# Tenable Vulnerability Management

> Configure Tenable VM integration with RAD Security for comprehensive vulnerability assessment.

# Tenable Vulnerability Management Integration Setup

This guide walks you through integrating Tenable Vulnerability Management (formerly Tenable.io) with RAD Security, enabling you to import vulnerability findings and correlate them with runtime security events.

Tenable VM provides comprehensive vulnerability assessment, asset discovery, and continuous monitoring across your entire attack surface.

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to Tenable Vulnerability Management
  * Ability to create users or access to an existing user account
  * Access to RAD Security workspace with integration permissions
</Check>

<Info>
  **Service Account Recommended:** For production environments, create a dedicated service user with an email not tied to a specific employee to ensure continuity.
</Info>

***

## Step 1: Log in to Tenable Vulnerability Management

<Steps>
  <Step title="Access Tenable Console">
    Log in to Tenable Vulnerability Management with an administrator account
  </Step>

  <Step title="Navigate to Access Control">
    Click the **Settings** gear icon in the top right corner and select **Access Control**
  </Step>
</Steps>

***

## Step 2: Create or Select Service User

You have two options for setting up the integration:

<Tabs>
  <Tab title="Create New Service User (Recommended)">
    <Steps>
      <Step title="Create Service User">
        In the Access Control section, create a new user account for the integration
      </Step>

      <Step title="Configure User Details">
        Enter the following information:

        * **Username** (e.g., "RAD Security Integration")
        * **Email** - Use a service email not tied to a specific employee (e.g., `security-integrations@company.com`)
        * **Name** (e.g., "RAD Security Service Account")

        <Info>
          Using a service email ensures the integration continues working when employees change roles or leave the organization.
        </Info>
      </Step>

      <Step title="Assign User Role">
        Assign the **Basic User** role to the account

        <Note>
          **Basic User** is the minimum role required for reading vulnerability data. This follows the principle of least privilege.
        </Note>
      </Step>

      <Step title="Save User">
        Click **Save** to create the user account
      </Step>

      <Step title="Switch to Service User">
        1. Log out of your administrator account
        2. Log in using the newly created service user account
      </Step>
    </Steps>
  </Tab>

  <Tab title="Use Existing User">
    <Steps>
      <Step title="Verify Role">
        Ensure the existing user has at least the **Basic User** role assigned
      </Step>

      <Step title="Switch User">
        If you're not already logged in as this user:

        1. Log out of your current account
        2. Log in with the user account you want to use for the integration
      </Step>
    </Steps>

    <Warning>
      Using a personal user account is not recommended for production. If the user leaves or changes roles, the integration will break.
    </Warning>
  </Tab>
</Tabs>

***

## Step 3: Generate API Keys

<Steps>
  <Step title="Access User Profile">
    Click on the **profile avatar** in the top right corner and select **My Profile**
  </Step>

  <Step title="Navigate to API Keys">
    In the left-side navigation menu, select **API KEYS**
  </Step>

  <Step title="Generate New Keys">
    In the bottom-right corner, click the **Generate** button

    <Warning>
      **Important:** A warning will appear stating that this operation will overwrite any previously generated keys. If you're regenerating keys, make sure no other integrations are using the existing keys.
    </Warning>
  </Step>

  <Step title="Confirm Generation">
    Click **Continue** to proceed with key generation
  </Step>

  <Step title="Copy and Save Keys">
    You will be provided with two keys:

    * **Access Key** - Copy this value
    * **Secret Key** - Copy this value

    **Save both keys immediately** in a secure password manager or vault

    <Warning>
      Store these keys securely! You'll need both for the integration configuration. If you lose them, you'll need to generate new keys.
    </Warning>
  </Step>
</Steps>

***

## Step 4: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Tenable VM integration with the following parameters:

### Required Parameters

| Parameter    | Description                                                                                             | Example                                   |
| ------------ | ------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| **Base URL** | Base URL for the Tenable Cloud API                                                                      | `https://cloud.tenable.com`               |
| **API Keys** | Combined access key and secret key in the format: `accessKey=YOUR_ACCESS_KEY;secretKey=YOUR_SECRET_KEY` | `accessKey=abc123...;secretKey=xyz789...` |

### Formatting the Secret Parameter

The **API Keys** value (the secret parameter) must be formatted exactly as shown below:

<CodeGroup>
  ```text Format theme={null}
  accessKey=YOUR_ACCESS_KEY;secretKey=YOUR_SECRET_KEY
  ```

  ```text Example theme={null}
  accessKey=1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p;secretKey=A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6
  ```
</CodeGroup>

<Note>
  * There are **no spaces** in the format
  * Use a **semicolon** (`;`) to separate the two key-value pairs
  * Replace `YOUR_ACCESS_KEY` with your actual Access Key
  * Replace `YOUR_SECRET_KEY` with your actual Secret Key
</Note>
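
The format rules above can be checked locally before the value is pasted into RAD Security. The following is an added example, not RAD Security or Tenable code: `check_secret_parameter` and the sample strings are hypothetical, and it assumes the `accessKey`-then-`secretKey` order shown above is required. Its messages name the rule that failed and never repeat key material, so the output is safe to log.

```python
import re

# Field names and their order come from the format on this page.
EXPECTED_FIELDS = ("accessKey", "secretKey")
PLACEHOLDERS = {"YOUR_ACCESS_KEY", "YOUR_SECRET_KEY", "YOUR_KEY"}


def check_secret_parameter(value):
    """Return a list of format problems (empty list = well formed).
    Messages name the failed rule and never echo key material."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if '"' in value or "'" in value:
        problems.append("contains quote characters")
    if "," in value:
        problems.append("contains a comma (separator must be ';')")

    pairs = value.split(";")
    if len(pairs) != 2:
        problems.append("expected exactly 2 pairs separated by ';', found %d" % len(pairs))
        return problems

    for expected, pair in zip(EXPECTED_FIELDS, pairs):
        name, sep, key = pair.partition("=")
        name, key = name.strip(" \"'"), key.strip(" \"'")
        if sep != "=" or name != expected:
            problems.append("pair should start with '%s='" % expected)
        elif not key:
            problems.append("%s is empty" % expected)
        elif key in PLACEHOLDERS:
            problems.append("%s still holds the placeholder text" % expected)
    return problems


# Constructed sample values, not real keys.
SAMPLES = {
    "good": "accessKey=abc123;secretKey=xyz789",
    "comma": "accessKey=abc123,secretKey=xyz789",
    "spaced": "accessKey=abc123; secretKey=xyz789",
    "quoted": '"accessKey=abc123;secretKey=xyz789"',
    "placeholder": "accessKey=YOUR_ACCESS_KEY;secretKey=xyz789",
    "swapped": "secretKey=xyz789;accessKey=abc123",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, check_secret_parameter(sample) or "OK")
```

When checking a real value, read it from an environment variable or a secrets-manager lookup rather than a command-line argument, so the keys do not end up in shell history or process listings.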

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > Vulnerabilities** in RAD Security
2. Locate your Tenable VM integration
3. Check that the connection status shows as **Connected**
4. Verify vulnerability data is being synced

<Check>
  Your Tenable Vulnerability Management integration is now configured! RAD Security can now import vulnerability findings and correlate them with runtime security events.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following data from Tenable VM:

<AccordionGroup>
  <Accordion title="Vulnerability Findings" icon="bug">
    * Plugin ID and details
    * CVE identifiers
    * Vulnerability severity (Critical, High, Medium, Low, Info)
    * CVSS v2 and v3 scores
    * VPR (Vulnerability Priority Rating) scores
    * Exploit availability
    * Vulnerability publication and modification dates
    * See Also references and solutions
  </Accordion>

  <Accordion title="Asset Information" icon="server">
    * Asset inventory and UUIDs
    * Hostnames and FQDNs
    * IP addresses (IPv4 and IPv6)
    * MAC addresses
    * Operating systems
    * Installed software
    * Asset tags and groups
    * Last scan and authentication status
  </Accordion>

  <Accordion title="Risk and Compliance" icon="shield-check">
    * Asset Exposure Scores (AES)
    * Asset Criticality Ratings (ACR)
    * VPR context and trends
    * Compliance scan results
    * Policy violations
  </Accordion>

  <Accordion title="Scan Data" icon="radar">
    * Scan schedules and history
    * Scan targets and zones
    * Plugin families used
    * Credential scan status
    * Scan duration and completeness
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Attack Surface Visibility" icon="radar">
    Maintain comprehensive visibility of your attack surface with continuous vulnerability assessments.
  </Card>

  <Card title="Predictive Prioritization" icon="crystal-ball">
    Use Tenable's VPR scores combined with RAD's runtime context for intelligent vulnerability prioritization.
  </Card>

  <Card title="Compliance Monitoring" icon="clipboard-check">
    Track compliance posture and policy violations across your infrastructure.
  </Card>

  <Card title="Exploit Detection" icon="crosshairs">
    Correlate Tenable vulnerability data with runtime exploitation attempts detected by RAD Security.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Access Key or Secret Key is incorrect
    * Keys were regenerated and not updated in RAD Security
    * Secret parameter format is incorrect
    * User account was disabled or deleted

    **Solution:**

    * Verify both keys are copied correctly without extra spaces
    * Check the format: `accessKey=YOUR_KEY;secretKey=YOUR_KEY`
    * Ensure there's a semicolon (`;`) separating the keys, not a space or comma
    * Verify the user account is still active in Tenable
    * Try regenerating keys if necessary
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * User doesn't have Basic User role or higher
    * User account permissions were reduced
    * User was moved to a restricted group

    **Solution:**

    * Log in to Tenable as admin
    * Navigate to Settings > Access Control
    * Verify the service user has at least **Basic User** role
    * Check that user permissions haven't been restricted
  </Accordion>

  <Accordion title="No Data Syncing" icon="database-slash">
    **Possible causes:**

    * No scans have been completed yet
    * Assets are not in scope for the user
    * Initial sync is still in progress
    * API rate limits reached

    **Solution:**

    * Verify scans have been completed in Tenable VM
    * Check that the user has access to the relevant assets
    * Allow up to 15 minutes for initial data sync
    * Review Tenable API usage to ensure you're within rate limits
    * Check integration logs in RAD Security for specific errors
  </Accordion>

  <Accordion title="Secret Parameter Format Error" icon="code">
    **Possible causes:**

    * Wrong format used (spaces, commas, or incorrect syntax)
    * Keys not properly concatenated
    * Special characters not escaped

    **Solution:**

    * Use exact format: `accessKey=KEY1;secretKey=KEY2`
    * No spaces anywhere in the string
    * Use semicolon (`;`) as separator, not comma or space
    * Don't add quotes around the entire string or individual keys
    * Example: `accessKey=abc123;secretKey=xyz789`
  </Accordion>

  <Accordion title="Keys Regenerated by Accident" icon="rotate">
    **Possible causes:**

    * Keys were regenerated, breaking existing integrations
    * Multiple integrations using same user account

    **Solution:**

    * If you accidentally regenerated keys, update all integrations using those keys
    * Consider creating separate service users for different integrations
    * Document which integrations use which API keys
    * Update the Secret parameter in RAD Security with the new keys
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use Service Accounts" icon="user-gear">
    Create dedicated service users with service email addresses for integrations, not personal accounts.
  </Card>

  <Card title="Least Privilege Access" icon="shield-halved">
    Use Basic User role for integrations. Only escalate permissions if absolutely necessary.
  </Card>

  <Card title="Secure Key Storage" icon="lock">
    Store API keys in a secure password manager or secrets vault. Never commit them to version control.
  </Card>

  <Card title="Regular Key Rotation" icon="rotate">
    Periodically rotate API keys as part of your security hygiene. Update all integrations when rotating.
  </Card>

  <Card title="Document Key Usage" icon="book">
    Maintain documentation of which integrations use which API keys to avoid accidental key regeneration.
  </Card>

  <Card title="Monitor API Activity" icon="chart-line">
    Review API usage in Tenable to detect anomalous activity and ensure compliance with rate limits.
  </Card>
</CardGroup>

## Important Notes

<Warning>
  **Key Regeneration Warning:** Generating new API keys will immediately invalidate the previous keys. Make sure to update all integrations using those keys to avoid service disruptions.
</Warning>

<Info>
  **One User, One Set of Keys:** Each Tenable user can only have one active set of API keys at a time. If you need multiple integrations, create separate service users for each.
</Info>

<Note>
  **Rate Limits:** Tenable enforces API rate limits. If you have multiple integrations or heavy API usage, monitor your usage to avoid hitting limits.
</Note>

## Next Steps

<CardGroup cols={2}>
  <Card title="Vulnerabilities Overview" icon="shield-halved" href="/rad-security/integrations/vulnerabilities/overview">
    Explore other vulnerability integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn how RAD correlates vulnerabilities with runtime threats
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected and prioritized
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure alerts for vulnerability-related events
  </Card>
</CardGroup>
