permissions": 128, + "policy_id": 194, + "progress": 100, + "read": false, + "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR", + "scan_details": { + "config_id": "a772daba-3d6d-412c-8ee0-3279b19650b2", + "created_at": "2020-02-05T23:11:49.342Z", + "metadata": { + "audited_pages": 1, + "crawled_urls": 1, + "queued_pages": 0, + "queued_urls": 0, + "request_count": 74, + "response_time": 0, + "scan_status": "stopping" + }, + "requested_action": "start", + "scan_id": "7f2fc25a-bdd8-4ad4-91dd-b9563ed69560", + "status": "completed", + "target": "http://192.0.2.119", + "updated_at": "2020-02-05T23:22:15.510Z", + "user_id": "53e1d711-f18f-4a75-a86e-1c47bccff1b7" + }, + "schedule_uuid": "11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871", + "shared": true, + "starttime": "2022-07-08T03:30:00.000Z", + "status": "completed", + "status_times": { + "initializing": 2623, + "pending": 52799, + "processing": 1853, + "publishing": 300329, + "running": 15759 + }, + "template_uuid": "a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf", + "timezone": "America/Los_Angeles", + "total_targets": 21, + "type": "remote", + "user_permissions": 128, + "uuid": "a456ef1c-cbd4-ad41-f654-119b766ff61f", + "wizard_uuid": "32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf" + } + } } ] } diff --git a/packages/tenable_io/data_stream/scan/agent/stream/cel.yml.hbs b/packages/tenable_io/data_stream/scan/agent/stream/cel.yml.hbs index e4583e86e55..61923ed8b68 100644 --- a/packages/tenable_io/data_stream/scan/agent/stream/cel.yml.hbs +++ b/packages/tenable_io/data_stream/scan/agent/stream/cel.yml.hbs 
@@ -22,36 +22,82 @@ redact: - access_key - secret_key program: | - request("GET", state.url.trim_right("/") + "/scans").with({ - "Header":{ - "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key], - "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"] - } - }).do_request().as(resp, - resp.StatusCode == 200 ? - bytes(resp.Body).decode_json().as(body, { - "events": has(body.scans) ? body.scans.map(e, { "message": e.encode_json() }) : [{}], - "access_key": state.access_key, - "secret_key": state.secret_key - }) + // Using worklist pattern: fetch scans, then process one at a time fetching details for each + state.with( + // If worklist has scans, skip fetching and proceed to details + (has(state.worklist) && size(state.worklist) > 0) ? + {} : - { - "events": { - "error": { - "code": string(resp.StatusCode), - "id": string(resp.Status), - "message": "GET:"+( - size(resp.Body) != 0 ? - string(resp.Body) - : - string(resp.Status) + ' (' + string(resp.StatusCode) + ')' - ), - }, - }, - "access_key": state.access_key, - "secret_key": state.secret_key - } + // Fetch all scans and populate worklist + request("GET", state.url.trim_right("/") + "/scans").with({ + "Header": { + "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key], + "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"] + } + }).do_request().as(resp, + resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body, { + "worklist": has(body.scans) ? body.scans : [], + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET /scans: " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ) + } + }, + "want_more": false + } + ) + ).as(state, + // Process first scan in worklist + (has(state.worklist) && size(state.worklist) > 0) ? 
+ state.worklist[0].as(scan, + state.with( + request("GET", state.url.trim_right("/") + "/was/v2/scans/" + string(scan.id)).with({ + "Header": { + "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key], + "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"] + } + }).do_request().as(details_resp, + details_resp.StatusCode == 200 ? + bytes(details_resp.Body).decode_json().as(scan_details, { + "events": [{"message": scan.with({"scan_details": scan_details}).encode_json()}], + "worklist": size(state.worklist) > 1 ? tail(state.worklist) : [], + "want_more": size(state.worklist) > 1 + }) + : + { + "events": { + "error": { + "code": string(details_resp.StatusCode), + "id": string(details_resp.Status), + "message": "GET /was/v2/scans/" + string(scan.id) + ": " + ( + size(details_resp.Body) != 0 ? + string(details_resp.Body) + : + string(details_resp.Status) + ' (' + string(details_resp.StatusCode) + ')' + ) + } + }, + "worklist": size(state.worklist) > 1 ? tail(state.worklist) : [], + "want_more": size(state.worklist) > 1 + } + ) + ) + ) + : + // No worklist or worklist is empty - pass through state + state ) + tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/tenable_io/data_stream/scan/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_io/data_stream/scan/elasticsearch/ingest_pipeline/default.yml index 87b487410fa..5f42e590e9d 100644 --- a/packages/tenable_io/data_stream/scan/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tenable_io/data_stream/scan/elasticsearch/ingest_pipeline/default.yml 
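Review bot: In the `details_resp` non-200 branch the scan itself is dropped: only the error object is emitted and the worklist advances, so a scan that the earlier program always published from `/scans` now produces no record at all when `/was/v2/scans/<id>` does not answer 200. Since the list comes from the Vulnerability Management `/scans` endpoint while the detail call goes to the Web Application Scanning API, a miss on that lookup is a realistic case rather than a transient failure, and treating it as fatal per scan would silently thin the data stream. If 404 is what the API returns for an unknown id (to be confirmed against the vendor reference), a dedicated branch that keeps the base scan without `scan_details`, as sketched below, leaves other statuses reporting as errors exactly as the hunk does. Two smaller points: the `X-ApiKeys`/`User-Agent` header map is now repeated verbatim in both requests and could be bound once ahead of `state.with(`; and the pending `worklist` is carried in state rather than `cursor`, so if the input only checkpoints `cursor` across restarts the remaining scans are lost until the next `/scans` fetch — worth a comment either way.
```yaml
          }).do_request().as(details_resp,
            details_resp.StatusCode == 200 ?
              // … unchanged: attach scan_details and advance the worklist …
            : details_resp.StatusCode == 404 ?
              // No WAS details for this scan id: keep the base scan record instead of dropping it.
              {
                "events": [{"message": scan.encode_json()}],
                "worklist": size(state.worklist) > 1 ? tail(state.worklist) : [],
                "want_more": size(state.worklist) > 1
              }
            :
              // … unchanged: error event for other non-200 statuses …
```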
@@ -55,6 +55,18 @@ processors:
 if: ctx.json?.starttime != null && ctx.json.starttime != ''
 formats:
 - yyyyMMdd'T'HHmmss
+ - date:
+ field: json.scan_details.created_at
+ target_field: json.scan_details.created_at
+ if: ctx.json?.scan_details?.created_at != null && ctx.json.scan_details.created_at != ''
+ formats:
+ - ISO8601
+ - date:
+ field: json.scan_details.updated_at
+ target_field: json.scan_details.updated_at
+ if: ctx.json?.scan_details?.updated_at != null && ctx.json.scan_details.updated_at != ''
+ formats:
+ - ISO8601
 - rename:
 field: json
 target_field: tenable_io.scan
diff --git a/packages/tenable_io/data_stream/scan/fields/fields.yml b/packages/tenable_io/data_stream/scan/fields/fields.yml
index 6080557614e..ea879a28ba9 100644
--- a/packages/tenable_io/data_stream/scan/fields/fields.yml
+++ b/packages/tenable_io/data_stream/scan/fields/fields.yml
@@ -88,3 +88,56 @@
 type: long
 - name: running
 type: long
+ - name: scan_details
+ type: group
+ description: Detailed scan information from the WAS v2 scan details API.
+ fields:
+ - name: scan_id
+ type: keyword
+ description: The unique identifier for the scan.
+ - name: user_id
+ type: keyword
+ description: The unique identifier of the user who created the scan.
+ - name: config_id
+ type: keyword
+ description: The unique identifier of the scan configuration.
+ - name: target
+ type: keyword
+ description: The target URL of the scan.
+ - name: created_at
+ type: date
+ description: The date and time when the scan was created.
+ - name: updated_at
+ type: date
+ description: The date and time when the scan was last updated.
+ - name: requested_action
+ type: keyword
+ description: The action requested for the scan (e.g., start, stop).
+ - name: status
+ type: keyword
+ description: The current status of the scan.
+ - name: metadata
+ type: group
+ description: Metadata about the scan progress and statistics.
+ fields:
+ - name: queued_urls
+ type: long
+ description: The number of URLs queued for scanning.
+ - name: scan_status
+ type: keyword
+ description: The detailed scan status.
+ - name: crawled_urls
+ type: long
+ description: The number of URLs that have been crawled.
+ - name: queued_pages
+ type: long
+ description: The number of pages queued for auditing.
+ - name: audited_pages
+ type: long
+ description: The number of pages that have been audited.
+ - name: request_count
+ type: long
+ description: The total number of requests made during the scan.
+ - name: response_time
+ type: long
+ description: The average response time in milliseconds.
diff --git a/packages/tenable_io/data_stream/scan/sample_event.json b/packages/tenable_io/data_stream/scan/sample_event.json
index c5ea70d02b6..3aea534b95f 100644
--- a/packages/tenable_io/data_stream/scan/sample_event.json
+++ b/packages/tenable_io/data_stream/scan/sample_event.json
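Review bot: Several of the new field descriptions assert semantics that nothing in the change evidences — `response_time` as "The average response time in milliseconds", `user_id` as "the user who created the scan", `queued_pages` as "queued for auditing" — and once exported these read as authoritative in the generated docs/README.md table; wording them to match the vendor reference the README links for this endpoint, or dropping the unit and causal claims where that reference does not state them (e.g. `description: Response time reported in the scan metadata.`), avoids baking an unverified unit into the field docs. `scan_details.scan_id` is also described identically to the existing `tenable_io.scan.id` ("The unique identifier for the scan") even though the fixtures show it in a different shape (a UUID in test-scan.log, `"195"` in sample_event.json); describing it as the WAS scan identifier would distinguish the two. The docs/README.md table mirrors this text and will need regenerating after the edit.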
@@ -1,24 +1,24 @@
 {
- "@timestamp": "2024-04-02T09:14:42.329Z",
+ "@timestamp": "2025-12-03T09:35:39.290Z",
 "agent": {
- "ephemeral_id": "f945f2c2-fbaf-4b93-b6ca-7d51e6a0706d",
- "id": "a0570906-16fc-4c38-821f-7c3aa6ed04bb",
- "name": "docker-fleet-agent",
+ "ephemeral_id": "6c6451c2-8450-4887-a9dc-d0a16453249c",
+ "id": "db19321f-465d-4a59-869c-1b771084aa41",
+ "name": "elastic-agent-46431",
 "type": "filebeat",
- "version": "8.12.0"
+ "version": "9.1.3"
 },
 "data_stream": {
 "dataset": "tenable_io.scan",
- "namespace": "ep",
+ "namespace": "47734",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "a0570906-16fc-4c38-821f-7c3aa6ed04bb",
+ "id": "db19321f-465d-4a59-869c-1b771084aa41",
 "snapshot": false,
- "version": "8.12.0"
+ "version": "9.1.3"
 },
 "event": {
 "agent_id_status": "verified",
@@ -26,9 +26,10 @@ "configuration" ], "dataset": "tenable_io.scan", - "ingested": "2024-04-02T09:14:52Z", + "ingested": "2025-12-03T09:35:42Z", "kind": "state", - "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"has_triggers\":false,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client Discovery\",\"owner\":\"jdoe@contoso.com\",\"permissions\":128,\"policy_id\":194,\"progress\":100,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"total_targets\":21,\"type\":\"remote\",\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\"}", + "module": "tenable_io", + "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"has_triggers\":false,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client 
Discovery\",\"owner\":\"jdoe@contoso.com\",\"permissions\":128,\"policy_id\":194,\"progress\":100,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"scan_details\":{\"config_id\":\"a772daba-3d6d-412c-8ee0-3279b19650b2\",\"created_at\":\"2020-02-05T23:11:49.342Z\",\"metadata\":{\"audited_pages\":1,\"crawled_urls\":1,\"queued_pages\":0,\"queued_urls\":0,\"request_count\":74,\"response_time\":0,\"scan_status\":\"stopping\"},\"requested_action\":\"start\",\"scan_id\":\"195\",\"status\":\"completed\",\"target\":\"http://192.0.2.119\",\"updated_at\":\"2020-02-05T23:22:15.510Z\",\"user_id\":\"53e1d711-f18f-4a75-a86e-1c47bccff1b7\"},\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"total_targets\":21,\"type\":\"remote\",\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\"}", "type": [ "info" ] @@ -57,6 +58,25 @@ "progress": 100, "read": false, "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR", + "scan_details": { + "config_id": "a772daba-3d6d-412c-8ee0-3279b19650b2", + "created_at": "2020-02-05T23:11:49.342Z", + "metadata": { + "audited_pages": 1, + "crawled_urls": 1, + "queued_pages": 0, + "queued_urls": 0, + "request_count": 74, + "response_time": 0, + "scan_status": "stopping" + }, + "requested_action": "start", + "scan_id": "195", + "status": "completed", + "target": "http://192.0.2.119", + "updated_at": "2020-02-05T23:22:15.510Z", + "user_id": "53e1d711-f18f-4a75-a86e-1c47bccff1b7" + }, "schedule_uuid": "11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871", "shared": true, "starttime": "2022-07-08T03:30:00.000Z", 
@@ -77,4 +97,4 @@ "wizard_uuid": "32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf" } } -} \ No newline at end of file +} diff --git a/packages/tenable_io/docs/README.md b/packages/tenable_io/docs/README.md index 2472edb31cb..e2123bc972e 100644 --- a/packages/tenable_io/docs/README.md +++ b/packages/tenable_io/docs/README.md @@ -18,7 +18,7 @@ The Tenable Vulnerability Management integration collects logs for five types of **Vulnerability** is used to retrieve all vulnerabilities on each asset, including the vulnerability state. See more details in the API documentation [here](https://developer.tenable.com/reference/exports-vulns-request-export). -**Scan** is used to retrieve details about existing scans, including scan statuses, assigned targets, and more. See more details in the API documentation [here](https://developer.tenable.com/reference/scans-list). +**Scan** is used to retrieve details about existing scans and scan details, including scan statuses, assigned targets, and more. See more details in the API documentation for [Scan](https://developer.tenable.com/reference/scans-list) and [Scan Details](https://developer.tenable.com/reference/was-v2-scans-details). ## Compatibility 
@@ -1167,26 +1167,26 @@ An example event for `scan` looks as following: ```json { - "@timestamp": "2024-04-02T09:14:42.329Z", + "@timestamp": "2025-12-03T09:35:39.290Z", "agent": { - "ephemeral_id": "f945f2c2-fbaf-4b93-b6ca-7d51e6a0706d", - "id": "a0570906-16fc-4c38-821f-7c3aa6ed04bb", - "name": "docker-fleet-agent", + "ephemeral_id": "6c6451c2-8450-4887-a9dc-d0a16453249c", + "id": "db19321f-465d-4a59-869c-1b771084aa41", + "name": "elastic-agent-46431", "type": "filebeat", - "version": "8.12.0" + "version": "9.1.3" }, "data_stream": { "dataset": "tenable_io.scan", - "namespace": "ep", + "namespace": "47734", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a0570906-16fc-4c38-821f-7c3aa6ed04bb", + "id": "db19321f-465d-4a59-869c-1b771084aa41", "snapshot": false, - "version": "8.12.0" + "version": "9.1.3" }, "event": { "agent_id_status": "verified", 
@@ -1194,9 +1194,10 @@ An example event for `scan` looks as following: "configuration" ], "dataset": "tenable_io.scan", - "ingested": "2024-04-02T09:14:52Z", + "ingested": "2025-12-03T09:35:42Z", "kind": "state", - "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"has_triggers\":false,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client Discovery\",\"owner\":\"jdoe@contoso.com\",\"permissions\":128,\"policy_id\":194,\"progress\":100,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"total_targets\":21,\"type\":\"remote\",\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\"}", + "module": "tenable_io", + "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"has_triggers\":false,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client 
Discovery\",\"owner\":\"jdoe@contoso.com\",\"permissions\":128,\"policy_id\":194,\"progress\":100,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"scan_details\":{\"config_id\":\"a772daba-3d6d-412c-8ee0-3279b19650b2\",\"created_at\":\"2020-02-05T23:11:49.342Z\",\"metadata\":{\"audited_pages\":1,\"crawled_urls\":1,\"queued_pages\":0,\"queued_urls\":0,\"request_count\":74,\"response_time\":0,\"scan_status\":\"stopping\"},\"requested_action\":\"start\",\"scan_id\":\"195\",\"status\":\"completed\",\"target\":\"http://192.0.2.119\",\"updated_at\":\"2020-02-05T23:22:15.510Z\",\"user_id\":\"53e1d711-f18f-4a75-a86e-1c47bccff1b7\"},\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"total_targets\":21,\"type\":\"remote\",\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\"}", "type": [ "info" ] 
@@ -1225,6 +1226,25 @@ An example event for `scan` looks as following: "progress": 100, "read": false, "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR", + "scan_details": { + "config_id": "a772daba-3d6d-412c-8ee0-3279b19650b2", + "created_at": "2020-02-05T23:11:49.342Z", + "metadata": { + "audited_pages": 1, + "crawled_urls": 1, + "queued_pages": 0, + "queued_urls": 0, + "request_count": 74, + "response_time": 0, + "scan_status": "stopping" + }, + "requested_action": "start", + "scan_id": "195", + "status": "completed", + "target": "http://192.0.2.119", + "updated_at": "2020-02-05T23:22:15.510Z", + "user_id": "53e1d711-f18f-4a75-a86e-1c47bccff1b7" + }, "schedule_uuid": "11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871", "shared": true, "starttime": "2022-07-08T03:30:00.000Z", 
@@ -1278,6 +1298,21 @@ An example event for `scan` looks as following: | tenable_io.scan.progress | The progress of the scan ranging from 0 to 100. | long | | tenable_io.scan.read | A value indicating whether the user account associated with the request message has viewed the scan in the Tenable Vulnerability Management user interface. If 1, the user account has viewed the scan results. | boolean | | tenable_io.scan.rrules | The interval at which the scan repeats. The interval is formatted as a string of three values delimited by semi-colons. These values are the frequency (FREQ=ONETIME or DAILY or WEEKLY or MONTHLY or YEARLY), the interval (INTERVAL=1 or 2 or 3 ... x), and the days of the week (BYDAY=SU,MO,TU,WE,TH,FR,SA). For a scan that runs every three weeks on Monday Wednesday and Friday, the string would be FREQ=WEEKLY;INTERVAL=3;BYDAY=MO,WE,FR. If the scan is not scheduled to recur, this attribute is null. For more information, see rrules Format. | keyword | +| tenable_io.scan.scan_details.config_id | The unique identifier of the scan configuration. | keyword | +| tenable_io.scan.scan_details.created_at | The date and time when the scan was created. | date | +| tenable_io.scan.scan_details.metadata.audited_pages | The number of pages that have been audited. | long | +| tenable_io.scan.scan_details.metadata.crawled_urls | The number of URLs that have been crawled. | long | +| tenable_io.scan.scan_details.metadata.queued_pages | The number of pages queued for auditing. | long | +| tenable_io.scan.scan_details.metadata.queued_urls | The number of URLs queued for scanning. | long | +| tenable_io.scan.scan_details.metadata.request_count | The total number of requests made during the scan. | long | +| tenable_io.scan.scan_details.metadata.response_time | The average response time in milliseconds. | long | +| tenable_io.scan.scan_details.metadata.scan_status | The detailed scan status. 
| keyword | +| tenable_io.scan.scan_details.requested_action | The action requested for the scan (e.g., start, stop). | keyword | +| tenable_io.scan.scan_details.scan_id | The unique identifier for the scan. | keyword | +| tenable_io.scan.scan_details.status | The current status of the scan. | keyword | +| tenable_io.scan.scan_details.target | The target URL of the scan. | keyword | +| tenable_io.scan.scan_details.updated_at | The date and time when the scan was last updated. | date | +| tenable_io.scan.scan_details.user_id | The unique identifier of the user who created the scan. | keyword | | tenable_io.scan.schedule_uuid | The UUID for a specific instance in the scan schedule. | keyword | | tenable_io.scan.shared | If true, the scan is shared with users other than the scan owner. The level of sharing is specified in the acls attribute of the scan details. | boolean | | tenable_io.scan.starttime | For one-time scans, the starting time and date for the scan. For recurrent scans, the first date on which the scan schedule is active and the time that recurring scans launch based on the rrules attribute. | date | diff --git a/packages/tenable_io/manifest.yml b/packages/tenable_io/manifest.yml index 2bde0441dca..ffaaa0beec8 100644 --- a/packages/tenable_io/manifest.yml +++ b/packages/tenable_io/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.4.0" name: tenable_io title: Tenable Vulnerability Management -version: "4.6.1" +version: "4.7.0" description: Collect logs from Tenable Vulnerability Management with Elastic Agent. type: integration categories: