
Tenable.io

LAST UPDATED: 01/18/2024

Overview

Tenable.io provides actionable insight into an infrastructure's security risks, making it easy to identify, investigate, and prioritize vulnerabilities and misconfigurations in an IT environment.

D3 SOAR integrates with Tenable.io through its REST API.

Tenable.io is available for use in:

D3 SOAR: V12.7.241+

Category: Vulnerability Management

Deployment Options: Option II, Option IV

Known Limitations

Tenable Vulnerability Management performs rate limiting on API requests to ensure that all customers experience the same level of service. For more information, refer to Rate Limiting from Tenable's documentation.

Connection

To connect to Tenable.io from D3 SOAR, collect the information listed below:

Server URL: The server URL of the Tenable.io environment. Example: https://cloud.tenable.com

API Access Key: The API access key used to authenticate the connection. Example: YOUR_API_Access_Key

API Secret Key: The API secret key used to authenticate the connection. Example: YOUR_API_Secret_Key

Permission Requirements

Each endpoint in the Tenable.io API requires a certain permission scope. The following scopes are required for the commands in this integration:

Download Exported Scan: All roles can be used

Export Scan: All roles can be used

Get Scan Details: Basic User will only return limited information. All other roles can be used.

Get Scan Status: All roles can be used

Get Vulnerabilities By Asset: All roles can be used

Get Vulnerability Details: All roles can be used

Launch Scan: Administrator

List Plugin Outputs: All roles can be used

Get Scan History: All roles can be used

List Scans: All roles can be used, but non-administrator roles return less data

List Vulnerability Filters V2: All roles can be used

Query Vulnerability Details: All roles can be used

Test Connection: Any role except for Basic User

As Tenable.io uses role-based access control (RBAC), the API Access Key and API Secret Key are generated for a specific user account and application, so the command permissions are inherited from that user account's role. Configure the user's role in the Tenable.io console according to the commands you intend to run in this integration.

READER NOTE

Tenable.io's default user profiles are as follows:

  • Basic - Basic users can only view scan results and manage their user profile.

  • Scan Operator - Scan Operator users can create and run scans based on templates which the company has authorized.

  • Standard - Standard users can create scans, templates, and user target groups.

  • Scan Manager - Scan Manager users have the same privileges as the standard user, and can also manage agents, exclusions, and scanners.

  • Administrator - Administrators have the same privileges as the scan manager user, and can also manage users, groups, system target groups, and access groups. Additionally, administrators can view scans created by all users.

  • Disabled - Disabled user accounts cannot be used to log in to Tenable Vulnerability Management.

Configuring Tenable.io to Work with D3 SOAR

  1. Log in to Tenable.io. Navigate to the Settings menu in your Tenable.io dashboard. Select Access Control and then choose the Users tab. Click on Create User to add a new user account.

  2. After creating the user, locate and click on the newly created user profile. Ensure that the API Key option is enabled.

For role assignment, note that the Basic User role is not sufficient for integration with D3 SOAR. It may still be used to run commands, albeit with potential limitations. To understand the specific role requirements for commands and connectors, refer to the Permission Requirements section.

  3. Go to My Account and select API Key. Click on Generate to create a new API key.

  4. A warning message will appear. Read it and click Continue.

  5. Once the API key is generated, a key and a secret will be provided. Save these credentials in a secure and accessible location for future reference and use.

Configuring D3 SOAR to Work with Tenable.io

  1. Log in to D3 SOAR.

  2. Find the Tenable.io integration.

a. Navigate to Configuration on the top header menu.

b. Click on the Integration icon on the left sidebar.

c. Type Tenable.io in the search box to find the integration, then click it to select it.

d. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Tenable.io.

a. Connection Name: The desired name for the connection.

b. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

c. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site; use it to select the internal site on which to deploy the integration connection.

d. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

e. Description (Optional): Add your desired description for the connection.

f. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

g. Configure User Permissions: Defines which users have access to the connection.

h. Active: Check the tick box to ensure the connection is available for use.

i. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

1. Input the Server URL. The default value is https://cloud.tenable.com.

2. Input the API Access Key obtained from Tenable. Refer to step 4 of Configuring Tenable.io to Work with D3 SOAR for more information.

3. Input the API Secret Key obtained from Tenable. Refer to step 4 of Configuring Tenable.io to Work with D3 SOAR for more information.

j. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

k. Connection Health Check: Periodically updates the status of the connection you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

a. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

b. Click OK to close the alert window.

c. Click + Add to create and add the configured connection.

Commands

The Tenable.io integration includes the following executable commands, which users can schedule or use to build playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Tenable.io API, please refer to the Tenable.io API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Tenable.io to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Download Exported Scan

Downloads an exported scan.

READER NOTE

Scan ID and File ID are required parameters to run this command.

  • Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

  • Run the Export Scan command to obtain File ID. File ID can be found in the returned raw data at the path $.file.

Input

Scan ID (Required): The ID of the scan to export as a scan report. Scan IDs can be obtained using the List Scans command. Example: ***

File ID (Required): The ID of the file to poll. File IDs can be obtained using the Export Scan command. Example: *****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "fileID": "***",
    "fileName": "S3test.txt",
    "md5": "*****",
    "sha1": "*****",
    "sha***": "*****",
    "actionResult": "S3 Test Sample 20211004"
}
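The Raw Data above carries the digests of the downloaded file, which lets a playbook confirm the export was received intact before it is parsed or stored. The following is an added example, not D3 SOAR's or Tenable's own code; it assumes the redacted "sha***" key in the sample is "sha256", and the file bytes and Raw Data it uses are constructed inline.

```python
"""Integrity check for a file fetched with Download Exported Scan.

Added example, not D3 SOAR's or Tenable's own code. It compares the file
bytes against the md5/sha1/sha digests in the command's Raw Data. The
redacted "sha***" key in the page's sample is assumed to be "sha256"."""
import hashlib
import hmac

# Raw Data key -> hashlib algorithm name ("sha256" is an assumption, see above)
DIGEST_KEYS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}


def verify_exported_file(content: bytes, raw: dict) -> dict:
    """Return {digest_key: True | False | None} for each key in DIGEST_KEYS.

    True/False means the digest was present and matched/mismatched;
    None means the Raw Data did not carry that digest at all."""
    results = {}
    for key, algo in DIGEST_KEYS.items():
        expected = raw.get(key)
        if not isinstance(expected, str) or not expected.strip():
            results[key] = None
            continue
        actual = hashlib.new(algo, content).hexdigest()
        # constant-time comparison so a mismatch is not timing-observable
        results[key] = hmac.compare_digest(
            actual.encode("ascii"), expected.strip().lower().encode("utf-8"))
    return results


def download_is_trusted(results: dict) -> bool:
    """Trust the file only if at least one digest was present and every
    digest that was present matched."""
    checked = [ok for ok in results.values() if ok is not None]
    return bool(checked) and all(checked)


# Constructed sample: a small export body and Raw Data computed from it
SAMPLE_CONTENT = b"plugin_id,host,severity\n12345,host-a,3\n"  # constructed
SAMPLE_RAW = {
    "fileID": "file-0001",  # constructed placeholder, not a real ID
    "fileName": "S3test.txt",
    "md5": hashlib.md5(SAMPLE_CONTENT).hexdigest(),
    "sha1": hashlib.sha1(SAMPLE_CONTENT).hexdigest(),
    "sha256": hashlib.sha256(SAMPLE_CONTENT).hexdigest(),
    "actionResult": "S3 Test Sample 20211004",
}

if __name__ == "__main__":
    print(verify_exported_file(SAMPLE_CONTENT, SAMPLE_RAW))
    # a single appended byte makes every digest fail
    print(verify_exported_file(SAMPLE_CONTENT + b"x", SAMPLE_RAW))
```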
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PBFileID": ***
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

fileID: ***

fileName: S3test.txt

md5: *****

sha1: *****

sha***6: *****

actionResult: S3 Test Sample 20211004

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Download Exported Scan failed.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Download Exported Scan failed:name 'time' is not defined.

Error Sample Data

Download Exported Scan failed.

Status Code: 400.

Message: Download Exported Scan failed:name 'time' is not defined.

Export Scan

Exports the specified scan.

READER NOTE

Scan ID is a required parameter to run this command.

  • Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

History ID is an optional parameter to run this command.

  • Run the Get Scan History command to obtain History ID. History ID can be found in the returned raw data at the path $.id.

Input

Scan ID (Required): The ID of the scan to export. Scan IDs can be obtained using the List Scans command. Example: ***

History ID (Optional): The ID of the historical data to export. History IDs can be obtained using the Get Scan History command. If this parameter is not defined, the latest data will be exported. Example: *****

Report Format (Required): The format of the exported report. The available options are Nessus, HTML, PDF, CSV, or DB. For scans older than 60 days, only the Nessus and CSV formats are supported. Example: HTML (requires the Chapters parameter)

Chapters (Optional): The chapters to include in the export. This parameter accepts a semicolon-delimited string made up of some combination of the following options: vuln_hosts_summary, vuln_by_host, compliance_exec, remediations, vuln_by_plugin, compliance. Note: This parameter is required if the file format is PDF or HTML. Example: vuln_hosts_summary;vuln_by_host;compliance_exec;remediations;vuln_by_plugin;compliance

Password (Optional): The password used to encrypt database exports. This parameter is required when exporting as DB. Example: PASSWORD
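The Report Format, Chapters and Password parameters constrain each other (Chapters is mandatory for HTML/PDF, Password for DB, and scans older than 60 days only export as Nessus or CSV). The validator below is an added example, not D3 SOAR's own command code: it rejects inconsistent inputs before any API call is made, so a playbook fails on a clear message rather than on a 400 from Tenable. The scan's age is passed in as scan_age_days, an assumed helper input, since the page does not say how the 60-day cut-off is measured.

```python
"""Pre-flight validation of Export Scan inputs (added example, not D3 SOAR code).

Encodes the constraints the parameter table states for Report Format,
Chapters and Password. scan_age_days is an assumed input: how the 60-day
cut-off is measured is not described on the page."""

REPORT_FORMATS = {"nessus", "html", "pdf", "csv", "db"}
CHAPTERS = {"vuln_hosts_summary", "vuln_by_host", "compliance_exec",
            "remediations", "vuln_by_plugin", "compliance"}
CHAPTER_FORMATS = {"html", "pdf"}      # Chapters is mandatory for these
OLD_SCAN_DAYS = 60
OLD_SCAN_FORMATS = {"nessus", "csv"}   # the only formats allowed for old scans


def validate_export_params(report_format, chapters=None, password=None,
                           scan_age_days=None):
    """Return the normalised parameters as a dict, or raise ValueError."""
    fmt = (report_format or "").strip().lower()
    if fmt not in REPORT_FORMATS:
        raise ValueError(f"Report Format must be one of {sorted(REPORT_FORMATS)}")
    if (scan_age_days is not None and scan_age_days > OLD_SCAN_DAYS
            and fmt not in OLD_SCAN_FORMATS):
        raise ValueError(f"scans older than {OLD_SCAN_DAYS} days support only "
                         f"{sorted(OLD_SCAN_FORMATS)}")
    params = {"report_format": fmt}

    # Chapters: semicolon-delimited, required for HTML/PDF, names must be known
    parts = [c.strip() for c in (chapters or "").split(";") if c.strip()]
    if fmt in CHAPTER_FORMATS and not parts:
        raise ValueError(f"Chapters is required when Report Format is {fmt.upper()}")
    unknown = sorted(set(parts) - CHAPTERS)
    if unknown:
        raise ValueError(f"unknown chapter(s): {unknown}")
    if parts:
        params["chapters"] = ";".join(dict.fromkeys(parts))  # dedupe, keep order

    # Password: required for DB exports (used to encrypt the database)
    if fmt == "db":
        if not password:
            raise ValueError("Password is required when Report Format is DB")
        params["password"] = password
    return params


def export_params_error(**kwargs):
    """Convenience wrapper: the error message, or None when the inputs are valid."""
    try:
        validate_export_params(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_export_params("HTML", "vuln_hosts_summary;vuln_by_host"))
    print(export_params_error(report_format="pdf", scan_age_days=61))
```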

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "file": *****
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileID": *****
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

file: *****

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Export Scan failed.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The value for parameter (Scan ID) is invalid.

Error Sample Data

Export Scan failed.

Status Code: 400.

Message: The value for parameter (Scan ID) is invalid.

Get Scan Details

Returns scan results for a specific scan. Tenable.io returns results from the latest run of the specified scan.

READER NOTE

Scan ID is a required parameter to run this command.

Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

Input

Scan ID (Required): The ID of the scan to retrieve details for. Scan IDs can be obtained using the List Scans command. Example: ***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
No Sample Data
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "owner": "***@*****.com",
    "name": "scan2",
    "folder_id": ***,
    "scanner_name": "Scanner Groups",
    "policy": "WannaCry Ransomware Detection",
    "status": "completed",
    "scan_type": "remote",
    "targets": "***.***.***.***-***.***.***.***",
    "host_id": [
        ***,
        ***,
        ***
    ],
    "hostname": [
        "***.***.***.***",
        "***.***.***.***",
        "***.***.***.***"
    ],
    "host_severity": [
        1,
        1,
        1
    ],
    "host_score": [
        1,
        1,
        1
    ],
    "plugin_id": [
        *****
    ],
    "plugin_name": [
        "Nessus Scan Information"
    ],
    "plugin_severity": [
        0
    ],
    "plugin_family": [
        "Settings"
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "host_ids": [*****],
    "host_severities": [1],
    "host_scores": [1],
    "plugin_ids": [*****],
    "plugin_severities": [0]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

owner: ***@*****.com

name: scan2

folder_id: **

scanner_name: Scanner Groups

policy: WannaCry Ransomware Detection

status: completed

scan_type: remote

targets: ***.***.***.***-***.***.***.***

host_id:

  • *****

  • *****

  • *****

hostname:

  • ***.***.***.***

  • ***.***.***.***

  • ***.***.***.***

host_severity:

  • 1

  • 1

  • 1

host_score:

  • 1

  • 1

  • 1

plugin_id:

  • *****

plugin_name:

  • Nessus Scan Information

plugin_severity:

  • 0

plugin_family:

  • Settings

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Get Scan Details failed.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The value for parameter (Scan ID) is invalid.

Error Sample Data

Get Scan Details failed.

Status Code: 400.

Message: The value for parameter (Scan ID) is invalid.

Get Scan Status

Returns the latest status for the specified scan. Scans can have one of the following statuses: aborted, canceled, completed, empty, imported, initializing, pausing, paused, pending, processing, resuming, running, stopped or stopping.

READER NOTE

Scan ID is a required parameter to run this command.

  • Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

Input

Scan ID (Required): The ID of the scan whose status to retrieve. Scan IDs can be obtained using the List Scans command. Example: ***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "status": "imported"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Status": "imported"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

status: imported

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Get Scan Status failed.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command, and the user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The value for parameter (Scan ID) is invalid.

Error Sample Data

Get Scan Status failed.

Status Code: 400.

Message: The value for parameter (Scan ID) is invalid.

Get Vulnerabilities By Asset

Returns information on vulnerabilities associated with the specified host.

READER NOTE

The input IP address must already exist in the system.

Input

IP Address (Required): The IP address of the host whose vulnerabilities to retrieve. Example: ***.***.***.***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "vulnerabilities": [
        {
            "count": 18,
            "plugin_family": "Windows : Microsoft Bulletins",
            "plugin_id": *****,
            "plugin_name": "MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)",
            "vulnerability_state": "Active",
            "vpr_score": 5.9,
            "accepted_count": 0,
            "recasted_count": 0,
            "counts_by_severity": [
                {
                    "count": 18,
                    "value": 0
                }
            ],
            "severity": 3,
            "info": {
                "count": 1,
                "vuln_count": 1,
                "description": "The remote Windows host contains a version of the Microsoft Foundation Class (MFC) library affected by an insecure library loading vulnerability. The path used for loading external libraries is not securely restricted.\n\nAn attacker can exploit this by tricking a user into opening an MFC application in a directory that contains a malicious DLL, resulting in arbitrary code execution.",
                "synopsis": "Arbitrary code can be executed on the remote host through the Microsoft Foundation Class library.",
                "solution": "Microsoft has released a set of patches for Visual Studio .NET 2003, 2005, and 2008, as well as Visual C++ 2005, 2008, and 2010.",
                "discovery": {
                    "seen_first": "2019-12-31T17:15:52.000Z",
                    "seen_last": "2019-12-31T17:15:52.000Z"
                },
                "severity": 3,
                "plugin_details": {
                    "family": "Windows : Microsoft Bulletins",
                    "modification_date": "2016-12-31T00:00:00Z",
                    "name": "MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)",
                    "publication_date": "2011-12-31T00:00:00Z",
                    "type": "local",
                    "version": null,
                    "severity": 3
                },
                "reference_information": [
                    {
                        "name": "bid",
                        "url": "http://***.*****.com/***",
                        "values": [
                            42811
                        ]
                    },
                    {
                        "name": "cve",
                        "url": "http://***.*****.com/***",
                        "values": [
                            "CVE-2010-3190"
                        ]
                    },
                    {
                        "name": "iavb",
                        "values": [
                            "2011-B-0046"
                        ]
                    },
                    {
                        "name": "msft",
                        "url": "http://***.*****.com/***",
                        "values": [
                            "MS11-025"
                        ]
                    },
                    {
                        "name": "osvdb",
                        "values": [
                            "67674"
                        ]
                    },
                    {
                        "name": "secunia",
                        "url": "http://***.*****.com/***",
                        "values": [
                            "41212"
                        ]
                    }
                ],
                "risk_information": {
                    "risk_factor": "High",
                    "cvss_vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
                    "cvss_base_score": "9.3",
                    "cvss_temporal_vector": "E:F/RL:OF/RC:ND",
                    "cvss_temporal_score": "7.7",
                    "cvss3_vector": null,
                    "cvss3_base_score": null,
                    "cvss3_temporal_vector": null,
                    "cvss3_temporal_score": null,
                    "stig_severity": null
                },
                "see_also": [
                    "[\"http://***.*****.com/***\"]"
                ],
                "vulnerability_information": {
                    "vulnerability_publication_date": "2010-12-31T00:00:00Z",
                    "exploited_by_malware": null,
                    "patch_publication_date": "2011-12-31T00:00:00Z",
                    "exploit_available": true,
                    "exploitability_ease": null,
                    "asset_inventory": null,
                    "default_account": null,
                    "exploited_by_nessus": null,
                    "in_the_news": null,
                    "malware": null,
                    "unsupported_by_vendor": null,
                    "cpe": null,
                    "exploit_frameworks": []
                },
                "vpr": {
                    "score": 5.9,
                    "drivers": {
                        "age_of_vuln": {
                            "lower_bound": 731,
                            "upper_bound": 0
                        },
                        "exploit_code_maturity": "UNPROVEN",
                        "cvss_impact_score_predicted": true,
                        "threat_intensity_last28": "VERY_LOW",
                        "threat_sources_last28": [
                            "No recorded events"
                        ],
                        "product_coverage": "MEDIUM"
                    },
                    "updated": "2019-12-31T10:08:58Z"
                }
            }
        }
    ],
    "exposure_score": 753,
    "total_vulnerability_count": 1,
    "total_asset_count": 1
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Plugin_ids": [*****],
    "severities": [3],
    "Plugin_Families": [ "Windows : Microsoft Bulletins" ],
    "Plugin_Names": [ "MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)" ],
    "Vulnerability_States": ["Active"],
    "Plugin_Descriptions": [ "The remote Windows host contains a version of the Microsoft Foundation Class (MFC) library affected by an insecure library loading vulnerability. The path used for loading external libraries is not securely restricted.\n\nAn attacker can exploit this by tricking a user into opening an MFC application in a directory that contains a malicious DLL, resulting in arbitrary code execution." ],
    "First_Seen_Time": ["2019-12-31T17:15:52.000Z"],
    "Last_Seen_Time": ["2019-12-31T17:15:52.000Z"],
    "VPR_Scores": [5.9],
    "CVSS_Risk_Factors": ["High"],
    "CVSS_Temporal_Scores": ["7.7"],
    "Exploit_Available": [true],
    "Threat_Intensities": ["VERY_LOW"],
    "Asset_Exposure_Scores": 753
}
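The Key Fields sample above is a fixed projection of the Raw Data: one aligned list per field over $.vulnerabilities[*], plus the asset-level exposure score. The extractor below is an added example, not D3 SOAR's own implementation; it reproduces that mapping, keeps the lists aligned when a finding lacks a nested block, and tolerates a response with no vulnerabilities key instead of raising on it. SAMPLE_RAW and the playbook rule in plugins_to_prioritise are constructed for illustration.

```python
"""Key Fields extraction for Get Vulnerabilities By Asset Raw Data.

Added example, not D3 SOAR's own extractor. The field mapping follows the
Key Fields sample on the page. SAMPLE_RAW is constructed; its second finding
deliberately lacks the nested "info" block."""
from typing import Any


def _dig(obj: Any, *path: str) -> Any:
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


# Key Field name -> key path inside each entry of $.vulnerabilities[*]
PER_VULN_FIELDS = {
    "Plugin_ids": ("plugin_id",),
    "severities": ("severity",),
    "Plugin_Families": ("plugin_family",),
    "Plugin_Names": ("plugin_name",),
    "Vulnerability_States": ("vulnerability_state",),
    "Plugin_Descriptions": ("info", "description"),
    "First_Seen_Time": ("info", "discovery", "seen_first"),
    "Last_Seen_Time": ("info", "discovery", "seen_last"),
    "VPR_Scores": ("vpr_score",),
    "CVSS_Risk_Factors": ("info", "risk_information", "risk_factor"),
    "CVSS_Temporal_Scores": ("info", "risk_information", "cvss_temporal_score"),
    "Exploit_Available": ("info", "vulnerability_information", "exploit_available"),
    "Threat_Intensities": ("info", "vpr", "drivers", "threat_intensity_last28"),
}


def extract_key_fields(raw: dict) -> dict:
    """Build the Key Fields dict from a Raw Data response.

    Every per-finding list has one entry per vulnerability (None where the
    source key is absent), so the lists stay index-aligned for playbooks."""
    vulns = raw.get("vulnerabilities") or []
    if not isinstance(vulns, list):
        raise ValueError("vulnerabilities must be a list")
    fields = {name: [_dig(v, *path) for v in vulns]
              for name, path in PER_VULN_FIELDS.items()}
    fields["Asset_Exposure_Scores"] = raw.get("exposure_score")
    return fields


def plugins_to_prioritise(fields: dict) -> list:
    """Plugin IDs a playbook condition might act on (assumed rule, not from the
    page): exploit available, finding Active, and risk factor High/Critical."""
    rows = zip(fields["Plugin_ids"], fields["Vulnerability_States"],
               fields["CVSS_Risk_Factors"], fields["Exploit_Available"])
    return [pid for pid, state, risk, exploit in rows
            if exploit is True and state == "Active"
            and risk in {"High", "Critical"}]


SAMPLE_RAW = {  # constructed; the shape mirrors the Raw Data sample on the page
    "vulnerabilities": [
        {
            "count": 2, "plugin_family": "Windows : Microsoft Bulletins",
            "plugin_id": 11111, "plugin_name": "Constructed finding A",
            "vulnerability_state": "Active", "vpr_score": 5.9, "severity": 3,
            "info": {
                "description": "Constructed description A",
                "discovery": {"seen_first": "2024-01-01T00:00:00.000Z",
                              "seen_last": "2024-01-02T00:00:00.000Z"},
                "risk_information": {"risk_factor": "High",
                                     "cvss_temporal_score": "7.7"},
                "vulnerability_information": {"exploit_available": True},
                "vpr": {"drivers": {"threat_intensity_last28": "VERY_LOW"}},
            },
        },
        {   # second finding deliberately lacks the nested "info" block
            "count": 1, "plugin_family": "General",
            "plugin_id": 22222, "plugin_name": "Constructed finding B",
            "vulnerability_state": "Resurfaced", "vpr_score": 3.1, "severity": 1,
        },
    ],
    "exposure_score": 753,
    "total_vulnerability_count": 2,
    "total_asset_count": 1,
}

if __name__ == "__main__":
    kf = extract_key_fields(SAMPLE_RAW)
    print(kf)
    print(plugins_to_prioritise(kf))
```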
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

count: 18

plugin_family: Windows : Microsoft Bulletins

plugin_id: *****

plugin_name: MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)

vulnerability_state: Active

vpr_score: 5.9

accepted_count: 0

recasted_count: 0

counts_by_severity: [{'count': 18, 'value': 0}]

severity: 3

info: {'count': 1, 'vuln_count': 1, 'description': 'The remote Windows host contains a version of the Microsoft Foundation Class (MFC) library affected by an insecure library loading vulnerability. The path used for loading external libraries is not securely restricted.\n\nAn attacker can exploit this by tricking a user into opening an MFC application in a directory that contains a malicious DLL, resulting in arbitrary code execution.', 'synopsis': 'Arbitrary code can be executed on the remote host through the Microsoft Foundation Class library.', 'solution': 'Microsoft has released a set of patches for Visual Studio .NET 2003, 2005, and 2008, as well as Visual C++ 2005, 2008, and 2010.', 'discovery': {'seen_first': '2019-12-31T17:15:52.000Z', 'seen_last': '2019-12-31T17:15:52.000Z'}, 'severity': 3, 'plugin_details': {'family': 'Windows : Microsoft Bulletins', 'modification_date': '2016-12-31T00:00:00Z', 'name': 'MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)', 'publication_date': '2011-12-31T00:00:00Z', 'type': 'local', 'version': None, 'severity': 3}, 'reference_information': [{'name': 'bid', 'url': 'http://***.*****.com/***', 'values': [42811]}, {'name': 'cve', 'url': 'http://***.*****.com/***', 'values': ['CVE-2010-3190']}, {'name': 'iavb', 'values': ['2011-B-0046']}, {'name': 'msft', 'url': 'http://***.*****.com/***', 'values': ['MS11-025']}, {'name': 'osvdb', 'values': ['67674']}, {'name': 'secunia', 'url': 'http://***.*****.com/***', 'values': ['41212']}], 'risk_information': {'risk_factor': 'High', 'cvss_vector': 'AV:N/AC:M/Au:N/C:C/I:C/A:C', 'cvss_base_score': '9.3', 'cvss_temporal_vector': 'E:F/RL:OF/RC:ND', 'cvss_temporal_score': '7.7', 'cvss3_vector': None, 'cvss3_base_score': None, 'cvss3_temporal_vector': None, 'cvss3_temporal_score': None, 'stig_severity': None}, 'see_also': ['["https://technet.microsoft.com/library/security/ms11-025 "]'], 'vulnerability_information': {'vulnerability_publication_date': '2010-12-31T00:00:00Z', 'exploited_by_malware': None, 'patch_publication_date': '2011-12-31T00:00:00Z', 'exploit_available': True, 'exploitability_ease': None, 'asset_inventory': None, 'default_account': None, 'exploited_by_nessus': None, 'in_the_news': None, 'malware': None, 'unsupported_by_vendor': None, 'cpe': None, 'exploit_frameworks': []}, 'vpr': {'score': 5.9, 'drivers': {'age_of_vuln': {'lower_bound': 731, 'upper_bound': 0}, 'exploit_code_maturity': 'UNPROVEN', 'cvss_impact_score_predicted': True, 'threat_intensity_last28': 'VERY_LOW', 'threat_sources_last28': ['No recorded events'], 'product_coverage': 'MEDIUM'}, 'updated': '2019-12-31T10:08:58Z'}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Vulnerabilities By Asset failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Get Vulnerabilities By Asset failed:'vulnerabilities.

Error Sample Data

Get Vulnerabilities By Asset failed.

Status Code: 400.

Message: Get Vulnerabilities By Asset failed:'vulnerabilities.

Get Vulnerability Details

Retrieves the details for a vulnerability by plugin ID.

READER NOTE

Plugin ID is a required parameter to run this command.

  • Run the Get Scan Details command to obtain Plugin ID. Plugin ID can be found in the returned raw data at the path $.vulnerabilities[*].plugin_id.

Input

Input Parameter

Required/Optional

Description

Example

Plugin ID

Required

The ID of the plugin for which to retrieve vulnerability details. Plugin IDs can be obtained using the Get Scan Details command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "info": {
        "count": 64,
        "vuln_count": 64,
        "recasted_count": 0,
        "accepted_count": 0,
        "description": "Makes a traceroute to the remote host.",
        "synopsis": "It was possible to obtain traceroute information.",
        "discovery": {
            "seen_first": "2020-07-18T21:35:51.866Z",
            "seen_last": "2020-07-30T07:50:38.914Z"
        },
        "severity": 0,
        "plugin_details": {
            "family": "General",
            "modification_date": "2019-03-06T00:00:00Z",
            "name": "Traceroute Information",
            "publication_date": "1999-11-27T00:00:00Z",
            "type": "remote",
            "version": "1.65",
            "severity": 0
        },
        "reference_information": [],
        "risk_information": {
            "risk_factor": "None",
            "cvss_vector": null,
            "cvss_base_score": null,
            "cvss_temporal_vector": null,
            "cvss_temporal_score": null,
            "cvss3_vector": null,
            "cvss3_base_score": null,
            "cvss3_temporal_vector": null,
            "cvss3_temporal_score": null,
            "stig_severity": null
        },
        "see_also": []
    }
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "id": "*****",
    "description": "Makes a traceroute to the remote host.",
    "synopsis": "It was possible to obtain traceroute information.",
    "solution": "",
    "seen_first": "7/18/2020 9:35:51 PM",
    "seen_last": "7/30/2020 7:50:38 AM",
    "severity": 0,
    "plugin_details_family": "General",
    "plugin_details_name": "Traceroute Information"
}
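The Context Data above is a flattening of the Raw Data `info` object: nested `discovery` and `plugin_details` fields are lifted to the top level and the ISO-8601 timestamps are rendered in a locale-style M/D/YYYY h:mm:ss AM/PM form. The following Python is an added example of that transformation, not D3's own code; `RAW_VULN_DETAILS` is a constructed input copied from the sample above, and `PLACEHOLDER_PLUGIN_ID` stands in for the redacted plugin ID.

```python
from datetime import datetime, timezone

# Constructed input shaped like the Raw Data sample above (values copied from that sample).
RAW_VULN_DETAILS = {
    "info": {
        "count": 64,
        "vuln_count": 64,
        "description": "Makes a traceroute to the remote host.",
        "synopsis": "It was possible to obtain traceroute information.",
        "discovery": {
            "seen_first": "2020-07-18T21:35:51.866Z",
            "seen_last": "2020-07-30T07:50:38.914Z",
        },
        "severity": 0,
        "plugin_details": {"family": "General", "name": "Traceroute Information"},
    }
}


def parse_tenable_timestamp(value):
    """Parse a Tenable.io UTC timestamp, with or without fractional seconds.

    Returns None for a missing value so that absent discovery data does not
    abort the whole transformation."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Tenable.io timestamp: {value!r}")


def format_d3_datetime(dt):
    """Render a datetime as M/D/YYYY h:mm:ss AM|PM, the form used in the Context Data sample.

    Built by hand rather than with strftime because the unpadded %-m/%-d/%-I
    directives are not portable across platforms."""
    if dt is None:
        return ""
    hour12 = dt.hour % 12 or 12
    meridiem = "AM" if dt.hour < 12 else "PM"
    return f"{dt.month}/{dt.day}/{dt.year} {hour12}:{dt.minute:02d}:{dt.second:02d} {meridiem}"


def build_context_data(raw, plugin_id):
    """Flatten the Raw Data 'info' object into the Context Data shape shown above.

    plugin_id is the command input (the API response does not echo it), so the
    caller supplies it; any missing field becomes an empty string or None."""
    info = raw.get("info") or {}
    plugin = info.get("plugin_details") or {}
    discovery = info.get("discovery") or {}
    return {
        "id": plugin_id,
        "description": info.get("description", ""),
        "synopsis": info.get("synopsis", ""),
        "solution": info.get("solution") or "",
        "seen_first": format_d3_datetime(parse_tenable_timestamp(discovery.get("seen_first"))),
        "seen_last": format_d3_datetime(parse_tenable_timestamp(discovery.get("seen_last"))),
        "severity": info.get("severity"),
        "plugin_details_family": plugin.get("family"),
        "plugin_details_name": plugin.get("name"),
    }


if __name__ == "__main__":
    # PLACEHOLDER_PLUGIN_ID stands in for the plugin ID redacted in the page sample.
    print(build_context_data(RAW_VULN_DETAILS, "PLACEHOLDER_PLUGIN_ID"))
```

Because the formatted timestamps drop the timezone and fractional seconds, a playbook that needs to compare or sort discovery times should read `$.info.discovery.seen_first` from the Raw Data rather than the Context Data string.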
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "id": *****,
    "severity": 0,
    "plugin_details_family": "General",
    "plugin_details_name": Traceroute Information
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

description

Makes a traceroute to the remote host.

synopsis

It was possible to obtain traceroute information.

solution

seen_first

7/18/2020 9:35:51 PM

seen_last

7/30/2020 7:50:38 AM

severity

0

plugin_details_family

General

plugin_details_name

Traceroute Information

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Vulnerability Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Expecting value: line 1 column 1 (char 0).

Error Sample Data

Get Vulnerability Details failed.

Status Code: 400.

Message: Expecting value: line 1 column 1 (char 0).

Launch Scan

Launches the specified scan.

READER NOTE

Scan ID is a required parameter to run this command.

  • Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Scan ID

Required

The ID of the scan to launch. Scan IDs can be obtained using the List Scans command.

***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "scan_uuid": "*****"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 enriches the context data from the original Tenable.io API response by adding the "id" and "status" fields.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "scan_uuid": "*****",
    "id": ***,
    "status": "pending"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "scan_uuid": "*****",
    "id": ***,
    "status": "pending"
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

scan_uuid

*****

id

***

status

pending

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Launch Scan failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Insufficient scope.

Error Sample Data

Launch Scan failed.

Status Code: 403.

Message: Insufficient scope.

List Plugin Outputs

Retrieves the output of vulnerabilities for a plugin. The output is restricted to a maximum of 5,000 entries.

READER NOTE

Plugin ID is a required parameter to run this command.

  • Run the Get Scan Details command to obtain Plugin ID. Plugin ID can be found in the returned raw data at the path $.vulnerabilities[*].plugin_id.

  • If you input an invalid Plugin ID, the command will run successfully with no results.

Input

Input Parameter

Required/Optional

Description

Example

Plugin ID

Required

The ID of the plugin whose outputs to list. Plugin IDs can be obtained using the Query Vulnerability Details command.

*****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "outputs": [
        {
            "plugin_output": "\nThe following certificate was at the top of the certificate\nchain sent by the remote host, but it is signed by an unknown\ncertificate authority :\n\n|-Subject : O=LCE Users/OU=LCE Certification Authority/L=New York/C=US/ST=NY/CN=LCE Certification Authority\n|-Issuer  : O=LCE Users/OU=LCE Certification Authority/L=New York/C=US/ST=NY/CN=LCE Certification Authority\n",
            "states": [
                {
                    "name": "Active",
                    "results": [
                        {
                            "application_protocol": "unknown",
                            "port": 1243,
                            "transport_protocol": "tcp",
                            "assets": [
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": null,
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                },
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": null,
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                },
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": "example.com",
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                },
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": null,
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                },
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": "example.com",
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                },
                                {
                                    "hostname": "***.***.***.***",
                                    "id": "*****",
                                    "uuid": "*****",
                                    "netbios_name": null,
                                    "fqdn": null,
                                    "ipv4": "***.***.***.***",
                                    "first_seen": "2018-12-31T15:00:25Z",
                                    "last_seen": "2018-12-31T15:00:25Z"
                                }
                            ],
                            "severity": 2
                        }
                    ]
                }
            ]
        }
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

outputs

{'plugin_output': '\nThe following certificate was at the top of the certificate\nchain sent by the remote host, but it is signed by an unknown\ncertificate authority :\n\n|-Subject : O=LCE Users/OU=LCE Certification Authority/L=New York/C=US/ST=NY/CN=LCE Certification Authority\n|-Issuer : O=LCE Users/OU=LCE Certification Authority/L=New York/C=US/ST=NY/CN=LCE Certification Authority\n', 'states': [{'name': 'Active', 'results': [{'application_protocol': 'unknown', 'port': 1243, 'transport_protocol': 'tcp', 'assets': [{'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': None, 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}, {'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': None, 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}, {'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': '*****@*****.com ', 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}, {'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': None, 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}, {'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': '*****@*****.com ', 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}, {'hostname': '***.***.***.***', 'id': '*****', 'uuid': '*****', 'netbios_name': None, 'fqdn': None, 'ipv4': '***.***.***.***', 'first_seen': '2018-12-31T15:00:25Z', 'last_seen': '2018-12-31T15:00:25Z'}], 'severity': 2}]}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Plugin Outputs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test connection failed Insufficient scope.

Error Sample Data

List Plugin Outputs failed.

Status Code: 403.

Message: Test connection failed Insufficient scope.

Get Scan History

Returns a list of scan run objects, each of which represents an individual run of the specified scan.

READER NOTE

Scan ID is a required parameter to run this command.

  • Run the List Scans command to obtain Scan ID. Scan ID can be found in the returned raw data at the path $.scans[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Scan ID

Required

The ID of the scan whose history to retrieve. Scan IDs can be obtained using the List Scans command.

31

Limit

Optional

The maximum number of scans to return. If this parameter is not defined, the default limit is 50.

50

Offset

Optional

The initial scan run to retrieve. If this parameter is not defined, the offset defaults to 0.

0

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "pagination": {
        "offset": 0,
        "total": 299,
        "sort": [
            {
                "order": "DESC",
                "name": "start_date"
            }
        ],
        "limit": 1
    },
    "history": [
        {
            "id": *****,
            "status": "completed",
            "is_archived": false,
            "targets": {
                "custom": false,
                "default": null
            },
            "visibility": "public",
            "scan_uuid": "*****",
            "reindexing": null,
            "time_start": 1634281431,
            "time_end": 1634281497
        }
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data at the path $.history from the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "status": "completed",
        "is_archived": false,
        "targets": {
            "custom": false,
            "default": null
        },
        "visibility": "public",
        "scan_uuid": "*****",
        "reindexing": null,
        "time_start": 1634281431,
        "time_end": 1634281497
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "historyIDs": [*****],
    "ScanStatuses": ["completed"],
    "Visibilities": ["public"],
    "ScanUUIDs": ["*****"],
    "StartTimestamps": [1633763051],
    "endTimeStamps": [1634281497]
}
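The Limit and Offset inputs above page through the scan history in the same way the underlying endpoint does: `pagination.total` reports how many runs exist, and a caller that wants all of them advances Offset until it reaches that total. The following Python is an added example, not D3's or Tenable's code; `fake_fetch_history` and `SAMPLE_HISTORY` are a constructed in-memory stand-in for the endpoint (same `pagination`/`history` shape as the Raw Data sample), and `extract_history_key_fields` rebuilds the Key Fields dictionary shown above from the collected runs.

```python
# Constructed stand-in for the scan history endpoint; the response carries the
# same "pagination" and "history" keys as the Raw Data sample above.
SAMPLE_HISTORY = [
    {
        "id": 100 + i,  # placeholder ids, not real history ids
        "status": "completed" if i % 3 else "canceled",
        "is_archived": False,
        "targets": {"custom": False, "default": None},
        "visibility": "public",
        "scan_uuid": f"constructed-uuid-{i}",  # placeholder, not a real UUID
        "reindexing": None,
        "time_start": 1634281431 - 3600 * i,
        "time_end": 1634281497 - 3600 * i,
    }
    for i in range(7)
]


def fake_fetch_history(scan_id, limit=50, offset=0):
    """Serve one page of SAMPLE_HISTORY; a real integration would call the API here."""
    page = SAMPLE_HISTORY[offset:offset + limit]
    return {
        "pagination": {
            "offset": offset,
            "total": len(SAMPLE_HISTORY),
            "sort": [{"order": "DESC", "name": "start_date"}],
            "limit": limit,
        },
        "history": page,
    }


def fetch_all_history(scan_id, fetch, limit=50, max_pages=1000):
    """Collect every run by advancing Offset until pagination.total is reached.

    max_pages bounds the loop so a misbehaving endpoint (for example one that
    keeps reporting a larger total) cannot keep the playbook task running forever."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    runs, offset = [], 0
    for _ in range(max_pages):
        resp = fetch(scan_id, limit=limit, offset=offset)
        page = resp.get("history") or []
        runs.extend(page)
        total = (resp.get("pagination") or {}).get("total", 0)
        if not page or offset + len(page) >= total:
            break
        offset += len(page)
    return runs


def extract_history_key_fields(history):
    """Build the Key Fields dictionary shown above from a list of scan run objects."""
    return {
        "historyIDs": [run["id"] for run in history],
        "ScanStatuses": [run["status"] for run in history],
        "Visibilities": [run["visibility"] for run in history],
        "ScanUUIDs": [run["scan_uuid"] for run in history],
        "StartTimestamps": [run["time_start"] for run in history],
        "endTimeStamps": [run["time_end"] for run in history],
    }


if __name__ == "__main__":
    # "31" is the Scan ID from the input example above.
    all_runs = fetch_all_history("31", fake_fetch_history, limit=3)
    print(extract_history_key_fields(all_runs))
```

Keeping the page size small and the loop bounded matters in practice because Tenable Vulnerability Management rate-limits API requests; a playbook that walks a long history should also be prepared for the page count to change between requests if a scan is running while it paginates.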
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

status

is_archived

targets

visibility

scan_uuid

reindexing

time_start

time_end

*****

completed

False

{'custom': False, 'default': None}

public

*****

None

1634281431

1634281497

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Scan History failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Scan ID) is invalid.

Error Sample Data

Get Scan History failed.

Status Code: 400.

Message: The value for parameter (Scan ID) is invalid.

List Scans

Returns a list of scans according to the optional filters (Folder ID and Last Modification Date).

Input

Input Parameter

Required/Optional

Description

Example

Folder ID

Optional

The ID of the folder from which to retrieve scans.

11

Last Scan Run Date

Optional

Filters the results to scans that were conducted on or after the specified date. The date is interpreted as UTC.

2020-07-29 00:00

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "folders": [
        {
            "unread_count": 2,
            "custom": 0,
            "default_tag": 0,
            "type": "trash",
            "name": "Trash",
            "id": ***
        },
        {
            "unread_count": 0,
            "custom": 0,
            "default_tag": 1,
            "type": "main",
            "name": "My Scans",
            "id": ***
        },
        {
            "unread_count": 0,
            "custom": 1,
            "default_tag": 0,
            "type": "custom",
            "name": "eddie",
            "id": ***
        }
    ],
    "scans": [
        {
            "template_uuid": "*****",
            "permissions": 128,
            "legacy": false,
            "type": "remote",
            "read": true,
            "last_modification_date": 1634281497,
            "creation_date": 1634281431,
            "status": "completed",
            "uuid": "*****",
            "shared": true,
            "user_permissions": 64,
            "owner": "*****@*****.com",
            "schedule_uuid": "*****",
            "timezone": "America/Vancouver",
            "rrules": "FREQ=DAILY;INTERVAL=1",
            "starttime": "20200725T000000",
            "enabled": true,
            "control": true,
            "wizard_uuid": "*****",
            "policy_id": ***,
            "agent_scan_launch_type": null,
            "triggers": null,
            "name": "Copy of cybertest1",
            "id": ***
        }
    ],
    "timestamp": 1634342213
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data at the path $.scans from the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "template_uuid": "*****",
        "permissions": 128,
        "legacy": false,
        "type": "remote",
        "read": true,
        "last_modification_date": 1634281497,
        "creation_date": 1634281431,
        "status": "completed",
        "uuid": "*****",
        "shared": true,
        "user_permissions": 64,
        "owner": "*****@*****.com",
        "schedule_uuid": "*****",
        "timezone": "America/Vancouver",
        "rrules": "FREQ=DAILY;INTERVAL=1",
        "starttime": "20200725T000000",
        "enabled": true,
        "control": true,
        "wizard_uuid": "*****",
        "policy_id": ***,
        "agent_scan_launch_type": null,
        "triggers": null,
        "name": "Copy of cybertest1",
        "id": ***
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ScanIDs": [***],
    "TemplateUUIDs": ["*****"],
    "Types": ["remote"],
    "CreationTimestamps": [1634281431],
    "LastModificationTimestamps": [1634281497],
    "Statuses": ["completed"],
    "ScanUUIDs": ["*****"],
    "Owners": ["*****@*****.com"],
    "RepeatRules": ["FREQ=DAILY;INTERVAL=1"],
    "StartTimestamps": ["20200725T000000"],
    "ScheduleUUIDs": ["*****"],
    "Names": [ "Copy of cybertest1" ],
    "PolicyIDs": [***]
}
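The Last Scan Run Date input is given as a `YYYY-MM-DD HH:MM` string in UTC, while the scan objects in the Raw Data carry Unix-epoch fields (`creation_date`, `last_modification_date`). The following Python is an added example, not D3's own code, of how such a date filter is applied to the `$.scans` list and how the Key Fields dictionary shown above is derived from the surviving scans. `SAMPLE_SCANS` is constructed: its first entry copies the Raw Data sample above (with placeholder ids and UUIDs in place of the redacted values), and the second is an older scan added so that the filter has something to exclude. Filtering on `last_modification_date` is this example's choice, matching the "Last Modification Date" filter named in the command description.

```python
from datetime import datetime, timezone

# Constructed scan list: the first entry copies the Raw Data sample above, the
# second is an older scan added so the date filter has something to exclude.
SAMPLE_SCANS = [
    {
        "id": 9001,  # placeholder for the redacted id
        "template_uuid": "constructed-template-uuid",
        "type": "remote",
        "creation_date": 1634281431,
        "last_modification_date": 1634281497,
        "status": "completed",
        "uuid": "constructed-scan-uuid-1",
        "owner": "owner@example.com",
        "rrules": "FREQ=DAILY;INTERVAL=1",
        "starttime": "20200725T000000",
        "schedule_uuid": "constructed-schedule-uuid",
        "name": "Copy of cybertest1",
        "policy_id": 9101,
    },
    {
        "id": 9002,
        "template_uuid": "constructed-template-uuid",
        "type": "remote",
        "creation_date": 1589900000,
        "last_modification_date": 1590000000,  # 2020-05-20 UTC, before the filter date
        "status": "canceled",
        "uuid": "constructed-scan-uuid-2",
        "owner": "owner@example.com",
        "rrules": None,
        "starttime": None,
        "schedule_uuid": None,
        "name": "old-scan",
        "policy_id": 9102,
    },
]


def parse_last_run_date(text):
    """Convert the command's 'YYYY-MM-DD HH:MM' input (interpreted as UTC) to a Unix timestamp."""
    dt = datetime.strptime(text.strip(), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def filter_scans(scans, last_run_date=None):
    """Keep scans whose last_modification_date is on or after the given date.

    last_modification_date is the Unix-epoch field shown in the Raw Data sample;
    a scan without it is treated as older than any cutoff."""
    if last_run_date is None:
        return list(scans)
    cutoff = parse_last_run_date(last_run_date)
    return [s for s in scans if (s.get("last_modification_date") or 0) >= cutoff]


def extract_scan_key_fields(scans):
    """Build the Key Fields dictionary shown above from a list of scan objects."""
    return {
        "ScanIDs": [s.get("id") for s in scans],
        "TemplateUUIDs": [s.get("template_uuid") for s in scans],
        "Types": [s.get("type") for s in scans],
        "CreationTimestamps": [s.get("creation_date") for s in scans],
        "LastModificationTimestamps": [s.get("last_modification_date") for s in scans],
        "Statuses": [s.get("status") for s in scans],
        "ScanUUIDs": [s.get("uuid") for s in scans],
        "Owners": [s.get("owner") for s in scans],
        "RepeatRules": [s.get("rrules") for s in scans],
        "StartTimestamps": [s.get("starttime") for s in scans],
        "ScheduleUUIDs": [s.get("schedule_uuid") for s in scans],
        "Names": [s.get("name") for s in scans],
        "PolicyIDs": [s.get("policy_id") for s in scans],
    }


if __name__ == "__main__":
    # "2020-07-29 00:00" is the Last Scan Run Date example from the input table above.
    recent = filter_scans(SAMPLE_SCANS, "2020-07-29 00:00")
    print(extract_scan_key_fields(recent))
```

Note that `starttime` (`20200725T000000`) is a schedule string rather than an epoch value even though the Key Fields sample lists it under `StartTimestamps`; a playbook that wants the actual run times should use `CreationTimestamps` or `LastModificationTimestamps`.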
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

template_uuid

permissions

legacy

type

read

last_modification_date

creation_date

status

uuid

shared

user_permissions

owner

schedule_uuid

timezone

rrules

starttime

enabled

control

wizard_uuid

policy_id

agent_scan_launch_type

triggers

name

id

*****

128

False

remote

True

1634281497

1634281431

completed

*****

True

64

*****@*****.com

*****

America/Vancouver

FREQ=DAILY;INTERVAL=1

20200725T000000

True

True

*****

***

None

None

Copy of cybertest1

***

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Scans failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test connection failed Insufficient scope.

Error Sample Data

List Scans failed.

Status Code: 403.

Message: Test connection failed Insufficient scope.

List Vulnerability Filters V2

Returns available filters for the vulnerabilities workbench.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "filters": [
        {
            "name": "host.id",
            "readable_name": "Asset ID",
            "control": {
                "type": "entry",
                "regex": "[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}(,[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})*",
                "readable_regex": "*****"
            },
            "operators": [
                "eq",
                "neq",
                "match",
                "nmatch"
            ],
            "group_name": null
        },
        {
            "name": "plugin.attributes.bid",
            "readable_name": "Bugtraq ID",
            "control": {
                "type": "entry",
                "regex": "^[0-9]+(,[0-9]+)*",
                "readable_regex": "NUMBER",
                "maxlength": 18
            },
            "operators": [
                "eq",
                "neq",
                "match",
                "nmatch"
            ],
            "group_name": null
        },
        {
            "name": "plugin.attributes.exploit_framework_canvas",
            "readable_name": "CANVAS Exploit Framework",
            "control": {
                "type": "dropdown",
                "list": [
                    "true",
                    "false"
                ]
            },
            "operators": [
                "eq",
                "neq"
            ],
            "group_name": null
        },
        {
            "control": {
                "list": [
                    {
                        "name": "test: 1",
                        "value": "*****"
                    },
                    {
                        "name": "test: 2",
                        "value": "*****"
                    },
                    {
                        "name": "xtest: 1",
                        "value": "*****"
                    },
                    {
                        "name": "xtest: 2",
                        "value": "*****"
                    },
                    {
                        "name": "ztest: 1",
                        "value": "*****"
                    },
                    {
                        "name": "ztest: 2",
                        "value": "*****"
                    },
                    {
                        "name": "ztest: 3",
                        "value": "*****"
                    }
                ],
                "type": "dropdown_multi"
            },
            "name": "tag_uuid",
            "operators": [
                "eq"
            ],
            "readable_name": "Tag (Category: Value)"
        }
    ]
}
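The filters above are a catalogue, not just a listing: each entry carries the operators the API accepts and a control that constrains the value (a regex and maximum length for free-text entries, a fixed choice list for dropdowns). A playbook that builds vulnerability queries from analyst or case input can check conditions against this catalogue before sending them, so a mistyped asset ID or an operator the filter does not support is caught locally instead of surfacing as an API error. The following Python is an added example, not D3 SOAR or Tenable code; FILTERS_RESPONSE is a constructed copy of the page's sample response with the masked tag values replaced by labelled placeholders, and validate_filter(), validate_query() and their messages are this example's own design.

```python
"""Validate caller-supplied vulnerability filters against the catalogue that
List Vulnerability Filters V2 returns, before they reach a query.

Added example, not D3 SOAR or Tenable code. FILTERS_RESPONSE is a constructed
copy of the page's sample response (masked tag values replaced by labelled
placeholders); validate_filter() and its messages are this example's design.
"""
import re

# Constructed sample: trimmed from the page's List Vulnerability Filters V2 output.
FILTERS_RESPONSE = {
    "filters": [
        {
            "name": "host.id",
            "readable_name": "Asset ID",
            "control": {
                "type": "entry",
                # lowercase UUIDs, optionally comma-separated
                "regex": "[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}"
                         "(,[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})*",
            },
            "operators": ["eq", "neq", "match", "nmatch"],
        },
        {
            "name": "plugin.attributes.bid",
            "readable_name": "Bugtraq ID",
            "control": {"type": "entry", "regex": "^[0-9]+(,[0-9]+)*", "maxlength": 18},
            "operators": ["eq", "neq", "match", "nmatch"],
        },
        {
            "name": "plugin.attributes.exploit_framework_canvas",
            "readable_name": "CANVAS Exploit Framework",
            "control": {"type": "dropdown", "list": ["true", "false"]},
            "operators": ["eq", "neq"],
        },
        {
            "name": "tag_uuid",
            "readable_name": "Tag (Category: Value)",
            "control": {
                "type": "dropdown_multi",
                # placeholder values; the page masks the real tag UUIDs
                "list": [
                    {"name": "test: 1", "value": "PLACEHOLDER-TAG-1"},
                    {"name": "test: 2", "value": "PLACEHOLDER-TAG-2"},
                ],
            },
            "operators": ["eq"],
        },
    ]
}


def build_catalogue(response):
    """Index the filters by their API name for direct lookup."""
    return {f["name"]: f for f in response["filters"]}


def validate_filter(catalogue, name, operator, value):
    """Return a list of problems with one (name, operator, value) condition.

    An empty list means the condition is acceptable. `value` is a string for
    entry/dropdown controls and a list of strings for dropdown_multi.
    """
    spec = catalogue.get(name)
    if spec is None:
        return [f"unknown filter {name!r}"]

    problems = []
    if operator not in spec["operators"]:
        problems.append(f"operator {operator!r} not allowed for {name!r}; "
                        f"allowed: {spec['operators']}")

    control = spec["control"]
    values = value if isinstance(value, list) else [value]
    ctype = control["type"]

    if ctype == "entry":
        # The catalogue regexes are not all anchored at both ends; fullmatch
        # applies them to the whole value so trailing junk is rejected.
        regex = control.get("regex")
        maxlength = control.get("maxlength")
        for v in values:
            if regex and re.fullmatch(regex, v) is None:
                problems.append(f"value {v!r} does not match pattern for {name!r}")
            if maxlength is not None and len(v) > maxlength:
                problems.append(f"value for {name!r} exceeds maxlength {maxlength}")
    elif ctype == "dropdown":
        if len(values) != 1 or values[0] not in control["list"]:
            problems.append(f"value {value!r} not in choices {control['list']} for {name!r}")
    elif ctype == "dropdown_multi":
        allowed = {item["value"] for item in control["list"]}
        problems.extend(f"value {v!r} is not a known choice for {name!r}"
                        for v in values if v not in allowed)
    else:
        problems.append(f"unsupported control type {ctype!r} for {name!r}")
    return problems


def validate_query(catalogue, conditions):
    """Validate every (name, operator, value) condition; return all problems."""
    problems = []
    for name, operator, value in conditions:
        problems.extend(validate_filter(catalogue, name, operator, value))
    return problems


if __name__ == "__main__":
    cat = build_catalogue(FILTERS_RESPONSE)
    print(validate_query(cat, [
        ("host.id", "eq", "12345678-1234-1234-1234-123456789abc"),
        ("plugin.attributes.bid", "lt", "70103"),
        ("plugin.attributes.exploit_framework_canvas", "eq", "maybe"),
    ]))
```

Because the catalogue is fetched at run time, the check tracks whatever filters and tags the tenant currently exposes rather than a hard-coded list; the one deliberate divergence is re.fullmatch, which is stricter than the API's own partially anchored patterns.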
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

filters

  • {'name': 'host.id', 'readable_name': 'Asset ID', 'control': {'type': 'entry', 'regex': '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}(,[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12})*', 'readable_regex': '*****'}, 'operators': ['eq', 'neq', 'match', 'nmatch'], 'group_name': None}

  • {'name': 'plugin.attributes.bid', 'readable_name': 'Bugtraq ID', 'control': {'type': 'entry', 'regex': '^[0-9]+(,[0-9]+)*', 'readable_regex': 'NUMBER', 'maxlength': 18}, 'operators': ['eq', 'neq', 'match', 'nmatch'], 'group_name': None}

  • {'name': 'plugin.attributes.exploit_framework_canvas', 'readable_name': 'CANVAS Exploit Framework', 'control': {'type': 'dropdown', 'list': ['true', 'false']}, 'operators': ['eq', 'neq'], 'group_name': None}

  • {'control': {'list': [{'name': 'test: 1', 'value': '*****'}, {'name': 'test: 2', 'value': '*****'}, {'name': 'xtest: 1', 'value': '*****'}, {'name': 'xtest: 2', 'value': '*****'}, {'name': 'ztest: 1', 'value': '*****'}, {'name': 'ztest: 2', 'value': '*****'}, {'name': 'ztest: 3', 'value': '*****'}], 'type': 'dropdown_multi'}, 'name': 'tag_uuid', 'operators': ['eq'], 'readable_name': 'Tag (Category: Value)'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Vulnerability Filters V2 failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test connection failed Insufficient scope.

Error Sample Data

List Vulnerability Filters V2 failed.

Status Code: 403.

Message: Test connection failed Insufficient scope.

Query Vulnerability Details

Retrieves vulnerability details based on the specified search conditions.

READER NOTE

Plugin ID is an optional parameter to run this command.

  • Run the Get Scan Details command to obtain Plugin ID. Plugin ID can be found in the returned raw data at the path $.vulnerabilities[*].plugin_id.

Input

Input Parameter

Required/Optional

Description

Example

Plugin Name

Optional

The name of the plugin whose vulnerabilities to retrieve.

RHEL

Plugin ID

Optional

The ID of the plugin whose vulnerabilities to retrieve. Plugin IDs can be obtained using the Get Scan Details command.

*****

Description

Optional

The description text to filter vulnerabilities.

The remote web server is affected by a command injection vulnerability

VPR Score

Optional

The minimum VPR score to filter vulnerabilities.

7.0

Severity

Optional

The severity level to filter vulnerabilities. If this parameter is not defined, vulnerabilities of all severity levels will be returned.

Critical Severity

CVEs

Optional

The IDs of the CVEs to filter vulnerabilities.

[ "CVE-2023-1637" , "CVE-2008-5161" ]

Host Names or IPs

Optional

The host names or IP addresses of the hosts to filter vulnerabilities.

[ "192.168.86.43", "192.168.86.203" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "vulnerabilities": [
        {
            "count": 13,
            "plugin_family": "CGI abuses",
            "plugin_id": *****,
            "plugin_name": "GNU Bash Environment Variable Handling Code Injection (Shellshock)",
            "vulnerability_state": "Active",
            "vpr_score": 2.4,
            "accepted_count": 0,
            "recasted_count": 0,
            "counts_by_severity": [
                {
                    "count": 13,
                    "value": 4
                }
            ],
            "severity": 4,
            "pluginInfo": {
                "count": 13,
                "vuln_count": 14,
                "description": "The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.",
                "synopsis": "The remote web server is affected by a remote code execution vulnerability.",
                "solution": "Apply the referenced patch.",
                "discovery": {
                    "seen_first": "2019-12-31T17:15:52.000Z",
                    "seen_last": "2019-12-31T22:53:45.000Z"
                },
                "severity": 4,
                "plugin_details": {
                    "family": "CGI abuses",
                    "modification_date": "2017-12-31T00:00:00Z",
                    "name": "GNU Bash Environment Variable Handling Code Injection (Shellshock)",
                    "publication_date": "2014-12-31T00:00:00Z",
                    "type": "remote",
                    "version": null,
                    "severity": 4
                },
                "reference_information": [
                    {
                        "name": "bid",
                        "url": "http://***.*****.com/***",
                        "values": [
                            70103
                        ]
                    },
                    {
                        "name": "cert",
                        "url": "http://***.*****.org/***",
                        "values": [
                            "252743"
                        ]
                    },
                    {
                        "name": "cve",
                        "url": "http://***.*****.gov/***",
                        "values": [
                            "CVE-2014-6271"
                        ]
                    },
                    {
                        "name": "edb-id",
                        "url": "http://***.*****.gov/***",
                        "values": [
                            "34766",
                            "34777",
                            "34765"
                        ]
                    },
                    {
                        "name": "iava",
                        "values": [
                            "2014-A-0142"
                        ]
                    },
                    {
                        "name": "osvdb",
                        "values": [
                            "112004"
                        ]
                    }
                ],
                "risk_information": {
                    "risk_factor": "Critical",
                    "cvss_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                    "cvss_base_score": "10.0",
                    "cvss_temporal_vector": "E:F/RL:OF/RC:ND",
                    "cvss_temporal_score": "8.3",
                    "cvss3_vector": null,
                    "cvss3_base_score": null,
                    "cvss3_temporal_vector": null,
                    "cvss3_temporal_score": null,
                    "stig_severity": null
                },
                "see_also": [
                    "http://***.*****.org/***",
                    "http://***.*****.org/***",
                    "http://***.*****.ca/***"
                ],
                "vulnerability_information": {
                    "vulnerability_publication_date": "2014-12-31T00:00:00Z",
                    "exploited_by_malware": true,
                    "patch_publication_date": "2014-12-31T00:00:00Z",
                    "exploit_available": true,
                    "exploitability_ease": null,
                    "asset_inventory": null,
                    "default_account": null,
                    "exploited_by_nessus": null,
                    "in_the_news": true,
                    "malware": null,
                    "unsupported_by_vendor": null,
                    "cpe": null,
                    "exploit_frameworks": [
                        {
                            "name": "Core Impact"
                        },
                        {
                            "name": "Metasploit",
                            "exploits": [
                                {
                                    "name": "Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)",
                                    "url": null
                                }
                            ]
                        }
                    ]
                },
                "vpr": {
                    "score": 9.6,
                    "drivers": {
                        "age_of_vuln": {
                            "lower_bound": 731,
                            "upper_bound": 0
                        },
                        "exploit_code_maturity": "HIGH",
                        "cvss3_impact_score": 5.9,
                        "cvss_impact_score_predicted": true,
                        "threat_intensity_last28": "HIGH",
                        "threat_recency": {
                            "lower_bound": 0,
                            "upper_bound": 7
                        },
                        "threat_sources_last28": [
                            "Others",
                            "Mainstream Media",
                            "Code Repo and Paste Bins"
                        ],
                        "product_coverage": "LOW"
                    },
                    "updated": "2019-12-31T10:10:57Z"
                }
            }
        }
    ],
    "total_vulnerability_count": 1,
    "total_asset_count": 0
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PluginIDs": ["*****"],
    "PluginNames": [ "Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (POODLE)" ],
    "Severities": [ "Critical Severity" ]
}
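The key fields above are what a downstream playbook task actually consumes, and the raw response carries more indicator-grade data than the sample shows (CVE IDs under pluginInfo.reference_information, exploit flags under vulnerability_information, the numeric severity that the Critical Severity label is derived from). The following Python is an added example, not D3 SOAR or Tenable code, of turning a Query Vulnerability Details response into that shape. SAMPLE_RESPONSE is a constructed, trimmed copy of the page's sample raw data with the masked plugin_id replaced by a labelled placeholder; PluginIDs, PluginNames and Severities follow the page's Key Fields sample, while CVEs and ExploitAvailable, the severity labels for levels 0 to 3, and the client-side min_vpr and severities post-filters (which mirror the command's VPR Score and Severity inputs) are this example's own assumptions.

```python
"""Turn a Query Vulnerability Details response into playbook key fields.

Added example, not D3 SOAR or Tenable code. SAMPLE_RESPONSE is a constructed,
trimmed copy of the page's sample raw data (masked plugin_id replaced by a
labelled placeholder). CVEs/ExploitAvailable, the labels for severities 0-3
and the client-side post-filters are this example's assumptions.
"""

PLUGIN_ID_PLACEHOLDER = 0  # the page masks the real plugin ID

# Constructed sample: trimmed from the page's Query Vulnerability Details output.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {
            "count": 13,
            "plugin_family": "CGI abuses",
            "plugin_id": PLUGIN_ID_PLACEHOLDER,
            "plugin_name": "GNU Bash Environment Variable Handling Code Injection (Shellshock)",
            "vulnerability_state": "Active",
            "vpr_score": 2.4,
            "severity": 4,
            "pluginInfo": {
                "reference_information": [
                    {"name": "bid", "values": [70103]},
                    {"name": "cve", "values": ["CVE-2014-6271"]},
                    {"name": "edb-id", "values": ["34766", "34777", "34765"]},
                ],
                "risk_information": {"risk_factor": "Critical", "cvss_base_score": "10.0"},
                "vulnerability_information": {
                    "exploit_available": True,
                    "exploited_by_malware": True,
                },
                "vpr": {"score": 9.6},
            },
        }
    ],
    "total_vulnerability_count": 1,
    "total_asset_count": 0,
}

# Tenable's numeric severity scale (0 info .. 4 critical). Only "Critical
# Severity" appears on the page; the other labels are assumed.
SEVERITY_LABELS = {
    0: "Info Severity",
    1: "Low Severity",
    2: "Medium Severity",
    3: "High Severity",
    4: "Critical Severity",
}


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def cves_for(vuln):
    """CVE IDs from pluginInfo.reference_information entries named 'cve'."""
    refs = vuln.get("pluginInfo", {}).get("reference_information", [])
    return [str(v) for ref in refs if ref.get("name") == "cve" for v in ref.get("values", [])]


def extract_key_fields(response, min_vpr=None, severities=None):
    """Collect key fields from the response.

    min_vpr and severities mirror the command's 'VPR Score' (minimum) and
    'Severity' inputs, applied here as client-side post-filters (assumption).
    The top-level vpr_score is used; pluginInfo.vpr.score is the plugin-level VPR.
    """
    selected = []
    for vuln in response.get("vulnerabilities", []):
        label = SEVERITY_LABELS.get(vuln.get("severity"), "Unknown Severity")
        if min_vpr is not None and (vuln.get("vpr_score") or 0.0) < min_vpr:
            continue
        if severities and label not in severities:
            continue
        selected.append((vuln, label))

    return {
        "PluginIDs": _dedupe(str(v["plugin_id"]) for v, _ in selected),
        "PluginNames": _dedupe(v["plugin_name"] for v, _ in selected),
        "Severities": _dedupe(label for _, label in selected),
        "CVEs": _dedupe(cve for v, _ in selected for cve in cves_for(v)),
        # True if any selected finding has a public exploit per Tenable's flag
        "ExploitAvailable": any(
            v.get("pluginInfo", {}).get("vulnerability_information", {}).get("exploit_available")
            for v, _ in selected
        ),
    }


if __name__ == "__main__":
    print(extract_key_fields(SAMPLE_RESPONSE))
```

Plugin IDs are emitted as strings to match the page's Key Fields sample, and the CVE list is what a playbook would hand to a ticketing or threat-intel lookup task; the ExploitAvailable flag is a convenient gate for conditional tasks that escalate only exploitable findings.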
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

vulnerabilities

  • {'count': 13, 'plugin_family': 'CGI abuses', 'plugin_id': *****, 'plugin_name': 'GNU Bash Environment Variable Handling Code Injection (Shellshock)', 'vulnerability_state': 'Active', 'vpr_score': 2.4, 'accepted_count': 0, 'recasted_count': 0, 'counts_by_severity': [{'count': 13, 'value': 4}], 'severity': 4, 'pluginInfo': {'count': 13, 'vuln_count': 14, 'description': 'The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.', 'synopsis': 'The remote web server is affected by a remote code execution vulnerability.', 'solution': 'Apply the referenced patch.', 'discovery': {'seen_first': '2019-12-31T17:15:52.000Z', 'seen_last': '2019-12-31T22:53:45.000Z'}, 'severity': 4, 'plugin_details': {'family': 'CGI abuses', 'modification_date': '2017-12-31T00:00:00Z', 'name': 'GNU Bash Environment Variable Handling Code Injection (Shellshock)', 'publication_date': '2014-12-31T00:00:00Z', 'type': 'remote', 'version': None, 'severity': 4}, 'reference_information': [{'name': 'bid', 'url': 'http://***.*****.com/***', 'values': [70103]}, {'name': 'cert', 'url': 'http://***.*****.com/***', 'values': ['252743']}, {'name': 'cve', 'url': 'http://***.*****.gov/***', 'values': ['CVE-2014-6271']}, {'name': 'edb-id', 'url': 'http://***.*****.gov/***', 'values': ['34766', '34777', '34765']}, {'name': 'iava', 'values': ['2014-A-0142']}, {'name': 'osvdb', 'values': ['112004']}], 'risk_information': {'risk_factor': 'Critical', 'cvss_vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C', 'cvss_base_score': '10.0', 'cvss_temporal_vector': 'E:F/RL:OF/RC:ND', 'cvss_temporal_score': '8.3', 'cvss3_vector': None, 'cvss3_base_score': None, 'cvss3_temporal_vector': None, 'cvss3_temporal_score': None, 'stig_severity': None}, 'see_also': ['http://***.*****.org/***', 'http://***.*****.org/***', 'http://***.*****.ca/***'], 'vulnerability_information': {'vulnerability_publication_date': '2014-12-31T00:00:00Z', 'exploited_by_malware': True, 'patch_publication_date': '2014-12-31T00:00:00Z', 'exploit_available': True, 'exploitability_ease': None, 'asset_inventory': None, 'default_account': None, 'exploited_by_nessus': None, 'in_the_news': True, 'malware': None, 'unsupported_by_vendor': None, 'cpe': None, 'exploit_frameworks': [{'name': 'Core Impact'}, {'name': 'Metasploit', 'exploits': [{'name': 'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)', 'url': None}]}]}, 'vpr': {'score': 9.6, 'drivers': {'age_of_vuln': {'lower_bound': 731, 'upper_bound': 0}, 'exploit_code_maturity': 'HIGH', 'cvss3_impact_score': 5.9, 'cvss_impact_score_predicted': True, 'threat_intensity_last28': 'HIGH', 'threat_recency': {'lower_bound': 0, 'upper_bound': 7}, 'threat_sources_last28': ['Others', 'Mainstream Media', 'Code Repo and Paste Bins'], 'product_coverage': 'LOW'}, 'updated': '2019-12-31T10:10:57Z'}}}

total_vulnerability_count

1

total_asset_count

0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query Vulnerability Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test connection failed Insufficient scope.

Error Sample Data

Query Vulnerability Details failed.

Status Code: 403.

Message: Test connection failed Insufficient scope.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Tenable.io portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test connection failed Insufficient scope.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: Test connection failed Insufficient scope.
