• 4 Minutes to read
  • PDF


  • PDF


The integration of SAFE with Tenable.io allows SAFE users to discover and import the assets and their respective vulnerability assessment results. Users can sync the assessment results of assets at a pre-configured time interval, as well as the on-demand pull of assessment results for assets.

Users can configure Tenable.io from SAFE Hooks.


To configure Tenable.io, you need the following details: 

  • Tenable.io URL - Tenable.io instance URL 
  • Tenable.io API keys  - Refer to Create a user in Tenable.io with scan access
  • Tenable.io Asset Tags to specify a filter to pull in only specific assets and their vulnerabilities from Tenable.io.

Create a user in Tenable.io with scan access

To connect Tenable.io with SAFE, we first need to create a new user who has a Scan Manager role assigned with CanView and CanoScan permissions.

Create a new user in Tenable.io

Create a new user with the following role and permission. Refer to Create a User Account for more details. 

  1. Role as Scan Manager. This is required to use APIs to get vulnerabilities.
  2. Permission as CanView and CanScan if it exists; else, leave it empty.

Create the required permission for the user

Follow Create and Add a Permission Configuration to create permission with: 

  1. Users as the new user created. 
  2. Permission as CanView and CanScan.
  3. Objects as All Assets. In case you want to restrict it to a set of assets, you can select some other object too. 

Generate API Keys

Generate API Keys. Refer to Generate API Keys for more details.

Identify Tenable.io Asset Tags (Optional)

The SAFE-Tenable.io integration allows users to specify Tenable.io Asset Tags as filters for pulling selective assets and their related VA results from Tenable.io. This allows SAFE to fetch selective information from Tenable.io.


Configure Tenable.io

To configure tenable.io:

  1. Navigate to SAFE Hooks 
  2. Click the Tenable.io card.
  3. Enter the Tenable.io URL, Access Key, Secret Key, and Auto-Sync.
  4.  (Optional) Enter the Tags Filters. Example format: Category1:value1, Category1: value2, Category2: Value3.
  5. If needed, uncheck the Onboard Asset checkbox.
    Onboard Assets - By default, any assets in Tenable.io that are not found in SAFE will be onboarded. In order to limit the integration to pull in vulnerabilities of only the assets that are present in SAFE, this option can be unchecked.
  6. Click the Test Connection button.
  7. Once the connection is verified, click the Save button.
  8. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the Scheduled Auto Sync. The Auto Sync time is 01:15 UTC.

View Result

Once Tenable.io is configured, SAFE pulls all the VA scan results from Tenable.io. 

To view assets pulled from Tenable.io: 

  1. Navigate to Technology > Assets.
  2. Filter the list for source equals Tenable.io.

tenable.io asset list

To view the result for an asset:

  1. Navigate to Technology > Inside-out > Vertical.
  2. Click the asset from the asset list.
  3. Filter the control list for Assessment tools as Tenable.io.
  4. The system displays all the vulnerabilities and their status for Tenable.io.

tenable.io result

  • The assets get added to the Technology Verticals based on the OS given by Tenable.io. 
  • If the Asset Matching Criteria fails, the assets will get added to the Others vertical. The asset can be manually moved to the best-suited vertical from Others.
  • To check the Asset Matching Criteria, use the below API
    GET <SAFE_URL>/api/v3/settings/os-to-safe-asset-type-mapping
  • To add a custom Asset Matching Criteria based on your requirements, use the below API
    POST <SAFE_URL>/api/v3/settings 


  1. I’m not sure what the assetMatchingCriteria should be for my Tenable.io instance.
    The assetMatchingCriteria is something that SAFE uses to map Tenable.io Assets' VA data to SAFE assets. It can be simplified in 2 ways:
    1. If the Tenable.io Asset(s) for which the VA data is being pulled can be identified uniquely using the FQDN or Hostname value in Tenable.io, we can use the default assetMatchingCriteria. In this situation, no customization will be needed. In case any asset does not have a value for FQDN or Hostname fields in Tenable.io, in that scenario, IP Address will be used to identify the Asset.
    2. If the Tenable.io Asset(s) for which the VA data is being pulled can be identified uniquely by IP Address value in Tenable.io, we need to give higher precedence to IP Address in asset matching criteria. The assetMatchingCriteria in such a situation would become ["ipAddress","fqdn",  "assetName", "macAddress"]. If an IP address is not available, then FQDN/Hostname will be used to identify the asset. 
  2. Is it mandatory to provide tags in Tenable.io Configuration?
    Ans: No, it is not mandatory to provide the tags in Tenable.io Configuration. tags help a user to configure a filter for the assets whose VA data is being pulled by SAFE. This is useful in case Tenable.io has a large data set, and the user only wants to import a section of the whole data in SAFE.

  3. Is it possible to update an already stored Tenable.io configuration?
    Ans: Yes, it's possible to update a stored configuration. Users can go to UI and follow the configuration steps again.

  4. I’m not able to trigger a sync action over a Tenable.io configuration.
    1. Please make sure the stored credentials are still valid.
    2. Sync would be available on the Tenable.io page in case sync is stuck for more than 24 hours. 
  5. Which CVSS score does Tenable.io integration use?
    We use the CVSSv2 score from Tenable.io.

  6. If I mark Accepted Failed from SAFE, what would happen in the case of Tenable.io? 
    Tenable.io will only comply with the Accepted Risk marked in Tenable.io. In case you mark a control as Accepted Failed in SAFE, it will get overridden in the next sync of Tenable.io.

Was this article helpful?

What's Next