Tenable Attack Surface Management
Overview
Tenable Attack Surface Management (ASM) continuously discovers the internet-facing assets that make up your organization's external attack surface — hostnames, IP addresses, open ports, and detected CVEs. This integration pulls your ASM asset inventory into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.
It collects one data type:
- Assets — the external attack surface assets discovered for your organization, including hostname, IP address, DNS record type, severity ranking, open ports, and detected CVEs.
The first collection performs a one-time full inventory backfill and can ingest a large volume of records, depending on the size of your attack surface; later collections capture only assets whose metadata changed since the previous run. Collection runs about once a minute.
What you need
- A Tenable Attack Surface Management subscription.
- A Tenable ASM API key.
- Permission to create integrations in your Coralogix account.
Prepare an API key in Tenable ASM
-
Log in to your Tenable Attack Surface Management console.
-
Open Settings, then select API Keys.
-
Generate an API key and copy it.
NoteStore the key securely — it will be used in the steps below.
The API key inherits the permissions of the user it belongs to. Use a user that can view the asset inventory.
Set up
- From your Coralogix toolbar, navigate to Data Flow > Integrations, select Tenable Attack Surface Management, and select Connect.
- Select Add New.
- Define the integration settings:
- Integration name — a meaningful name for this integration.
- Application name — the Coralogix application name to ingest under.
- Subsystem name — the Coralogix subsystem name to ingest under.
- Endpoint — the base URL of your Tenable ASM instance. Defaults to
https://asm.cloud.tenable.com. - API key — the API key you copied from Tenable ASM.
- Assets — select to collect external attack surface assets.
- Select Create. Coralogix validates the credentials against the ASM inventory API; if validation fails, the error message indicates whether the API key or the endpoint URL is the problem.
Log format
Each collected asset is ingested as a log with the Tenable ASM record nested under a tenable_asm top-level field:
{
"tenable_asm": {
"...": "the Tenable ASM asset record"
}
}
Validate the integration
In Explore, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level tenable_asm field with asset properties such as bd.hostname, bd.ip_address, and bd.last_metadata_change.
Troubleshoot common issues
No data appears after setup. Cause: the API key is invalid, or the endpoint URL is wrong. Fix: confirm the Endpoint matches your ASM instance and regenerate the API key in Tenable ASM if needed.
Data stops after the initial backfill. Cause: assets are collected incrementally based on their last metadata change, so quiet periods are normal. New records appear when ASM discovers new assets or updates existing ones.