# Tenable Security Center

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-security-center.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable-security-center.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

Tenable Security Center (Tenable.sc) is an on-premise vulnerability management platform. This integration pulls security data from your Security Center deployment into Coralogix, where you can investigate it alongside the rest of your telemetry and retain it to meet compliance requirements.

It collects three data types, each of which you can enable independently:

* **Vulnerabilities** — open, reopened, and patched findings from the analysis API.
* **Assets** — the Security Center asset export.
* **Plugin metadata** — the plugin catalog.

Vulnerabilities and plugin metadata are collected incrementally after the first backfill. Assets are collected as a periodic current-state snapshot from Security Center's asset export.

### Poll intervals[​](#poll-intervals "Direct link to Poll intervals")

Vulnerabilities and plugin metadata are polled about once a minute. Their backfills are paginated across several runs, and later runs collect only new or changed records. Asset collection is also paginated, but each asset poll exports the current inventory snapshot; by default, asset snapshots run about once an hour.

## What you need[​](#what-you-need "Direct link to What you need")

* A Tenable Security Center deployment reachable over HTTPS from the Coralogix cloud-collector. On-premise network reachability is a deployment prerequisite on your side.
* Tenable Security Center credentials for a user with permission to read the enabled data types. The integration supports either an **API access key** and **secret key**, or **username** and **password** session authentication.
* To use API-key authentication, your Tenable Security Center deployment must be version 5.13.x or later, and API-key authentication must be enabled for the user.
* Permission to create integrations in your Coralogix account.

## Prepare credentials in Security Center[​](#prepare-credentials-in-security-center "Direct link to Prepare credentials in Security Center")

1. Log in to your Tenable Security Center console.

2. Identify the user the integration runs as. If needed, create a dedicated service user with permission to read the data types you plan to collect.

3. Select one authentication method:

   <!-- -->

   * **API keys** — confirm API-key authentication is enabled for the user, open that user's profile, go to **API Keys**, and select **Generate**. Security Center displays an **Access Key** and a **Secret Key**.
   * **Username and password** — use the selected user's username and password. The collector creates a Security Center API session token when it calls the API.

The secret key is shown only once. If you use API keys, copy both values immediately and store them securely.

## Set up[​](#set-up "Direct link to Set up")

1. From your Coralogix toolbar, navigate to **Data Flow** > **Integrations**, select **Tenable Security Center**, and select **Connect**.

2. Select **Add New**.

3. Define the integration settings:

   <!-- -->

   * **Integration name** — a meaningful name for this integration.
   * **Application name** — the Coralogix application name to ingest under.
   * **Subsystem name** — the Coralogix subsystem name to ingest under.
   * **Endpoint** — the base URL of your Security Center instance, for example `https://securitycenter.example.com`.
   * **Authentication type** — select **API keys** or **Username and password**.
   * **Access key** and **Secret key**, or **Username** and **Password** — provide the credentials for the selected authentication type.
   * **Data types** (select at least one): **Vulnerabilities**, **Assets**, **Plugin metadata**.

4. Select **Create**.

## Log format[​](#log-format "Direct link to Log format")

Each collected record is ingested as a log with the Tenable Security Center payload nested under a `tenable_sc` top-level field:

```
{

  "tenable_sc": {

    "...": "the Tenable Security Center record"

  }

}
```

## Validate the integration[​](#validate-the-integration "Direct link to Validate the integration")

In **Explore**, filter by the application and subsystem names you configured. You should see logs whose body contains a top-level `tenable_sc` field. If you enabled Vulnerabilities, those records carry the analysis fields (such as `pluginID`, `severity`, `lastSeen`, and `lastMitigated`).

## Troubleshoot common issues[​](#troubleshoot-common-issues "Direct link to Troubleshoot common issues")

**No data appears after setup.** Cause: the collector cannot reach the Security Center URL, or the credentials lack the required read permissions. Fix: confirm the **Endpoint** is reachable from the collector's network and that the credentials belong to a user permitted to read the enabled data types.

**The integration test fails with an authorization error.** Cause: the configured credentials are incorrect or the user lacks permission for the enabled data type being tested. Fix: re-enter the credentials or regenerate API keys in Security Center, then confirm the user can read the selected data types.

## Related resources[​](#related-resources "Direct link to Related resources")

* [Tenable Security Center integration guide](https://developer.tenable.com/docs/sc-integrations)
* [Tenable Security Center API](https://docs.tenable.com/security-center/api/index.htm)
