Skip to main content

Overview

The Tenable.io integration (INT-003) ingests vulnerability findings into CaseBender, enriches them with CVSS-based severity and CVE observables, and turns them into alerts (and optionally cases).
Recommended: enable Automatic polling. CaseBender pulls new vulnerabilities directly from Tenable.io on a schedule using the Vulnerability Export API — no inbound endpoint is required. See Automatic polling.
Polling uses the Tenable.io Vulnerability Export API, authenticated with an API key pair (access key + secret key).

Capabilities

Prerequisites

1

Create API keys

In Tenable.io, go to Settings → My Account → API Keys and generate a key pair. Copy the Access Key and Secret Key.
2

Network egress

The CaseBender poller must reach https://cloud.tenable.com (or your private Tenable.io region URL).

Configure the integration in CaseBender

1

Open the integration catalog

Go to Settings → Integrations → Create, then choose Tenable.io from the Vulnerability Management category.
2

Enter API keys

3

Enable automatic polling (recommended)

4

Configure auto-case creation

Tenable exposes incremental vulnerability data through an asynchronous export job. CaseBender manages that flow automatically:
1

Request an export

On each interval, CaseBender requests an export of OPEN/REOPENED vulnerabilities updated since the last cursor (optionally severity-filtered). On first run, the window is pollingInitialLookbackHours.
2

Wait + resume

CaseBender waits (bounded) for the export to finish and downloads its chunks. If the export is still building when the in-tick budget elapses, its ID is saved and the next tick resumes it — no data is lost.
3

Cursor + deduplication

After a completed export, the cursor advances to the run time. Findings are deduplicated by asset.uuid + plugin.id, so overlapping windows never create duplicates.
Because exports are asynchronous, findings may appear a few minutes after they are updated in Tenable. This is expected for vulnerability data and controlled by pollingIntervalMinutes.

Security considerations

  • Secret handling — the API keys are stored in the integration settings; rotate on your organization’s schedule.
  • Least privilege — use keys tied to a user account with read access to vulnerabilities.
  • Network — restrict egress to your Tenable.io region URL.

Troubleshooting

Confirm the access/secret keys are valid and there are OPEN/REOPENED findings updated since the cursor. Exports take time; allow at least one full interval. Lower the Minimum severity if it filters everything out.Make sure all CaseBender services are running — with Docker, docker compose ps should show the worker and misp-processor services Up.
A Tenable export … failed error indicates the export job errored server-side. It will be retried on the next interval. Verify the keys have vulnerability export permission.