• 5 Minutes to read
  • PDF


  • PDF

Article summary

1. About this document

This document provides step-by-step instructions to configure a Tenable.io account in SAFE.

You can onboard multiple Tenable.io accounts in SAFE. To onboard multiple accounts, refer to Add multiple integration accounts via APIs.

2. Introduction

This integration allows you to discover and import assets and their respective vulnerability assessment results in SAFE. You can set the frequency for the automatic synchronization of assets and assessment results between Tenable.io and SAFE. Additionally, you can manually initiate a pull of the asset assessment results whenever needed.

  • SAFE pulls only the Licensed assets from Tenable.io, excluding any Unlicensed assets.
  • SAFE Pulls only the assets categorized as "Host" type from Tenable.io.

3. Prerequisites

To configure Tenable.io, you need the following details: 

  • Tenable.io URL - Tenable.io instance URL 
  • Tenable.io API keys  - Refer to Create a user in Tenable.io with scan access
  • Tenable.io Asset Tags specify a filter to pull in only specific assets and their vulnerabilities from Tenable.io.

3.1. Create a user in Tenable.io with scan access

To connect Tenable.io with SAFE, we must create a new user with a Scan Manager role assigned with CanView and CanoScan permissions.

3.2. Create a new user in Tenable.io

Create a new user with the following role and permission. Refer to Create a User Account for more details. 

  1. Role as Scan Manager. This is required to use APIs to get vulnerabilities.
  2. Permission as CanView and CanScan if it exists; else, leave it empty.

3.3. Create the required permission for the user

Follow Create and Add a Permission Configuration to create permission with: 

  1. Users as the new user created. 
  2. Permission as CanView and CanScan.
  3. Objects as All Assets. If you want to restrict it to a set of assets, you can also select some other object. 

3.4. Generate API Keys

Generate API Keys. Refer to Generate API Keys for more details.

3.5. Identify Tenable.io Asset Tags (Optional)

The SAFE-Tenable.io integration allows users to specify Tenable.io Asset Tags as filters for pulling selective assets and their related VA results from Tenable.io. This allows SAFE to fetch selective information from Tenable.io.


4. Configure Tenable.io

To configure tenable.io:

  1. Navigate to SAFE Hooks 
  2. Click the Tenable.io card.
  3. Enter the Tenable.io URL, Access Key, Secret Key, and Auto-Sync.
  4.  (Optional) Enter the Tags Filters. Example format: Category1:value1, Category1: value2, Category2: Value3.
  5. If needed, uncheck the Onboard Asset checkbox.
    Onboard Assets - By default, any assets in Tenable.io that are not found in SAFE will be onboarded. In order to limit the integration to pull in vulnerabilities of only the assets that are present in SAFE, this option can be unchecked.
  6. Click the Test Connection button.
  7. Once the connection is verified, click the Save button.
  8. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the Scheduled Auto Sync. The Auto Sync time is 01:15 UTC.

Tenable Confg

5. View Result

Once Tenable.io is configured, SAFE pulls all the VA scan results from Tenable.io. 

To view assets pulled from Tenable.io: 

  1. Click the "See Updated Assets" button available at the top-right of the History table.
  2. You will be redirected to the filtered assets list page that displays all the assets pulled from Tenable.io. 

    Alternatively, you can navigate to Assets under Technology and filter the assets list for signal source equals security.safe.tenableio.
    tenable.io asset list

  3. Click on any asset from the list to view the control list.
  4. Clicking a control, you will be redirected to the control details page. 
  5.  You can see the MITRE ATT&CK mapping on this page 
  6. The Observation tab displays the Tenable Link for the finding.

tenable result

  • The assets get added to the Technology Verticals based on the OS given by Tenable.io.
  • If the Asset Matching Criteria fails, the assets will get added to the Others vertical. The asset can be manually moved to the best-suited vertical from Others.
  • To check the Asset Matching Criteria, use the below API
    GET <SAFE_URL>/api/v3/settings/os-to-safe-asset-type-mapping
  • To add a custom Asset Matching Criteria based on your requirements, use the below API
    POST <SAFE_URL>/api/v3/settings 

6. History

Learn More about Integration History here.

7. FAQs

Q1. I’m not sure what the assetMatchingCriteria should be for my Tenable.io instance.
Ans: The assetMatchingCriteria is something that SAFE uses to map Tenable.io Assets' VA data to SAFE assets. It can be simplified in 2 ways:

  1. If the Tenable.io Asset(s) for which the VA data is being pulled can be identified uniquely using the FQDN or Hostname value in Tenable.io, we can use the default assetMatchingCriteria. In this situation, no customization will be needed. In case any asset does not have a value for FQDN or Hostname fields in Tenable.io, in that scenario, IP Address will be used to identify the Asset.
  2. If the Tenable.io Asset(s) for which the VA data is being pulled can be identified uniquely by IP Address value in Tenable.io, we need to give higher precedence to IP Address in asset matching criteria. The assetMatchingCriteria in such a situation would become ["ipAddress","fqdn",  "assetName", "macAddress"]. If an IP address is not available, then FQDN/Hostname will be used to identify the asset.

Q2. Is it mandatory to provide tags in Tenable.io Configuration?
Ans: No, providing the tags in the Tenable.io configuration is not mandatory. Tags help a user configure a filter for the assets whose VA data is pulled by SAFE. This is useful in case Tenable.io has a large data set, and the user only wants to import a section of the data in SAFE.

Q3. Is it possible to update an already stored Tenable.io configuration?
Ans: Yes, it's possible to update a stored configuration. Users can go to UI and follow the configuration steps again.
Q4. I’m not able to trigger a sync action over a Tenable.io configuration.


  1. Please make sure the stored credentials are still valid.
  2. Sync would be available on the Tenable.io page if sync is stuck for more than 24 hours. 

Q5. Which CVSS score does Tenable.io integration use?
Ans: We use the CVSS V3 score if it is present. Ifthe CVSS V3 is absent, then the CVSS V2 score is considered.

Q6. If I mark Accepted Failed from SAFE, what would happen in the case of Tenable.io? 
Ans: Tenable.io will only comply with the Accepted Risk marked in Tenable.io. In case you mark a control as Accepted Failed in SAFE, it will get overridden in the next sync of Tenable.io.

Q7. Why is there a difference in the total count of assets in Tenable vs What is shown in SAFE?
SAFE does not pull in assets without any vulnerabilities or if only info-level vulnerabilities are present. 

Q8. How to get the number of assets that were skipped from syncing to SAFE if no vulnerabilities or only info-level vulnerabilities were present?
Under SAFE Hooks history, the details section shows details of entity counts synced. Skipped Assets field shows the count of assets that were skipped from syncing for the above reason. 

Q9. There are some duplicate assets in Tenable - how does SAFE handle them?
SAFE uses the asset matching criteria to determine which asset to post the data to. If there are duplicate assets in the source, the order of data received in API determines which asset’s vulnerability remains synced in SAFE. The recommendation is to clean the data at the source. 

Was this article helpful?

What's Next