We've reorganized our navigation structure to align directly with your operational workflows. See the Google SecOps release notes for more information.

Collect Tenable Vulnerability Management logs

Supported in:

Google secops SIEM

This document explains how to ingest Tenable Vulnerability Management (formerly Tenable.io) logs to Google Security Operations. It describes two ingestion methods: a Cloud Storage pipeline that pulls data from the Tenable export API, and a Tenable Data Stream that pushes data to an Amazon S3 bucket. Choose the method that matches your environment.

Tenable Vulnerability Management (formerly Tenable.io) is a cloud-based vulnerability management platform powered by Nessus technology that provides comprehensive vulnerability coverage with the ability to predict which security issues to remediate first.

The parser extracts vulnerability and asset findings from Tenable JSON logs and maps the fields to the UDM, handling domain, IPv4 and IPv6 indicators, severity, and asset attributes.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Privileged access to the Tenable Vulnerability Managementconsole (the Administratorrole)
For Method 1 (Google Cloud Storage): a Google Cloud project with billing enabled and permissions to create Cloud Storage buckets, service accounts, Pub/Sub topics, Cloud Run functions, and Cloud Scheduler jobs
For Method 2 (Amazon S3): an AWS account with permissions to create S3 buckets and Identity and Access Management (IAM) roles and users

Choose one of the following methods:

Method 1: Google Cloud Storage. A Cloud Run function pulls vulnerability and asset data from the Tenable export API and writes it to a Cloud Storage bucket. Use this method to keep the pipeline entirely on Google Cloud.
Method 2: Amazon S3. Tenable Data Stream continuously pushes your Tenable data to an Amazon S3 bucket. Use this method if you prefer the built-in Tenable push integration. Tenable Data Stream supports Amazon S3 only.

Method 1: Google Cloud Storage

This method uses a Cloud Run function, triggered by Cloud Scheduler through Pub/Sub, to pull vulnerability and asset data from the Tenable Vulnerability Management export API and write it to a Cloud Storage bucket. Google SecOps then ingests the data from the bucket.

Collect Tenable Vulnerability Management API credentials

Sign in to Tenable Vulnerability Managementat https://cloud.tenable.com .
In the upper-right corner, click your user-profile icon and select My Account.
Click API Keys.
Click Generate.
Copy and save the Access Keyand Secret Key.

Note: The keys are shown only once. Generating new keys invalidates the existing keys. Use a dedicated integration user with at least the Basicrole.

Create a Google Cloud Storage bucket

In the Google Cloud console, go to Cloud Storage > Buckets.
Click Create.
Provide the following configuration details:
- Name: Enter a globally unique name (for example, tenable-vulnerability-logs ).
- Location type: Choose a location.
- Storage class: Select Standard.
Click Create.

Create a service account for the Cloud Run function

In the Google Cloud console, go to IAM & Admin > Service Accounts.
Click Create Service Account.
Provide the following configuration details:
- Service account name: Enter tenable-collector-sa .
- Service account description: Enter Service account for the Tenable export collector .
Click Create and Continue.
Click Done.

Grant the service account access to the bucket

Go to Cloud Storage > Buckets.
Click your bucket name (for example, tenable-vulnerability-logs ).
Go to the Permissionstab.
Click Grant access.
Provide the following configuration details:
- Add principals: Enter the service account email (for example, tenable-collector-sa@PROJECT_ID.iam.gserviceaccount.com ).
- Assign roles: Select Storage Object Admin.
Click Save.

Create a Pub/Sub topic

In the Google Cloud console, go to Pub/Sub > Topics.
Click Create topic.
Enter a Topic ID(for example, tenable-collector-trigger ).
Click Create.

Create the Cloud Run function to collect logs

The Cloud Run function is triggered by Pub/Sub messages from Cloud Scheduler. It authenticates to the Tenable export API with your API keys, runs the vulnerability and asset exports, and writes each export chunk to the bucket in JSON format.

In the Google Cloud console, go to Cloud Run.
Click Create service.
Select Functionto use the inline code editor.
Provide the following configuration details:
- Service name: Enter tenable-collector .
- Region: Select the region matching your bucket (for example, us-central1 ).
- Runtime: Select Python 3.12or later.
In the Triggersection:
1. Click Add trigger.
2. Select Cloud Pub/Sub.
3. In Select a Cloud Pub/Sub topic, select tenable-collector-trigger .
4. Click Save.
In the Authenticationsection, select Require authentication.
Expand Containers, Networking, Security, and on the Securitytab set Service accountto tenable-collector-sa .

On the Containers > Variables & Secretstab, add the following environment variables:

Variable name	Example value
`TIO_ACCESS_KEY`	`your-tenable-access-key`
`TIO_SECRET_KEY`	`your-tenable-secret-key`
`GCS_BUCKET`	`tenable-vulnerability-logs`
`GCS_PREFIX`	`tenable/`
`NUM_ASSETS`	`1000`
`ASSET_CHUNK_SIZE`	`1000`
`SEVERITIES`	`low,medium,high,critical`
`HTTP_TIMEOUT`	`120`

Set the Request timeoutto 600 seconds and Memoryto 512 MiBor higher.
Click Create. After the service is created, the inline code editor opens.

Add the function code

In the Function entry pointfield, enter main .
In the inline code editor, replace the contents of requirements.txt with the following:
```
 functions-framework==3.*
google-cloud-storage==2.*
requests==2.* 
```

Replace the contents of main.py with the following code:

  import 
  
 json 
 import 
  
 os 
 import 
  
 time 
 import 
  
 functions_framework 
 import 
  
 requests 
 from 
  
 google.cloud 
  
 import 
  storage 
 
 BASE 
 = 
 "https://cloud.tenable.com" 
 ACCESS_KEY 
 = 
 os 
 . 
 environ 
 [ 
 "TIO_ACCESS_KEY" 
 ] 
 SECRET_KEY 
 = 
 os 
 . 
 environ 
 [ 
 "TIO_SECRET_KEY" 
 ] 
 GCS_BUCKET 
 = 
 os 
 . 
 environ 
 [ 
 "GCS_BUCKET" 
 ] 
 GCS_PREFIX 
 = 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "GCS_PREFIX" 
 , 
 "tenable/" 
 ) 
 NUM_ASSETS 
 = 
 int 
 ( 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "NUM_ASSETS" 
 , 
 "1000" 
 )) 
 ASSET_CHUNK_SIZE 
 = 
 int 
 ( 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "ASSET_CHUNK_SIZE" 
 , 
 "1000" 
 )) 
 SEVERITIES 
 = 
 [ 
 s 
 for 
 s 
 in 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "SEVERITIES" 
 , 
 "low,medium,high,critical" 
 ) 
 . 
 split 
 ( 
 "," 
 ) 
 if 
 s 
 ] 
 HTTP_TIMEOUT 
 = 
 int 
 ( 
 os 
 . 
 environ 
 . 
 get 
 ( 
 "HTTP_TIMEOUT" 
 , 
 "120" 
 )) 
 HEADERS 
 = 
 { 
 "X-ApiKeys" 
 : 
 f 
 "accessKey= 
 { 
 ACCESS_KEY 
 } 
 ;secretKey= 
 { 
 SECRET_KEY 
 } 
 " 
 , 
 "Content-Type" 
 : 
 "application/json" 
 , 
 "Accept" 
 : 
 "application/json" 
 , 
 } 
 storage_client 
 = 
  storage 
 
 . 
  Client 
 
 () 
 def 
  
 _request 
 ( 
 method 
 , 
 path 
 , 
 ** 
 kwargs 
 ): 
  
 """Call the Tenable API, honoring HTTP 429 Retry-After. Do not multi-thread.""" 
 while 
 True 
 : 
 resp 
 = 
 requests 
 . 
 request 
 ( 
 method 
 , 
 f 
 " 
 { 
 BASE 
 }{ 
 path 
 } 
 " 
 , 
 headers 
 = 
 HEADERS 
 , 
 timeout 
 = 
 HTTP_TIMEOUT 
 , 
 ** 
 kwargs 
 ) 
 if 
 resp 
 . 
 status_code 
 == 
 429 
 : 
 time 
 . 
 sleep 
 ( 
 int 
 ( 
 resp 
 . 
 headers 
 . 
 get 
 ( 
 "Retry-After" 
 , 
 "30" 
 ))) 
 continue 
 resp 
 . 
 raise_for_status 
 () 
 return 
 resp 
 def 
  
 _write_chunk 
 ( 
 bucket 
 , 
 name 
 , 
 payload 
 ): 
  
 """Write one export chunk (a JSON array) to the bucket.""" 
 blob 
 = 
 bucket 
 . 
 blob 
 ( 
 f 
 " 
 { 
 GCS_PREFIX 
 }{ 
 name 
 } 
 " 
 ) 
 blob 
 . 
  upload_from_string 
 
 ( 
 json 
 . 
 dumps 
 ( 
 payload 
 ), 
 content_type 
 = 
 "application/json" 
 ) 
 def 
  
 _run_export 
 ( 
 bucket 
 , 
 label 
 , 
 request_path 
 , 
 status_kind 
 , 
 body 
 ): 
  
 """Request an export, poll until FINISHED, and write each chunk to the bucket.""" 
 export_uuid 
 = 
 _request 
 ( 
 "POST" 
 , 
 request_path 
 , 
 json 
 = 
 body 
 ) 
 . 
 json 
 ()[ 
 "export_uuid" 
 ] 
 written 
 = 
 set 
 () 
 while 
 True 
 : 
 status 
 = 
 _request 
 ( 
 "GET" 
 , 
 f 
 "/ 
 { 
 status_kind 
 } 
 /export/ 
 { 
 export_uuid 
 } 
 /status" 
 ) 
 . 
 json 
 () 
 for 
 chunk_id 
 in 
 status 
 . 
 get 
 ( 
 "chunks_available" 
 , 
 []): 
 if 
 chunk_id 
 in 
 written 
 : 
 continue 
 chunk 
 = 
 _request 
 ( 
 "GET" 
 , 
 f 
 "/ 
 { 
 status_kind 
 } 
 /export/ 
 { 
 export_uuid 
 } 
 /chunks/ 
 { 
 chunk_id 
 } 
 " 
 ) 
 . 
 json 
 () 
 _write_chunk 
 ( 
 bucket 
 , 
 f 
 " 
 { 
 label 
 } 
 _ 
 { 
 export_uuid 
 } 
 _ 
 { 
 chunk_id 
 } 
 .json" 
 , 
 chunk 
 ) 
 written 
 . 
 add 
 ( 
 chunk_id 
 ) 
 state 
 = 
 status 
 . 
 get 
 ( 
 "status" 
 ) 
 if 
 state 
 == 
 "FINISHED" 
 : 
 break 
 if 
 state 
 in 
 ( 
 "ERROR" 
 , 
 "CANCELLED" 
 ): 
 raise 
 RuntimeError 
 ( 
 f 
 " 
 { 
 label 
 } 
 export 
 { 
 export_uuid 
 } 
 ended as 
 { 
  state 
 
 } 
 " 
 ) 
 time 
 . 
 sleep 
 ( 
 15 
 ) 
 print 
 ( 
 f 
 " 
 { 
 label 
 } 
 : wrote 
 { 
 len 
 ( 
 written 
 ) 
 } 
 chunk(s) for export 
 { 
 export_uuid 
 } 
 " 
 ) 
 @functions_framework 
 . 
 cloud_event 
 def 
  
 main 
 ( 
 cloud_event 
 ): 
 bucket 
 = 
 storage_client 
 . 
  bucket 
 
 ( 
 GCS_BUCKET 
 ) 
 # Vulnerabilities: request path and status/chunk paths both use /vulns/export; body uses num_assets. 
 _run_export 
 ( 
 bucket 
 , 
 "vulns" 
 , 
 "/vulns/export" 
 , 
 "vulns" 
 , 
 { 
 "num_assets" 
 : 
 NUM_ASSETS 
 , 
 "include_unlicensed" 
 : 
 False 
 , 
 "filters" 
 : 
 { 
 "severity" 
 : 
 SEVERITIES 
 }}, 
 ) 
 # Assets: request path is /assets/v2/export (body uses chunk_size); status/chunk paths drop the v2. 
 _run_export 
 ( 
 bucket 
 , 
 "assets" 
 , 
 "/assets/v2/export" 
 , 
 "assets" 
 , 
 { 
 "chunk_size" 
 : 
 ASSET_CHUNK_SIZE 
 }, 
 ) 
 return 
 "ok"

Click Save and deploy.

Create a Cloud Scheduler job

In the Google Cloud console, go to Cloud Scheduler.
Click Create job.
Provide the following configuration details:
- Name: Enter tenable-collector-schedule .
- Region: Select the same region as the Cloud Run function.
- Frequency: Enter a cron schedule (for example, 0 */6 * * * to run every six hours).
- Timezone: Select your timezone.
For Target type, select Pub/Sub.
Select the tenable-collector-trigger topic.
In the Message body, enter run .
Click Create.

Configure a feed in Google SecOps to ingest from Google Cloud Storage

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Tenable Vulnerability Management GCS ).
Select Google Cloud Storage V2as the Source type.
Select tenable.ioas the Log type.
Click Get Service Account. Copy the displayed service account email.
Click Next.
Specify values for the following input parameters:
- Storage bucket URI: Enter the bucket URI, including the prefix (for example, gs://tenable-vulnerability-logs/tenable/ ).
- Source deletion option: Select the deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
Click Next, review the configuration, and then click Submit.

Grant the Google SecOps service account access to the bucket

Go to Cloud Storage > Bucketsand click your bucket name.
Go to the Permissionstab and click Grant access.
In Add principals, enter the service account email you copied from the feed.
Assign the Storage Object Viewerrole (or Storage Object Adminif you selected a source deletion option).
Click Save.

Method 2: Amazon S3

This method uses Tenable Data Stream to continuously push your Tenable data to an Amazon S3 bucket in JSON format. Google SecOps then ingests the data from the bucket. Tenable Data Stream supports Amazon S3 only and authenticates to your AWS account using an IAM role that Tenable assumes (a cross-account trust relationship with an External ID).

Create an Amazon S3 bucket

Create an Amazon S3 bucketby following the AWS guide: Creating a bucket .
Save the bucket Nameand Regionfor later reference (for example, tenable-vm-logs ).

Create an IAM role for Tenable Data Stream

Tenable assumes this role to write data to your bucket. Tenable provides the exact trust policy and bucket policy in the console, including the Tenable AWS account and a generated External ID.

In Tenable Vulnerability Management, go to Settings > Tenable Data Streamand click Add an Integration. Keep this dialog open to copy the trust policy and External ID in a later step.
In the AWS console, go to IAM > Roles > Create role.

Select Custom trust policyand paste the trust policy from the Tenable IAM Role Guidelinespanel (click Copy Trust Policy). The trust policy has the following shape:

  { 
  
 "Version" 
 : 
  
 "2012-10-17" 
 , 
  
 "Statement" 
 : 
  
 [ 
  
 { 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Principal" 
 : 
  
 { 
  
 "AWS" 
 : 
  
 "arn:aws:iam::<TENABLE_AWS_ACCOUNT_ID>:root" 
  
 }, 
  
 "Action" 
 : 
  
 "sts:AssumeRole" 
 , 
  
 "Condition" 
 : 
  
 { 
  
 "StringEquals" 
 : 
  
 { 
  
 "sts:ExternalId" 
 : 
  
 "<TENABLE_EXTERNAL_ID>" 
  
 } 
  
 } 
  
 } 
  
 ] 
 }

Click Next, then create and attach a policy that grants Tenable write access to the bucket (replace tenable-vm-logs with your bucket name):

  { 
  
 "Version" 
 : 
  
 "2012-10-17" 
 , 
  
 "Statement" 
 : 
  
 [ 
  
 { 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 [ 
 "s3:PutObject" 
 , 
  
 "s3:GetBucketLocation" 
 , 
  
 "s3:ListBucket" 
 ], 
  
 "Resource" 
 : 
  
 [ 
  
 "arn:aws:s3:::tenable-vm-logs" 
 , 
  
 "arn:aws:s3:::tenable-vm-logs/*" 
  
 ] 
  
 } 
  
 ] 
 }

Enter a role name (for example, TenableDataStreamRole ) and click Create role. Save the Role Nameand your AWS Account ID.

Configure Tenable Data Stream

Return to the Add an Integrationdialog in Tenable Vulnerability Management( Settings > Tenable Data Stream).
Provide the following configuration details:
- Integration Name: Enter a descriptive name (for example, Google SecOps Integration ).
- Integration Type: Select AWS S3(the only available option).
- Integration Data: Select the data types to stream (for example, Assets, Vulnerabilities, and Host Audit).
- Email Notification(optional): Enter an email address to be notified if the stream state changes.
Click Nextand provide the IAM role details:
- AWS Account ID: Enter your AWS account ID.
- IAM Role Name: Enter the role you created (for example, TenableDataStreamRole ).
- External ID: Use the External ID shown by Tenable in this dialog (the same value referenced in the trust policy).
Click Nextand provide the bucket details:
- S3 Bucket Name: Enter your bucket name (for example, tenable-vm-logs ).
- Path Prefix: Enter a prefix for organizing files (for example, tenable/ ).
Click Save. Tenable continuously writes JSON data to your bucket.

Note: Don't delete the role, change its trust relationship, or remove the bucket permissions after setup, because these are the most common causes of a failed stream.

Create an IAM user for Google SecOps to read the bucket

Google SecOps reads the bucket using a separate read-only IAM user (this identity is independent of the role Tenable uses to write).

In the AWS console, go to IAM > Users > Create user.
Enter a username (for example, secops-tenable-reader ) and click Next.
Click Next, then Create user.

Select the user, go to the Permissionstab, and click Add permissions > Create inline policy > JSON. Paste the following read-only policy (replace tenable-vm-logs with your bucket name):

  { 
  
 "Version" 
 : 
  
 "2012-10-17" 
 , 
  
 "Statement" 
 : 
  
 [ 
  
 { 
  
 "Effect" 
 : 
  
 "Allow" 
 , 
  
 "Action" 
 : 
  
 [ 
 "s3:GetObject" 
 , 
  
 "s3:ListBucket" 
 , 
  
 "s3:GetBucketLocation" 
 ], 
  
 "Resource" 
 : 
  
 [ 
  
 "arn:aws:s3:::tenable-vm-logs" 
 , 
  
 "arn:aws:s3:::tenable-vm-logs/*" 
  
 ] 
  
 } 
  
 ] 
 }

Go to the Security credentialstab and click Create access key.
Select Third-party serviceas the use case, click Next, then Create access key.
Copy and save the Access keyand Secret access key.

Configure a feed in Google SecOps to ingest from Amazon S3

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Tenable Vulnerability Management S3 ).
Select Amazon S3 V2as the Source type.
Select tenable.ioas the Log type.
Click Next.
Specify values for the following input parameters:
- S3 URI: Enter the bucket URI, including the prefix (for example, s3://tenable-vm-logs/tenable/ ).
- Source deletion option: Select the deletion option according to your preference.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Access Key ID: Enter the read-only IAM user access key.
- Secret Access Key: Enter the read-only IAM user secret key.
Click Next, review the configuration, and then click Submit.

UDM mapping table

Log Field	UDM Mapping	Logic
`payload.path`	`about.file.full_path`	Directly mapped
`payload.md5`	`about.file.md5`	Directly mapped
`asset.uuid`	`entity.asset.asset_id`	Directly mapped
`id`	`entity.asset.asset_id`	Directly mapped
`payload_id`	`entity.asset.asset_id`	Directly mapped
`ssh_fingerprints.0`	`entity.asset.attribute.labels.value`	Directly mapped
`system_types.0`	`entity.asset.attribute.labels.value`	Directly mapped
`asset.hostname`	`entity.asset.hostname`	Directly mapped
`asset.last_scan_target`	`entity.asset.hostname`	Directly mapped
`host`	`entity.asset.hostname`	Directly mapped
`scan.target`	`entity.asset.hostname`	Directly mapped
`asset.ipv4`	`entity.asset.ip`	Merged
`ip`	`entity.asset.ip`	Merged
`ipaddr`	`entity.asset.ip`	Merged
`prinIP`	`entity.asset.ip`	Merged
`scan_ipaddr`	`entity.asset.ip`	Merged
`updateIndex`	`entity.asset.ip`	Mapped: `0` → `update_ipv4_0`
`update_ipv4_0`	`entity.asset.ip`	Merged
`asset.mac_address`	`entity.asset.mac`	Merged
`mac`	`entity.asset.mac`	Merged
`fqdns.0`	`entity.asset.network_domain`	Directly mapped
`netbios_names.0`	`entity.asset.network_domain`	Directly mapped
`os_family`	`entity.asset.platform_software.platform`	Directly mapped
`asset.operating_system.0`	`entity.asset.platform_software.platform_version`	Directly mapped
`asset.uuid`	`entity.asset.product_object_id`	Directly mapped
`id`	`entity.asset.product_object_id`	Directly mapped
`payload_id`	`entity.asset.product_object_id`	Directly mapped
`vuln.vulnerabilities`	`entity.asset.vulnerabilities`	Merged
`vuln1.vulnerabilities`	`entity.asset.vulnerabilities`	Merged
`vuln2.vulnerabilities`	`entity.asset.vulnerabilities`	Merged
`asset.device_type`	`metadata.description`	Directly mapped
`plugin.description`	`metadata.description`	Directly mapped
`has_entity_asset`	`metadata.entity_type`	Mapped: `true` → `ASSET`
`first_found`	`metadata.event_timestamp`	Parsed as `ISO8601`
`last_found`	`metadata.event_timestamp`	Parsed as `ISO8601`
`scan.completed_at`	`metadata.event_timestamp`	Parsed as `ISO8601`
`scan.started_at`	`metadata.event_timestamp`	Parsed as `ISO8601`
`has_entity_asset`	`metadata.product_name`	Mapped: `true` → `Tenable IO`
`has_entity_asset`	`metadata.vendor_name`	Mapped: `true` → `Tenable IO`
`port.protocol`	`network.ip_protocol`	Directly mapped
`asset.network_id`	`network.session_id`	Directly mapped
`sec_res.description`	`security_result.description`	Directly mapped
`asset_agent_uuid_label`	`security_result.detection_fields`	Merged
`asset_bios_uuid_label`	`security_result.detection_fields`	Merged
`asset_netbios_name_label`	`security_result.detection_fields`	Merged
`finding_id_label`	`security_result.detection_fields`	Merged
`plugin_family_id_label`	`security_result.detection_fields`	Merged
`plugin_family_label`	`security_result.detection_fields`	Merged
`plugin_risk_factor_label`	`security_result.detection_fields`	Merged
`plugin_xrefs_label`	`security_result.detection_fields`	Merged
`risk_factor_label`	`security_result.detection_fields`	Merged
`scan_label`	`security_result.detection_fields`	Merged
`scan_schedule_uuid_label`	`security_result.detection_fields`	Merged
`scan_started_at_label`	`security_result.detection_fields`	Merged
`scan_uuid_label`	`security_result.detection_fields`	Merged
`see_also_label`	`security_result.detection_fields`	Merged
`severity_default_id_label`	`security_result.detection_fields`	Merged
`severity_id_label`	`security_result.detection_fields`	Merged
`severity_label`	`security_result.detection_fields`	Merged
`severity_modification_type_label`	`security_result.detection_fields`	Merged
`update_finding_id_label`	`security_result.detection_fields`	Merged
`update_first_scan_time_label`	`security_result.detection_fields`	Merged
`update_last_licensed_scan_date_label`	`security_result.detection_fields`	Merged
`update_last_scan_id_label`	`security_result.detection_fields`	Merged
`update_last_scan_time_label`	`security_result.detection_fields`	Merged
`update_last_schedule_id_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_access_complexity_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_access_vector_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_authentication_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_availability_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_confidentiality_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_integrity_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_privileges_required_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_raw_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss3_vector_user_interaction_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_base_score_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_access_complexity_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_access_vector_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_authentication_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_availability_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_confidentiality_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_integrity_impact_label`	`security_result.detection_fields`	Merged
`update_plugin_cvss_vector_raw_label`	`security_result.detection_fields`	Merged
`update_plugin_see_also_label`	`security_result.detection_fields`	Merged
`update_plugin_stig_severity_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_driver_cvss3_impact_score_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_age_of_vuln_lower_bound_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_age_of_vuln_upper_bound_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_cvss_impact_score_predicted_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_exploit_code_maturity_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_product_coverage_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_threat_intensity_last28_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_threat_recency_lower_bound_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_drivers_threat_recency_upper_bound_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_score_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_updated_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_cve_id_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_exploit_code_maturity_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_in_the_news_intensity_last30_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_in_the_news_recency_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_malware_observations_intensity_last30_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_malware_observations_recency_label`	`security_result.detection_fields`	Merged
`update_plugin_vpr_v2_on_cisa_kev_label`	`security_result.detection_fields`	Merged
`update_plugin_vuln_publication_date_label`	`security_result.detection_fields`	Merged
`update_plugin_xrefs_id_type_label`	`security_result.detection_fields`	Merged
`update_plugin_xrefs_type_label`	`security_result.detection_fields`	Merged
`update_scan_started_at_label`	`security_result.detection_fields`	Merged
`update_severity_default_id_label`	`security_result.detection_fields`	Merged
`update_severity_id_label`	`security_result.detection_fields`	Merged
`update_severity_modification_type_label`	`security_result.detection_fields`	Merged
`updates_asset_netbios_name_label`	`security_result.detection_fields`	Merged
`updates_plugin_vpr_v2_exploit_probability_label`	`security_result.detection_fields`	Merged
`updates_plugin_vpr_v2_label`	`security_result.detection_fields`	Merged
`updates_plugin_vpr_v2_percentile_label`	`security_result.detection_fields`	Merged
`updates_plugin_vpr_v2_vpr_severity_label`	`security_result.detection_fields`	Merged
`version_label`	`security_result.detection_fields`	Merged
`xref_label`	`security_result.detection_fields`	Merged
`severity`	`security_result.severity`	Directly mapped
N/A	`entity.asset.attribute.labels.key`	Constant: `ssh_fingerprints`
N/A	`metadata.entity_type`	Constant: `ASSET`
N/A	`metadata.product_name`	Constant: `Tenable IO`
N/A	`metadata.vendor_name`	Constant: `Tenable IO`
N/A	`security_result.severity`	Constant: `CRITICAL`

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.