# Tenable

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Ftenable.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

Tenable Vulnerability Management generates audit logs that record administrative actions, user activity, and configuration changes performed in your Tenable account. By sending these records to Coralogix, security teams gain a single place to investigate Tenable activity alongside the rest of their telemetry, correlate events across products, and meet compliance requirements that demand long-term retention.

The integration can also collect vulnerability findings, asset inventory, plugin catalog metadata, and compliance findings from Tenable Vulnerability Management, as well as web application vulnerability findings and web application assets from Tenable Web App Scanning (WAS). WAS is licensed separately by Tenable, but it is served by the same platform and API keys, so it is part of this integration. You can enable each data type independently.

## Collected data[​](#collected-data "Direct link to Collected data")

### Audit logs[​](#audit-logs "Direct link to Audit logs")

Administrative actions, user activity, and configuration changes performed in your Tenable account. Collected about once a minute.

### Vulnerabilities[​](#vulnerabilities "Direct link to Vulnerabilities")

Vulnerability findings across your assets, with each finding's severity and Vulnerability Priority Rating (VPR). Collected about once a minute. VPR is delivered per finding in this stream, so use **Vulnerabilities** when you need current VPR.

### Assets[​](#assets "Direct link to Assets")

Your host asset inventory and its lifecycle changes — created, updated, deleted, and terminated assets — collected about once a minute. The first collection performs a one-time full inventory backfill and can ingest a large volume of records, depending on the size of your environment; later collections capture only the changes since the previous run.

### Plugins[​](#plugins "Direct link to Plugins")

Metadata from Tenable's plugin catalog — the detection definitions behind vulnerability findings — including plugin ID, name, family, CVE references, CVSS scores, and publication and modification dates. Plugins are collected once a day and are meant for tracking catalog drift (new and updated detections), not for real-time security findings.

Plugin metadata reflects Tenable's catalog at collection time. Tenable's plugin feed does not flag Vulnerability Priority Rating (VPR) changes, so a plugin's VPR is captured as a point-in-time value and is not refreshed when only its VPR changes. For current VPR, use the **Vulnerabilities** data type, where Tenable provides VPR per finding.

### Compliance[​](#compliance "Direct link to Compliance")

Compliance audit findings from your scans — the pass/fail results of configuration checks against benchmarks such as CIS and DISA STIG — including the check name, the audited value versus the expected policy value, the result status, and the asset each finding belongs to. The first collection captures your current compliance posture in full and can ingest a large volume of records, depending on the size of your environment; later collections capture only findings added or updated since the previous run.

### WAS vulnerabilities[​](#was-vulnerabilities "Direct link to WAS vulnerabilities")

Web application vulnerability findings from Tenable Web App Scanning, across all states (open, reopened, and fixed) and severities, with each finding's details and the web application it belongs to. Requires a Tenable Web App Scanning license. The first collection captures findings found or fixed within the last 30 days (Tenable's default export scope); later collections capture only findings added or updated since the previous run.

### WAS assets[​](#was-assets "Direct link to WAS assets")

Your web application asset inventory from Tenable Web App Scanning and its lifecycle changes, collected about once a minute. Requires a Tenable Web App Scanning license. The first collection performs a one-time full inventory backfill; later collections capture only the changes since the previous run.

## What you need[​](#what-you-need "Direct link to What you need")

* An API key pair (access key + secret key) for a Tenable user that has permission to read the records you plan to collect.
* The URL of your Tenable region. The default is `https://cloud.tenable.com`. Customers in other regions or on FedRAMP use a different host (for example, `https://fedcloud.tenable.com` for FedRAMP). You will paste this URL into the Coralogix setup form.

## Generate a Tenable API key pair[​](#generate-a-tenable-api-key-pair "Direct link to Generate a Tenable API key pair")

1. Log in to your Tenable account.

2. Identify the user that the integration will run as. Audit log access requires the **Administrator** role; if needed, create a dedicated service user with that role.

3. Navigate to your user profile and open **API Keys**.

4. Select **Generate**. A new **Access Key** and **Secret Key** will be displayed.

   Note

   The **Secret Key** is shown only once. Copy both values immediately and store them securely — they will be used in the steps below.

## Setup[​](#setup "Direct link to Setup")

1. From your Coralogix toolbar, navigate to **Data Flow** > **Integrations**, select **Tenable** and select **Connect**.

2. Select **Add New**.

3. Define the integration settings by filling in the following parameters:

   * **Integration name** — Meaningful name of the Tenable integration.
   * **Application name** — The Coralogix application name.
   * **Subsystem name** — The Coralogix subsystem name. This field defaults to "Tenable", but it may be modified.
   * **Endpoint** — The base URL of your Tenable region. Defaults to `https://cloud.tenable.com`. Replace with `https://fedcloud.tenable.com` for FedRAMP, or with the appropriate regional URL.
   * **Access Key** — The access key obtained above.
   * **Secret Key** — The secret key obtained above.
   * **Audit logs** — Select to collect Tenable audit logs.
   * **Vulnerabilities** — Select to collect Tenable vulnerability findings.
   * **Assets** — Select to collect Tenable asset inventory.
   * **Plugins** — Select to collect Tenable plugin metadata.
   * **Compliance** — Select to collect Tenable compliance findings.
   * **WAS vulnerabilities** — Select to collect Tenable Web App Scanning vulnerability findings.
   * **WAS assets** — Select to collect Tenable Web App Scanning assets.

4. Select **Create** to create the integration. Coralogix validates the credentials against the selected collection options; if validation fails, the error message indicates whether the credentials or the endpoint URL is the problem.
