# Tenable Identity Exposure

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-identity-exposure.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-identity-exposure.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

Tenable Identity Exposure (formerly Tenable.ad) continuously monitors Active Directory for security weaknesses and attacks. This integration pulls security data from your Identity Exposure deployment into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.

It collects three data types, each of which you can enable independently:

* **Alerts** — identity alert instances raised by Identity Exposure.
* **Attacks** — detected attacks (Indicators of Attack).
* **Deviances** — Active Directory configuration deviances (Indicators of Exposure).

Collection starts from when you set up the integration: existing alerts, attacks, and deviances are not imported, and each run collects only records created after setup.

### Poll intervals[​](#poll-intervals "Direct link to Poll intervals")

Each data type is polled about once a minute, collecting records created since the previous run. Alerts and deviances advance on a record identifier; attacks advance on the detection time.

## What you need[​](#what-you-need "Direct link to What you need")

* A Tenable Identity Exposure deployment reachable over HTTPS from the Coralogix cloud-collector. Network reachability is a deployment prerequisite on your side.
* A Tenable Identity Exposure API key for a user with permission to read the enabled data types.
* Permission to create integrations in your Coralogix account.

## Prepare an API key in Identity Exposure[​](#prepare-an-api-key-in-identity-exposure "Direct link to Prepare an API key in Identity Exposure")

1. Log in to your Tenable Identity Exposure console.
2. Select your user profile icon, then select **Preferences**.
3. Select **API key**.
4. Copy the API key and store it securely.

The API key inherits the permissions of the user it belongs to. Use a user that can read the data types you plan to collect.

## Set up[​](#set-up "Direct link to Set up")

1. From your Coralogix toolbar, navigate to **Data Flow** > **Integrations**, select **Tenable Identity Exposure**, and select **Connect**.

2. Select **Add New**.

3. Define the integration settings:

   <!-- -->

   * **Integration name** — a meaningful name for this integration.
   * **Application name** — the Coralogix application name to ingest under.
   * **Subsystem name** — the Coralogix subsystem name to ingest under.
   * **Endpoint** — the base URL of your Identity Exposure instance, for example `https://identityexposure.example.com`.
   * **API key** — the API key you copied from Identity Exposure.
   * **Data types** (select at least one): **Alerts**, **Attacks**, **Deviances**.

4. Select **Create**.

## Log format[​](#log-format "Direct link to Log format")

Each collected record is ingested as a log with the Tenable Identity Exposure payload nested under a `tenable_identity_exposure` top-level field:

```
{

  "tenable_identity_exposure": {

    "...": "the Tenable Identity Exposure record"

  }

}
```

## Validate the integration[​](#validate-the-integration "Direct link to Validate the integration")

In **Explore**, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level `tenable_identity_exposure` field. If you enabled Deviances, those records carry deviance fields (such as `checkerId`, `directoryId`, and `eventDate`); attacks carry an `attackTypeId` and a `date`.

## Troubleshoot common issues[​](#troubleshoot-common-issues "Direct link to Troubleshoot common issues")

**No data appears after setup.** Cause: the collector cannot reach the Identity Exposure URL, or the API key lacks the required read permissions. Fix: confirm the **Endpoint** is reachable from the collector's network and that the API key belongs to a user permitted to read the enabled data types.

**The integration test fails with an authorization error.** Cause: the configured API key is incorrect or its user lacks permission for the enabled data type being tested. Fix: re-enter or regenerate the API key in Identity Exposure, then confirm the user can read the selected data types.

## Related resources[​](#related-resources "Direct link to Related resources")

* [Tenable Identity Exposure public API](https://docs.tenable.com/identity-exposure/SaaS/Content/Admin/api-identity.htm)
* [Tenable developer portal](https://developer.tenable.com/reference/navigate)
