Tenable.io integration - missing FIXED vulnerabilities

Elastic Stack Elastic Agent
1

Hello,

I started to test tenable.io integration (great work BTW) and found a little issue.
Vulnerabilities with state FIXED are missing in logs-tenable_io.vulnerability indexes, I can only find OPEN and REOPENED events.

In tenable API doc it's written that if you don't specify a state in body, it will return OPEN, REOPENED, FIXED states : Refine Vulnerability Export Requests

I did a test and API behavior looks different :

--------- TEST 1 : no state filter (exactly what do tenable.io integration) ----------
JSON body :
{
  "num_assets": 50,
  "filters": {
    "last_found": 1653655049,
  }
}


Results :

count state                     
----- ---- 
  317 OPEN                     
  167 REOPENED                 
  

--------- TEST 2 : state filter ----------
JSON body :
{
  "num_assets": 50,
  "filters": {
    "state": [
      "open",
      "reopened",
      "fixed"
      ],
    "last_found": 1653655049,
  }
}


Results :

count state
----- ----                     
  317 OPEN                     
  167 REOPENED                 
   63 FIXED

Looks like if you don't specify state=open,reopened,fixed in json body, you will never get fixed vulnerabilities.

  - set:
      target: body.filters.state
      value: '[open,reopened,fixed]'

CC: @jamie.hynds

Thanks

2

Thanks for flagging this @marrc.rousseau - we're investigating this on our side and will report back shortly :slight_smile:

3

Thanks @jamie.hynds

Quick update :
API documentation seems to confirm what I saw:
https://developer.tenable.com/reference/exports-vulns-request-export

state
array of strings
(...)
This parameter is required if your request includes first_found, last_found, or last_fixedparameters. If your request omits this parameter, the export includes default states open and reopened only.