---
title: Tenable Vulnerability Management
aliases: ["/docs/tenable-io/"]
---
<!-- licenses: community, platform -->

runZero integrates with Tenable Vulnerability Management (previously ((Tenable.io))) by importing data from the
Tenable [API](https://developer.tenable.com/docs/welcome/).

## Getting started with Tenable Vulnerability Management {#tenablevm-getting-started}

To set up an integration with Tenable Vulnerability Management, you'll need to:

1. Create an Administrator API key in an access group with `Can View` [permission](https://developer.tenable.com/docs/permissions) to `Manage Assets`.
   Optionally, this must have the Scan Manager role in order to retrieve agent health data.
2. Configure the Tenable Vulnerability Management credential in runZero.
3. Choose whether to configure the integration as [a scan probe or connector task](integrations-inbound.md#integration-probe-connector).
4. Activate the integration to pull your data into runZero. 

## Requirements {#tenablevm-requirements}

Before you can set up the Tenable Vulnerability Management integration:

* Make sure you have administrator access to the Tenable portal. 

## Step 1: Create an Administrator API key {#tenablevm-step1}

1. Sign in to Tenable Vulnerability Management with the Administrator account being used for the runZero integration. 
2. Go to **My Profile** > **My Account** > **API Keys**. 
3. **Generate** the API token, and then download or copy it.

## Step 2: Add the Tenable credential to runZero {#tenablevm-step2}

1. Go to the [Credentials page](https://console.runzero.com/credentials/new) in runZero. Provide a name for the credentials, 
   like `Tenable Vulnerability Management`.
2. Choose **Tenable.io Access & Secret** from the list of credential types.
3. Generate your Tenable access and secret keys via your account page in the Tenable portal, and then provide the 
   following information:
    * **Access key** - Your 64-character Tenable access key. 
    * **Secret key** - Your 64-character Tenable secret key.
4. If you want other organizations to be able to use this credential, select the _Make this a global credential_ option.
   Otherwise, you can configure access on a per-organization basis. 
5. Save the credential. 

You're now ready to set up and activate the connection to bring in data from Tenable Vulnerability Management. 

## Step 3: Choose how to configure the Tenable integration {#tenablevm-step3}
The Tenable Vulnerability Management integration can be configured as either a [scan probe or a connector task](integrations-inbound.md#integration-probe-connector). 
Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or
one of your Explorers, only performing the integration sync. Setting up a connector will work if you're self-hosting
runZero or integrating with Tenable Vulnerability Management.

## Step 4: Set up and activate the integration to sync data {#tenablevm-step4}
After you add your Tenable credential, you'll need to sync your data from Tenable Vulnerability Management.

### Step 4a: Configure the Tenable integration as a connector task {#tenablevm-step4a}
A connection requires you to specify a schedule and choose a site. The schedule determines when the sync occurs, and
the site determines where any new Tenable-only assets are created.

1. Activate a connection to [Tenable Vulnerability Management](https://console.runzero.com/ingest/tenable). You can access all available third-party
   connections from the [integrations page](https://console.runzero.com/integrations), your [inventory](https://console.runzero.com/inventory), or the [tasks page](https://console.runzero.com/tasks). 
1. Choose the credentials you added earlier. If you don't see the credentials listed, make sure the credentials have
   access to the organization you are currently in.
1. If you want to exclude assets that have not been scanned by runZero from your integration import, check the
   **Exclude assets that cannot be merged into an existing asset** checkbox. By default, the integration will include
   assets that have not been scanned by runZero.
1. If you want to include assets that have not been assessed for vulnerabilities, check the
   **Include assets that have not been assessed for vulnerabilities** checkbox.
1. If you want to exclude retrieving asset agent health data, check the **Disable importing asset agent data** checkbox.
1. Check the **Disable importing software from the Tenable inventory** checkbox if you want software
   records to be ingested for fingerprint analysis but not stored in your runZero software inventory (optional).
1. Check the **Disable importing vulnerabilities from the Tenable inventory** checkbox if you want vulnerability
   records to be ingested for fingerprint analysis but not stored in your runZero vulnerability inventory (optional).
1. Set the [severity and risk levels](docs/tenable.md/#tenable-scoring) you want to import (optional).
   **Note**: Much of the host information provided by Tenable is from Info-level plugins, so if you only import higher
   levels of severity you may not see much information about assets not scanned by runZero.
1. Optionally provide a list of tags to include in the import. The list should be comma separated and use the format
   `category:value`. We will import assets that match at least one of the specified tags.
1. To filter by asset source, set the **Filter by asset source** option to either _All supported sources_ or a 
   combination of sources from the checklist.
1. Enter a name for the task, like `Tenable Vulnerability Management sync` (optional). 
1. Choose the Explorer to perform this connector task from (optional).
1. Choose the site you want to add your assets to. All newly discovered assets will be stored in this site. 
1. Enter a description for the task (optional).
1. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date
   and time you have set. 
1. Activate the connection when you are done. The sync will run on the defined schedule. You can always check
   the [Scheduled tasks](https://console.runzero.com/tasks) to see when the next sync will occur. 

### Step 4b: Configure the Tenable integration as a scan probe {#tenablevm-step4b}
You can run the Tenable Vulnerability Management integration as a scan probe so that the runZero Explorer will pull
your vulnerability data into the runZero Console. 

In a new or existing scan configuration:
* Ensure that the _TENABLE_ option is set to _Yes_ in the _Probes and SNMP_ tab and change any of the default options
  if needed.
* Optionally, set the [severity and risk levels](docs/tenable.md/#tenable-scoring) for ingested vulnerability scan results.
* Set the correct `Tenable` credential to _Yes_ in the _Credentials_ tab.

### Step 5: View Tenable assets and vulnerabilities {#tenablevm-step5}

After a successful sync, you can [go to your inventory](https://console.runzero.com/inventory) to view your Tenable assets. These assets will have a
Tenable icon listed in the **Source** column.

The Tenable integration gathers details about vulnerabilities detected in addition to enriching asset inventory data.
Go to **Inventory** > [**Vulnerabilities**](https://console.runzero.com/inventory/vulnerabilities) to view the vulnerability data provided by
Tenable Vulnerability Management.

To filter by Tenable assets, consider running the following queries:

* [View all Tenable assets](https://console.runzero.com/inventory?search=source%3Atenable): 
     ```
     source:Tenable
    ```
Click into each asset to see its individual attributes. runZero will show you the attributes gathered from the Tenable
scan data.

## Troubleshooting {#tenablevm-troubleshooting}
If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

### Why is the Tenable Vulnerability Management integration unable to connect? {#tenablevm-connection-error}
1. Are you getting any data from the Tenable Vulnerability Management integration?
    * Make sure to query the inventory rather than look at the task details to review all the data available from this
      integration.
    * In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero
      console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the
   integration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the Tenable Vulnerability Management integration is unable to connect be sure to check the task log for errors.
   Some common errors include:
   * 500 - server error, unable to connect to the endpoint
   * 404 - hitting an unknown endpoint on the server
   * 403 - not authorized, likely a credential issue
4. Verify you are running the integration task from an Explorer with access to the Tenable host if it is on-premises.

### How do I solve the following error in Tenable Vulnerability Management: {#tenablevm-import-error}
```
"error-message":"no tenable assets match import criteria",
"level":"error","msg":"could not load scan result data to writer"
```

This is an error we have seen intermittently from Tenable. A solution that usually works is to enable the
_Include Unscanned Assets_ toggle in the Tenable task configuration. This will disable the filters we apply for live
assets that were scanned in the last 30 days.