Tenable.sc

edit

Version

1.26.0 (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

The Tenable Security Center integration collects and parses data from the Tenable Security Center APIs.

Compatibility

edit

This module has been tested against Tenable.sc version 5.23 and Tenable.sc version 6.4.0.

Requirements

edit

In order to ingest data from the Tenable.sc you must have the Access key and Secret Key.

Enable API keys to allow users to perform API key authentication.

See Tenable’s documentation for more information on:

The default value is the recommended value for a batch size by Tenable. It can be found under Advanced Options and can be configured as per requirements. A very large value might not work as intended depending on the API and instance limitations.

Logs

edit
Asset
edit

This is the asset dataset.

Example

An example event for asset looks as following:

{
    "@timestamp": "2023-09-22T18:00:18.358Z",
    "agent": {
        "ephemeral_id": "87389b96-4d7e-4a86-a055-4d34d251c4c0",
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "tenable_sc.asset",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "host"
        ],
        "created": "2023-09-22T18:00:18.358Z",
        "dataset": "tenable_sc.asset",
        "ingested": "2023-09-22T18:00:21Z",
        "kind": "state",
        "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}",
        "type": [
            "info"
        ]
    },
    "host": {
        "domain": "example",
        "hostname": "rnkmigauv2l8zeyf.example",
        "ip": [
            "0.0.228.153"
        ],
        "mac": [
            "00-00-00-47-05-0D"
        ],
        "name": "rnkmigauv2l8zeyf"
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "hosts": [
            "rnkmigauv2l8zeyf.example",
            "rnkmigauv2l8zeyf",
            "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE"
        ],
        "ip": [
            "0.0.228.153"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "tenable_sc-asset"
    ],
    "tenable_sc": {
        "asset": {
            "bios": {
                "guid": "9e8c4d43-982b-4405-a76c-d56c1d6cf117"
            },
            "custom_hash": "ilZiksv+pbvyBkKXgFRLGuMuUovfGI0pjIX5yLMp+I8=",
            "dns": {
                "name": "rnkmigauv2l8zeyf.example"
            },
            "host_uniqueness": "repositoryID,ip,dnsName",
            "ip": "0.0.228.153",
            "mac": "00-00-00-47-05-0D",
            "netbios": {
                "name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE"
            },
            "os_cpe": "cpe:/o:microsoft:windows_10:::x64-home",
            "plugin_set": "201901281542",
            "policy": {
                "name": "Basic Agent Scan"
            },
            "repository": {
                "data_format": "IPv4",
                "id": "2",
                "name": "Staged-Large",
                "sci": {
                    "id": "1"
                }
            },
            "score": 307,
            "severity": {
                "critical": 6,
                "high": 4,
                "info": 131,
                "low": 0,
                "medium": 9
            },
            "total": 150,
            "uniqueness": "repositoryID,ip,dnsName",
            "uuid": "4add65d0-27fc-491c-91ba-3f498a61f49e"
        }
    }
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Input type

keyword

log.offset

Log offset

long

tenable_sc.asset.bios.guid

GUID of bios.

keyword

tenable_sc.asset.custom_hash

Hash representing the values of the field names mentioned in uniqueness field in order to uniquely identify an asset.

keyword

tenable_sc.asset.dns.name

DNS name of the asset.

keyword

tenable_sc.asset.host_uniqueness

Host Uniqueness.

keyword

tenable_sc.asset.ip

The IPv4 address of the asset.

keyword

tenable_sc.asset.last_auth_run

The timestamp of last auth run.

keyword

tenable_sc.asset.last_unauth_run

The timestamp of last unauth run.

keyword

tenable_sc.asset.mac

The mac address of the asset.

keyword

tenable_sc.asset.mcafee.guid

GUID of McAfee.

keyword

tenable_sc.asset.netbios.name

Name of netbios of the asset.

keyword

tenable_sc.asset.os_cpe

OS CPE (Common Platform Enumeration is a standardized way to name software applications, operating systems, and hardware platforms).

keyword

tenable_sc.asset.plugin_set

The plugin set the asset fall in.

keyword

tenable_sc.asset.policy.name

The name of the policy that is assigned to the asset.

keyword

tenable_sc.asset.repository.data_format

Data format.

keyword

tenable_sc.asset.repository.description

Description of repository.

keyword

tenable_sc.asset.repository.id

ID of repository the asset belongs to.

keyword

tenable_sc.asset.repository.name

Name of repository the asset belongs to.

keyword

tenable_sc.asset.repository.sci.id

Sci ID.

keyword

tenable_sc.asset.score

The score of the asset.

long

tenable_sc.asset.severity.critical

The critical score of the asset.

long

tenable_sc.asset.severity.high

The high score of the asset.

long

tenable_sc.asset.severity.info

The info score of the asset.

long

tenable_sc.asset.severity.low

The low score of the asset.

long

tenable_sc.asset.severity.medium

The medium score of the asset.

long

tenable_sc.asset.total

The total score for the asset.

long

tenable_sc.asset.tpm.id

The ID of TPM.

keyword

tenable_sc.asset.uniqueness

Uniqueness.

keyword

tenable_sc.asset.uuid

The uuid of the asset.

keyword

Plugin
edit

This is the plugin dataset.

Example

An example event for plugin looks as following:

{
    "@timestamp": "2021-09-27T01:33:53.000Z",
    "agent": {
        "ephemeral_id": "7f93fe8a-bef7-46ec-8a36-47d48e2f8e7c",
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "tenable_sc.plugin",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "agent_id_status": "verified",
        "created": "2023-09-22T18:01:18.245Z",
        "dataset": "tenable_sc.plugin",
        "ingested": "2023-09-22T18:01:21Z",
        "kind": "event",
        "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability.  An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "hash": [
            "38b2147401eb5c3a15af52182682f345"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "tenable_sc-plugin"
    ],
    "tenable_sc": {
        "plugin": {
            "base_score": 7.8,
            "check_type": "remote",
            "copyright": "This script is Copyright (C) 2003-2020 John Lampe",
            "cvss_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C",
            "cvss_vector_bf": "2164920932",
            "dependencies": [
                "find_service1.nasl",
                "http_version.nasl",
                "www_fingerprinting_hmap.nasl"
            ],
            "description": "Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability.  An attacker, exploiting this vulnerability, will be able to render the service unusable.\n\nIf this machine serves a business-critical function, there could be an impact to the business.",
            "exploit": {
                "ease": "No known exploits are available",
                "is_available": "false"
            },
            "family": {
                "id": "11",
                "name": "Web Servers",
                "type": "active"
            },
            "id": "10585",
            "is_patch_modified": false,
            "is_patch_published": false,
            "is_plugin_modified": true,
            "is_plugin_published": true,
            "is_vulnerability_published": true,
            "md5": "38b2147401eb5c3a15af52182682f345",
            "modified_time": "2021-09-27T01:33:53.000Z",
            "name": "Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS",
            "plugin_mod_date": "2020-06-12T12:00:00.000Z",
            "plugin_pub_date": "2003-07-22T12:00:00.000Z",
            "risk_factor": "High",
            "see_also": [
                "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100"
            ],
            "solution": "Microsoft has released a set of patches for IIS 4.0 and 5.0.",
            "source_file": "IIS_frontpage_DOS_2.nasl",
            "synopsis": "The remote web server is vulnerable to a denial of service",
            "temporal_score": 5.8,
            "type": "active",
            "version": 1.28,
            "vpr": {
                "context": {
                    "_original": [
                        {
                            "id": "age_of_vuln",
                            "name": "Vulnerability Age",
                            "type": "string",
                            "value": "730 days +"
                        },
                        {
                            "id": "cvssV3_impactScore",
                            "name": "CVSS v3 Impact Score",
                            "type": "number",
                            "value": 3.6
                        },
                        {
                            "id": "exploit_code_maturity",
                            "name": "Exploit Code Maturity",
                            "type": "string",
                            "value": "Unproven"
                        },
                        {
                            "id": "product_coverage",
                            "name": "Product Coverage",
                            "type": "string",
                            "value": "Low"
                        },
                        {
                            "id": "threat_intensity_last_28",
                            "name": "Threat Intensity",
                            "type": "string",
                            "value": "Very Low"
                        },
                        {
                            "id": "threat_recency",
                            "name": "Threat Recency",
                            "type": "string",
                            "value": "> 365 days"
                        },
                        {
                            "id": "threat_sources_last_28",
                            "name": "Threat Sources",
                            "type": "string",
                            "value": "No recorded events"
                        }
                    ],
                    "age_of_vuln": "730 days +",
                    "cvssV3_impactScore": 3.6,
                    "exploit_code_maturity": "Unproven",
                    "product_coverage": "Low",
                    "threat_intensity_last_28": "Very Low",
                    "threat_recency": "> 365 days",
                    "threat_sources_last_28": "No recorded events"
                },
                "score": 4.4
            },
            "vuln_pub_date": "2000-12-22T12:00:00.000Z",
            "xrefs": [
                "CVE:CVE-2001-0096",
                "BID:2144",
                "MSFT:MS00-100",
                "MSKB:280322"
            ]
        }
    }
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Input type

keyword

log.offset

Log offset

long

tenable_sc.plugin.base_score

The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

double

tenable_sc.plugin.check_type

The type of the compliance check that detected the vulnerability.

keyword

tenable_sc.plugin.copyright

The copyright information related to the plugin.

keyword

tenable_sc.plugin.cpe

A list of plugin target systems identified by Common Platform Enumeration (CPE).

keyword

tenable_sc.plugin.cvss_vector

The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation.

keyword

tenable_sc.plugin.cvss_vector_bf

N/A.

keyword

tenable_sc.plugin.cvssv3_base_score

The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

double

tenable_sc.plugin.cvssv3_temporal_score

The CVSSv3 temporal metrics for the vulnerability.

double

tenable_sc.plugin.cvssv3_vector

The raw CVSSv3 metrics for the vulnerability. For more information, see CVSSv3 documentation.

keyword

tenable_sc.plugin.cvssv3_vector_bf

N/A.

keyword

tenable_sc.plugin.dependencies

N/A.

keyword

tenable_sc.plugin.description

The extended description of the plugin.

keyword

tenable_sc.plugin.dst_port

Destination port.

long

tenable_sc.plugin.exploit.ease

Description of how easy it is to exploit the vulnerability.

keyword

tenable_sc.plugin.exploit.frameworks

Frameworks used by the exploit.

keyword

tenable_sc.plugin.exploit.is_available

Indicates whether a known public exploit exists for the vulnerability.

boolean

tenable_sc.plugin.family.id

The ID of the plugin family.

keyword

tenable_sc.plugin.family.name

The name of the plugin family.

keyword

tenable_sc.plugin.family.type

The type of the plugin family.

keyword

tenable_sc.plugin.id

The ID of the plugin.

keyword

tenable_sc.plugin.is_patch_modified

Flag for if patch is modified.

boolean

tenable_sc.plugin.is_patch_published

Flag for if patch is published.

boolean

tenable_sc.plugin.is_plugin_modified

Flag for if plugin is modified.

boolean

tenable_sc.plugin.is_plugin_published

Flag for if plugin is published.

boolean

tenable_sc.plugin.is_vulnerability_published

Flag for if vulnerability is published.

boolean

tenable_sc.plugin.md5

N/A.

keyword

tenable_sc.plugin.modified_time

Timestamp of last modification in plugin.

date

tenable_sc.plugin.name

The name of the plugin.

keyword

tenable_sc.plugin.patch_mod_date

The date when the vendor modified the patch for the vulnerability.

date

tenable_sc.plugin.patch_pub_date

The date when the vendor published a patch for the vulnerability.

date

tenable_sc.plugin.plugin_mod_date

The date when Tenable last updated the plugin.

date

tenable_sc.plugin.plugin_pub_date

The date when Tenable originally published the plugin.

date

tenable_sc.plugin.protocol

Protocol used by the vulnerability.

keyword

tenable_sc.plugin.required_ports

N/A.

keyword

tenable_sc.plugin.required_udp_ports

N/A.

keyword

tenable_sc.plugin.risk_factor

The risk factor associated with the plugin.

keyword

tenable_sc.plugin.see_also

Links to external websites that contain helpful information about the vulnerability.

keyword

tenable_sc.plugin.solution

Remediation information for the vulnerability.

keyword

tenable_sc.plugin.source

N/A.

keyword

tenable_sc.plugin.source_file

N/A.

keyword

tenable_sc.plugin.src_port

Source port.

long

tenable_sc.plugin.stig_severity

STIG severity code for the vulnarebility.

keyword

tenable_sc.plugin.synopsis

A brief summary of the vulnerability or vulnerabilities associated with the plugin.

keyword

tenable_sc.plugin.temporal_score

The raw CVSSv2 temporal metrics for the vulnerability.

double

tenable_sc.plugin.type

The type of the plugin.

keyword

tenable_sc.plugin.version

The version of the plugin.

version

tenable_sc.plugin.vpr.context

The matrix of Vulnerability Priority Rating (VPR) for the vulnerability.

flattened

tenable_sc.plugin.vpr.score

The Vulnerability Priority Rating (VPR) score for the vulnerability.

double

tenable_sc.plugin.vuln_pub_date

Vulnarebility publish date.

date

tenable_sc.plugin.xrefs

References to third-party information about the vulnerability, exploit, or update associated with the plugin presented as an array of objects.

keyword

Vulnerability
edit

This is the vulnerability dataset.

Example

An example event for vulnerability looks as following:

{
    "@timestamp": "2021-09-25T16:08:45.000Z",
    "agent": {
        "ephemeral_id": "4e859f73-e37a-4b88-926b-cb67d01e20e1",
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "tenable_sc.vulnerability",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat",
            "vulnerability"
        ],
        "created": "2023-09-22T18:02:19.559Z",
        "dataset": "tenable_sc.vulnerability",
        "ingested": "2023-09-22T18:02:22Z",
        "kind": "event",
        "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request.  This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}",
        "type": [
            "info"
        ]
    },
    "host": {
        "domain": "lxd",
        "hostname": "_gateway.lxd",
        "ip": [
            "10.238.64.1"
        ],
        "mac": [
            "00-16-3E-A1-12-F7"
        ],
        "name": "_gateway",
        "os": {
            "full": "Linux Kernel 2.6"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "network": {
        "transport": "icmp"
    },
    "related": {
        "hosts": [
            "_gateway.lxd",
            "_gateway"
        ],
        "ip": [
            "10.238.64.1"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "tenable_sc-vulnerability"
    ],
    "tenable_sc": {
        "vulnerability": {
            "accept_risk": "0",
            "age": 940,
            "base_score": "0.0",
            "check_type": "remote",
            "custom_hash": "qVUXK2YtClsBlXncLYHLhVzynYK4hG2NbT0hY6guQm0=",
            "cvss_v3_vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
            "cvss_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:N",
            "dns": {
                "name": "_gateway.lxd"
            },
            "exploit": {
                "is_available": false
            },
            "family": {
                "id": "30",
                "name": "General",
                "type": "active"
            },
            "first_seen": "2019-02-27T16:27:52.000Z",
            "has_been_mitigated": false,
            "host_uniqueness": "repositoryID,ip,dnsName",
            "id": "1_10.238.64.1__gateway.lxd",
            "ip": "10.238.64.1",
            "is_vulnerability_published": true,
            "last_seen": "2021-09-25T16:08:45.000Z",
            "mac": "00-16-3E-A1-12-F7",
            "operating_system": "Linux Kernel 2.6",
            "patch": {
                "is_published": false
            },
            "plugin": {
                "id": "10114",
                "info": "10114 (0/1) ICMP Timestamp Request Remote Date Disclosure",
                "is_modified": true,
                "is_published": true,
                "mod_date": "2019-10-04T12:00:00.000Z",
                "name": "ICMP Timestamp Request Remote Date Disclosure",
                "pub_date": "1999-08-01T12:00:00.000Z",
                "text": "<plugin_output>The remote clock is synchronized with the local clock.\n</plugin_output>"
            },
            "port": "0",
            "protocol": "ICMP",
            "recast_risk": "0",
            "repository": {
                "data_format": "IPv4",
                "id": "1",
                "name": "Live",
                "sci_id": "1"
            },
            "risk_factor": "None",
            "severity": {
                "description": "Informative",
                "id": "0"
            },
            "solution": "Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).",
            "synopsis": "It is possible to determine the exact time set on the remote host.",
            "uniqueness": "repositoryID,ip,dnsName",
            "version": "1.48",
            "vpr": {
                "context": {
                    "_original": [
                        {
                            "id": "age_of_vuln",
                            "name": "Vulnerability Age",
                            "type": "string",
                            "value": "730 days +"
                        },
                        {
                            "id": "cvssV3_impactScore",
                            "name": "CVSS v3 Impact Score",
                            "type": "number",
                            "value": 0
                        },
                        {
                            "id": "exploit_code_maturity",
                            "name": "Exploit Code Maturity",
                            "type": "string",
                            "value": "Unproven"
                        },
                        {
                            "id": "product_coverage",
                            "name": "Product Coverage",
                            "type": "string",
                            "value": "Very High"
                        },
                        {
                            "id": "threat_intensity_last_28",
                            "name": "Threat Intensity",
                            "type": "string",
                            "value": "Very Low"
                        },
                        {
                            "id": "threat_recency",
                            "name": "Threat Recency",
                            "type": "string",
                            "value": "No recorded events"
                        },
                        {
                            "id": "threat_sources_last_28",
                            "name": "Threat Sources",
                            "type": "string",
                            "value": "No recorded events"
                        }
                    ],
                    "age_of_vuln": "730 days +",
                    "cvssV3_impactScore": 0,
                    "exploit_code_maturity": "Unproven",
                    "product_coverage": "Very High",
                    "threat_intensity_last_28": "Very Low",
                    "threat_recency": "No recorded events",
                    "threat_sources_last_28": "No recorded events"
                },
                "score": 0.8
            },
            "vuln_pub_date": "1995-01-01T12:00:00.000Z",
            "xref": [
                "CWE #200"
            ]
        }
    },
    "vulnerability": {
        "category": [
            "General"
        ],
        "classification": "CVSS",
        "description": "The remote host answers to an ICMP timestamp request.  This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\n\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.",
        "enumeration": "CVE",
        "id": [
            "CVE-1999-0524"
        ],
        "reference": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0524"
        ],
        "scanner": {
            "vendor": "Tenable"
        },
        "score": {
            "base": 0,
            "version": "3.0"
        },
        "severity": "Info"
    }
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Input type

keyword

log.offset

Log offset

long

tenable_sc.vulnerability.accept_risk

N/A.

keyword

tenable_sc.vulnerability.age

The time in days between the first and last time the vulnerability was seen.

long

tenable_sc.vulnerability.base_score

Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.

keyword

tenable_sc.vulnerability.bid

The Bugtraq ID.

keyword

tenable_sc.vulnerability.check_type

The type of the compliance check that detected the vulnerability.

keyword

tenable_sc.vulnerability.cpe

The Common Platform Enumeration (CPE) number for the plugin.

keyword

tenable_sc.vulnerability.custom_hash

Hash of fields plugin_id, port, protocol, tenable_sc.vulnerability.id for uniqueidentifier of an vulnerability.

keyword

tenable_sc.vulnerability.cvss_v3_vector

Additional CVSSv3 metrics for the vulnerability.

keyword

tenable_sc.vulnerability.cvss_vector

Additional CVSSv2 metrics for the vulnerability.

keyword

tenable_sc.vulnerability.dns.name

DNS name.

keyword

tenable_sc.vulnerability.exploit.ease

Description of how easy it is to exploit the vulnerability.

keyword

tenable_sc.vulnerability.exploit.frameworks

Framework used by exploit.

keyword

tenable_sc.vulnerability.exploit.is_available

A value specifying whether a public exploit exists for the vulnerability.

boolean

tenable_sc.vulnerability.family.id

Family id of the vulnarebility.

keyword

tenable_sc.vulnerability.family.name

Family name of the vulnarebility.

keyword

tenable_sc.vulnerability.family.type

Family type of the vulnarebility.

keyword

tenable_sc.vulnerability.first_seen

The time and date when a scan first identified the vulnerability.

date

tenable_sc.vulnerability.has_been_mitigated

Indicates whether the vulnerability has been mitigated.

boolean

tenable_sc.vulnerability.host_uniqueness

Name of the fields used to determine the uniqueness of the host.

keyword

tenable_sc.vulnerability.id

String containing the values of the field names mentioned in uniqueness concatenated with _.

keyword

tenable_sc.vulnerability.ip

The ip address of the asset where a scan found the vulnerability.

keyword

tenable_sc.vulnerability.is_vulnerability_published

Flag for if vulnerablity is published.

boolean

tenable_sc.vulnerability.last_seen

The time and date when a scan most recently identified the vulnerability.

date

tenable_sc.vulnerability.mac

The MAC address of the asset where a scan found the vulnerability.

keyword

tenable_sc.vulnerability.netbios.name

NetBIOS name of the asset where a scan found the vulnerability.

keyword

tenable_sc.vulnerability.operating_system

The operating system of the asset where a scan found the vulnerability.

keyword

tenable_sc.vulnerability.patch.is_published

Flag for if vulnerablity is patched.

boolean

tenable_sc.vulnerability.patch.pub_date

The date on which the patch for the vulnerability was published.

date

tenable_sc.vulnerability.plugin.id

The ID of the plugin.

keyword

tenable_sc.vulnerability.plugin.info

Information regarding the plugin.

keyword

tenable_sc.vulnerability.plugin.is_modified

Flag for if plugin is modified.

boolean

tenable_sc.vulnerability.plugin.is_published

Flag for if plugin is published.

boolean

tenable_sc.vulnerability.plugin.mod_date

The date on which the vulnerability was modified.

date

tenable_sc.vulnerability.plugin.name

The name of the plugin.

keyword

tenable_sc.vulnerability.plugin.pub_date

The date on which the vulnerability was published.

date

tenable_sc.vulnerability.plugin.text

Text provided by plugin. (Usually plugin output text).

keyword

tenable_sc.vulnerability.port

The port the scanner used to communicate with the asset.

keyword

tenable_sc.vulnerability.protocol

The protocol the scanner used to communicate with the asset.

keyword

tenable_sc.vulnerability.recast_risk

Modified the severity risk measure of vulnerabilities using recast rules.

keyword

tenable_sc.vulnerability.repository.data_format

The data format of the repository.

keyword

tenable_sc.vulnerability.repository.description

The description of the repository.

keyword

tenable_sc.vulnerability.repository.id

The ID of the repository.

keyword

tenable_sc.vulnerability.repository.name

The name of the repository.

keyword

tenable_sc.vulnerability.repository.sci_id

N/A.

keyword

tenable_sc.vulnerability.risk_factor

The risk factor associated with the vulnerability.

keyword

tenable_sc.vulnerability.severity.description

The description of the severity.

keyword

tenable_sc.vulnerability.severity.id

The code for the severity assigned when a user recasts the risk associated with the vulnerability.

keyword

tenable_sc.vulnerability.solution

Remediation information for the vulnerability.

keyword

tenable_sc.vulnerability.stig_severity

Security Technical Implementation Guide (STIG) severity code for the vulnerability.

keyword

tenable_sc.vulnerability.synopsis

Brief description of the vulnerability.

keyword

tenable_sc.vulnerability.temporal_score

Characteristics of a vulnerability that change over time but not among user environments.

keyword

tenable_sc.vulnerability.uniqueness

Name of the fields used to determine the uniqueness of the vulnerability.

keyword

tenable_sc.vulnerability.uuid

N/A.

keyword

tenable_sc.vulnerability.version

The version of the vulnerability.

keyword

tenable_sc.vulnerability.vpr.context

The matrix of Vulnerability Priority Rating (VPR) for the vulnerability.

flattened

tenable_sc.vulnerability.vpr.score

The Vulnerability Priority Rating (VPR) score for the vulnerability.

double

tenable_sc.vulnerability.vuln_pub_date

The date on which the vulnerability was published.

date

tenable_sc.vulnerability.xref

References to third-party information about the vulnerability, exploit, or update associated with the plugin.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

1.26.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

8.13.0 or higher

1.25.0

Enhancement (View pull request)
Rename connector to Tenable Security Center.

8.13.0 or higher

1.24.0

Enhancement (View pull request)
Update tested versions note.

Bug fix (View pull request)
Conform agent user agent string to documented format requirement.

8.13.0 or higher

1.23.0

Enhancement (View pull request)
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.22.0

Enhancement (View pull request)
Improve handling of empty responses.

8.12.0 or higher

1.21.0

Enhancement (View pull request)
Set sensitive values as secret.

8.12.0 or higher

1.20.2

Bug fix (View pull request)
Clean up null handling

8.7.1 or higher

1.20.1

Enhancement (View pull request)
Changed owners

8.7.1 or higher

1.20.0

Enhancement (View pull request)
Limit request tracer log count to five.

8.7.1 or higher

1.19.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

8.7.1 or higher

1.18.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

8.7.1 or higher

1.17.0

Enhancement (View pull request)
Update the package format_version to 3.0.0.

8.7.1 or higher

1.16.0

Enhancement (View pull request)
Update package to ECS 8.10.0 and align ECS categorization fields.

8.7.1 or higher

1.15.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.7.1 or higher

1.14.0

Enhancement (View pull request)
Update package-spec to 2.9.0.

8.7.1 or higher

1.13.0

Enhancement (View pull request)
Add tenable_sc.vulnerability.age field.

Bug fix (View pull request)
Update User-Agent version sent to API.

8.7.1 or higher

1.12.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

8.7.1 or higher

1.11.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

8.7.1 or higher

1.10.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

8.7.1 or higher

1.9.0

Enhancement (View pull request)
Add a new flag to enable request tracing

8.7.1 or higher

1.8.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

8.1.0 or higher

1.7.1

Bug fix (View pull request)
Drop empty event sets.

8.1.0 or higher

1.7.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

8.1.0 or higher

1.6.2

Bug fix (View pull request)
Sync the build version in User-Agent header with package version.

8.1.0 or higher

1.6.1

Bug fix (View pull request)
Adding more sanity checks to pipeline

8.1.0 or higher

1.6.0

Enhancement (View pull request)
Update Aggregation visualizations to Lens, Add an on_failure processor to the convert and date processors, remove unnecessary white spaces, and convert double quotes to single quotes.

8.1.0 or higher

1.5.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

8.1.0 or higher

1.4.1

Bug fix (View pull request)
Fix an indefinite pagination bug by adding explicit pagination termination conditions. In Agent versions >= 8.2.0 pagination termination was never happening.

8.1.0 or higher

1.4.0

Enhancement (View pull request)
Update package to ECS 8.4.0

8.1.0 or higher

1.3.1

Bug fix (View pull request)
Fix proxy URL documentation rendering.

8.1.0 or higher

1.3.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

8.1.0 or higher

1.2.2

Enhancement (View pull request)
Update readme - added links to tenable documentation and made the English clearer.

8.1.0 or higher

1.2.1

Bug fix (View pull request)
Add mapping for event.created

1.2.0

Enhancement (View pull request)
Update to ECS 8.2

8.1.0 or higher

1.1.1

Enhancement (View pull request)
Add documentation for multi-fields

8.1.0 or higher

1.1.0

Enhancement (View pull request)
Add custom User-Agent. Added configurable response size. Added filter in vulnerability dashboard to filter hostname and vulnerability cve id. Added unique identifier to asset.

8.1.0 or higher

1.0.0

Enhancement (View pull request)
Promote to GA.

7.16.0 or higher
8.0.0 or higher

0.2.0

Enhancement (View pull request)
Update to ECS 8.0

0.1.0

Enhancement (View pull request)
initial release