Ingest Tenable vulnerability findings, scan events, and audit logs

Latest Dynatrace Preview

Tenable provides robust solutions for identifying, prioritizing, and addressing vulnerabilities, which are crucial for reducing cyber risks and securing digital infrastructure. Integrating Tenable findings into Dynatrace can enhance your overall security posture by ensuring comprehensive visibility and streamlined vulnerability management.

How it works

how tenable integration works

The Dynatrace integration with Tenable is an extension that runs on a Dynatrace ActiveGate. Once you enable and configure the Dynatrace Tenable extension:

  1. The extension periodically polls the Tenable APIs and fetches new findings, scans, and audit logs.

  2. The fetched data is ingested into Dynatrace and mapped to the Dynatrace semantic conventions.

  3. Findings and scan events are stored in a bucket called default_security_custom_events (for details, see: Built-in Grail buckets). Audit logs are ingested as log records with log.source set to Tenable.

Prerequisites

Supported Tenable products

Tenable requirements

Dynatrace requirements

Get started

  1. In Dynatrace, search for Tenable and select Install.

  2. Follow the on-screen instructions to configure the extension.

  3. Verify configuration by running the following queries in Notebooks:

    • For vulnerabilities and asset scans:

      fetch events
      | filter dt.system.bucket=="default_security_custom_events"
      | filter event.kind == "SECURITY_EVENT"
      | filter event.provider == "Tenable"
    • For audit logs:

      fetch logs
      | filter log.source == "Tenable"
  4. Once the extension is installed and working, you can access and manage it in Dynatrace via the Extensions app. For details, see Extensions 2.0 concepts.

Now you can visualize findings, analyze audit logs and automate notifications.

Visualize

  1. Download our sample dashboard.

  2. Open Dashboards, select Import, then select the downloaded file.

  3. In the Product filter, select Tenable to view data reported by Tenable, such as critical vulnerabilities and affected objects.

    filter for tenable product

Example result:

tenable filtered dashboard

Analyze

Open Notebooks or Security Investigator to query the ingested data, using the field names documented in the Semantic Dictionary.

For examples of how you can build your queries, see below.

Query for logs over time by action

fetch logs
| filter log.source == "Tenable"
| makeTimeseries logs=countDistinctExact(id), by:{audit.action}, time:{toTimestamp(received)}, interval:{3h}

Example result:

Logs over time by action

Query for vulnerability distribution by risk level

fetch events
| filter dt.system.bucket=="default_security_custom_events"
| filter event.kind == "SECURITY_EVENT" and event.type == "VULNERABILITY_FINDING"
| filter event.provider == "Tenable"
| dedup {object.id, vulnerability.id}, sort:{timestamp}
| summarize Vulnerabilities=countDistinctExact(vulnerability.id), by:{dt.security.risk.level}
| fieldsAdd order=if(dt.security.risk.level=="CRITICAL", 1, else:
    if(dt.security.risk.level=="HIGH", 2, else:
    if(dt.security.risk.level=="MEDIUM", 3, else:
    if(dt.security.risk.level=="LOW", 4, else:5))))
| sort order asc

Example result:

Vulnerability distribution by risk level

Query for top 10 scans with the most host coverage

fetch events
| filter dt.system.bucket=="default_security_custom_events"
| filter event.kind == "SECURITY_EVENT" and event.type == "VULNERABILITY_SCAN"
| filter event.provider == "Tenable"
| dedup {object.id, scan.id}
| summarize Hosts=countDistinctExact(object.id), by:{scan.name}
| sort Hosts desc
| limit 10

Example result:

Query for top 10 scans with the most host coverage

Automate notifications

  1. Download our sample workflow for Jira or sample workflow for Slack.
  2. Open Workflows, select Import, then select the downloaded file.
  3. Adjust the workflow to your needs to create notifications for critical Tenable findings.
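The sample workflows select critical Tenable findings before notifying. As an added example (not part of the page's sample workflows), the following DQL query is the kind of selection you would place in the workflow's DQL query task: it takes critical Tenable findings from the last 24 hours, collapses the duplicate copies that a repeated first ingest can produce using the {object.id, finding.id} key from the FAQ below, and keeps only the fields a notification needs. The 24-hour range, the 50-row limit and the field list are choices for this example, not requirements; add further fields from the Semantic Dictionary if your notification needs them.

```dql
fetch events, from:now()-24h
| filter dt.system.bucket == "default_security_custom_events"
| filter event.kind == "SECURITY_EVENT" and event.type == "VULNERABILITY_FINDING"
| filter event.provider == "Tenable"
| filter dt.security.risk.level == "CRITICAL"
// keep the newest copy of each finding per object (see "Why do I see duplicate events?")
| dedup {object.id, finding.id}, sort:{timestamp desc}
| fields timestamp, object.id, finding.id, vulnerability.id, dt.security.risk.level
| sort timestamp desc
| limit 50
```

Run the query in a notebook first to check the volume it returns; a workflow that notifies once per row will otherwise flood the Jira project or Slack channel after the first ingest, which covers a longer timeframe than the regular polling interval.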

Consumption

For billing information, see Events powered by Grail.

FAQ

Why does my configuration show an error?

Error message: Failed to assign monitoring configuration to ActiveGate. Reason: Extension com.dynatrace.extension.tenable(<version-number>) not available in cache yet (queued for download)

If your configuration shows the error message above, the ActiveGate has not yet finished downloading the extension from the cluster. The status should change to OK after a few minutes.

Why do I see duplicate events?

Duplicate events in the Tenable extension are likely due to the first ingest running multiple times. When a monitoring configuration is assigned to an ActiveGate, the first execution will run an export for a longer timeframe (configurable in the monitoring configuration settings). Anytime the extension is restarted (due to an update, ActiveGate reset, failover, and so on), the first ingest will run again.

You can run a DQL query and dedup the events using the object.id, scan.id, and finding.id fields.

  • For VULNERABILITY_FINDING, the unique ID is {object.id, finding.id}.
  • For VULNERABILITY_SCAN, the unique ID is {object.id, scan.id}.

Example:

fetch events
| filter dt.system.bucket=="default_security_custom_events"
| filter event.kind == "SECURITY_EVENT" and event.type == "VULNERABILITY_FINDING"
| filter event.provider == "Tenable"
| dedup {object.id, finding.id}, sort:{timestamp}
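To confirm that the duplicates really are repeated copies of the same finding rather than distinct findings for the same vulnerability, the following added check (not on the original page) groups by the same key, lists the keys that occur more than once and shows the time span between the first and last copy. A span that lines up with an extension update or ActiveGate restart points at a repeated first ingest. Replace finding.id with scan.id and VULNERABILITY_FINDING with VULNERABILITY_SCAN to run the same check for scan events.

```dql
fetch events
| filter dt.system.bucket == "default_security_custom_events"
| filter event.kind == "SECURITY_EVENT" and event.type == "VULNERABILITY_FINDING"
| filter event.provider == "Tenable"
// one row per {object.id, finding.id} key, counting how many copies were ingested
| summarize copies = count(), first_seen = min(timestamp), last_seen = max(timestamp), by:{object.id, finding.id}
| filter copies > 1
// duration between the first and the last copy of the same finding
| fieldsAdd span = last_seen - first_seen
| sort copies desc
| limit 20
```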

Why do some scan events have the same start and end times?

When fetching vulnerabilities, the Tenable extension attempts to match the data with recent scan executions. If the scan referenced by a Tenable vulnerability can't be found (for example, because the API user lacks permission to see it), the extension creates a scan event from the finding itself. Such a scan event has identical start and end times, both set to the time the vulnerability was found, which is how you can recognize it.

Why isn't my data ingested?

If you installed and configured the extension, but data isn’t being ingested, follow the steps below.

  1. Open the extension and go to Health to check the status of the monitoring configuration.

  2. If the status isn’t OK, scroll down to Logs and select Run query to see the error information.

  3. If the error information isn’t enough, or the status shows OK but you're still not getting data, extract a support archive from ActiveGate to troubleshoot further.

    1. Find the ActiveGate ID for the ActiveGate running the configuration and extract a support archive. For details, see ActiveGate diagnostics: Collect and review locally.
    2. Unzip the support archive and find the extension log file at COLLECTOR/<id>/remotepluginmodule/log/extensions/datasources/com.dynatrace.extension.tenable/python3.log.
  4. If the information there is still not sufficient for troubleshooting, enable the Debug logs flag in the monitoring configuration and contact Dynatrace Support.

Common causes for missed data ingest include:

  • No connectivity between the ActiveGate and Tenable cloud

    Suggestion: From the ActiveGate host, run curl against the Tenable cloud URL configured in the monitoring configuration to confirm that DNS resolution and outbound HTTPS (including any proxy the ActiveGate uses) work.

  • Wrong access and/or secret key

    Suggestion: Double-check the credentials configured on the monitoring configuration.

  • Missing permissions on the API user

    Suggestion: Ensure that the user provided can call the View activity log API. The user also needs to see the scans that produce the findings; otherwise the extension falls back to the synthetic scan events described above.