Overview
The Tenable.io integration (INT-003) ingests vulnerability findings into CaseBender, enriches them with CVSS-based severity and CVE observables, and turns them into alerts (and optionally cases).Polling uses the Tenable.io Vulnerability Export API, authenticated with an
API key pair (access key + secret key).
Capabilities
Prerequisites
1
Create API keys
In Tenable.io, go to Settings → My Account → API Keys and generate a key pair. Copy the
Access Key and Secret Key.
2
Network egress
The CaseBender poller must reach
https://cloud.tenable.com (or your private Tenable.io
region URL).Configure the integration in CaseBender
1
Open the integration catalog
Go to Settings → Integrations → Create, then choose Tenable.io from the
Vulnerability Management category.
2
Enter API keys
3
Enable automatic polling (recommended)
4
Configure auto-case creation
Inbound (automatic polling, recommended)
Tenable exposes incremental vulnerability data through an asynchronous export job. CaseBender manages that flow automatically:1
Request an export
On each interval, CaseBender requests an export of
OPEN/REOPENED vulnerabilities updated
since the last cursor (optionally severity-filtered). On first run, the window is
pollingInitialLookbackHours.2
Wait + resume
CaseBender waits (bounded) for the export to finish and downloads its chunks. If the export
is still building when the in-tick budget elapses, its ID is saved and the next tick resumes
it — no data is lost.
3
Cursor + deduplication
After a completed export, the cursor advances to the run time. Findings are deduplicated by
asset.uuid + plugin.id, so overlapping windows never create duplicates.Because exports are asynchronous, findings may appear a few minutes after they are updated in
Tenable. This is expected for vulnerability data and controlled by
pollingIntervalMinutes.Security considerations
- Secret handling — the API keys are stored in the integration settings; rotate on your organization’s schedule.
- Least privilege — use keys tied to a user account with read access to vulnerabilities.
- Network — restrict egress to your Tenable.io region URL.
Troubleshooting
Polling is enabled but no findings appear
Polling is enabled but no findings appear
Confirm the access/secret keys are valid and there are
OPEN/REOPENED findings updated
since the cursor. Exports take time; allow at least one full interval. Lower the Minimum severity if it filters everything out.Make sure all CaseBender services are running — with Docker, docker compose ps should
show the worker and misp-processor services Up.Export failed
Export failed
A
Tenable export … failed error indicates the export job errored server-side. It will be
retried on the next interval. Verify the keys have vulnerability export permission.