Tenable Schema#
Overview#
Cartography ingests assets and vulnerability findings from the Tenable Export API. The integration uses the async bulk-export workflow (POST to initiate, poll for status, download chunks) to retrieve complete datasets efficiently.
Configuration#
CLI flag |
Default |
Required |
Description |
|---|---|---|---|
|
|
Yes |
Environment variable holding the Tenable API access key |
|
|
Yes |
Environment variable holding the Tenable API secret key |
|
|
No |
Base URL of the Tenable API endpoint |
|
hostname of |
No |
Identifier used to scope all graph nodes for this Tenable instance. Set this to the container UUID shown in your Tenable account settings when running multiple tenants or using a custom URL. Defaults to the hostname portion of |
|
|
No |
Number of days of vulnerability findings to retrieve on each sync. Tenable’s export API filters on |
Nodes#
TenableTenant#
Represents the Tenable instance being synced. All other Tenable nodes are scoped under this node via RESOURCE relationships.
Field |
Description |
|---|---|
id |
The tenant identifier: the container UUID from Tenable account settings when |
lastupdated |
Timestamp of the last sync run |
TenableAsset#
An asset discovered and tracked by Tenable. Corresponds to a record returned by the Assets Export v2 API.
Cloud-provider details live in the TenableAssetAWS, TenableAssetAzure, and TenableAssetGCP sub-nodes; only the cloud identifier keys are stored here for cross-module indexing.
Field |
Description |
|---|---|
id |
Asset UUID (Tenable’s |
has_agent |
Whether a Tenable agent is installed |
has_plugin_results |
Whether plugin scan results exist |
is_licensed |
Whether the asset counts against the license |
is_public |
Whether the asset has a public IP |
types |
Asset type list (e.g. |
system_types |
System type list (e.g. |
operating_systems |
List of operating system strings |
serial_number |
Hardware serial number (indexed) |
tenable_agent_days_since_active |
Days since the Tenable agent last checked in |
created_at_timestamps |
Timestamp when the asset was first created in Tenable |
updated_at_timestamps |
Timestamp of the most recent asset update |
first_seen_timestamps |
Timestamp when the asset was first observed |
last_seen_timestamps |
Timestamp when the asset was last observed |
first_scan_time |
Timestamp of the first scan |
last_scan_time |
Timestamp of the most recent scan |
last_authenticated_scan_date |
Timestamp of the most recent authenticated scan |
last_licensed_scan_date |
Timestamp of the most recent licensed scan |
last_scan_id |
ID of the most recent scan |
network_id |
Tenable network container ID |
fqdn |
Primary FQDN (first entry of |
fqdns |
Full list of FQDNs |
hostnames |
List of hostnames |
ipv4s |
List of IPv4 addresses |
ipv6s |
List of IPv6 addresses |
mac_addresses |
List of MAC addresses |
aws_ec2_instance_id |
AWS EC2 instance ID (indexed) |
azure_vm_id |
Azure VM ID (indexed) |
gcp_instance_id |
GCP instance ID (indexed) |
acr_score |
Asset Criticality Rating (0–10) |
aes_score |
Asset Exposure Score |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAsset)
(:TenableAsset)-[:MEMBER_OF_NETWORK]->(:TenableNetwork)
(:TenableAsset)-[:HAS_AWS_INFO]->(:TenableAssetAWS)
(:TenableAsset)-[:HAS_AZURE_INFO]->(:TenableAssetAzure)
(:TenableAsset)-[:HAS_GCP_INFO]->(:TenableAssetGCP)
(:TenableAsset)-[:HAS_SOURCE]->(:TenableAssetSource)
(:TenableAsset)-[:TAGGED]->(:TenableAssetTag)
TenableAssetAWS#
AWS-specific cloud details for a Tenable asset. The id is the EC2 instance ID.
Field |
Description |
|---|---|
id |
EC2 instance ID ( |
ec2_instance_ami_id |
AMI ID used to launch the instance |
owner_id |
AWS account ID |
availability_zone |
AWS availability zone |
region |
AWS region |
vpc_id |
VPC ID |
subnet_id |
Subnet ID |
ec2_instance_type |
Instance type (e.g. |
ec2_instance_state_name |
Instance state (e.g. |
ec2_instance_group_name |
Security group name |
ec2_name |
Value of the EC2 |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAssetAWS)
(:TenableAsset)-[:HAS_AWS_INFO]->(:TenableAssetAWS)
TenableAssetAzure#
Azure-specific cloud details for a Tenable asset. The id is the Azure VM ID (GUID).
Field |
Description |
|---|---|
id |
Azure VM ID ( |
resource_id |
Azure Resource Manager resource ID (indexed) |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAssetAzure)
(:TenableAsset)-[:HAS_AZURE_INFO]->(:TenableAssetAzure)
TenableAssetGCP#
GCP-specific cloud details for a Tenable asset. The id is the GCP instance ID.
Field |
Description |
|---|---|
id |
GCP instance ID ( |
project_id |
GCP project ID |
zone |
GCP zone |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAssetGCP)
(:TenableAsset)-[:HAS_GCP_INFO]->(:TenableAssetGCP)
TenableNetwork#
A Tenable logical network container. Multiple assets can belong to the same network.
Field |
Description |
|---|---|
id |
Network UUID ( |
name |
Network name (e.g. |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableNetwork)
(:TenableAsset)-[:MEMBER_OF_NETWORK]->(:TenableNetwork)
TenableAssetSource#
A data source that has observed a Tenable asset (e.g. NESSUS_AGENT, NESSUS_SCAN, WAS). The id is scoped to the asset: {asset_uuid}::{source_name}.
Field |
Description |
|---|---|
id |
Composite key: |
name |
Source name (e.g. |
source_first_seen |
Timestamp when this source first observed the asset |
source_last_seen |
Timestamp when this source last observed the asset |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAssetSource)
(:TenableAsset)-[:HAS_SOURCE]->(:TenableAssetSource)
Tag::TenableAssetTag#
A key/value tag applied to a Tenable asset. The id is the Tenable tag UUID. Also carries the cross-provider :Tag label so (:Tag {key, value}) matches it alongside AWS/Azure/GCP tags.
Field |
Description |
|---|---|
id |
Tag UUID |
key |
Tag category/key (e.g. |
value |
Tag value (e.g. |
tag_key |
DEPRECATED, will be removed in v1.0.0: mirror of |
tag_value |
DEPRECATED, will be removed in v1.0.0: mirror of |
added_by |
User who applied the tag |
added_at |
Timestamp when the tag was applied |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableAssetTag)
(:TenableAsset)-[:TAGGED]->(:TenableAssetTag)
The legacy (:TenableAsset)-[:HAS_TAG]->(:TenableAssetTag) edge is still written in parallel and will be removed in v1.0.0.
TenableFinding#
A vulnerability instance detected by Tenable on a specific asset. Corresponds to a record returned by the Vulnerability Export API.
The id is the Tenable finding UUID (finding_id). Plugin details live in TenablePlugin; scan metadata lives in TenableScan.
Ontology note: when
has_cveis"true"the node is also labelledCVE, allowingCVEMetadatanodes to enrich it automatically via(:CVEMetadata)-[:ENRICHES]->(:CVE)(matched oncve_id).
Field |
Description |
|---|---|
id |
Finding UUID ( |
asset_uuid |
UUID of the asset this finding was detected on (indexed) |
severity |
Severity string ( |
severity_id |
Numeric severity (0=info, 1=low, 2=medium, 3=high, 4=critical) |
severity_default_id |
Default numeric severity before any overrides |
severity_modification_type |
Whether severity was manually adjusted (e.g. |
state |
Finding state ( |
first_found |
Timestamp when the finding was first detected |
last_found |
Timestamp when the finding was most recently detected |
indexed |
Timestamp when the finding was indexed in Tenable |
source |
Scanner source (e.g. |
output |
Raw scanner output text |
resurfaced_date |
Timestamp when a previously-fixed finding re-appeared |
time_taken_to_fix |
Seconds between first_found and fix (as a string) |
port |
Port number the finding was detected on |
protocol |
Protocol (e.g. |
service |
Service name (e.g. |
cve_id |
First CVE ID from the plugin’s CVE list; used for CVEMetadata ontology matching (indexed) |
cve_list |
Full list of CVE IDs associated with this finding |
has_cve |
|
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableFinding)
(:TenableFinding)-[:AFFECTS]->(:TenableAsset)
(:TenableFinding)-[:DETECTED_BY]->(:TenablePlugin)
(:TenableFinding)-[:PART_OF_SCAN]->(:TenableScan)
TenablePlugin#
A Tenable plugin that detected one or more findings. Plugins are deduplicated across findings — a single TenablePlugin node can be linked to many TenableFinding nodes.
Field |
Description |
|---|---|
id |
Integer plugin ID (e.g. |
name |
Human-readable plugin name |
family |
Plugin family (e.g. |
family_id |
Numeric family ID |
description |
Detailed plugin description |
synopsis |
Short summary of what the plugin checks |
solution |
Recommended remediation |
risk_factor |
Qualitative risk ( |
has_patch |
Whether a vendor patch is available |
has_workaround |
Whether a workaround exists |
vendor_unpatched |
Whether the vendor has declined to patch |
vendor_severity |
Vendor-assigned severity label (e.g. |
exploit_available |
Whether a known exploit exists |
exploitability_ease |
Ease of exploitation description |
exploit_framework_metasploit |
Whether a Metasploit module exists |
patch_publication_date |
Date the patch was published |
publication_date |
Date the plugin was published |
modification_date |
Date the plugin was last modified |
vuln_publication_date |
Date the vulnerability was disclosed |
cvss_base_score |
CVSS v2 base score |
cvss_temporal_score |
CVSS v2 temporal score |
cvss3_base_score |
CVSS v3 base score |
cvss3_temporal_score |
CVSS v3 temporal score |
cvss4_base_score |
CVSS v4 base score |
vpr_score |
Tenable Vulnerability Priority Rating score |
epss_score |
EPSS probability score |
cve_list |
Full list of CVE IDs associated with this plugin |
type |
Scan type ( |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenablePlugin)
(:TenableFinding)-[:DETECTED_BY]->(:TenablePlugin)
TenableScan#
A Tenable scan run that produced one or more findings. Scans are deduplicated — multiple findings from the same scan share one TenableScan node.
Field |
Description |
|---|---|
id |
Scan UUID ( |
schedule_uuid |
UUID of the scan schedule template |
started_at |
Timestamp when the scan started |
last_scan_target |
IP address or hostname that was most recently scanned |
lastupdated |
Timestamp of the last sync run |
Relationships#
(:TenableTenant)-[:RESOURCE]->(:TenableScan)
(:TenableFinding)-[:PART_OF_SCAN]->(:TenableScan)