elastic · ShourieG · Dec 2, 2025 · Dec 3, 2025 · Dec 3, 2025 · Dec 3, 2025
@@ -18,7 +18,7 @@ The Tenable Vulnerability Management integration collects logs for five types of
 
 **Vulnerability** is used to retrieve all vulnerabilities on each asset, including the vulnerability state. See more details in the API documentation [here](https://developer.tenable.com/reference/exports-vulns-request-export).
 
-**Scan** is used to retrieve details about existing scans, including scan statuses, assigned targets, and more. See more details in the API documentation [here](https://developer.tenable.com/reference/scans-list).
+**Scan** is used to retrieve details about existing scans and scan details, including scan statuses, assigned targets, and more. See more details in the API documentation for [Scan](https://developer.tenable.com/reference/scans-list) and [Scan Details](https://developer.tenable.com/reference/was-v2-scans-details).
 
 ## Compatibility
 

@@ -62,6 +62,22 @@ rules:
                   {"id":226,"name":"Targeted Scans","type":"custom","custom":1,"unread_count":0,"default_tag":0}
               ]
           }
+  - path: /was/v2/scans/195
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {
+            "scan_id":"195","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}
+          }
+  - path: /was/v2/scans/423
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {
+            "scan_id":"423","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}
+          }
   - path: /audit-log/v1/events
     methods: ["GET"]
     query_params:

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.7.0"
+  changes:
+    - description: Added scan details to the scan data stream from the WAS v2 scan details API.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16222
 - version: "4.6.1"
   changes:
     - description: Remove duplicated field definitions in transform.

@@ -1,2 +1,3 @@
 {"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"[email protected]","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759}}
-{"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group B","owner":"[email protected]","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}}
+{"control":true,"creation_date":1683043551,"enabled":true,"id":423,"last_modification_date":1683049400,"legacy":false,"name":"Client Vulnerabiltiy Scan Group B","owner":"[email protected]","policy_id":422,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=TU","schedule_uuid":"1d63c64e-a5d1-df57-0ecf-9f0e288d8a45fe84bcd54e39daaf","shared":true,"starttime":"20220714T090000","status":"completed","template_uuid":"731a8e52-3ea6-a291-ec0a-d2ff0d8af595bcd788d6be818b65","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a2389003-fec1-a45d-a45d-aece258c4133","wizard_uuid":"731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65","progress":100,"total_targets":2538,"status_times":{"initializing":6099,"pending":57966,"processing":393,"publishing":240537,"running":5544031}}
+{"control":true,"creation_date":1683282785,"enabled":true,"id":195,"last_modification_date":1683283158,"legacy":false,"name":"Client Discovery","owner":"[email protected]","policy_id":194,"read":false,"rrules":"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR","schedule_uuid":"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871","shared":true,"starttime":"20220708T033000","status":"completed","template_uuid":"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf","timezone":"America/Los_Angeles","has_triggers":false,"type":"remote","permissions":128,"user_permissions":128,"uuid":"a456ef1c-cbd4-ad41-f654-119b766ff61f","wizard_uuid":"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf","progress":100,"total_targets":21,"status_times":{"initializing":2623,"pending":52799,"processing":1853,"publishing":300329,"running":15759},"scan_details":{"scan_id":"7f2fc25a-bdd8-4ad4-91dd-b9563ed69560","user_id":"53e1d711-f18f-4a75-a86e-1c47bccff1b7","config_id":"a772daba-3d6d-412c-8ee0-3279b19650b2","target":"http://192.0.2.119","created_at":"2020-02-05T23:11:49.342Z","updated_at":"2020-02-05T23:22:15.510Z","requested_action":"start","status":"completed","metadata":{"queued_urls":0,"scan_status":"stopping","crawled_urls":1,"queued_pages":0,"audited_pages":1,"request_count":74,"response_time":0}}}
@@ -109,6 +109,80 @@
                     "wizard_uuid": "731a8e52-a4d5-54f2-acd4-d2ffd7afec9645d788d6be818b65"
                 }
             }
+        },
+        {
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "configuration"
+                ],
+                "kind": "state",
+                "original": "{\"control\":true,\"creation_date\":1683282785,\"enabled\":true,\"id\":195,\"last_modification_date\":1683283158,\"legacy\":false,\"name\":\"Client Discovery\",\"owner\":\"[email protected]\",\"policy_id\":194,\"read\":false,\"rrules\":\"FREQ=WEEKLY;INTERVAL=1;BYDAY=FR\",\"schedule_uuid\":\"11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871\",\"shared\":true,\"starttime\":\"20220708T033000\",\"status\":\"completed\",\"template_uuid\":\"a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf\",\"timezone\":\"America/Los_Angeles\",\"has_triggers\":false,\"type\":\"remote\",\"permissions\":128,\"user_permissions\":128,\"uuid\":\"a456ef1c-cbd4-ad41-f654-119b766ff61f\",\"wizard_uuid\":\"32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf\",\"progress\":100,\"total_targets\":21,\"status_times\":{\"initializing\":2623,\"pending\":52799,\"processing\":1853,\"publishing\":300329,\"running\":15759},\"scan_details\":{\"scan_id\":\"7f2fc25a-bdd8-4ad4-91dd-b9563ed69560\",\"user_id\":\"53e1d711-f18f-4a75-a86e-1c47bccff1b7\",\"config_id\":\"a772daba-3d6d-412c-8ee0-3279b19650b2\",\"target\":\"http://192.0.2.119\",\"created_at\":\"2020-02-05T23:11:49.342Z\",\"updated_at\":\"2020-02-05T23:22:15.510Z\",\"requested_action\":\"start\",\"status\":\"completed\",\"metadata\":{\"queued_urls\":0,\"scan_status\":\"stopping\",\"crawled_urls\":1,\"queued_pages\":0,\"audited_pages\":1,\"request_count\":74,\"response_time\":0}}}",
+                "type": [
+                    "info"
+                ]
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "tenable_io": {
+                "scan": {
+                    "control": true,
+                    "creation_date": "2023-05-05T10:33:05.000Z",
+                    "enabled": true,
+                    "has_triggers": false,
+                    "id": 195,
+                    "last_modification_date": "2023-05-05T10:39:18.000Z",
+                    "legacy": false,
+                    "name": "Client Discovery",
+                    "owner": "[email protected]",
+                    "permissions": 128,
+                    "policy_id": 194,
+                    "progress": 100,
+                    "read": false,
+                    "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR",
+                    "scan_details": {
+                        "config_id": "a772daba-3d6d-412c-8ee0-3279b19650b2",
+                        "created_at": "2020-02-05T23:11:49.342Z",
+                        "metadata": {
+                            "audited_pages": 1,
+                            "crawled_urls": 1,
+                            "queued_pages": 0,
+                            "queued_urls": 0,
+                            "request_count": 74,
+                            "response_time": 0,
+                            "scan_status": "stopping"
+                        },
+                        "requested_action": "start",
+                        "scan_id": "7f2fc25a-bdd8-4ad4-91dd-b9563ed69560",
+                        "status": "completed",
+                        "target": "http://192.0.2.119",
+                        "updated_at": "2020-02-05T23:22:15.510Z",
+                        "user_id": "53e1d711-f18f-4a75-a86e-1c47bccff1b7"
+                    },
+                    "schedule_uuid": "11c56dea-as5f-65ce-ad45-9978045df65ecade45b6e3a76871",
+                    "shared": true,
+                    "starttime": "2022-07-08T03:30:00.000Z",
+                    "status": "completed",
+                    "status_times": {
+                        "initializing": 2623,
+                        "pending": 52799,
+                        "processing": 1853,
+                        "publishing": 300329,
+                        "running": 15759
+                    },
+                    "template_uuid": "a1efc3b4-cd45-a65d-fbc4-0079ebef4a56cd32a05ec2812bcf",
+                    "timezone": "America/Los_Angeles",
+                    "total_targets": 21,
+                    "type": "remote",
+                    "user_permissions": 128,
+                    "uuid": "a456ef1c-cbd4-ad41-f654-119b766ff61f",
+                    "wizard_uuid": "32cbd657-fe65-a45e-a45f-0079eb89e56a1c23fd5ec2812bcf"
+                }
+            }
         }
     ]
 }
@@ -22,36 +22,82 @@ redact:
     - access_key
     - secret_key
 program: |
-  request("GET", state.url.trim_right("/") + "/scans").with({
-    "Header":{
-      "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key],
-      "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"]
-    }
-  }).do_request().as(resp,
-    resp.StatusCode == 200 ?
-      bytes(resp.Body).decode_json().as(body, {
-        "events": has(body.scans) ? body.scans.map(e, { "message": e.encode_json() }) : [{}],
-        "access_key": state.access_key,
-        "secret_key": state.secret_key
-      })
+  // Using worklist pattern: fetch scans, then process one at a time fetching details for each
+  state.with(
+    // If worklist has scans, skip fetching and proceed to details
+    (has(state.worklist) && size(state.worklist) > 0) ?
+      {}
     :
-      {
-        "events": {
-          "error": {
-            "code": string(resp.StatusCode),
-            "id": string(resp.Status),
-            "message": "GET:"+(
-              size(resp.Body) != 0 ?
-                string(resp.Body)
-              :
-                string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
-            ),
-          },
-        },
-        "access_key": state.access_key,
-        "secret_key": state.secret_key
-      }
+      // Fetch all scans and populate worklist
+      request("GET", state.url.trim_right("/") + "/scans").with({
+        "Header": {
+          "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key],
+          "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"]
+        }
+      }).do_request().as(resp,
+        resp.StatusCode == 200 ?
+          bytes(resp.Body).decode_json().as(body, {
+            "worklist": has(body.scans) ? body.scans : [],
+          })
+        :
+          {
+            "events": {
+              "error": {
+                "code": string(resp.StatusCode),
+                "id": string(resp.Status),
+                "message": "GET /scans: " + (
+                  size(resp.Body) != 0 ?
+                    string(resp.Body)
+                  :
+                    string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+                )
+              }
+            },
+            "want_more": false
+          }
+      )
+  ).as(state,
+    // Process first scan in worklist
+    (has(state.worklist) && size(state.worklist) > 0) ?
+      state.worklist[0].as(scan,
+        state.with(
+          request("GET", state.url.trim_right("/") + "/was/v2/scans/" + string(scan.id)).with({
+            "Header": {
+              "X-ApiKeys": ["accessKey=" + state.access_key + ";secretKey=" + state.secret_key],
+              "User-Agent": ["Integration/1.0 (Elastic; Tenable.io; Build/3.0.0)"]
+            }
+          }).do_request().as(details_resp,
+            details_resp.StatusCode == 200 ?
+              bytes(details_resp.Body).decode_json().as(scan_details, {
+                "events": [{"message": scan.with({"scan_details": scan_details}).encode_json()}],
+                "worklist": size(state.worklist) > 1 ? tail(state.worklist) : [],
+                "want_more": size(state.worklist) > 1
+              })
+            :
+              {
+                "events": {
+                  "error": {
+                    "code": string(details_resp.StatusCode),
+                    "id": string(details_resp.Status),
+                    "message": "GET /was/v2/scans/" + string(scan.id) + ": " + (
+                      size(details_resp.Body) != 0 ?
+                        string(details_resp.Body)
+                      :
+                        string(details_resp.Status) + ' (' + string(details_resp.StatusCode) + ')'
+                    )
+                  }
+                },
+                "worklist": size(state.worklist) > 1 ? tail(state.worklist) : [],
+                "want_more": size(state.worklist) > 1
+              }
+          )
+        )
+      )
+    :
+      // No worklist or worklist is empty - pass through state
+      state
   )
+
 tags:
 {{#if preserve_original_event}}
   - preserve_original_event

@@ -55,6 +55,18 @@ processors:
       if: ctx.json?.starttime != null && ctx.json.starttime != ''
       formats:
         - yyyyMMdd'T'HHmmss
+  - date:
+      field: json.scan_details.created_at
+      target_field: json.scan_details.created_at
+      if: ctx.json?.scan_details?.created_at != null && ctx.json.scan_details.created_at != ''
+      formats:
+        - ISO8601
+  - date:
+      field: json.scan_details.updated_at
+      target_field: json.scan_details.updated_at
+      if: ctx.json?.scan_details?.updated_at != null && ctx.json.scan_details.updated_at != ''
+      formats:
+        - ISO8601
   - rename:
       field: json
       target_field: tenable_io.scan

@@ -88,3 +88,56 @@
           type: long
         - name: running
           type: long
+    - name: scan_details
+      type: group
+      description: Detailed scan information from the WAS v2 scan details API.
+      fields:
+        - name: scan_id
+          type: keyword
+          description: The unique identifier for the scan.
+        - name: user_id
+          type: keyword
+          description: The unique identifier of the user who created the scan.
+        - name: config_id
+          type: keyword
+          description: The unique identifier of the scan configuration.
+        - name: target
+          type: keyword
+          description: The target URL of the scan.
+        - name: created_at
+          type: date
+          description: The date and time when the scan was created.
+        - name: updated_at
+          type: date
+          description: The date and time when the scan was last updated.
+        - name: requested_action
+          type: keyword
+          description: The action requested for the scan (e.g., start, stop).
+        - name: status
+          type: keyword
+          description: The current status of the scan.
+        - name: metadata
+          type: group
+          description: Metadata about the scan progress and statistics.
+          fields:
+            - name: queued_urls
+              type: long
+              description: The number of URLs queued for scanning.
+            - name: scan_status
+              type: keyword
+              description: The detailed scan status.
+            - name: crawled_urls
+              type: long
+              description: The number of URLs that have been crawled.
+            - name: queued_pages
+              type: long
+              description: The number of pages queued for auditing.
+            - name: audited_pages
+              type: long
+              description: The number of pages that have been audited.
+            - name: request_count
+              type: long
+              description: The total number of requests made during the scan.
+            - name: response_time
+              type: long
+              description: The average response time in milliseconds.