Tenable Identity Exposure
Overview
Tenable Identity Exposure (formerly Tenable.ad) continuously monitors Active Directory for security weaknesses and attacks. This integration pulls security data from your Identity Exposure deployment into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.
It collects three data types, each of which you can enable independently:
- Alerts — identity alert instances raised by Identity Exposure.
- Attacks — detected attacks (Indicators of Attack).
- Deviances — Active Directory configuration deviances (Indicators of Exposure).
Collection starts from when you set up the integration: existing alerts, attacks, and deviances are not imported, and each run collects only records created after setup.
Poll intervals
Each data type is polled about once a minute, collecting records created since the previous run. Alerts and deviances advance on a record identifier; attacks advance on the detection time.
What you need
- A Tenable Identity Exposure deployment reachable over HTTPS from the Coralogix cloud-collector. Network reachability is a deployment prerequisite on your side.
- A Tenable Identity Exposure API key for a user with permission to read the enabled data types.
- Permission to create integrations in your Coralogix account.
Prepare an API key in Identity Exposure
- Log in to your Tenable Identity Exposure console.
- Select your user profile icon, then select Preferences.
- Select API key.
- Copy the API key and store it securely.
The API key inherits the permissions of the user it belongs to. Use a user that can read the data types you plan to collect.
Set up
- From your Coralogix toolbar, navigate to Data Flow > Integrations, select Tenable Identity Exposure, and select Connect.
- Select Add New.
- Define the integration settings:
- Integration name — a meaningful name for this integration.
- Application name — the Coralogix application name to ingest under.
- Subsystem name — the Coralogix subsystem name to ingest under.
- Endpoint — the base URL of your Identity Exposure instance, for example
https://identityexposure.example.com. - API key — the API key you copied from Identity Exposure.
- Data types (select at least one): Alerts, Attacks, Deviances.
- Select Create.
Log format
Each collected record is ingested as a log with the Tenable Identity Exposure payload nested under a tenable_identity_exposure top-level field:
{
"tenable_identity_exposure": {
"...": "the Tenable Identity Exposure record"
}
}
Validate the integration
In Explore, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level tenable_identity_exposure field. If you enabled Deviances, those records carry deviance fields (such as checkerId, directoryId, and eventDate); attacks carry an attackTypeId and a date.
Troubleshoot common issues
No data appears after setup. Cause: the collector cannot reach the Identity Exposure URL, or the API key lacks the required read permissions. Fix: confirm the Endpoint is reachable from the collector's network and that the API key belongs to a user permitted to read the enabled data types.
The integration test fails with an authorization error. Cause: the configured API key is incorrect or its user lacks permission for the enabled data type being tested. Fix: re-enter or regenerate the API key in Identity Exposure, then confirm the user can read the selected data types.