Solved

Cribl API Integration Issues With Polling Tenable.SC And Nessus Manager For Asset Inventory

  • April 21, 2026
  • 12 replies
  • 2 views

This message originated from Cribl Community Slack.

Anyone with experience polling Tenable.SC and Nessus Manager for asset inventory, vulnerabilities, plugins, and agent status? We used to poll this via Splunk apps / custom Python, but I've been tasked with leveraging Cribl API methods to ingest into our new SIEM. I've been looking at this article in the meantime: https://www.aplura.com/news/cribl/tenable/2025/08/06/tenable_sc_logs_with_cribl.html. Sorry in advance: I'm a Unix beard but very new to Cribl.

Best answer by paul925

Step 1, initiate the discovery. Step 2, poll until the result set is ready. Step 3, collect from the result set.

  • Participating Frequently
  • April 21, 2026
That requires a multi-stage discovery - one of which is a polling stage - which Cribl does not natively support. We've solved this for clients with an Exec source that can handle the multi-stage discovery and polling needed.

  • Author
  • New Participant
  • April 21, 2026
Yeah, that's what I figured, since I do know how to do the REST queries myself. My original thought was to adapt my current code to dump to JSON files and just have it collected like any other log - esp. since in our prior production environment we were only polling the data 1x / day.

  • Participating Frequently
  • April 21, 2026
I am actually playing with an experimental version of that for another SaaS platform, but the holdout here is that you need to block on the polling. With that other platform, discovery gives a list of files to download. With this, you cannot collect the results until the prep/polling job is complete.

  • Participating Frequently
  • April 21, 2026
FWIW there's a feature request in for this - or should be :sweat_smile:

  • Author
  • New Participant
  • April 21, 2026
Yeah it's definitely not a unique problem opportunity limited to Tenable. IIRC certain aspects of grabbing JAMF attributes in bulk require a bit of endpoint ID polling...

  • Participating Frequently
  • April 21, 2026
Yeah, it's not common, but not isolated. You're welcome to DM me to schedule some time to see if we can help.

Could I bother you to ELI5 the multi-state discovery aspect of it? Is that just saying that the initial endpoint provides a list of UUIDs, then you have to save those UUIDs as variables and do another discovery?

  • Author
  • New Participant
  • April 21, 2026
Yeah, so the first pull is to the /hosts REST endpoint, which gives you a JSON list of every asset under monitoring in SecurityCenter. The IDs from that collection need to be looped through to pull discovered vulnerabilities associated with that host. In one of our other ingestion pipelines through our GRC infrastructure, additional queries are made to pull the current scan plugin list, and those plugins are associated with the hosts they appear on.

  • Author
  • New Participant
  • April 21, 2026
Crazy as it seems, we actually discover some new assets that way. Simply because we are a University and people spin up random, unmanaged (via AD or JAMF) devices all the time.

  • Participating Frequently
  • Answer
  • April 21, 2026
Step 1, initiate the discovery. Step 2, poll until the result set is ready. Step 3, collect from the result set.

  • Participating Frequently
  • April 21, 2026
It's step 2 Cribl cannot do ootb inline with steps 1 and 3.

If you are hybrid or on-prem, you can use a script collector for this, but as others said, the REST collector isn't going to work well here.
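
The three steps from the accepted answer (initiate, block on polling, collect), sketched as an added example that is not code from the thread or from any participant. The `api(method, path)` transport, the `/jobs` routes and the `ready`/`failed` status values are hypothetical placeholders, not Tenable.SC's real API; `FakeApi` and its records are constructed so the script runs offline.

```python
import json
import sys
import time

def collect(api, sleep=time.sleep, timeout=600.0, first_wait=2.0, max_wait=60.0):
    """Initiate, block on polling, then collect. `api(method, path)` is a
    hypothetical transport returning parsed JSON; routes are placeholders."""
    job_id = api("POST", "/jobs")["id"]                  # Step 1: initiate
    waited, wait = 0.0, first_wait
    while True:                                          # Step 2: poll until ready
        status = api("GET", f"/jobs/{job_id}")["status"]
        if status == "ready":
            break
        if status == "failed":
            raise RuntimeError(f"job {job_id} failed; nothing collected")
        if waited >= timeout:
            raise TimeoutError(f"job {job_id} not ready after {waited:.0f}s")
        sleep(wait)
        waited += wait
        wait = min(wait * 2, max_wait)                   # back off between polls
    return api("GET", f"/jobs/{job_id}/results")["records"]  # Step 3: collect

def to_ndjson(records):
    """One JSON object per line, so each record becomes one event."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)

class FakeApi:
    """Constructed stand-in for the REST API so the example runs offline."""
    def __init__(self, polls_until_ready):
        self.left = polls_until_ready
        self.calls = []

    def __call__(self, method, path):
        self.calls.append((method, path))
        if method == "POST":
            return {"id": "job-1"}
        if path.endswith("/results"):
            return {"records": [{"host": "host-a", "plugin": 1001},
                                {"host": "host-b", "plugin": 1002}]}
        self.left -= 1
        return {"status": "ready" if self.left <= 0 else "running"}

if __name__ == "__main__":
    # No real sleeping in the demo; a real run would use time.sleep.
    sys.stdout.write(to_ndjson(collect(FakeApi(3), sleep=lambda s: None)))
```

The bounded timeout and the explicit failure branch mean a stalled or failed job raises an error instead of emitting a partial result set into the SIEM.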