# Tenable OT Security

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-ot-security.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-ot-security.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

Tenable OT Security (formerly Indegy) is an on-premise security platform for operational technology (OT) and industrial control system (ICS) environments. This integration polls the appliance's GraphQL API and pulls security data into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.

It collects three data types, each of which you can enable independently:

* **Vulnerabilities** — vulnerability findings, one record per affected asset and detecting plugin, with the asset's context and a summary of the plugin.
* **Assets** — the full OT asset inventory records.
* **Plugins** — the vulnerability-definition metadata behind findings, including CVSS scores and CVE references. Match plugin records to vulnerability findings on the plugin `id`.

### Poll intervals[​](#poll-intervals "Direct link to Poll intervals")

Assets and vulnerabilities are collected incrementally based on each asset's last-update time and are polled about once a minute. The first run collects your full asset estate and its findings; later runs collect only assets updated since the previous run, and their findings. Plugins are collected as a full catalog sweep about every 6 hours; after the first sweep, only new and changed plugins are ingested.

## What you need[​](#what-you-need "Direct link to What you need")

* A Tenable OT Security appliance reachable over HTTPS from the Coralogix cloud-collector. On-premise network reachability is a deployment prerequisite on your side.
* A Tenable OT Security API key for a user with permission to read the enabled data types.
* A TLS certificate on the appliance that public certificate authorities trust, or the **Skip TLS certificate verification** option enabled in the integration settings. See [TLS certificate verification](#tls-certificate-verification).
* Permission to create integrations in your Coralogix account.

## Prepare an API key in OT Security[​](#prepare-an-api-key-in-ot-security "Direct link to Prepare an API key in OT Security")

1. Log in to your Tenable OT Security console.
2. Generate an API key for the user the integration runs as. API keys are managed in the console's local settings, under user management; for the exact steps in your version, see the [Tenable OT Security documentation](https://docs.tenable.com/OT-security/).
3. Copy the API key and store it securely.

The API key inherits the permissions of the user it belongs to. Use a user that can read the data types you plan to collect.

## TLS certificate verification[​](#tls-certificate-verification "Direct link to TLS certificate verification")

The collector verifies the appliance's TLS certificate against public certificate authorities. OT Security appliances often ship with self-signed or privately issued certificates, which fail this verification. Select one of two options:

* Install a certificate issued by a publicly trusted certificate authority on the appliance. Coralogix recommends this option.
* Enable **Skip TLS certificate verification** in the integration settings. The connection stays encrypted, but the collector no longer confirms the identity of the endpoint it connects to, which leaves the connection open to interception. Use this option only when installing a trusted certificate is impractical.

## Set up[​](#set-up "Direct link to Set up")

1. From your Coralogix toolbar, navigate to **Data Flow** > **Integrations**, select **Tenable OT Security**, and select **Connect**.

2. Select **Add New**.

3. Define the integration settings:

   <!-- -->

   * **Integration name** — a meaningful name for this integration.
   * **Application name** — the Coralogix application name to ingest under.
   * **Subsystem name** — the Coralogix subsystem name to ingest under.
   * **OT Security URL** — the base URL of your OT Security appliance, for example `https://ot.example.com`.
   * **API key** — the API key you generated in OT Security.
   * **Skip TLS certificate verification** — disabled by default. Enable only if the appliance's certificate is not publicly trusted and you accept the tradeoff described in [TLS certificate verification](#tls-certificate-verification).
   * **Collect Vulnerabilities**, **Collect Assets**, **Collect Plugins** — all enabled by default. Keep at least one enabled.

4. Select **Create**.

## Log format[​](#log-format "Direct link to Log format")

Each collected record is ingested as a log with the Tenable OT Security payload nested under a `tenable_ot` top-level field. A vulnerability record carries the affected asset and a summary of the detecting plugin:

```
{

  "tenable_ot": {

    "asset": {

      "id": "6a9f1e5c-...",

      "name": "PLC-Line-4",

      "type": "PlcType",

      "criticality": "HIGH",

      "ips": ["10.0.20.14"]

    },

    "plugin": {

      "id": 500123,

      "name": "Siemens SIMATIC S7-300 Denial of Service",

      "severity": "High",

      "vprScore": 6.7

    }

  }

}
```

Asset records carry the full inventory record under `tenable_ot`, and plugin records carry the vulnerability-definition metadata, including CVSS and CVE details. Match plugins to vulnerability findings on the plugin `id`.

## Validate the integration[​](#validate-the-integration "Direct link to Validate the integration")

In **Explore**, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level `tenable_ot` field. Data from the first full sweep typically appears within minutes of setup.

## Troubleshoot common issues[​](#troubleshoot-common-issues "Direct link to Troubleshoot common issues")

**The integration test fails with an authorization error.** Cause: the configured API key is invalid. Fix: regenerate the API key in the OT Security console and re-enter it in the integration settings.

**The integration test fails with a connection error.** Cause: the collector cannot reach the OT Security URL — commonly a firewall rule or DNS resolution issue on the path from Coralogix to the appliance. Fix: confirm the URL is correct and that your network allows HTTPS from the Coralogix cloud-collector to the appliance.

**The integration test fails with a TLS certificate error.** Cause: the appliance presents a certificate that public certificate authorities do not trust, such as a self-signed certificate. Fix: install a publicly trusted certificate on the appliance, or enable **Skip TLS certificate verification** and accept the tradeoff described in [TLS certificate verification](#tls-certificate-verification).

**No data appears after setup.** Cause: all data types are disabled, or nothing changed since the last poll — assets and vulnerabilities are ingested only when an asset's last-update time advances, and plugins emit only new and changed definitions after the first sweep. Fix: confirm at least one data type is enabled; quiet periods are otherwise normal.

## Related resources[​](#related-resources "Direct link to Related resources")

* [Tenable OT Security documentation](https://docs.tenable.com/OT-security/)
* [Tenable OT Security GraphQL API](https://docs.tenable.com/OT-security/api/)
