Tenable Vulnerability Management Audit Events
Tenable Vulnerability Management provides comprehensive audit logging for monitoring user activities, authentication events, and administrative actions. These logs capture information such as user authentication attempts, scan management operations, API access, and configuration changes. They help administrators track platform usage, ensure compliance, and audit changes for troubleshooting and security analysis.
Ingest Methods
Set up ingestion of this source using one of the following guides.
API Polling
Tenable supports API polling to collect audit log events from your Tenable Vulnerability Management platform.
Setup
- Go to Sources in RunReveal
- Click the Tenable source tile
- Give it a name and click Connect Source
- Fill in the required fields with your Tenable API credentials
Tenable API Key Configuration
To generate API keys for RunReveal:
Prerequisites:
- You will need an Administrator role (role ID 64) to access and create API keys
Creating the API Key:
- Sign in to Tenable Vulnerability Management as an Administrator
- Go to Settings > My Account
- Click Generate under the API Keys section
- Copy both the Access Key and Secret Key immediately
- Paste the Access Key and Secret Key into the RunReveal source configuration form
API Key Security: Each Tenable user account can only have one valid API key pair at a time. Generating a new key pair invalidates the previous one. Store your keys securely as the Secret Key will not be displayed again.
Tenable Event Types
The Tenable integration collects comprehensive audit events from your Tenable Vulnerability Management platform. These events provide visibility into user activities, platform operations, and administrative actions across your organization.
Event Categories Collected
User Authentication
- Password Authentication - User login attempts via username and password
- API Key Authentication - API access using access key and secret key pairs
- Session Management - User session creation, expiration, and logout events
Scan Management
- Scan Lifecycle - Scan creation, launch, pause, resume, and completion events
- Scan Configuration - Changes to scan templates, policies, and schedules
- Scanner Management - Scanner group creation, updates, and agent management
Administrative Actions
- User Management - User creation, role changes, group assignments, and account modifications
- Permission Changes - Updates to access controls, roles, and authorization policies
- Configuration Changes - Modifications to platform settings and organization preferences
API Access
- API Operations - REST API calls and their outcomes
- Export Operations - Vulnerability and asset export requests and completions
- Plugin Management - Plugin feed updates and custom plugin modifications
Event Data Structure
Each Tenable audit event includes:
- Actor Information - User ID, name, and authentication context
- Event Details - Action type, CRUD operation, timestamp, and description
- Target Information - Target resource ID, name, and type
- Status Flags - Whether the action was anonymous or resulted in a failure
- Additional Fields - Key-value pairs with extra context about the event
Data Collection
- Collection Method: API polling every 5 minutes
- Data Retention: Tenable provides audit events from the past 3 years
- Event Format: JSON with normalized fields for consistent querying
- Real-time Updates: New events appear in RunReveal within 5-10 minutes
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: tenable_audit_logs (47 columns)

| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| action | String |
| crud | String |
| actorID | String |
| actorName | String |
| targetID | String |
| targetName | String |
| targetType | String |
| description | String |
| isAnonymous | Bool |
| isFailure | Bool |
| fields | String |
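
A query over these columns that surfaces repeated failed actions per actor and source IP, as an added example that is not part of the original documentation. It assumes a ClickHouse-style SQL dialect, which matches the column types listed above; the 24-hour window and the threshold of 5 failures are illustrative values to tune for your environment.

```sql
-- Added example: failed Tenable audit events grouped by actor and source.
-- Window (24 hours) and threshold (5) are assumptions, not documented defaults.
SELECT
    actorName,
    actorID,
    srcIP,
    srcASCountryCode,
    count()                    AS failures,        -- failed events in the window
    groupUniqArray(action)     AS failed_actions,  -- distinct action types that failed
    groupUniqArray(targetType) AS target_types,    -- kinds of resources involved
    max(isAnonymous)           AS any_anonymous,   -- true if any event had no authenticated actor
    min(eventTime)             AS first_seen,
    max(eventTime)             AS last_seen
FROM tenable_audit_logs
WHERE eventTime >= now() - INTERVAL 24 HOUR
  AND isFailure = true
GROUP BY
    actorName,
    actorID,
    srcIP,
    srcASCountryCode
HAVING failures >= 5
ORDER BY failures DESC, last_seen DESC;
```

Because events are polled every 5 minutes, schedule this kind of query with a lookback that comfortably exceeds the ingestion delay so late-arriving events are not missed.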
Helpful Links
- Tenable Audit Log API - API reference for querying audit log events
- Tenable API Authorization - How to generate and use API keys for authentication