
Tenable Vulnerability Management User Guide

Last Revised: June 20, 2024

Copyright © 2024 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents

Welcome to Tenable Vulnerability Management 29

Get Started with Tenable Vulnerability Management 31

Tenable Vulnerability Management Licenses 36

System Requirements 41

Sensor Connection Requirements 41

Log in to Tenable Vulnerability Management 42

CVSS vs. VPR 43

CVSS 43

CVSS-Based Severity 44

CVSS-Based Risk Factor 45

Vulnerability Priority Rating 45

VPR Key Drivers 46

Vulnerability Severity Indicators 47

Vulnerability Mitigation 48

Vulnerability States 49

Log Out of Tenable Vulnerability Management 50

Navigate Tenable Vulnerability Management 51

Navigate Breadcrumbs 57

Navigate Planes 58

Tenable Vulnerability Management Tables 59

Tenable Vulnerability Management Workbench Tables 59

Filter a Table 62

Get Started with Tenable Lumin 64

-2-
Error Messages 68

Dashboards 81

Vulnerability Management Dashboard 81

Vulnerability Management Overview (Explore) 86

Tenable Web App Scanning Dashboard 91

View the Dashboards Page 92

Tenable-Provided Dashboards 94

Export a Full Dashboard Landing Page 94

Export an Individual Dashboard Widget 95

View an Individual Dashboard 96

View the Dashboard Template Library 97

Create a Dashboard 98

Preview a Dashboard 103

Enable Explore Dashboards 103

Manage Dashboards 104

Dashboard Groups 104

Add a Dashboard Group 105

Share a Dashboard Group 105

Edit a Dashboard Group 106

Delete a Dashboard Group 107

Automatically Update Widgets on a Dashboard 108

Edit a Dashboard 109

Set a Default Dashboard 112

Rename a Dashboard 113

Duplicate a Dashboard 114

Filter a Dashboard 114

Filter a Dashboard by Time 116

Share a Dashboard 117

Manage Dashboard Exports 118

Export a Dashboard 118

Download a Dashboard Export 123

View Dashboard Export History 124

Delete a Dashboard Export Download 125

Delete a Dashboard Export Configuration 125

Delete a Dashboard 126

Manage Widgets 127

View the Widget Library 128

Delete a Widget from the Widget Library 129

Create a Custom Widget 129

Create a Custom Widget for Explore Dashboards 132

Edit a Custom Widget 137

Add a Widget to a Dashboard 138

Configure a Widget 139

Duplicate a Widget 142

Rename a Widget 142

Delete a Widget from a Dashboard 143

Welcome to Tenable Lumin 144

Tenable Lumin Metrics 144

Improve Your Tenable Lumin Metrics 166

Edit an ACR Manually 167

Tenable Lumin Data Timing 170

View the Tenable Lumin Dashboard 172

Export the Tenable Lumin Dashboard Landing Page 173

Export a Widget from the Tenable Lumin Dashboard 174

Update the Tenable Lumin Industry Benchmark 175

Tenable Lumin Dashboard Widgets 176

View the CES Details Panel 188

View Assessment Maturity Details 196

View Remediation Maturity Details 203

View Business Context/Tag Asset Details 210

View Mitigations Details in Tenable Lumin 217

Plugins for Mitigation Detection 219

Export Mitigations 222

Mitigations Export File Contents 223

View and Download Exported Mitigations 224

View Recommended Actions 225

Export Recommended Actions 227

Recommended Actions Export File Contents 228

Scans 232

Manage Scans 232

Scans Overview 232

Create a Scan 233

View Scans 237

View Scan Details 239

View Scan Vulnerability Details 248

Scan Filters 249

Launch a Scan 250

Launch a Scan 251

Launch a Rollover Scan 252

Launch a Remediation Scan 254

Stop a Running Scan 261

Pause or Resume a Scan 262

Change Scan Ownership 263

Change the Scan Read Status 265

Edit a Scan Configuration 266

Configure vSphere Scanning 267

Copy a Scan Configuration 270

Export Scan Results 271

Import a Scan 275

Organize Scans by Folder 277

Move a Scan to the Trash Folder 282

Delete a Scan 283

Discovery Scans vs. Assessment Scans 286

Identify Assets That Have Not Been Assessed 288

Scan Failovers 290

Scan Status 290

Scan Templates 292

Tenable-Provided Tenable Nessus Scanner Templates 293

Tenable-Provided Tenable Nessus Agent Templates 299

Tenable-Provided Tenable Web App Scanning Templates 302

User-Defined Templates 304

Scan Settings 317

Tenable Vulnerability Management Scan Settings 318

Basic Settings in Tenable Vulnerability Management Scans 319

Basic Settings in User-Defined Templates 331

Triggered Agent Scans 338

Triggered vs. Window Scans 339

Find Triggered Scan Details 340

Scan Targets 341

Target Groups 344

Info-level Reporting 356

Description 356

Configuration 357

Limitations and Considerations 358

Discovery Settings in Tenable Vulnerability Management Scans 359

Preconfigured Discovery Settings 368

Assessment Settings in Tenable Vulnerability Management Scans 384

Preconfigured Assessment Settings 399

Report Settings in Tenable Vulnerability Management Scans 407

Advanced Settings in Tenable Vulnerability Management Scans 408

Preconfigured Advanced Settings 417

Credentials in Tenable Vulnerability Management Scans 425

Add a Credential to a Scan 427

Edit a Credential in a Scan 429

Add a Credential to a User-defined Template 430

Edit a Credential in a User-defined Template 432

Convert a Scan-specific Credential to a Managed Credential 432

Cloud Services 433

Database Credentials 437

DB2 437

MySQL 437

Oracle 438

PostgreSQL 439

SQL Server 440

Sybase ASE 441

Cassandra 441

MongoDB 442

Database Credentials Authentication Types 442

Client Certificate 443

Password 443

Import 444

BeyondTrust 445

CyberArk 446

CyberArk (Legacy) 448

Delinea 451

HashiCorp Vault 452

Lieberman 454

QiAnXin 457

Senhasegura 459

Host 460

Privilege Escalation 516

Miscellaneous 522

Mobile 529

Patch Management 534

Plaintext Authentication 544

Compliance in Tenable Vulnerability Management Scans 550

SCAP Settings in Tenable Vulnerability Management Scans 553

Configure Plugins in Tenable Vulnerability Management Scans 555

Tenable Web App Scanning Scan Settings 557

Basic Settings in Tenable Web App Scanning Scans 558

Scope Settings in Tenable Web App Scanning Scans 563

Assessment Settings in Tenable Web App Scanning Scans 567

Report Settings in Tenable Web App Scanning Scans 572

Advanced Settings in Tenable Web App Scanning Scans 573

Credentials in Tenable Web App Scanning Scans 579

Tenable Web App Scanning Selenium Commands 580

HTTP Server Authentication Settings in Tenable Web App Scanning Scans 583

Web Application Authentication 584

Client Certificate Authentication 588

Plugin Settings in Tenable Web App Scanning Scans 589

Scan Distribution 591

Scanner Capacity 592

Job Queues 593

Dispatching Tasks 594

Configure Scan Routing 595

Scan Best Practices 598

Introduction 598

General Best Practices 599

Role-Based Access Control (RBAC) 599

Credentialed Scanning 599

Proper Inventory of Assets 599

Deleting Assets 599

Agent Scanning 600

Scan Hygiene 600

API Scan Creation Best Practices 601

Duplication Challenges and Remedies 601

Server with Multiple NICs 601

Firewall and Layer 3 Switches 602

Agents and Non-Credentialed Scans 602

Ephemeral Assets 602

Scan Limitations 603

Vulnerability Intelligence 605

Search Known Vulnerabilities 606

View Vulnerability Profiles 606

Vulnerability Information 607

How Does This Affect Me 611

Sources 612

Vulnerability Metrics 613

Identify Your Exposure 615

Work with the Query Builder 617

Query Builder Filters 619

Use Saved Searches in Vulnerability Intelligence 623

Export from Vulnerability Intelligence 625

CVEs 626

My Findings 627

My Affected Assets 629

Plugins 629

Tag Affected Assets 630

Vulnerability Categories 632

Explore 634

Explore Overview 634

Findings 636

View the Findings Workbench 636

Vulnerabilities 637

Cloud Misconfigurations 640

Host Audits 642

Web Application Findings 644

View Finding Details 645

Vulnerability Details 647

Cloud Misconfiguration Details 655

Host Audit Details 660

Web Application Findings Details 664

Findings Filters 669

Group Your Findings 686

Add Recast or Accept Rules in Findings 692

Generate a Findings Report 695

Assets 697

View the Assets Workbench 698

Host Assets 699

Cloud Resources 704

Web Applications 705

Domain Inventory 707

View Asset Details 709

Host Asset Details 710

Cloud Resource Details 716

Web Application Details 719

Domain Inventory Preview 722

Asset Filters 724

Open Ports and the Assets workbench 747

Working with Ports 748

Supported Plugins 748

View Asset Visualizations 749

Edit the ACR for Host Assets 750

Move Assets to Another Network 753

Remove and Prevent Duplicate Assets 754

Download Inventory Debug Data 755

Delete Assets 756

Filter Findings or Assets 757

Use Filters 758

Use the Context Menu 764

Customize Explore Tables 765

Export Findings or Assets 766

Saved Filters for Findings or Assets 768

Create a Saved Filter 769

Use a Saved Filter 769

Edit a Saved Filter 769

Rename a Saved Filter 770

Share a Saved Filter 771

Delete a Saved Filter 771

Explore vs. Legacy Workbenches 772

Vulnerabilities 774

View Vulnerabilities by Plugin 776

View Vulnerabilities by Asset 778

View Vulnerabilities by Application in Tenable Web App Scanning 780

View Vulnerability Details 781

Create an Accept Rule from Vulnerability Details 787

Create a Recast Rule from Vulnerability Details 789

View Plugin Output 792

Copy Plugin Output 794

View Plugin Attachments 795

Export Vulnerability Data 797

CSV Vulnerability Export Fields 803

Vulnerability Filters 805

Application Filters in Tenable Web App Scanning 812

Assets 813

View Assets 815

Asset View 817

Discover and Assess 819

View Asset Details 822

View Asset Activity 826

Manage Asset Tags 827

Search Assets by Tag from the Assets Page 827

Remove a Tag from an Asset via the Asset View 828

Export Asset Data 831

CSV Asset Export Fields 834

Download an Asset's Inventory Debug Data (Assets View section) 840

Export Vulnerability Data for an Asset 841

Delete Assets 843

View Deleted Assets 846

Asset Filters 848

Act 861

Reports 861

Report Templates 862

Report Settings 863

Create a Report 864

Generate a Report 867

View Report Details 868

Share Report Templates 870

Edit an Existing Report 872

Filter Reports 873

Schedule a Report 875

Email Report Results 880

Edit a Report Schedule 882

Delete a Report 883

Remediation 885

View Remediations 885

Remediation Filters 887

Remediation Projects 888

Create a New Remediation Project 889

Create a New Remediation Project From Findings 892

View Remediation Project Details 895

Remediation Project Details 896

Edit a Remediation Project 898

Activate a Remediation Project 899

Suspend a Remediation Project 901

Close a Remediation Project 902

Export Remediation Projects 903

Delete a Remediation Project 906

Remediation Goals 908

Fixed-Scope and Ongoing Remediation Goals 909

Create a New Remediation Goal 909

View Remediation Goal Details 913

Edit a Remediation Goal 914

Activate a Remediation Goal 916

Suspend a Remediation Goal 918

Close a Remediation Goal 919

Export Remediation Goals 921

Delete a Remediation Goal 924

Solutions 926

View Solutions 926

Solutions Filters 928

Export Solutions 929

View Solution Details 930

Tenable Container Security Dashboard 934

Tenable Container Security Scanner Scanning Overview 934

Log in to Tenable Container Security via the Docker CLI 935

Push a Container Image to Tenable Container Security 936

Push from Bamboo to Tenable Container Security 938

Push from CircleCI to Tenable Container Security 939

Push from Codeship to Tenable Container Security 942

Push from Distelli to Tenable Container Security 943

Push from Drone.io to Tenable Container Security 944

Push from Jenkins to Tenable Container Security 945

Push from Shippable to Tenable Container Security 947

Push from Solano Labs to Tenable Container Security 948

Push from Travis CI to Tenable Container Security 950

Push from Wercker to Tenable Container Security 952

Tenable Container Security Scanner with Kubernetes 953

Tenable Container Security Scanner System Requirements for Kubernetes 953

Prepare Kubernetes Objects to Configure and Run the Tenable Container Security Scanner 954

Configure and Run the Tenable Container Security Scanner in Kubernetes 956

Tenable Container Security Scanner 960

Tenable Container Security Scanner System Requirements 960

Download the Tenable Container Security Scanner 961

Tenable Container Security Scanner Environment Variables 963

Configure and Run the Tenable Container Security Scanner 976

Scan an Image via the Tenable Container Security Scanner 976

Scan a Registry via the Tenable Container Security Scanner 977

Prepare your Registry 979

Glossary of Tenable Container Security Terms 981

Configure Tenable Container Security Connectors to Import and Scan Images 983

Configure an AWS ECR Connector to Import Images in Tenable Container Security 985

Configure a Local Connector to Import Images in Tenable Container Security 987

View Container Details 989

View Scan Results for Container Images 994

Manage Tenable Container Security Image Repositories 996

Delete an Image in Tenable Container Security 998

Manage Tenable Container Security Policies 999

Add a Tenable Container Security Policy 999

Edit a Tenable Container Security Policy 1001

Delete a Tenable Container Security Policy 1002

Tenable Container Security Policy Condition Settings 1003

Risk Metrics in Tenable Container Security 1004

View Tenable Container Security Data Usage 1005

Tenable PCI ASV 1007

Settings 1008

General Settings 1009

My Account 1016

View Your Account Details 1018

Update Your Account 1022

Change Your Password 1024

Configure Two-Factor Authentication 1025

Generate API Keys 1029

Unlock Your Account 1032

SAML 1033

View SAML Configurations 1034

Add a SAML Configuration 1036

Edit a SAML Configuration 1040

Disable a SAML Configuration 1044

Enable a SAML Configuration 1045

Enable Automatic Account Provisioning 1046

Disable Automatic Account Provisioning 1047

Delete a SAML Configuration 1048

License Information 1049

Access Control 1054

Users 1054

Create a User Account 1056

Edit a User Account 1060

View Your List of Users 1063

Tenable Vulnerability Management Password Requirements 1064

Change Another User's Password 1064

Assist a User with Their Account 1065

Generate Another User's API Keys 1066

Unlock a User Account 1068

Disable a User Account 1068

Enable a User Account 1069

Manage User Access Authorizations 1071

Audit User Activity 1071

Export Users 1072

Delete a User Account 1076

User Groups 1078

Create a User Group 1080

Edit a User Group 1081

Export Groups 1082

Delete a Group 1086

Permissions 1088

Create and Add a Permission Configuration 1090

Add a Permission Configuration to a User or Group 1093

Edit a Permission Configuration 1095

Export Permission Configurations 1097

Remove a Permission Configuration from a User or Group 1101

Delete a Permission Configuration 1103

Roles 1104

Tenable-Provided Roles and Privileges 1106

Custom Roles 1114

Create a Custom Role 1118

Duplicate a Role 1120

Edit a Custom Role 1122

Delete a Custom Role 1123

Export Roles 1123

API Access Security 1127

Activity Logs 1128

Export Activity Logs 1130

Access Groups 1133

Transition to Permission Configurations 1135

Convert an Access Group to a Permission Configuration 1136

Access Group Types 1138

Restrict Users for All Assets Group 1138

Create an Access Group 1140

Configure User Permissions for an Access Group 1143

Edit an Access Group 1146

View Assets Not Assigned to an Access Group 1147

View Your Assigned Access Groups 1148

Delete an Access Group 1150

Access Group Rule Filters 1151

Scan Permissions Migration 1155

Language 1157

Exports 1157

Scheduled Exports 1158

View Your Scheduled Exports 1159

Disable a Scheduled Export 1161

Enable a Disabled Scheduled Export 1162

Delete a Scheduled Export 1163

Export Activity 1164

Filter your Exports 1168

Export Filters 1169

Renew an Export Expiration Date 1171

Stop an Export 1172

Download Export Activity 1174

Export your Export Activity 1175

Delete an Export 1179

Recast/Accept Rules 1180

View Recast/Accept Rules 1182

Create a Recast Rule 1183

Create an Accept Rule for a Plugin 1185

Edit a Recast or Accept Rule 1187

Export Recast Rules 1188

Delete a Recast or Accept Rule 1191

Tags 1192

Examples: Asset Tagging 1195

Tag Format and Application 1197

Create a Manual or Automatic Tag 1198

Considerations for Tags with Rules 1201

Tag Rules 1201

Create a Tag Rule 1202

Edit a Tag Rule 1208

Delete A Tag Rule 1210

Tag Rules Filters 1211

Create a Tag via Asset Filters 1219

Edit a Tag or Tag Category 1221

Edit a Tag via Asset Filters 1222

Add a Tag to an Asset 1224

Remove a Tag from an Asset 1228

Export Tags 1231

Delete a Tag Category 1236

Delete a Tag 1238

Search for Assets by Tag from the Tags Table 1240

Sensors 1241

Agents 1241

Retrieve the Tenable Nessus Agent Linking Key 1243

Download Linked Agent Logs 1244

Restart an Agent 1245

Unlink an Agent 1247

Rename an Agent 1249

Agent Settings 1250

Modify Remote Agent Settings 1250

Modify Global Agent Settings 1260

Agent Profiles 1262

Add or Remove Agents from Agent Profiles 1266

Agent Status 1269

Export Agents 1269

Export Linked Agents 1271

Export Linked Agent Details 1274

Filter Agents 1277

Agent Filters 1279

Agent Groups 1281

Create an Agent Group 1281

Add an Agent to an Agent Group 1282

Edit an Agent Group 1284

Delete an Agent Group 1286

Remove an Agent from an Agent Group 1287

View Agents in an Agent Group 1289

Agent Group Filters 1290

Freeze Windows 1291

Create a Freeze Window 1291

Edit a Freeze Window 1292

Enable or Disable a Freeze Window 1293

Export Freeze Windows 1294

Delete a Freeze Window 1297

Plugin Updates 1298

Connection Disruptions 1299

Networks 1300

Create a Network 1301

View or Edit a Network 1302

Add a Scanner to a Network 1303

Remove a Scanner from a Network 1305

Add an Agent to a Network 1306

Remove an Agent from a Network 1309

Move Assets to a Network via Settings 1311

Delete Assets in a Network 1316

Delete Assets Manually 1316

Delete Assets Automatically 1317

Export Networks 1317

Delete a Network 1320

Linked Scanners 1322

View Linked Scanners 1323

Rename a Linked Scanner 1324

Download Linked Scanner Logs 1325

Export Linked Scanners 1326

Export Linked Scanner Details 1330

Differential Plugin Updates 1333

Scanner Groups 1333

Create a Scanner Group 1334

Modify a Scanner Group 1335

Configure User Permissions for a Scanner Group 1338

Delete a Scanner Group 1340

Add a Sensor to a Scanner Group 1341

Remove a Sensor from a Scanner Group 1343

View Sensors in a Scanner Group 1345

View All Running Scans for a Sensor 1346

OT Connectors 1346

Cloud Sensors 1349

Tenable FedRAMP Moderate Cloud Sensors 1353

Sensor Security 1354

Link a Sensor 1356

Regenerate a Linking Key 1364

View Sensors and Sensor Groups 1365

View Sensor Details 1367

Edit Sensor Settings 1368

Edit Sensor Permissions 1370

Enable or Disable a Sensor 1371

Remove a Sensor 1372

Credentials 1374

Create a Managed Credential 1374

Edit a Managed Credential 1377

Configure User Permissions for a Managed Credential 1378

Export Credentials 1380

Delete a Managed Credential 1384

Exclusions 1385

Create an Exclusion 1385

Edit an Exclusion 1386

Import an Exclusion 1387

Exclusion Import File 1387

Export an Exclusion 1389

Delete an Exclusion 1392

Exclusion Settings 1393

Connectors 1396

Amazon Web Services Connector 1397

Frictionless Assessment for AWS 1398

Operating System Coverage 1399

Licensing Considerations 1400

Supported Regions 1400

Limitations 1401

Get Started 1401

Configure AWS for Frictionless Assessment 1402

Create an AWS Connector for Frictionless Assessment 1404

Edit an AWS Frictionless Assessment Connector 1407

Manually Delete Connector Artifacts in AWS 1408

Update AWS Frictionless Assessment Connectors to Detect Log4j 1409

AWS Cloud Connector (Discovery Only) 1411

AWS Connector with Keyless Authentication (Discovery Only) 1412

Configure AWS for Keyless Authentication (Discovery Only) 1415

Create an AWS Connector with Keyless Authentication (Discovery Only) 1418

AWS Connector with Key-based Authentication 1420

Configure AWS for Key-based Authentication 1422

Configure Linked AWS Accounts for Key-based Authentication 1424

Create an AWS Connector with Key-based Authentication 1427

Microsoft Azure Connector 1428

Frictionless Assessment for Azure 1430

Create an Azure Connector for Frictionless Assessment 1432

Manually Delete Connector Artifacts from Azure Frictionless Assessment 1435

Azure Runbook Information 1436

Configure Microsoft Azure (Discovery Only) 1438

Create Azure Application 1438

Obtain Azure Tenant ID (Directory ID) 1444

Obtain Azure Subscription ID 1445

Grant the Azure Application Reader Role Permissions 1447

Link Azure Subscriptions 1452

Create a Microsoft Azure Connector 1456

Google Cloud Platform Connector 1459

Configure Google Cloud Platform (GCP) 1459

Create a Google Cloud Platform Connector (Discovery Only) 1464

Manage Existing Connectors 1466

Launch a Connector Import Manually 1466

View Connectors Details 1467

View Connector Event History 1469

Edit a Connector 1470

Delete a Connector 1474

Remove Frictionless Assessment 1475

Remove AWS Frictionless Assessment 1476

Remove Azure Frictionless Assessment 1478

Welcome to Tenable Vulnerability Management
Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams
to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor
scanners, scan schedules, scan policies, and scan results among an unlimited set of users or
groups.

Note: Tenable Vulnerability Management can be purchased alone or as part of the Tenable One package.
For more information, see Tenable One.

Tip: The Tenable Vulnerability Management User Guide is available in English and Japanese. The Tenable
Vulnerability Management user interface is available in English, Japanese, and French. To switch the user
interface language, see Language.

For additional information on Tenable Vulnerability Management, review the following customer
education materials:

• Tenable Vulnerability Management Self Help Guide

• Tenable Vulnerability Management Introduction (Tenable University)

Tenable One Exposure Management Platform


Tenable One is an Exposure Management Platform to help organizations gain visibility across the
modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber
risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources,
containers, web apps, and identity systems, builds on the speed and breadth of vulnerability
coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and
communicate cyber risk. Tenable One allows organizations to:

• Gain comprehensive visibility across the modern attack surface

• Anticipate threats and prioritize efforts to prevent attacks

• Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of
the Tenable One Exposure Management platform.

Tip: For additional information on getting started with Tenable One products, check out the Tenable One
Deployment Guide.

Tenable Vulnerability Management


Video: Introduction to Tenable Vulnerability Management

Get Started with Tenable Vulnerability Management

By making resources shareable among users and groups, Tenable Vulnerability Management lets
you build customized workflows for your vulnerability management program, whatever regulatory
or compliance drivers apply to your business.

Tenable Vulnerability Management can schedule scans, push policies, view scan findings, and
control multiple Tenable Nessus scanners from the cloud. This allows Tenable Nessus scanners to
be deployed throughout your networks, in public and private clouds as well as in multiple
physical locations.

Tenable Lumin
Get Started with Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Lumin features augment Tenable Vulnerability Management data. Use Tenable Lumin to
quickly and accurately assess your exposure risk and compare your health and remediation
performance to other Tenable customers in your Salesforce industry and the larger population.

Tenable Lumin correlates raw vulnerability data with asset business criticality and threat context
data to support faster, more targeted analysis workflows than traditional vulnerability management
tools.

Tenable Web App Scanning


Tenable Web App Scanning offers significant improvements over the existing Web Application
Tests policy template provided by the Tenable Nessus scanner. That template cannot assess modern
web applications that rely on JavaScript and are built on HTML5, which leaves you with an
incomplete understanding of your web application security posture.

Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web
applications. Tenable Web App Scanning's accurate vulnerability coverage minimizes false positives
and false negatives, ensuring that security teams understand the true security risks in their web
applications. The product offers safe external scanning that ensures production web applications
are not disrupted or delayed, including those built using HTML5 and AJAX frameworks.

Tenable Container Security


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Video: Introducing Tenable Container Security

Tenable Container Security stores and scans container images as the images are built, before
production. It provides vulnerability and malware detection, along with continuous monitoring of
container images. By integrating with the continuous integration and continuous deployment
(CI/CD) systems that build container images, Tenable Container Security checks that every
container reaching production is compliant with enterprise policy.

Tenable Vulnerability Management API


See the API

The Tenable Vulnerability Management API can be leveraged to develop your own applications using
various features of the Tenable Vulnerability Management platform, including scanning, creating
policies, and user management.

Get Started with Tenable Vulnerability Management


Use the following getting started sequence to configure and mature your Tenable Vulnerability
Management deployment.

1. Prepare a Deployment Plan

2. Install and Link Scanners

3. Configure Scans

4. Additional Tenable Vulnerability Management Configurations

5. Review and Analyze

6. Expand

Tip: For additional information on Tenable Vulnerability Management, review the following customer
education materials:

• Tenable Vulnerability Management Self Help Guide

• Tenable Vulnerability Management Introduction (Tenable University)

Prepare a Deployment Plan


To establish a deployment plan and analysis workflow:

1. Review principles of the TCP/IP internet protocol suite. Tenable Vulnerability Management
documentation assumes you know basic networking concepts and principles.

2. Get your Tenable Vulnerability Management access information and starter account
credentials from your Tenable representative.

3. If necessary, access Tenable Support and training resources for Tenable Vulnerability
Management, including the Professional Services Scan Strategy guide.

4. Design a deployment plan by identifying your organization's objectives and analyzing your
network topology. Consider Tenable-recommended best practices for your environment.

For more information about environment requirements, see the guidelines provided for your
scanner in the General Requirements Guide. For more information about supported browsers
for Tenable Vulnerability Management, see System Requirements.

5. Design an internal scanning and external scanning plan. Identify the scans you intend to run
and ensure that you have sufficient network coverage.

6. Design an analysis workflow. Identify key stakeholders in your management and operational
groups, considering the data you intend to share with each stakeholder.

Install and Link Scanners

To install your scanners and link them to Tenable Vulnerability Management:

1. Log in to the Tenable Vulnerability Management user interface.

2. Set up your linked scanners:

• If your deployment plan includes Tenable Nessus scanners, install Tenable Nessus as
described in Install Tenable Nessus in the Tenable Nessus User Guide.

• If your deployment plan includes Tenable Nessus Agents, install agents as described in
Install Tenable Nessus Agents in the Tenable Nessus Agent Deployment and User Guide.

• If your deployment plan includes Tenable Nessus Network Monitor, install Tenable
Nessus Network Monitor as described in Install NNM in the Tenable Nessus Network
Monitor User Guide.
  ◦ Then, configure Tenable Nessus Network Monitor to communicate with Tenable
  Vulnerability Management, as described in Configure NNM in the Tenable Nessus
  Network Monitor User Guide.

• If your deployment plan includes Tenable Web App Scanning, install the Tenable Web App
Scanning scanner as described in Deploy or Install Tenable Core + Tenable Web App
Scanning in the Tenable Core User Guide.

Then, link your first scanners to Tenable Vulnerability Management, as described in Link a
Sensor.

Configure Scans
Configure and run basic scans to begin evaluating the effectiveness of your deployment
plan and analysis workflow:

Note: For information on how to configure scans based on your environment and business needs, see the
Tenable Vulnerability Management Scan Tuning Guide.

1. Configure your first active scan using the Basic Network Scan template:

a. Create a scanner group, as described in Create a Scanner Group.

b. Create a scan using the Basic Network Scan template, as described in Create a Scan.

2. Configure your first agent scan using the Basic Agent Scan template:

a. Create an agent group, as described in Create an Agent Group.

b. Create an agent scan using the Basic Agent Scan template, as described in Create a
Scan.

3. Launch your first Tenable Nessus scan and agent scan, as described in Launch a Scan.

4. Confirm your Tenable Nessus scan and agent scan completed, accessing all targeted areas of
your network. Review your discovered assets to assess your knowledge of your network.
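The Configure Scans sequence above, and the Tenable Vulnerability Management API mentioned earlier, can be driven from code rather than the user interface. The following is an added example written for this page; it is not code from the Tenable guide or from any Tenable library. It assumes the X-ApiKeys header format and the /editor/scan/templates, /scans and /scans/{id}/launch endpoints of the public API reference at https://developer.tenable.com; the JSON response shapes it reads, the template UUID, scan id and scan_uuid values, and the 192.0.2.0/24 targets are all constructed so that the example runs offline through FakeTransport.

```python
"""Added example (not Tenable's code): the Configure Scans steps driven through
the Tenable Vulnerability Management REST API. Endpoints and the X-ApiKeys header
are assumed to follow https://developer.tenable.com; response shapes and every
value returned by FakeTransport are constructed for this example."""
import json
import os
import urllib.request

BASE_URL = "https://cloud.tenable.com"


def api_key_header(access_key: str, secret_key: str) -> dict:
    """Build the X-ApiKeys header. A key pair carries the owning user's full
    role, so it is read from the environment and never committed to source."""
    if not access_key or not secret_key:
        raise ValueError("both an access key and a secret key are required")
    return {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def urllib_transport(method, url, headers, body):
    """Real HTTPS transport, used only when no offline transport is injected."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


class TioClient:
    """Thin client: every call goes through an injectable transport so the
    request sequence can be exercised without network access."""

    def __init__(self, access_key, secret_key, transport=urllib_transport):
        self.headers = api_key_header(access_key, secret_key)
        self.transport = transport

    def _call(self, method, path, body=None):
        return self.transport(method, BASE_URL + path, self.headers, body)

    def template_uuid(self, template_name: str) -> str:
        """Resolve a Tenable-provided template by its short name ('basic' is
        assumed to be the Basic Network Scan) instead of hardcoding a UUID."""
        for tmpl in self._call("GET", "/editor/scan/templates")["templates"]:
            if tmpl["name"] == template_name:
                return tmpl["uuid"]
        raise LookupError(f"no scan template named {template_name!r}")

    def create_scan(self, name: str, targets: list, template_name="basic") -> int:
        """Create the scan (unscheduled) and return its numeric scan id."""
        payload = {
            "uuid": self.template_uuid(template_name),
            "settings": {"name": name, "text_targets": ",".join(targets), "enabled": False},
        }
        return self._call("POST", "/scans", payload)["scan"]["id"]

    def launch_scan(self, scan_id: int) -> str:
        """Launch a configured scan; the API answers with the run's scan_uuid."""
        return self._call("POST", f"/scans/{scan_id}/launch")["scan_uuid"]


class FakeTransport:
    """Constructed offline stand-in for the API; records each call it receives."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if not headers.get("X-ApiKeys", "").startswith("accessKey="):
            raise PermissionError("401: missing or malformed X-ApiKeys header")
        path = url[len(BASE_URL):]
        if (method, path) == ("GET", "/editor/scan/templates"):
            return {"templates": [{"uuid": "tmpl-basic-0000", "name": "basic",
                                   "title": "Basic Network Scan"}]}
        if (method, path) == ("POST", "/scans"):
            return {"scan": {"id": 42, "name": body["settings"]["name"]}}
        if (method, path) == ("POST", "/scans/42/launch"):
            return {"scan_uuid": "launch-uuid-0001"}
        raise RuntimeError(f"unexpected call {method} {path}")


def run_first_scan(client: TioClient, targets: list) -> tuple:
    """Steps 1b and 3 of Configure Scans: create a Basic Network Scan, launch it."""
    scan_id = client.create_scan("First Basic Network Scan", targets)
    return scan_id, client.launch_scan(scan_id)


if __name__ == "__main__":
    ak = os.environ.get("TIO_ACCESS_KEY", "")
    sk = os.environ.get("TIO_SECRET_KEY", "")
    # Without real keys, fall back to the constructed transport so it runs offline.
    transport = urllib_transport if ak and sk else FakeTransport()
    client = TioClient(ak or "demo-access", sk or "demo-secret", transport)
    print(run_first_scan(client, ["192.0.2.10", "192.0.2.0/28"]))
```

Because an API key pair inherits the role of the user who generated it (see Generate API Keys and API Access Security in this guide), the practitioner's check is to generate the pair under a dedicated, least-privilege account rather than an administrator, keep it in environment variables or a secret store, and verify the request sequence against the fake transport before pointing the client at cloud.tenable.com.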

Additional Tenable Vulnerability Management Configurations


Configure other features, if necessary, and refine your existing configurations:

1. Create user accounts and create user groups within your Tenable Vulnerability Management
container.

2. Create access groups to manage view and scan permissions for assets and targets.

3. Configure tags to organize, group, and control access to assets.

4. Set up asset discovery with connectors, Professional Services integrations, or integrated
   products. For more information, see Connectors, the Custom Integration Services page, or
   the Integration Guides section of the Tenable Vulnerability Management Documentation page.

5. Configure managed credentials, scan-specific credentials, or policy-specific credentials for a
   Tenable Nessus scan, as described in Credentials. For more information about configuring
   and troubleshooting credentialed scans, see Tenable Nessus Credentialed Checks.

a. Launch your credentialed Tenable Nessus scan and credentialed agent scan, as
described in Launch a Scan.

b. Confirm your credentialed scan completed, accessing all targeted areas of your
network.

6. If you want to assess your exposure, obtain a Tenable Lumin license.

7. If you want to perform web application scanning, obtain a Tenable Web App Scanning license.

8. If you want to evaluate risk on your containers, obtain a Tenable Container Security license.

9. Configure user Access Control to control which objects users can and cannot view and interact
   with in Tenable Vulnerability Management.

Review and Analyze


Tip: Tenable recommends frequently reviewing your scan results and scan coverage. You may need to
modify your scan configurations to suit your organization's objectives and reach all areas of your network.

To review and analyze your data further, you can:

1. View your scans and individual scan details.

2. View and analyze your vulnerability and asset findings via the Findings and Assets pages.

3. Create a dashboard to gain immediate insight and quickly analyze vulnerabilities in your
network. Use interactive widgets and customizable tables to explore your data.

4. Filter your dashboards, assets, and findings to drill into data and investigate your progress.

5. Create recast or accept rules to recast or accept vulnerabilities discovered by scans.

6. Create a report to share scan and vulnerability information with others in your organization.

Expand
Tenable recommends the following as best practices to keep up to date with your
deployment plan and analysis workflow:

- Conduct weekly meetings to review your organization's responses to identified vulnerabilities.
  Conduct weekly management meetings to oversee your teams executing the analysis
  workflow.

- Review your scan results and scan coverage. You may need to modify your scan
  configurations to suit your organization's objectives and reach all areas of your network.

- Consider API integrations, as described in the Tenable Vulnerability Management API
  Documentation.

Tenable Vulnerability Management Licenses


This topic breaks down the licensing process for Tenable Vulnerability Management as a standalone
product. It also explains how assets are counted, lists add-on components you can purchase,
explains how licenses are reclaimed, and notes plugins whose output is excluded from your license
count.

Licensing Tenable Vulnerability Management


To use Tenable Vulnerability Management, you purchase licenses based on your organizational
needs and environmental details. Tenable Vulnerability Management then assigns those licenses to
your assets: assessed resources from the past 90 days, either identified on scans or imported with
vulnerabilities (for example, servers, storage devices, network devices, virtual machines, or
containers).

When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click
the button and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more,
contact your Tenable representative.

How Assets Are Counted


When Tenable Vulnerability Management scans an asset, it compares it to previously discovered
assets. In general, if the new asset does not match a previously discovered asset and has been
assessed for vulnerabilities, it counts towards your license.

Tenable Vulnerability Management uses a complex algorithm to identify new assets without creating
duplicates. The algorithm looks at the asset's BIOS UUID, MAC address, NetBIOS name, fully
qualified domain name (FQDN), and more. Authenticated scanners or agents also assign a Tenable
UUID to each asset to mark it as unique. For more information, see the Tenable Vulnerability
Management FAQ.

The following table describes when assets count towards your license.

Counted Towards Your License:

- An asset identified by an active scan.
- An asset identified by an agent scan.
- An asset import containing vulnerabilities (for example, a scan result from Tenable Nessus
  Professional).
- Host and Tenable Web App Scanning asset types, if the last licensed scan was within the past
  90 days.
- An asset identified by a scan with plugin debugging enabled. To prevent such assets from
  counting against your license, delete them.

Not Counted Towards Your License:

- A scan configured with the Host Discovery template or configured to use only the discovery
  plugins.
- An asset import containing no vulnerabilities (for example, ServiceNow data).
- A linked instance of Tenable Nessus Network Monitor running in discovery mode.
- A discovery-only connector, until and unless the asset is scanned for vulnerabilities.
- Scanned Mobile Device Management assets.
- Some plugin output, as described in Excluded Plugin Output.

Tenable Vulnerability Management Components


You can customize Tenable Vulnerability Management for your use case by adding components.
Some components are add-ons that you purchase.

Included with Purchase:

- Unlimited Tenable Nessus scanners.
- Unlimited Tenable Nessus Agents.
- Unlimited Tenable Nessus Network Monitors with vulnerability detection.
- Access to the Tenable Vulnerability Management API.

Add-on Components:

- Tenable PCI ASV.
- Tenable Attack Surface Management.

Reclaiming Licenses
When you purchase licenses, your total license count is static for the length of your contract unless
you purchase more licenses. However, Tenable Vulnerability Management reclaims licenses under
some conditions—and then reassigns them to new assets so that you do not run out of licenses.

The following table explains how Tenable Vulnerability Management reclaims licenses.

Asset Type: License Reclamation Process

Deleted assets: Tenable Vulnerability Management removes deleted assets from the Assets
workbench and reclaims their licenses within 24 hours.

Aged out assets: In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable
Vulnerability Management reclaims assets after they have not been scanned for a period you
specify.

Assets from connectors: Tenable Vulnerability Management reclaims assets from connectors the
day after they are terminated. You can observe this event in each connector.

All other assets: Tenable Vulnerability Management reclaims all other assets, such as those
imported from other products or assets with no age-out setting, after they have not been
scanned for 90 days.

Exceeding the License Limit


To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated
threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed,
Tenable clearly communicates the overage and then reduces functionality in three stages.

Scenario: Result

You scan more assets than are licensed for three consecutive days: A message appears in
Tenable Vulnerability Management.

You scan more assets than are licensed for 15+ days: A message and a warning about reduced
functionality appear in Tenable Vulnerability Management.

You scan more assets than are licensed for 45+ days: A message appears in Tenable Vulnerability
Management; scan and export features are disabled.

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated
asset counts. To learn more, see Scan Best Practices.

Expired Licenses
The Tenable Vulnerability Management licenses you purchase are valid for the length of your
contract. 30 days before your license expires, a warning appears in the user interface. During this
renewal period, work with your Tenable representative to add or remove products or change your
license count.

After your license expires, you can no longer sign in to the Tenable platform.

Excluded Plugin Output


The plugins listed in this section do not count towards your license limit.

Note: Plugin IDs are static, but Tenable products may sometimes update plugin names. For the latest
information on plugins, see Tenable Plugins.

Tenable Nessus Plugins in Discovery Settings


Configure the following Tenable Nessus plugins in Discovery Settings. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

10180 Ping the remote host

10335 Nessus TCP scanner

11219 Nessus SYN scanner

14274 Nessus SNMP Scanner

14272 Netstat Portscanner (SSH)

34220 Netstat Portscanner (WMI)

34277 Nessus UDP Scanner

Tenable Nessus Plugins on the Plugins Page


Configure the following Tenable Nessus plugins on the Plugins page. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

45590 Common Platform Enumeration (CPE)

54615 Device Type

12053 Host Fully Qualified Domain Name (FQDN)

11936 OS Identification

10287 Traceroute Information

22964 Service Detection

11933 Do not scan printers

87413 Host Tagging

19506 Nessus Scan Information

33812 Port scanners settings

33813 Port scanner dependency

Tenable Nessus Network Monitor Plugins


The following Tenable Nessus Network Monitor plugins do not count towards your license.

Tenable Nessus Network Monitor Plugin ID Plugin Name

0 Open Ports

12 Host TTL discovered

18 Generic Protocol Detection

19 VLAN ID Detection

20 Generic IPv6 Tunnel Traffic Detection

113 VXLAN ID Detection

132 Host Attribute Enumeration
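To see how the counting, reclamation, overage and excluded-plugin rules in this topic combine, the following added example (not Tenable code, and not how the platform itself computes its count) applies them to a constructed inventory. The record fields, the placeholder plugin IDs 100001 and 100002, and the per-asset age-out field are assumptions made here for illustration; the excluded plugin IDs and the 90-day window are the ones listed above.

```python
"""Added example: estimate license consumption from the rules in this topic.
Not Tenable code. Record fields, placeholder plugin IDs (100001, 100002) and
the per-asset age-out field are assumptions made here for illustration."""
from datetime import date, timedelta

# Plugin IDs that this topic lists as excluded from the license count.
EXCLUDED_NESSUS_PLUGINS = {
    10180, 10335, 11219, 14274, 14272, 34220, 34277,            # Discovery Settings
    45590, 54615, 12053, 11936, 10287, 22964, 11933, 87413,     # Plugins page
    19506, 33812, 33813,
}
EXCLUDED_NNM_PLUGINS = {0, 12, 18, 19, 20, 113, 132}             # Nessus Network Monitor

DEFAULT_RECLAIM_DAYS = 90      # "all other assets" window from the reclamation table


def is_licensed(asset: dict, today: date) -> bool:
    """True if the record should still hold a license on the given date.

    Constructed record keys: source ('active', 'agent', 'nnm', 'import',
    'connector'), plugin_ids (plugins that produced findings), last_assessed
    (date), and the optional flags deleted, discovery_only, age_out_days.
    """
    if asset.get("deleted"):
        return False                            # reclaimed within 24 hours
    if asset.get("discovery_only"):
        return False                            # Host Discovery, discovery-mode NNM, no-finding import
    excluded = EXCLUDED_NNM_PLUGINS if asset["source"] == "nnm" else EXCLUDED_NESSUS_PLUGINS
    if not set(asset.get("plugin_ids", ())) - excluded:
        return False                            # only excluded plugin output was produced
    window_days = asset.get("age_out_days") or DEFAULT_RECLAIM_DAYS
    return (today - asset["last_assessed"]).days <= window_days


def license_usage(inventory: list, today: date) -> int:
    """Number of records consuming a license on the given date."""
    return sum(1 for a in inventory if is_licensed(a, today))


def overage_stage(licensed: int, used: int, days_over: int) -> str:
    """Translate a sustained overage into the stages this topic describes."""
    if used <= licensed:
        return "ok"
    if days_over >= 45:
        return "scans and exports disabled"
    if days_over >= 15:
        return "reduced-functionality warning"
    if days_over >= 3:
        return "overage message"
    return "within elastic allowance"


# Constructed inventory anchored to a fixed date so the result is deterministic.
TODAY = date(2024, 6, 20)
SAMPLE_INVENTORY = [
    # counted: a vulnerability plugin fired and the scan is recent
    {"source": "active", "plugin_ids": [19506, 11936, 100001], "last_assessed": TODAY - timedelta(days=10)},
    # not counted: last assessed more than 90 days ago
    {"source": "agent", "plugin_ids": [19506, 100001], "last_assessed": TODAY - timedelta(days=100)},
    # not counted: only discovery-settings plugins fired
    {"source": "active", "plugin_ids": [10180, 11219, 19506], "last_assessed": TODAY - timedelta(days=1)},
    # not counted: import without vulnerabilities (ServiceNow-style)
    {"source": "import", "discovery_only": True, "plugin_ids": [], "last_assessed": TODAY},
    # counted: NNM with a non-excluded (placeholder) plugin, i.e. vulnerability detection
    {"source": "nnm", "plugin_ids": [0, 12, 100002], "last_assessed": TODAY - timedelta(days=5)},
    # not counted: a 30-day Asset Age Out has already passed
    {"source": "active", "plugin_ids": [100001], "last_assessed": TODAY - timedelta(days=40), "age_out_days": 30},
    # not counted: deleted from the Assets workbench
    {"source": "active", "plugin_ids": [100001], "last_assessed": TODAY, "deleted": True},
]

if __name__ == "__main__":
    used = license_usage(SAMPLE_INVENTORY, TODAY)
    print(f"records consuming a license: {used}")
    print(f"with 1 license, 20 days over: {overage_stage(1, used, 20)}")
```

The third record is the case that surprises most teams: a scan that only runs port scanners and discovery plugins is free, but add a single vulnerability plugin to the policy and the same host becomes billable for 90 days, which is why scan hygiene matters for the overage stages above.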

System Requirements

Display Settings
Minimum screen resolution: 1440 x 1024

Supported Browsers
Tenable Vulnerability Management supports the latest versions of the following browsers.

Note: Before reporting issues with Tenable Vulnerability Management, ensure your browser is up to date.

l Google Chrome

l Apple Safari

l Mozilla Firefox

l Microsoft Edge

Note: Tenable Vulnerability Management is not supported on mobile browsers.

Sensor Connection Requirements


Tenable Vulnerability Management requires access to specific addresses and ports for inbound and
outbound traffic with scanners and agents:

- 162.159.129.83/32
- 162.159.130.83/32
- 162.159.140.26/32
- 172.66.0.26/32
- 2606:4700:7::1a
- 2a06:98c1:58::1a
- 2606:4700:7::a29f:8153
- 2606:4700:7::a29f:8253
- *.cloud.tenable.com, using the wildcard character (*) so that the rule covers cloud.tenable.com
  itself and all of its subdomains, such as sensor.cloud.tenable.com

Tip: For information about the port requirements for Tenable Security Center, Tenable Nessus
scanners, and Tenable Nessus Agents, see the following topics:
- Tenable Security Center Port Requirements
- Tenable Nessus Port Requirements
- Tenable Nessus Agent Port Requirements
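The following added example (not Tenable code) turns the address list above into a checkable egress policy for a Tenable Nessus Agent host, which apart from name resolution needs no outbound connectivity other than the platform link. It assumes TCP 443 as the destination port and eth0 as the interface name (this topic lists addresses only). The hostname check is deliberately stricter than a substring match, so that look-alike names such as cloud.tenable.com.example.net or evil-cloud.tenable.com do not pass; any proxy in the path needs its own rule.

```python
"""Added example: validate and render sensor egress rules from the address
list in this topic. Not Tenable code. TCP 443 and the interface name eth0
are assumptions made here; the topic lists addresses only."""
import ipaddress
from typing import Optional

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "162.159.129.83/32", "162.159.130.83/32", "162.159.140.26/32", "172.66.0.26/32",
    "2606:4700:7::1a/128", "2a06:98c1:58::1a/128",
    "2606:4700:7::a29f:8153/128", "2606:4700:7::a29f:8253/128",
)]
ALLOWED_DOMAIN = "cloud.tenable.com"     # *.cloud.tenable.com, including the apex
ALLOWED_PORT = 443                        # assumption: sensors use HTTPS to the platform


def host_allowed(hostname: str) -> bool:
    """True for cloud.tenable.com and any label beneath it.

    A plain substring or endswith() test would also accept
    'evil-cloud.tenable.com' or 'cloud.tenable.com.example.net'; requiring the
    label boundary ('.' + domain) or an exact apex match rejects both.
    """
    name = hostname.lower().rstrip(".")
    return name == ALLOWED_DOMAIN or name.endswith("." + ALLOWED_DOMAIN)


def address_allowed(ip: str) -> bool:
    """True if the destination address is one of the published platform addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def egress_allowed(dst_ip: str, dst_port: int, sni: Optional[str] = None) -> bool:
    """Decide one outbound flow: published address, expected port and, when the
    TLS SNI is visible, a hostname under the allowed domain."""
    if dst_port != ALLOWED_PORT or not address_allowed(dst_ip):
        return False
    return sni is None or host_allowed(sni)


def nft_rules(ifname: str = "eth0") -> str:
    """Render an nftables output chain that only permits the platform link
    (plus loopback, replies and DNS). Suitable for an agent host; a scanner
    also needs rules for the targets it scans."""
    lines = [
        "table inet tenable_sensor {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oifname lo accept",
        "    ct state established,related accept",
        "    udp dport 53 accept  # name resolution; narrow this to your resolvers",
    ]
    for net in ALLOWED_NETWORKS:
        family = "ip" if net.version == 4 else "ip6"
        lines.append(f'    oifname "{ifname}" {family} daddr {net.network_address} '
                     f"tcp dport {ALLOWED_PORT} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows as a firewall log might summarise them: (dst, port, SNI).
SAMPLE_FLOWS = [
    ("162.159.129.83", 443, "sensor.cloud.tenable.com"),
    ("2606:4700:7::a29f:8153", 443, "cloud.tenable.com"),
    ("162.159.129.83", 80, "cloud.tenable.com"),               # wrong port
    ("162.159.129.84", 443, "cloud.tenable.com"),              # off-list neighbour
    ("162.159.129.83", 443, "cloud.tenable.com.example.net"),  # look-alike name
]

if __name__ == "__main__":
    for dst, port, sni in SAMPLE_FLOWS:
        verdict = "allow" if egress_allowed(dst, port, sni) else "deny"
        print(f"{dst:>24} :{port} {sni:<30} {verdict}")
    print(nft_rules())
```

Run it before linking a sensor to confirm the intended rule set matches the published addresses; when Tenable changes the list, only ALLOWED_NETWORKS needs updating and the rendered chain follows.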

Log in to Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: If you bookmark a Tenable Vulnerability Management page within your browser, you must still log in
before accessing the bookmarked page.
In some cases, you may also need to navigate through the Workspace page and navigate to the Tenable
Vulnerability Management application before accessing the bookmarked page.

Before you begin:


- Obtain credentials for your Tenable Vulnerability Management user account.

  Note: If you are an administrator logging in to your Tenable Vulnerability Management instance for
  the first time, Tenable provides your first-time credentials during setup. After you log in for the first
  time, you can set your new password. If you are logging in to Tenable Vulnerability Management after
  initial setup, your username is the email address you used to register for your Tenable Vulnerability
  Management account.

- Review the System Requirements in the General Requirements User Guide and confirm that
  your computer and browser meet the requirements.

Note: If your account is configured to use SAML, you can log in to Tenable Vulnerability Management
directly through your SAML provider. For more information, see SAML.

To log in to Tenable Vulnerability Management:

1. In a supported browser, navigate to https://cloud.tenable.com.

The Tenable Vulnerability Management login page appears.

2. In the username box, type your Tenable Vulnerability Management username.

3. In the password box, type the Tenable Vulnerability Management password you created during
registration.

4. (Optional) To retain your username for later sessions, select the Remember Me check box.

5. Click Sign In.

The Tenable Vulnerability Management Workspace page appears.

Note: Tenable Vulnerability Management logs you out after a period of inactivity (typically, 30
minutes).

CVSS vs. VPR


Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the
Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated
for a vulnerability associated with the plugin.
For Tenable Lumin-specific information about VPR and the other Tenable Lumin metrics, see
Tenable Lumin Metrics.

CVSS

Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved
from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS
scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the
CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors, Tenable
independently calculates the Risk Factor.

Tenable Vulnerability Management imports a CVSS score every time a scan sees a vulnerability.

CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

Tenable Vulnerability Management analysis pages provide summary information about


vulnerabilities using the following CVSS categories. For more information about the icons used for
each severity, see Vulnerability Severity Indicators.

Severity: CVSSv2 Range / CVSSv3 Range / CVSSv4 Range

Critical
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is 10.0.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0.
  CVSSv4: The plugin's highest vulnerability CVSSv4 score is between 9.0 and 10.0.

High
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9.
  CVSSv4: The plugin's highest vulnerability CVSSv4 score is between 7.0 and 8.9.

Medium
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9.
  CVSSv4: The plugin's highest vulnerability CVSSv4 score is between 4.0 and 6.9.

Low
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9.
  CVSSv4: The plugin's highest vulnerability CVSSv4 score is between 0.1 and 3.9.

Info
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is 0, or the plugin does not search for
  vulnerabilities.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is 0, or the plugin does not search for
  vulnerabilities.
  CVSSv4: The plugin's highest vulnerability CVSSv4 score is 0, or the plugin does not search for
  vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin
and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability
Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS
scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a
custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Video: Vulnerability Priority Rating in Tenable Vulnerability Management

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many
vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these
vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:

- The Tenable-provided Vulnerability Management Overview dashboard

- The Vulnerabilities by Plugin plane

- The Vulnerabilities by Plugin (Classic) page

VPR Key Drivers

You can view the following key drivers to explain a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver: Description

Age of Vuln: The number of days since the National Vulnerability Database (NVD) published
the vulnerability.

CVSSv3 Impact Score: The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did
not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

Exploit Code Maturity: The relative maturity of a possible exploit for the vulnerability based on the
existence, sophistication, and prevalence of exploit intelligence from internal and external sources
(for example, ReversingLabs, Exploit-DB, and Metasploit). The possible values (High, Functional,
PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage: The relative number of unique products affected by the vulnerability: Low,
Medium, High, or Very High.

Threat Sources: A list of all sources (for example, social media channels and the dark web) where
threat events related to this vulnerability occurred. If the system did not observe a related threat
event in the past 28 days, the system displays No recorded events.

Threat Intensity: The relative intensity based on the number and frequency of recently observed
threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Threat Recency: The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums

Vulnerability Severity Indicators


Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

The Tenable Vulnerability Management interface uses different icons for each severity category and
accepted or recasted status.

Category   Status (each combination has its own icon)

Critical   You have not accepted or recasted the risk.
Critical   You accepted the risk.
Critical   You recasted the severity to Critical.

High       You have not accepted or recasted the risk.
High       You accepted the risk.
High       You recasted the severity to High.

Medium     You have not accepted or recasted the risk.
Medium     You accepted the risk.
Medium     You recasted the severity to Medium.

Low        You have not accepted or recasted the risk.
Low        You accepted the risk.
Low        You recasted the severity to Low.

Info       You have not accepted or recasted the risk.
Info       You accepted the risk.
Info       You recasted the severity to Info.

Vulnerability Mitigation
Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed.
When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability
remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the
Fixed category.

Active Vulnerabilities

Active vulnerabilities are any vulnerabilities in the New, Active, or Resurfaced states. For more
information, see Vulnerability States.

Fixed Vulnerabilities
The Fixed category contains vulnerabilities that Tenable Vulnerability Management determines are
no longer present, based on the scan definition, the results of the scan, and authentication
information. To be considered for mitigation, a vulnerability must be active, and the scan that no
longer reports it must have authenticated successfully.

A vulnerability is mitigated when:

- The vulnerability's IP address or another combination of identifying attributes (IAs) is on the
  scan's target list. For more information on IAs, see the Tenable Community.

- The vulnerability's plugin ID is listed in the scan policy.

- The vulnerability's port is on the list of scanned ports.

- A vulnerability with that combination of IP address, port, protocol, and plugin ID is not listed in
  the scan results.

Mitigation Exceptions
Note the following exceptions for vulnerability mitigation:

- Vulnerabilities identified during a thorough scan by a plugin with the thorough_tests attribute
  can only be mitigated by another thorough scan.

- Vulnerabilities identified during a paranoid scan by a plugin with the
  requires_paranoid_scanning attribute can only be mitigated by another paranoid scan.

- Vulnerabilities discovered by a local or combined plugin reported on port 0 or 445 via a
  credentialed scan can only be mitigated by another credentialed scan.

- The list of scanned ports is expanded to "all" ports when one of the following plugins
  triggered on the host: 14272 (Netstat Portscanner (SSH)), 34220 (Netstat Portscanner (WMI)),
  or 14274 (Nessus SNMP Scanner).

- Agent scans cannot mitigate vulnerabilities discovered by a combined type plugin reported on
  a remote port (that is, a port other than 0 or 445).

Vulnerability States

Tenable assigns a state to vulnerabilities detected on your network. You can track and filter by
vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.
To filter for vulnerabilities by their state, use the Findings workbench.

Vulnerability State: Description

New: Indicates that Tenable Vulnerability Management detected the vulnerability once.

Active: Indicates that Tenable Vulnerability Management detected the vulnerability more than once.

  Note: When you filter for Active vulnerabilities, Tenable Vulnerability Management also returns
  New vulnerabilities. For filtering purposes, New is a subcategory of Active.

Fixed: Indicates that Tenable Vulnerability Management detected the vulnerability on a host, but no
longer detects it.

  Note: To view Fixed vulnerabilities by date range, use the Last Fixed filter.

Resurfaced: Indicates that Tenable Vulnerability Management previously marked the vulnerability as
Fixed, but has detected it again. When a vulnerability is Resurfaced, it remains in this state until a
scan identifies the vulnerability as remediated. Then, the vulnerability returns to Fixed.

Note: The API uses different terms for vulnerability states than the user interface. In the API, the new and
active states are both labeled as open. The resurfaced state is labeled as reopened. The fixed state is the
same.
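The following added example (not Tenable code) applies the mitigation rules from the Vulnerability Mitigation topic and the state transitions from the table above to a constructed host. The record layout, the placeholder plugin IDs 100001 to 100004, and the two sample scan runs are assumptions made here for illustration. The point it makes is the one that causes most "why is this still Active?" tickets: a scan that does not see a finding only moves it to Fixed when that scan could have seen it, so an uncredentialed run leaves a local finding untouched, a non-thorough run leaves a thorough_tests finding untouched, and a previously Fixed finding that reappears becomes Resurfaced (reopened in the API).

```python
"""Added example: mitigation rules and vulnerability-state transitions from
this guide applied to constructed findings. Not Tenable code; record layout,
placeholder plugin IDs and sample scan runs are assumptions made here."""
from dataclasses import dataclass, field

NETSTAT_PLUGINS = {14272, 34220, 14274}   # SSH netstat, WMI netstat, SNMP: port list becomes "all"
API_STATE = {"New": "open", "Active": "open", "Resurfaced": "reopened", "Fixed": "fixed"}


@dataclass
class Finding:
    asset: str
    plugin_id: int
    port: int
    protocol: str = "tcp"
    plugin_type: str = "remote"      # 'remote', 'local' or 'combined'
    thorough: bool = False           # plugin carries thorough_tests
    paranoid: bool = False           # plugin carries requires_paranoid_scanning
    state: str = "New"
    detections: int = 1

    def key(self):
        return (self.asset, self.plugin_id, self.port, self.protocol)


@dataclass
class ScanRun:
    targets: set
    plugin_ids: set
    ports: set
    results: set                     # Finding keys detected by this run
    credentialed: bool = False
    thorough: bool = False
    paranoid: bool = False
    agent: bool = False
    triggered: set = field(default_factory=set)   # (asset, plugin_id) for every plugin that fired


def is_mitigated(f: Finding, scan: ScanRun) -> bool:
    """Mitigation rules: in target list, plugin in policy, port scanned,
    absent from results, plus the listed exceptions."""
    if f.state == "Fixed" or f.key() in scan.results:
        return False
    if f.asset not in scan.targets or f.plugin_id not in scan.plugin_ids:
        return False                                 # out of scope: inconclusive
    if (f.thorough and not scan.thorough) or (f.paranoid and not scan.paranoid):
        return False
    if f.plugin_type in ("local", "combined") and f.port in (0, 445):
        return scan.credentialed                     # only another credentialed scan can clear it
    if scan.agent and f.plugin_type == "combined":
        return False                                 # agents never clear combined plugins on remote ports
    all_ports = any((f.asset, p) in scan.triggered for p in NETSTAT_PLUGINS)
    return all_ports or f.port in scan.ports


def next_state(state: str, detected: bool) -> str:
    """State machine from the Vulnerability States table."""
    if not detected:
        return "Fixed"
    if state == "Fixed":
        return "Resurfaced"          # stays Resurfaced until a scan clears it again
    if state == "New":
        return "Active"              # seen more than once
    return state


def matches_filter(state: str, wanted: str) -> bool:
    """UI filter semantics: filtering for Active also returns New."""
    return state in ("New", "Active") if wanted == "Active" else state == wanted


def apply_scan(findings, scan: ScanRun):
    for f in findings:
        if f.key() in scan.results:
            f.state = next_state(f.state, True)
            f.detections += 1
        elif is_mitigated(f, scan):
            f.state = next_state(f.state, False)
        # otherwise this run could not prove the finding gone; the state is unchanged
    return findings


def run_scenario():
    """Constructed host with four findings, then an uncredentialed run and a credentialed run."""
    findings = [
        Finding("10.0.0.5", 100001, 443, state="Active", detections=3),
        Finding("10.0.0.5", 100002, 0, plugin_type="local", state="Active", detections=2),
        Finding("10.0.0.5", 100003, 8080, thorough=True, state="Active", detections=2),
        Finding("10.0.0.5", 100004, 22, state="Fixed", detections=2),
    ]
    scope = dict(targets={"10.0.0.5"}, plugin_ids={100001, 100002, 100003, 100004},
                 ports={22, 443, 8080})
    first = ScanRun(results={("10.0.0.5", 100004, 22, "tcp")}, **scope)
    second = ScanRun(results=set(), credentialed=True, **scope)
    out = {"after_first_run": [f.state for f in apply_scan(findings, first)]}
    out["after_second_run"] = [f.state for f in apply_scan(findings, second)]
    return out


if __name__ == "__main__":
    for run, states in run_scenario().items():
        print(run, states, [API_STATE[s] for s in states])
```

After the first (uncredentialed) run the states are Fixed, Active, Active, Resurfaced; the credentialed second run clears the local finding, but the thorough_tests finding stays Active until a thorough scan covers it.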

Log Out of Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To log out of Tenable Vulnerability Management:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Click Sign Out.

Navigate Tenable Vulnerability Management


Tenable Vulnerability Management includes several helpful shortcuts and tools that highlight
important information and help you to navigate the user interface more efficiently:

Quick Actions Menu

The quick actions menu displays a list of the most commonly performed actions.

To access the quick actions menu:

1. In the upper-right corner, click the Quick Actions button.

The quick actions menu appears.

2. Click a link to begin one of the listed actions.

Resource Center

The Resource Center displays a list of informational resources including product announcements,
Tenable blog posts, and user guide documentation.

To access the Resource Center:

1. In the upper-right corner, click the button.

The Resource Center menu appears.

2. Click a resource link to navigate to that resource.

Notifications

In Tenable Vulnerability Management, the Notifications panel displays a list of system notifications.
The button shows the current number of unseen notifications. When you open the Notifications
panel, Tenable Vulnerability Management marks those notifications as seen. Once you have seen a
notification, you can clear it to remove it from the Notifications panel.

Note: Tenable Vulnerability Management groups similar notifications together.

To view notifications:

- In the upper-right corner, click the button.

  The Notifications panel appears and displays a list of system notifications.

  In the Notifications panel, you can do the following:

  - To clear one notification, next to the notification, click the button.
  - To expand a group of notifications, at the bottom of the grouped notification, click More
    Notifications.
  - To collapse an expanded group of notifications, at the top of the expanded notifications,
    click Show Less.
  - To clear an expanded group of notifications, at the top of the expanded notifications,
    click Clear Group.
  - To clear all notifications, at the bottom of the panel, click Clear All.

Settings Icon

Click the button to navigate directly to the Settings page, where you can configure your system
settings.

Workspace

When you log in to Tenable, the Workspace page appears by default. On the Workspace page, you
can switch between your Tenable applications or set a default application to skip the Workspace
page in the future. You can also switch between your applications from the Workspace menu,
which appears in the top navigation bar.

Important: Tenable disables application tiles for expired applications. Tenable removes expired application
tiles from the Workspace page and menu 30 days after expiration.

Open the Workspace Menu

To open the Workspace menu:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. Click an application tile to open it.

View the Workspace Page


To view the Workspace page:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. In the Workspace menu, click Workspace.

The Workspace page appears.

Set a Default Application


When you log in to Tenable, the Workspace page appears by default. However, you can set a default
application to skip the Workspace page in the future.

By default, users with the Administrator, Scan Manager, Scan Operator, Standard, and Basic roles can set
a default application. If you have another role, contact your administrator and request the Manage
permission under My Account. For more information, see Custom Roles.

To set a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to choose, click the button.

A menu appears.

3. In the menu, click Make Default Login Page.

This application now appears when you log in.

Remove a Default Application


To remove a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to remove, click the button.

A menu appears.

3. Click Remove Default Login Page.

The Workspace page now appears when you log in.

User Account Menu

The user account menu provides several quick actions for your user account.

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Do one of the following:

- Click My Profile to configure your own user account. You navigate directly to the My
  Account settings page. See My Account for more information.

- Click Sign out to sign out of Tenable Vulnerability Management.

- Click What's new to navigate directly to the Tenable Vulnerability Management Release
  Notes.

- Click View Documentation to navigate directly to the Tenable Vulnerability Management
  User Guide documentation.

For additional information about navigating the Tenable Vulnerability Management interface, see
the following topics:

Navigate Breadcrumbs

Navigate Planes

Tenable Vulnerability Management Tables

Navigate Breadcrumbs
In the Tenable Vulnerability Management interface, certain pages display breadcrumbs in the top
navigation bar. From left to right, the breadcrumbs show the path of pages you visited to reach your
current page:

To navigate breadcrumbs:
- In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Navigate Planes
Tenable Vulnerability Management combines fixed pages with overlapping planes.

To navigate planes in the new interface:

1. Access a plane using one of the following methods:

   - Click a widget on a dashboard.

   - Use the left navigation plane as follows:
     a. In the upper-left corner, click the button.

        The left navigation plane appears.

     b. In the left navigation plane, click a menu option.

   With the exception of the left navigation plane, planes open from the right side of the screen.

2. Manipulate a plane using the following buttons at the left edge of the plane:

Short Name        Action

expand            Expand a plane. Some planes can expand to full screen.
retract           Retract an expanded plane to its default size.
close             Close a plane.
expand preview    Expand a preview plane.
retract preview   Retract an expanded plane to the preview plane.

3. Return to a previous plane or page (and close a new plane or planes) by clicking the previous
plane.

Tenable Vulnerability Management Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management Workbench Tables


Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section. These tables feature search and navigational
capabilities. They also include the ability to drag and drop columns in any order, change column
width, and sort the data in multiple columns at one time. For more information, see Tenable
Vulnerability Management Workbench Tables.

Explore Tables
Explore tables are any tables within the Explore section in the Tenable Vulnerability Management
user interface. They include many of the features of Tenable Vulnerability Management Workbench
tables, but include additional customization and filtering capabilities. For more information, see
Filter Findings or Assets.

Tenable Vulnerability Management Workbench Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: Customizable tables also include the ability to access the actions buttons by right-clicking a table
row. To access your browser menu, press the Ctrl key and right-click.

Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section.

To interact with a Tenable Vulnerability Management workbench table:

1. View a workbench table.

2. Do any of the following:

l Navigate the table:
o To adjust the sort order, click a column title.

Tenable Vulnerability Management sorts all pages of the table by the data in the
column you selected.
o In Tenable Vulnerability Management, to increase or decrease the number of rows
displayed per page, click Results per page and select a number.

Tenable Vulnerability Management refreshes the table.


o To view all action buttons available in a table row, click the button.

This button appears instead of individual action buttons if 5 or more actions are
possible for the row.
o To navigate to another page of the table, click the arrows:

l First page arrow: Navigate to the first page of the table.

l Previous or next page arrow: Navigate to the previous or next page of the table.

l Last page arrow: Navigate to the last page of the table.

Note: Due to limitations, the total number of findings is not always known past the 1000
limit. In this case, the table may display a modified interface, changes in pagination
labeling, and a disabled last page navigation button.

l Search the table:
In the new interface, a search box appears above individual tables in various pages and
planes. In some cases, the search box appears next to the Filters box.

a. In the Search box, type your search criteria.

Your search criteria depend on the type of data in the table you want to search.

b. Click the button.

Tenable Vulnerability Management filters the table by your search criteria.

l To change the column order, drag and drop a column header to another position in the
table.

l Remove or add columns:
a. Roll over any column.

The button appears in the header.

b. Click the button.

A column selection box appears.

c. Select or clear the check box for any column you want to show or hide in the table.

Tip: Use the search box to quickly find a column name.

The table updates based on your selection.

l Adjust column width:
a. Roll over the header between two columns until the resize cursor appears.

b. Click and drag the column border to the desired width.

Tip: To automatically resize a column to the width of its content, double-click the right
side of the column header.

l To sort data in the table, click a column header.

Tenable Vulnerability Management sorts all pages of the table by the data in the column
you selected.

l To sort data in the table by multiple columns, press Shift and click one or more column
headers.

Tenable Vulnerability Management sorts all pages of the table in the order in which you
selected the columns.

Note: Not all tables or columns support sorting by multiple columns.

Filter a Table

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, a Filters box appears above individual tables in various pages
and planes.

To filter a table:

1. Next to Filters, click the button.

The filter settings appear.

2. (Optional) In Tenable Vulnerability Management, to quick-select filters, click Select Filters.

A drop-down list appears.

a. In the drop-down list, search for the filter you want to apply.

The list updates based on your search criteria.

b. Select the check box next to the filter or filters you want to apply.

The selected filters appear in the filter section.

3. In the Select Category drop-down box, select an attribute.

For example, you might select Severity if filtering findings or Asset ID if filtering assets.

4. In the Select Operator drop-down box, select an operator.

Note: When using the contains or does not contain operators, use the following best
practices:
l For the most accurate and complete search results, use full words in your search
value.
l Do not use periods in your search value.
l Remember that when filtering assets, the search values are case sensitive.
l Where applicable, Tenable recommends using the contains or does not contain
instead of the is equal to or is not equal to operators.

5. In the Select Value box, do one of the following, depending on the value type:

Value Type: Text
Action: Type the value on which you want to filter.

An example of the expected input is present in the box until you start typing. If what
you type is invalid for the attribute, a red outline appears around the text box.

Value Type: Single valid value
Action: If a default value is associated with the attribute, Tenable Vulnerability
Management selects the default value automatically.

To change the default value, or if there is not an associated default value present:

a. Click the box to display the drop-down list.

b. Search for and select one of the listed values.

Value Type: Multiple valid values
Action: To select one or more values:

a. Click the box to display the drop-down list.

b. Search for and select a value.

The selected value appears in the box.

c. Repeat until you have selected all appropriate values.

d. Click outside the drop-down list to close it.

To deselect values:

a. Roll over the value you want to remove.

The button appears over the value.

b. Click the button.

The value disappears from the box.

6. (Optional) In the lower-left corner of the filter section:

l To add another filter, click the Add button.

l To clear all filters, click the Reset Filters button.

7. Click Apply.

Tenable Vulnerability Management applies your filter or filters to the table.

8. (Optional) Save your filter or filters for later use.

9. (Optional) Clear the filters you applied:

a. In the table header, click Clear All Filters.

Tenable Vulnerability Management clears all filters from the table, including saved
searches.

Note: Clearing filters does not change the date range selected in the upper-right corner of the
page. For more information, see Tenable Vulnerability Management Tables.

Get Started with Tenable Lumin


You can use Tenable Lumin to quickly and accurately assess your risk and compare your health and
remediation performance to other Tenable customers in your Salesforce industry and the larger
population. Tenable Lumin correlates raw vulnerability data with asset business criticality and
threat context data to support faster, more targeted analysis workflows than traditional
vulnerability management tools.

Tenable recommends the following to get started with Tenable Lumin data and functionality.

License and Enable


Acquire a Tenable Lumin license and enable Tenable Lumin in Tenable Vulnerability Management.

1. To add Tenable Lumin to your Tenable Vulnerability Management license, contact your
Tenable representative.

2. In your browser, disable features that may prevent you from enabling Tenable Lumin:

l Ad blocker extensions

l Do Not Track (Mozilla Firefox, Google Chrome, Apple Safari, or Microsoft Internet
Explorer)

l Protected Mode (Microsoft Internet Explorer)

Tip: You can re-enable these features after you fully enable Tenable Lumin.

3. Log in to Tenable Vulnerability Management, as described in Log In to Tenable Lumin.

The Tenable Lumin welcome window appears.

4. Follow the wizard to enable Tenable Lumin.

The Lumin dashboard appears.

Prepare
Generate data and learn about Tenable Lumin terminology.

Tenable Vulnerability Management Only

1. Run an authenticated assessment scan in Tenable Vulnerability Management to generate
vulnerability data.

Note: You must run scans to start seeing data in Tenable Lumin views; Tenable Lumin shows
scan result data generated after you licensed Tenable Lumin. For more information, see
Tenable Lumin Data Timing.

Note: Tenable Lumin does not support third-party integration data.

2. Create tags in Tenable Vulnerability Management to add business context to your assets.

3. Review the metrics terminology to understand Vulnerability Priority Rating (VPR) and Asset
Criticality Rating (ACR) values and how they impact your Asset Exposure Score (AES),
Assessment Maturity grade, and Cyber Exposure Score (CES).

4. Allow sufficient time for your metrics to calculate. For more information, see Tenable
Lumin Data Timing.

Tenable Security Center + Tenable Vulnerability Management Tenable Lumin

1. Sync repositories to Tenable Lumin from Tenable Security Center. All vulnerability data is
synced immediately.

Note: Tenable Lumin does not support third-party integration data.

2. Create assets in Tenable Security Center to add business context to your assets.

3. Configure Tenable Security Center to Tenable Lumin synchronization. Allow sufficient time
for the synchronization to complete. For more information, see Tenable Lumin Data Timing.

4. View your assets as business context tags in Tenable Vulnerability Management. For more
information, see Manage Asset Tags.

5. Review the metrics terminology to understand Vulnerability Priority Rating (VPR) and Asset
Criticality Rating (ACR) values and how they impact your Asset Exposure Score (AES),
Assessment Maturity grade, and Cyber Exposure Score (CES).

6. Allow sufficient time for your metrics to calculate. For more information, see Tenable
Lumin Data Timing.

Assess Your Exposure


Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Review your CES and perform vulnerability management analysis.

1. Use the Tenable Lumin dashboard to understand your CES and access details pages.

l Cyber Exposure Score widget — How does your overall risk compare to other Tenable
customers in your Salesforce industry and the larger population?

l Cyber Exposure Score Trend widget — How has the overall risk for your entire
organization changed over time?

l Assessment Maturity widget — How frequently and thoroughly are you scanning your
assets?

l Remediation Maturity widget — How quickly and thoroughly are you remediating
vulnerabilities on your assets?

l Reduce Cyber Exposure Score widget — What would the impact be if you addressed all
of your top 20 recommended actions?

l Asset Criticality Rating Breakdown widget — How critical are your assets?

l Asset Scan Distribution widget — What types of scans have run on your assets?

l Mitigations widget — What endpoint protection agents are running on your assets?

l Cyber Exposure Score by Business Context/Tag widget — How do assets with different
tags (unique business context) compare?

2. To browse the most critical vulnerabilities on your network, sort your vulnerabilities by VPR.

3. To browse the most critical assets on your network, sort your assets by ACR.

Customize Your ACR Values


Review the Tenable-provided ACR values and customize them to reflect the unique infrastructure or
concerns of your organization.

1. Use the Assets page to review the Tenable-provided ACR values for your assets.

l Do any of your assets have ACR values that seem too high for the relative criticality of
that asset?

l Do any of your assets have ACR values that seem too low for the relative criticality of
that asset?

2. If necessary, manually customize your asset ACR values.

Lower Your CES and AES


You must address vulnerabilities on your network to lower your CES and AES.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see
Findings.

1. View lists of Tenable-recommended action items:

l Top recommended actions for all assets on your network.

Export your top recommended actions, as necessary.

l All solutions on your network.

Export your solutions, as necessary.

2. Follow the recommendations and take steps to address the vulnerabilities on your network.

Mature
Mature your vulnerability management strategy.

l Continue monitoring and addressing vulnerabilities to lower your CES and AES.

l Continue exporting and sharing recommended actions (solutions) data with others in your
organization to refine your vulnerability management strategy.

Error Messages
For Tenable Vulnerability Management API status codes, see the Tenable Developer Portal.

Scanning
The following table describes the scanning error messages that may appear in Tenable Vulnerability
Management.

Some scanning errors occur when you exceed the following Tenable Vulnerability Management
scanning limitations:

Scan Limitations

The following table describes scanning limitations in Tenable Vulnerability Management:

Limitation: Targeted IP addresses or hostnames per assessment scan
Description: Tenable Vulnerability Management limits the number of IP addresses or hostnames
you target with a single assessment scan (for more information, see Discovery Scans vs.
Assessment Scans). The host target limit is 10 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to target more than 10,000 hostnames or IP addresses in a
single assessment scan. If you exceed the limit, Tenable Vulnerability Management aborts the
scan.

Limitation: Targeted IP addresses or hostnames per discovery scan
Description: Tenable Vulnerability Management limits the number of IP addresses or hostnames
you target with a single discovery scan (for more information, see Discovery Scans vs.
Assessment Scans). The host target limit is 1,000 times your organization's licensed asset
count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to target more than 1,000,000 hostnames or IP addresses in a
single discovery scan. If you exceed the limit, Tenable Vulnerability Management aborts the
scan.

Limitation: Host scan results per scan
Description: Tenable Vulnerability Management limits the number of live hosts for which a
single scan can generate scan results. The live host scan results limit is 1.1 times your
organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to generate scan results for more than 1,100 live hosts from a
single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan.
Tenable Vulnerability Management does not apply the live host scan result limit to discovery
scans.

Tenable Vulnerability Management also limits the number of dead hosts for which a single
scan can generate scan results. The dead host scan results limit is 100 times your
organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to generate scan results for more than 100,000 dead hosts from
a single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan.

Limitation: Targeted IP addresses or ranges per scan
Description: You cannot specify more than 300,000 comma-separated IP addresses or ranges
when configuring a scan's targets.

Limitation: Active scans
Description: You cannot have more than 25 scans running in your container simultaneously.

Limitation: Scan chunks
Description: Tenable Vulnerability Management limits scan chunks to 10,000 hosts or 150,000
findings. If a scan chunk exceeds either value, Tenable Vulnerability Management does not
process the scan and eventually aborts it.

Note: This limits items like MDM assessments, importing Nessus files, and very large Auto
Discovery scenarios like VMware to individual scans with less than 10,000 assessed targets.

Limitation: Scan configurations
Description: Tenable Vulnerability Management limits the number of scan configurations you
can create to 10,000 scans. Tenable recommends re-using scheduled scans instead of creating
new scans. This approach helps to avoid latency issues in the user interface.

For more information about creating, modifying, and launching scans, see Manage Scans. For more
information about scan status values, see Scan Status.
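Every limit in the table above is a multiple of the licensed asset count, so a target list can be checked against them before a scan is launched rather than after a Max Hosts Reached or Target Limit abort. The following is an added example and not Tenable's own code: it derives the per-scan caps from the licensed asset count and counts how many host targets a comma-separated target string expands to. It assumes that a CIDR block or a dash range counts every address it covers as one host target, that a hostname counts as one, and that the 10,000-host scan chunk limit is the relevant one for an assessment scan's assessed targets; those counting rules are the example's assumptions, not Tenable's documented behaviour.

```python
"""Pre-flight check of a scan target list against the Tenable Vulnerability
Management scan limits listed in the Scan Limitations table.

Added example, not Tenable's own code. Assumptions: a CIDR block or dash range
counts every address it covers as one host target, a hostname counts as one,
and the scan chunk host limit is applied to assessment scans.
"""
import ipaddress
import re

# Multipliers of the licensed asset count, as given in the Scan Limitations table.
ASSESSMENT_TARGET_MULTIPLIER = 10      # hosts targeted per assessment scan
DISCOVERY_TARGET_MULTIPLIER = 1_000    # hosts targeted per discovery scan
DEAD_HOST_RESULT_MULTIPLIER = 100      # dead hosts with results per scan
# Live-host results are 1.1x the licensed count; computed with integer arithmetic below.
MAX_TARGET_ENTRIES = 300_000           # comma-separated entries per scan
MAX_CHUNK_HOSTS = 10_000               # hosts per scan chunk


def scan_limits(licensed_assets: int) -> dict:
    """Return the per-scan caps that follow from the licensed asset count."""
    return {
        "assessment_targets": licensed_assets * ASSESSMENT_TARGET_MULTIPLIER,
        "discovery_targets": licensed_assets * DISCOVERY_TARGET_MULTIPLIER,
        "live_host_results": licensed_assets * 11 // 10,   # 1.1x, exact integer
        "dead_host_results": licensed_assets * DEAD_HOST_RESULT_MULTIPLIER,
    }


_HOSTNAME = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")
_IPV4_RANGE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+(?:\.\d+){0,3})")


def parse_target_entry(entry: str) -> int:
    """Return how many host targets one comma-separated entry expands to.

    Raises ValueError for malformed entries so the caller can report them before
    launch instead of learning about them from an Invalid Target Range warning.
    """
    entry = entry.strip()
    if "/" in entry:                                    # CIDR block (v4 or v6)
        return ipaddress.ip_network(entry, strict=False).num_addresses
    m = _IPV4_RANGE.fullmatch(entry)
    if m:                                               # 10.0.0.1-10.0.0.50 or 10.0.0.1-50
        start = ipaddress.IPv4Address(m.group(1))
        end_text = m.group(2)
        if "." not in end_text:                         # short form: only the last octet varies
            end_text = m.group(1).rsplit(".", 1)[0] + "." + end_text
        end = ipaddress.IPv4Address(end_text)
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return int(end) - int(start) + 1
    if re.fullmatch(r"[\d.]+", entry) or ":" in entry:  # bare IPv4/IPv6 literal
        ipaddress.ip_address(entry)                     # raises for e.g. 10.0.0.300
        return 1
    if _HOSTNAME.fullmatch(entry):                      # hostname or FQDN
        return 1
    raise ValueError(f"unrecognized target format: {entry!r}")


def check_scan_targets(targets: str, licensed_assets: int,
                       scan_type: str = "assessment") -> list:
    """Return the list of limit violations; an empty list means the scan fits."""
    if scan_type not in ("assessment", "discovery"):
        raise ValueError("scan_type must be 'assessment' or 'discovery'")
    entries = [e for e in targets.split(",") if e.strip()]
    problems = []
    if len(entries) > MAX_TARGET_ENTRIES:
        problems.append(f"{len(entries)} target entries exceed the "
                        f"{MAX_TARGET_ENTRIES} entry limit")
    hosts = 0
    for entry in entries:
        try:
            hosts += parse_target_entry(entry)
        except ValueError as exc:
            problems.append(f"invalid target entry {entry.strip()!r}: {exc}")
    cap = scan_limits(licensed_assets)[f"{scan_type}_targets"]
    if hosts > cap:
        problems.append(f"{hosts} host targets exceed the {scan_type} scan limit of {cap}")
    # Assumption: the chunk limit is what bites on assessed targets, not discovery sweeps.
    if scan_type == "assessment" and hosts > MAX_CHUNK_HOSTS:
        problems.append(f"{hosts} host targets exceed the {MAX_CHUNK_HOSTS} hosts per "
                        f"scan chunk; split the scan")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 1,000-asset license and three candidate target lists.
    for targets, kind in [("10.0.0.0/22, web01.example.com", "assessment"),
                          ("10.0.0.0/16", "assessment"),
                          ("10.0.0.0/16", "discovery")]:
        print(kind, targets, "->", check_scan_targets(targets, 1000, kind) or "within limits")
```

With a 1,000-asset license the /22 plus one hostname (1,025 targets) passes, while a /16 (65,536 addresses) trips both the 10,000-target assessment cap and the scan chunk limit yet fits comfortably inside the 1,000,000-target discovery cap, which is the 10x versus 1,000x difference the table describes.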

Warning / Message / Recommended Action

Warning: Account Target Limit
Message: The target count exceeds the limit for this account. Please contact customer support
to upgrade your license.
Recommended Action: You reached the maximum scan target limit. To increase your scan target
limit by upgrading your license, contact Tenable Support.

Warning: Agent Group Error
Message: Unexpected error retrieving the agent groups.

Warning: Agent Group Permissions
Message: The owner does not have access to all of the configured agent groups.
Recommended Action: You do not have access to all the agent groups selected for this scan.
Select the correct groups. For more information, see Agent Groups.

Warning: Agent Scan Indexing Error
Message: Tenable Vulnerability Management aborted a scan task after an unexpected error
during indexing. You may need to re-scan the agent: [agent name].
Recommended Action: Re-scan the affected agent.

Warning: All Inactive Scanners
Message: All targets were routed to scanner groups with no active scanners.

Warning: All Scans Aborted
Message: All active scans were aborted.
Recommended Action: Tenable Vulnerability Management aborted the scan due to a system abort
request. Re-run the scan.

Warning: Auto Routed Custom Targets
Message: Custom scan targets are not currently supported for auto routed scans.
Recommended Action: Select a specific scanner to run scans on custom targets.

Warning: Auto Routing Disabled
Message: The scan is configured for auto routing, but that feature is not enabled.

Warning: Concurrent Scan Limit
Message: Concurrent scan limit reached for this account. Please contact customer support to
upgrade your license.
Recommended Action: You reached the maximum concurrent scan limit. Re-run the scan later.

Warning: Concurrent Scan Limit Reached
Message: Scan could not be completed: concurrent scan limit reached for this account. Please
contact customer support to upgrade your license.
Recommended Action: You reached the maximum concurrent scan limit. Re-run the scan later.

Warning: Conflict
Message: Transition for indexing to pausing not supported.
Recommended Action: The scan is completed and is now in the process of indexing. Wait for
the indexing to complete.

Warning: Empty Scanner Group
Message: The scan is configured to use a scanner group with no assigned scanners.
Recommended Action: Confirm the scanner group contains functioning scanners, then re-run the
scan. For more information, see Scanner Groups.

Warning: Empty Targets
Message: No targets are configured for the scan.
Recommended Action: Confirm the scan configuration contains one or more valid targets, then
re-run the scan.

Warning: Inactive Scanners
Message: The scan is configured to use a scanner group with no active scanners.
Recommended Action: Confirm the scanner group contains functioning scanners, then re-run the
scan. For more information, see Scanner Groups.

Warning: Indexing Error
Message: Unexpected error during task processing. Targets may need to be rescanned: [scan
targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Initialization Error
Message: Unexpected error during initialization.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Invalid AWS Targets
Message: No valid AWS targets are configured for the scan.
Recommended Action: Confirm the scan contains valid AWS scan targets and re-run the scan.
For more information, see Targets.

Warning: Invalid PCI Scanner
Message: The PCI scan can only be launched using Tenable Cloud Scanners.
Recommended Action: Use a Tenable cloud sensor to run a Tenable PCI ASV scan. For more
information, see Cloud Sensors.

Warning: Invalid Tag Target
Message: Failed to resolve a target FQDN or IP from an asset in the configured tags.
Recommended Action: One or more assets in a tag configured for the scan requires an
associated scan target. Confirm the tag configuration, then re-run the scan. For more
information, see Tags.

Warning: Invalid Tag Rule As Target
Message: Tags with the "Match All" filter can only have one rule for scans with the "Targets
defined by tags" option enabled. Tag category: [tag category], Tag value: [tag value].
Recommended Action: Adjust your tag rules, then re-run the scan.

Warning: Invalid Target
Message: Can't resolve target.
Recommended Action: Confirm your scan includes valid scan targets, then re-run the scan. For
more information, see Targets.

Warning: Invalid Target Range
Message: An invalid target range is configured for the scan: [scan targets]
Recommended Action: Correct or remove the invalid scan target range, then re-run the scan.
For more information, see Targets.

Warning: Invalid Targets
Message: No valid targets are configured for the scan.
Recommended Action: Confirm the scan targets meet the following criteria:

l IP addresses use a valid format

l Use commas to separate lists of IP addresses

l IP addresses in target groups use a valid format

For more information, see Targets and Target Groups.

For more troubleshooting assistance, see the knowledge base article.

Warning: Job Initialization Error
Message: Unexpected error during initialization. Please check the scan targets and settings
for irregularities and contact support if the problem persists.
Recommended Action: Re-run the scan.

Warning: Log4j DNS Failed Request
Message: Unable to resolve DNS [scan target] to check Log4j Vulnerability.
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Max Findings Error
Message: The maximum number of findings was reached.
Recommended Action: Review the Tenable Vulnerability Management scan limitations and adjust
the scan configuration to produce an allowed number of findings.

Warning: Max Hosts Reached Error
Message: Scan has exceeded the maximum number of allowed hosts.
Recommended Action: Review the Tenable Vulnerability Management scan limitations and adjust
the scan configuration to scan an allowed number of hosts.

Warning: Network Congestion Detected
Message: Some network congestion was detected during the scan. This may indicate that one or
more of the remote hosts are connected through a connection that does not have enough
bandwidth to handle the network traffic generated while scanning.
Recommended Action: To reduce the risk of congestion:

l Reduce max hosts to a lower value

l Increase the network read timeout in your policy

Warning: No Available Scanner
Message: Unable to find a scanner that is able to run the scan.
Recommended Action: Confirm you selected the correct scanner, then re-run the scan.

Warning: No Configured Agent Groups
Message: The scan has no configured Agent Groups.
Recommended Action: Add at least one Agent Group to the scan.

Warning: No Scan Policy
Message: The scan must be configured with a scan policy.
Recommended Action: The scan requires a scan policy. Configure a scan policy, then re-run the
scan.

Warning: No Tag Targets
Message: No valid targets were found from the configured tags.

Warning: Notification Error
Message: Notifications for this scan may not have been sent.
Recommended Action: The scan completed, but failed to send a notification.

Warning: Owner Disabled
Message: The owner of the scan is disabled.
Recommended Action: Enable the owner of the scan or transfer ownership to an enabled user.
For more information, see Permissions.

Warning: Paused Scan Timeout
Message: Paused scan exceeded timeout of [maximum allowed pause] days. Some tasks were
aborted. Targets may need to be rescanned.
Recommended Action: The paused scan exceeded the maximum pause duration. Re-run the scan for
all incomplete scan targets.

Warning: Pending Scan Timeout
Message: The scan was unable to transition to running within the expected timeout.
Recommended Action: Confirm the selected scanner group has sufficient capacity, then re-run
the scan. For more information, see Scanner Groups.

Warning: Policy Permissions
Message: The owner of the scan does not have access to the configured policy.
Recommended Action: You do not have access to the scan policy for this scan. Re-run the scan
with correct permissions. For more information, see Permissions.

Warning: Portscanner Max Ports Exceeded
Message: Portscanners have found more than [number] ports open for target [target name], and
the number of reported ports has been truncated to [number] (threshold controlled by scanner
preference portscanner.max_ports). Usually this is due to intervening network equipment
intercepting and responding to connection requests as a countermeasure against portscanning
or other potentially malicious activity.
Recommended Action: Since this negatively impacts both scan accuracy and performance, you may
want to adjust your network security configuration to disable this behavior for
vulnerability scans.

Warning: Processing Error
Message: Unexpected error in processing.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Routed To Inactive Scanners
Message: The following targets were routed to a scanner group with no active scanners: [scan
targets]
Recommended Action: Confirm the scanner group contains functioning scanners, then re-run the
scan. For more information, see Scanner Groups.

Warning: Running Scan Timeout
Message: The scan exceeded the maximum allowed runtime.
Recommended Action: The scan may be taking too long to scan some scan targets. Re-run the
scan.

Warning: Scan Aborted
Message: Scan aborted because it stalled in initializing.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Scan Aborted
Message: An error occurred while initializing the scan.
Recommended Action: Tenable Vulnerability Management failed to initialize the scan. Re-run
the scan.

Warning: Scan Aborted
Message: Failed to obtain plugin set information from Tenable Nessus.
Recommended Action: Tenable Vulnerability Management failed to download the plugin set.
Re-run the scan.

Warning: Scan Aborted
Message: The assigned scanner was not found.
Recommended Action: Tenable Vulnerability Management could not find the selected scanner.
Select a different scanner and re-run the scan.

Warning: Scan Extraction Error
Message: An error occurred during the scan extraction.

Warning: Scan Extraction Timeout Error
Message: The scan extraction timed out.

Warning: Scan Forbidden
Message: Rejected attempt to scan [scan target], as it violates user-defined rules.
Recommended Action: The scan target is excluded from scans. If you want to scan this target,
remove it from the exclusion and re-run the scan. For more information, see Exclusions.

Alternatively, you may not have the correct user permissions to run the scan. Check your
user permissions and re-run the scan. For more information, see Permissions.

Warning: Scan Job Initialization Error
Message: The scan could not be initialized. Please check the scan targets setting for
irregularities and contact support if the problem persists.
Recommended Action: Tenable Vulnerability Management failed to launch the scan. Re-run the
scan with the correct scan target. For more information, see Targets.

Warning: Scanner Disabled
Message: The assigned scanner is disabled.
Recommended Action: A user disabled the selected scanner. Select a different scanner and
re-run the scan.

Warning: Scanner Error
Message: Unexpected error retrieving the assigned scanner.

Warning: Scanner Group Error
Message: Unable to load scanner group for scanner [scanner ID].
Recommended Action: Confirm the scan configuration contains one or more valid targets, then
re-run the scan.

Warning: Scanner Interruptions
Message: Due to detection of scanner interruptions during the scan, this scan might have run
longer than expected. Scanner name: [scanner name]
Recommended Action: This error occurs when a Tenable Nessus scanner is unable to complete a
scan task, and Tenable Vulnerability Management reassigns the scan task to another scanner.
This usually happens when the original scanner goes offline intentionally (for example, a
user stops, powers off, or unlinks the scanner) or experiences an unexpected failure while
completing the scan task (for example, power or network loss).

Adjust the Tenable Nessus scanner as needed to prevent interruptions.

Warning: Scanner Not Found
Message: The assigned scanner was not found.
Recommended Action: Tenable Vulnerability Management could not find the selected scanner.
Select a valid scanner and re-run the scan.

Warning: Scanner Permissions
Message: The owner of the scan does not have access to the assigned scanner.
Recommended Action: You do not have access to the selected scanner. Select a different
scanner and re-run the scan. For more information, see Permissions.

Warning: Stalled Task
Message: A task was automatically aborted after stalling on scanner. Targets may need to be
rescanned: [scan targets]
Recommended Action: Confirm the scanners are functioning properly and have enough capacity
for your scans, then re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Tag Not Found
Message: Tenable Vulnerability Management could not process the tag. The tag either did not
exist at the time of scanning or the user does not have access to the tag. Tag UUID: [tag
uuid].
Recommended Action: Open the scan configuration in Tenable Vulnerability Management to
automatically remove any tags that no longer exist. Save the scan configuration and re-run
the scan.

Warning: Tag Targets Error
Message: Failed to obtain tag targets associated with scan.
Recommended Action: Tenable Vulnerability Management could not obtain the scan targets.
Verify the targets and re-run the scan. For more information, see Targets.

Warning: Target Access Error
Message: The owner of the scan does not have access to any configured targets.
Recommended Action: You do not have the correct user permissions to run the scan. Check your
user permissions and re-run the scan. For more information, see Permissions.

Warning: Target Group Permissions
Message: The owner of the scan does not have access to all of the configured target groups.
Recommended Action: Confirm the scan owner's permissions, then re-run the scan. For more
information, see Target Groups.

Warning: Target Limit
Message: The target count exceeds the maximum allowed for Tenable Vulnerability Management.
Recommended Action: The scan target range is too large. Confirm the scan configuration
includes a valid target range, then re-run the scan. For more information, see Targets.

Warning: Target Range Limit
Message: A target range exceeds the maximum allowed targets: [scan targets]
Recommended Action: Confirm or reduce the configured scan target range and re-run the scan.
For more information, see Targets.

Warning: Targets Unable To Complete
Message: The following targets are not able to complete scanning in the allowed scan time and
will need to be rescanned: [scan targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be scanned
again.

Warning: Task Initialization Error
Message: Unexpected error during initialization. Targets may need to be rescanned: [scan
targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Task Processing Error
Message: Unexpected error in processing. Targets may need to be rescanned: [scan targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Transition Timeout
Message: Some tasks stalled when being [resumed, paused, or stopped] and were aborted.
Targets may need to be rescanned.
Recommended Action: Failed to complete scan on some scan targets. Re-run the scan for all
unscanned scan targets.

Warning: Unable To Route Targets
Message: Unable to find a matching scanner route for the following targets: [scan targets]
Recommended Action: Tenable Vulnerability Management could not find one or more scan targets
specified in the scan configuration. Do the following, then re-run the scan:

l Confirm the scan configuration specifies the correct network.

l Confirm the scan routing configuration of the scanner groups in that network.

Message: The total number of scan configurations cannot exceed 10,000.
Recommended Action: Review and remove any scan configurations that your organization no
longer uses.

Dashboards
Dashboards are interactive, graphical interfaces that often provide at-a-glance views of key
performance indicators (KPIs) relevant to a particular objective or business process.

The Dashboards page contains tiles that represent:

l Tenable-provided dashboards. For a complete index of Tenable-provided dashboard
templates, see Tenable Vulnerability Management Dashboards.

Note: Depending on your license, more dashboards are included. For example, the Tenable Lumin
dashboard.

l Dashboards you have created. To create a template-based or custom dashboard with
Tenable-provided or custom widgets, see Create a Dashboard.

l Dashboards that other users have shared with you. Click the Shared with Me tab to view
dashboards that others have shared with you.

Vulnerability Management Dashboard

This Tenable-provided dashboard visualizes actionable insights for your vulnerability management program. Tenable Vulnerability Management updates dashboard data every time you run a scan.

Note: There may be a delay between when a scan completes and when the dashboard data updates while Tenable Vulnerability Management indexes the data.

To access the Vulnerability Management Overview dashboard:

1. In the upper-left corner, click the button.

   The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Management.

   The Vulnerability Management Overview dashboard appears.

You can roll over individual items to reveal additional information or click on items to drill down into details behind the data.

Tip: All charts on the Vulnerability Management Overview show New, Active, and Resurfaced vulnerability data. However, the counts or data displayed on each chart may differ for other reasons. For example, the Vulnerability Priority Rating (VPR) widget organizes vulnerabilities by VPR category, but the Vulnerability Trending widget graphs vulnerabilities by CVSS-based severity category. For more information about how severity and VPR metrics compare, see CVSS vs. VPR.

In the Vulnerability Management Overview, you can interact with the following widgets:

Cyber Exposure News Feed
    This widget highlights the most recent Tenable blog posts related to exposure incidents.
    - Click on a tile to navigate to the Tenable blog post.
    - Click the or button to collapse or expand the feed.
    - Click the or button to scroll through the tiles.

Statistics
    This widget summarizes the highest severity vulnerabilities on your network during the last 30 days.
    - View a count of your total vulnerabilities and counts for the highest severity vulnerabilities (Critical and High) during the past 30 days.
    - To view a list of vulnerabilities, click one of the counts.
      The Vulnerabilities page appears, filtered by a severity if you selected the Critical or High count. For more information, see View Vulnerabilities by Plugin.
    - View a count of your total licensed assets, your assets discovered during the last 7 days, and your assets discovered during the last 30 days.
      If necessary, onboard your newly discovered assets.
    - To view a list of assets, click one of the counts.
      The Assets page appears, filtered by a time range if you selected the 7 days or 30 days count. For more information, see View Asset Details.
    - View a count of your scans run during the last 90 days and the percentage that succeeded and failed.
      To investigate your failed scans, review your scans with the status Aborted or Canceled. For more information, see View Scans.
    - To export the data in the widget, click the button and select a format.

CISA Alerts AA22-011A and AA22-047A
    This widget provides a vulnerability count of risks associated with the CISA Alerts AA22-011A and AA22-047A vulnerabilities that have been identified or mitigated.
    - To view a list of related vulnerabilities by plugin, in the Vulnerabilities column, click one of the tiles.
      The Vulnerabilities page appears with results filtered by vulnerability state. For more information, see View Vulnerabilities by Plugin.
    - To view a list of related vulnerabilities by asset, in the Assets column, click one of the tiles.
      The Vulnerabilities page appears, filtered by vulnerability state. For more information, see View Vulnerabilities by Asset.
    - To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)
    This widget summarizes the number of vulnerabilities on your network, organized by VPR. For more information, see CVSS vs. VPR.
    - To view a list of vulnerabilities filtered by a VPR range, click one of the tiles.
      The Vulnerabilities page appears, filtered by the range you selected. For more information, see View Vulnerabilities by Plugin.
    - To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age
    This widget visualizes vulnerability counts by severity and by compliance with your Service Level Agreements (SLAs). To modify how Tenable Vulnerability Management calculates SLA severity, see General Settings.
    - To view a list of vulnerabilities, click one of the tiles.
      The Vulnerabilities page appears, filtered by severity. For more information, see View Vulnerabilities by Plugin.
    - To export the data in the widget, click the button and select a format.

Vulnerability Trending
    This widget shows the cumulative number of Critical, High, Medium, and Low severity vulnerabilities on your network over time. For more information, see CVSS vs. VPR.
    - To show or hide data for a severity, click the boxes in the graph legend.
      The system updates the widget to show or hide the data you selected.
    - To view historical vulnerability count and severity data, roll over a point on the graph.
    - To view a list of current vulnerabilities, click a point on the graph.
      The Vulnerabilities page appears, filtered by the severity you selected and by New, Active, or Resurfaced state. For more information, see View Vulnerabilities by Plugin.
    - To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities
    This widget summarizes the number of Critical and High severity vulnerabilities on your network, organized by exploitability characteristic category. A single vulnerability may have multiple exploitability characteristics and count towards multiple categories.
    - To view the counts of your vulnerabilities by decreasing priority, view the categories and counts from left to right.
    - To view a list of vulnerabilities, click one of the bars on the graph.
      The Vulnerabilities page appears, filtered by Critical and High severity and the exploitability characteristic you selected. For more information, see View Vulnerabilities by Plugin.
    - To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities
    This widget summarizes the vulnerabilities that are not yet exploitable, determined by their Exploit Code Maturity and Vulnerability Publication Date.
    - To view the counts of your vulnerabilities by decreasing priority, view the categories and counts from upper left to lower right. Tenable recommends addressing vulnerabilities with proof-of-concept before those with no known exploit.
    - To export the data in the widget, click the button and select a format.

Vulnerability Age
    This widget summarizes the age of your vulnerabilities (by Vulnerability First Seen date), organized by severity, to help you manage your SLAs. For more information about severity, see CVSS vs. VPR.
    - To view a list of vulnerabilities, click one of the vulnerability counts.
      The Vulnerabilities page appears, filtered by the Vulnerability First Seen date and severity you selected. For more information, see View Vulnerabilities by Plugin.
    - To export the data in the widget, click the button and select a format.

Vulnerability Management Overview (Explore)

The Vulnerability Management Overview (Explore) dashboard provides executive management with a summary of risk information at a glance, while enabling security analysts to drill down into technical details by clicking on the widgets. Tenable Vulnerability Management updates the dashboard data each time you run a scan.

Note: There may be a delay between the time when a scan completes and when the dashboard data updates while Tenable Vulnerability Management indexes the data.

Hovering over individual items reveals a data summary that you can click to drill down for further details.

In the Vulnerability Management Overview (Explore), you can interact with the following widgets:

Cyber Exposure News Feed
    This widget highlights the most recent Tenable blog posts related to exposure incidents.
    - Click on a tile to navigate to the Tenable blog post.
    - Click the or button to collapse or expand the feed.
    - Click the or button to scroll through the tiles.

Severity Statistics by Source
    The widget provides a count of vulnerabilities collected through multiple sources: Tenable Nessus scans, Tenable Nessus Agents, and Frictionless Assessment. The numbers displayed in this widget use severity to determine the precedence of vulnerabilities to mitigate.
    - To view the list of assets for a specific category, click on the summary information in the relevant category.
      The Findings page appears with details about the assets detected for the category.
    - To export the data in the widget, click the button and select a format.

Tenable Research Advisory
    This widget provides two indicators for current major threats discovered by Tenable Research. The red indicator signifies the presence of the relevant vulnerabilities, while the green indicator is enabled when these vulnerabilities are patched.
    - Click on the tiles to display a Findings page with details about the assets detected for Missing Patches and Applied Patches.
    - To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)
    This widget displays vulnerabilities grouped by Vulnerability Priority Rating (VPR). VPR is the output of Tenable's predictive prioritization process, which Tenable continually updates to accommodate the evolving threat landscape.
    Following the initial scan of an asset on the network, Tenable computes an initial VPR using a machine-learning algorithm that analyzes more than 150 different aspects of each vulnerability to determine the level of risk. Vulnerabilities listed on the left have the highest VPR, while those on the right have the lowest. For more information, see CVSS vs. VPR.
    - To view the asset details detected in a specific range, click on a VPR range.
      The Findings page appears with details about the assets detected in the selected range.
    - To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age
    This widget helps organizations manage Service Level Agreements (SLAs) by providing a vulnerability view organized by Vulnerability Priority Rating (VPR) Score and Vulnerability Age.
    Tenable calculates the vulnerabilities that do not meet SLAs using a date filter for within the last X days. The vulnerabilities that meet SLAs use a date filter for older than X days.
    When you apply default SLA settings:
    - Critical: row uses VPR greater than 9.0.
    - High: row uses VPR between 7.0-8.9.
    - Medium: row uses VPR between 4.0-6.9.
    - Low: row uses VPR between 0-3.9.
    To know how Tenable Vulnerability Management calculates SLA severity, see General Settings.
    - To view the list of assets detected for a specific category, click on the summary information under the SLA categories.
      The Findings page appears with details about the assets.
    - To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities
    This widget focuses on the most severe current threats, Critical and High exploitable vulnerabilities, to help prioritize remediation. Each bar represents vulnerabilities grouped by an exploitability characteristic:
    - Exploited by Malware: Vulnerabilities that can be exploited by malicious software, such as viruses, worms, spyware, adware, and ransomware.
    - Remotely Exploitable (Low Complexity): Vulnerabilities that can easily be exploited remotely and require little skill or information gathering to exploit.
    - Locally Exploitable (Low Complexity): Vulnerabilities that can easily be exploited with local access and require little skill or information gathering to exploit.
    - Exploited by Framework (Metasploit): Vulnerabilities with publicly available exploit code that has been imported into exploit frameworks such as Metasploit. These common exploit frameworks are easily accessible and are used by both security researchers and malicious attackers.
    - Remotely Exploitable (High Complexity): Vulnerabilities that can be exploited remotely, but require a high degree of skill and information gathering to exploit.
    Note: These groupings are not mutually exclusive, as a single vulnerability can fall into multiple exploitability categories. Tenable recommends prioritizing remediation starting with vulnerabilities in the left-most column, Exploited by Malware.
    - To view details about assets for a specific category, click one of the bars on the graph.
      The Findings page appears with details about assets detected for the category.
    - To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities
    This widget provides a view of vulnerabilities based on exploit code maturity and vulnerability publication date. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the exploit code maturity, where Proof of Concept is more serious than Unproven Exploit.
    - To view the list of assets for a specific category, click on the counts under the Published categories.
      The Findings page appears with details about the assets detected for the category.
    Tip: Tenable recommends addressing vulnerabilities with proof-of-concept before those with no known exploit.
    - To export the data in the widget, click the button and select a format.

Scan Health
    This widget provides a summary of scan health in relation to authentication success and failures. The five columns display asset counts related to:
    - Authentication Success - Scans authenticate successfully with full administrator/root privileges. Scan results are the most comprehensive.
    - Success but Insufficient Access - Scans authenticate successfully, but do not have privileged access. Scan results are limited to the scope of a local non-privileged user.
    - Success but Intermittent Failure - Scan credentials intermittently fail, which can result from session rate limits, session concurrency limits, or other issues preventing consistent authentication success.
    - Authentication Failure (Credentials) - Incorrect credentials provided.
    - To view the list of assets that fall in a specific category, click the required category.
      The Findings page appears with details about assets detected for the category.
    - To export the data in the widget, click the button and select a format.

Vulnerability Age: Managing SLAs
    This widget provides a view of vulnerabilities based on severity and age. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the severity level of the vulnerability.
    - To view asset details for a specific category, click the vulnerability count in the required category.
      The Findings page appears with details about assets detected for the category.
    - To export the data in the widget, click the button and select a format.
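The SLA Progress: Vulnerability Age rows and date filters described above, as an added example that is not Tenable's code: it buckets constructed findings by the guide's default VPR boundaries and splits each row at a per-severity day count X. The day counts in SLA_DAYS are assumed values, not the product's defaults, and the buckets are labelled by age relative to X days rather than as meeting or not meeting the SLA.

```python
from datetime import date

# Assumed per-row SLA day counts (constructed for this example; the real
# values come from General Settings and are not given in the guide).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}

# Reference date for the constructed sample (constructed).
AS_OF = date(2024, 6, 20)


def vpr_row(vpr: float) -> str:
    """Map a VPR score to the widget's severity row using the default
    boundaries quoted in the guide: Critical > 9.0, High 7.0-8.9,
    Medium 4.0-6.9, Low 0-3.9.  VPR is defined on 0-10."""
    if not 0.0 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    if vpr > 9.0:
        return "Critical"
    if vpr >= 7.0:
        return "High"      # a score of exactly 9.0 lands here
    if vpr >= 4.0:
        return "Medium"
    return "Low"


def sla_progress(findings, as_of, sla_days=SLA_DAYS):
    """Return {row: {"within": n, "older": n}}.

    A finding is 'within' when its age (as_of - first_seen, in days) is
    at most the row's X days, and 'older' otherwise, mirroring the two
    date filters the widget applies per row."""
    table = {row: {"within": 0, "older": 0} for row in sla_days}
    for finding in findings:
        row = vpr_row(finding["vpr"])
        age_days = (as_of - finding["first_seen"]).days
        bucket = "within" if age_days <= sla_days[row] else "older"
        table[row][bucket] += 1
    return table


# Constructed sample findings: plugin id, VPR, Vulnerability First Seen.
FINDINGS = [
    {"plugin_id": 1001, "vpr": 9.6, "first_seen": date(2024, 6, 18)},
    {"plugin_id": 1002, "vpr": 9.2, "first_seen": date(2024, 5, 1)},
    {"plugin_id": 1003, "vpr": 9.0, "first_seen": date(2024, 6, 1)},
    {"plugin_id": 1004, "vpr": 7.4, "first_seen": date(2024, 3, 1)},
    {"plugin_id": 1005, "vpr": 5.5, "first_seen": date(2024, 6, 10)},
    {"plugin_id": 1006, "vpr": 2.1, "first_seen": date(2023, 12, 1)},
]

if __name__ == "__main__":
    for row, counts in sla_progress(FINDINGS, AS_OF).items():
        print(f"{row:<9} within {SLA_DAYS[row]:>2} days: {counts['within']}"
              f"  older: {counts['older']}")
```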

Tenable Web App Scanning Dashboard

The default Web Applications Scanning dashboard displays data Tenable Web App Scanning collects.

The tables below describe the sections and widgets displayed in the Web Applications Scanning dashboard. You can view details about the data in a widget by clicking the widget.

Tenable Web App Scanning Statistics

The table below describes the widgets displayed in the Statistics section of the Web Applications Scanning dashboard. You can view details about the data in a widget by clicking the widget.

Findings
    Number of findings Tenable Web App Scanning has discovered. The findings are categorized by severity (Critical and High).
    For information about vulnerability ratings and the severity metrics Tenable uses to analyze risk, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.

Web Assets Scanned
    Number of assets scanned over time.

Incomplete Scans
    Number of incomplete scans in the past 90 days.

Non Authenticated Scans
    Number of non-authenticated scans in the past 90 days.

OWASP Top 10

This chart displays the vulnerabilities discovered by Tenable Web App Scanning that appear in the latest Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application Security Risks document.

View the Dashboards Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

Tenable Vulnerability Management updates dashboard data based on date filters you add when you Create a Custom Widget for the dashboard.

To view the Dashboards page:

1. Access the Dashboards page in one of the following ways:

   - On any Tenable-provided dashboard page, click the Dashboards button.

   - On any other page, do the following:

     a. In the upper-left corner, click the button.

        The left navigation plane appears.

     b. In the left navigation plane, click Dashboards.

   The Dashboards page appears. The page contains tiles that represent:

   - Tenable-provided dashboards
   - Dashboards you have created
   - Dashboards that other users have shared with you

2. Do any of the following:

   - In the upper-left corner, use the Search bar to search for specific dashboards.
   - In the upper-left corner, use the drop-down to change the order in which dashboards appear on the Dashboards page.
   - In the Groups section, do any of the following:
     - Use the Search Groups bar to search for specific dashboard groups.
     - Click the Shared with Me tab to view dashboards that have been shared with you.
     - Click the Updates Available tab to view dashboards that are eligible for auto-update.
   - Roll over individual dashboard tiles to reveal additional information.
   - Toggle between the grid and list view.
   - Set a default dashboard.
   - Edit a dashboard.
   - Share a dashboard.
   - Export a dashboard.
   - Duplicate a dashboard.
   - Delete a dashboard.
   - Click a dashboard tile to view the individual dashboard.

Tenable-Provided Dashboards

On the Dashboards page, Tenable Vulnerability Management shows dashboards in the following order:

1. Tenable-provided dashboards. For a complete index of Tenable-provided dashboard templates, see Tenable Vulnerability Management Dashboards.

2. Dashboards you create and dashboards that have been shared with you.

Note: You can change the order in which dashboards appear by using the drop-down in the upper-right corner of the Dashboards page.

The Tenable-provided dashboards you see depend on the licenses you have, but can include the following:

Vulnerability Management Overview
    License: Tenable Vulnerability Management

Lumin
    License: Tenable Lumin

Container Security
    License: Tenable Container Security

Web Application Scanning
    License: Tenable Web App Scanning

Note: You can export the Vulnerability Management Overview and Asset View dashboard landing pages, or export individual widgets on those dashboards. For more information, see Export a Full Dashboard and Export an Individual Dashboard Widget.

Note: If your dashboard fails to show data, you may be filtering the dashboard by a target group with too many targets. Tenable recommends limiting the number of targets in any individual target group.

Export a Full Dashboard Landing Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

In Tenable Vulnerability Management, you can export the following dashboard landing pages:

- Vulnerability Management Overview
- Asset View
- Tenable Lumin
- Tenable Web App Scanning

To export a full dashboard landing page:

1. View the dashboard page you want to export.

2. In the upper-right corner, click Export.

   A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   - Click PDF to export the dashboard in PDF format.
   - Click PNG to export the dashboard in PNG format.
   - Click JPG to export the dashboard in JPG format.

   An In Progress message appears.

   Once the export completes, a Success message appears and Tenable Vulnerability Management downloads the export file to your computer. Depending on your browser settings, your browser may notify you that the download is complete.

Export an Individual Dashboard Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

In Tenable Vulnerability Management, you can export individual widgets from the following dashboard landing pages:

- Vulnerability Management Overview
- Asset View
- Tenable Lumin
- Tenable Web App Scanning

To export an individual dashboard widget:

1. View the dashboard page that contains the widget you want to export.

2. In the header of the widget you want to export, click the button.

   A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   - Click PDF to export the widget in PDF format.
   - Click PNG to export the widget in PNG format.
   - Click JPG to export the widget in JPG format.

   An In Progress message appears.

   Once the export completes, a Success message appears and Tenable Vulnerability Management downloads the export file to your computer. Depending on your browser settings, your browser may notify you that the download is complete.

View an Individual Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

Tenable Vulnerability Management updates dashboard data every time you run a scan.

To view an individual dashboard:

1. View the Dashboards page.

2. Do one of the following:

   - In grid view, roll over the tile for the dashboard you want to view.

     Dashboard information and options overlay the dashboard tile.

   - In list view, roll over the thumbnail dashboard image for the dashboard you want to view.

     Dashboard options overlay the thumbnail dashboard image.

3. Click View.

   The page for that dashboard appears.

4. Do one of the following:

   - Change the dashboard you are viewing:

     a. In the upper-right corner, click Jump to Dashboard.

        A drop-down box appears.

     b. Select the dashboard you want to view.

     Tip: Use this option to view legacy versions of Explore dashboards. For more information, see Enable Explore Dashboards.

   - Roll over individual widgets to reveal additional information.
   - Click on widget elements to drill down into details behind the data.
   - Share the dashboard.
   - Export the dashboard.
   - Edit the dashboard.
   - Set the dashboard as default.
   - Duplicate the dashboard.
   - Create a new dashboard.
   - Delete the dashboard.

View the Dashboard Template Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

The Template Library provides a selection of Tenable-provided dashboards.

To view the dashboard template library:

1. View the Dashboards page.

2. Click New Dashboard.

   A list of options appears.

3. Click Template Library.

   The Template Library page appears.

On the Template Library page, you can:

- Sort the Template Library page:

  a. In the upper-right corner of the page, click the button in the drop-down box.

  b. Select the criteria by which you want to sort the page.

- In the upper-left corner, use the Search bar to search for specific dashboards.
- Click the New and Updated tab to view dashboards that are eligible for auto-update.
- Toggle between the grid and list view.
- Preview a dashboard.
- Create a dashboard.

Create a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

You can create a custom dashboard or use the Template Library to create a copy from the available templates. Dashboards let you drill down to view the details of each widget.

Important: The Template Library in Tenable Vulnerability Management includes Explore dashboard templates. The Explore dashboard templates are marked with Explore at the end of the template name. For example: Vulnerability Management (Explore). From the dashboards that you create using these templates, you can drill down to the Findings or Assets pages. To add an Explore dashboard, see Enable Explore Dashboards.

To create a dashboard:

1. View the Dashboards page.

2. Click New Dashboard.

   A list of options appears.

3. Do one of the following:

To create a dashboard from a template:

a. Click Template Library.

   The Template Library page appears.

b. In the Groups panel on the left, click the group name to view the templates for the category.

   The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

   Center for Internet Security (CIS)
       CIS Benchmarks are best practices for the secure configuration of a target system. Be sure to use the proper audit file for scans.

   Defense Information Systems Agency (DISA)
       The Defense Information Systems Agency (DISA) is a United States Department of Defense combat support agency composed of military, federal civilians, and contractors. Security Technical Implementation Guides (STIGs) are configuration standards that consist of cybersecurity requirements for a specific product. Be sure to use the proper audit file for scans.

   Compliance Framework
       Tenable allows you to audit configuration compliance with a variety of standards including GDPR, ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. These reports provide summary and detailed information for all the supported frameworks. Be sure to use the proper audit file for scans.

   Host Audit Plugin Type
       Organizations such as CIS, DISA, and some vendors create golden configuration standards, known as benchmarks. Tenable creates audit files that perform a detailed configuration review. Scanning the assets with the Host Audit Compliance Check plugins allows you to do detailed configuration checks. These reports provide summary and detailed information for all the Host Audit Compliance Check plugins.

   Tenable Best Practice Audits
       Allows you to implement best practice audits for new technologies. Be sure to use the proper audit file for scans.

   Vendor Based Audits
       Allows you to implement vendor-specific guidance for new technologies. Vendors include: Vendor, IBM, Juniper, Microsoft, NetApp, VMware, and others. Be sure to use the proper audit file for scans.

   Vulnerability Management
       Tenable Vulnerability Management provides the most comprehensive vulnerability coverage with real-time continuous assessment of the organization. These built-in reports allow organizations to communicate risk based on prioritization, threat intelligence and real-time insights to prioritize remediation actions. These reports provide summary and detailed information on data collected using Tenable Vulnerability Management applications such as Tenable Nessus.

   Web App Scanning
       Web application security provides the ability to detect and mitigate threats and vulnerabilities that may compromise the confidentiality, integrity, and availability of web applications. These reports leverage data from Tenable Web App Scanning, a comprehensive and automated vulnerability scanning tool for modern web applications.

c. In the library, locate the template you want to use.

d. Hover over the template.

   An overlay of template information and options appears.

e. (Optional) To preview the dashboard template, click Preview. For more information, see Preview a Dashboard.

f. Click Add.

   An Added dashboard to Dashboards confirmation message appears.

   The new dashboard appears on the Dashboards page with the name Copy of selected dashboard.

To create a custom dashboard:

a. Click Custom Dashboard.

   The Edit Dashboard page appears.

b. Name the dashboard:

   a. Click the name of the dashboard.

      The name becomes an editable text box.

   b. Type a name for the dashboard.

   c. Click the button to confirm the name change.

      Tenable Vulnerability Management saves the updated name.

c. Add a dashboard description:

   a. Click the dashboard description.

      The description becomes an editable text box.

   b. Type a description for the dashboard.

d. Add widgets to the dashboard:

   a. In the upper-right corner of the page, click Add Widgets.

      A menu appears.

   b. Do one of the following:

      - To add a widget from a template, click Template Widget.

        The Widgets page appears.

        - Select the widget as described in Add a Widget to a Dashboard.

      - To add a custom widget, click Custom Widget.

        The Create Widget page appears.

        - Configure the custom widget as described in Create a Custom Widget.

e. Add dashboard filters:

   a. In the upper-right corner of the page, click Edit Filter.

      The Filter plane appears.

      Note: The Edit Filter option does not appear if there are no widgets added to the dashboard.

   b. Configure your dashboard filters as described in Filter a Dashboard.

f. (Optional) Reorder widgets on the dashboard:

   a. Hover over the widget you want to move.

   b. Press and hold the mouse button to highlight the widget.

      The edges of the widget become defined and exhibit a raised appearance.

   c. Using the mouse, drag the widget to the new location.

   d. Release the mouse button to drop the widget in the new location.

g. (Optional) Delete the dashboard:

   - In the lower-left corner of the page, click Delete Dashboard.

     Tenable Vulnerability Management discards the newly created dashboard.

What to do next:

- Manage Dashboards

Preview a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

When creating a new dashboard from a template, you can preview the dashboard before adding it to the Dashboards page.

To preview a dashboard:

1. Create a dashboard.

2. In the Template Library, roll over the template you want to preview.

   An overlay of template information and options appears.

3. Click Preview.

   A preview of the dashboard appears.

4. To exit the preview, in the top navigation bar, click a link in the breadcrumb trail to return to the Template Library or the Dashboards page.

5. To add the template to the Dashboards page, click Add to Dashboards.

   An Added dashboard to Dashboards confirmation message appears, and the new dashboard appears on the Dashboards page with the name Copy of selected dashboard.

Enable Explore Dashboards


Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To use Explore dashboards within Tenable Vulnerability Management, you must first add them to
your interface via the Template Library.

Note: The numerical data that appears on your Explore dashboards may not match the data on your legacy
Tenable Web App Scanning or VM dashboards.

Note: The data on your Explore Tenable Web App Scanning and VM dashboards reflects your complete
scanning history. This differs from the Tenable Web App Scanning and VM dashboards, which display data

- 103 -
for only the last 30 calendar days.

To enable Explore dashboards:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

4. In the upper-left corner, in the Search bar, type "(Explore)".

All available Explore dashboards appear.

If Explore dashboards do not appear, your container may not have enabled them. Please contact
your Customer Success Manager.

5. For each Explore dashboard you want to add to your interface, do the following:

a. Roll over the Explore dashboard template.

An overlay of template information and options appears.

b. Click Add.

An Added dashboard to Dashboards confirmation message appears, and the Explore
dashboard appears on the Dashboards page.

Note: To re-enable your Tenable Web App Scanning or VM dashboards, enable the corresponding
workbench.

Manage Dashboards
This section contains the following topics to help you manage your Tenable Vulnerability
Management dashboards:

Dashboard Groups

In Tenable Vulnerability Management, you can organize dashboards into groups via the dashboard
Groups panel. This allows you to track different types of dashboards, and dashboards that others
have shared with you. You can also share a dashboard group with one or more users or user groups.

The Groups panel automatically expands when you view the Dashboards page. The panel is
divided into Tenable-provided dashboard groups and user-created dashboard groups.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Add a Dashboard Group


You can add a dashboard group via the Groups panel on the Dashboards page.

To add a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click Add.

The Edit Group pane appears.

3. In the Group Name box, type a name for your dashboard group.

4. In the Dashboards to Include section, select the check box next to any dashboards you want
to add to the dashboard group.

5. Click Save.

Tenable Vulnerability Management adds the dashboard group to the user-created dashboard
list in the Groups panel.

Share a Dashboard Group


In Tenable Vulnerability Management, you can share a user-created dashboard group with other users
or user groups via the Groups panel.

Note: Dashboard groups are not automatically re-shared with a user after they have been updated. For
example: User A shares a dashboard group with User B. User A then makes a change to the dashboard
group. To see the update, User A must re-share the dashboard group with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to share.

The group and its included dashboards appear.

3. Click Share Group.

The Share Group pane appears.

4. Do one of the following:

- To share the dashboard group with all users, select the All Users check box.

- To share the dashboard group with specific users or user groups, from the drop-down
box, select the users or user groups with which you want to share the dashboard group.

Tip: You can share with multiple users or user groups.

5. Click Share.

A Group shared successfully message appears. Tenable Vulnerability Management shares the
dashboard group with the designated users or user groups and sends them an email indicating that
you shared a dashboard group with them.

Edit a Dashboard Group


In Tenable Vulnerability Management, you can edit user-created dashboard groups via the Groups
panel.

To edit a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to edit.

The group and its included dashboards appear.

3. Click Edit Group.

The Edit Group pane appears.

4. (Optional) In the Group Name box, edit the name of the dashboard group.

5. (Optional) In the Dashboards to Include section, select or deselect the dashboards that
appear in the dashboard group.

6. Click Save.

Tenable Vulnerability Management saves your changes to the dashboard group.

Delete a Dashboard Group


In Tenable Vulnerability Management, you can delete user-created dashboard groups via the Groups
panel.

To delete a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to delete.

The group and its included dashboards appear.

3. Click Delete Group.

A confirmation message appears.

4. Click Delete.

Tenable Vulnerability Management deletes the dashboard group.

Note: Deleting dashboard groups does not delete the dashboards within the group.

Automatically Update Widgets on a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To provide the most up-to-date vulnerability information, Tenable updates or adds dashboard
widgets when, for example, a new vulnerability is disclosed or Tenable Vulnerability Management
adds a new vulnerability filter. When Tenable updates these widgets, you can view and apply the
updates in one of the following ways:

- Dashboards page — On the Dashboards page, you can update all updated widgets on a
dashboard at one time.

- Dashboard Template Library — When creating a custom dashboard via the Template Library,
you can view new or updated widgets and add them to the custom dashboard.

Note: On predefined dashboard templates, Tenable Vulnerability Management always includes the
most recent version of widgets.

- Widget Library — In the Widget Library, you can view new or updated widgets and add them
to up to ten individual dashboards.

To update widgets automatically via the Dashboards page:


1. View the Dashboards page.

2. In the Groups section, click the Updates Available tab.

A list of dashboards with updated widgets appears.

Note: You can also see dashboards with new and updated widgets on the All tab. These dashboards
appear with a pulsing blue dot next to the dashboard name.

3. Roll over the dashboard for which you want to update widgets.

An overlay of options appears.

4. Click Apply.

An Update Available message appears that describes the updates to the widgets on the
dashboard.

5. Click Update.

An Update Applied Successfully message appears and Tenable Vulnerability Management
updates the widgets on the dashboard.

To update widgets automatically via the dashboard Template Library:


1. View the dashboard Template Library.

2. Click the New and Updated tab.

A list of dashboard templates with new and updated widgets appears.

3. Roll over the dashboard template you want to add.

An overlay of options appears.

4. Click Add.

An Added Dashboard Template to Dashboards message appears, and the dashboard
template with the new or updated widget appears on the Dashboards page.

To update widgets automatically via the Widget Library:


1. View the Widget Library.

2. Click the New and Updated tab.

A list of new and updated widgets appears.

3. Roll over any widget you want to add to a dashboard.

4. Click Add to Dashboards.

The Add to Dashboards plane appears.

5. In the Dashboards drop-down, select the dashboard or dashboards to which you want to add
the new or updated widget.

6. Click Save.

A Successfully Added to Selected Dashboards message appears and Tenable Vulnerability
Management adds the new or updated widget to the selected dashboards.

Edit a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To edit a dashboard:

1. Do one of the following:

- Access the Edit Dashboard page via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Edit.

- Access the Edit Dashboard page via an individual dashboard:

a. View the dashboard you want to edit.

b. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

c. Click Edit dashboard.

The Edit Dashboard page appears.

2. On the Edit Dashboard page, do any of the following:

- Rename the dashboard:

a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a new name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the name.

- Edit the dashboard description:

a. Click the dashboard description.

The description becomes an editable text box.

b. Type a new description for the dashboard.

- Edit the dashboard filters:

a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

b. Configure your dashboard filters as described in Filter a Dashboard.

- Add widgets to the dashboard:

a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

   - To add a widget from a template, click Template Widget.

     The Widgets page appears. Select the widget as described in Add a Widget to a Dashboard.

   - To add a custom widget, click Custom Widget.

     The Create Widget page appears. Configure the custom widget as described in Create a Custom Widget.

- Reorder widgets on the dashboard:

a. Roll over the top of the widget until the move cursor appears.

b. Click and drag the widget to the desired location.

- Resize the widgets on the dashboard:

a. Roll over the lower-right corner of the widget until the resize cursor appears.

b. Click and drag the widget to the desired size.

The widgets shift to accommodate the new widget size.

- Delete the dashboard:

In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management removes the dashboard from the Dashboards page.

3. Click Done Editing.

You return to the selected dashboard and Tenable Vulnerability Management applies your
changes.

Set a Default Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can set any dashboard as the default dashboard to make it your landing page. If you do not set
a default dashboard, Tenable Vulnerability Management uses the Tenable-provided Vulnerability
Management Overview dashboard as the default.

When you set a dashboard as default, on the Dashboards page, the Default label appears in the
header of the dashboard tile.

Note: If you delete the dashboard that is set as default, the Tenable-provided Vulnerability
Management Overview dashboard becomes the default again.

To set a default dashboard:

1. Do one of the following:

- Set a default dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

- Set a default dashboard via an individual dashboard:

a. View the dashboard you want to make the default.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Select Make Default.

A Successfully set as default dashboard confirmation message appears, and Tenable
Vulnerability Management sets the dashboard as the default.

Note: You may have to log out and log back in to see the updated default dashboard.

Rename a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To rename a dashboard:

1. View the dashboard you want to rename.

2. On the dashboard page, roll over the dashboard name.

The name becomes highlighted and shows a button.

3. Click the button or double-click the name.

The name field becomes a text box.

4. Enter a new name for the dashboard.

5. Click the button to confirm the name change.

A confirmation appears at the top of the page.

The new name appears.

Duplicate a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a dashboard:

1. Do one of the following:

- To duplicate a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

- To duplicate a dashboard via an individual dashboard:

a. View the dashboard you want to duplicate.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Duplicate.

A Successfully copied the dashboard confirmation message appears, and Tenable
Vulnerability Management copies the dashboard on the Dashboards page.

Filter a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can apply filters at the dashboard level to all widgets within that dashboard.

Note: You can apply configurations to individual widgets. The widget-level configuration takes precedence
over dashboard-level configuration.

To filter a dashboard in the new interface:

1. View the dashboard you want to filter.

2. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

3. Click Filter.

The Filter plane appears.

4. In the Select Filter Type drop-down, select the assets you want the dashboard to analyze. The
options and their requirements are:

All Assets (Default)
Description: Includes all the assets in the dashboard.
Requirement: None. This is the default option.

Target Group
Description: Includes only assets in a specific target group.
Requirement: A Select Target Groups field appears when you select this option. Select the
desired target group from the drop-down list.

Custom
Description: Includes only assets with a specific hostname, IP address, FQDN, or CIDR.
Requirement: A text box appears when you select this option. Enter one or more hostnames, IP
addresses, FQDNs, or CIDR ranges. Separate multiple items with commas.

Important: Make sure that the number of IP addresses in your search filter is less than or
equal to 25.

Important: Make sure that the number of hostnames in your search filter is less than or equal
to 300.

5. Click Apply.

The icon appears in the header of all the dashboard widgets.

6. In the widgets section, roll over the icon to view the added filter.

Note: The following are the filtering limitations for Explore widgets:

- Explore widgets do not support Target Groups.

- Cloud Misconfigurations widgets do not support filtering by IP or hostname.

- Cloud Misconfigurations and Web Application Findings widgets do not support tags.

Note: You can filter only with tags you have access to; you cannot apply tags that you do not have
access to.
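The Custom option accepts a free-form, comma-separated list, and the two Important notes above put limits on it (at most 25 IP addresses and at most 300 hostnames). The following Python script is an added example, not part of the Tenable documentation or product: it classifies each entry of a constructed target list as an IP address, CIDR block, FQDN or hostname, rejects malformed entries, and checks the counts against those limits before you paste the list into the filter. The guide does not say how a CIDR block is counted against the IP limit, so the script assumes each block counts as one entry and reports its expanded address count separately so you can judge for yourself.

```python
"""Check a comma-separated target list against the dashboard Custom filter rules.

Added example, not part of the Tenable documentation. It assumes the limits the
guide states (25 IP addresses, 300 hostnames) and, because the guide does not say
how CIDR entries are counted, treats each CIDR block as a single entry while also
reporting how many addresses it expands to.
"""
import ipaddress
import re

MAX_IPS = 25          # limit stated in the guide
MAX_HOSTNAMES = 300   # limit stated in the guide

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(item: str) -> str:
    """Return 'ip', 'cidr', 'fqdn', 'hostname', or 'invalid' for one list entry."""
    item = item.strip()
    if not item:
        return "invalid"
    try:
        ipaddress.ip_address(item)          # plain IPv4 or IPv6 address
        return "ip"
    except ValueError:
        pass
    if "/" in item:
        try:
            ipaddress.ip_network(item, strict=False)   # e.g. 10.0.0.0/24 or 2001:db8::/32
            return "cidr"
        except ValueError:
            return "invalid"
    labels = item.rstrip(".").split(".")
    if len(item) > 253 or not all(_LABEL.match(label) for label in labels):
        return "invalid"
    if all(label.isdigit() for label in labels):
        return "invalid"                    # looks like a malformed IP, not a name
    return "fqdn" if len(labels) > 1 else "hostname"


def validate_filter(text: str) -> dict:
    """Parse the comma-separated list and check it against the guide's limits.

    Duplicate entries are collapsed before counting. Returns a summary dict with
    the classified entries, the CIDR expansion size, and any problems found.
    """
    entries = [e.strip() for e in text.split(",") if e.strip()]
    kinds = {e: classify(e) for e in entries}   # dict keeps first-seen order, drops duplicates
    ips = [e for e, k in kinds.items() if k == "ip"]
    cidrs = [e for e, k in kinds.items() if k == "cidr"]
    names = [e for e, k in kinds.items() if k in ("fqdn", "hostname")]
    invalid = [e for e, k in kinds.items() if k == "invalid"]

    # Assumption: a CIDR block counts as one IP entry; its true size is reported separately
    cidr_addresses = sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)

    problems = []
    if invalid:
        problems.append(f"invalid entries: {invalid}")
    if len(ips) + len(cidrs) > MAX_IPS:
        problems.append(f"{len(ips) + len(cidrs)} IP/CIDR entries exceed the limit of {MAX_IPS}")
    if len(names) > MAX_HOSTNAMES:
        problems.append(f"{len(names)} hostnames exceed the limit of {MAX_HOSTNAMES}")

    return {
        "ips": ips,
        "cidrs": cidrs,
        "hostnames": names,
        "invalid": invalid,
        "cidr_addresses": cidr_addresses,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from any real environment
    sample = "10.0.0.5, 192.168.1.0/24, web01, app.example.com, bad..name"
    result = validate_filter(sample)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on the list you intend to paste into the Custom text box; if `ok` is false, trim or split the list (for example, across two dashboards) before applying the filter rather than discovering the problem after the widgets fail to populate.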

Filter a Dashboard by Time

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can filter a dashboard to show only vulnerabilities within a specific timeframe, in hours, days,
months, or years. Time filters are available only for custom dashboards or dashboards created from
the Template Library.

Note: The filter by time option is available only for Explore dashboards and Explore widgets.

To filter a dashboard by a specific timeframe:

1. View the dashboard you want to filter.

2. To filter your dashboard data for a specific timeframe, do one of the following:

- In the All drop-down box, select the required timeframe: All, 7 days ago, 14 days ago, 30
days ago, 60 days ago, or 90 days ago.

- For a custom timeframe, in the Last Seen box, type the value to view the data within the
last number of hours, days, months, or years.

Tenable Vulnerability Management displays the vulnerabilities for the selected timeframe on
the dashboard.

Share a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management users can share a dashboard with one or more users, or one or
more user groups. Shared dashboards appear automatically for the users or groups with which they
are shared.

Note: You cannot edit dashboards that are shared with you. You can, however, duplicate or delete a
dashboard that is shared with you.

Note: Dashboards are not automatically re-shared with a user after they have been updated. For example:
User A shares a dashboard with User B. User A then makes a change to the dashboard. To see the update,
User A must re-share the dashboard with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard:

1. Do one of the following:

- To share a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

A drop-down list appears.

c. Click Share.

- To share a dashboard via an individual dashboard:

a. View the dashboard you want to share.

b. In the upper-right corner, click Share.

The Share panel appears.

2. Do one of the following:

- To share the dashboard with all users, select the All Users check box.

- To share the dashboard with specific users or user groups, from the drop-down box,
select the users or user groups with which you want to share the dashboard.

Tip: You can share with multiple users or user groups.

3. Click Share.

A Dashboard shared successfully message appears. Tenable Vulnerability Management
shares the dashboard with the designated users or user groups and sends an email indicating
that a dashboard has been shared with them.

Manage Dashboard Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

With the export feature, you can export dashboard data in CSV, PDF, and detailed PDF formats. You
can create dashboard exports on demand or schedule automated exports to specified recipients.

You can also manage your dashboard exports. You can download them, view your export history,
delete your exports, or delete their configuration.

Note: While you cannot export the Vulnerability Management Overview and Asset View dashboards, you
can export their associated landing pages, or export individual widgets on those dashboards. For more
information, see Export a Full Dashboard Landing Page and Export an Individual Dashboard Widget.

Export a Dashboard

To export a dashboard in CSV format:

1. Do one of the following:

- Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to CSV.

- Export the dashboard while viewing the individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click CSV.

An Export in Progress confirmation message appears.

The export request and status appears in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To export a dashboard in PDF format:

You can use the Export PDF feature to share customized dashboards externally. The exported
PDF is a generated report of the selected dashboard.

1. Do one of the following:

- Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to PDF or, where available, Export to PDF - Detailed.

Note: By default, the following dashboards support PDF - Detailed exports:

- Executive Summary
- Exploitable by Malware
- Exploitable Framework Analysis
- Measuring Vulnerability Management
- Mitigation Summary
- Outstanding Remediation Tracking
- Prioritize Assets
- Vulnerabilities by Common Ports
- Vulnerability Management
- Web Services

- Export the dashboard via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information that is included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

An Export in Progress confirmation message appears.

The export request and status appears in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To schedule a dashboard export:

The Schedule Export option allows you to export a dashboard at specified times.

1. Do one of the following:

- Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Schedule Export.

- Access the Schedule Export plane via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. Do one of the following:

- If you have never exported or scheduled an export for the dashboard, the Schedule
options appear automatically.

- If you have already exported the dashboard, in the Schedule section, click Add New.

The Schedule options appear.

- If you have already scheduled an export for the dashboard, you cannot create another
one. You must first cancel the scheduled dashboard export.

3. Select CSV, PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

4. In the Schedule section, set the following parameters:

Name
A name for the scheduled export.

Start Date and Time
The date and time that you want the export to begin.

Repeat
The frequency at which you want Tenable Vulnerability Management to send the export:

- Daily — The export occurs daily at the time specified.

- Weekly — The export occurs every week on the same day at the time specified (for
example, Weekly on Tuesday).

- Monthly — The export occurs once a month on the day of the week and time specified
(for example, Monthly on Last Tuesday).

- Custom — The export occurs at a custom interval. If you select Custom, more options
appear. In the Repeat Every section, use the drop-down boxes to select how often you want
the export to repeat. For example, if you want the export to repeat every 2 days, select 2
in the first drop-down box and Days in the second.

- Does not Repeat — The export does not repeat.

Password Protection
Specifies whether the export file is encrypted. If you toggle this option on, an Encryption
Password box appears. Type the password you want to use to encrypt the export file.

Note: Once you save the scheduled export, you cannot edit the Encryption Password. Instead,
you must create a copy of the dashboard, create a scheduled export, and then select the desired
password.

Tip: Scheduled exports, and PDF - Detailed exports in particular, contain vulnerability details
for your assets and are delivered by email. If you add recipients, turn on Password Protection
so that the emailed file is encrypted, and give recipients the password through a separate
channel.

Add Recipients
(Optional) The email address for the person that receives the report. You can specify multiple
email addresses as a comma-separated list.

5. Click Schedule.

The scheduled export appears in the Schedule Export plane.

Download a Dashboard Export

To download a dashboard export:

1. Do one of the following:

- Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

- Access the Schedule Export plane via an individual dashboard:

a. View the dashboard with the export you want to download.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, next to the export download you want to download, click the
button.

Tenable Vulnerability Management downloads the export file to your computer.

View Dashboard Export History

To view dashboard export history:


1. View the dashboard for which you want to view export history.

2. In the upper-right corner, click Export.

A drop-down list appears.

3. In the drop-down list, click History.

The Export History plane appears.


On the Export History plane, you can view:

- The schedule for the dashboard export.

- Available downloads of previous dashboard exports.

You cannot access the Export History plane if the dashboard has not yet been exported.

Delete a Dashboard Export Download

To delete a dashboard export download:


1. Do one of the following:

- Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

- Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete an export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, roll over the export download you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Delete.

A Download deleted successfully message appears and Tenable Vulnerability Management
removes the export download from the Schedule Export plane.

Delete a Dashboard Export Configuration

To delete a dashboard export configuration:

1. Do one of the following:

- Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

- Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete a scheduled export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Schedule section, roll over the scheduled export configuration you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Confirm.

A Successfully deleted export configuration message appears and Tenable Vulnerability
Management removes the export configuration from the Schedule section of the Schedule
Export plane.

Delete a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: In Tenable Vulnerability Management, you can only delete custom dashboards. You cannot delete
Tenable-Provided Dashboards.

To delete a dashboard:

1. Do one of the following:

- Delete a dashboard from the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

- Delete a dashboard from the individual dashboard:

a. View the dashboard you want to delete.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Delete.

A Confirm Deletion confirmation message appears.

3. Click Delete.

A Successfully deleted the dashboard confirmation message appears and Tenable
Vulnerability Management removes the dashboard from the Dashboards page.

Manage Widgets
You can use the widget library to create and edit widgets to use across your dashboards.

To manage widgets in the widget library:

- View the Widget Library

- Create a Custom Widget

- Edit a Custom Widget

- Add a Widget to a Dashboard

On your dashboards, you can further configure widgets to modify your dashboards.

To manage widgets on a dashboard:

- Configure a Widget

- Duplicate a Widget

- Rename a Widget

- Delete a Widget from a Dashboard

View the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The widget library provides a selection of Tenable-provided widgets to add to your template-based
or custom dashboard.

Note: The Tenable-provided Vulnerability Trending widget is not available in the widget library. All other
Tenable-provided widgets appear in the widget library.

To view the widget library:

1. View the Dashboards page.

2. In the upper-right corner of the page, click the Widget Library button.

The Widgets page appears.

3. (Optional) In the upper-left corner of the page, click the tab for the dashboard widgets you
want to view. For example, if you want to view only widgets associated with Tenable Vulnerability
Management, click the Vulnerability Management tab.

Note: The tabs that appear on the Widgets page depend on the licenses (for example, Tenable
Lumin, Tenable Web App Scanning) you have enabled in Tenable Vulnerability Management.

On the Widgets page you can:

- Sort the Widgets page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the Widgets page.

- In the upper-left corner, use the Search bar to search for specific widgets.

- Click the New and Updated tab to view dashboard widgets that are eligible for auto-update.

- Add the widget to a dashboard.

- Delete a widget from the widget library.

Delete a Widget from the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You can only delete custom widgets. You cannot delete pre-configured Tenable Vulnerability
Management widgets.

To delete a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the header of the widget you want to delete, click the button.

A drop-down menu appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Vulnerability Management removes the widget from the widget plane, and a message
confirming the deletion appears at the top of the plane.

Create a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined dashboards.

To create a custom widget:

1. Do one of the following:

l Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the Custom Widget button.

The Create Custom Widget page appears.

l Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the upper-right corner of the page, click Add Widgets.

A menu appears.

3. Click Custom Widget.

The Widgets page appears.

4. In the charts section, select the chart type for your custom widget:

l Table

l Ring chart (Vulnerabilities dataset only)

l Bar chart (Vulnerabilities dataset only)

5. In the dataset drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

l Vulnerabilities

l Assets

Note: If you selected ring chart or bar chart in the charts section, selecting the Assets
dataset resets the chart selection to a table.

The chart type, Data Grouping, and Display Fields options update based on your selection.

6. In the Data Grouping drop-down box, select how you want to group the data:

l By Plugin (Vulnerabilities dataset only)

l By Asset (Vulnerabilities dataset only)

l By CVE (Vulnerabilities dataset only)

l Asset List (Assets dataset only)

7. (Optional) To filter the widget data using filters:

a. Click the button to expand the filter options.

b. In the drop-down box, select category, operator, and value types.

c. (Optional) Click the Add button to specify more filters.

Note: If you previously created a tag, it appears in the custom widget's list of filters.

Note: If you exceed the current asset query limitation of 5,000, a message appears in your interface.
Refine the query to a smaller set of asset tags.

Note: Tenable Vulnerability Management does not currently support tag filters in exports.

8. (Optional) To filter the widget data using an existing saved search, in the Saved Searches
drop-down box, select the saved search you want to use to filter your widget data.

Note: If you do not have any saved searches, this option does not appear. To create a new saved
search, see Saved Search.

9. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

10. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the description hover text updates
automatically.

11. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

12. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Create a Custom Widget for Explore Dashboards

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined Explore dashboards. You can create custom widgets with vulnerabilities and
assets data. Vulnerabilities can include host vulnerabilities, Tenable Web App Scanning
vulnerabilities, and vulnerabilities from Legacy Tenable Cloud Security. Adding a mix of these
custom widgets to your dashboard provides you with a holistic view of the vulnerability
environment.

You can drill down from the custom widgets to the Findings and Assets pages.

To create a custom widget:

1. Do one of the following:

l Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the New Custom Widget button.

The Create Custom Widget page appears.

l Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the Chart Type section, select the chart type for your custom widget:

l Chart types for vulnerabilities:

l Bar

l Column

l Doughnut

l Matrix

l Multi-series Bar

l Multi-series Column

l Stacked Bar

l Stacked Column

l Table

l Chart types for assets:

l Column

l Bar

l Doughnut

l Table

3. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

4. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the contextual description updates
automatically.

5. In the Data Set drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

l Findings

l Assets

The Chart Type, Group By, and Sort Fields options update based on your selection.

If you selected Findings, provide the following details:

a. In the Entity drop-down box, select the type of vulnerability for which you want to create a widget. You can select from the following:

l Vulnerabilities — Includes the list of findings.

l Web Application Findings — Includes vulnerabilities from Tenable Web App Scanning.

l Cloud Misconfigurations — Includes vulnerabilities from Legacy Tenable Cloud Security.

b. In the Limit drop-down box, select the number of records you want to show on the widget. The default value is 5 and the maximum value is 20.

c. In the Group By drop-down box, select how you want to group the data. The values in the Group By drop-down change based on the Entity you select.

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to group vulnerabilities. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and Stacked Column chart types, you must select two options for grouping vulnerabilities.

For more information about all filters, see Findings Filters.

d. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart type, you can select from multiple options.

e. In the Sort Fields drop-down box, select how you want to sort the data on the widget. You can sort by one of these options:

l Count

l Value in Group By

f. In the Sort Order drop-down box, select whether you want the sort in ascending or descending order.

If you selected Assets, provide the following details:

a. In the Limit drop-down box, select the number of records you want to show on the widget. The default value is 5 and the maximum value is 20.

b. In the Group By drop-down box, select how you want to group the data:

l System Type

l Name

l Operating System

l SSH Fingerprint

l Fully Qualified Domain

l Mac Addresses

l Asset Types

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to group assets. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and Stacked Column chart types, you must select two options for grouping assets.

c. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart type, you can select from multiple options.

6. For each filter you want to use, do the following:

Note: Tenable recommends that you use simple queries, with at most one level of nested filters, rather than complex queries when creating your custom widgets. Widgets can have a maximum of one level of nested filters, provided no additional context filters are applied when the widgets are added to dashboards. An example of a query with one level of nesting:
(CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9) AND State is not equal to Fixed

a. Click Select Filters.

The Select Filters drop-down box appears.

b. Click the filter you want to apply.

The filter appears in the box.

c. In the filter, click the ˅ button.

A list of filter value and operator options appears.

d. In the first drop-down box, select the operator you want to apply to the filter.

e. In the second drop-down box, select one or more values to apply to the filter.

f. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
sets the filter to Match All.

7. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

8. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.
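The one-level nesting limit in the note under step 6 is easiest to see by evaluating such a query. The following Python is an added illustration, not Tenable's code or part of this guide: it models the note's example query as a Match All group containing one Match Any group, checks the nesting depth before applying it, and runs it over a handful of constructed findings. The field names, the finding records, and the depth check are assumptions made for the example; Tenable Vulnerability Management evaluates widget filters on its own side.

```python
"""Added example (not Tenable's code): apply a custom-widget filter with one level of
nesting to constructed findings.

Query modelled from the note in step 6:
  (CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9) AND State is not equal to Fixed
Field names, finding records and the nesting-depth check are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Any, List, Union
import operator

# Operator labels as they read in the filter drop-down, mapped to comparisons.
OPERATORS = {
    "is greater than": operator.gt,
    "is less than": operator.lt,
    "is equal to": operator.eq,
    "is not equal to": operator.ne,
}


@dataclass
class Filter:
    """One filter row: a field name, an operator label, and a value."""
    name: str
    op: str
    value: Any

    def matches(self, finding: dict) -> bool:
        # A finding with no VPR (e.g., an Info finding without a CVE) never matches a VPR filter.
        if finding.get(self.name) is None:
            return False
        return OPERATORS[self.op](finding[self.name], self.value)


@dataclass
class Group:
    """Filters joined by Match All ("all" = AND) or Match Any ("any" = OR)."""
    match: str
    children: List[Union["Group", Filter]] = field(default_factory=list)

    def depth(self) -> int:
        """0 for a flat group, 1 when a child is itself a group, and so on."""
        return max((1 + c.depth() for c in self.children if isinstance(c, Group)), default=0)

    def matches(self, finding: dict) -> bool:
        results = (c.matches(finding) for c in self.children)
        return all(results) if self.match == "all" else any(results)


MAX_NESTING = 1  # the note's limit: at most one level of nested filters


def apply_widget_filter(query: Group, findings: List[dict]) -> List[dict]:
    """Return the findings the query selects, rejecting queries nested deeper than allowed."""
    if query.depth() > MAX_NESTING:
        raise ValueError(f"query nests {query.depth()} levels; widgets allow at most {MAX_NESTING}")
    return [f for f in findings if query.matches(f)]


# The note's query: an outer Match All group with one inner Match Any group.
EXAMPLE_QUERY = Group("all", [
    Group("any", [
        Filter("CVSSv3 Base Score", "is greater than", 8.9),
        Filter("VPR", "is greater than", 8.9),
    ]),
    Filter("State", "is not equal to", "Fixed"),
])

# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS = [
    {"plugin": 1, "CVSSv3 Base Score": 9.8, "VPR": 9.2, "State": "Active"},
    {"plugin": 2, "CVSSv3 Base Score": 9.1, "VPR": 5.0, "State": "Fixed"},      # excluded: Fixed
    {"plugin": 3, "CVSSv3 Base Score": 7.5, "VPR": 9.0, "State": "Resurfaced"},
    {"plugin": 4, "CVSSv3 Base Score": 7.5, "VPR": 6.4, "State": "Active"},     # excluded: neither score > 8.9
    {"plugin": 5, "CVSSv3 Base Score": 0.0, "VPR": None, "State": "Active"},    # Info finding, no VPR
]


def selected_plugins(query: Group = EXAMPLE_QUERY, findings: List[dict] = SAMPLE_FINDINGS) -> List[int]:
    """Plugin IDs of the findings the query selects, in input order."""
    return [f["plugin"] for f in apply_widget_filter(query, findings)]


if __name__ == "__main__":
    print(selected_plugins())
```

Finding 2 drops out on the State clause even though its CVSSv3 score qualifies, and finding 5 never matches because it has no VPR to compare, which is the behaviour to expect from widgets that filter on VPR over Info-severity findings.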

Edit a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You cannot edit Tenable-provided widgets.

To edit a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the upper-right corner of the widget you want to edit, click the button.

A menu appears.

4. Click Edit.

The widget options appear.

5. Edit the widget options.

6. Click Save and Exit.

A confirmation appears.

Note: A custom widget that was previously included in dashboards before you edited the widget does not
update to reflect your edits. To include the edited widget, you must add the widget again as described in
Add a Widget to a Dashboard.

Add a Widget to a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Use the following steps to add a widget to your template-based and custom dashboards.

You can add custom widgets, widgets from Tenable-provided dashboards, and other general
purpose Tenable-provided widgets.

To add a widget to a dashboard:

Note: These steps describe how to add a template widget to a dashboard. See custom widgets for
information on how to create custom widgets and add them to your dashboard.

1. View the widget library.

2. For each widget you want to add:

a. Do one of the following:

l Scroll through the list of widgets.

l Use the Search box to find a specific widget.

Tip: You can hover over a widget tile for brief descriptions of each widget. For detailed
descriptions about widgets originating from Tenable-provided dashboards, see Tenable-
Provided Dashboards.

b. Roll over the widget you want to add.

The Add to Dashboards button appears.

c. Click Add to Dashboards.

The Add to Dashboards plane appears.

d. In the Dashboards drop-down box, select the dashboard or dashboards to which you
want to add the widget.

e. Click Save.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard or dashboards.

f. Click Add.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard.

3. Click Done.

You return to the Dashboards page.

Configure a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To configure a widget:

1. View the dashboard page that contains the widget you want to configure.

2. In the upper-right corner of the widget you want to change, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. On the widget summary plane, do any of the following:

l Rename the widget:

a. Do one of the following:

l Click the name of the widget.

l In the widget summary plane, roll over the widget name and click the
button.

The name field becomes an editable text box.

b. Type a new name for the widget.

c. Click the button to confirm the name change.

A confirmation message appears at the top of the page, and the new name
appears in the widget header.

l Edit the widget description:

a. Do one of the following:

l Click the widget description.

l In the widget summary plane, roll over the widget description and click the
button.

The description field becomes an editable text box.

b. Type a new description for the widget.

c. Click the button to confirm the change.

A confirmation message appears at the top of the page, and the new description
appears in the widget header.

l Duplicate the widget:

o In the Actions row, click the button.

A confirmation message appears and Tenable Vulnerability Management adds the duplicated widget to the dashboard.

l Delete the widget from the dashboard:

a. In the Actions row, click the button.

A Confirm Deletion message appears.

b. Click Delete.

A confirmation message appears and Tenable Vulnerability Management removes the widget from the dashboard.

l Apply filters to the widget:

Option: All Assets (Default)
Description: This option includes all the assets in the dashboard.
Requirement: This is the default option and includes all assets in the dashboard. There is no requirement for this option.

Option: Custom
Description: This option only includes assets with a specific hostname, IP address, FQDN, or CIDR.
Requirement: When you select this option, a text box appears. Enter one or more of the custom option formats (hostname, IP address, FQDN, or CIDR). You must separate multiple items with a comma.

Option: Tags
Description: This option uses tags to filter asset results or vulnerability results.
Note: Because the ACR Widget uses Tenable Lumin data, this widget does not support filtering by tag.
Requirement: When you select this option, a drop-down box appears. Select or type the tag name by which you want to filter results. Tenable Vulnerability Management filters the results by the selected tags.
Note: Tenable Vulnerability Management supports a maximum of 100 filters.

Note: Once you apply a filter to a widget, an icon appears in the widget header. Roll over the
icon to view the applied filter.

5. Click Apply.

A confirmation message appears and Tenable Vulnerability Management applies your changes
to the widget.

Duplicate a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a widget:

1. View the dashboard page that contains the widget you want to duplicate.

2. In the upper-right corner of the widget you want to duplicate, click the button.

A menu appears.

3. Click Duplicate.

The duplicated widget appears at the bottom of the page.

4. (Optional) Change the name of the widget.

5. (Optional) Reorder the widget sections.

Rename a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To rename a widget:

1. View the dashboard page that contains the widget you want to change.

2. In the upper-right corner of the widget you want to rename, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. In the widget summary plane, roll over the widget name.

The button appears next to the name.

5. Click the button or double-click the name.

The name field becomes an editable text box.

6. Type a new name for the widget.

7. Click the button to confirm the name change.

A confirmation message appears at the top of the page.

The new name appears in the widget header.

Delete a Widget from a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To remove a widget from a dashboard:

1. View the dashboard page that contains the widget you want to remove.

2. In the upper-right corner of the widget you want to remove, click the button.

A menu appears.

3. Click Delete.

Tenable Vulnerability Management prompts you to confirm the removal.

4. Click Delete.

A confirmation message appears at the top of the page.

Tenable Vulnerability Management removes the widget from the dashboard. Remaining
widgets adjust to fill the new space.

Welcome to Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can use Tenable Lumin to quickly and accurately assess your risk and compare your health and
remediation performance to other Tenable customers in your Salesforce industry and the larger
population. Tenable Lumin correlates raw vulnerability data with asset business criticality and
threat context data to support faster, more targeted analysis workflows than traditional
vulnerability management tools.

Tenable-provided metrics help you quantify your risk to make informed remediation and strategic
security decisions. For more information about the metrics used in Tenable Lumin analysis, see
Tenable Lumin Metrics.

For information on how to prepare, install, and configure Tenable Lumin, see Get Started with
Tenable Lumin.

Important! Tenable One customers can access Tenable Lumin directly from the Workspace page.

Tenable Lumin Metrics


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Lumin uses several metrics to help you assess your risk.

l Cyber Exposure Score (CES)

l Vulnerability Priority Rating (VPR)

l Asset Criticality Rating (ACR)

l Asset Exposure Score (AES)

l Assessment Maturity Grade

l Remediation Maturity Grade

For information about improving the accuracy of your Tenable Lumin metrics and increasing your
overall vulnerability management health, see Improve Your Tenable Lumin Metrics.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see
Findings.

Cyber Exposure Score (CES)


Tenable calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000,
based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES
values indicate higher risk.

You can view CES for different groups of assets, including:

l the overall CES for your entire organization (for example, the CES displayed in the Cyber
Exposure Score widget)

l the tag-level CES for assets in a specific business context (for example, the CES displayed in
the Cyber Exposure Score by Business Context/Tag widget).

CES Category CES Range

High 650 to 1000

Medium 350 to 649

Low 0 to 349

To view the CES for your entire organization or for a group of assets, view the widgets on the View
the Tenable Lumin Dashboard.

For more information about how long Tenable Vulnerability Management takes to calculate or
recalculate your CES, see Tenable Lumin Data Timing.

Vulnerability Priority Rating (VPR)


Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many
vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these
vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your
assets with the highest ACRs.

To view the VPR for a specific vulnerability, view vulnerabilities as described in View Vulnerabilities
by Plugin.

VPR Key Drivers


Tenable uses the following key drivers to calculate a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver: Age of Vuln
Description: The number of days since the National Vulnerability Database (NVD) published the vulnerability.

Key Driver: CVSSv3 Impact Score
Description: The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

Key Driver: Exploit Code Maturity
Description: The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Key Driver: Product Coverage
Description: The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Key Driver: Threat Sources
Description: A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.

Key Driver: Threat Intensity
Description: The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Key Driver: Threat Recency
Description: The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

l An exploit of the vulnerability

l A posting of the vulnerability exploit code in a public repository

l A discussion of the vulnerability in mainstream media

l Security research about the vulnerability

l A discussion of the vulnerability on social media channels

l A discussion of the vulnerability on the dark web and underground

l A discussion of the vulnerability on hacker forums

Asset Criticality Rating (ACR)

Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as
an integer from 1 to 10. A higher ACR indicates higher criticality.

ACR Category ACR Range

Critical 9 to 10

High 7 to 8

Medium 4 to 6

Low 1 to 3

Because Tenable Vulnerability Management calculates ACR values every 24 hours, you may need to
wait up to 24 hours to view the ACR after scanning the asset on your network.

Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if
necessary. You can customize ACR values to reflect the unique infrastructure or needs of your
organization, as described in Edit an ACR.

If an asset receives multiple ACR values, Tenable Vulnerability Management prioritizes the values in
the following order:

1. If set, the manually overridden ACR value.

2. The Tenable-provided ACR value.

To view the ACR for a specific asset, view the asset details as described in View Asset Details.
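The guidance in the VPR section (prioritize the highest-VPR vulnerabilities on your highest-ACR assets, and fall back to CVSS-based severity where a finding has no VPR) and the ACR precedence rule above (a manual override wins over the Tenable-provided value) combine into a simple ranking. The following Python is an added example, not Tenable's code: it encodes the VPR and ACR category ranges from this guide, resolves each asset's effective ACR, and orders constructed findings by effective ACR and then VPR. The records and the lexicographic sort key are assumptions for the example; Tenable's own Asset Exposure Score is computed differently and is not reproduced here.

```python
"""Added example (not Tenable's code): rank findings by asset ACR and vulnerability VPR.

VPR ranges (this guide): Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9.
ACR ranges (this guide): Critical 9-10, High 7-8, Medium 4-6, Low 1-3.
The asset/finding records and the ranking key are constructed assumptions."""
from typing import List, Optional, Tuple


def vpr_category(vpr: Optional[float]) -> str:
    """Map a VPR to its category; findings without an NVD CVE have no VPR."""
    if vpr is None:
        return "No VPR"
    if not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    if vpr >= 9.0:
        return "Critical"
    if vpr >= 7.0:
        return "High"
    if vpr >= 4.0:
        return "Medium"
    return "Low"


def acr_category(acr: int) -> str:
    """Map an ACR (integer 1-10) to its category."""
    if not 1 <= acr <= 10:
        raise ValueError(f"ACR out of range: {acr}")
    if acr >= 9:
        return "Critical"
    if acr >= 7:
        return "High"
    if acr >= 4:
        return "Medium"
    return "Low"


def effective_acr(asset: dict) -> int:
    """ACR precedence from this guide: a manually overridden value beats the Tenable-provided one."""
    override = asset.get("acr_override")
    return override if override is not None else asset["acr_tenable"]


# CVSS-based severity, used only to order findings that carry no VPR (assumed labels).
CVSS_SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def priority_key(finding: dict, assets: dict) -> Tuple[int, float, int]:
    """Sort key (assumption): effective ACR first, then VPR; a finding with no VPR sorts below
    every VPR-bearing finding on the same asset and is ordered by its CVSS severity."""
    acr = effective_acr(assets[finding["asset"]])
    vpr = finding.get("vpr")
    return (acr, -1.0 if vpr is None else vpr, CVSS_SEVERITY_RANK[finding["cvss_severity"]])


def prioritise(findings: List[dict], assets: dict) -> List[dict]:
    """Findings ordered highest priority first, annotated with their ACR and VPR categories."""
    ordered = sorted(findings, key=lambda f: priority_key(f, assets), reverse=True)
    result = []
    for f in ordered:
        acr = effective_acr(assets[f["asset"]])
        result.append({**f, "acr": acr, "acr_category": acr_category(acr),
                       "vpr_category": vpr_category(f.get("vpr"))})
    return result


# Constructed sample data (not real assets or findings).
ASSETS = {
    "db01":  {"acr_tenable": 8, "acr_override": 10},   # reviewed and raised by the customer
    "kiosk": {"acr_tenable": 3, "acr_override": None},
    "web01": {"acr_tenable": 7, "acr_override": None},
}
FINDINGS = [
    {"id": "f1", "asset": "kiosk", "vpr": 9.9, "cvss_severity": "Critical"},
    {"id": "f2", "asset": "db01",  "vpr": 7.4, "cvss_severity": "High"},
    {"id": "f3", "asset": "db01",  "vpr": None, "cvss_severity": "Medium"},   # no CVE, so no VPR
    {"id": "f4", "asset": "web01", "vpr": 9.1, "cvss_severity": "Critical"},
    {"id": "f5", "asset": "db01",  "vpr": 9.3, "cvss_severity": "High"},
]


def prioritised_ids() -> List[str]:
    """Finding IDs in remediation order for the sample data."""
    return [f["id"] for f in prioritise(FINDINGS, ASSETS)]


if __name__ == "__main__":
    for f in prioritise(FINDINGS, ASSETS):
        print(f["id"], f["asset"], "ACR", f["acr"], f["acr_category"], "VPR", f["vpr"], f["vpr_category"])
```

With this key the Critical-VPR finding on the low-ACR kiosk lands last, behind a High-VPR finding on the overridden Critical-ACR database host; if your program weighs VPR more heavily, swap the key's order, but keep the override precedence and the no-VPR fallback.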

ACR Key Drivers


Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.

Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global
threat landscape associated with the asset's characteristics.

Note: Running unauthenticated scans may result in limited or incomplete ACR key drivers.

Key Driver Types:

Key Driver: device_type
Description: The device type. For example:

l hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft Hyper-V, VMware ESX/ESXi, or Xen).

l printer — The device is a networked printer or a printing server.

Key Driver: device_capability
Description: The device's business purpose. For example:

l file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB, NFS, or NAS server).

l mail_server — The device is a server designated for sending and receiving emails.

Key Driver: internet_exposure
Description: The device's location on your network and proximity to the internet. For example:

l internal — The device is located within your local area network (LAN), possibly behind a firewall.

l external — The device is located outside your LAN and not behind a firewall.

ACR Device Capabilities:

Part of ACR device capabilities are defined by which software is installed on the target host. For each capability, the description and the software or services whose detection indicates it are listed.

Capability: accounting_system
Description: An accounting solution is installed on the target asset.
Software or Services: Intuit Quickbooks

Capability: backup_agent
Description: A backup solution agent is installed on the target asset.
Software or Services: Amanda backup (agent)

Capability: analytics_system
Description: A software solution for data analytics and reporting is installed on the target host.
Software or Services: QlikView, TIBCO Spotfire, IBM SPSS, SharePoint 2013, SOLR, Elasticsearch, Enterprise Search, Google Search Appliance, Lucene, SQL Server Reporting Services, Oracle BI publisher, SAP Business Object

Capability: backup_server
Description: An enterprise backup solution is installed or running on the target host.
Software or Services: Acronis Backup, Quest NetVault, Unitrends Enterprise Backup, Veritas Backup Exec, Spectrum Protect (formerly Tivoli Storage Manager)

Capability: crm_system
Description: A Customer Relationship Management (CRM) solution is installed or running on the target host.
Software or Services: SugarCRM, Bitrix24 CRM, Siebel CRM

Capability: database_server
Description: A database system is installed on the target host or a database server is running on the target host.
Software or Services: PostgreSQL, Microsoft SQL Server, MongoDB, Oracle Database, Db2 Hosted, Percona XtraDB Cluster, IBM Informix, Percona Server, MariaDB Cluster, MySQL, SAP Adaptive Server Enterprise (ASE), MariaDB Server, SQLite, Apache Derby Network Server, SAP DB, Cogent Datahub Server

Capability: directory_server
Description: The target asset is an authentication server.
Software or Services: McAfee Stonegate Authentication Server, Kerberos Ticketing Server, LDAP protocol, IBM Tivoli, Stonegate Auth Server

Capability: dns_server
Description: A DNS server is running on the target asset.
Software or Services: DNS Service on Port 53

Capability: erp_system
Description: An Enterprise Resource Planning (ERP) suite server is running or installed on the target asset.
Software or Services: Microsoft Dynamics AX, Oracle E-Business Suite, SAP ERP, Microsoft Dynamics GP, SAP DB, SAPControl, SAP RMI-P4 Protocol Service, SAP Host Control, Apache OFBiz

Capability: erp_system_client
Description: Client software for accessing ERP systems is installed on the target asset.
Software or Services: SAP GUI

Capability: file_server
Description: The target asset is used for file sharing. File sharing is meant here in a narrow sense: an SMB server is not considered a file server in this classification.
Software or Services: WebCenter, ownCloud, Sharepoint, Oracle WebCenter Content, FTP service, Apple File Protocol (AFP) service, Network File System (NFS) Server Detection

Capability: helpdesk_system
Description: A help desk ticketing server is installed or running on the target asset.
Software or Services: SugarCRM, Track-It!, ServiceDesk Plus, OTRS, ManageEngine Service Desk

Capability: it_management_system
Description: The target asset performs some type of IT management function. This can be IT infrastructure management, including managing a single device or service or a group of them, or IT service management such as software provisioning, device management, or software repository management.
Software or Services: Application Insight, Solarwinds Server & Application Monitor, ManageEngine Application Performance Monitoring, System Center Operations Manager, Applications Manager-ManageEngine, ManageEngine Desktop Central, Ghost Solution Suite, ZENworks - Configuration Management, IBM BigFix, System Center Configuration Manager, CA Unified Infrastructure Management, Centreon, VMware vRealize Operations, OpManager, Nagios XI, SCOM, PRTG Network Monitor, Zabbix, SolarWinds Storage Resource Monitor, GroundWork Monitor, Pandora FMS, Tivoli Monitoring, OP5 Monitor, NetFlow Traffic Analyzer, Cisco Prime Infrastructure, H3C Intelligent Management Center, ZENworks Asset Management, Unified Endpoint Manager, Google Analytics, HP 3PAR Management Server, Fortigate Firewall Management Console, Barracuda Spam & Virus Firewall Management Web Console

Capability: mail_server
Description: The target asset is a mail server.
Software or Services: IBM Domino, IMAP Service Detection, CCProxy SMTP Server Detection, SMTP Service Detection, POP Service Detection

Capability: pci
Description: The target asset has PCI sensitive information.
Software or Services: PCI Plugin Fired

Capability: pci-target
Description: The target asset is a PCI scan target.
Software or Services: "pci" Keyword Found in Scan Name

Capability: proxy_server
Description: The target asset is a proxy server.
Software or Services: Oracle iPlanet Web Proxy Server, HTTP proxy Detected in Service Banner, McAfee Email Gateway

Capability: reverse_proxy_server
Description: The target asset is a reverse proxy that directs external client requests to internal servers. A reverse proxy can be an ADC or a load balancer.
Software or Services: NetApp SANtricity Web Services Proxy, Foreman Smart-Proxy TFTP

Capability: rnd_software
Description: The target asset is used for development purposes because product development software is installed on it.
Software or Services: Red Hat Mobile Application Platform, Application Testing Suite, Windows Visual Studio, AutoCAD, MAC OS Xcode IDE, Autodesk DWG TrueView Detection

Capability: scada
Description: Software systems used for managing industrial processes are installed or running on the target asset.
Software or Services: AVEVA InduSoft Web Studio / InTouch Edge HMI TCP/IP Server, Trihedral VTScada Detection

Capability: upnp
Description: The target asset supports UPnP. It is likely to be an appliance.
Software or Services: UPnP service detection

Capability: web_application_server
Description: A web application server is running or installed on the target asset. Having a web application server running on the target asset does not by itself indicate its criticality, but it can hint at criticality when combined with other properties, e.g. web application server + external + server device type = high criticality.
Software or Services: Geronimo, Resin, Tuxedo, Tomcat, Jetty, Red Hat OpenShift, Microsoft .NET Platform, Red Hat Jboss EAP, WebLogic Server, Magento, WebSphere Commerce, Cobalt, DNN Platform, Umbraco, Oracle WebCenter Sites, Glassfish, nginx, Microsoft IIS

Asset Exposure Score (AES)

Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative
exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs
associated with the asset.

AES Category AES Range

High 650 to 1000

Medium 350 to 649

Low 0 to 349

To view the AES for a specific asset, see View Assets.

Assessment Maturity Grade


Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

Assessment Maturity provides a high-level summary of how effectively you are scanning for
vulnerabilities on your licensed assets. Tenable calculates a dynamic Assessment Maturity grade
that represents your assessment scanning health as a letter grade between A and F. An A grade
indicates you are assessing your assets frequently and thoroughly.

Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable Vulnerability
Management automatically provides an updated Assessment Maturity grade daily.

Assessment Maturity Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

How is my Assessment Maturity calculated?

l For asset scores:

o Scan Frequency score — How often the asset was scanned within the last 90 days

o Scan Depth score — Whether or not the asset was in an authenticated scan within the last 90 days

o Assessment Maturity score — A calculation of (Scan Frequency score + Scan Depth score) / 2

l For a container/business context score:

o Scan Frequency score — the average of the asset Scan Frequency scores

o Scan Depth score — the average of the asset Scan Depth scores

o Assessment Maturity score — the average of the asset Assessment Maturity scores

Scan Depth Score

A high depth grade indicates you are running authenticated scans on these assets.

Depth Grade Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

Scan Frequency Score

Tenable calculates your frequency grade based on how often you scan assets on your network. A
high frequency grade indicates you are scanning your assets often.

Frequency Grade Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment
Maturity Details.

For more information about how long Tenable Vulnerability Management takes to calculate or
recalculate your Assessment Maturity grade, see Tenable Lumin Data Timing.
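The arithmetic under "How is my Assessment Maturity calculated?" is short enough to carry through end to end. The following Python is an added example, not Tenable's code: it computes each asset's Assessment Maturity score as (Scan Frequency score + Scan Depth score) / 2, averages the three scores over a business context, and maps each result to the letter grade ranges in the tables above. The per-asset frequency and depth score values are constructed inputs; how Tenable derives them from 90 days of scan history is not specified on this page, so they are taken as given 0-100 numbers.

```python
"""Added example (not Tenable's code): Assessment Maturity arithmetic from this guide.

Per asset:     Assessment Maturity = (Scan Frequency score + Scan Depth score) / 2
Per container: each score is the average of the asset scores
Letter grades: A 75-100, B 55-74, C 30-54, D 15-29, F 0-14
The asset score values below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Lower bound of each letter-grade band, highest first.
GRADE_BANDS = [(75, "A"), (55, "B"), (30, "C"), (15, "D"), (0, "F")]


def letter_grade(score: float) -> str:
    """Map a 0-100 score to its letter grade using the table's lower bounds."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for lower, grade in GRADE_BANDS:
        if score >= lower:
            return grade
    return "F"


@dataclass(frozen=True)
class AssetAssessment:
    name: str
    scan_frequency: float  # 0-100: how often the asset was scanned in the last 90 days (assumed value)
    scan_depth: float      # 0-100: whether the asset was in an authenticated scan in the last 90 days

    def assessment_maturity(self) -> float:
        """Asset score: (Scan Frequency score + Scan Depth score) / 2."""
        return (self.scan_frequency + self.scan_depth) / 2


def container_scores(assets: List[AssetAssessment]) -> Dict[str, float]:
    """Container/business context scores: the average of each asset score."""
    if not assets:
        raise ValueError("a container needs at least one assessed asset")
    n = len(assets)
    return {
        "scan_frequency": sum(a.scan_frequency for a in assets) / n,
        "scan_depth": sum(a.scan_depth for a in assets) / n,
        "assessment_maturity": sum(a.assessment_maturity() for a in assets) / n,
    }


def container_grades(assets: List[AssetAssessment]) -> Dict[str, str]:
    """Letter grades for a container's frequency, depth and Assessment Maturity scores."""
    return {k: letter_grade(v) for k, v in container_scores(assets).items()}


# Constructed business context with three assets (assumed score values).
PRODUCTION = [
    AssetAssessment("web01", scan_frequency=100, scan_depth=100),  # frequent, credentialed scans
    AssetAssessment("db01", scan_frequency=80, scan_depth=100),
    AssetAssessment("kiosk", scan_frequency=50, scan_depth=0),     # never scanned with credentials
]


if __name__ == "__main__":
    for a in PRODUCTION:
        score = a.assessment_maturity()
        print(a.name, score, letter_grade(score))
    print(container_scores(PRODUCTION))
    print(container_grades(PRODUCTION))
```

For this data the container's frequency grade is an A while its depth grade is only a B: a single asset that is never scanned with credentials pulls the whole business context's Assessment Maturity down to 71.67 (B), which is the kind of drop to look for when a grade changes without any scan schedule having changed.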

Remediation Maturity Grade


Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

Remediation Maturity provides a high-level summary of how effectively you are remediating
vulnerabilities on your licensed assets. Tenable calculates a dynamic Remediation Maturity grade
that represents your remediation health as a letter grade between A and F. An A grade indicates
you are remediating the vulnerabilities on your assets quickly and thoroughly.

Remediation Maturity Letter Grade    Numerical Range
A                                    75 to 100
B                                    55 to 74
C                                    30 to 54
D                                    15 to 29
F                                    0 to 14

Your Remediation Maturity grade is the combination of your remediation responsiveness grade and
your remediation coverage grade.

Tenable provides a Remediation Maturity grade the first time you remediate a vulnerability. Then,
Tenable Lumin automatically provides an updated Remediation Maturity grade daily.

Remediation Responsiveness Grade

Tenable calculates your remediation responsiveness grade based on how long it takes you to
remediate a vulnerability after it is first discovered (the First Seen date).

A high remediation responsiveness grade indicates you are quickly remediating the vulnerabilities
on your assets.

Remediation Responsiveness Letter Grade    Numerical Range
A                                          75 to 100
B                                          55 to 74
C                                          30 to 54
D                                          15 to 29
F                                          0 to 14

Remediation Coverage Grade

Tenable calculates your remediation coverage grade based on the percentage of remediated
vulnerabilities on your assets.

A high remediation coverage grade indicates you are remediating a high percentage of the
vulnerabilities on your assets.

Remediation Coverage Letter Grade    Numerical Range
A                                    75 to 100
B                                    55 to 74
C                                    30 to 54
D                                    15 to 29
F                                    0 to 14

To view your Remediation Maturity grade, remediation responsiveness grade, and remediation
coverage grade, see View Remediation Maturity Details.

For more information about how long Tenable Lumin takes to calculate or recalculate your
Remediation Maturity grade, see Tenable Lumin Data Timing.

Improve Your Tenable Lumin Metrics

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

If you want to improve the accuracy of your Tenable Lumin metrics and increase your overall
vulnerability management health, evaluate your Tenable-provided values and your scanning
strategy.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information, see
Findings.

To improve the accuracy of your Tenable Lumin metrics:

1. On the Assessment Maturity Details page, review your Assessment Maturity grade to evaluate
your overall scanning health.

Do any of the following, depending on what your data shows:

- Perform any actions described in the Recommended Actions widget.

- View details about your Assessment Maturity depth grade in the Depth Grade widget. If
  necessary, improve your depth grade by increasing the number of plugins enabled in
  your user-defined templates or scans, or by increasing the number of authenticated or
  agent scans. For more information, see Configure Plugins in Tenable Vulnerability
  Management Scans, Credentials in Tenable Vulnerability Management Scans, or Scan
  Templates.

Better overall scanning health results in a higher Assessment Maturity score.

If you improve your Assessment Maturity score, you improve the accuracy of your Tenable-provided
ACR and VPR values. Then, more accurate ACR and VPR values improve the accuracy of your AES and
CES values.

2. In the Assets table, review your Tenable-provided ACR values to evaluate the
characterizations of the assets on your network. If the ACR values do not reflect the unique
infrastructure or needs of your organization, you can override them. For more information,
see Edit an ACR Manually.

More accurate ACR values improve the accuracy of your AES and CES values.

3. On the Remediation Maturity Details page, review your Remediation Maturity grade to evaluate
your overall vulnerability remediation health.

Do any of the following, depending on what your data shows:

- Perform any actions described in the Recommended Actions widget.

- View details about your Remediation Maturity remediation responsiveness grade in the
  Remediation Responsiveness Grade widget. If necessary, improve your remediation
  responsiveness grade by quickly remediating your most critical (highest VPR)
  vulnerabilities. For more information, see View Recommended Actions.

- View details about your Remediation Maturity remediation coverage grade in the
  Remediation Coverage Grade widget. If necessary, improve your remediation coverage
  grade by increasing the number of vulnerabilities you remediate. For more information
  on the assets with the most critical vulnerabilities, see the Vulnerability Priority Rating
  (VPR) widget described in Vulnerability Management Dashboard.

Better overall remediation health results in a higher Remediation Maturity score.

Edit an ACR Manually

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required User Role: Administrator

You can customize an asset's Asset Criticality Rating (ACR) value to reflect the unique infrastructure
or needs of your organization. You can edit the ACR for a single asset independently or multiple
assets simultaneously.

Tip: Changes to an ACR value (and recalculations for your AES and CES values) take effect within 24 hours.

Tip: For information about how Tenable Vulnerability Management prioritizes manually overridden ACR
values, see Asset Criticality Rating (ACR).

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

To edit the ACR for a single asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. Do one of the following:

Location: Asset Details page

  a. In the left navigation plane, in the Asset View section, click Assets.

     The Assets page appears.

  b. Click an asset row.

     The Asset Details page appears.

  c. In the Asset Criticality Rating section, click the button.

     The Tenable Lumin Edit Asset Criticality Rating plane appears.

Location: Assets page

  a. In the left navigation plane, in the Asset View section, click Assets.

     The Assets page appears.

  b. In the assets table, roll over the asset you want to edit.

  c. Click the button.

  d. Click the Edit ACR button.

     The Edit Asset Criticality Rating plane appears.

3. Do one of the following:

- To modify the ACR value, click or drag the Asset Criticality Rating slider to increase or
  decrease the ACR.

- To reset an existing ACR value to the Tenable-provided ACR value, click Reset to
  Tenable ACR.

4. (Optional) If you want to include a justification for your ACR change, in the Overwrite
Reasoning section, select one or more reasons.

For example, if an asset in your development lab environment received a Tenable-assigned
ACR appropriate for a more public asset, you could select Dev Only as the overwrite
reasoning.

5. (Optional) If you want to include a note about your ACR change, in the Notes section, type a
note.

6. Click Save.

Tenable Vulnerability Management saves the custom ACR.

To edit the ACR for multiple assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Cyber Exposure Score by Business Context/Tag widget, click the tag for which you
want to view asset details.

The Tenable Lumin Business Context/Tag Asset Details page appears, filtered by the tag you
selected.

4. Access the Assets page through the Asset Criticality Rating Breakdown widget, the Asset
Scan Distribution widget, or the Asset Scan Frequency widget, as described in View Business
Context/Tag Asset Details.

The Assets page appears, filtered by your widget selection.

5. In the table, select the check boxes next to the assets that you want to edit.

The action bar appears at the bottom of the page.

6. In the action bar, click the button.

The Tenable Lumin Edit Asset Criticality Rating plane appears.

7. Click and drag the Asset Criticality Rating slider to set the ACR.

8. (Optional) If you want to include a justification for your ACR change, in the Overwrite
Reasoning section, select one or more reasons.

9. (Optional) If you want to include a note about your ACR change, in the Notes section, type a
note.

10. Click Save.

Tenable Vulnerability Management saves the custom ACR for all selected assets.

Tenable Lumin Data Timing


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Run scans to generate vulnerability data for use in Tenable Lumin views.

- Time to Show Tenable Vulnerability Management Scan Result Data

- Time to Synchronize Data from Tenable Security Center

- Time to Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade

Time to Show Tenable Vulnerability Management Scan Result Data


Vulnerability data generated by Tenable Vulnerability Management scans appears in Tenable Lumin
views immediately upon scan completion.

Newly generated data does not immediately impact your Tenable Lumin metrics (for example, your
CES). Tenable requires more time to recalculate your metrics. For more information, see Time to
Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade.

Time to Synchronize Data from Tenable Security Center

Vulnerability and asset data synchronize differently to Tenable Vulnerability Management.

Data: Vulnerability data
Synchronization Method:
  - Manual initial synchronization.
  - Automatic subsequent synchronizations when new scan result data imports to your
    synchronized repositories.
Timing: After you initiate a synchronization, Tenable Security Center immediately begins
transferring data to Tenable Vulnerability Management. After 10-15 minutes, data begins
appearing in Tenable Vulnerability Management.

  Newly transferred data does not immediately impact your Tenable Lumin metrics (for example,
  your CES). Tenable requires up to 48 hours to recalculate your metrics.

Data: Asset data (tags in Tenable Vulnerability Management)
Synchronization Method: Manual (on-demand) synchronizations only.
Timing: All data and recalculated Tenable Lumin metrics appear in Tenable Vulnerability
Management within 48 hours.

For more information about Tenable Security Center synchronization, see Tenable One
Synchronization in the Tenable Security Center User Guide.

Time to Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade

Tenable Lumin can take up to 24 hours to calculate or recalculate your metrics after any of the
following events:

- You run your first Tenable Vulnerability Management-configured scans after licensing Tenable
  Lumin.

- You initiate your first Tenable Security Center synchronization after licensing Tenable Lumin.

- Tenable Vulnerability Management runs a scan.

- Tenable Security Center runs a scan that imports new data to a synchronized repository.

Tip: Tenable Vulnerability Management calculates Tenable Lumin metrics based on your licensed assets seen
in the last 90 days. If you change your scanning configuration (for example, you perform a recommended
action to increase your Assessment Maturity grade), your changes influence the next scheduled
recalculation, but significant changes to your metrics take shape gradually over the following 90 days.

View the Tenable Lumin Dashboard


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Tenable-provided Tenable Lumin dashboard visualizes exposure data for your organization. You
cannot customize the widgets on this Tenable-provided dashboard.

Important! Tenable One customers can access Tenable Lumin directly from the Workspace page.

To view summary data in the Tenable Lumin dashboard:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

Export the Tenable Lumin Dashboard Landing Page

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export the Tenable Lumin dashboard landing page.

To export the Tenable Lumin dashboard landing page:

1. View the Tenable Lumin dashboard.

2. In the upper-right corner, click Export.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   - Click PDF to export the dashboard in PDF format.

   - Click PNG to export the dashboard in PNG format.

   - Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Export a Widget from the Tenable Lumin Dashboard

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export individual widgets from the Tenable Lumin
dashboard.

Note: You cannot export the Cyber Exposure Score by Business Context widget.

To export a widget from the Tenable Lumin dashboard:

1. View the Tenable Lumin dashboard.

2. In the header of the widget you want to export, click the button.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   - Click PDF to export the widget in PDF format.

   - Click PNG to export the widget in PNG format.

   - Click JPG to export the widget in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Update the Tenable Lumin Industry Benchmark

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Larger organizations may have business units that span multiple industries, or that don't fit neatly
into one industry categorization. By selecting the most applicable industry benchmark in Tenable
Lumin, users can maximize the relevancy of their data and more accurately track how their Tenable
Lumin metrics compare with others across similar industries.

To update the Tenable Lumin industry benchmark:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the upper-right corner, click Configure.

The Configure plane appears.

4. In the Benchmark section, from the Industry drop-down, select the industry benchmark you
want to use across the Tenable Lumin dashboard.

5. Click Save.

An Industry Updated confirmation message appears, and Tenable Vulnerability Management
applies the new industry across the Tenable Lumin dashboard.

(Optional) To reset the Tenable Lumin industry benchmark:

1. On the Configure Industry plane, click Reset to Default.

A confirmation message appears.

2. Click Confirm.

An Industry Updated confirmation message appears, and Tenable Vulnerability Management
resets the industry back to the industry selected upon account creation.

Tenable Lumin Dashboard Widgets

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Tenable Lumin dashboard consists of the following widgets:

- Cyber Exposure Score

- Cyber Exposure Score Trend

- Actions to Reduce CES

- Assessment Maturity

- Remediation Maturity

- Cyber Exposure Alerts

- Mitigations

- Cyber Exposure Score by Business Context/Tag

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Cyber Exposure Score


How does your overall risk compare to other Tenable customers in your Salesforce industry and the
larger population?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the CES for your entire organization compared to Tenable customers in
your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

- View a visual representation of your CES compared to the average CES for Tenable customers
  in your Salesforce industry and the larger population.

- View a summary statement about whether your CES recently increased or decreased.

- To view details about your CES, click your CES value.

  The Tenable Lumin Cyber Exposure Score details panel appears. For more information, see
  CES Details.

- Export the dashboard widget.

Cyber Exposure Score Trend


How has the overall risk for your entire organization changed over time?

Time Frame: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets for your entire organization

This widget graphs the increases and decreases to your CES and to the average CES for Tenable
customers in your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

- To view details about an industry or population CES value on a specific date, hover over a
  point on the graph.

  The hover text provides historical data about the CES.

- To view details about your CES value on a specific date, click a point on the You line.

  The Tenable Lumin Cyber Exposure Score details plane appears. For more information, see
  CES Details.

- To show or hide data for your organization, the industry, or the population, click the boxes in
  the graph legend.

  The system updates the widget to show or hide the data you selected.

- Export the dashboard widget.

Actions to Reduce CES


What would the impact be if you addressed all of your top 20 recommended actions?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the impact of your top 20 recommended actions.

In this widget, you can perform the following actions:

- View the expected CES reduction if you address all top 20 recommended actions.

- View the number of vulnerability instances you would eliminate if you addressed all top 20
  recommended actions.

  Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified
  uniquely by plugin ID, port, and protocol.

- View the number of assets affected by your top 20 recommended actions.

- To view details about your top 20 recommended actions, click See Top Recommended
  Actions.

  The Tenable Lumin Recommended Actions page appears. For more information, see View
  Recommended Actions.

- Export the dashboard widget.

Assessment Maturity

How frequently and thoroughly are you scanning your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the Assessment Maturity grade for your entire organization compared to
Tenable customers in your Salesforce industry and the larger population.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

In this widget, you can perform the following actions:

- View your Assessment Maturity grade compared to the average Assessment Maturity grade
  for Tenable customers in your Salesforce industry and the larger population.

- View a summary statement about whether your Assessment Maturity grade recently increased
  or decreased.

- To view historical details about your Assessment Maturity grade, hover over a point on the
  graph.

  The hover text provides historical data about the Assessment Maturity grade.

- To view more details about your Assessment Maturity grade, click More Details.

  The Tenable Lumin Assessment Maturity page appears. For more information, see View
  Assessment Maturity Details.

- Export the dashboard widget.

Remediation Maturity

How quickly and thoroughly are you remediating vulnerabilities on your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

This widget summarizes the Remediation Maturity grade for your entire organization compared to
Tenable customers in your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

- View your Remediation Maturity grade compared to the average Remediation Maturity grade
  for Tenable customers in your Salesforce industry and the larger population.

- View a summary statement about whether your Remediation Maturity grade recently
  increased or decreased.

- To view historical details about your Remediation Maturity grade, hover over a point on the
  graph.

  The hover text provides historical data about the Remediation Maturity grade.

- To view more details about your Remediation Maturity grade, click More Details.

  The Tenable Lumin Remediation Maturity page appears. For more information, see View
  Remediation Maturity Details.

- Export the dashboard widget.

Cyber Exposure Alerts


What Tenable Research cyber security alerts should you be aware of?

Time Frame: 6 most recent alerts
Assets: Licensed assets for your entire organization

This widget shows the 6 most recent cyber security alerts provided by the Tenable research team.
Tenable Lumin provides further details about how many assets are potentially impacted and a link
to the Tenable blog post for the alert, where you can view further information and any required
responses.

Note: To maintain an accurate CVE count, Tenable Lumin does not include entries from Patch Tuesdays,
Oracle CPU, etc. as alerts within the Cyber Exposure Alerts widget.

To reduce noise within the Cyber Exposure Alerts widget, Tenable Lumin does not target specific
CVEs (i.e., from Patch Tuesday/Oracle CPU).

In this widget, you can perform the following actions:

- View cyber exposure alerts with one of the following severities:

  - Information (Low) — The alert contains information that may be of interest, but does not
    require an immediate response.
  - Advisory (Medium) — The alert contains warning information and may require a
    response.
  - Response (Critical) — The alert requires an immediate response.

- To view the severity of the alert, a brief description, and the date on which the alert was
  published, roll over one of the alerts in the widget.

- To view the percentage of your assets affected by the alert (assets where one of the CVEs
  associated with the alert is present as a vulnerability on the asset), roll over one of the rows in
  the Assets Affected column.

  If an alert has a CVE but no assets are affected, or you have not yet scanned your assets for
  the vulnerability, then the Assets Affected column shows a value of 0%. If no CVE is currently
  assigned to the alert, then the Assets Affected column shows a value of Pending. Once
  Tenable Vulnerability Management calculates the CVE for the alert, Tenable Lumin updates
  the column with the appropriate value.

- To view your vulnerabilities by asset automatically filtered by the CVE associated with the
  alert, click one of the percentages in the widget.

- To view the Tenable blog post about the exposure alert, click one of the alerts in the widget.

- To view the Trending Threats page for an alert, click one of the alerts in the widget.

- Export the dashboard widget.

Mitigations

How are endpoint protection agents distributed on your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the distribution of endpoint protection agents on your assets.

If you run an authenticated scan based on the Basic Network Scan template or Advanced Network
Scan template or an agent scan based on the Basic Agent Scan or Advanced Agent Scan template,
Tenable automatically enables the plugins required to detect mitigations present on your assets.
Tenable Lumin defines mitigations as endpoint protection agents, which include antivirus software,
Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

In this widget, you can perform the following actions:

- To view a list of assets in a Mitigations category, click one of the percentages in the widget.

  The Assets page appears, filtered by licensed assets, the mitigations category you selected,
  and the past 90 days. For more information, see View Assets.

  Note: When accessing the Assets page from the Mitigations widget, you may see an asset count
  notification at the top of the page. This notification indicates the number of assets you have
  permission to view based on the access group to which you belong.

- To view details about the endpoint protection agents detected on your assets, click More
  Details.

  The Tenable Lumin Mitigations page appears. For more information, see View Mitigations
  Details in Tenable Lumin.

- Export the dashboard widget.

Cyber Exposure Score by Business Context/Tag


How do assets with different tags (unique business context) compare?

Time Frame: Past 90 days
Assets: All licensed assets to which the selected tags apply

This widget summarizes data about the CES calculated for your entire organization and for assets
with specific business context tags.

In this widget, you can perform the following actions:

- View data for the assets with each tag.

  - CES — The average CES for assets with the tag. A value of N/A indicates Tenable is
    calculating your CES.

  - CES Trend — A visual representation of your CES change over the past 180 days. A value
    of N/A indicates Tenable is processing your CES data or that there are 0 assets with
    this tag.

  - 14 Day Trend — A summary of how the CES increased ( ) or decreased ( ) in the past 14
    days. A value of N/A indicates Tenable is processing your CES data or that there are 0
    assets with this tag.

  - Assessment Maturity — The Assessment Maturity grade for assets with the tag. A value
    of N/A indicates there are 0 licensed assets with the tag.

    To view details about your Assessment Maturity grade for assets with a specific tag, in
    the Assessment Maturity column, click the grade.

    The Tenable Lumin Assessment Maturity page appears, filtered by the tag you selected.

  - Remediation Maturity — The Remediation Maturity grade for assets with the tag.

    To view details about your Remediation Maturity grade for assets with a specific tag, in
    the Remediation Maturity column, click the grade.

    The Tenable Lumin Remediation Maturity page appears, filtered by the tag you selected.
    For more information, see View Remediation Maturity Details.

  - Licensed Assets — The number of licensed assets with the tag.

  - # Assets with High AES — The number of assets with the tag and a high AES.

  - Reduce Tag CES — Your expected tag-level CES reduction if you resolve all the solutions
    for assets with this specific tag. A value of N/A indicates your expected reduction is 5
    or fewer. Typically, you cannot significantly reduce your CES if many assets were
    scanned without authentication or if your assets are healthy and your risk is already low.

    To view the recommended actions for assets with a specific tag, in the Reduce Tag CES
    column, click See Actions.

    The Tenable Lumin Recommended Actions page appears, filtered by licensed assets
    and the tag you selected.

- To view details about the assets with a specific tag, click a row of the table.

  The Tenable Lumin Business Context/Tag Asset Details page appears. For more information,
  see View Business Context/Tag Asset Details.

- To modify the tags that appear in the widget:

  1. Click the button.

  2. Click the Configure button.

     The widget editor plane appears.

  3. Do one of the following:

     - To reorder the tags in the widget:

       a. Click and hold the button next to the tag you want to move.

       b. Drag the tag to the new location.

       c. Release the mouse button to drop the tag in the new location.

     - To delete a tag from the widget, click the button.

     - To add a tag to the widget, click the Add Tag button and specify the tag you
       want to add.

       This widget can show data for up to 25 tags.

  4. Click Save.

     Tenable Vulnerability Management refreshes the widget.

- To sort the table, see Tenable Vulnerability Management Tables.

View the CES Details Panel

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Use this page to browse CES details for your organization, or for assets with a specific business
context tag.

To view CES details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. Do one of the following:

   - To view CES details for your entire organization:

     a. Do one of the following:

        - To view current CES details, in the Cyber Exposure Score widget, click the
          CES value.

        - To view historical CES details, in the Cyber Exposure Score Trend widget,
          click a past point on the graph.

   - To view CES details for assets with a specific business context tag:

     a. In the Cyber Exposure Score by Business Context/Tag widget, click the tag for
        which you want to view asset details.

        The Tenable Lumin Business Context/Tag Asset Details page appears, filtered by
        the tag you selected.

     b. In the Cyber Exposure Score Trend widget, click a CES value.

   The Tenable Lumin Cyber Exposure Score details plane appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

Section: Score
Timeframe: Past 90 days
Assets: Licensed assets
Action:
  • View the CES for your entire organization and the average CES for other Tenable customers in your Salesforce industry and the larger population.
  • View the amount by which the score for your entire organization increased or decreased in the past 14 days.

Section: Change Factors for the Past 14 Days
Timeframe: Past 14 days
Assets: Licensed assets
Action:
  • View the major events that contributed to your score change. Tenable Vulnerability Management groups the factors by the change type:
      o CES Algorithm — Any changes related to the CES Algorithm Update. For more information, see the Lumin FAQ.
        Note: This section only appears if the algorithm update affected your CES score.
      o Asset Composition Change — Asset license changes, asset depth changes, etc.
      o Vulnerability Composition Change — Remediation of vulnerabilities, the discovery of new vulnerabilities, etc.
      o Asset Exposure and ACR Change — Any changes to your AES or ACR.
  • To view specific details about what changed, under any change factor group, click More Details. Tenable Lumin shows the amount by which specific drivers increased or decreased in the past 14 days.

Section: Assets (#) (Visible only when viewing current CES details)
Timeframe: All time
Assets: Licensed and unlicensed assets
Action:
  • View the total number of assets.
  • For each ACR category, view the following information:
      o The percentage of assets with critical, high, medium, and low ACR values.
        Tip: The percentages do not total to 100% if any of your assets are unscored.
      o The total number of assets with critical, high, medium, and low ACR values.
      o If the number of assets with critical, high, medium, and low ACR values has increased or decreased in the past 14 days, the amount by which the percentage of assets and the total number of assets increased or decreased during that time.
  • To view a list of assets in an ACR category, click a percentage. The Assets page appears, filtered by licensed assets and the ACR category you selected. For more information, see View Assets.

Section: Vulnerabilities (#) (Visible only when viewing current CES details)
Timeframe: All time
Assets: Licensed and unlicensed assets
Action:
  • View the total number of vulnerabilities present on the assets.
  • For each VPR category, view the following information:
      o The percentage of vulnerabilities with critical, high, medium, and low VPR values.
        Tip: The percentages do not total to 100% if any of your assets are unscored.
      o The total number of vulnerabilities with critical, high, medium, and low VPR values.
      o If the number of vulnerabilities with critical, high, medium, and low VPR values increased or decreased in the past 14 days, the amount by which the percentage of vulnerabilities and the total number of vulnerabilities increased or decreased during that time.
  • To view a list of vulnerabilities in a VPR category, click a percentage. The Vulnerabilities page appears, filtered by licensed assets and the VPR category you selected. For more information, see View Vulnerabilities by Plugin.

View Assessment Maturity Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable calculates a dynamic Assessment Maturity grade that represents your overall scanning
depth and frequency. For more information, see Assessment Maturity.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

To view Assessment Maturity details for all assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Assessment Maturity.

The Assessment Maturity page appears and, by default, shows details for your entire
organization.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget: Summary
Timeframe: Past 90 days
Assets: Licensed assets
Action: This section summarizes your Assessment Maturity grade, compared to Tenable customers in your Salesforce industry and the larger population.
  • View a visual representation of your Assessment Maturity compared to the average Assessment Maturity for Tenable customers in your Salesforce industry and the larger population.
  • To view a list of your licensed assets impacting your Assessment Maturity, click <count> Licensed Assets. The Assets page appears, filtered by licensed assets and the past 90 days. For more information, see View Assets.
  • To view a list of your unlicensed assets that do not impact your Assessment Maturity, click <count> Not Licensed. The Assets page appears, filtered by unlicensed assets and the past 90 days. For more information, see View Assets.

Section or Widget: Maturity Score Trend (How is your Assessment Maturity grade changing over time?)
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets
Action: This widget graphs the increases and decreases to your Assessment Maturity grade and to the average Assessment Maturity grade for Tenable customers in your Salesforce industry and the larger population.
  • To view details about an Assessment Maturity grade on a specific date, hover over a point on the graph. The hover text provides historical data about the Assessment Maturity grade.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Recommended Actions (What general actions can you take to improve your scanning health?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget provides Tenable-recommended best practices to improve your scanning health.
  • Review your recommended best practices.
  • To take action, click the link next to the description.

Section or Widget: Depth Grade (Are you scanning your assets thoroughly enough?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Assessment Maturity depth grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
  • View a visual representation of your depth grade compared to the average depth grade for Tenable customers in your Salesforce industry and the larger population.
  • View a summary statement about whether your depth grade recently increased or decreased.

Section or Widget: Authentication Coverage (How often are you performing authenticated scans?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs your percentage of assets scanned with authentication and without authentication, compared to Tenable customers in your Salesforce industry and the larger population. You can optimize your authentication coverage by ensuring you scan with successful authentication so that all plugins run on your assets.
  • View a visual representation of your authentication coverage compared to the average depth grade for Tenable customers in your Salesforce industry and the larger population.
  • To view details, hover over a scan type cluster on the graph. The hover text provides data about the scan type.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Frequency Grade (Are you scanning your assets frequently enough?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Assessment Maturity frequency grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
  Tip: Tenable calculates your frequency grade based on how often you scan assets on your network.
  • View a visual representation of your frequency grade compared to the average frequency grade for Tenable customers in your Salesforce industry and the larger population.
  • View a summary statement about whether your frequency grade recently increased or decreased.

Section or Widget: Scan Cycle (How much time passes between your scans?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes your average scan frequency, in days, compared to Tenable customers in your Salesforce industry and the larger population. Your scan cycle is the average number of days between scans for your assets.

Section or Widget: Asset Scan Frequency (How often are you scanning your assets?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the percentage of your assets that Tenable Vulnerability Management scans daily, weekly, monthly, and quarterly, compared to Tenable customers in your Salesforce industry and the larger population.
  • To view details about a scan frequency for a specific date range, hover over a point on the graph. The hover text provides data about the scan frequency.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

View Remediation Maturity Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable calculates a dynamic Remediation Maturity grade that represents your overall vulnerability
remediation responsiveness and coverage. For more information, see Remediation Maturity.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

To view Remediation Maturity details for all assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Remediation Maturity.

The Remediation Maturity page appears.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget: Summary
Timeframe: Past 90 days
Assets: Licensed assets
Action: This section summarizes your Remediation Maturity grade, compared to Tenable customers in your Salesforce industry and the larger population.
  • View a visual representation of your Remediation Maturity compared to the average Remediation Maturity for Tenable customers in your Salesforce industry and the larger population.
  • To view a list of your licensed assets impacting your Remediation Maturity grade, click <count> Licensed Assets. The Assets page appears, filtered by licensed assets and the past 90 days. For more information, see View Assets.
  • To view a list of your unlicensed assets that do not impact your Remediation Maturity grade, click <count> Not Licensed. The Assets page appears, filtered by unlicensed assets and the past 90 days. For more information, see View Assets.

Section or Widget: Maturity Score Trend (How is your Remediation Maturity grade changing over time?)
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets
Action: This widget graphs the increases and decreases to your Remediation Maturity grade and to the average Remediation Maturity grade for Tenable customers in your Salesforce industry and the larger population.
  • To view details about a Remediation Maturity grade on a specific date, hover over a point on the graph.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Recommended Actions (What general actions can you take to improve your remediation health?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget provides Tenable-recommended best practices to improve your remediation health.
  • Review your recommended best practices.
  • To take action, click the link in the description.

Section or Widget: Remediation Responsiveness Grade (How quickly are you remediating vulnerabilities?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Remediation Maturity remediation responsiveness grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
  • View a visual representation of your remediation responsiveness grade compared to the average remediation responsiveness grade for Tenable customers in your Salesforce industry and the larger population.
  • View a summary statement about whether your remediation responsiveness grade recently increased or decreased.

Section or Widget: Average Remediation Time Since Discovery (How long does it take you to remediate a vulnerability after it is first discovered (the First Seen date)?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average time, in days, you took to remediate vulnerabilities in each VPR category after the vulnerability was first discovered, compared to Tenable customers in your Salesforce industry and the larger population.
  • To view details about the average time for a specific VPR category, hover over a point on the graph.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Average Remediation Time Since Publication (How long does it take you to remediate a vulnerability after a plugin is first made available (the Plugin Publication date)?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average time, in days, you took to remediate vulnerabilities in each VPR category after a plugin was first made available, compared to Tenable customers in your Salesforce industry and the larger population.
  • To view details about the average time for a specific VPR category, hover over a point on the graph.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Remediation Coverage Grade (How thoroughly are you remediating vulnerabilities?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Remediation Maturity remediation coverage grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
  • View a visual representation of your remediation coverage grade compared to the average remediation coverage grade for Tenable customers in your Salesforce industry and the larger population.
  • View a summary statement about whether your remediation coverage grade recently increased or decreased.

Section or Widget: Remediation Coverage (What percentage of your vulnerabilities are remediated?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the percentage of your vulnerabilities that are remediated (fixed) in each VPR category, compared to Tenable customers in your Salesforce industry and the larger population.
  • To view details about the percentage for a specific VPR category, hover over a point on the graph.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Average Vulnerabilities Per Asset (How many vulnerabilities, on average, are present on an asset?)
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average number of vulnerabilities (active, fixed, or resurfaced) in each VPR category present on your assets, compared to Tenable customers in your Salesforce industry and the larger population.
  • To view details about the count for a specific VPR category, hover over a point on the graph.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.
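The Average Remediation Time Since Discovery, Average Remediation Time Since Publication, and Remediation Coverage widgets above each describe one per-VPR-category metric. The following is an added worked example, not Tenable's code: it computes all three from constructed finding records, and assumes that a fixed date marks remediation and that the two averages count only fixed findings.

```python
"""Worked computation of the Remediation Maturity widget metrics.

Added example, not Tenable code. The VPR categories and the First Seen and Plugin
Publication dates come from the widget descriptions; the record layout, the use of a
'fixed' date to mark remediation, and averaging over fixed findings only are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    vpr_category: str          # Critical, High, Medium or Low
    plugin_published: date     # Plugin Publication date
    first_seen: date           # First Seen date on the asset
    fixed: Optional[date]      # remediation date; None while still active or resurfaced


# Constructed sample findings (not real scan data).
FINDINGS = [
    Finding("Critical", date(2024, 3, 1), date(2024, 3, 10), date(2024, 3, 15)),
    Finding("Critical", date(2024, 2, 1), date(2024, 3, 20), date(2024, 4, 9)),
    Finding("Critical", date(2024, 4, 1), date(2024, 4, 5), None),
    Finding("High", date(2024, 1, 15), date(2024, 3, 1), date(2024, 4, 30)),
    Finding("High", date(2024, 3, 1), date(2024, 3, 2), None),
    Finding("Medium", date(2023, 12, 1), date(2024, 3, 1), date(2024, 5, 30)),
    Finding("Low", date(2024, 1, 1), date(2024, 2, 1), None),
]


def remediation_metrics(findings):
    """Per VPR category: coverage (% of findings fixed), average days from First Seen
    to fix, and average days from Plugin Publication to fix.

    Unfixed findings lower coverage but do not enter either average, so a category
    with no fixed findings reports None for both averages rather than a misleading 0.
    """
    by_category = defaultdict(list)
    for finding in findings:
        by_category[finding.vpr_category].append(finding)

    result = {}
    for category, items in by_category.items():
        fixed = [f for f in items if f.fixed is not None]
        since_discovery = [(f.fixed - f.first_seen).days for f in fixed]
        since_publication = [(f.fixed - f.plugin_published).days for f in fixed]
        result[category] = {
            "coverage_pct": round(100.0 * len(fixed) / len(items), 1),
            "avg_days_since_discovery":
                round(sum(since_discovery) / len(fixed), 1) if fixed else None,
            "avg_days_since_publication":
                round(sum(since_publication) / len(fixed), 1) if fixed else None,
        }
    return result


if __name__ == "__main__":
    for category, metrics in remediation_metrics(FINDINGS).items():
        print(category, metrics)
```

The gap between the two averages for the same category shows how long plugins were available before the finding was even detected, which is the scanning-latency component the Assessment Maturity page measures separately.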

View Business Context/Tag Asset Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use this page to view details about assets with a specific business context tag.

Before you begin:

• Add tags to assets, as described in Add a Tag to an Asset.

To view business context tag asset details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Business Context.

The Business Context/Tag Asset Details page appears.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget: Tag summary
Timeframe: All time
Assets: Licensed and unlicensed assets with the tag applied
Action:
  • View the name of the tag.
  • View the CES calculated for assets with the tag.

Section or Widget: Cyber Exposure Score Trend (How has the overall risk for this business context changed over time?)
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets with the tag applied
Action: This widget graphs the increases and decreases to your tag-specific CES compared to the average organization-wide CES for Tenable customers in your Salesforce industry and the larger population.
  Note: Newly added tags may take up to 14 days before displaying CES trending information.
  • To view details about an organization-wide industry or population CES value on a specific date, hover over a point on the graph. The hover text provides historical data about the CES.
  • To view details about your tag-specific CES value on a specific date, click a point on the You line. The Tenable Lumin Cyber Exposure Score details plane appears. For more information, see CES Details.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.

Section or Widget: Asset Distribution by Asset Exposure Score (AES) (How exposed are my assets?)
Timeframe: Past 90 days
Assets: Licensed assets with the tag applied and shared with your user account via access groups
Action: This widget summarizes the number of vulnerabilities in each AES category.
  • To view the recommended solutions for an AES category, click one of the <Category> AES Solutions links. The Solutions page appears, filtered by the tag, licensed assets, and the AES category you selected. For more information, see View Solutions.
  • To view the recommended solutions for all assets, click the All Solutions link. The Solutions page appears, filtered by the tag and licensed assets. For more information, see View Solutions.

Section or Widget: Asset Criticality Rating Breakdown (How critical are my assets?)
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget visualizes the percentage of your assets in each ACR category.
  • View the total number of scanned assets on your network.
  • View the percentage of assets in each category: Critical, High, Medium, Low, and Unclassified.
  • To view a list of assets, click a category on the graph. The Assets page appears, filtered by the tag, licensed assets seen in the past 90 days, and the ACR category you selected. For more information, see View Assets.

Section or Widget: Asset Scan Distribution (What percentage of your assets are scanned with different methods?)
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget summarizes your asset scan distribution during the past 90 days. Authenticated Scans are run by a non-agent scanner with credentialed scanning configured. Agent Scans are run by agent scanners. All other scans are Unauthenticated Scans.
  • View the total number of assets scanned on your network in the past 90 days.
  • View the percentage of assets where the system performed authenticated, unauthenticated, or agent scans in the past 90 days.
  • View the percentage of assets the system has not scanned in the past 90 days.
  • To filter the data displayed in the widget, roll over the widget and click the button. Click the desired filter. Tenable Vulnerability Management refreshes the widget.
  • To view the assets list, click a scan category. The Assets page appears, filtered by the tag, licensed assets seen in the past 90 days, the scan type you selected, and the ACR category filter applied to the widget. For more information, see View Assets.

Section or Widget: Asset Scan Frequency (How often are you scanning your assets?)
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget visualizes the percentage of assets scanned on your network during periods in the past 90 days, compared to others in your Salesforce industry and the population.
  • View the percentage of assets scanned on your network at Daily, Weekly, Monthly, or Quarterly intervals.
  • To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend. The system updates the widget to show or hide the data you selected.
  • To filter the data displayed in the widget, roll over the widget and click the button. Click the desired filter. Tenable Vulnerability Management refreshes the widget.
  • To view the assets list, click a bar on the graph. The Assets page appears, filtered by the tag, licensed assets, the time period you selected, and the ACR category filter applied to the widget. For more information, see View Assets.

View Mitigations Details in Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

If you run an authenticated scan based on the Basic Network Scan template or Advanced Network
Scan template or an agent scan based on the Basic Agent Scan or Advanced Agent Scan template,
Tenable automatically enables the plugins required to detect mitigations present on your assets.
Tenable Lumin defines mitigations as endpoint protection agents, which include antivirus software,
Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

Then, you can use Tenable Lumin Mitigations data to assess whether your assets are covered
properly with the endpoint protection agent software.

You must enable certain plugins in your authenticated and agent scans to detect endpoint
protection agents on your assets. For more information, see Plugins for Mitigation Detection.

Before you begin:


• Enable the required plugins in your scans.

• Run your scans before checking the Mitigations page.

To view a list of endpoint protection agents on your assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Mitigations widget, click More Details.

The Tenable Lumin Mitigations page appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section: Exports button
Action: Download previously generated export files.

Section: Date range selector
Action: Change the date range for the mitigations table. For more information, see Tenable Vulnerability Management Tables.

Section: Filters box
Action: Filter the data displayed in the mitigations table.

Section: Search box
Action: Search the mitigations table by product name. For more information, see Tenable Vulnerability Management Tables.

Section: Mitigations table
Action: In this table, you can:
  • View information about each endpoint protection agent.
      o Product Name — The name of the endpoint protection agent.
      o Vendor Name — The name of the vendor that maintains the endpoint protection agent.
      o All Assets — The total number of assets with the endpoint protection agent present.
      o Critical Assets — The total number of Critical ACR assets with the endpoint protection agent present.
      o High Assets — The total number of High ACR assets with the endpoint protection agent present.
      o Version — The version of the endpoint protection agent.
      o Last Detected — The date that a scan last detected the endpoint protection agent on an asset.
  • Sort, increase or decrease the number of rows per page, or navigate to another page of the table. For more information, see Tenable Vulnerability Management Tables.
  • Export mitigations.
  • To view a list of assets with a specific endpoint protection agent present, click the asset count in the appropriate column:
      o All Assets to view all assets regardless of the asset ACR
      o Critical Assets to view Critical ACR assets
      o High Assets to view High ACR assets
    The Assets page appears, filtered by licensed assets, ACR severity, the mitigation product name, the mitigation vendor name, the mitigation version, and the past 90 days. For more information, see View Assets.

Plugins for Mitigation Detection

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To detect mitigations, you must enable the following plugins in your scan.

Tip: Tenable Vulnerability Management enables these plugins automatically in the following Tenable-
provided scan templates: Advanced Network Scan, Basic Network Scan, Advanced Agent Scan, Basic
Agent Scan.

ID Name

12107 McAfee Antivirus Detection and Status

16192 Trend Micro Antivirus Detection and Status

20283 Panda Antivirus Detection and Status

20284 Kaspersky Anti-Virus Detection and Status

21162 Spybot Search & Destroy Detection

21608 NOD32 Antivirus Detection and Status

21725 Symantec Antivirus Software Detection and Status

21726 Webroot SpySweeper Enterprise Detection

24232 BitDefender Antivirus Detection and Status

52668 F-Secure Anti-Virus Detection and Status

54845 Sophos Anti-Virus for Mac OS X Detection

54846 Sophos Anti-Virus Detection and Status (Mac OS X)

56567 Mac OS X XProtect Detection

56568 Mac OS X XProtect Installed

58580 Trend Micro ServerProtect Detection and Status (credentialed check)

67119 McAfee ePolicy Orchestrator Installed (credentialed check)

68997 Check Point ZoneAlarm Detection and Status

74038 McAfee VirusScan Enterprise for Linux Detection and Status

84432 AVG Internet Security Detection

87777 Avast Antivirus Detection and Status

87923 McAfee Application Control / Change Control Installed

87955 McAfee Agent Detection

87989 McAfee Agent Detection (Linux/MacOS)

88598 Symantec Endpoint Protection Installed (Unix Credentialed Check)

95470 McAfee Host Intrusion Prevention Installed

100131 McAfee Security Scan Plus Detection

106757 CylancePROTECT Detection

106758 CylancePROTECT Detection (Mac OS X)

112279 Windows Defender Advanced Threat Protection Installed (Windows)

124366 McAfee Endpoint Security and Module Detection

131023 Windows Defender Installed

131725 Sophos Anti-Virus Installed (Windows)

133843 VMware Carbon Black Cloud Endpoint Standard Installed (Windows)

133962 Sophos Anti-Virus Installed (Linux)

134216 VMware Carbon Black Cloud Endpoint Standard Installed (macOS)

134871 Trend Micro Apex One Server Installed (Windows)

135408 Trend Micro Deep Security Agent Installed (Linux)

135409 Trend Micro Deep Security Agent Installed (Windows)

136760 BitDefender Endpoint Security Tools Status (Windows)

136761 BitDefender Endpoint Security Tools Detection (Windows)

138209 Symantec Critical System Protection/Data Center Security Agent (Windows)

138853 F-Secure PSB Computer Protection (Windows)

139913 Check Point Endpoint Security SandBlast Agent Installed (Windows)

139918 ClamAV Installed (Linux)

140633 CrowdStrike Falcon Sensor Installed (Windows)

152356 Cybereason Endpoint Agent Installed (Windows)

Export Mitigations

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can export a list of mitigations and affected assets, if needed, to share the data with others in
your organization.

To export mitigations and affected assets:

1. View mitigation details for your organization.

2. In the mitigations table, select the check boxes next to the mitigation or mitigations that you
want to include in the export file.

The action bar appears at the top of the table.

3. In the action bar, click Export.

The Tenable Lumin mitigations Export plane appears.

4. In the Type section, click the type of export you want to perform.

   • CSV - Mitigations — A single .csv file that includes the mitigations you selected.

   • CSV - Mitigations & Assets Affected — Two .csv files that include the mitigations you selected and the assets affected where those mitigations are present.

The export begins and Tenable Vulnerability Management downloads the export as a tar.gz
package. For more information about the data in the export files, see Mitigations Export File
Contents.

What to do next:

• To download previously exported mitigation data, see View and Download Exported Mitigations.

Mitigations Export File Contents

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can export mitigations from the Mitigations page. Your export files contain the following data.

Export Field Description

mitigations_summary.csv — the Mitigations file

product_name The name of the endpoint protection agent.

vendor_name The name of the vendor that maintains the endpoint protection agent.

all_assets The total number of assets with the endpoint protection agent
present.

critical_assets The total number of Critical ACR assets with the endpoint protection
agent present.

high_assets The total number of High ACR assets with the endpoint protection
agent present.

version The version of the endpoint protection agent.

last_detected The date that a scan last detected the endpoint protection agent on an
asset.

mitigations_detail.csv — the Affected Assets file

product_name The name of the endpoint protection agent.

vendor_name The name of the vendor that maintains the endpoint protection agent.

version The version of the endpoint protection agent.

last_detected The date that a scan last detected the endpoint protection agent on an
asset.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

acr_score The asset's ACR.

acr_severity The ACR category of the ACR calculated for the asset.

aes_score The AES for the asset.

aes_severity The AES category of the AES calculated for the asset.
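Once the tar.gz package is downloaded, the two files above can be checked programmatically. The following added example (not Tenable's code) builds a constructed export with the documented columns, reads both files out of the archive, counts agent-covered assets per ACR severity, flags agents that have not been detected recently, and cross-checks the summary counts against the detail rows; the archive layout, the staleness threshold, and the sample rows are assumptions.

```python
"""Parse a Tenable Lumin mitigations export and check endpoint-protection coverage.

Added example, not Tenable code. Column names come from the Mitigations Export File
Contents table; the sample rows are constructed, and the assumptions are that both CSV
files sit in the tar.gz package and that 30 days without a detection counts as stale.
"""
import csv
import io
import tarfile
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample rows with the documented columns (not real export data).
SUMMARY_CSV = """product_name,vendor_name,all_assets,critical_assets,high_assets,version,last_detected
Falcon Sensor,CrowdStrike,3,1,1,7.10.0,2024-06-18
Windows Defender,Microsoft,2,1,0,4.18.0,2024-04-02
"""
DETAIL_CSV = """product_name,vendor_name,version,last_detected,asset_uuid,hostname,ipv4,operating_system,acr_score,acr_severity,aes_score,aes_severity
Falcon Sensor,CrowdStrike,7.10.0,2024-06-18,uuid-0001,db01,10.0.0.11,Windows Server 2019,9,Critical,720,High
Falcon Sensor,CrowdStrike,7.10.0,2024-06-17,uuid-0002,web01,10.0.0.12,Windows Server 2019,7,High,610,High
Falcon Sensor,CrowdStrike,7.10.0,2024-06-18,uuid-0003,ws17,10.0.0.45,Windows 11,4,Medium,300,Low
Windows Defender,Microsoft,4.18.0,2024-04-02,uuid-0004,fs02,10.0.0.20,Windows Server 2016,9,Critical,810,Critical
Windows Defender,Microsoft,4.18.0,2024-03-30,uuid-0005,ws22,10.0.0.50,Windows 10,2,Low,150,Low
"""
EXPORT_DATE = date(2024, 6, 20)  # constructed "today" for the staleness check
SUMMARY_NAME = "mitigations_summary.csv"
DETAIL_NAME = "mitigations_detail.csv"


def build_export_archive():
    """Pack the constructed CSVs into a tar.gz shaped like the export download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in ((SUMMARY_NAME, SUMMARY_CSV), (DETAIL_NAME, DETAIL_CSV)):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_export(archive):
    """Return (summary_rows, detail_rows) as lists of dicts from an export package."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            base = member.name.rsplit("/", 1)[-1]   # tolerate a leading directory
            if member.isfile() and base in (SUMMARY_NAME, DETAIL_NAME):
                text = tar.extractfile(member).read().decode("utf-8-sig")
                found[base] = list(csv.DictReader(io.StringIO(text)))
    return found.get(SUMMARY_NAME, []), found.get(DETAIL_NAME, [])


def coverage_by_acr(detail_rows):
    """Distinct assets with at least one endpoint protection agent, per ACR severity."""
    assets = defaultdict(set)
    for row in detail_rows:
        assets[row["acr_severity"]].add(row["asset_uuid"])
    return {severity: len(uuids) for severity, uuids in assets.items()}


def stale_detections(detail_rows, today=EXPORT_DATE, max_age_days=30):
    """Hostnames whose agent was last detected more than max_age_days before today.
    An agent that stopped reporting is what a defender wants surfaced here."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        row["hostname"] for row in detail_rows
        if datetime.strptime(row["last_detected"], "%Y-%m-%d").date() < cutoff
    )


def summary_matches_detail(summary_rows, detail_rows):
    """Recompute all_assets/critical_assets/high_assets per product from the detail
    file and return (product, column, summary_value, detail_value) for any mismatch."""
    seen = defaultdict(lambda: {"all_assets": set(), "critical_assets": set(), "high_assets": set()})
    for row in detail_rows:
        key = (row["product_name"], row["vendor_name"], row["version"])
        seen[key]["all_assets"].add(row["asset_uuid"])
        if row["acr_severity"] == "Critical":
            seen[key]["critical_assets"].add(row["asset_uuid"])
        elif row["acr_severity"] == "High":
            seen[key]["high_assets"].add(row["asset_uuid"])
    mismatches = []
    for srow in summary_rows:
        key = (srow["product_name"], srow["vendor_name"], srow["version"])
        for col in ("all_assets", "critical_assets", "high_assets"):
            if int(srow[col]) != len(seen[key][col]):
                mismatches.append((srow["product_name"], col, int(srow[col]), len(seen[key][col])))
    return mismatches


if __name__ == "__main__":
    summary, detail = read_export(build_export_archive())
    print("agent-covered assets by ACR:", coverage_by_acr(detail))
    print("stale detections:", stale_detections(detail))
    print("summary/detail mismatches:", summary_matches_detail(summary, detail))
```

To run this against a real download, replace `build_export_archive()` with the bytes of the downloaded tar.gz; the detail file only lists assets where an agent was found, so assets with no agent at all must be found by comparing against the Assets page export.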

View and Download Exported Mitigations

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

After you export mitigation or affected assets files, you can view and download them. You cannot
view or download export files generated by other users.

Before you begin:


• Export a mitigation or affected assets file.

To view and download mitigation and affected asset export files:

1. View mitigation details for your organization.

2. In the upper-right corner of the page, click Export.

The Tenable Lumin mitigations Export plane appears.

3. In the exports table, click the row for the export you want to download.

Tenable Vulnerability Management downloads the export file as a tar.gz package. For
information about the data in the export files, see Mitigations Export File Contents.

View Recommended Actions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable provides a list of top recommended actions (solutions) for assets on your network,
regardless of your access group permissions. You can identify solutions, then drill into the solution
details to understand the steps to address the vulnerability on your network.

To generate the top recommended actions, Tenable Lumin looks for the plugins that, if remediated
for all licensed assets, have the biggest effect on your CES. If plugins are related, remediating one
may affect other plugins.

Addressing vulnerabilities on your network lowers your CES and AES metrics.

To view the top recommended solutions for all assets on your network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Actions to Reduce CES widget, click See Top Recommended Actions.

The Tenable Lumin Recommended Actions page appears. The table sorts your top solutions
(up to 20) by VPR category (Critical to Low) and then by decreasing Assets Affected.

4. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Section Action

Summary bar View summary statistics about the expected impact if you address all the
solutions in the Recommended Actions table.

l Expected CES reduction if you resolve all the top solutions.

l Number of vulnerability instances eliminated by the top solutions.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

l Number of assets affected by the top solutions.

Recommended Actions table
l View information about each solution.

l Solution — A description for the solution.

l Licensed Assets — The total number of assets affected by the vulnerabilities addressed by the solution.

l CVEs — The number of individual Common Vulnerabilities and
Exposures (CVEs) addressed by the solution.

l CVE Instances — The total number of Common Vulnerabilities and Exposures (CVEs), including duplicates, addressed by the solution.

l Exploit Code Maturity — The key driver value for the highest VPR for the vulnerabilities addressed by the solution.

l VPR — The highest VPR for the vulnerabilities addressed by the solution.

l CVSS — The highest CVSSv2 score (or CVSSv3 score, when available) for the vulnerabilities addressed by the solution.

l To view details for a solution, click a solution row.

The Solution Details page appears. For more information, see View
Solution Details.

l To export solution data, see Export Recommended Actions.

Export Recommended Actions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can export a list of recommended actions (solutions) and affected assets, if needed, to share
the data with others in your organization.

To export recommended actions and affected assets:

1. Navigate to the Tenable Lumin Recommended Actions page, as described in View Recommended Actions.

The Tenable Lumin Recommended Actions page appears.

2. In the table, select the check boxes next to the recommended actions that you want to
include in the export file.

The action bar appears at the top of the table.

3. In the action bar, click Export.

The Exports plane appears.

4. In the CSV section, select the check box for the recommended action data you want to
export:

l Solutions — A .csv file that includes the recommended actions you selected. This check
box is selected by default.

l Details — A .csv file that includes the recommended actions you selected as well as
additional details about those solutions.

The export begins and Tenable Vulnerability Management downloads the export as a tar.gz
package. For information about the data in the export files, see Recommended Actions Export
File Contents.

Recommended Actions Export File Contents

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can export recommended actions (solutions) from two recommended action pages. The export
contents from each page are unique to that page.

Recommended Actions Export for a Group of Assets
If you export recommended actions and assets affected files from the Recommended Actions page
for a group of assets, your export files contain the following data.

Export Field Description

detail.csv — the Assets Affected file

solution_id The solution's UUID.

solution_title A description for the solution.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

cve_count The number of vulnerabilities on this asset addressed by the solution.

cve_instance_count The total number of vulnerability instances on this asset addressed by the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

solution.csv — the Selected Actions file

solution_id The solution's UUID.

solution_title A description for the solution.

assets_affected The total number of assets affected by the vulnerabilities addressed by the solution.

cve_count The total number of vulnerabilities addressed by the solution.

vpr The highest VPR for the vulnerabilities addressed by the solution.

cvss The highest CVSSv2 score (or CVSSv3 score, when available) for the vulnerabilities addressed by the solution.

Recommended Actions Export for All Assets

If you export recommended actions and assets affected files from the Recommended Actions page for all assets, your export files contain the following data.

Export Field Description

detail.csv — the Assets Affected file

solution_id The solution's UUID.

solution_title A description for the solution.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

acr_score The asset's ACR.

acr_severity The ACR category of the ACR calculated for the asset.

aes_score The AES for the asset.

aes_severity The AES category of the AES calculated for the asset.

vuln_count The number of vulnerabilities on this asset addressed by the solution.

vuln_instance_count The total number of vulnerability instances on this asset addressed by the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

summary.csv — the Selected Actions file

solution The solution's UUID.

summary A description for the solution.

assets_affected The total number of assets affected by the vulnerabilities addressed by the solution.

vulnerabilities The total number of vulnerabilities addressed by the solution.

exploit_code_maturity The key driver value for the highest VPR for the vulnerabilities addressed by the solution.

vpr The highest VPR for the vulnerabilities addressed by the solution.

cvss The highest CVSSv2 score (or CVSSv3 score, when available) for the
vulnerabilities addressed by the solution.
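The all-assets export above, read back and ordered the way the Recommended Actions table sorts it (VPR category, then decreasing Assets Affected), as an added example that is not Tenable's code. It assumes the downloaded tar.gz holds summary.csv and detail.csv with exactly the documented columns, joins them on the solution UUID (named solution in one file and solution_id in the other), and uses Tenable's published VPR bands (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9); the sample rows are constructed.

```python
"""Rank solutions from a Tenable Lumin Recommended Actions export (all assets).

Added example, not Tenable's code. It assumes the downloaded tar.gz holds
summary.csv and detail.csv with the columns documented above, and uses
Tenable's published VPR bands (Critical 9.0-10.0, High 7.0-8.9, Medium
4.0-6.9, Low 0.1-3.9) to reproduce the table's ordering.
"""
import csv
import io
import tarfile
from collections import defaultdict

# Column names exactly as documented for the all-assets export.
SUMMARY_FIELDS = ["solution", "summary", "assets_affected", "vulnerabilities",
                  "exploit_code_maturity", "vpr", "cvss"]
DETAIL_FIELDS = ["solution_id", "solution_title", "asset_uuid", "hostname",
                 "ipv4", "operating_system", "acr_score", "acr_severity",
                 "aes_score", "aes_severity", "vuln_count", "vuln_instance_count"]
VPR_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample data, not a real export. The solution UUID column is
# named "solution" in summary.csv but "solution_id" in detail.csv.
SAMPLE_SUMMARY = """\
solution,summary,assets_affected,vulnerabilities,exploit_code_maturity,vpr,cvss
11111111-1111-1111-1111-111111111111,Upgrade OpenSSH to the vendor-patched release,12,3,High,9.2,9.8
44444444-4444-4444-4444-444444444444,Patch the Java runtime on application servers,30,7,Functional,9.0,9.8
22222222-2222-2222-2222-222222222222,Apply the latest cumulative Windows update,40,18,Functional,7.4,8.8
33333333-3333-3333-3333-333333333333,Disable TLS 1.0 and 1.1 on the web server,5,1,Unproven,3.6,5.3
"""
SAMPLE_DETAIL = """\
solution_id,solution_title,asset_uuid,hostname,ipv4,operating_system,acr_score,acr_severity,aes_score,aes_severity,vuln_count,vuln_instance_count
11111111-1111-1111-1111-111111111111,Upgrade OpenSSH to the vendor-patched release,aaaa0001,bastion01,10.0.0.5,Ubuntu 22.04,9,Critical,850,High,3,6
11111111-1111-1111-1111-111111111111,Upgrade OpenSSH to the vendor-patched release,aaaa0002,build02,10.0.1.7,Ubuntu 20.04,5,Medium,600,Medium,2,2
22222222-2222-2222-2222-222222222222,Apply the latest cumulative Windows update,aaaa0003,dc01,10.0.0.10,Windows Server 2019,10,Critical,900,Critical,18,18
22222222-2222-2222-2222-222222222222,Apply the latest cumulative Windows update,aaaa0004,ws-finance-12,10.0.5.23,Windows 11,8,High,700,High,10,10
"""

def vpr_category(vpr):
    """Map a numeric VPR to its category using Tenable's published bands."""
    if vpr >= 9.0:
        return "Critical"
    if vpr >= 7.0:
        return "High"
    return "Medium" if vpr >= 4.0 else "Low"

def read_export_csv(text, expected_fields):
    """Parse one export CSV, refusing it if a documented column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in expected_fields if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("export is missing documented columns: %s" % missing)
    return list(reader)

def critical_acr_assets(detail_rows):
    """Count affected assets whose ACR category is Critical, per solution."""
    counts = defaultdict(int)
    for row in detail_rows:
        if row["acr_severity"] == "Critical":
            counts[row["solution_id"]] += 1
    return counts

def prioritize(summary_text, detail_text):
    """Order solutions as the Recommended Actions table does, joined with ACR data."""
    crit = critical_acr_assets(read_export_csv(detail_text, DETAIL_FIELDS))
    ranked = []
    for row in read_export_csv(summary_text, SUMMARY_FIELDS):
        vpr = float(row["vpr"])
        ranked.append({
            "solution": row["solution"],
            "summary": row["summary"],
            "vpr_category": vpr_category(vpr),
            "vpr": vpr,
            "assets_affected": int(row["assets_affected"]),
            "critical_acr_assets": crit.get(row["solution"], 0),
        })
    # VPR category (Critical to Low), then decreasing Assets Affected.
    ranked.sort(key=lambda r: (VPR_RANK[r["vpr_category"]], -r["assets_affected"]))
    return ranked

def load_export(path):
    """Read summary.csv and detail.csv out of the downloaded tar.gz package."""
    found = {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            name = member.name.rsplit("/", 1)[-1]
            if member.isfile() and name in ("summary.csv", "detail.csv"):
                found[name] = tar.extractfile(member).read().decode("utf-8-sig")
    missing = {"summary.csv", "detail.csv"} - set(found)
    if missing:
        raise FileNotFoundError("package lacks %s" % sorted(missing))
    return prioritize(found["summary.csv"], found["detail.csv"])

if __name__ == "__main__":
    for i, r in enumerate(prioritize(SAMPLE_SUMMARY, SAMPLE_DETAIL), 1):
        print(i, r["vpr_category"], r["summary"], r["assets_affected"], r["critical_acr_assets"])
```

Point load_export at a real download to rank your own export; the header check makes a per-group export (solution_id, solution_title, cve_count) fail loudly instead of being silently mis-parsed.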

Scans
You can create, configure, and manage scans in Tenable Vulnerability Management.

Section Description

Manage Scans Create, import, and launch scans. View and manage scans and scan results.

Scans (Unified Configuration) Overview Create, launch, and manage Tenable Vulnerability Management and Tenable Web App Scanning scans in the Tenable Vulnerability Management unified user interface.

Scan Templates and Settings Use a Tenable-provided scanner template, agent template, or a user-defined template to configure scan settings.

Sensors Link your sensors, such as Tenable Nessus scanners, Tenable Nessus Agents, and Tenable Nessus Network Monitors, to Tenable Vulnerability Management.

Note: For information about scanning in Tenable Web App Scanning, see the Tenable Web App Scanning
Getting Started Guide.

Note: For information about scanning in Tenable Container Security, see Tenable Container Security
Scanner Scanning Overview.

Manage Scans
To manage your Tenable Vulnerability Management and Tenable Web App Scanning scans in the
unified Scans user interface, see Scans Overview.

To manage your Tenable Web App Scanning scans in Tenable Web App Scanning, see the Tenable
Web App Scanning Getting Started Guide.

Scans Overview
The Scans page allows you to create, launch, and configure Tenable Vulnerability Management
scans and Tenable Web App Scanning scans.

Many of the Scans workflows and procedures are similar to the legacy Vulnerability Management >
Scans and Web App Scanning > Scans pages, but we have provided updated help topics that match
the new Scans user interface:

Create a Scan
In Tenable Vulnerability Management, you can create scans using scan templates. For general
information about templates and settings, see Scan Templates and Settings.

When you create a scan, Tenable Vulnerability Management assigns you owner permissions for the
scan.

Tip: To quickly target specific vulnerabilities that previous scans have identified on your assets, create a
Tenable Vulnerability Management remediation scan.

Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards,
reports, and workbenches intentionally. This is due to the scan's paranoid nature, which may lead to false
positives that Tenable Vulnerability Management would otherwise not detect. For more information, see
Tenable PCI ASV Scans.

Before you begin:

l (Optional) View Tenable Vulnerability Management scan limitations.

l If you want to create a scan from a user-defined template, create a user-defined template as
described in Create a User-Defined Template.

l Create an access group for any targets you want to use in the scan and assign Can Scan
permissions to the appropriate users.

To create a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

This also determines whether you are creating a Tenable Vulnerability Management or Tenable
Web App Scanning scan.

4. In the upper-right corner of the page, click the Create a Scan button.

The Select a Scan Template page appears.

5. Do one of the following:

l If you are creating a Tenable Vulnerability Management scan, use the following
procedure:

a. Click the Nessus Scanner, Nessus Agent, or User Defined tab to view available
templates for your scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings Configure the settings available in the scan template.

l Basic Settings — Specifies the organizational and security-related aspects of a scan template. This includes specifying the name of the scan, its targets, whether you want to schedule the scan, and who has permissions for the scan.

l Discovery Settings — Specifies how a scan performs discovery and port scanning.

l Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications.

l Report Settings — Specifies whether the scan generates a report.

l Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed scan.

Compliance/SCAP Specify the platforms you want to audit. Tenable, Inc. provides best practice audits for each platform. Additionally, you can upload a custom audit file.

Plugins Select security checks by plugin family or individual plugin.

d. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option
is not available.

Tenable Vulnerability Management saves and launches the scan.

l If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Click the Web Application or User Defined tab to view available templates for your
scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings Configure the settings available in the scan template. For more information, see Basic Settings in Tenable Web App Scanning Scans.

Scope Specify the URLs and file types that you want to include in or exclude from your scan. For more information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment Specify how a scan identifies vulnerabilities and what vulnerabilities the scan identifies. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications. For more information, see Assessment Settings in Tenable Web App Scanning Scans.

Advanced Specify advanced controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed scan.

Plugins Select security checks by plugin family or individual plugin.

d. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option
is not available.

Tenable Vulnerability Management saves and launches the scan.

View Scans

Required Scan Permissions: Can View

Tenable Vulnerability Management defines Archived as any individual scan results that are older
than 35 days. For scan results that are younger than 35 days, you can view and export the results in
Tenable Vulnerability Management. For archived scan results, you can export the results, but cannot
view them in Tenable Vulnerability Management. This limitation applies to both imported scan
results and scan results that Tenable Vulnerability Management collects directly from scanners.
After 15 months, Tenable Vulnerability Management removes the scan data entirely.

You can view configured and imported scans. If you have appropriate permissions, you can also
perform actions to manage the scans.

Before you begin:

l Create or import one or more scans.

To view scans in the Scans section:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. Do any of the following:

Section Action

Search box Search the table by scan name or status. For more information, see
Tenable Vulnerability Management Tables.

Filter Filter the table with Tenable-provided scan filters.

Create Scan button In the upper-right corner, click the Create Scan button to create a new scan.

Tools button In the upper-right corner, click the Tools button. A menu appears with the following options:

l Import Scan (Tenable Vulnerability Management scans only)

l Manage Sensors

l Manage Credentials

l Manage Exclusions

Scans table
l View summary information about each scan:

l Name — The scan name.

If you have assigned permissions for the scan to other users, the label Shared appears next to the scan name.

l Schedule — The scan schedule.

l Last Modified — (Tenable Web App Scanning scans only) The date and time the scan was last modified.

l Last Run — The date and time the scan was last run.

l Status — The status of the scan.

l Sort, increase or decrease the number of rows per page, or navigate
to another page of the table. For more information, see Tenable
Vulnerability Management Tables.

l View details for a scan.

l Launch a scan.

l Change the read status for a scan.

l Export scan results.

l Move a scan to the trash.

l Delete a scan permanently.

l Move a scan to a different folder.

View Scan Details

Required Scan Permissions: Can View

You can view scan results for scans you own and scans that were shared with you.

Consider the following when viewing scan results:

l You can view details for an individual scan based on the permissions configured for the scan.
However, when you view aggregated scan results in dashboards and other analysis views (for
example, the Vulnerabilities or Assets tables), your access is based on the access groups you
belong to.

l Tenable Vulnerability Management defines Archived as any individual scan results that are
older than 35 days. For scan results that are younger than 35 days, you can view and export
the results in Tenable Vulnerability Management. For archived scan results, you can export the
results, but cannot view them in Tenable Vulnerability Management. This limitation applies to
both imported scan results and scan results that Tenable Vulnerability Management collects
directly from scanners. After 15 months, Tenable Vulnerability Management removes the scan
data entirely.

l When you view results from the latest run of the scan, Tenable Vulnerability Management
categorizes the scan as Read. The Read status is specific to your user account only. You can also manually change the read status.

l Tenable Vulnerability Management retains scan data for 15 months. If you want to store scan
data for longer than 15 months, you can export the scan data for storage outside of Tenable
Vulnerability Management.

l You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

To view scan details for an individual scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scan table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

6. Do any of the following:

Section Action

Scan Actions menu l Launch a scan.

l Edit a scan configuration.

l Export scan results.

l Move a scan to a different folder.

l Change the read status for a scan.

l Delete a scan permanently.

l Copy a scan.

l Move a scan to the trash.

See All Details button Click the See All Details button to open the Scan
Details page and view the scan's vulnerabilities and
affected assets, target information, and scan history.
You can also use the Scan Details page to export the
scan, edit the scan configuration, move the scan to the
trash folder, and submit the scan for PCI validation.

The scan details page includes the following features and information:

Table header
l (Rollover scans only) Download a list of a rollover
scan's remaining targets.

l Export the currently visible scan results.

l Edit the scan configuration.

l Move a scan to the trash folder.

Severity summaries
The number of vulnerabilities with a Critical, High,
Medium, and Low severity in the scan results.

Scan Details section
View details about the scan run:

l Status — The status of the scan.

l Start Time — The start date and time for the scan.

l Template — The Tenable-provided template on which the scan configuration is based.

l Scanner — The scanner that performed the scan.

l Scanner Groups — The scanner group or groups to which Tenable Vulnerability Management assigned the scan. This detail appears only if scan routing is enabled for the scan.

l Targets — The targets that the scan evaluated.

Vulns by Plugin tab
View the vulnerabilities in the scan results, organized by plugin.

Note: This tab does not appear for scan results older
than 35 days.

l View information about each vulnerability:

l Severity icon — The severity of the vulnerability.

l Name — The name of the plugin that identified the vulnerability.

l Family — The family of the plugin that identified the vulnerability.

l Instances — The number of vulnerability instances.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

l To filter the data displayed in the table, see Filter a Table.

l To sort, increase or decrease the number of rows per page, or navigate to another page of the table, see Tenable Vulnerability Management Tables.

l To view details for a vulnerability, click a row of the table.

The Vulnerability Details page appears. For more information, see Vulnerability Details.

Audit tab
View compliance audit check results. This tab only
appears if the scan results include data from
compliance audit checks.

Tip: This tab does not appear for scan results older than
35 days.

On this tab, you can view:

l Tiles representing the number of audit checks identified the last time the scan completed, organized by severity level.

l A table of audits detected during the scan. Each row represents a specific audit, and includes the following information:

o Status — The status of the audit, for example Passed, Warning, or Failed.

o Name — The name of the compliance check.

o Family — The compliance check family to which the audit belongs.

o Count — The number of times the audit was identified.

l To view additional information about a specific audit check, click a row in the audits table.

The Audit Details page appears.

l Overview — Information about the audit check, including a description of the check and the audit file used for the check.

l Assets — A list of assets where the scan performed the audit check.

Summary tab
(Rule-based scans only) Shows the scan's description,
triggers, an explanation of rule-based scanning, and a
link to the vulnerabilities workbench.

Vulns by Asset tab
View the vulnerabilities in the scan results, organized by asset. By default, assets in the table are sorted by decreasing number of vulnerabilities, then by decreasing severity.

Tip: This tab does not appear for scan results older than
35 days.

l View information about each vulnerability:

l Assets — The asset identifier. Tenable Vulnerability Management assigns this identifier based on the presence of certain asset attributes in the following order:

o Agent Name (if agent-scanned)

o NetBIOS Name

o FQDN

o IPv4 address

For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name.

l Vulnerabilities — A visual summary of the vulnerabilities on the asset, organized by severity.

l Vuln Count — The total number of vulnerabilities on the asset.

l Critical — The total number of vulnerabilities on the asset with a critical severity.

l High — The total number of vulnerabilities on the asset with a high severity.

l Audits — A visual summary of the audits on the vulnerability, organized by severity.

l Audit Count — The total number of audits on the asset.

l To filter the data displayed in the table, see Filter a Table.

l To sort, increase or decrease the number of rows per page, or navigate to another page of the table, see Tenable Vulnerability Management Tables.

l To view details for an asset, click a row of the table.

The Asset Details page appears. For more information, see View Asset Details.

Warnings tab
View warnings about problems Tenable Vulnerability
Management or the scanner encountered while running
the scan. This tab only appears if Tenable Vulnerability
Management or the scanner encountered an issue
while running the scan.

Review the warnings to determine how to resolve the scan problem. For example, if an Invalid Target note is present, check the target parameters in the scan configuration.

Tip: This tab does not appear for scan results older than
35 days.

Remediations tab
View remediation details.

Note: The Remediation tab only appears if there are known remediations for the scan.

This tab contains a table listing each remediation action. On this tab, you can view:

l Vulnerabilities — The number of vulnerabilities resolved by the recommended remediation.

l Assets — The number of assets scanned.

History tab
View the scan history.

This tab contains a table listing each time the scan has run. For the scan run currently displaying in the Scan Details page, Tenable Vulnerability Management adds the label Current to the run. By default, the latest scan run is labeled Current.

Note: Scan history is unavailable for imported scans, configured scans that have not yet run, and triggered scans.

Note: For triggered scan histories, Tenable Vulnerability Management shows a scan history entry for each 12-hour window of the past 7 days. Tenable Vulnerability Management only retains up to 15 triggered scan histories at a time for each scan.

On this tab, you can:

l View summary information about each time the scan was run:

l Start Time — The start date and time for the scan.

l End Time — The end date and time for the scan.

l Duration — The duration of the scan.

l Status — The status of the scan.

l Filter the data displayed in the table.

l Sort, increase or decrease the number of rows per page, or navigate to another page of the table. For more information, see Tenable Vulnerability Management Tables.

l View details for a historical scan by clicking a row in the table.

Tenable Vulnerability Management marks the run you selected as Current and updates the Scan Details section to show data for the selected run.

If the historical scan results are younger than 35 days, Tenable Vulnerability Management also updates the tabs on the Scan Details page.

If the historical scan results are older than 35 days, the additional tabs are absent from the Scan Details page. Use export instead to obtain the results.

Activity section A history of the scan's activity.

In this section, you can view the date and time when
the scan Started, Completed, and when it was
Modified, Canceled, or manually Aborted.

Vulnerabilities by Severity/VPR Breakdown section The number of vulnerabilities with a Critical, High, Medium, and Low severity in the scan results.

Scan Duration section The amount of time elapsed between the start and end
of the scan.

Targets section The number of targets scanned.

Type section The scan type.

Template section The scan template used.

Schedule section The scan schedule.

View Scan Vulnerability Details

You can view a scan's vulnerability details by plugin or by asset (Tenable Vulnerability Management
scans only) from the Scans section.

To view a scan's vulnerability details from the Scans section:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scans table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

6. In the scan details plane, click the See All Details button.

The Scan Details page appears. The Vulns by Plugin tab shows by default.

7. If you would rather view vulnerabilities by the affected asset, click the Vulns by Asset tab.

The vulnerabilities by asset table appears.

Note: You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

8. From either the Vulns by Plugin tab or the Vulns by Asset tab, do one of the following:

l Filter the plugins table by vulnerability attributes.

l Search the plugins table.

l View the number of plugin results, next to the Search box.

l On the Vulns by Plugin tab, click a vulnerability to view its details. For more information,
see View Vulnerability Details.

l On the Vulns by Asset tab, click an asset row to view its vulnerability details. For more
information, see View Asset Details.

Scan Filters

On the Scans page, you can filter scans using Tenable-provided filters. The Tenable Vulnerability
Management scan view allows you to filter by scan status, and the Tenable Web App Scanning scan
view allows you to filter by multiple values.

Filter Description

Status The status of the scan. For more information about scan statuses, see Scan Status.

Created Date (Tenable Web App Scanning scans only) The date the scan configuration was created.

Description (Tenable Web App Scanning scans only) The description of the scan configuration.

Finalized Date (Tenable Web App Scanning scans only) The date on which the scan last completed.

Last Modified Date (Tenable Web App Scanning scans only) The date on which the scan configuration was last modified.

Last Scanned Date (Tenable Web App Scanning scans only) The date on which the scan was last run.

Name (Tenable Web App Scanning scans only) The name of the scan configuration.

Schedule (Tenable Web App Scanning scans only) Whether a scan schedule is enabled or on demand.

Target (Tenable Web App Scanning scans only) The target URL used to launch the scan.

Template (Tenable Web App Scanning scans only) The Tenable-provided scan template the scan configuration was based on.

User Template (Tenable Web App Scanning scans only) The user-defined scan template the scan configuration was based on.

Launch a Scan

In addition to configuring a scan's Schedule settings to launch the scan at scheduled times, you can
launch a scan manually. You can only launch a new scan when the previous scan has the Completed,
Aborted, or Canceled status (for more information, see Scan Status).

To launch a standard scan manually, see Launch a Scan.

Alternatively, you can launch a rollover scan to scan the remaining targets of a previous scan that
ended prematurely (for more information, see Launch a Rollover Scan). You can also launch a
remediation scan to run a follow-up scan against existing scan results (for more information, see
Launch a Remediation Scan).

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

Launch a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

Use the following steps to launch a scan manually. You can launch the scan using the targets as
configured in the scan, or you can launch the scan with custom targets that override the configured
targets.

To launch a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. In the scans table, roll over the scan you want to launch.

The action buttons appear in the row.

6. Do one of the following:

l To launch the scan using the targets as configured in the scan, click the button in the
row.

l If you have previously launched the scan and want to use custom targets that override
the configured targets:

a. In the row, click the button.

The Custom Launch Scan plane opens.

b. In the Targets box, type a comma-separated string of targets.

c. Click Launch.

Tenable Vulnerability Management launches the scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.
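Because Can Control permission lets a user replace the configured targets at launch time, a custom target string deserves a check before it is sent. The following Python example is added here and is not part of the Tenable user guide or of Tenable's own tooling: it parses a comma-separated target string in the forms the Targets box accepts (single IPs, CIDR blocks, hyphenated IP ranges, hostnames), rejects anything malformed or outside an allow-list of authorized networks and DNS suffixes, counts the hosts that would be scanned, and returns the vetted list under the alt_targets key that the Tenable Vulnerability Management REST API's scan launch request uses for custom targets. The allow-list, the 4096-host ceiling and the sample targets are assumptions made for the example.

```python
"""Vet a comma-separated custom target string before a manual scan launch."""
import ipaddress
import re

# RFC 1123 style hostname check: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_target(token):
    """Classify one target as ('ip', addr), ('net', network),
    ('range', (lo, hi)) or ('host', name); raise ValueError otherwise."""
    token = token.strip()
    if not token:
        raise ValueError("empty target")
    if "/" in token:
        return "net", ipaddress.ip_network(token, strict=False)
    if "-" in token:
        start, _, end = token.partition("-")
        try:
            lo = ipaddress.ip_address(start)
        except ValueError:
            lo = None  # not an IP range; may still be a hostname containing a hyphen
        if lo is not None:
            if lo.version == 4 and end.isdigit():
                # Short form 10.0.0.1-20 means 10.0.0.1 through 10.0.0.20.
                end = ".".join(start.split(".")[:3] + [end])
            hi = ipaddress.ip_address(end)
            if hi.version != lo.version or int(hi) < int(lo):
                raise ValueError("range end precedes start or mixes IP versions")
            return "range", (lo, hi)
    try:
        return "ip", ipaddress.ip_address(token)
    except ValueError:
        pass
    if HOSTNAME_RE.match(token):
        return "host", token
    raise ValueError("not an IP address, CIDR block, IP range or hostname")


def in_scope(kind, value, allowed_nets, allowed_domains):
    """True if the target lies entirely inside one authorized network
    (or, for hostnames, under an authorized DNS suffix)."""
    if kind == "host":
        name = value.lower()
        return any(name == d or name.endswith("." + d) for d in allowed_domains)
    for net in allowed_nets:
        if kind == "ip" and value in net:
            return True
        if kind == "net" and value.version == net.version and value.subnet_of(net):
            return True
        if kind == "range" and value[0] in net and value[1] in net:
            return True
    return False


def host_count(kind, value):
    """Number of addresses a single target expands to."""
    if kind == "net":
        return value.num_addresses
    if kind == "range":
        return int(value[1]) - int(value[0]) + 1
    return 1


def plan_custom_launch(targets_csv, allowed_nets, allowed_domains, max_hosts=4096):
    """Return {'alt_targets': [...], 'host_count': n, 'rejected': {target: reason}}.
    alt_targets is empty whenever anything was rejected or the launch is too large,
    so a caller cannot launch a partially vetted list by mistake."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    domains = [d.lower().lstrip(".") for d in allowed_domains]
    accepted, rejected, total = [], {}, 0
    for raw in targets_csv.split(","):
        token = raw.strip()
        if not token:
            continue  # tolerate trailing or doubled commas
        try:
            kind, value = parse_target(token)
        except ValueError as exc:
            rejected[token] = str(exc)
            continue
        if not in_scope(kind, value, nets, domains):
            rejected[token] = "outside authorized scope"
            continue
        accepted.append(token)
        total += host_count(kind, value)
    if total > max_hosts and not rejected:
        rejected["*"] = f"{total} hosts exceeds launch limit of {max_hosts}"
    return {
        "alt_targets": accepted if not rejected else [],
        "host_count": total,
        "rejected": rejected,
    }
```

Send the alt_targets list in the launch request only when rejected is empty; the hostname branch accepts names by DNS suffix alone because the scanner, not this check, will resolve them, so keep the suffix list tight.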

Launch a Rollover Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

When you launch a rollover scan, the scan runs only against targets and hosts that Tenable
Vulnerability Management did not scan previously. This happens when a scan ends before scanning
all the assigned targets, which can occur when:

l A user manually stops the scan

l The scan times out due to the Scan Window setting

l The scanner aborts scan tasks or does not initialize properly

In some cases, you may see Completed scans that you can perform rollover scans for. This
indicates that even though all the assigned targets were scanned, some individual scan tasks may
have failed.

Rollover scans allow you to achieve complete scan coverage for all your assets, and you can use the
rollover feature to split up large, network-impacting scans. You can launch a rollover scan from the
Scans page. Tenable Vulnerability Management marks scans that you can launch a rollover scan for
with the Rollover tag in the Name column of the scans table.

To view the remaining targets that the rollover scan will run against, see Download Rollover Targets.
If you want to restart the scan and rescan all the targets, see Launch a Scan.

Note: You cannot launch rollover Web Application scans.

To launch a rollover scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. In the scans table, roll over the scan you want to launch.

6. In the row, click the button.

A menu appears.

7. Click the Launch Rollover option.

Tenable Vulnerability Management launches the rollover scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Remediation Scan

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

You can create a remediation scan to run a follow-up scan against existing scan results. A
remediation scan evaluates a specific plugin against a specific scan target or targets where a
vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan
targets have been successful. If a remediation scan cannot identify a vulnerability on targets where
the vulnerability was previously identified, the system changes the status of the vulnerability to
Fixed.

You can perform remediation scans for scan results from certain sensors only:

Sensor Type Supported?

Tenable Vulnerability Management Cloud Sensor yes

On-premises Tenable Nessus yes

Tenable Nessus scanner for Amazon Web Services (AWS) yes

Tenable Web App Scanning no

Tenable Nessus Network Monitor no

Tenable Nessus Agent no

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

1. Set the scope for the remediation scan. The action for each scope is:

   All vulnerabilities on all affected assets
      This scope is not supported.

   All vulnerabilities on an individual asset
      a. View asset details.
      b. On the Asset Details page, click the Vulnerabilities tab.
         The Vulnerabilities tab appears.
      c. In the upper-right corner, click the Actions button.
         The actions menu appears.
      d. In the actions menu, click Launch Remediation Scan.

   All vulnerabilities on multiple assets
      This scope is not supported.

   An individual vulnerability on the top 500 affected assets
      a. View vulnerability details.
      b. Click the Assets Affected tab.
         The assets table appears.
      c. In the upper-right corner, click the Actions button.
         The actions menu appears.
      d. Click Launch Remediation Scan.

   An individual vulnerability on an individual asset
      a. View vulnerability details.
      b. Click the Assets Affected tab.
         The assets table appears.
      c. In the assets table, select the checkbox for the asset you want to select.
         The action bar appears at the bottom of the page.
      d. In the action bar, click Launch Remediation Scan.

   An individual vulnerability on multiple assets
      a. View vulnerability details.
      b. Click the Assets Affected tab.
         The assets table appears.
      c. In the assets table, select the checkbox next to each asset you want to select.
         The action bar appears at the bottom of the page.
      d. In the action bar, click Launch Remediation Scan.

   Multiple vulnerabilities on all affected assets
      This scope is not supported.

   Multiple vulnerabilities on an individual asset
      a. View asset details.
      b. On the Asset Details page, click the Vulnerabilities tab.
         The Vulnerabilities tab appears.
      c. In the vulnerabilities table, select the checkbox next to each vulnerability you want to
         select.
         The action bar appears at the bottom of the page.
      d. In the action bar, click Launch Remediation Scan.

   Multiple vulnerabilities on multiple assets
      This scope is not supported.

   An individual finding
      a. View findings details for a host vulnerability finding or web application vulnerability
         finding.
      b. On the Findings Details page, in the upper-right corner, click the Actions button.
         The actions menu appears.
      c. In the actions menu, click Launch Remediation Scan.

   The Create a Scan - Remediation Scan page appears.

Tenable Vulnerability Management automatically creates the remediation scan from the
Tenable-provided Advanced Network Scan template and populates certain settings based on
the assets and vulnerabilities you selected.

2. On the Create a Scan page:

a. Verify the settings that Tenable Vulnerability Management populated based on the
vulnerabilities and assets you selected.

b. Configure additional settings for the scan.

The number of manual changes you must make depends on the plugins involved in the
remediation scan.

The following table defines the inherited and default values for settings in the remediation
scan.

Basic settings

   Name
      Specifies an editable scan name in the format "Remediation scan of plugin # number",
      where number is the ID of the plugin that identified the vulnerability.

   Folder
      Cannot be configured. Remediation scans appear in the Remediation Scans folder only.

   Scanner
      Specifies the scanner that performs the scan. The scanner you select depends on the
      location of the targets included in the remediation scan. For example:
      l By default, this value is the cloud scanner for your geographical region (for
        example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP
        addresses. If the scan targets include non-routable IP addresses, select a linked
        scanner instead.
      l Select a scanner group if you want to:
        o Improve scan speed by balancing the scan load among multiple scanners.
        o Rebuild scanners and link new scanners in the future without having to update
          scanner designations in scan configurations.

   Network
      (Required if the scanner is set to Auto-Select) Do one of the following:
      l If your scans involve separate environments with overlapping IP ranges, select the
        network that contains the scanner groups that you configured for scan routing.
      l If your scans do not involve separate environments with overlapping IP ranges,
        retain the Default network.

   Targets
      Specifies the scan targets based on the assets you selected for the remediation scan.

   User Permissions
      Specifies default settings for the Advanced Network Scan template. By default, only
      you have access to the individual scan results for the remediation scan; the Default
      user permissions are set to No Access. If you want to share the remediation scan with
      other users, configure the user permissions.

   Schedule
      Cannot be configured. If you do not launch a remediation scan when you create it, you
      can launch the scan manually later.

   All other settings
      Specifies default settings for the Advanced Network Scan template.

Discovery settings (all)
   Specifies default settings for the Advanced Network Scan template.

   Note: The default Port Scan Range scans common ports only. If the plugins used in the
   remediation scan require specific ports, configure this setting for a range that includes
   those ports.

Assessment settings (all)
   Specifies default settings for the Advanced Network Scan template.

Report settings (all)
   Specifies default settings for the Advanced Network Scan template.

Advanced settings (all)
   Specifies default settings for the Advanced Network Scan template.

Credentials (all)
   By default, there are no credentials configured. If the plugins in the remediation scan
   require credentials, configure them in the remediation scan.

   Note: Remediation scans work best for uncredentialed network scan results. Use caution
   when running a remediation scan for a plugin that requires scan credentials. If you do not
   add the credentials a plugin requires, or if you type them incorrectly, the system may
   mark the related vulnerabilities as fixed. In that case the vulnerabilities are absent from
   the scan results only because the credentialed checks could not run, not because the
   vulnerabilities were remediated.

Compliance (all)
   By default, no compliance audits are configured. If the plugins in the remediation scan
   require compliance audit settings, configure the appropriate settings.

Plugins (limited)
   Specifies plugins limited to the following:
   l the plugins you selected for remediation scanning
   l any plugins on which the selected plugins are dependent

3. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

What to do next:
l In the Remediation Scans folder on the Scans page:
o View the scan status to determine when the scan completes.
o Edit the scan configuration.
o Change the read status of the scan results.
o Launch the scan.

l Once the scan completes:

a. On the Vulnerabilities page, search on the plugin.

b. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the
remediation scan targeted.
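The Fixed status is only meaningful if the remediation scan actually assessed the host at the same depth as the original scan; as the Credentials note above says, a credentialed check that silently fails looks exactly like a fix. The following Python example is added here and is not taken from the user guide or from Tenable: it reconciles a baseline finding list with the remediation scan's findings and marks a finding Fixed only when the host was reached and, for plugins that need credentials, when the remediation scan's Nessus Scan Information output (plugin 19506) reports "Credentialed checks : yes" for that host. The hosts, the findings and the plugin IDs 100001 and 200001 are constructed sample data, not real plugins.

```python
"""Reconcile baseline findings against a remediation scan before trusting "Fixed"."""
from dataclasses import dataclass

# Nessus Scan Information plugin; its output states whether credentialed checks ran.
SCAN_INFO_PLUGIN = 19506


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int
    port: int
    protocol: str
    plugin_output: str = ""


def credentialed_hosts(findings):
    """Hosts whose Nessus Scan Information output reports 'Credentialed checks : yes'."""
    hosts = set()
    for f in findings:
        if f.plugin_id != SCAN_INFO_PLUGIN:
            continue
        for line in f.plugin_output.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "credentialed checks" and value.strip().lower().startswith("yes"):
                hosts.add(f.host)
    return hosts


def reconcile(baseline, remediation, local_check_plugins):
    """Classify each baseline (host, plugin) as fixed, still_present or unverified.

    A finding is fixed only if the remediation scan reached the host and did not
    report the same plugin on the same port. If the host was never reached, or the
    plugin needs credentials and the scan ran uncredentialed on that host, the
    absence proves nothing and the finding stays unverified."""
    reported = {(f.host, f.plugin_id, f.port, f.protocol) for f in remediation}
    reached = {f.host for f in remediation}
    with_creds = credentialed_hosts(remediation)
    result = {"fixed": set(), "still_present": set(), "unverified": set()}
    for f in baseline:
        if f.plugin_id == SCAN_INFO_PLUGIN:
            continue  # informational, not a vulnerability
        key = (f.host, f.plugin_id)
        if (f.host, f.plugin_id, f.port, f.protocol) in reported:
            result["still_present"].add(key)
        elif f.host not in reached:
            result["unverified"].add(key)
        elif f.plugin_id in local_check_plugins and f.host not in with_creds:
            result["unverified"].add(key)
        else:
            result["fixed"].add(key)
    return result


# Constructed sample data. Plugin IDs 100001 (remote check) and 200001 (local,
# credentialed check) are placeholders, not real Tenable plugins.
LOCAL_CHECK_PLUGINS = {200001}

SAMPLE_BASELINE = [
    Finding("10.0.0.5", 100001, 443, "tcp"),
    Finding("10.0.0.5", 200001, 0, "tcp"),
    Finding("10.0.0.6", 100001, 443, "tcp"),
    Finding("10.0.0.7", 200001, 0, "tcp"),
]

SAMPLE_REMEDIATION = [
    Finding("10.0.0.5", SCAN_INFO_PLUGIN, 0, "tcp", "Credentialed checks : no\n"),
    Finding("10.0.0.6", SCAN_INFO_PLUGIN, 0, "tcp", "Credentialed checks : yes\n"),
    Finding("10.0.0.6", 100001, 443, "tcp"),
    # 10.0.0.7 was not reached at all (for example, it was down during the scan).
]

if __name__ == "__main__":
    for state, keys in reconcile(SAMPLE_BASELINE, SAMPLE_REMEDIATION, LOCAL_CHECK_PLUGINS).items():
        print(state, sorted(keys))
```

Anything in the unverified set should be re-scanned with working credentials, or with the host back online, rather than closed on the strength of the platform's Fixed status alone.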

Stop a Running Scan

Required Scan Permissions: Can Control

When you stop a scan, Tenable Vulnerability Management terminates all tasks for the scan and
categorizes the scan as canceled. The scan results associated with the scan reflect only the
completed tasks. You cannot stop individual tasks, only the scan as a whole.

To stop a running scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the scans table, roll over the scan you want to stop.

4. In the row, click the button.

A menu appears.

5. Click Stop.

A confirmation window appears.

6. In the confirmation window, click Stop.

Tenable Vulnerability Management stops the scan. The Status column updates to reflect the
status of the scan.

Pause or Resume a Scan

Required Scan Permissions: Can Control

You can pause scans that you want to stop temporarily. When you pause a scan, Tenable
Vulnerability Management pauses all active tasks for that scan and concludes the scanner's local
scan task. Paused scans do not consume scanner resources, and other scans can run while there is
a paused scan. Tenable Vulnerability Management does not dispatch new tasks from a paused scan
job. If the scan remains in a paused state for more than 14 days, the scan times out. Tenable
Vulnerability Management terminates the related tasks on the scanner and categorizes the scan as
aborted.

You can resume scans that you previously paused. When you resume a scan, Tenable Vulnerability
Management instructs the scanner to start the tasks from the point at which the scan was paused.

If Tenable Vulnerability Management encounters problems when resuming the scan, the scan fails,
and Tenable Vulnerability Management categorizes the scan as aborted.

Note: You can only pause and resume Tenable Vulnerability Management scans.

To pause or resume a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the scans table, roll over the scan.

4. Do one of the following:

l To pause the scan, click the button in the row.

l To resume the scan, click the button in the row.

A confirmation window appears.

5. In the confirmation window, click Pause or Resume as appropriate.

Tenable Vulnerability Management pauses or resumes the scan.

Change Scan Ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Scan Permissions: Owner

Before you begin:

l If the scan is based on a user-defined template, assign the new owner at least Can View
permissions for that template. Otherwise, the new owner cannot view the scan configuration.

Note: Only the scan owner can change scan ownership. If an administrator needs to change the
ownership of another user's scan, they must first work with the current owner, using that owner's
account, and then assign ownership to the appropriate user.

To change the ownership of a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

6. In the scans table, click the scan you want to edit.

The scan details appear.

7. Click the button next to the scan name.

The Edit a Scan page appears.

8. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

9. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

10. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

11. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

12. (Optional) Edit the Tenable Vulnerability Management permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

13. Click Save.

Tenable Vulnerability Management assigns ownership to the selected user and assigns your
user account the permissions you selected. If you removed all permissions for your user
account from the scan, the scan no longer appears in any of your scan folders.

Change the Scan Read Status

Required Scan Permissions: Can View

On the Scans page, a scan appears in bold in the scans table if you have not yet viewed (read) the
results of the latest run of the scan.

If you view the scan results, Tenable Vulnerability Management categorizes the scan as "read" and
removes the bold formatting from the scan in the scans table.

You can also manually change the scan read status.

To change the scan read status:

1. View your scans.

2. In the scans table, roll over the scan you want to change.

3. Click the button.

A menu appears.

4. Do one of the following:

l If you have already read the scan, click Mark Unread.

l If you have not read the scan, click Mark Read.

Tenable Vulnerability Management changes the read status for the scan.

Edit a Scan Configuration

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a scan configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

6. In the scans table, click the scan you want to edit.

The scan details appear.

7. Click the button next to the scan name.

The Edit a Scan page appears.

8. Change the scan configuration. For more information about scan configuration settings, see
Scan Settings.

9. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Configure vSphere Scanning

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can configure a scan to scan the following virtual environments:

l ESXi/vSphere that vCenter manages

l ESXi/vSphere that vCenter does not manage

l Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter


To configure an ESXi/vSphere scan that vCenter does not manage:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP address or addresses of the ESXi host or hosts.

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware ESX SOAP API.

7. In the Username box, type the username associated with the local ESXi account.

8. In the Password box, type the password associated with the local ESXi account.

9. If the ESXi host presents a certificate signed by a trusted CA (not a self-signed certificate),
disable the Do not verify SSL Certificate toggle so that the scanner validates it. Otherwise, leave
the toggle enabled. With verification disabled, the scanner sends the local ESXi credentials to
whatever answers at the target address, so prefer a CA-signed certificate where you can.

10. Click Save.

11. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Note: When scanning vCenter-managed ESXi hosts with API credentials, the Nessus Scan Information plugin
always shows Credentialed Checks: No in the scan results for the vCenter host. To verify that
authentication was successful, check that the Nessus Scan Information plugin shows Credentialed Checks:
Yes in the scan results of the ESXi hosts.

Scenario 2: Scanning vCenter-Managed ESXi/vSphere

Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API
requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle manager
account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP addresses of:

l the vCenter host

l the ESXi host or hosts

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware vCenter SOAP API.

7. In the vCenter Host box, type the IP address of the vCenter host.

8. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.

9. In the Username box, type the username associated with the vCenter account.

10. In the Password box, type the password associated with the vCenter account.

11. If the vCenter host is SSL enabled, enable the HTTPS toggle.

12. If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the
Verify SSL Certificate toggle. Otherwise, leave the toggle disabled.

13. Click Save.

14. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Scenario 3: Scanning Virtual Machines


You can scan virtual machines just like any other host on the network. Be sure to include the IP
address or addresses of your virtual machines in the Targets text box. For more information, see
Create a Scan.

Copy a Scan Configuration

Required Scan Permissions: Owner

When you copy a scan configuration, Tenable Vulnerability Management assigns you owner
permissions for the copy and assigns the copy scan permissions from the original scan.

Note: You cannot copy a scan from the Remediation Scans folder.

To copy a scan configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scans table, roll over the scan you want to copy.

6. In the row, click the button.

A menu appears.

7. Click Copy.

The Copy to Folder plane appears, which contains a list of your scan folders.

8. Click the folder where you want to save the copy.

9. Click Copy.

Tenable Vulnerability Management creates a copy of the scan with Copy of prepended to the
name and assigns you owner permissions for the copy. The copy appears in the scans table of
the folder you selected.

Export Scan Results

Required Scan Permissions: Can View

You can export both imported scan results and results that Tenable Vulnerability Management
collects directly from scanners.

Tenable Vulnerability Management retains individual scan results until the results are 15 months old.

Notes:
l Filters do not apply to Tenable Web App Scanning exports; all results are exported.
l For archived scan results (that is, results older than 45 days), Tenable Vulnerability
Management limits export types to .nessus and .csv files.
l When a scan is actively running, the Export button does not appear in the Tenable
Vulnerability Management interface. Wait until the scan completes, then export the scan
results.

To export results for an individual scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. Do one of the following:

Location Scope of Export

Scans table a. In the scans table, roll over the scan you want to export.

b. Click the button.

A menu appears.

c. Click Export.

The Export plane appears.

Note: You cannot export scan results from the Scans table if the scan has
multiple targets. For scans with multiple targets, you can export scan results
for each target from the Scan Details page.

Scan Details a. In the scans table, click the scan you want to export.

The scan details plane appears below the scan table.

b. Click the Scan Actions button.

A menu appears.

c. Click Export.

The Export plane appears.

6. Select an export format:

   Tenable Vulnerability Management Scans

   PDF - Custom
      An Adobe .pdf file. Supported for archived scan results: No.
      Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000
      individual scan results.

   PDF - Executive Summary
      An Adobe .pdf file. Supported for archived scan results: No.
      Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000
      individual scan results.

   HTML - Custom
      A web-based .html file. Supported for archived scan results: No.

   HTML - Executive Summary
      A web-based .html file. Supported for archived scan results: No.

   Nessus
      A .nessus file in XML format that contains the list of targets, scan settings defined by
      the user, and scan results. Supported for archived scan results: Yes.
      Tenable Vulnerability Management strips password credentials and does not export them as
      plain text in the XML. If you import a .nessus file as a user-defined scan template, you
      must re-apply your passwords to any credentials.
      Unlike other export formats, the .nessus file includes individual open port findings. This
      ensures that you can still view open port findings in Tenable Security Center if your
      organization integrates Tenable Vulnerability Management with Tenable Security Center.

   CSV
      A .csv text file with only scan results. Supported for archived scan results: Yes.
      Note: When exporting scan results as a .csv file, the severities always show CVSSv2 scores
      regardless of your configured severity metric. When exporting compliance scan results as
      a .csv file, the Risk column results are replaced with the following values:
      l PASSED results show as None
      l WARNING results show as Medium
      l FAILED results show as High

   Tenable Web App Scanning Scans (the archived scan results restriction does not apply)

   HTML
      A web-based .html file that contains the list of targets, scan results, and scan notes.

   PDF
      An Adobe .pdf file that contains the list of targets, scan results, and scan notes.
      Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000
      individual scan results.

   Nessus
      A .nessus file in XML format that contains the list of targets, scan settings defined by
      the user, and scan results. Tenable Vulnerability Management strips password credentials
      and does not export them as plain text in the XML.

   CSV
      A .csv text file with only scan results.

   JSON
      A .json file that contains the list of targets, scan settings defined by the user, scan
      results, and scan notes. Tenable Vulnerability Management strips password credentials and
      does not export them as plain text in the JSON file.

7. For Tenable Vulnerability Management scans, if you select the PDF - Custom or HTML -
Custom formats:

l Retain the default Data setting (Vulnerabilities selected).

l Select either Assets or Plugin from the Group By list, depending on how you want to
group the scan results in the export file.

8. Click Export.

Tenable Vulnerability Management generates the export file. Depending on your browser
settings, your browser may automatically download the export file to your computer, or may
prompt you to confirm the download before continuing.
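A .nessus export is often the file that leaves the platform for ticketing or for Tenable Security Center, so it is worth checking what it carries. The following Python example is added here and is not from the user guide or from Tenable: it parses a constructed, trimmed .nessus (NessusClientData_v2) document, confirms that every password-type preference in the embedded Policy is empty (the credential stripping described above), separates open-port findings (the Port scanners plugin family) from vulnerability findings, and applies the 45-day archived-results rule to report which export formats are still available. The sample host, the preference names and the constructed plugin 100001 are assumptions made for the example; plugin 11219 is the real Nessus SYN scanner plugin, used here to stand in for an open-port finding.

```python
"""Inspect a .nessus export: credential stripping, open ports, severity totals."""
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of a NessusClientData_v2 export (not a real scan).
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Policy>
    <policyName>Remediation scan of plugin #100001</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>TARGET</name><value>10.0.0.5</value></preference>
      </ServerPreferences>
      <PluginsPreferences>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH user name :</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>svc-scan</selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH password (unsafe!) :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue></selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
  <Report name="Remediation scan of plugin #100001">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="host-fqdn">web-01.corp.example</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="11219" pluginName="Nessus SYN scanner" pluginFamily="Port scanners">
        <plugin_output>Port 22/tcp was found to be open</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100001" pluginName="Constructed sample finding" pluginFamily="General">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

ARCHIVE_AFTER_DAYS = 45
ALL_FORMATS = ("pdf", "html", "nessus", "csv")
ARCHIVED_FORMATS = ("nessus", "csv")


def leaked_secrets(root):
    """Password-type plugin preferences that still carry a value.
    A clean export leaves these empty; anything listed here means the
    file must not be handed on as-is."""
    leaked = []
    for item in root.iter("item"):
        ptype = item.findtext("preferenceType", "")
        value = item.findtext("selectedValue", "") or ""
        if ptype == "password" and value.strip():
            leaked.append(item.findtext("preferenceName", "").strip())
    return leaked


def parse_report(root):
    """Split ReportItems into open-port findings and vulnerability findings."""
    open_ports, vulns = set(), []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip", host.get("name"))
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            proto = item.get("protocol", "tcp")
            if item.get("pluginFamily") == "Port scanners":
                open_ports.add((ip, port, proto))
                continue
            vulns.append({
                "host": ip,
                "fqdn": props.get("host-fqdn", ""),
                "plugin_id": int(item.get("pluginID")),
                "port": port,
                "protocol": proto,
                "severity": int(item.get("severity", "0")),
                "risk_factor": item.findtext("risk_factor", ""),
            })
    return open_ports, vulns


def summarize_nessus(xml_text):
    """Parse a .nessus document and return the checks a reviewer wants first."""
    root = ET.fromstring(xml_text)
    open_ports, vulns = parse_report(root)
    by_severity = {}
    for v in vulns:
        by_severity[v["severity"]] = by_severity.get(v["severity"], 0) + 1
    return {
        "policy": root.findtext("Policy/policyName", ""),
        "leaked_secrets": leaked_secrets(root),
        "open_ports": open_ports,
        "findings": vulns,
        "by_severity": by_severity,
    }


def available_export_formats(age_days):
    """Archived results (older than 45 days) can only be exported as .nessus or .csv."""
    return ARCHIVED_FORMATS if age_days > ARCHIVE_AFTER_DAYS else ALL_FORMATS
```

The leaked_secrets check matters most for .nessus files that were imported from elsewhere or edited by hand before being re-shared; the platform strips its own exports, but the file format itself has room for the value.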

Import a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can import scan results into Tenable Vulnerability Management. You cannot import results from
scans run more than 15 months ago.

Imported scans always belong to the default network. For more information, see Networks.

Note: You can only import Tenable Vulnerability Management scans.

Note: Tenable Vulnerability Management supports scan imports up to 4GB in size.

To import a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Click Import Scan.

Your file directory appears.

5. Browse to and select the scan file you want to import.

If the scan file is a .nessus or .db file, the Import plane appears.

Note: To learn more about the .nessus file format, see Nessus File Format.

If the scan file is any other file type, the Scan Import window appears.

6. Do one of the following:

l If the scan file is a .nessus or .db file:

a. In the Password box, type the password to allow Tenable Vulnerability


Management to view the scan.

b. (Optional) To show the scan results in dashboards, select the Show in Dashboard?
check box.

c. Click Import.

• If the scan file is any other file type, specify whether you want the scan results to appear in dashboards:
  - Click Yes to show the scan results in dashboards.
  - Click No to prevent the scan results from appearing in dashboards.

Note: Clicking Cancel cancels the import.

The Scans page appears, and the imported scan appears in the scans table.

Tenable Vulnerability Management begins processing the imported scan results. Once this process is complete, the imported data appears in the individual scan details and aggregated data views (such as dashboards). This process can take up to 30 minutes, depending on the size of the import file.

Tip: If the imported data does not appear in the individual scan results or aggregated data views
after a reasonable processing time, verify that you are assigned adequate permissions for the
imported targets in access groups.
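The import accepts .nessus files, and the export procedure above lets you group results either by asset or by plugin. The following Python script is an added example and is not code from this guide or from Tenable: it parses a constructed .nessus v2 document with the standard library, groups its findings both ways, and runs the two import preflight checks the guide states (the 4 GB size limit and the 15-month age limit) before you upload a file. The NessusClientData_v2 element layout and the ctime-style HOST_END timestamp are assumptions about the file format, and the sample scan data is constructed, not taken from a real scan.

```python
"""Parse a Nessus v2 (.nessus) export and summarize it by asset or by plugin.

Added example, not code from the Tenable user guide. It assumes the
NessusClientData_v2 layout (Report > ReportHost > ReportItem) and the
ctime-style HOST_END timestamp that Nessus writes into HostProperties.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MAX_IMPORT_BYTES = 4 * 1024 ** 3             # guide: imports up to 4 GB
MAX_SCAN_AGE_MONTHS = 15                     # guide: no scans run more than 15 months ago
NESSUS_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jun 18 10:20:00 2024" (assumed format)

# Constructed sample scan (two hosts, one shared finding); not real scan data.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="Constructed sample">
<ReportHost name="10.0.0.5">
<HostProperties>
<tag name="HOST_END">Tue Jun 18 10:20:00 2024</tag>
<tag name="host-ip">10.0.0.5</tag>
</HostProperties>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="100001"
            pluginName="Example: TLS 1.0 Enabled"/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100002"
            pluginName="Example: Scan Information"/>
</ReportHost>
<ReportHost name="10.0.0.9">
<HostProperties>
<tag name="HOST_END">Tue Jun 18 10:25:00 2024</tag>
</HostProperties>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="100001"
            pluginName="Example: TLS 1.0 Enabled"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem, tagged with the host it was found on."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        end = props.get("HOST_END")
        for item in host.findall("ReportItem"):
            findings.append({
                "asset": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": SEVERITY_NAMES[int(item.get("severity", "0"))],
                "port": f"{item.get('protocol')}/{item.get('port')}",
                "host_end": datetime.strptime(end, NESSUS_TIME_FORMAT) if end else None,
            })
    return findings


def group_findings(findings, by):
    """Group by 'asset' (host -> findings) or 'plugin' (plugin ID -> findings),
    mirroring the Group By choice in the export dialog."""
    if by not in ("asset", "plugin"):
        raise ValueError("by must be 'asset' or 'plugin'")
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["asset"] if by == "asset" else f["plugin_id"]].append(f)
    return dict(grouped)


def months_between(earlier, later):
    """Whole calendar months from earlier to later (day of month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def import_preflight(xml_text, file_size_bytes, now):
    """List the reasons Tenable VM would reject this file, before you upload it."""
    problems = []
    if file_size_bytes > MAX_IMPORT_BYTES:
        problems.append(f"file is {file_size_bytes} bytes; import limit is {MAX_IMPORT_BYTES}")
    ends = [f["host_end"] for f in parse_nessus(xml_text) if f["host_end"]]
    if not ends:
        problems.append("no HOST_END timestamps; cannot establish scan age")
    elif months_between(max(ends), now) > MAX_SCAN_AGE_MONTHS:
        problems.append(f"newest host finished {max(ends):%Y-%m-%d}; older than {MAX_SCAN_AGE_MONTHS} months")
    return problems


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for plugin_id, items in group_findings(found, "plugin").items():
        print(plugin_id, items[0]["plugin_name"], sorted(i["asset"] for i in items))
    print(import_preflight(SAMPLE_NESSUS, 1_000_000, datetime.now()))
```

The age check uses the newest HOST_END in the file, since that is the closest thing a .nessus export carries to "when the scan ran"; a file without host timestamps is reported as unverifiable rather than silently accepted.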

Organize Scans by Folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, the Scans page contains a Folders section that automatically
groups your configured and imported scans into default folders. To organize your scans further, you
can create custom folders.

To organize your scans by folder:

1. View scans in default folders.

Note: You cannot rename or delete the default folders.

By default, Tenable Vulnerability Management provides the following folders:

Folder Description

My Scans
  Contains scans that you have created or imported. This folder appears by default when you access the Scans page.

All Scans
  (Administrators) Contains scans created by any user.
  (All other users) Contains scans that you have created and any shared scans for which you have Can View permissions or higher.

Remediation Scans
  Contains any remediation scans you own or that another user has shared with you.

Trash
  Contains scans that you have moved to the trash. If you have Can Configure permissions for a scan in this folder, you can permanently delete the scan for all users. If you delete a custom folder that contains scans, Tenable Vulnerability Management automatically moves the folder's inactive scans to the Trash folder (scans that are Pending or Running move to My Scans instead).

2. (Optional) Manage custom folders using the following procedures:

Manage scan folders


Use the following procedures to manage your custom scan folders:

Create a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The custom scan folders you create appear only to you and cannot be shared with other users. You
are the only user who can view, rename, or delete the scan folders you create.

To create a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. Next to Folders, click the button.

The New Folder box appears at the bottom of the folder list.

4. In the New Folder box, type a name for the folder.

5. Click the button.

A Folder added successfully message appears and the new folder appears in the Folders
section.

Move a scan to a scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can View

You can move a scan from a default folder to either the My Scans default folder or a custom scan
folder. You can also move a scan from a custom folder to the My Scans default folder or a different
custom folder.

If you move a scan from the All Scans default folder, the scan appears in both the folder you select
and the All Scans folder.

If you move a scan from the My Scans default folder, the scan appears in the custom folder only.

For information about moving a scan to the trash, see Move a Scan to the Trash Folder.

Note: You cannot move scans to or from the Remediation Scans folder.

To move a scan to a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scan table, roll over the scan you want to move.

The action buttons appear in the row.

5. Do one of the following:

• Tenable Vulnerability Management scans:

a. In the row, click the button.

A menu appears.

b. In the menu, click Move.

The Move to Folder plane appears. This plane contains a list of your scan folders.

• Tenable Web App Scanning scans:

a. In the row, click the button.

The Move to Folder plane appears. This plane contains a list of your scan folders.

6. Search for a folder:

a. In the search box, type the folder name.

b. Click the button.

Tenable Vulnerability Management limits the list to folders that match your search.

7. In the folder list, click the folder where you want to move the scan.

8. Click Move.

Tenable Vulnerability Management moves the scan to the selected folder.

Rename a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can rename custom scan folders only. You cannot rename the default scan folders.

Renaming a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

To rename a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, roll over the folder you want to rename.

The action buttons appear in the row.

4. In the row, click the button.

An editable box replaces the folder name.

5. In the box, type a new name for the folder.

6. Click the button.

Tenable Vulnerability Management updates the folder name and a Folder updated
successfully message appears.

Delete a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can delete custom scan folders only. You cannot delete the default scan folders that Tenable Vulnerability Management provides (My Scans, All Scans, Remediation Scans, and Trash).

Deleting a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

If you delete a scan folder that contains inactive scans, Tenable Vulnerability Management moves
the folder's scans to the Trash folder. If you delete a scan folder that contains at least one active
(Pending or Running) scan, Tenable Vulnerability Management moves the folder's scans to the My
Scans folder.

To delete a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, roll over the folder you want to delete.

The action buttons appear in the row.

4. In the row, click the button.

A confirmation window appears.

5. Click Delete to confirm the action.

A Folder deleted successfully message appears, and Tenable Vulnerability Management deletes the folder.

Move a Scan to the Trash Folder

Required Scan Permissions: Can View

When you move a shared scan to the Trash folder, Tenable Vulnerability Management moves the
scan for your account only. The scan remains in the original folder for all other users who have Can
View permissions or higher for the scan.

Scans moved to the Trash folder also appear in the All Scans folder, marked with the label, Trash.

Note: After you move a scan to the Trash folder, the scan remains in the Trash folder until a user with Can Configure permissions permanently deletes the scan.

Note: Scheduled scans do not run while they are in the scan owner's Trash folder.
• For more information about Tenable Vulnerability Management scan schedules, see Schedule.
• For more information about Tenable Web App Scanning scan schedules, see Schedule.

Note: You cannot move scans from the Remediation Scans folder to the Trash folder. Instead, delete
remediation scans directly in the folder.

To move a scan or scans to the Trash folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click the folder that contains the scan you want to move.

The scans table lists scans in the selected folder.

5. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to move.

b. Click the button.

A menu appears.

c. Click Trash.

• Select multiple scans:
a. In the scans table, select the check box next to each scan you want to move.

The action bar appears at the top of the table.

b. In the action bar, click Trash.

Tenable Vulnerability Management moves the scan or scans you selected to the Trash
folder.

Delete a Scan

Required Scan Permissions: Can Configure

When you permanently delete a scan, you delete the scan configuration and scan results for all
users the scan is shared with.

The workflow for deleting a remediation scan differs from the workflow described in this procedure.
For more information, see the Delete a remediation scan steps at the end of this topic.

Caution: After you delete a scan, you cannot recover the scan or any scan data associated with the scan.
Delete only scans you are certain you no longer need to view or run.

Before you begin:


• Move the scan to the Trash folder.

To delete a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click the Trash folder.

The scan table updates to show the scans in the trash folder.

5. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:

a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Delete a remediation scan

Required Scan Permissions: Can Configure

When you delete a remediation scan, you delete the scan configuration and scan results for all
users the scan is shared with.

Note: Tenable Vulnerability Management deletes scan results older than 90 days.

To delete a remediation scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the Folders section, click the Remediation Scans folder.

Note: The Remediation Scans folder only shows for Tenable Vulnerability Management scans.

The scan table updates to show remediation scans that you own or that other users have
shared with you. By default, the rows are sorted by Created Date.

4. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:
a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Note: Tenable Vulnerability Management keeps up to 10,000 of the most recent remediation scan
results. Once you have more than 10,000 remediation scan results, Tenable Vulnerability
Management deletes the scan results, starting with the oldest result.

Discovery Scans vs. Assessment Scans


You can perform two types of scans using Tenable products: discovery scans and assessment
scans. Tenable recommends performing discovery scans to get an accurate picture of the assets on
your network and assessment scans to understand the vulnerabilities on your assets.

For information about how discovered and assessed assets are counted towards your license, see
Tenable Vulnerability Management Licenses.

Type Description Licensing

Discovery scans
  Find assets on your network. For example:
  • a scan configured with the Host Discovery template.
  • a scan configured to use only discovery plugins.
  • a scan configured to use Tenable Nessus Network Monitor in discovery mode.
  Licensing: Assets identified by discovery scans do not count toward your license.

Assessment scans
  Find vulnerabilities on your assets. For example, run an authenticated or unauthenticated scan using a Tenable Nessus scanner or Tenable Nessus Agent.
  Licensing: In general, assets assessed by assessment scans count toward your license.

Authenticated Scans

Configure authenticated scans, also known as credentialed scans, by adding access credentials to your assessment scan configuration.

Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results. This facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account. The more privileges the scanner has via the login account (e.g., root or administrator access), the more thorough the scan results. Because the scan acts with the full rights of that account, treat the scanning account as a privileged credential and protect it accordingly.

For more information, see Credentials in Tenable Vulnerability Management Scans.

Unauthenticated Scans

If you do not add access credentials to your assessment scan configuration, Tenable Vulnerability Management performs a limited number of checks when scanning your assets.

Identify Assets That Have Not Been Assessed


Tenable Vulnerability Management can discover, or see, assets without assessing the assets for
vulnerabilities (for example, via a host discovery scan, Tenable Nessus Network Monitor running in
discovery mode, or connectors). Assets that have been seen but not assessed do not count towards
your asset license limit. For a list of conditions that cause an asset to be assessed, see How Assets
are Counted. However, once assessed, the asset is always categorized as assessed, even if it ages
out of the license count.

This licensing exception allows you to discover assets on your network without the large number of
assets counting towards your license limit. After you discover your assets, you can then identify
which assets have not yet been assessed for vulnerabilities, and choose which of those assets you
want to scan and manage going forward.

To identify assets that have not been assessed:

1. Discover assets using any of the following methods:

• Create and launch a host discovery scan in Tenable Vulnerability Management.

• Configure Tenable Nessus Network Monitor with discovery mode enabled, linked to Tenable Vulnerability Management.

• Configure a connector.

Assets discovered by these methods do not count towards your asset license limit until they
have been assessed for vulnerabilities.

2. Filter for assets that have not been assessed.

a. In the assets table, create a filter with the following settings:

• In the Category box, select Asset Assessed.

• In the Operator box, select is equal to.

• In the Value box, select false.

b. Click Apply.

Tenable Vulnerability Management filters for assets that have not yet been assessed for vulnerabilities.

Note: Unassessed assets (where Asset Assessed is equal to false) can differ from unlicensed assets (where Is Licensed (VM) is equal to false). Once you scan an asset for vulnerabilities, Tenable Vulnerability Management categorizes the asset as assessed from that point on, but the licensing status of an asset can change over time as assets are deleted or age out of your organization's license count.

c. (Optional) Save the search for later use.

3. (Optional) Tag assets to identify assets that have not been assessed.

a. Create tags to identify assets that have not been assessed.

For example, Assets:NotYetAssessed.

b. Manually apply the tag to assets, or create tag rules that automatically filter for assets
that have not been assessed.

For example, to create a dynamic tag for assets that have not yet been assessed, set
the tag rules to filter for Asset Assessed is equal to false.

4. (Optional) Create a scan to target assets using the tag you created.
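As an added example (not from this guide or from Tenable), the following Python models the Asset Assessed and Is Licensed (VM) filters from the procedure above over a constructed asset inventory, applies a dynamic tag with the same rule, and builds the target list for a scan that uses the tag. It also shows why the two filters answer different questions: an asset can be assessed yet unlicensed once it has aged out of the license count. The attribute names, the (category, operator, value) rule evaluator, and the assumption that a dynamic tag drops off when its rule stops matching are this example's own.

```python
"""Separate 'not yet assessed' from 'not licensed' assets and tag the former.

Added example, not Tenable code. The Asset Assessed and Is Licensed (VM)
categories and the (category, operator, value) rule shape follow the guide;
the attribute names and the assumption that a dynamic tag is removed when
its rule stops matching are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ipv4: str
    assessed: bool      # Asset Assessed: has ever been scanned for vulnerabilities
    licensed: bool      # Is Licensed (VM): currently counted against the license
    tags: set = field(default_factory=set)


# Filter categories from the assets table mapped to Asset attributes (assumed names).
FIELD_FOR_CATEGORY = {"Asset Assessed": "assessed", "Is Licensed (VM)": "licensed"}

OPERATORS = {
    "is equal to": lambda actual, wanted: actual == wanted,
    "is not equal to": lambda actual, wanted: actual != wanted,
}


def matches(asset, rules):
    """True when every (category, operator, value) rule holds for the asset."""
    for category, operator, value in rules:
        actual = getattr(asset, FIELD_FOR_CATEGORY[category])
        if not OPERATORS[operator](actual, value):
            return False
    return True


def filter_assets(assets, rules):
    """IPs of the assets that satisfy all rules, sorted for stable output."""
    return sorted(a.ipv4 for a in assets if matches(a, rules))


def apply_dynamic_tag(assets, tag, rules):
    """Re-evaluate a dynamic tag: add it where the rules match, drop it elsewhere."""
    for a in assets:
        if matches(a, rules):
            a.tags.add(tag)
        else:
            a.tags.discard(tag)
    return sorted(a.ipv4 for a in assets if tag in a.tags)


def scan_targets(assets, tag):
    """Comma-separated target list for a scan configured to use the tag."""
    return ",".join(sorted(a.ipv4 for a in assets if tag in a.tags))


# Constructed inventory: 10.0.1.20 shows why the two filters disagree.
INVENTORY = [
    Asset("10.0.1.10", assessed=True, licensed=True),    # scanned and counted
    Asset("10.0.1.20", assessed=True, licensed=False),   # scanned once, since aged out of the license
    Asset("10.0.1.30", assessed=False, licensed=False),  # found by a host discovery scan only
    Asset("10.0.1.40", assessed=False, licensed=False),  # seen by a connector only
]

UNASSESSED = [("Asset Assessed", "is equal to", False)]
UNLICENSED = [("Is Licensed (VM)", "is equal to", False)]

if __name__ == "__main__":
    print("unassessed:", filter_assets(INVENTORY, UNASSESSED))
    print("unlicensed:", filter_assets(INVENTORY, UNLICENSED))
    apply_dynamic_tag(INVENTORY, "Assets:NotYetAssessed", UNASSESSED)
    print("scan targets:", scan_targets(INVENTORY, "Assets:NotYetAssessed"))
```

Once a tagged asset has been scanned, re-running the tag rule removes it from the target list, so a recurring scan aimed at the tag only ever touches assets that still lack an assessment.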

Scan Failovers

If Tenable Vulnerability Management assigns a scan job to a scanner, and the scanner goes offline
while scanning, the following happens:

1. The scan job times out if the assigned scanner does not respond to Tenable Vulnerability
Management after two hours.

2. Tenable Vulnerability Management removes the scan job from the scanner and attempts the
scan job on another scanner in the same scanner group, or on the same scanner if it comes
back online.

3. Tenable Vulnerability Management attempts steps 1 and 2 three times. If the scan job is not
completed after three attempts, Tenable Vulnerability Management aborts the scan job.

Scan Status

Tenable Vulnerability Management provides a scan status for each of your configured scans.

If the scan is in progress, Tenable Vulnerability Management shows the number of scan tasks
completed as a percentage.

For example, if you scan fewer than 120 IP addresses in a single scan, Tenable Vulnerability Management creates a single scan task and the progress percentage changes from 0% to 100% when it completes.

However, if you target more than 120 IP addresses, Tenable Vulnerability Management creates
multiple scan tasks. After each task completes, the percentage changes to reflect the number of
completed tasks. For example, a scan that targets 300 IP addresses is split into three scan tasks,
and as each task completes, the progress bar updates the percentage to reflect the completed
tasks.

Note: Pausing a scan causes Tenable Vulnerability Management to move any completed results to
processing. When you resume the scan, Tenable Vulnerability Management creates a new scan task or
tasks for incomplete results. Therefore, pausing a scan can cause the progress percentage to update.

Tip: For Tenable Vulnerability Management scans, you can hover over the scan status to view more status
information in a pop-up window, such as the number of targets scanned and the elapsed or final scan time.
The window shows different information based on the scan's current status.

Tenable Vulnerability Management scans can have the following status values:

Status Description

Tenable Vulnerability Management Scans

Tip: The typical Tenable Vulnerability Management scan status flow is as follows: Initializing, Running, Publishing Results, Completed.

Aborted
  Either the latest run of the scan is incomplete because Tenable Vulnerability Management or the scanner encountered problems during the run, or the scan remained queued without running for four or more hours. For more information about the problems encountered during the run, view the scan warnings.

Canceled
  At user request, Tenable Vulnerability Management successfully stopped the latest run of the scan.

Completed
  The latest run of the scan is complete.

Empty
  The scan is either empty (the scan is new or has yet to run) or pending (Tenable Vulnerability Management is processing a request to run the scan).

Imported
  A user imported the scan. You cannot run imported scans. Scan history is unavailable for imported scans.

Pausing
  A user paused the scan, and Tenable Vulnerability Management is processing the action.

Paused
  At user request, Tenable Vulnerability Management successfully paused active tasks related to the scan. The paused tasks continue to fill the task capacity of the scanner that the tasks were assigned to. Tenable Vulnerability Management does not dispatch new tasks from a paused scan job. If the scan remains in a paused state for more than 14 days, the scan times out. Tenable Vulnerability Management then aborts the related tasks on the scanner and categorizes the scan as aborted.

Pending
  Tenable Vulnerability Management has the scan queued to launch and is assigning scan tasks to the assigned sensors.

  Note: Tenable Vulnerability Management aborts scans that remain in Pending status for more than four hours. If Tenable Vulnerability Management aborts your scan, modify your scan schedule to reduce the number of overlapping scans. If you still have issues, contact Tenable Support.

Publishing Results
  Tenable Vulnerability Management processes and stores the scan results data for you to view and use in the Tenable Vulnerability Management user interface. The Publishing Results status begins once the Running status reaches 100%.

Resuming
  Tenable Vulnerability Management is in the process of restarting tasks after the user resumed the scan. Tenable Vulnerability Management instructs the scanner to start the tasks from the point at which the scan was paused. If Tenable Vulnerability Management or the scanner encounters problems when resuming the scan, the scan fails, and Tenable Vulnerability Management updates the scan status to Aborted.

Running
  The scan is currently running. While this status is shown, the scan's sensors complete their assigned scan tasks, and Tenable Vulnerability Management processes the scan results. A progress bar appears next to the status while a scan is running and shows the percentage of completed tasks.

Stopping
  A user stopped the scan, the scan timed out, or Tenable Vulnerability Management is stopping the scan after all associated scan tasks are complete.
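The failover and status behaviour described above (tasks of up to 120 targets, the 2-hour scanner timeout with three attempts before abort, the 4-hour Pending and 14-day Paused limits) can be written down as a small state machine, which makes it easier to reason about what a stuck scan will do. The following Python is an added example and is not Tenable code: it models only what the guide states. How attempts are counted, the preference for the original scanner when it comes back online, and keeping already-finished tasks across a failover are this example's assumptions about a scheduler whose internals are not public.

```python
"""Model Tenable VM scan dispatch, progress reporting and scanner failover.

Added example, not Tenable code. It models only the behaviour the guide
states: tasks of up to 120 targets, a 2-hour scanner timeout, three attempts
before abort, a 4-hour Pending limit and a 14-day Paused limit. How attempts
are counted, preferring the original scanner when it returns, and keeping
finished tasks across a failover are assumptions about a scheduler whose
internals are not public.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import Optional

TASK_SIZE = 120               # targets per scan task
SCANNER_TIMEOUT_HOURS = 2     # silence from the assigned scanner before the job is pulled
MAX_ATTEMPTS = 3              # dispatches allowed before the job is aborted
PENDING_LIMIT_HOURS = 4
PAUSED_LIMIT_HOURS = 14 * 24


@dataclass
class ScanJob:
    targets: int
    scanner_group: list                  # scanner names eligible for this job
    status: str = "Pending"
    attempts: int = 0
    scanner: Optional[str] = None        # scanner currently holding the job
    completed_tasks: int = 0
    log: list = field(default_factory=list)

    @property
    def task_count(self):
        return max(1, ceil(self.targets / TASK_SIZE))

    def progress(self):
        """Percentage on the Running status bar: completed tasks, not hosts."""
        return round(100 * self.completed_tasks / self.task_count)

    def dispatch(self, online):
        """Hand the job to an online scanner in the group; each hand-off is one attempt."""
        if self.attempts >= MAX_ATTEMPTS:
            self.status = "Aborted"
            self.log.append("aborted: three attempts without completing")
            return False
        candidates = [s for s in self.scanner_group if s in online]
        if not candidates:
            self.status = "Pending"
            self.log.append("pending: no online scanner in the group")
            return False
        # Prefer the scanner that already held the job if it is back online.
        self.scanner = self.scanner if self.scanner in candidates else candidates[0]
        self.attempts += 1
        self.status = "Running"
        self.log.append(f"attempt {self.attempts}: running on {self.scanner}")
        return True

    def pending_for(self, hours):
        if self.status == "Pending" and hours > PENDING_LIMIT_HOURS:
            self.status = "Aborted"
            self.log.append(f"aborted: pending for {hours} h")

    def scanner_silent_for(self, hours, online):
        """The assigned scanner stopped responding; after the timeout, fail over."""
        if self.status != "Running" or hours < SCANNER_TIMEOUT_HOURS:
            return
        self.log.append(f"{self.scanner} silent for {hours} h: job removed from scanner")
        self.dispatch(online)

    def task_completed(self):
        if self.status != "Running":
            return
        self.completed_tasks += 1
        if self.completed_tasks == self.task_count:
            self.status = "Publishing Results"

    def publish(self):
        if self.status == "Publishing Results":
            self.status = "Completed"

    def pause(self):
        if self.status == "Running":
            self.status = "Paused"

    def paused_for(self, hours):
        if self.status == "Paused" and hours > PAUSED_LIMIT_HOURS:
            self.status = "Aborted"
            self.log.append(f"aborted: paused for {hours} h")

    def resume(self, online):
        """Resume restarts the paused tasks on the same scanner; failure aborts the scan."""
        if self.status == "Paused":
            self.status = "Running" if self.scanner in online else "Aborted"
```

The log list is the practical part: when a scan shows Aborted, the sequence of dispatches and timeouts is what you would compare against the scan warnings to tell a dead scanner apart from an overcommitted scanner group.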

Scan Templates

Scan templates contain granular configuration settings for your scans. You can use Tenable's scan
templates to create custom scan configurations for your organization. Then, you can run scans
based on Tenable's scan templates or your custom configurations' settings.

When you create a scan configuration, the Select a Scan Template page appears. Tenable Vulnerability Management provides separate templates for Tenable Vulnerability Management and Tenable Web App Scanning. Within Tenable Vulnerability Management scanning, separate templates are provided for scanners and for agents, depending on which sensor you want to use for scanning.

If you have custom configurations, they appear in the User Defined tab. For more information about
user-defined templates, see User-Defined Templates.

When you configure a Tenable-provided scan template, you can modify only the settings included
for the scan template type. When you create a user-defined scan template, you can modify a
custom set of settings for your scan.

For descriptions of all scan template settings, see Scan Settings.

Tip: For information and tips on optimizing your Tenable Vulnerability Management scan configurations,
see the Tenable Vulnerability Management Scan Tuning Guide.

Tenable-Provided Tenable Nessus Scanner Templates


There are three scanner template categories in Tenable Vulnerability Management:

• Vulnerability Scans (Common) — Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs.

• Configuration Scans — Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Configuration scans are sometimes referred to as compliance scans. For more information about the checks that compliance scans can perform, see Compliance in Tenable Vulnerability Management Scans and SCAP Settings in Tenable Vulnerability Management Scans.

• Tactical Scans — Tenable recommends using the tactical scan templates to scan your network for a specific vulnerability or group of vulnerabilities. Tactical scans are lightweight, timely scan templates that you can use to scan your assets for a particular vulnerability. Tenable frequently updates the Tenable Vulnerability Management Tactical Scans library with templates that detect the latest vulnerabilities of public interest, such as Log4Shell.

The following table describes the available Tenable Nessus Scanner templates:

Template Description

Vulnerability Scans (Common)

Advanced Network Scan
  The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the Basic Network Scan template, but it allows for additional configuration options.

  Note: Advanced scan templates allow Tenable Vulnerability Management experts to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.

Basic Network Scan
  Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.

Credentialed Patch Audit
  Authenticates to hosts and enumerates missing updates. Use this template with credentials to give Tenable Vulnerability Management direct access to the host, scan the target hosts, and enumerate missing patch updates.

Host Discovery
  Performs a simple scan to discover live hosts and open ports. Launch this scan to see what hosts are on your network and associated information such as IP address, FQDN, operating system, and open ports, if available. After you have a list of hosts, you can choose which hosts to target in a specific vulnerability scan. Tenable recommends that organizations that do not have a passive network monitor, such as Tenable Nessus Network Monitor, run this scan weekly to discover new assets on the network.

  Note: Assets identified by discovery scans do not count toward your license.

Internal PCI Network Scan
  Performs an internal PCI DSS (11.2.1) vulnerability scan. This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities.

  Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).

Legacy Web App Scan
  Uses a Tenable Nessus scanner to scan your web applications.

  Note: Unlike the Tenable Web App Scanning scanner, the Tenable Nessus scanner does not use a browser to scan your web applications. Therefore, a Legacy Web App Scan is not as comprehensive as Tenable Web App Scanning.

Mobile Device Scan
  Assesses mobile devices via Microsoft Exchange or an MDM.

PCI Quarterly External Scan
  Performs quarterly external scans as required by PCI.

  Note: Because the nature of a PCI ASV scan is more paranoid and may lead to false positives, the scan data is not included in the aggregate Tenable Vulnerability Management data. This is by design.

Configuration Scans

Audit Cloud Infrastructure
  Audits the configuration of third-party cloud services. You can use this template to scan the configuration of Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, Rackspace, Salesforce.com, and Zoom, provided that you supply credentials for the service you want to audit.

MDM Config Audit
  Audits the configuration of mobile device managers. The MDM Config Audit template reports on a variety of MDM configuration weaknesses, such as password requirements, remote wipe settings, and the use of insecure features, such as tethering and Bluetooth.

Offline Config Audit
  Audits the configuration of network devices. Offline configuration audits allow Tenable Vulnerability Management to audit hosts without scanning them over the network or using credentials. Organizational policies may not allow you to scan devices, or to know the credentials for devices on the network, for security reasons. Offline configuration audits instead use configuration files exported from the hosts. By auditing these files, you can ensure that device settings comply with audits without scanning the host directly. Tenable recommends using offline configuration audits for devices that do not support secure remote access and devices that scanners cannot reach.

Policy Compliance Auditing
  Audits system configurations against a known baseline.

  Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific to the scan's scope and compliance requirements.

  The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.

SCAP and OVAL Auditing
  Audits systems using SCAP and OVAL definitions. The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.
  • SCAP compliance auditing requires sending an executable to the remote host.
  • Systems running security software (for example, McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.
  • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP checks to test compliance standards as specified in NIST Special Publication 800-126.

Tactical Scans

2022 Threat Landscape Retrospective (TLR)
  Detects vulnerabilities featured in Tenable's 2022 Threat Landscape Retrospective report.

Active Directory Identity
  Uses a Domain User account to query Active Directory identity information. This policy enumerates Active Directory identity information via LDAPS. It requires Domain User credentials, LDAPS configuration, and an Active Directory Domain Controller as the scan target.

Active Directory Starter Scan
  Scans for misconfigurations in Active Directory. Use this template to check Active Directory for Kerberoasting, weak Kerberos encryption, Kerberos pre-authentication validation, non-expiring account passwords, unconstrained delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank passwords.

CISA Alerts AA22-011A and AA22-047A
  Performs remote and local checks for vulnerabilities from recent CISA alerts.

ContiLeaks
  Performs remote and local checks for ContiLeaks vulnerabilities.

GHOST (glibc) Detection
  Performs remote and local checks for CVE-2015-0235.

Intel AMT Security Bypass
  Performs remote and local checks for CVE-2017-5689.

Log4Shell
  Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Log4Shell Remote Checks
  Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via remote checks.

Log4Shell Vulnerability Ecosystem
  Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local and remote checks. This template is dynamic and is regularly updated with new plugins as third-party vendors patch their software.

Malware Scan
  Scans for malware on Windows and Unix systems.

PrintNightmare
  Performs local checks for CVE-2021-34527, the PrintNightmare Windows Print Spooler vulnerability.

ProxyLogon: MS Exchange
  Performs remote and local checks to detect Microsoft Exchange Server vulnerabilities related to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Ransomware Ecosystem
  Performs local and remote checks for common ransomware vulnerabilities.

Ripple20 Remote Scan
  Detects hosts on the network running the Treck TCP/IP stack, which may be affected by the Ripple20 vulnerabilities.

Solorigate
  Detects SolarWinds Solorigate vulnerabilities using remote and local checks.

Spectre and Meltdown
  Performs remote and local checks for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

WannaCry Ransomware
  Scans for the SMB vulnerability (MS17-010) exploited by the WannaCry ransomware.

Zerologon Remote Scan
  Detects the Microsoft Netlogon elevation of privilege vulnerability (Zerologon).

Tenable-Provided Tenable Nessus Agent Templates


There are two agent template categories in Tenable Vulnerability Management:

l Vulnerability Scans — Tenable recommends using vulnerability scan templates for most of
your organization's standard, day-to-day scanning needs.

l Inventory Collection — Unlike standard Tenable Nessus Agent vulnerability scans, the Collect
Inventory template uses Tenable's Frictionless Assessment technology to provide faster scan
results and reduce the scan's system footprint. Agent-based inventory scans gather basic
information from a host and upload it to Tenable Vulnerability Management. Then, Tenable
Vulnerability Management analyzes the information against missing patches and
vulnerabilities as Tenable releases coverage. This reduces the performance impact on the
target host while also reducing the time it takes for an analyst to see the impact of a recent
patch.

Note: If a plugin requires authentication or settings to communicate with another system, the
plugin is not available on agents. This includes, but is not limited to:

- Patch management
- Mobile device management
- Cloud infrastructure audit
- Database checks that require authentication

The following table describes the available Tenable Nessus Agent templates:

Vulnerability Scans

Advanced Agent Scan
    An agent scan without any recommendations, so that you can fully customize the scan
    settings. In Tenable Vulnerability Management, the Advanced Agent Scan template allows for
    two scanning methods:

    - Scan Window: Specify the timeframe during which the agent must report to be included
      and visible in vulnerability reports.

    - Triggered Scans: Provide the agent with specific criteria that indicate when to launch
      a scan. The agent launches the scan when one (or more) of the criteria are met. For more
      information, see Basic Settings in the Tenable Vulnerability Management User Guide.

    Note: When you create an agent scan using the Advanced Agent Scan template, you must also
    select the plugins you want to use for the scan.

Agent Log4Shell
    Agent detection of Apache Log4j CVE-2021-44228.

Basic Agent Scan
    Scans systems connected via Tenable Nessus Agents.

Malware Scan
    Scans for malware on systems connected via Tenable Nessus Agents.

    Tenable Nessus Agent detects malware using a combined allow list and block list approach:
    it monitors known good processes, alerts on known bad processes, and identifies coverage
    gaps between the two by flagging unknown processes for further inspection.

Policy Compliance Auditing
    Audits system configurations against a known baseline for systems connected via Tenable
    Nessus Agents.

    The compliance checks can audit against custom security policies, such as password
    complexity, system settings, or registry values on Windows operating systems. For Windows
    systems, the compliance audits can test for a large percentage of anything that can be
    described in a Windows policy file. For Unix systems, the compliance audits test for
    running processes, user security policy, and content of files.

SCAP and OVAL Agent Auditing
    Audits systems using SCAP and OVAL definitions for systems connected via Tenable Nessus
    Agents.

    The National Institute of Standards and Technology (NIST) Security Content Automation
    Protocol (SCAP) is a suite of specifications for managing vulnerabilities and policy
    compliance in government agencies. It relies on multiple open standards and policies,
    including OVAL, CVE, CVSS, CPE, and FDCC policies.

    - SCAP compliance auditing requires sending an executable to the remote host.

    - Systems running security software (for example, McAfee Host Intrusion Prevention) may
      block or quarantine the executable required for auditing. For those systems, you must
      make an exception for either the host or the executable sent.

    - When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP
      checks to test compliance against the standards specified in NIST Special Publication
      800-126.

Inventory Collection

Collect Inventory
    Collects an inventory from Tenable Nessus Agents and assesses it with Frictionless
    Assessment.

    The Collect Inventory agent scan template uses Frictionless Assessment to provide faster
    scan results and a reduced system footprint. The agent only runs checks that collect asset
    information (for example, installed software and IP addresses); Tenable Vulnerability
    Management then performs the vulnerability checks against that inventory. This scanning
    method is sometimes referred to as inventory scanning in the Tenable Vulnerability
    Management user interface and documentation.

    Collect Inventory scans provide coverage for:

    - Red Hat local security checks
    - CentOS local security checks
    - Amazon Linux local security checks
    - Debian local security checks
    - Fedora local security checks
    - SUSE local security checks
    - Ubuntu local security checks
    - Windows/Microsoft bulletin checks (all Windows roll-up checks since 2017)

    Collect Inventory scans do not currently provide coverage for:

    - Malware and compliance checks
    - Third-party Linux application detection (for example, Apache HTTP Server or PostgreSQL)
      for instances not installed via dpkg or rpm
    - Third-party Windows applications (for example, Google Chrome or Mozilla Firefox)
    - Microsoft product Patch Tuesday updates (for example, Exchange or SharePoint)

Tenable-Provided Tenable Web App Scanning Templates


The following table describes the available Tenable Web App Scanning scan templates:

API
    A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described
    via an OpenAPI (Swagger) specification file. File attachment size is limited to 1 MB.

    Tip: If the API you want to scan requires keys or a token for authentication, you can add
    the expected custom headers in the Advanced settings, in the HTTP Settings section.

    Note: The API scan template is available as a public beta. Its functionality is subject to
    change as ongoing improvements are made throughout the beta period.

    Note: API scans support only one target at a time.

Config Audit
    A high-level scan that analyzes HTTP security headers and other externally facing
    configurations on a web application to determine whether the application complies with
    common security industry standards.

    If you create a scan using the Config Audit scan template, Tenable Web App Scanning
    analyzes your web application only with plugins related to security industry standards
    compliance.

Log4Shell
    Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Overview
    A high-level preliminary scan that determines which URLs in a web application Tenable Web
    App Scanning scans by default.

    The Overview scan template does not analyze the web application for active
    vulnerabilities. Therefore, this scan template does not offer as many plugin family options
    as the Scan template.

PCI
    A scan that assesses web applications for compliance with the Payment Card Industry Data
    Security Standard (PCI DSS) for Tenable PCI ASV.

Quick Scan
    A high-level scan, similar to the Config Audit scan template, that analyzes HTTP security
    headers and other externally facing configurations on a web application to determine
    whether the application complies with common security industry standards. Does not include
    scheduling.

    If you create a scan using the Quick Scan scan template, Tenable Vulnerability Management
    analyzes your web application only with plugins related to security industry standards
    compliance.

Scan
    A comprehensive scan that assesses web applications for a wide range of vulnerabilities.

    The Scan template provides plugin family options for all active web application plugins.

    If you create a scan using the Scan template, Tenable Web App Scanning analyzes your web
    application with all plugins that the scanner checks for when you create a scan using the
    Config Audit, Overview, or SSL TLS templates, as well as additional plugins to detect
    specific vulnerabilities.

    A scan run with this scan template provides a more detailed assessment of a web
    application and takes longer to complete than other Tenable Web App Scanning scans.

SSL TLS
    A scan to determine whether a web application uses SSL/TLS public-key encryption and, if
    so, how the encryption is configured.

    When you create a scan using the SSL TLS template, Tenable Web App Scanning analyzes your
    web application only with plugins related to the SSL/TLS implementation. The scanner does
    not crawl URLs or assess individual pages for vulnerabilities.

User-Defined Templates

Required Template Permissions: Owner

Tenable provides a variety of scan templates for specific scanning purposes. If you want to
customize a Tenable-provided scan template and share it with other users, you can create a user-
defined scan template.

For information about any scan settings, see Scan Settings.

You can create, edit, copy, export, or delete user-defined Tenable Vulnerability Management and
Tenable Web App Scanning Scan templates from the Scans page. You can also import and export
Tenable Vulnerability Management scan templates.

To manage your user-defined scan templates:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. Below Scan Templates, choose to view Vulnerability Management Scan Templates or Web
Application Scan Templates.

The scan template table updates based on your selection.

Click a template to view or edit its settings and parameters, or use the following procedures to
further manage your user-defined templates:

Create a user-defined template

You can create user-defined scan templates to save and share custom scan settings with other
Tenable Vulnerability Management users.

When you define a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

To create a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Create Template button.

The Select a Template page appears.

5. Click the tile for the template you want to use as the base for your user-defined scan
template.

The Create a Template page appears.

6. Do one of the following:

   - If you are creating a Tenable Vulnerability Management scan template, configure the
     scan template on the following tabs:

     Settings
         Configure the settings available in the scan template.

         - Basic Settings: Specifies the organizational and security-related aspects of a
           scan template. This includes specifying the name of the scan, its targets,
           whether you want to schedule the scan, and who has permissions for the scan.

         - Discovery Settings: Specifies how a scan performs discovery and port scanning.

         - Assessment Settings: Specifies how a scan identifies vulnerabilities, as well as
           what vulnerabilities are identified. This includes identifying malware, assessing
           the vulnerability of a system to brute force attacks, and the susceptibility of
           web applications.

         - Report Settings: Specifies whether the scan generates a report.

         - Advanced Settings: Specifies advanced controls for scan efficiency.

     Credentials
         Specify credentials you want Tenable Vulnerability Management to use to perform a
         credentialed scan.

     Compliance/SCAP
         Specify the platforms you want to audit. Tenable, Inc. provides best practice
         audits for each platform. Additionally, you can upload a custom audit file.

     Plugins
         Select security checks by plugin family or individual plugin.

   - If you are creating a Tenable Web App Scanning scan template, configure the scan
     template on the following tabs:

     Settings
         Configure the settings available in the scan template. For more information, see
         Basic Settings in Tenable Web App Scanning Scans.

     Scope
         Specify the URLs and file types that you want to include in or exclude from your
         scan. For more information, see Scope Settings in Tenable Web App Scanning Scans.

     Assessment
         Specify how a scan identifies vulnerabilities and what vulnerabilities the scan
         identifies. This includes identifying malware, assessing the vulnerability of a
         system to brute force attacks, and the susceptibility of web applications. For
         more information, see Assessment Settings in Tenable Web App Scanning Scans.

     Advanced
         Specify advanced controls for scan efficiency.

     Credentials
         Specify credentials you want Tenable Vulnerability Management to use to perform a
         credentialed scan.

     Plugins
         Select security checks by plugin family or individual plugin.

7. Click Save.

   Tenable Vulnerability Management saves the user-defined scan template and adds it to the
   list of scan templates on the Scan Templates page.

Edit a user-defined template

Required Template Permissions: Can Configure

To edit a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scan templates table, click the scan template you want to edit.

The Edit a Scan Template page appears.

7. Do one of the following:

   - If you are editing a Tenable Vulnerability Management scan template, configure the scan
     template options on the following tabs:

     Settings
         Configure the settings available in the scan template.

         - Basic Settings: Specifies the organizational and security-related aspects of a
           scan template. This includes specifying the name of the scan, its targets,
           whether you want to schedule the scan, and who has permissions for the scan.

         - Discovery Settings: Specifies how a scan performs discovery and port scanning.

         - Assessment Settings: Specifies how a scan identifies vulnerabilities, as well as
           what vulnerabilities are identified. This includes identifying malware, assessing
           the vulnerability of a system to brute force attacks, and the susceptibility of
           web applications.

         - Report Settings: Specifies whether the scan generates a report.

         - Advanced Settings: Specifies advanced controls for scan efficiency.

     Credentials
         Specify credentials you want Tenable Vulnerability Management to use to perform a
         credentialed scan.

     Compliance/SCAP
         Specify the platforms you want to audit. Tenable, Inc. provides best practice
         audits for each platform. Additionally, you can upload a custom audit file.

     Plugins
         Select security checks by plugin family or individual plugin.

   - If you are editing a Tenable Web App Scanning scan template, configure the scan
     template options on the following tabs:

     Settings
         Configure the settings available in the scan template. For more information, see
         Basic Settings in Tenable Web App Scanning Scans.

     Scope
         Specify the URLs and file types that you want to include in or exclude from your
         scan. For more information, see Scope Settings in Tenable Web App Scanning Scans.

     Assessment
         Specify how a scan identifies vulnerabilities and what vulnerabilities the scan
         identifies. This includes identifying malware, assessing the vulnerability of a
         system to brute force attacks, and the susceptibility of web applications. For
         more information, see Assessment Settings in Tenable Web App Scanning Scans.

     Advanced
         Specify advanced controls for scan efficiency.

     Credentials
         Specify credentials you want Tenable Vulnerability Management to use to perform a
         credentialed scan.

     Plugins
         Select security checks by plugin family or individual plugin.

8. Click Save.

   Tenable Vulnerability Management saves your changes to the user-defined scan template,
   which remains in the list of templates on the Scan Templates page.

Copy a user-defined template

When you copy a user-defined scan template, Tenable Vulnerability Management assigns you owner
permissions for the copy. You can share the copy by assigning template permissions to other users,
but only you can delete the copied scan template.

To copy a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scan templates table, roll over the scan template you want to copy.

7. In the row, click the button.

   A menu appears.

8. In the menu, click the button.

   A Template copied message appears. Tenable Vulnerability Management creates a copy of the
   scan template with Copy of prepended to the name and assigns you owner permissions for the
   copy. The copy appears in the scan templates table.

Export a user-defined template (Tenable Vulnerability Management only)

You can export a user-defined scan template for later import.

Note: Tenable Vulnerability Management does not export passwords, credentials, and file-based settings
(for example, .audit files and the SSH known_hosts file) in user-defined scan templates.

To export a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scan templates table, roll over the scan template you want to export.

7. In the row, click the button.

   A menu appears.

8. In the menu, click the button.

   Tenable Vulnerability Management exports the user-defined scan template as a .nessus file.

Note: To learn more about the .nessus file format, see Nessus File Format.

Import a user-defined template (Tenable Vulnerability Management only)

When you import a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

Tenable Vulnerability Management does not include passwords or compliance audit files in exported
user-defined scan templates. You must add these settings in manually after importing the scan
template.

To import a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the upper-right corner of the page, click the Import button.

Your file manager appears.

7. Select the scan template you want to import.

8. Click Open.

A Template uploaded message appears, and the scan template appears on the Scan
Templates page.

What to do next:

- As needed, add passwords and compliance audit files to the imported template.
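Because an exported template is meant to omit passwords, credentials, and file-based settings, it is worth verifying that before you share the .nessus file, and worth listing which file-based preferences have to be re-attached after import. The script below is an added example, not Tenable tooling. It assumes the Nessus v2 XML layout (NessusClientData_v2 > Policy > Preferences, with ServerPreferences holding name/value pairs and PluginsPreferences holding item records with preferenceName, preferenceType and selectedValue children); the sample document is constructed for this example and deliberately contains a password value that a real export should not.

```python
"""Audit an exported user-defined scan template (.nessus XML) before sharing it.

Added example, not Tenable code.  Assumes the Nessus v2 XML layout described
in the lead-in; SAMPLE_TEMPLATE is constructed and intentionally carries a
leftover SSH password so the check has something to catch.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_TEMPLATE = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Policy>
    <policyName>Linux baseline (user-defined)</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>plugin_set</name><value>19506;10180;</value></preference>
        <preference><name>safe_checks</name><value>yes</value></preference>
      </ServerPreferences>
      <PluginsPreferences>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH user name :</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>svc-scan</selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH password (unsafe!) :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue>Hunter2!</selectedValue>
        </item>
        <item>
          <pluginName>Unix Compliance Checks</pluginName>
          <preferenceName>Policy file #1 :</preferenceName>
          <preferenceType>file</preferenceType>
          <selectedValue></selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>
"""

ITEM_PATH = "./Policy/Preferences/PluginsPreferences/item"
SERVER_PATH = "./Policy/Preferences/ServerPreferences/preference"
SECRET_TYPES = {"password"}                     # preferenceType values that hold secrets
FILE_TYPES = {"file"}                           # preferenceType values that hold uploads
SECRET_NAME_RE = re.compile(r"password|passphrase|secret|token|private key", re.I)


def _is_secret(name, ptype):
    return ptype in SECRET_TYPES or bool(SECRET_NAME_RE.search(name))


def audit_template(xml_text):
    """Return (leaked, missing): preference names that still carry a secret
    value, and file-based preferences that are empty and must be re-attached
    after import."""
    root = ET.fromstring(xml_text)
    leaked, missing = [], []
    for pref in root.iterfind(SERVER_PATH):
        name, value = pref.findtext("name", ""), pref.findtext("value", "")
        if SECRET_NAME_RE.search(name) and value:
            leaked.append(name)
    for item in root.iterfind(ITEM_PATH):
        name = item.findtext("preferenceName", "").strip()
        ptype = item.findtext("preferenceType", "").strip()
        value = item.findtext("selectedValue", "")
        if _is_secret(name, ptype) and value:
            leaked.append(name)
        elif ptype in FILE_TYPES and not value:
            missing.append(name)
    return leaked, missing


def scrub_secrets(xml_text):
    """Return a copy of the template with every secret value blanked, so the
    file can be shared in the state the export is supposed to produce."""
    root = ET.fromstring(xml_text)
    for item in root.iterfind(ITEM_PATH):
        name = item.findtext("preferenceName", "").strip()
        ptype = item.findtext("preferenceType", "").strip()
        value_el = item.find("selectedValue")
        if value_el is not None and _is_secret(name, ptype):
            value_el.text = ""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    leaked, missing = audit_template(SAMPLE_TEMPLATE)
    print("secrets still present :", leaked)
    print("files to re-attach    :", missing)
    print("clean after scrub     :", audit_template(scrub_secrets(SAMPLE_TEMPLATE))[0] == [])
```

Run it on the file you exported instead of SAMPLE_TEMPLATE: an empty first list confirms the export behaved as documented, and the second list is your checklist for the "What to do next" step after import.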

Delete a user-defined template

If you delete a user-defined scan template, Tenable Vulnerability Management deletes it from all
user accounts.

Before you begin:


l Delete any scans that use the template you want to delete. You cannot delete a scan template
if a scan is using the template.

To delete a user-defined scan template or templates:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. Select the scan template or templates you want to delete:

   - Select a single scan template:

     a. In the scan templates table, roll over the scan template you want to delete.

     b. In the row, click the button.

        A menu appears.

     c. In the menu, click the button.

        A confirmation window appears.

   - Select multiple scan templates:

     a. In the scan templates table, select the check box for each scan template you want
        to delete.

        The action bar appears at the bottom of the page.

     b. In the action bar, click the button.

        A confirmation window appears.

7. In the confirmation window, click Delete.

   Tenable Vulnerability Management deletes the user-defined scan template or templates you
   selected.

Change user-defined template ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Template Permissions: Owner

To change the ownership of a user-defined scan template:

1. Edit a user-defined template.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

4. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

5. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

6. (Optional) Edit permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

7. Click Save.

Tenable assigns ownership to the selected user and assigns your user account the
permissions you selected. If you removed all permissions for your user account from the
template, the template no longer appears in the templates table.

Scan Settings
Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Scan settings are organized into the following categories:

Tenable Vulnerability Management Scans

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Vulnerability Management Scans
- Discovery Settings in Tenable Vulnerability Management Scans
- Assessment Settings in Tenable Vulnerability Management Scans
- Report Settings in Tenable Vulnerability Management Scans
- Advanced Settings in Tenable Vulnerability Management Scans
- Credentials in Tenable Vulnerability Management Scans
- Compliance in Tenable Vulnerability Management Scans
- SCAP Settings in Tenable Vulnerability Management Scans
- Configure Plugins in Tenable Vulnerability Management Scans

Tenable Web App Scanning Scans

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Web App Scanning Scans
- Scope Settings in Tenable Web App Scanning Scans
- Report Settings in Tenable Web App Scanning Scans
- Assessment Settings in Tenable Web App Scanning Scans
- Advanced Settings in Tenable Web App Scanning Scans
- Credentials in Tenable Web App Scanning Scans
- Plugin Settings in Tenable Web App Scanning Scans

Settings in User-Defined Templates


When configuring settings for user-defined templates, note the following:

- If you configure a setting in a user-defined template, that setting applies to any scans you
  create based on that user-defined template.

- You base a user-defined template on a Tenable-provided template. Most of the settings are
  identical to the settings you can configure in an individual scan that uses the same
  Tenable-provided template.

  However, certain Basic settings are unique to creating a user-defined template, and do not
  appear when configuring an individual scan. For more information, see Basic Settings in
  User-Defined Templates.

- You can configure certain settings in a user-defined template, but cannot modify those
  settings in an individual scan based on a user-defined template. These settings include
  Discovery, Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to
  modify these settings for individual scans, create individual scans based on a
  Tenable-provided template instead.

- If you configure Credentials in a user-defined template, other users can override these
  settings by adding scan-specific or managed credentials to scans based on the template.

Tenable Vulnerability Management Scan Settings


Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Tenable Vulnerability Management scan settings are organized into the following categories:

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Vulnerability Management Scans
- Discovery Settings in Tenable Vulnerability Management Scans
- Assessment Settings in Tenable Vulnerability Management Scans
- Report Settings in Tenable Vulnerability Management Scans
- Advanced Settings in Tenable Vulnerability Management Scans
- Credentials in Tenable Vulnerability Management Scans
- Compliance in Tenable Vulnerability Management Scans
- SCAP Settings in Tenable Vulnerability Management Scans
- Configure Plugins in Tenable Vulnerability Management Scans


Basic Settings in Tenable Vulnerability Management Scans

Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-
defined templates, see Basic Settings in User-Defined Templates.

You can use Basic settings to specify organizational and security-related aspects of a scan
configuration. This includes specifying the name of the scan, its targets, whether the scan is
scheduled, and who has access to the scan.

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

The Basic settings include the following sections:

- General
- Schedule
- Notifications
- User Permissions

General
The general settings for a scan.

Setting / Default Value / Description

Name
    Default: None
    Specifies the name of the scan.

Description
    Default: None
    (Optional) Specifies a description of the scan.

Scan Results
    Default: Show in dashboard
    Specifies whether the results of the scan should appear in workbenches, dashboards, and reports, or be kept private.

    When set to Keep private, the scan results' Last Seen dates do not update and you must access the scan directly to view the results.

    Private scan results do not show new Active findings in the workbenches, dashboards, and reports, and they do not transition the vulnerability states of previously discovered findings to Fixed or Resurfaced.

    Note: Show in dashboard is always enabled for triggered scans.

Folder
    Default: My Scans
    Specifies the folder where the scan appears after being saved.

    You cannot specify a folder when you launch a remediation scan. All remediation scans appear in the Remediation Scans folder only.

Agent Groups
    Default: None
    (Tenable Nessus Agent templates only) Specifies the agent group or groups you want the scan to target. In the drop-down box, select an existing agent group, or create a new agent group.

Scanner Type
    Default: Internal Scanner
    Specifies whether a local, internal scanner or a cloud-managed scanner performs the scan, and determines whether the Scanner field lists local or cloud-managed scanners to choose from.

Scanner
    Default: Auto-Select
    Specifies the scanner that performs the scan.

    Select a scanner based on the location of the targets you want to scan. For example:

    l Select a linked scanner to scan non-routable IP addresses.

      Note: Auto-select is not available for cloud scanners.

    l Select a scanner group if you want to:

      o Improve scan speed by balancing the scan load among multiple scanners.
      o Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations.

    l Select Auto-Select to enable scan routing for the targets.
Tags
    Default: None
    Select one or more tags to scan all assets that have any of the specified tags applied. To see a list of assets identified by the specified tags, click View Assets.

IP Selection
    Default: Internal
    (Required) Select whether to run a tag-based scan on Internal or External IP addresses.

    l Internal — RFC 1918 (private) IP addresses.
    l External — Non-RFC 1918 (public) IP addresses.

    Note: You can use your organization's non-cloud scanners to scan both Internal and External targets. Cloud scanners can only be used to scan External targets.

    Tip: If you need to scan both External and Internal targets with the same tag or tags, create two different scan configurations; one scan that targets External IPs, and one scan that targets Internal IPs.

    Tenable Vulnerability Management evaluates the identifiers to determine a single target in the following order:

    1. Last scan target
    2. Most recent IPv4
    3. Most recent IPv6
    4. Most recent FQDN added

    Note: Scan routing is available for linked scanners only.

Use Tag Rules as Targets
    Default: Existing tagged assets only
    (Required) Specifies whether Tenable Vulnerability Management scans tagged assets only, or any assets to which the selected tags' rules apply.

    l Existing tagged assets only — Tenable Vulnerability Management scans all existing assets that have any of the specified tags applied.

    l Targets defined by tags — Tenable Vulnerability Management scans all assets whose IP address or DNS name matches the rules of the specified tag. The Targets defined by tags option only works for the following tag rules: IPv4, IPv6, and DNS.

      Note: If you select the Match All filter, you can have only one tag rule. Otherwise, the tag resolves to empty targets. If you select the Match Any filter, you are allowed to have more than one tag rule. All tag rules resolve as targets as long as the rules are for IPv4, IPv6, and DNS.

    For example, you create a scan policy that scans for a tag with a tag rule that specifies a certain IPv4 range. The example tag name is My IPv4s.

    l If you choose Existing tagged assets only, Tenable Vulnerability Management only scans assets that are already tagged with the My IPv4s tag.

    l If you choose Targets defined by tags, Tenable Vulnerability Management scans any assets whose IPv4 addresses are within the range specified in the My IPv4s tag rule.

    For more information about tags and tag rules, see Tags and Tag Rules.

Scan Window
    Default: Disabled
    (Tenable Nessus Scanner templates only) Specifies the timeframe after which the scan automatically stops. Use the drop-down box to select an interval of time, or click to type a custom scan window.

    Note: The scan window timeframe only applies to the scan job. After the scan job completes within the timeframe, or once the scan job stops because the scan window ended, Tenable Vulnerability Management may still need to index the scan job. This can cause the scan not to show as Completed after the scan window ends. Once Tenable Vulnerability Management indexes the scan, it shows as Completed.

Scan Type
    Default: Scan Window
    (Tenable Nessus Agent templates only) (Required) Specifies whether the agent scans occur based on a scan window or triggers:

    l Scan Window — Specifies the timeframe during which agents must report in order to be included and visible in vulnerability reports. Use the drop-down box to select an interval of time, or click to type a custom scan window.

      Window scans must be explicitly launched or scheduled to launch at a particular time.

    l Triggered Scan — Specifies the triggers that cause agents to report in. Use the drop-down boxes to select from the following trigger types:

      l Interval — The time interval (hours) between each scan (for example, every 12 hours).
      l File Name — The file name that triggers the agent scan. The scan triggers when the file name is detected in the trigger directory.

      Tip: You can set multiple triggers for a single scan, and the scan searches for the triggers in their listed order (in other words, if the first trigger does not trigger the scan, it searches for the second trigger).

      To learn more about triggered agent scanning, see Triggered Agent Scans.

Info-level Reporting
    Default: Triggered agent scans — After 10 scans; Scan Window agent scans — After 10 days

    Note: Tenable highly recommends using the default values. Only lower the value if doing so is necessary for your organization.

    (Tenable Nessus Agent vulnerability templates only) (Required) Specifies how often the agent scan should report unchanged Info-severity vulnerability findings. To learn more about this setting, see Info-level Reporting.

    You can configure the agent scan to report all severity findings by launching a new baseline scan after one of the following intervals:

    l After number of scans — The agent scan reports all findings every x number of scans. You choose from the following increments: 7, 10, 15, or 20 scans.

    l After number of days — The agent scan reports all findings after a set number of days after the previous day on which the agent scan last reported all findings. You choose from the following increments: 7, 10, 20, 30, 60, or 90 days.

    You can only set triggered agent scans to After number of scans. You can set Scan Window scans to either After number of scans or After number of days.

Target Groups
    Default: None
    You can select or add a new target group to which the scan applies. Assets in the target group are used as scan targets.

    Note: Tenable plans to deprecate target groups in the near future. Currently, you can still create and manage target groups. However, Tenable recommends that you instead use tags to group and scan assets on your Tenable Vulnerability Management instance.

Targets
    Default: None
    Specifies one or more targets to be scanned. If you select a target group or upload a target file, you are not required to specify additional targets.

    Targets can be specified using a number of different formats.

    The targets you specify must be appropriate to the scanner you select for the scan. For example, cloud scanners cannot scan non-routable IP addresses. Select an internal scanner instead.

    Tip: You can force Tenable Vulnerability Management to use a given hostname for a server during a scan by using the hostname[ip] syntax (for example, www.example.com[192.168.1.1]). However, you cannot use this approach if you enable scan routing for the scan.

    Note: You cannot apply more than 300,000 IP address targets to a scan. To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

    Note: See Permissions for more information on how permissions affect targets.

Upload Targets
    Default: None
    Uploads a text file that specifies the targets.

    The targets file must be formatted in the following manner:

    l ASCII file format
    l Only one target per line
    l No extra spaces at the end of a line
    l No extra lines following the last target

    Note: Unicode/UTF-8 encoding is not supported.

Policy
    Default: None
    This setting appears only when the scan owner edits an existing scan that is based on a user-defined scan template.

    Note: After scan creation, you cannot change the Tenable-provided scan template on which a scan is based.

    In the drop-down box, select a user-defined scan template on which to base the scan. You can select user-defined scan templates for which you have Can View or higher permissions.

    In most cases, you set the user-defined scan template at scan creation, then keep the same template each time you run the scan. However, you may want to change the user-defined scan template when troubleshooting or debugging a scan. For example, changing the template makes it easy to enable or disable different plugin families, change performance settings, or apply dedicated debugging templates with more verbose logging.

    When you change the user-defined scan template for a scan, the scan history retains the results of scans run under the previously assigned template.

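The two modes of the Use Tag Rules as Targets setting above differ in a way that is easy to get wrong: "Existing tagged assets only" never reaches a host that has not yet been tagged, while "Targets defined by tags" turns the rule values themselves into scan targets and so reaches untagged hosts inside the rule's range, but resolves to nothing when Match All is combined with more than one rule. The following Python is an added example, not Tenable code: the Tag and Asset records, the accepted IPv4/IPv6 rule-value forms (CIDR, start-end range, single address), and the decision to silently drop rule types other than IPv4, IPv6 and DNS are assumptions made for illustration.

```python
"""Resolve a tag's rules to scan targets the way 'Use Tag Rules as Targets'
describes. Added example, not Tenable code. The Tag/Asset records, the
rule-value formats (CIDR, 'start-end' range, single address, DNS name) and
the treatment of unsupported rule types are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

SUPPORTED_RULES = {"ipv4", "ipv6", "dns"}   # the only rule types that work as targets


@dataclass
class Tag:
    name: str
    match: str                       # "all" (Match All) or "any" (Match Any)
    rules: List[Tuple[str, str]]     # (rule type, rule value)


@dataclass
class Asset:
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None
    fqdn: Optional[str] = None
    tags: Set[str] = field(default_factory=set)   # tags already applied to the asset


def _in_rule(value: Optional[str], rule: str) -> bool:
    """True if an address lies inside a CIDR, a 'start-end' range, or equals a single address."""
    if value is None:
        return False
    addr = ip_address(value)
    if "/" in rule:
        return addr in ip_network(rule, strict=False)
    if "-" in rule:
        lo, hi = (ip_address(p) for p in rule.split("-", 1))
        return lo <= addr <= hi
    return addr == ip_address(rule)


def asset_matches(asset: Asset, rule_type: str, rule: str) -> bool:
    if rule_type == "ipv4":
        return _in_rule(asset.ipv4, rule)
    if rule_type == "ipv6":
        return _in_rule(asset.ipv6, rule)
    if rule_type == "dns":
        return asset.fqdn is not None and asset.fqdn.lower() == rule.lower()
    return False   # operating system, software and other rule types never become targets


def existing_tagged_assets(tag: Tag, inventory: List[Asset]) -> List[Asset]:
    """'Existing tagged assets only': scan only assets that already carry the tag."""
    return [a for a in inventory if tag.name in a.tags]


def targets_defined_by_tags(tag: Tag) -> List[str]:
    """'Targets defined by tags': the rule values become the scan targets.
    Match All with more than one rule resolves to empty targets (as the guide
    states); Match Any takes every IPv4/IPv6/DNS rule. Dropping unsupported
    rule types silently is an assumption of this example."""
    if tag.match == "all" and len(tag.rules) > 1:
        return []
    return [v for t, v in tag.rules if t in SUPPORTED_RULES]


def assets_in_scope(tag: Tag, inventory: List[Asset]) -> List[Asset]:
    """Known assets the 'Targets defined by tags' scan would reach. Hosts inside
    the ranges that are not in the inventory yet are scanned as well; they just
    cannot be listed ahead of time."""
    targets = targets_defined_by_tags(tag)
    return [a for a in inventory
            if any(asset_matches(a, t, v) for t, v in tag.rules if v in targets)]


# Constructed sample data mirroring the guide's "My IPv4s" example.
MY_IPV4S = Tag("My IPv4s", "any", [("ipv4", "10.10.0.0/24")])
TWO_RULES_ALL = Tag("Both", "all", [("ipv4", "10.10.0.0/24"), ("dns", "db01.example.test")])

INVENTORY = [
    Asset(ipv4="10.10.0.5", tags={"My IPv4s"}),         # tagged and inside the range
    Asset(ipv4="10.10.0.9"),                            # inside the range, never tagged
    Asset(ipv4="10.20.0.1", tags={"My IPv4s"}),         # tagged but outside the range
    Asset(ipv4="10.10.0.7", fqdn="db01.example.test"),  # inside the range, matches the DNS rule
]

if __name__ == "__main__":
    print("existing tagged:", [a.ipv4 for a in existing_tagged_assets(MY_IPV4S, INVENTORY)])
    print("defined by tags:", [a.ipv4 for a in assets_in_scope(MY_IPV4S, INVENTORY)])
    print("Match All with two rules:", targets_defined_by_tags(TWO_RULES_ALL))
```

Run against the constructed inventory, the two modes give different host sets: the tagged-but-out-of-range host 10.20.0.1 is scanned only in "Existing tagged assets only" mode, the untagged in-range hosts only in "Targets defined by tags" mode, and the Match All tag with two rules yields no targets at all.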
Schedule
The scan schedule settings.

By default, scans are not scheduled. When you first access the Schedule section, the Enable
Schedule setting appears, set to Off. To modify the settings listed on the following table, click the
Off button. The rest of the settings appear.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.

Setting / Default Value / Description

Frequency
    Default: Once
    Specifies how often the scan is launched.

    l Once: Schedule the scan at a specific time.

    l Daily: Schedule the scan to occur every 1-20 days, at a specific time.

    l Weekly: Schedule the scan to occur every 1-20 weeks, by time and day or days of the week.

    l Monthly: Schedule the scan to occur every 1-20 months, by:

      l Day of Month: The scan repeats monthly on a specific day of the month at the selected time. For example, if you select a start date of October 3, the scan repeats on the 3rd of each subsequent month at the selected time.

      l Week of Month: The scan repeats monthly on a specific day of the week. For example, if you select a start date of the first Monday of the month, the scan runs on the first Monday of each subsequent month at the selected time.

      Note: If you schedule your scan to recur monthly by day of the month, Tenable recommends setting a start date no later than the 28th. If you select a start date that does not exist in some months (for example, the 29th), Tenable Vulnerability Management cannot run the scan in those months.

    l Yearly: Schedule the scan to occur every 1-20 years, by time and date.

Starts
    Default: Varies
    Specifies the exact date and time when a scan launches.

    The starting date defaults to the date when you are creating the scan. The starting time is the next half-hour interval. For example, if you create your scan on 09/08/2023 at 9:16 AM, the default starting date and time is set to 09/08/2023 and 09:30.

Timezone
    Default: Zulu
    Specifies the timezone of the value set for Starts.

Repeat Every
    Default: Varies
    Specifies the interval at which a scan is relaunched. The default value of this item varies based on the frequency you choose.

Repeat On
    Default: Varies
    Specifies what day of the week a scan repeats. This item appears only if you specify Weekly for Frequency.

    The value for Repeat On defaults to the day of the week on which you create the scan.

Repeat By
    Default: Day of the Month
    Specifies when a monthly scan is relaunched. This item appears only if you specify Monthly for Frequency.

Summary
    Default: N/A
    Provides a summary of the schedule for your scan based on the values you have specified for the available settings.
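The warning about monthly schedules starting on the 29th, 30th or 31st is the kind of gap that silently shrinks coverage, so it is worth being able to enumerate the launch dates a schedule will actually produce before relying on it. The following Python is an added example, not Tenable's scheduler, which the guide does not describe beyond the settings above. It assumes that a weekly schedule repeats only on the start date's weekday, that a day-of-month schedule simply produces no run in a month lacking that day (the guide's note), that a week-of-month schedule skips a month without a fifth occurrence of the weekday, and that the default Starts time is rounded up to the next half hour (09:16 to 09:30, as in the example above). Times are naive and taken in the schedule's own timezone.

```python
"""Enumerate the launch times a Tenable Vulnerability Management scan
schedule produces. Added example, not Tenable code. Assumptions: weekly
repeats on the start weekday only; a day-of-month schedule has no run in a
month that lacks the day; week-of-month skips months with no n-th weekday;
the default start is rounded up to the next half hour."""
import calendar
from datetime import datetime, timedelta
from typing import Iterator, Optional


def default_start(now: datetime) -> datetime:
    """Starts defaults to the creation time rounded up to a half-hour boundary."""
    base = now.replace(second=0, microsecond=0)
    return base + timedelta(minutes=(30 - base.minute % 30) % 30)


def _nth_weekday(year: int, month: int, weekday: int, n: int) -> Optional[datetime]:
    """Date of the n-th (1-based) given weekday in the month, or None if absent."""
    first = datetime(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        return None
    return first.replace(day=day)


def scan_launches(frequency: str, starts: datetime, every: int = 1,
                  repeat_by: str = "day_of_month", limit: int = 12) -> Iterator[datetime]:
    """Yield up to `limit` launch times.
    frequency: once | daily | weekly | monthly | yearly
    every:     the Repeat Every value, 1-20 as in the UI
    repeat_by: day_of_month | week_of_month (monthly only)"""
    if not 1 <= every <= 20:
        raise ValueError("Repeat Every must be between 1 and 20")
    if frequency == "once":
        yield starts
        return
    if frequency in ("daily", "weekly"):
        step = timedelta(days=every) if frequency == "daily" else timedelta(weeks=every)
        for i in range(limit):
            yield starts + i * step
        return
    if frequency not in ("monthly", "yearly"):
        raise ValueError(f"unknown frequency {frequency!r}")
    month_step = every if frequency == "monthly" else 12 * every
    nth = (starts.day - 1) // 7 + 1            # e.g. day 9 -> the 2nd such weekday
    emitted = 0
    for k in range(limit * 60):                # bounded even for Feb 29 yearly schedules
        if emitted == limit:
            return
        total = starts.month - 1 + k * month_step
        year, month = starts.year + total // 12, total % 12 + 1
        if frequency == "monthly" and repeat_by == "week_of_month":
            day = _nth_weekday(year, month, starts.weekday(), nth)
            if day is None:                    # e.g. no 5th Monday this month
                continue
            yield day.replace(hour=starts.hour, minute=starts.minute)
        else:
            if starts.day > calendar.monthrange(year, month)[1]:
                continue                       # the 29th-31st is missing: no run this month
            yield starts.replace(year=year, month=month)
        emitted += 1


if __name__ == "__main__":
    print("default Starts for 09:16:", default_start(datetime(2023, 9, 8, 9, 16)).time())
    for d in scan_launches("monthly", datetime(2023, 1, 31, 9, 30), limit=4):
        print("day-of-month from Jan 31:", d.date())     # Feb, Apr and Jun are skipped
    for d in scan_launches("monthly", datetime(2023, 10, 2, 9, 30),
                           repeat_by="week_of_month", limit=3):
        print("first Monday of the month:", d.date())
```

A schedule starting on 31 January and repeating by day of month runs on 31 January, 31 March, 31 May and 31 July, with February, April and June producing nothing; moving the start to the 28th removes the gap, which is the guide's recommendation.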

Notifications
The notification settings for a scan.

Setting / Default Value / Description

Email Recipient(s)
    Default: None
    Specifies zero or more email addresses (separated by commas) that are alerted when a scan completes and the results are available.

Result Filters
    Default: None
    Defines the type of information to be emailed.

User Permissions
You can share the scan with other users by setting permissions for users or groups. When you
assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

Can View Groups and users with this permission can view the results of the scan,
export the scan results, and move the scan to the Trash folder. They cannot
view the scan configuration or permanently delete the scan.

Can Execute In addition to the tasks allowed by Can View, groups and users with this
permission can launch, pause, and stop a scan. They cannot view the scan
configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Can Edit In addition to the tasks allowed by Can Execute, groups and users with this
permission can view the scan configuration and modify any setting for the
scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:


l A basic user cannot run a scan or configure a scan, regardless of
the permissions assigned to that user in the individual scan.
l An administrator always has the equivalent of Can Edit permissions,
regardless of the permissions set for the administrator account in
the individual scan. This does not apply to user-defined scan
templates.

Basic Settings in User-Defined Templates

Note: This topic describes Basic settings you can set in user-defined templates. For Basic settings in
individual scans, see Basic Settings in Tenable Vulnerability Management Scans .

You can use Basic settings to specify basic aspects of a user-defined template, including who has
access to the user-defined template.

The Basic settings include the following sections:

l General

l Permissions

General
The general settings for a user-defined template.

Setting / Default Value / Description

Name
    Default: None
    Specifies the name of the user-defined template.

Description
    Default: None
    (Optional) Specifies a description of the user-defined template.

Permissions
You can share the user-defined template with other users by setting permissions for users or
groups. When you assign a permission to a group, that permission applies to all users within the
group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

Can View Groups and users with this permission can view the results of the scan,
export the scan results, and move the scan to the Trash folder. They cannot
view the scan configuration or permanently delete the scan.

Can Execute In addition to the tasks allowed by Can View, groups and users with this
permission can launch, pause, and stop a scan. They cannot view the scan
configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Can Edit In addition to the tasks allowed by Can Execute, groups and users with this
permission can view the scan configuration and modify any setting for the
scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:


l A basic user cannot run a scan or configure a scan, regardless of
the permissions assigned to that user in the individual scan.
l An administrator always has the equivalent of Can Edit permissions,
regardless of the permissions set for the administrator account in
the individual scan. This does not apply to user-defined scan
templates.

Authentication
In user-defined templates, you can use Authentication settings to configure the authentication
Tenable Vulnerability Management performs for credentialed scanning.

Tip: The Authentication settings are equivalent to the Scan-wide Credential Type Settings in Tenable-
provided scan templates.

Setting / Default Value / Description

SNMPv1/v2c

equivalent to Scans > Credentials > Plaintext Authentication > SNMPv1/v2c

UDP Port
    Default: 161
    Ports where Tenable Vulnerability Management attempts to authenticate on the host device.

Additional UDP port #1
    Default: 161

Additional UDP port #2
    Default: 161

Additional UDP port #3
    Default: 161

HTTP

equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Login method
    Default: POST
    Specify if the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)
    Default: 0
    The time delay between authentication attempts. Setting a time delay is useful to avoid triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)
    Default: 0
    If a 30x redirect code is received from a web server, this setting directs Tenable Vulnerability Management to follow the link provided or not.

Invert authenticated regex
    Default: Disabled
    A regex pattern to look for on the login page that, if found, tells Tenable Vulnerability Management that authentication was not successful (e.g., Authentication failed!).

Use authenticated regex on HTTP headers
    Default: Disabled
    Rather than search the body of a response, Tenable Vulnerability Management can search the HTTP response headers for a given regex pattern to better determine authentication state.

Case insensitive authenticated regex
    Default: Disabled
    The regex searches are case sensitive by default. This instructs Tenable Vulnerability Management to ignore case.

telnet/rsh/rexec

equivalent to Scans > Credentials > Plaintext Authentication > telnet/rsh/rexec

Perform patch audits over telnet
    Default: Disabled
    Tenable Vulnerability Management uses telnet to connect to the host device for patch audits.

Perform patch audits over rsh
    Default: Disabled
    Tenable Vulnerability Management uses rsh to connect to the host device for patch audits.

Perform patch audits over rexec
    Default: Disabled
    Tenable Vulnerability Management uses rexec to connect to the host device for patch audits.

Windows

equivalent to Scans > Credentials > Host > Windows

Never send credentials in the clear
    Default: Enabled
    By default, for security reasons, this option is enabled.

Do not use NTLMv1 authentication
    Default: Enabled
    If the Do not use NTLMv1 authentication option is disabled, then it is theoretically possible to trick Tenable Vulnerability Management into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Vulnerability Management. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log into other servers. Force Tenable Vulnerability Management to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan
    Default: Disabled
    This option tells Tenable Vulnerability Management to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Vulnerability Management to execute some Windows local check plugins.

    Note: This option is disabled by default to improve default scan performance. Additionally, enabling this option can have implications depending on your network security implementation. For example, certain access control configurations for your network firewall might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB protocol) connections.

Enable administrative shares during the scan
    Default: Disabled
    This option allows Tenable Vulnerability Management to access certain registry entries that can be read with administrator privileges.

    Note: This option is disabled by default to improve default scan performance. Additionally, enabling this option can have implications depending on your network security implementation. For example, certain access control configurations for your network firewall might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB protocol) connections.

SSH

equivalent to Scans > Credentials > Host > SSH

known_hosts file
    Default: None
    If you upload an SSH known_hosts file, Tenable Vulnerability Management only attempts to log in to hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

Preferred port
    Default: 22
    The port on which SSH is running on the target system.

Client version
    Default: OpenSSH_5.0
    The type of SSH client Tenable Vulnerability Management impersonates while scanning.

Attempt least privilege
    Default: Cleared
    Enables or disables dynamic privilege escalation. When enabled, Tenable Vulnerability Management attempts to run the scan with an account with lesser privileges, even if the Elevate privileges with option is enabled. If a command fails, Tenable Vulnerability Management escalates privileges. Plugins 101975 and 101976 report which plugins ran with or without escalated privileges.

    Note: Enabling this option may increase scan run time by up to 30%.

Amazon AWS

equivalent to Scans > Credentials > Cloud Services > Amazon AWS

Regions to access
    Default: Rest of the World
    In order for Tenable Vulnerability Management to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you need different credentials to audit account configuration for the China region than you do for the rest of the world.

    Possible regions include:

    l GovCloud — If you select this region, you automatically select the government cloud (e.g., us-gov-west-1).

    l Rest of the World — If you select this region, the following additional options appear:

      l us-east-1
      l us-east-2
      l us-west-1
      l us-west-2
      l ca-central-1
      l eu-west-1
      l eu-west-2
      l eu-central-1
      l ap-northeast-1
      l ap-northeast-2
      l ap-southeast-1
      l ap-southeast-2
      l sa-east-1

    l China — If you select this region, the following additional options appear:

      l cn-north-1
      l cn-northwest-1

HTTPS
    Default: Enabled
    Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection.

Verify SSL Certificate
    Default: Enabled
    Whether Tenable Vulnerability Management verifies the validity of the SSL digital certificate.

Rackspace

equivalent to Scans > Credentials > Cloud Services > Rackspace

Location
    Default: –
    Location of the Rackspace Cloud instance. Possible locations include:

    l Dallas-Fort Worth (DFW)
    l Chicago (ORD)
    l Northern Virginia (IAD)
    l London (LON)
    l Sydney (SYD)
    l Hong Kong (HKG)

Microsoft Azure

equivalent to Scans > Credentials > Cloud Services > Microsoft Azure

Subscription IDs
    Default: –
    List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited.
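The HTTP settings in the table above (Follow 30x redirections, Invert authenticated regex, Use authenticated regex on HTTP headers, Case insensitive authenticated regex) interact in ways that decide whether a web-application scan is credentialed or silently unauthenticated: a login that answers with a 302 has an empty body, so a body regex can only succeed if at least one redirect level is followed, and an inverted "Authentication failed" pattern means a match is the failure signal. The Python below is an added example modelling that logic, not Tenable's plugin code. The responses come from a constructed in-memory site, and joining headers as "Name: value" lines for the header search is an assumption of the example.

```python
"""Model the HTTP credential settings: follow up to N 30x redirects, then
decide whether the login succeeded by searching the body (or the headers)
for a regex, optionally case-insensitively, and optionally inverting the
result so that a match means failure. Added example, not Tenable code; the
responses are constructed, and the "Name: value" header join is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class HttpResponse:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed responses standing in for a web application; not real traffic.
FAKE_SITE: Dict[str, HttpResponse] = {
    "/login": HttpResponse(302, headers={"Location": "/home",
                                         "Set-Cookie": "session=abc123; HttpOnly"}),
    "/home": HttpResponse(200, body="<h1>Welcome back, auditor</h1>"),
    "/login-bad": HttpResponse(200, body="<p>Authentication failed!</p>"),
}


def fake_fetch(path: str) -> HttpResponse:
    return FAKE_SITE[path]


def follow_redirects(fetch: Callable[[str], HttpResponse], path: str, levels: int) -> HttpResponse:
    """'Follow 30x redirections (# of levels)': with 0 the 30x response itself is
    inspected, which is why a post-login redirect needs at least one level."""
    resp = fetch(path)
    hops = 0
    while 300 <= resp.status < 400 and "Location" in resp.headers and hops < levels:
        resp = fetch(resp.headers["Location"])
        hops += 1
    return resp


def login_succeeded(resp: HttpResponse, regex: str, invert: bool = False,
                    on_headers: bool = False, case_insensitive: bool = False) -> bool:
    """Apply the authenticated-regex settings to one response."""
    flags = re.IGNORECASE if case_insensitive else 0
    if on_headers:
        haystack = "\r\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    else:
        haystack = resp.body
    matched = re.search(regex, haystack, flags) is not None
    return (not matched) if invert else matched


if __name__ == "__main__":
    print("redirect followed:", login_succeeded(follow_redirects(fake_fetch, "/login", 1), "Welcome"))
    print("redirect not followed:", login_succeeded(follow_redirects(fake_fetch, "/login", 0), "Welcome"))
    print("inverted regex, failure page:",
          login_succeeded(fake_fetch("/login-bad"), "Authentication failed", invert=True))
    print("session cookie in headers:",
          login_succeeded(fake_fetch("/login"), r"set-cookie: session=", on_headers=True,
                          case_insensitive=True))
```

Checking the headers of the 302 itself (levels 0, header regex on the Set-Cookie line) is often the most reliable signal for applications that redirect after login, because the landing page body may vary between users.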

Triggered Agent Scans

When you configure a Tenable Nessus Agent scan in Tenable Vulnerability Management, Tenable
Vulnerability Management offers two agent scan types: Scan Window and Triggered Scan.

For window scans, Tenable Vulnerability Management creates a timeframe (for example, the default
is three hours) in which an agent group must report in order to be included in the scan results. You
must schedule Tenable Vulnerability Management to launch window scan at a scheduled time, or
you must manually launch the scan from the Tenable Vulnerability Management user interface (for
example, if you schedule a three-hour agent window scan for every Monday, Tenable Vulnerability
Management pulls data updates from the agent group for three hours every Monday).

Triggered scans differ from window agent scans in that the agent or agent group launches the scan
without any Tenable Vulnerability Management or user intervention. Agents can launch triggered
scans using three different methods:

l Interval trigger — Configure agents to scan at a certain time interval (for example, every 12
hours or every 24 hours).

l File Name trigger — Configure agents to scan whenever a file with a specific file name is
added to the agent trigger directory. The trigger file disappears after the scan begins. The
agent trigger directory location varies by operating system:

Operating System Location

Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers

macOS /Library/NessusAgent/run/var/nessus/triggers

Linux /opt/nessus_agent/var/nessus/triggers

l Nessuscli trigger — Launch an existing triggered scan manually by running the following
command in the Tenable Nessus Agent nessuscli utility:

# nessuscli scan-triggers --start --UUID=<scan-uuid>

You can also set multiple triggers for a single scan, and the scan searches for the triggers in their
listed order (in other words, if the first trigger does not trigger the scan, it searches for the second
trigger).

Triggered vs. Window Scans

Tenable recommends using triggered agent scans over window agent scans in many cases. Due to
the scanning independence from Tenable Vulnerability Management or user intervention and the
multiple trigger options, triggered scanning offers more flexibility to meet the needs of your
workflow, especially if you have a mobile workforce in multiple time zones.

Triggered scans can provide more consistent coverage than window scans and help overcome
connectivity issues between Tenable Vulnerability Management and linked agents. While window
scans can create gaps in data coverage due to unresponsive or offline agents, triggered scans allow
agents to scan and send data to Tenable Vulnerability Management whenever the triggers occur;
Tenable Vulnerability Management accepts and processes data from triggered scans at any time.

Tenable recommends using scan windows if you need to export individual scan results, as you can
only export triggered scan data by using the bulk vulnerability export API.

Find Triggered Scan Details

To view triggered scan results, see View Tenable Vulnerability Management Scan Details.

Note: For triggered scan histories, Tenable Vulnerability Management shows a scan history entry for each
12-hour window of the past 7 days. Tenable Vulnerability Management only retains up to 15 triggered scan
histories at a time for each scan.

In addition to managing triggered scans from Tenable Vulnerability Management, you can view
triggered scan details by running the following command in the Tenable Nessus Agent nessuscli
utility:

# nessuscli scan-triggers --list

The --list command returns the agent's triggered scan details. These details include:

l Scan name

l Status (for example, uploaded)

l Time of last activity (shown next to the status)

l Scan description

l Time of last policy modification

l Time of last run

l Scan trigger description

l Scan configuration template

For more information about the Tenable Nessus Agent nessuscli utility, see Nessuscli Agent
in the Tenable Nessus User Guide.

You can also view your agent trigger information in the agent trigger directory:

Operating System Location

Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers

macOS /Library/NessusAgent/run/var/nessus/triggers

Linux /opt/nessus_agent/var/nessus/triggers

Scan Targets

In Tenable Vulnerability Management, you can use a number of different formats when specifying
targets for a scan. The following tables contain target formats, examples, and a short explanation of
what occurs when Tenable Vulnerability Management scans that target type.

Note: Tenable limits the number of targets that you can scan in a single scan. For more information, see
Scan Limitations.

Note: For previously scanned assets, you can configure scan targets based on host attributes like
operating system or installed software, instead of host identifiers like IP address.

Tip: If a hostname target looks like either a link6 target (start with the text "link6") or one of the two IPv6
range forms, put single quotes around the target to ensure that Tenable Vulnerability Management
processes it as a hostname.

Target Description / Example / Explanation

A single IPv4 address
    Example: 192.168.0.1
    Scans the single IPv4 address.

A single IPv6 address
    Example: 2001:db8::2120:17ff:fe56:333b
    Scans the single IPv6 address.

A single link local IPv6 address with a scope identifier
    Example: fe80:0:0:0:216:cbff:fe92:88d0%eth0
    Scans the single IPv6 address. Note that you must use interface indexes, not interface names, for the scope identifier on Windows platforms.

A list of IPv4 addresses
    Example: 192.168.0.1, 192.168.0.32, 192.168.0.200, 192.168.0.255
    Scans a list of different IPv4 addresses.

An IPv4 range with a start and end address
    Example: 192.168.0.1-192.168.0.255
    Scans all IPv4 addresses between the start address and end address, including both addresses.

An IPv4 address with one or more octets replaced by numeric ranges
    Example: 192.168.0-1.3-5
    Scans all combinations of the values given in the octet ranges. In this example, scans: 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.1.3, 192.168.1.4 and 192.168.1.5

An IPv4 subnet with CIDR notation
    Example: 192.168.0.0/24
    Scans all addresses within the specified subnet. The address given is not the start address. Specifying any address within the subnet with the same CIDR scans the same set of hosts.

An IPv4 subnet with netmask notation
    Example: 192.168.0.0/255.255.255.128
    Scans all addresses within the specified subnet. The address is not a start address. Specifying any address within the subnet with the same netmask scans the same hosts.

A host resolvable to either an IPv4 or an IPv6 address
    Example: www.yourdomain.com
    Scans the single host. If Tenable Vulnerability Management can resolve the hostname to multiple addresses, Tenable Vulnerability Management scans the first resolved IPv4 address or, if Tenable Vulnerability Management cannot resolve an IPv4 address, the first resolved IPv6 address.

A host resolvable to an IPv4 address with CIDR notation
    Example: www.yourdomain.com/24
    Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet. Tenable Vulnerability Management treats this format like any other IPv4 address with CIDR notation.

A host resolvable to an IPv4 address with netmask notation
    Example: www.yourdomain.com/255.255.252.0
    Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet. Tenable Vulnerability Management treats this format like any other IPv4 address with netmask notation.

The text 'link6' optionally followed by an IPv6 scope identifier
    Example: link6 or link6%16
    Scans all hosts that respond to multicast ICMPv6 echo requests sent out on the interface specified by the scope identifier to the ff02::1 address. If no IPv6 scope identifier is given, the requests are sent out on all interfaces. Note that you must use interface indexes, not interface names, for the scope identifier on Windows platforms.

Some text with either a single IPv4 or IPv6 address within square brackets
    Example: Test Host 1[10.0.1.1] or Test Host 2[2001:db8::abcd]
    Scans the IPv4 or IPv6 address within the brackets, like a normal single target.
Target Groups

You can still use target groups to manage your scan targets. However, Tenable recommends that you
instead use tags to group and scan your assets when possible. In the future, when tagging features and
options match those currently available in target groups, Tenable will convert your target groups into tags
and retire your existing target groups. No action is required on your part, and Tenable will provide you with
60 calendar days notice before converting and retiring your target groups. For more information, contact
your Tenable representative.

A target group allows you to construct a list of scan targets by FQDN, CIDR notation, or IP address
range. You can then specify which users in your organization can use the target group in scan
configurations or filtering dashboards (including workbenches).

Note: Tenable recommends limiting the number of targets in any single target group. When filtering a
dashboard by a target group with too many targets, Tenable Vulnerability Management may fail to show
data.

Note: Scan targets listed by CIDR notation must be in one of the following formats:

- xx.xx.0.0/16
- xx.xx.xx.0/24

If you grant a user permissions in a target group, the user can use the target group in the Target
Groups option for scan configuration. However, you must also grant the user Can Scan permissions
in an access group for the targets, or Tenable Vulnerability Management excludes the targets from
the scan results. For more information, see Permissions.

To manage target groups, use the following procedures:

Create a target group

System target groups:

Required User Role: Administrator

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To create a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to edit a user target group, click User. Otherwise, stay on the System target
groups tab.

5. In the upper-right corner of the page, click the Create Target Group button.

The Create a Target Group page appears.

6. Configure the General settings:

Name
    A name for the target group.

Targets
    A comma-separated list of FQDNs, CIDR notation, or IP address ranges that you want to scan.

    Note: Scan targets listed by CIDR notation must be in one of the following formats:
    - xx.xx.0.0/16
    - xx.xx.xx.0/24

    Note: For the IP address range format (example: 192.168.0.1-192.168.0.255), Tenable Vulnerability Management supports at most 1023 "-" range separators in the list.

Upload Targets
    A text file containing a comma-separated list of FQDNs or IP address ranges that you want to scan.

    The system adds the uploaded targets to the Targets box after you save the target group.

7. Configure the user permissions for the group.

Note: If you grant a user permissions in a target group, the user can use the target group in the
Target Groups option for scan configurations. However, you must also grant the user Can Scan
permissions in an access group for the targets, or Tenable Vulnerability Management excludes the
targets from the scan results. For more information, see Access Groups.

8. Click Save.

One of the following occurs:

- If you configured user permissions for the target group, Tenable Vulnerability Management creates the target group and adds it to the table on the Target Groups page.

- If you retained the default No Access permissions for the target group, a confirmation window appears.

  In response, do one of the following:

  - If the default configuration is appropriate for the target group, click Continue to confirm your action.

  - If the default configuration is not appropriate for the target group, click Cancel to return to user permissions configuration for the target group.

Configure user permissions for a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: For auditing cloud infrastructure, Tenable Vulnerability Management requires a target group with
Can Scan permissions to be present on 127.0.0.1.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must
also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable
Vulnerability Management excludes the targets from the scan results. For more information, see Access
Groups.

To configure permissions for a target group:

1. Create or edit a target group.

2. In the User Permissions section, do one of the following:

   - Change the permissions for the Default user

     Note: The Default user represents any users that have not been specifically added to the target group.

     a. Next to the permission drop-down for the Default user, click the button.

     b. Select a permissions level.

     c. Click Save.

   - Add permissions

     a. Next to User Permissions, click the button.

        The Add User Permission plane appears.

     b. In the Add users or groups box, type the name of a user or group.

        As you type, a filtered list of users and groups appears.

     c. Select a user or group from the search results.

        The selected user or group appears in the list of users and groups.

        By default, Tenable Vulnerability Management assigns Can Use permissions to the new user or group.

     d. Next to the permission drop-down for the user or group, click the button.

     e. Select a permissions level.

     f. Click Save.

   - Edit permissions

     a. Next to the permission drop-down for the user or group, click the button.

     b. Select a permissions level.

     c. Click Save.

   - Delete permissions

     a. In the list of users, roll over the user or group you want to delete.

     b. Click the button next to the user or user group.

        The user or group disappears from the permissions list.

     c. Click Save.

Edit a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: System target groups and the related asset isolation functionality are deprecated. To control
scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in scan
configurations and dashboard filters. However, Tenable recommends using user target groups
instead.

To edit a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to edit a user target group, click User. Otherwise, stay on the System target
groups tab.

5. In the target groups table, click the target group you want to edit.

The Update a Target Group page appears.

6. Edit the General settings for the target group:

Name
    A name for the target group.

Targets
    A comma-separated list of FQDNs, CIDR notation, or IP address ranges that you want to scan.

Upload Targets
    A text file containing a comma-separated list of FQDNs or IP address ranges that you want to scan.

    The system adds the uploaded targets to the Targets box after you save the target group.

7. Configure user permissions for the target group.

8. Click Save.

A confirmation window appears.

9. In the confirmation window, click Continue.

Tenable Vulnerability Management saves the changes to the target group.

Import a target group

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can import a target group as a .csv file.

Tip: To create or modify the .csv file, Tenable recommends using a robust editor such as Microsoft Excel.

Before you begin:

- Create a .csv file in the specified format.

To import a target group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to import a user target group, click User. Otherwise, stay on the System target
groups page.

    Note: System target groups and the related asset isolation functionality are deprecated. To
    control scan permissions, use access groups instead.
    You can still create and edit system target groups, as well as use system target groups in
    scan configurations and dashboard filters. However, Tenable recommends using user
    target groups instead.

5. In the upper-right corner of the page, click the Import button.

Your operating system's file manager appears.

6. Select a .csv file to import.

Tenable Vulnerability Management imports the file and adds the target groups to the target
groups box.

Target Group Import File Format


Each line of the target group import file must have the following fields:

id
    Numeric field used to identify the target group.

name
    Field used to identify the name of the target group. You can use any combination of alphanumeric characters or symbols in the name field.

members
    Field used to identify the host address or addresses to include in the target group.

creation_date
    Numeric field in UNIX timestamp format.

last_modification_date
    Numeric field in UNIX timestamp format.
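As an added example (Python written for this section, not Tenable's own code), the following reads and writes a target group .csv in the five-field layout above and checks each member against the target rules given earlier in this section: CIDR only as /16 or /24, the IP address range format with at most 1023 "-" separators, otherwise an FQDN or a single address. It assumes the file carries a header row with these field names and that the members cell holds a comma-separated list; the guide states neither, and the sample file is constructed.

```python
"""Added example, not Tenable's code: target group .csv reader/writer with member validation.

Assumptions (not stated in the guide): the file carries a header row with the five field
names, and the members cell holds a comma-separated list of targets inside one CSV field.
"""
import csv
import io
import ipaddress
import re

FIELDS = ["id", "name", "members", "creation_date", "last_modification_date"]
ALLOWED_PREFIXES = {16, 24}      # the guide: CIDR targets must be xx.xx.0.0/16 or xx.xx.xx.0/24
MAX_RANGE_DASHES = 1023          # the guide's limit on "-" in the IP address range format
RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def validate_member(member: str) -> str:
    """Returns the member (stripped) if it is a valid target, else raises ValueError."""
    m = member.strip()
    if "/" in m:                                   # CIDR notation
        net = ipaddress.ip_network(m, strict=False)
        if net.version != 4 or net.prefixlen not in ALLOWED_PREFIXES:
            raise ValueError(f"CIDR target {m!r} must be an IPv4 /16 or /24 network")
        if str(net) != m:                          # e.g. 10.1.5.0/16 has host bits set
            raise ValueError(f"CIDR target {m!r} must be written as {net}")
        return m
    if RANGE_RE.match(m):                          # a.b.c.d-e.f.g.h
        lo, hi = (ipaddress.IPv4Address(p) for p in m.split("-", 1))
        if hi < lo:
            raise ValueError(f"range {m!r} ends before it starts")
        return m
    try:
        ipaddress.ip_address(m)                    # single IPv4 or IPv6 host address
        return m
    except ValueError:
        pass
    if FQDN_RE.match(m):
        return m
    raise ValueError(f"{m!r} is not an FQDN, CIDR network, IP range or IP address")


def validate_members(members: list) -> list:
    """Per-member rules plus the list-wide limit on range separators."""
    dashes = sum(m.count("-") for m in members if RANGE_RE.match(m.strip()))
    if dashes > MAX_RANGE_DASHES:
        raise ValueError(f"{dashes} range separators exceed the limit of {MAX_RANGE_DASHES}")
    return [validate_member(m) for m in members]


def parse_target_group_csv(text: str) -> list:
    """Parses the import file into dicts with validated members and integer timestamps."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    return [
        {
            "id": int(row["id"]),
            "name": row["name"],
            "members": validate_members(row["members"].split(",")),
            "creation_date": int(row["creation_date"]),               # UNIX timestamp
            "last_modification_date": int(row["last_modification_date"]),
        }
        for row in reader
    ]


def build_target_group_csv(groups: list) -> str:
    """Writes groups back out in the same five-field layout, validating members first."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for g in groups:
        writer.writerow({**g, "members": ",".join(validate_members(g["members"]))})
    return out.getvalue()


# Constructed sample import file: the id, name, addresses and timestamps are made up.
SAMPLE_CSV = """id,name,members,creation_date,last_modification_date
1,Corp LAN,"10.20.0.0/16,192.168.0.1-192.168.0.255,www.example.com",1718841600,1718841600
"""

if __name__ == "__main__":
    for group in parse_target_group_csv(SAMPLE_CSV):
        print(group["id"], group["name"], group["members"])
    try:
        validate_member("10.20.30.0/22")
    except ValueError as err:
        print("rejected:", err)
```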

Export a target group

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Target Group Permissions: Can Use

You can export a target group as a .csv file. Depending on your browser, the target group may
download automatically.

To export a target group or groups in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to export a user target group, click User. Otherwise, stay on the System target
groups tab.

    Note: System target groups and the related asset isolation functionality are deprecated. To
    control scan permissions, use access groups instead.
    You can still create and edit system target groups, as well as use system target groups in
    scan configurations and dashboard filters. However, Tenable recommends using user
    target groups instead.

5. Select the target group or groups you want to export.

   - Select a single target group.

     a. In the target groups table, roll over the target group you want to export.

        The action buttons appear in the row.

     b. In the row, click the button.

        Tenable Vulnerability Management automatically exports the target group or groups you selected as a single .csv file.

   - Select multiple target groups.

     a. In the target groups table, select the check boxes for each target group you want to export.

        The action bar appears at the bottom of the page.

     b. Next to Target Groups, click the button.

Target Group Export File Header Fields


The following table describes the headers that appear in the target group export file.

id
    Numeric identifier for the target group.

name
    Alphanumeric name of the target group.

members
    Host address(es) to be included in the target group.

creation_date
    Date (in UNIX timestamp format) when the target group was created.

last_modification_date
    Date (in UNIX timestamp format) when the target group was last modified.

Delete a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

To delete a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to delete a user target group, click User. Otherwise, stay on the System target
groups tab.

5. Select the target group or groups you want to delete:

   - Select a single target group.

     a. In the target groups table, roll over the target group you want to delete.

        The action buttons appear in the row.

     b. In the row, click the button.

        A confirmation window appears.

   - Select multiple target groups.

     a. In the target groups table, select the check box for each target group you want to delete.

        The action bar appears at the bottom of the page.

     b. In the action bar, click the button.

        A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the target group or groups you selected.

Target group permissions

The following table describes user permissions for both system and user target groups.

System Target Group

No Access (Default user only)
    Users assigned this permission cannot use the system target group to filter dashboards.

Can Use
    Note: System target groups are deprecated; Tenable recommends using user target groups instead.

    Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

    Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable Vulnerability Management excludes the targets from the scan results. For more information, see Access Groups.

User Target Group

No Access (Default user only)
    Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards.

Can Use
    Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

    Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable Vulnerability Management excludes the targets from the scan results. For more information, see Access Groups.

Can Change
    In addition to using hosts in this user target group when configuring scans and filtering dashboards, users assigned this permission can modify any setting for the target group except permissions.

Info-level Reporting

Info-level Reporting is a scan setting available for Nessus Agent vulnerability scan templates. The
setting specifies how often the agent scan should report unchanged Info-severity vulnerability
findings.

Description

Info-severity findings can account for up to 90% of agent scan findings. Most Info-level findings do
not change from scan to scan and have minimal impact on your overall network exposure.
Configuring Info-level Reporting can help minimize your scan processing times by decreasing the
number of unchanged Info-severity findings that Tenable Vulnerability Management processes after
every agent scan.

After you configure an agent scan, the first execution of that scan always reports all detected
findings regardless of severity level. This is known as a baseline scan. Subsequent scans return all
vulnerability findings with a severity of Low or higher, and any new or changed Info-level findings.
Agents do not re-report existing, unchanged Info-level findings to Tenable Vulnerability
Management until a new baseline scan is performed.

When you view agent vulnerability scan results in the Tenable Vulnerability Management user
interface, baseline scans are indicated with the baseline icon ( ). For example:

Note: The baseline icon does not appear for triggered scans, regardless of whether or not the
scan was a baseline scan.
The baseline icon always appears for scans whose scan configurations do not have the Info-
level Reporting setting. This is because every execution of that scan includes all findings and is,
therefore, a baseline scan.
The baseline icon does not appear for scans whose configurations have the Info-level Reporting
setting, but were run before the Info-level Reporting feature was released.

Configuration

You can configure the agent scan to report all severity findings by launching a new baseline scan
after one of the following intervals:

- After number of scans — The agent scan reports all findings every x number of scans. You choose from the following increments: 7, 10, 15, or 20 scans.

  For example, if you set the value to the default of 10, the agent scan reports all findings in its next scan and then reports all findings again during every 10th scan. All interim scans only return findings with a severity of Low or higher, as well as any new or changed Info-level findings.

- After number of days — The agent scan reports all findings after a set number of days after the previous day on which the agent scan last reported all findings. You choose from the following increments: 7, 10, 20, 30, 60, or 90 days.

  For example, if you set the value to the default of 10, the agent scan reports all findings in its next scan. For 10 days, all interim scans return all findings with a severity of Low or higher and any new or changed Info-level findings. After the 10-day period passes, the agent scan reports all findings again in its next scan.

  You can only set triggered agent scans to After number of scans. You can set Scan Window scans to either After number of scans or After number of days.

  The default value for triggered agent scans is After 10 scans, and the default value for Scan Window agent scans is After 10 days. Tenable recommends using the default values. Only lower the value if doing so is necessary for your organization.

In addition to Info-level Reporting, you can enable Force refresh of all Info-severity vulnerabilities
on next scan to force the agent scan to report all findings in the next scan. After the next scan
completes and reports all findings, the Info-level Reporting setting determines how often the scan
reports Info-severity findings.

Note: All vulnerability findings with a severity of Low or higher and new or changed Info-severity
vulnerabilities are always reported after every scan.

Limitations and Considerations

- Only agents version 10.5.0 and later can use the Info-level Reporting setting. Any agents on earlier versions always perform baseline scans.

- The Info-level Reporting setting is not supported when Tenable Vulnerability Management is connected to Tenable Security Center.

- Agent scans with configured Compliance settings do not support the Info-level Reporting setting. All agent scans with Compliance settings configured are baseline scans.

- If you recast an Info-level plugin to a higher severity level (for example, Low or Medium), the plugin is still affected by Info-level Reporting and excluded from non-baseline scans if the plugin output has not changed.

- Each individual agent calculates the After number of scans value separately. Therefore, triggered scans can return a combination of baseline and non-baseline results.

- Plugins 19506 (Nessus Scan Information) and 42980 (SSL Certificate Expiry) are always reported in full with every scan.
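As an added example (Python written for this section, not Tenable's agent code), the following simulates the baseline cadence described under Configuration and the per-agent counting noted under Limitations and Considerations: which executions are baseline scans for one agent, and which findings an interim scan sends. Plugin IDs other than 19506 and 42980, timestamps and plugin outputs are constructed; treating an After number of days period as elapsed once the full number of days has passed is an assumption about the boundary.

```python
"""Added example, not Tenable's code: simulate Info-level Reporting for one agent.

Constructed inputs: timestamps, plugin outputs and every plugin ID except 19506 and 42980,
which the guide names as always reported in full.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

INFO = "Info"
ALWAYS_REPORTED = {19506, 42980}   # Nessus Scan Information, SSL Certificate Expiry


@dataclass
class Finding:
    plugin_id: int
    severity: str   # the plugin's native severity: a recast Info plugin is still filtered as Info
    output: str     # plugin output; a changed output makes an Info finding "changed"


@dataclass
class AgentReportingState:
    """Per-agent state. The guide notes each agent counts 'After number of scans' on its
    own, so one triggered scan across a fleet can mix baseline and non-baseline results."""
    mode: str                    # "scans" (After number of scans) or "days" (After number of days)
    interval: int                # 10 scans or 10 days are the guide's defaults
    supported: bool = True       # False for agents before 10.5.0 or scans with Compliance settings
    force_refresh: bool = False  # "Force refresh of all Info-severity vulnerabilities on next scan"
    scans_since_baseline: int = 0
    last_baseline: Optional[datetime] = None
    seen_info: dict = field(default_factory=dict)   # plugin_id -> last output sent upstream

    def is_baseline(self, now: datetime) -> bool:
        # The first run, unsupported configurations and a forced refresh report everything.
        if not self.supported or self.force_refresh or self.last_baseline is None:
            return True
        if self.mode == "scans":
            return self.scans_since_baseline >= self.interval
        # "days" mode: assumption that the period has passed once >= interval days elapsed
        return now - self.last_baseline >= timedelta(days=self.interval)

    def run_scan(self, now: datetime, findings: list) -> tuple:
        """Returns (baseline, reported_findings) for one scan execution."""
        baseline = self.is_baseline(now)
        reported = []
        for f in findings:
            if baseline or f.severity != INFO or f.plugin_id in ALWAYS_REPORTED:
                reported.append(f)            # Low+ and the two special plugins always go out
            elif self.seen_info.get(f.plugin_id) != f.output:
                reported.append(f)            # new or changed Info finding
        for f in findings:
            if f.severity == INFO:
                self.seen_info[f.plugin_id] = f.output
        if baseline:
            self.last_baseline = now
            self.scans_since_baseline = 0
            self.force_refresh = False        # the force flag is consumed by the baseline run
        self.scans_since_baseline += 1
        return baseline, reported


def baseline_schedule(mode: str, interval: int, scan_times: list) -> list:
    """Which of a sequence of scan timestamps would be baseline scans for one agent."""
    state = AgentReportingState(mode=mode, interval=interval)
    return [state.run_scan(t, [])[0] for t in scan_times]


if __name__ == "__main__":
    start = datetime(2024, 6, 20)                         # constructed timestamps
    daily = [start + timedelta(days=i) for i in range(21)]
    print("scans mode, every 10:", baseline_schedule("scans", 10, daily))
    print("days mode, every 10 :", baseline_schedule("days", 10, daily))
```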

Discovery Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Discovery settings in the scan.
You can only modify these settings in the related user-defined template.

The Discovery settings relate to discovery and port scanning, including port ranges and methods.

Certain Tenable-provided scanner templates include preconfigured discovery settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured discovery settings, you can manually configure Discovery settings
in the following categories:

- Host Discovery

- Port Scanning

- Service Discovery

- Identity

Host Discovery
By default, some settings in the Host Discovery section are enabled. When you first access the
Host Discovery section, the Ping the remote host option appears and is set to On.

Ping the Remote Host (Default value: On)
    If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive. Additional options General Settings and Ping Methods appear.

    If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.

    Note: To scan VMware guest systems, Ping the remote host must be set to Off.

Scan Unresponsive Hosts (Default value: Disabled)
    Specifies whether the Nessus scanner scans hosts that do not respond to any ping methods. This option is only available for scans using the PCI Quarterly External Scan template.

General Settings

Use Fast Network Discovery (Default value: Disabled)
    When disabled, if a host responds to ping, Tenable Vulnerability Management attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. These checks can take some time, especially if the remote host is firewalled.

    When enabled, Tenable Vulnerability Management does not perform these checks.

Ping Methods

ARP (Default value: Enabled)
    Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP (Default value: Enabled)
    Ping a host using TCP.

Destination Ports (TCP) (Default value: Built-In)
    Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that are checked via TCP ping.

    Type one of the following: built-in, a single port, or a comma-separated list of ports.

    For more information about which ports built-in specifies, see the knowledge base article.

ICMP (Default value: Enabled)
    Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP Unreachable From the Gateway Means the Host is Down (Default value: Disabled)
    Assume ICMP unreachable from the gateway means the host is down. When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled, when the scanner receives an ICMP Unreachable message, it considers the targeted host dead. This approach helps speed up discovery on some networks.

    Note: Some firewalls and packet filters use this same behavior for hosts that are up, but connected to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.

UDP (Default value: Disabled)
    Ping a host using the User Datagram Protocol (UDP). UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Maximum Number of Retries (Default value: 2)
    Specifies the number of attempts to retry pinging the remote host.

Fragile Devices

Scan Network Printers (Default value: Disabled)
    When enabled, the scanner scans network printers.

Scan Novell Netware Hosts (Default value: Disabled)
    When enabled, the scanner scans Novell NetWare hosts.

Scan Operational Technology Devices (Default value: Disabled)
    When enabled, the scanner performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery.

    When disabled, the scanner uses ICS/SCADA Smart Scanning to cautiously identify OT devices and stops scanning them once they are discovered.

Wake-on-LAN

List of MAC Addresses (Default value: None)
    The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan.

    Hosts that you want to start prior to scanning are provided by uploading a text file that lists one MAC address per line.

    For example:

    33:24:4C:03:CC:C7
    FF:5C:2C:71:57:79

Boot Time Wait (In Minutes) (Default value: 5 minutes)
    The amount of time to wait for hosts to start before performing the scan.

Port Scanning
The Port Scanning section includes settings that define how the port scanner behaves and which
ports to scan.

Ports

Consider Unscanned Ports as Closed (Default value: Disabled)
    When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed.

Port Scan Range (Default value: Default)
    Specifies the range of ports to be scanned.

    Supported keyword values are:

    - default instructs the scanner to scan approximately 4,790 commonly used ports.
    - all instructs the scanner to scan all 65,536 ports, including port 0.

    Additionally, you can indicate a custom list of ports by using a comma-separated list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200. If you wanted to scan all ports excluding port 0, you would type 1-65535.

    The custom range specified for a port scan is applied to the protocols you have selected in the Network Port Scanners group of settings.

    If scanning both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type T:1-1024,U:300-500.

    You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, 1-1024,T:1024-65535,U:1025.

Local Port Enumerators

SSH (netstat) (Default value: Enabled)
    When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials.

WMI (netstat) (Default value: Enabled)
    When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan.

    In addition, the scanner:

    - Ignores any custom range specified in the Port Scan Range setting.
    - Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

    If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

SNMP (Default value: Enabled)
    When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only Run Network Port Scanners if Local Port Enumeration Failed (Default value: Enabled)
    If a local port enumerator runs, all network port scanners will be disabled for that asset.

Verify Open TCP Ports Found By Local Port Enumerators (Default value: Disabled)
    When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

Network Port Scanners

TCP (Default value: Disabled)
    Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

SYN (Default value: Enabled)
    Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines the port state based on a response or lack of response.

    If you enable this option, you can also set the Override Automatic Firewall Detection option.

Override Automatic Firewall Detection (Default value: Disabled)
    This setting can be enabled if you enable either the TCP or SYN option.

    When enabled, this setting overrides automatic firewall detection.

    This setting has three options:

    - Use aggressive detection attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.
    - Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.
    - Disable detection disables the firewall detection feature.

UDP (Default value: Disabled)
    This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

    Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.
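As an added example (Python written for this section, not Tenable's scanner code), the following parses the Port Scan Range syntax described above, including the T:/U: split form, and applies the guide's rule that the range only covers the protocols enabled under Network Port Scanners. The default keyword is kept symbolic because the guide does not list the approximately 4,790 common ports it stands for; the default arguments assume the guide's defaults of SYN enabled (a TCP-port scanner) and UDP disabled.

```python
"""Added example, not Tenable's code: parse a Port Scan Range value into per-protocol port sets."""
import re

MAX_PORT = 65535
# optional T:/U: prefix, a port, and an optional -port upper bound
TOKEN_RE = re.compile(r"^(?:([tu]):)?(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_scan_range(spec: str, tcp_enabled: bool = True, udp_enabled: bool = False) -> dict:
    """Returns {'tcp': ..., 'udp': ...} restricted to the enabled Network Port Scanners.

    Values are a set of port numbers, or the string 'default' for the keyword.
    An unprefixed entry applies to both protocols; T:/U: entries apply to one.
    The argument defaults mirror the guide's Network Port Scanners defaults (SYN on, UDP off);
    both the TCP and SYN scanners work on TCP ports, so either one enables 'tcp'.
    """
    spec = spec.strip().lower()
    if spec == "default":
        ports = {"tcp": "default", "udp": "default"}
    elif spec == "all":                                   # 65,536 ports, including port 0
        ports = {"tcp": set(range(MAX_PORT + 1)), "udp": set(range(MAX_PORT + 1))}
    else:
        ports = {"tcp": set(), "udp": set()}
        for raw in spec.split(","):
            token = raw.strip()
            m = TOKEN_RE.match(token)
            if not m:
                raise ValueError(f"invalid port entry {token!r}")
            proto, lo = m.group(1), int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            if hi > MAX_PORT or lo > hi:
                raise ValueError(f"port entry {token!r} is out of range or reversed")
            for p in {"t": ["tcp"], "u": ["udp"]}.get(proto, ["tcp", "udp"]):
                ports[p].update(range(lo, hi + 1))
    enabled = {"tcp": tcp_enabled, "udp": udp_enabled}
    return {p: v for p, v in ports.items() if enabled[p]}


def compress(ports) -> str:
    """Renders a port set back into the comma-separated range syntax, e.g. 1-1024,8080."""
    if ports == "default":
        return "default"
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p                               # extend the current run
        else:
            runs.append([p, p])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


if __name__ == "__main__":
    for example in ["default", "21,23,25,80,110", "1-1024,8080,9000-9200",
                    "T:1-1024,U:300-500", "1-1024,T:1024-65535,U:1025"]:
        result = parse_port_scan_range(example, tcp_enabled=True, udp_enabled=True)
        print(example, "->", {p: compress(v) for p, v in result.items()})
```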

Service Discovery
The Service Discovery section includes settings that attempt to map each open port with the
service that is running on that port.

General Settings

Probe All Ports to Find Services (Default value: Enabled)
    When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

    Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL/TLS Based Services (Default value: On)
    Controls how the scanner tests SSL-based services.

    Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS/DTLS Services (enabled)

Search for SSL/TLS On (Default value: Known SSL/TLS ports)
    Specifies which ports on target hosts the scanner searches for SSL/TLS services.

    This setting has two options:

    - Known SSL/TLS ports
    - All TCP ports

Search for DTLS On (Default value: None)
    Specifies which ports on target hosts the scanner searches for DTLS services.

    This setting has the following options:

    - None
    - Known SSL/TLS ports
    - All TCP ports

Identify Certificates Expiring Within x Days (Default value: 60)
    When enabled, the scanner identifies SSL and TLS certificates that are within the specified number of days of expiring.

Enumerate All SSL/TLS Ciphers (Default value: True)
    When enabled, the scanner ignores the list of ciphers advertised by SSL/TLS services and enumerates them by attempting to establish connections using all possible ciphers.

Enable CRL Checking (Connects to the Internet) (Default value: False)
    When enabled, the scanner checks that none of the identified certificates have been revoked.

Identity
The Identity section allows you to enable or disable the collection of Active Directory data.

Note: This section is only applicable in Tenable One Enterprise environments.

General Settings

Collect Identity Data from Active Directory (Default value: Disabled)
    Enable this setting to allow Tenable Vulnerability Management to gather user, computer, and group objects from Active Directory.

    This setting requires that you specify an Active Directory user account for the scan. You also need to enable LDAPS on the Domain Controller that the scan is targeting.

Preconfigured Discovery Settings

Certain Tenable-provided scanner templates include preconfigured discovery settings, described in the following table. The preconfigured discovery settings are determined by both the template and the Scan Type that you select.

Template / Scan Type / Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan
  Scan Type: –
  Preconfigured Settings: All defaults

Basic Network Scan
  Scan Type: Port scan (common ports) (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan common ports; Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Port scan (all ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan all ports (1-65535); Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Credentialed Patch Audit
  Scan Type: Port scan (common ports) (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan common ports; Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Port scan (all ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan all ports (1-65535); Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Host Discovery
  Scan Type: Host enumeration (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: OS Identification
    General Settings: Always test the local Nessus host; Use fast network discovery
    Ping hosts using: TCP; ARP; ICMP
  Scan Type: Port scan (common ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan common ports; Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Port scan (all ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan all ports (1-65535); Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Internal PCI Network Scan
  Scan Type: Port scan (common ports) (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan common ports; Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Port scan (all ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan all ports (1-65535); Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Legacy Web App Scan
  Scan Type: Port scan (common ports) (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan common ports; Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Port scan (all ports)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Port Scanner Settings: Scan all ports (1-65535); Use netstat if credentials are provided; Use SYN scanner if necessary
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Mobile Device Scan
  Scan Type: –
  Preconfigured Settings: –

PCI Quarterly External Scan
  Scan Type: –
  Preconfigured Settings: Scan unresponsive hosts default

Configuration Scans

Audit Cloud Infrastructure
  Scan Type: –
  Preconfigured Settings: –

MDM Config Audit
  Scan Type: –
  Preconfigured Settings: –

Offline Config Audit
  Scan Type: –
  Preconfigured Settings: –

Policy Compliance Auditing
  Scan Type: Default (default)
    General Settings: Ping the remote host; Always test the local Tenable Nessus host
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Custom
    All defaults

SCAP and OVAL Auditing
  Scan Type: Host enumeration (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Custom
    All defaults

Tactical Scans

Badlock Detection
  Scan Type: Quick
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan TCP ports 23, 25, 80, and 443; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
  Scan Type: Custom
    All defaults

Bash Shellshock Detection
  Scan Type: Quick
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan TCP ports 23, 25, 80, and 443; Detect SSL/TLS on ports where it is commonly used
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Custom
    All defaults

DROWN Detection
  Scan Type: Quick
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan TCP ports 23, 25, 80, and 443; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
  Scan Type: Custom
    All defaults

Intel AMT Security Bypass
  Scan Type: Quick
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan TCP ports 16992, 16993, 623, 80, and 443; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
  Scan Type: Custom
    All defaults

Malware Scan
  Scan Type: Host enumeration (default)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Ping hosts using: TCP; ARP; ICMP (2 retries)
  Scan Type: Host enumeration (include fragile hosts)
    General Settings: Always test the local Nessus host; Use fast network discovery
    Ping hosts using: TCP; ARP; ICMP (2 retries)
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Custom
    All defaults

Shadow Brokers Scan
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
    Scan all devices, including: Printers; Novell Netware hosts
  Scan Type: Custom
    All defaults

Spectre and Meltdown Detection
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
  Scan Type: Custom
    All defaults

WannaCry Ransomware Detection
  Scan Type: Quick
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan TCP ports 139 and 445; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Normal (default)
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan the default Nessus port range; Detect SSL/TLS on ports where it is commonly used
  Scan Type: Thorough
    General Settings: Ping the remote host; Always test the local Nessus host
    Service Discovery Settings: Scan all TCP ports; Detect SSL on all open ports
  Scan Type: Custom
    All defaults

Assessment Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Assessment settings in the
scan. You can only modify these settings in the related user-defined template.

You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as which vulnerabilities are identified. This includes identifying malware, assessing how vulnerable a system is to brute force attacks, and testing the susceptibility of web applications.

Certain Tenable-provided scanner templates include preconfigured assessment settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that does not include preconfigured assessment settings, you can manually configure Assessment settings in the following categories:

- General
- Brute Force
- SCADA
- Web Applications
- Windows
- Malware
- Databases

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

General
The General section includes the following groups of settings:

- Accuracy
- Antivirus
- SMTP

Accuracy

Override Normal Accuracy (default: Disabled): In some cases, Tenable Vulnerability Management cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Vulnerability Management to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.

Perform thorough tests (may disrupt your network or impact scan speed) (default: Disabled): Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days) (default: 0): Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Tenable Vulnerability Management to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Tenable Vulnerability Management considers signatures out of date regardless of how long ago an update became available (e.g., a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date.

SMTP

Third party domain: Tenable Vulnerability Management attempts to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address: The test messages sent to the SMTP server(s) appear as if the messages originated from the address specified in this field.

To address: Tenable Vulnerability Management attempts to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force
The Brute Force section includes the following groups of settings:

- General Settings
- Oracle Database

General Settings

Only use credentials provided by the user (default: Enabled): In some cases, Tenable Vulnerability Management can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Vulnerability Management from performing these tests.

Oracle Database

Test default accounts (slow) (default: Disabled): Test for known default accounts in Oracle software.

SCADA

ICCP/COTP TSAP Addressing Weakness: The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

Web Applications
The Web Applications section includes the following groups of settings:

- General Settings
- Web Crawler
- Application Test Settings

General Settings

Scan web applications (default: Disabled): By default, Tenable Vulnerability Management does not scan web applications. To edit the following settings, enable this setting.

Use a custom User-Agent (default: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)): Specifies which type of web browser Tenable Vulnerability Management impersonates while scanning.

Web Crawler

Start crawling from (default: /): The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex) (default: /server_privileges\.php|logout): Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$).
Tenable Vulnerability Management supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).
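An exclusion regex that is too broad silently shrinks scan coverage, so it is worth checking it offline before the scan runs. The following is an added example, not Tenable's code: it applies an Excluded pages value and a Start crawling from value to a constructed list of paths. It assumes that " <> " joins alternative patterns, as the guide's example suggests, and that each pattern matches anywhere in the path unless anchored.

```python
import re

# Added example (not Tenable's code). Assumption: " <> " separates
# alternative exclusion patterns, as in the guide's /manual example.
SEPARATOR = " <> "
GUIDE_DEFAULT = r"/server_privileges\.php|logout"
GUIDE_EXAMPLE = r"(^/manual) <> (\.pl(\?.*)?$)"

# Constructed paths standing in for what the crawler would discover.
SAMPLE_PATHS = [
    "/", "/index.php", "/manual/index.html", "/manuals/old.html",
    "/cgi-bin/login.pl", "/cgi-bin/search.pl?q=1", "/server_privileges.php",
    "/logout", "/account/logout.php", "/php4/info.php",
]


def parse_start_pages(value):
    """Split a colon-delimited 'Start crawling from' value into paths."""
    return [page for page in value.split(":") if page]


def compile_exclusions(value):
    """Compile each ' <> '-separated part of an 'Excluded pages' value."""
    return [re.compile(part.strip()) for part in value.split(SEPARATOR) if part.strip()]


def is_excluded(path, patterns):
    """A path is skipped when any pattern matches it (search, not full match)."""
    return any(pattern.search(path) for pattern in patterns)


def classify(exclusion_value, paths):
    """Partition paths into those the crawler skips and those it visits."""
    patterns = compile_exclusions(exclusion_value)
    excluded = [p for p in paths if is_excluded(p, patterns)]
    crawled = [p for p in paths if not is_excluded(p, patterns)]
    return {"excluded": excluded, "crawled": crawled}


def exclusion_report(exclusion_value, start_value, paths):
    """Return (classification, warnings). Warn when the value would leave
    nothing to crawl, or when it excludes one of the start pages."""
    result = classify(exclusion_value, paths)
    patterns = compile_exclusions(exclusion_value)
    warnings = []
    if not result["crawled"]:
        warnings.append("exclusion pattern matches every known path")
    for page in parse_start_pages(start_value):
        if is_excluded(page, patterns):
            warnings.append(f"start page {page!r} is excluded by the pattern")
    return result, warnings


if __name__ == "__main__":
    result, warnings = exclusion_report(GUIDE_EXAMPLE, "/:/php4:/base", SAMPLE_PATHS)
    for path in result["excluded"]:
        print("skip ", path)
    for path in result["crawled"]:
        print("crawl", path)
    for warning in warnings:
        print("WARNING:", warning)
```

Note that ^/manual is a prefix match, so it also skips /manuals/old.html; anchor with ^/manual/ if only that directory is meant.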

Maximum pages to crawl (default: 1000): The maximum number of pages to crawl.

Maximum depth to crawl (default: 6): Limit the number of links Tenable Vulnerability Management follows for each start page.

Follow dynamically generated pages (default: Disabled): If selected, Tenable Vulnerability Management follows dynamic links and may exceed the parameters set above.

Application Test Settings

Enable generic web application tests (default: Disabled): Enables the following settings.

Abort web application tests if HTTP login fails (default: Disabled): If Tenable Vulnerability Management cannot log in to the target via HTTP, then do not run any web application tests.

Try all HTTP methods (default: Disabled): This option instructs Tenable Vulnerability Management to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless you enable this option. Generally, more complex applications use the POST method when a user submits data to the application. When enabled, Tenable Vulnerability Management tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution (default: Disabled): When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Test embedded web servers (default: Disabled): Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form (default: Disabled): This setting manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Vulnerability Management would attempt /test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
This setting has four options:
- Test random pairs of parameters: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
- Test all pairs of parameters (slow): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable, and then uses the first value for all other variables. For example, Tenable Vulnerability Management would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process), and any other variables are given the first value. In this case, Tenable Vulnerability Management would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
- Test random combinations of three or more parameters (slower): This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the amount of combinations by three or more increases the web application test time.
- Test all combinations of parameters (slowest): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
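To see how much scan traffic each option implies, here is an added example (not Tenable's code) that enumerates the distinct requests built for one attack string under "one parameter at a time" (the default), "all pairs", and "all combinations"; the two random options are sampled subsets of the corresponding full sets. The form parameters and their discovered values are constructed, and ATTACK is a placeholder for the scanner's test string.

```python
from itertools import product

# Added example (not Tenable's code). SAMPLE_FORM is constructed and stands
# in for the parameter values the crawler discovers during the mirror
# process; ATTACK is a placeholder for the scanner's test string.
SAMPLE_FORM = {"a": ["1", "2"], "b": ["1", "2", "3"], "c": ["1"], "d": ["1", "2"]}
ATTACK = "ATTACK"
MODES = ("one", "all_pairs", "all_combinations")


def _request(params, attacked, overrides):
    """Build one request: ATTACK in `attacked`, the override value for any
    parameter in `overrides`, and the first discovered value elsewhere."""
    return tuple(
        (name, ATTACK if name == attacked else overrides.get(name, values[0]))
        for name, values in params.items()
    )


def build_requests(mode, params):
    """Return the distinct requests a mode produces for one attack string.

    one:              attack one parameter, all others get their first value
    all_pairs:        as above, plus cycle exactly one other parameter through
                      all of its discovered values
    all_combinations: attack one parameter, all others take every value
    """
    seen = set()
    for attacked in params:
        others = [name for name in params if name != attacked]
        if mode == "one":
            seen.add(_request(params, attacked, {}))
        elif mode == "all_pairs":
            for cycled in others:
                for value in params[cycled]:
                    seen.add(_request(params, attacked, {cycled: value}))
        elif mode == "all_combinations":
            for combo in product(*(params[name] for name in others)):
                seen.add(_request(params, attacked, dict(zip(others, combo))))
        else:
            raise ValueError(f"unknown mode: {mode}")
    return sorted(seen)


def to_query(request, script="/test.php"):
    """Render a request tuple as the URL form used in the guide's examples."""
    return script + "?" + "&".join(f"{name}={value}" for name, value in request)


def request_counts(params):
    """Number of distinct requests per mode for one attack string."""
    return {mode: len(build_requests(mode, params)) for mode in MODES}


if __name__ == "__main__":
    for mode, count in request_counts(SAMPLE_FORM).items():
        print(f"{mode:17s} {count:3d} requests")
    print("first 'one' request:", to_query(build_requests("one", SAMPLE_FORM)[0]))
```

Multiply the per-mode counts by the number of attack strings, forms, and (with Try all HTTP methods) request methods to estimate the full volume a scan will send.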

Do not stop after first flaw is found per web page (default: Stop after one flaw is found per web server (fastest)): This setting determines when a new flaw is targeted. This applies at the script level. Finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified, there is at most one report for each type on a given port. Note that several flaws of the same type (for example, XSS or SQLi) may be reported if they were caught by the same attack.
If this option is disabled, as soon as a flaw is found on a web page, the scan moves on to the next web page.
If you enable this option, select one of the following options:
- Stop after one flaw is found per web server (fastest) (Default): As soon as a flaw is found on a web server by a script, Tenable Vulnerability Management stops and switches to another web server on a different port.
- Stop after one flaw is found per parameter (slow): As soon as one type of flaw is found in a parameter of a CGI (for example, XSS), Tenable Vulnerability Management switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.
- Look for all flaws (slowest): Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion (default: http://rfi.nessus.org/rfi.txt): During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Tenable Vulnerability Management uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, you can use an internally hosted file for more accurate RFI testing.

Maximum run time (min) (default: 5): This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour; however, web sites with large applications may require a higher value.

Windows
The Windows section contains the following groups of settings:

- General Settings
- User Enumeration Methods

General Settings

Request information about the SMB Domain (default: Enabled): If enabled, domain users are queried instead of local users.

User Enumeration Methods

You can enable as many of the user enumeration methods as appropriate for user discovery.

SAM Registry (default: Enabled): Tenable Vulnerability Management enumerates users via the Security Account Manager (SAM) registry.

ADSI Query (default: Enabled): Tenable Vulnerability Management enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI.

WMI Query (default: Enabled): Tenable Vulnerability Management enumerates users via Windows Management Interface (WMI).

RID Brute Forcing (default: Enabled): Tenable Vulnerability Management enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings.

Enumerate Domain Users (available with RID Brute Forcing enabled)

Start UID (default: 1000): The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

End UID (default: 1200): The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

Enumerate Local User (available with RID Brute Forcing enabled)

Start UID (default: 1000): The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

End UID (default: 1200): The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

Malware
The Malware section contains the following groups of settings:

- General Settings
- Hash and Whitelist Files
- Yara Rules
- File System Scanning

Hash and Allow List Files

Custom Netstat IP Threat List (default: None): A text file that contains a list of known bad IP addresses that you want to detect.
Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.
Note: Tenable does not detect private IP ranges in the text file.

Provide your own list of known bad MD5 hashes (default: None): A text file with one MD5 hash per line that specifies additional known bad MD5 hashes.
Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.

Provide your own list of known good MD5 hashes (default: None): A text file with one MD5 hash per line that specifies additional known good MD5 hashes.
Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.
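A malformed line or a private address in these files fails quietly at scan time, so validating them before upload is worthwhile. The following is an added example, not Tenable's code: it parses a Custom Netstat IP Threat List and a known bad MD5 hash list in the line format described above (value, optional comma-separated description, # comments), and flags lines the scan would not act on. The file contents are constructed; "private IP ranges" is taken to mean the RFC 1918 networks, which is an assumption.

```python
import ipaddress
import re

# Added example (not Tenable's code). File contents are constructed; the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_IP_LIST = """\
# constructed threat list
203.0.113.7, sample indicator with a description
198.51.100.22 # description given as a hash-delimited comment
10.0.0.5, private address, which the scan will not detect
not-an-ip, malformed line
"""

SAMPLE_MD5_LIST = """\
# constructed hash list
d41d8cd98f00b204e9800998ecf8427e, MD5 of empty input, used as a sample
D41D8CD98F00B204E9800998ECF8427F
deadbeef, too short to be an MD5
"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# Assumption: "private IP ranges" means the RFC 1918 networks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _split_line(line):
    """Strip a '#' comment, then split 'value, description' on the first comma.
    Returns (None, None) for blank and comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None, None
    value, _, description = body.partition(",")
    return value.strip(), description.strip()


def parse_ip_list(text):
    """Return ([(ip, description)], [(line_no, problem)]) for a threat list."""
    entries, problems = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        value, description = _split_line(line)
        if value is None:
            continue
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append((line_no, f"line must begin with an IPv4 address: {value!r}"))
            continue
        if any(addr in net for net in PRIVATE_NETS):
            problems.append((line_no, f"{addr} is in a private range and will not be detected"))
        entries.append((str(addr), description))
    return entries, problems


def parse_md5_list(text):
    """Return ([(md5_lowercase, description)], [(line_no, problem)]) for a hash list."""
    entries, problems = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        value, description = _split_line(line)
        if value is None:
            continue
        if not MD5_RE.match(value):
            problems.append((line_no, f"not a 32-hex-digit MD5 hash: {value!r}"))
            continue
        entries.append((value.lower(), description))
    return entries, problems


if __name__ == "__main__":
    for label, parser, text in (("IP list", parse_ip_list, SAMPLE_IP_LIST),
                                ("MD5 list", parse_md5_list, SAMPLE_MD5_LIST)):
        entries, problems = parser(text)
        print(f"{label}: {len(entries)} entries, {len(problems)} problems")
        for line_no, problem in problems:
            print(f"  line {line_no}: {problem}")
```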

Hosts file allow list (default: None): Tenable Vulnerability Management checks system hosts files for signs of a compromise (for example, Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable Vulnerability Management to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Yara Rules

Yara Rules (default: None): A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

File System Scanning

Scan file system (default: Disabled): If enabled, Tenable Vulnerability Management can scan system directories and files on host computers.
Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Windows Directories (available if Scan file system is enabled)

Scan %Systemroot% (default: Disabled): Enables file system scanning to scan %Systemroot%.

Scan %ProgramFiles% (default: Disabled): Enables file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles (x86)% (default: Disabled): Enables file system scanning to scan %ProgramFiles (x86)%.

Scan %ProgramData% (default: Disabled): Enables file system scanning to scan %ProgramData%.

Scan User Profiles (default: Disabled): Enables file system scanning to scan user profiles.

Custom Filescan Directories (default: None): A custom file that lists directories to be scanned by malware file scanning. List each directory on one line.

Linux Directories

Scan $PATH (default: Disabled): Enables file system scanning to scan $PATH.

Scan /home (default: Disabled): Enables file system scanning to scan /home.

MacOS Directories

Scan $PATH (default: Disabled): Enables file system scanning to scan $PATH.

Scan /Users (default: Disabled): Enables file system scanning to scan /Users.

Scan /Applications (default: Disabled): Enables file system scanning to scan /Applications.

Scan /Library (default: Disabled): Enables file system scanning to scan /Library.

Databases

Oracle Database

Use detected SIDs (default: Disabled): When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.
If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.

Preconfigured Assessment Settings

Certain Tenable-provided Tenable Nessus templates include preconfigured assessment settings, described in the following table. The preconfigured assessment settings are determined by both the template and the Mode that you select.

Template / Mode / Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan
  Mode: –
  Preconfigured Settings: All defaults

Basic Network Scan
  Mode: Default
    General Settings: Avoid false alarms; Disable CGI scanning
    Web Applications: Disable web application scanning
  Mode: Scan for known web vulnerabilities
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Generic web application tests disabled
  Mode: Scan for all web vulnerabilities (quick)
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 5 minutes (max)
  Mode: Scan for all web vulnerabilities (complex)
    General Settings: Avoid potential false alarms; Enable CGI scanning; Perform thorough tests
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 10 minutes (max); Try all HTTP methods; Attempt HTTP Parameter Pollution
  Mode: Custom
    All defaults

Credentialed Patch Audit
  Mode: –
  Preconfigured Settings: All defaults

Host Discovery
  Mode: –
  Preconfigured Settings: –

Internal PCI Network Scan
  Mode: Default
    General Settings: Avoid false alarms; Disable CGI scanning
    Web Applications: Disable web application scanning
  Mode: Scan for known web vulnerabilities
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Generic web application tests disabled
  Mode: Scan for all web vulnerabilities (quick)
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 5 minutes (max)
  Mode: Scan for all web vulnerabilities (complex)
    General Settings: Avoid potential false alarms; Enable CGI scanning; Perform thorough tests
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 10 minutes (max); Try all HTTP methods; Attempt HTTP Parameter Pollution
  Mode: Custom
    All defaults

Legacy Web App Scan
  Mode: Scan for known web vulnerabilities
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Generic web application tests disabled
  Mode: Scan for all web vulnerabilities (quick) (Default)
    General Settings: Avoid potential false alarms; Enable CGI scanning
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 5 minutes (max)
  Mode: Scan for all web vulnerabilities (complex)
    General Settings: Avoid potential false alarms; Enable CGI scanning; Perform thorough tests
    Web Applications: Start crawling from "/"; Crawl 1000 pages (max); Traverse 6 directories (max); Test for known vulnerabilities in commonly used web applications; Perform each generic web app test for 10 minutes (max); Try all HTTP methods; Attempt HTTP Parameter Pollution
  Mode: Custom
    All defaults

Mobile Device Scan
  Mode: –
  Preconfigured Settings: –

PCI Quarterly External Scan
  Mode: –
  Preconfigured Settings: –

Configuration Scans

Audit Cloud Infrastructure
  Mode: –
  Preconfigured Settings: –

MDM Config Audit
  Mode: –
  Preconfigured Settings: –

Offline Config Audit
  Mode: –
  Preconfigured Settings: –

Policy Compliance Auditing
  Mode: –
  Preconfigured Settings: –

SCAP and OVAL Auditing
  Mode: –
  Preconfigured Settings: –

Tactical Scans

Badlock Detection
  Mode: –
  Preconfigured Settings: Web Crawler defaults

Bash Shellshock Detection
  Mode: –
  Preconfigured Settings: Web Crawler defaults

DROWN Detection
  Mode: –
  Preconfigured Settings: –

Intel AMT Security Bypass
  Mode: –
  Preconfigured Settings: –

Malware Scan
  Mode: –
  Preconfigured Settings: Malware defaults

Shadow Brokers Scan
  Mode: –
  Preconfigured Settings: –

Spectre and Meltdown Detection
  Mode: –
  Preconfigured Settings: –

WannaCry Ransomware Detection
  Mode: –
  Preconfigured Settings: –

Report Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Report settings in the scan. You can only modify these settings in the related user-defined template.

The Report settings include the following groups of settings:

- Processing
- Output

Processing

Override normal verbosity (default: Disabled): When disabled, provides the standard level of plugin activity in the report. The output does not include the informational plugins 56310, 64582, and 58651.
When enabled, this setting has two options:
- I have limited disk space. Report as little information as possible: Provides less information about plugin activity in the report to minimize impact on disk space.
- Report as much information as possible: Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.

Show missing patches that have been superseded (default: Enabled): When enabled, includes superseded patch information in the scan report.

Hide results from plugins initiated as a dependency (default: Enabled): When enabled, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, disable this setting.

Output

Designate hosts by their DNS name (default: Disabled): Uses the host name rather than IP address for report output.

Display hosts that respond to ping (default: Disabled): Reports hosts that successfully respond to a ping.

Display unreachable hosts (default: Disabled): When enabled, hosts that did not reply to the ping request are included in the security report as dead hosts. Do not enable this option for large IP blocks.
Caution: Enabling this setting causes the scan to create a finding for every target in the scan, whether responsive or not. This may cause the scan to abort if the number of hosts returned exceeds your license limit. For more information, see Scan Limitations.

Display Unicode characters (default: Disabled): When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.
Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Advanced Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Advanced settings in the scan.
You can only modify these settings in the related user-defined template.

The Advanced settings provide increased control over scan efficiency and the operations of a scan,
as well as the ability to enable plugin debugging.

Certain Tenable-provided scanner templates include preconfigured advanced settings.

If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner
template that does not include preconfigured advanced settings, you can manually configure
Advanced settings in the following categories:

l General Settings

l Performance Options

l Unix Find Command Options

l Windows File Search Options

l Debug Settings

l Stagger Scan Start (Agent scans only)

l Compliance Output Settings

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

Each entry below gives the setting name, its default value in parentheses, and a description.

General Settings

Enable Safe Checks (Default: Enabled)
  When enabled, disables all plugins that may have an adverse effect on the remote host.

Scan for unpatched vulnerabilities (no patches or mitigations available) (Default: Disabled)
  Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as
  "Will Not Fix" by the related vendor.

  Enabling this setting may increase your overall findings count; each platform and package
  combination results in an individual plugin. If additional CVEs are found to affect a platform and
  package combination, the CVEs are added to the existing plugin.

  Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the
  setting is unchecked, Tenable Vulnerability Management remediates unpatched findings in the next
  scan. Additionally, if multiple scans target the same device and one has enabled findings for
  unpatched vulnerabilities and another does not, the findings results may vary per scan.

Stop scanning hosts that become unresponsive during the scan (Default: Disabled)
  When enabled, Tenable Vulnerability Management stops scanning if it detects that the host has
  become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped
  responding after a denial of service plugin, or a security mechanism (for example, an IDS) has
  started to block traffic to a server. Normally, continuing scans on these machines sends
  unnecessary traffic across the network and delays the scan.

Scan IP addresses in a random order (Default: Disabled)
  By default, Tenable Vulnerability Management scans a list of IP addresses in sequential order.
  When this option is enabled, Tenable Vulnerability Management scans the list of hosts in a random
  order within an IP address range. This approach is typically useful in helping to distribute the
  network traffic during large scans.

Automatically accept detected SSH disclaimer prompts (Default: Disabled)
  When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a
  disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt
  and continue the scan.

  The scan initially sends a bad SSH request to the target in order to retrieve the supported
  authorization methods. This allows you to determine how to connect to the target, which is
  helpful when you configure a custom SSH banner and then try to determine how to connect to the
  host.

  When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the
  scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin
  output.

Scan targets with multiple domain names in parallel (Default: Disabled)
  When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single
  scanner from simultaneously scanning multiple targets that resolve to a single IP address.
  Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address,
  whether it appears more than once in the same scan task or in multiple scan tasks on that
  scanner. Scans may take longer to complete.

  When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets
  that resolve to a single IP address within a single scan task or across multiple scan tasks.
  Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and
  incomplete results.

Create unique identifier on hosts scanned using credentials (Default: Enabled)
  When enabled, the scanner creates a unique identifier (Tenable UUID). Tenable Vulnerability
  Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with
  historical results for the asset and ensure that license counts are accurately reflected.

  For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans.

Trusted CAs (Default: None)
  Specifies CA certificates that the scan considers as trusted. This allows you to use self-signed
  certificates for SSL authentication without triggering plugin 51192 as a vulnerability in your
  Tenable Vulnerability Management environment.

  Note: In addition to this setting, you can configure trusted CAs at the individual scanner level
  (for more information, see Trust a Custom CA in the Tenable Nessus User Guide). There is no
  precedence or hierarchy between trusted CAs configured in the Tenable Vulnerability Management
  scan configuration and trusted CAs configured on the Tenable Nessus scanner. Tenable
  Vulnerability Management uses the correct certificate needed to complete the scan and ignores
  irrelevant certificates, regardless of which product you configure them in.
Performance Options

Slow down the scan when network congestion is detected (Default: Disabled)
  When enabled, Tenable detects when it is sending too many packets and the network pipe is
  approaching capacity. If network congestion is detected, Tenable throttles the scan to
  accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically
  attempts to use the available space within the network pipe again.

Use Linux kernel congestion detection (Default: Disabled)
  When enabled, Tenable Vulnerability Management uses the Linux kernel to detect when it sends too
  many packets and the network pipe approaches capacity. If detected, Tenable Vulnerability
  Management throttles the scan to accommodate and alleviate the congestion. Once the congestion
  subsides, Tenable Vulnerability Management automatically attempts to use the available space
  within the network pipe again.

Network timeout (in seconds) (Default: 5)
  Specifies the time that Tenable waits for a response from a host unless otherwise specified
  within a plugin. If you are scanning over a slow connection, you may want to set this to a higher
  number of seconds.

Max simultaneous checks per host (Default: 5)
  Specifies the maximum number of checks a Tenable scanner will perform against a single host at
  one time.

Max simultaneous hosts per scan (Default: Depends on the Tenable-provided template used for the scan)
  Specifies the maximum number of hosts that Tenable Vulnerability Management submits for scanning
  at the same time in an individual scan task.

  To further refine scan performance using host limits, Tenable recommends adjusting Advanced
  settings for your individual scanners (for example, max_hosts, global.max_hosts, and
  global.max_scans). For more information, see Advanced Settings in the Tenable Nessus User Guide.

  If you set Max simultaneous hosts per scan to more than the scanner's max_hosts setting, Tenable
  Vulnerability Management caps Max simultaneous hosts per scan at the max_hosts value. For
  example, if you set Max simultaneous hosts per scan to 150 and the scanner's max_hosts is set to
  100, with more than 100 targets, Tenable Vulnerability Management scans 100 hosts simultaneously.

  Note: You can only adjust individual scanner settings for your organization's managed scanners.
  You cannot modify the settings of Tenable-hosted scanners.

Max number of concurrent TCP sessions per host (Default: None)
  Specifies the maximum number of established TCP sessions for a single host.

  This TCP throttling option also controls the number of packets per second the SYN scanner sends,
  which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN
  scanner sends 150 packets per second at most.

Max number of concurrent TCP sessions per scan (Default: None)
  Specifies the maximum number of established TCP sessions for each scan task, regardless of the
  number of hosts being scanned.

  For scanners installed on any Windows host, you must set this value to 19 or less to get accurate
  results.
Unix Find Command Options

Exclude Filepath (Default: None)
  A plain text file containing a list of filepaths to exclude from all plugins that search using
  the find command on Unix systems.

  In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command
  -path argument. For more information, see the find command man page.

Exclude Filesystem (Default: None)
  A plain text file containing a list of filesystems to exclude from all plugins that search using
  the find command on Unix systems.

  In the file, enter one filesystem per line, using filesystem types supported by the Unix find
  command -fstype argument. For more information, see the find command man page.

Include Filepath (Default: None)
  A plain text file containing a list of filepaths to include in the searches of all plugins that
  use the find command on Unix systems.

  In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command
  -path argument. For more information, see the find command man page.

  Including filepaths increases the locations that are searched by plugins, which extends the
  duration of the scan. Make your inclusions as specific as possible.

  Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may
  result in the filepath being excluded from the search, though results may vary by operating
  system.
Windows File Search Options

Windows Exclude Filepath (Default: None)
  A plain text file containing a list of filepaths to exclude from any search on Windows systems.

  In the file, enter one filepath per line. This setting overrides and removes default exclusions.

  Note: Windows file exclusions do not apply to any plugins that are managed by the operating
  system.

Windows Include Filepath (Default: None)
  A plain text file containing a list of filepaths to include in any use of Recursive search on
  Windows systems.

  In the file, enter one filepath per line. This setting replaces any defaults entirely.
Debug Settings

Enable plugin debugging (Default: Disabled)
  Attaches available debug logs from plugins to the vulnerability output of this scan.

Audit Trail Verbosity (Default: Default)
  Controls verbosity of the plugin audit trail. Options include:

  l No audit trail — (Default) Tenable Vulnerability Management does not generate a plugin audit
    trail.

  l All audit trail data — The audit trail includes the reason why plugins were not included in the
    scan.

  l Only scan errors — The audit trail includes only errors encountered during the scan.
Stagger Scan Start

Maximum delay (minutes) (Default: 0)
  (Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a
  random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of
  agents that use a shared resource, such as virtual machine CPU.

  If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to
  ensure that agents begin scanning at least 30 minutes before the scan window closes.
Compliance Output Settings

Maximum Compliance Output Length in KB (Default: 128,000 KB)
  Controls the maximum output length for each individual compliance check value that the target
  returns. If a compliance check value is greater than this setting's value, Tenable Vulnerability
  Management truncates the result.

  Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing
  this setting to increase the processing speed.

Generate gold image .audit (Default: Disabled)
  Determines whether Tenable Vulnerability Management attaches a compliance gold image .audit file
  to the scan results. You can download the gold image audit from the vulnerabilities tab labeled
  Compliance Export Gold Image Audit.

  For more information, see Compliance Export Gold Image.

Generate XCCDF result file (Default: Disabled)
  Determines whether Tenable Vulnerability Management attaches XCCDF results files to the scan
  results. You can download the generated XCCDF result files from the vulnerabilities tab labeled
  Export compliance results to XCCDF.

  For more information, see Compliance Export XCCDF Results.

Generate JSON result file (Default: Disabled)
  Determines whether Tenable Vulnerability Management attaches a .audit JSON file to the scan
  results. You can download the JSON files from the vulnerabilities tab labeled Export compliance
  results to JSON.

  For more information, see Compliance Export JSON Results.
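The Unix Find Command Options above describe the Exclude Filepath file as one find -path pattern per line. The following script, added here and not part of the Tenable documentation or product, builds the equivalent find invocation from such a file so you can preview which files a find-based plugin would still traverse before uploading the list to a scan; the function names and the sample directory tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not Tenable's code). Previews the scope that remains after an
# Exclude Filepath list is applied with find(1) -path semantics: every pattern
# is placed in one alternation, and matching paths are pruned so the scanner
# never descends into them.

# preview_find_scope ROOT EXCLUDE_FILE
# Prints, sorted, every regular file under ROOT that survives pruning.
preview_find_scope() {
    root=$1
    excl=$2
    set -- "$root"
    n=0
    # One -path pattern per line, as the scan setting describes; blank lines are skipped.
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        [ -z "$pattern" ] && continue
        if [ "$n" -eq 0 ]; then
            set -- "$@" '(' -path "$pattern"
        else
            set -- "$@" -o -path "$pattern"
        fi
        n=$((n + 1))
    done < "$excl"
    # -prune stops descent into a matched directory instead of merely hiding it.
    [ "$n" -gt 0 ] && set -- "$@" ')' -prune -o
    find "$@" -type f -print | sort
}

# count_surviving_files ROOT EXCLUDE_FILE: number of files left in scope.
count_surviving_files() {
    preview_find_scope "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree: constructed directory layout for an offline run; prints its root.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/etc" "$base/var/cache/apt" "$base/home/alice/.cache" "$base/opt/app"
    : > "$base/etc/passwd"
    : > "$base/var/cache/apt/pkgcache.bin"
    : > "$base/home/alice/.cache/thumb.db"
    : > "$base/home/alice/notes.txt"
    : > "$base/opt/app/app.jar"
    printf '%s\n' "$base"
}

# make_exclude_file ROOT: constructed Exclude Filepath list; prints the file path.
# -path matches the whole path as find prints it, so a pattern that should match
# anywhere below ROOT needs a leading '*/'; an absolute path matches one location.
make_exclude_file() {
    f=$(mktemp)
    printf '%s\n' '*/cache' '*/.cache' "$1/opt" > "$f"
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    demo_excl=$(make_exclude_file "$demo_root")
    preview_find_scope "$demo_root" "$demo_excl"
    rm -rf "$demo_root" "$demo_excl"
fi
```

Run it as `sh preview.sh --demo` to see that only etc/passwd and home/alice/notes.txt remain in scope; swap in your own exclusion file and a representative root to check the patterns before attaching the file to a scan.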

Preconfigured Advanced Settings

Certain Tenable-provided Nessus Scanner templates include preconfigured advanced settings,
described in the following table. The preconfigured advanced settings are determined by both the
template and the Mode that you select.

Template | Scan Type | Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan | – | All defaults

Basic Network Scan | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Basic Network Scan | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Basic Network Scan | Custom | All defaults

Credentialed Patch Audit | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Custom | All defaults

Host Discovery | – | –

Internal PCI Network Scan | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Custom | All defaults

Legacy Web App Scan | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Custom | All defaults

Mobile Device Scan | – | Debug Settings defaults

PCI Quarterly External Scan | Default (default) |
    l Performance options:
      o 20 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected

PCI Quarterly External Scan | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

PCI Quarterly External Scan | Custom |
    l Performance Options (default options)
    l Unix Find Command Exclusions (default options)

Configuration Scans

Audit Cloud Infrastructure | – | Debug Settings defaults

MDM Config Audit | – | –

Offline Config Audit | – | Debug Settings defaults

Policy Compliance Auditing | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Custom | All defaults

SCAP and OVAL Auditing | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Custom | All defaults

Tactical Scans

Badlock Detection | – | All defaults

Bash Shellshock Detection | – | All defaults

DROWN Detection | – | All defaults

Intel AMT Security Bypass | – | All defaults

Malware Scan | Default (default) |
    l Performance options:
      o 30 simultaneous hosts (max)
      o 4 simultaneous checks per host (max)
      o 5 second network read timeout
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Malware Scan | Scan low bandwidth links |
    l Performance options:
      o 2 simultaneous hosts (max)
      o 2 simultaneous checks per host (max)
      o 15 second network read timeout
      o Slow down the scan when network congestion is detected
    l Asset identification options:
      o Create unique identifier on hosts scanned using credentials

Malware Scan | Custom | All defaults

Shadow Brokers Scan | – | All defaults

Spectre and Meltdown Detection | – | All defaults

WannaCry Ransomware Detection | – | All defaults
Credentials in Tenable Vulnerability Management Scans


You can use credentials to grant a Tenable Vulnerability Management scanner local access to scan a
target system without requiring an agent. Credentialed scans can perform a wider variety of checks
than non-credentialed scans, which can result in more accurate scan results. This approach
facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning
depends on the privileges granted to the user account. The more privileges the scanner has via the
login account (for example, root or administrator access), the more thorough the scan results.

In Tenable Vulnerability Management, you can create credentials for use in scans in the following
ways:

Scan-specific
  Description:
    l You configure and store these credentials in an individual scan.
    l If you delete the scan, you also delete the credentials.
    l If you want to use the credentials in a different scan, you must either convert the
      scan-specific credential to a managed credential or recreate the scan-specific credential
      settings in the other scan.
  Permissions: User Permissions in Basic settings in the scan

Template-specific
  Description:
    l You configure and store these credentials in a user-defined template. You can then use the
      template to create individual scans.
    l If you add credentials to a user-defined template, other users can override those
      credentials by adding scan-specific or managed credentials to scans created from the
      template. Tenable recommends adding managed credentials to scans, instead of adding
      credentials to user-defined templates.
    l If you delete the template, you also delete the template-specific credentials. However,
      Tenable Vulnerability Management retains the credentials in any scans you used the template
      to create before deletion.
    l If you want to use the credentials in a different template, you must recreate the
      template-specific credentials in the other template.
  Permissions: User Permissions in Basic settings in the template

Managed
  Description:
    l Tenable Vulnerability Management stores managed credentials centrally in the credential
      manager. You can configure managed credentials directly in the credential manager or during
      scan configuration. You can also convert a scan-specific credential to a managed credential
      during scan configuration.
    l You can use managed credentials in multiple scans. You can also grant other users
      permissions to use managed credentials in scans.
    l You cannot use managed credentials in templates.
  Permissions: Configure User Permissions for a Credential

The settings you configure for a credential vary based on the credential type. Credential types
include:

l Cloud Services

l Database

l Host

l Miscellaneous

l Mobile Device Management
l Patch Management

l Plaintext authentication

For more information, see:

l Add a Credential to a Scan

l Edit a Credential in a Scan

l Convert a Scan-specific Credential to a Managed Credential

l Add a Credential to a User-defined Template

l Edit a Credential in a User-defined Template

Note: Tenable Vulnerability Management opens several concurrent authenticated connections. Ensure that
the host being audited does not have a strict account lockout policy based on concurrent sessions.

Note: By default, when creating credentialed scans or user-defined templates, hosts are
identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is
written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.
This option is enabled (by default) or disabled in the Advanced -> General Settings of a scan
configuration or template: Create unique identifier on hosts scanned using credentials.

Add a Credential to a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

In the event that a scan contains multiple instances of a single type of credential (SSH logins, SMB
logins, etc.), Tenable Vulnerability Management attempts to use them on a valid target in the order
that they were added to the scan configuration.

Note: The first credential that allows successful login is used to perform credentialed checks on the
target. After a credential provides successful login, Tenable Vulnerability Management does not try any of
the other credentials in the list, even if one of the latter credentials has a greater degree of access or
privileges.

To add a credential to a scan:

1. Create or edit a scan.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. Do one of the following:

Add an existing managed credential.


The Managed Credentials section of the Select Credential Type plane contains any
credentials where you have Can Use or Can Edit permissions.

a. (Optional) Search for a managed credential in the list by typing your search criteria in the
text box and clicking the button.

b. In the Managed Credentials section, click the button to display all managed
credentials.

c. Click each managed credential you want to add.

The Select Credential Type plane remains open.

d. To close the Select Credential Type plane, click the button in the upper-right corner
of the plane.

Add a scan-specific credential.


a. In the Select Credential Type plane, in any section except Managed Credentials, click
the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the individual credential configuration.

Add a new managed credential.

a. In any section of the Select Credential Type plane except the Managed Credentials
section, click the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the new managed credential.

d. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

e. In the first text box, type a name for the managed credential.

f. (Optional) In the second text box, type a brief description of the managed credential.

g. Configure user permissions for the managed credential.

5. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

Note: Upon saving, Tenable Vulnerability Management automatically orders the credentials by
ascending ID and groups the credentials by type.

6. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Edit a Credential in a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a credential in a scan:

1. Edit a scan.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Do one of the following:

l For scan-specific credentials, configure the settings for the credential.

l For managed credentials:

a. Edit the name or description.

b. Configure the credential settings.

c. Configure user permissions for the managed credential.

Note: You can only view or edit settings for managed credentials where you have Can Edit
permissions.

5. Click Save to save your changes to the credential.

If you edited a managed credential, Tenable Vulnerability Management determines whether
any other scans use the managed credential and prompts you to confirm the changes.

6. (Managed credentials only) Click Yes to save the changes to the managed credential.

7. Click Save to save your scan changes.

Add a Credential to a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Template Permissions: Can Configure

Before you add credentials to a user-defined template, consider the following:

l Other users can override template-specific credentials by adding scan-specific or managed
credentials to scans created from the template. Tenable recommends adding managed
credentials to scans, instead of adding credentials to user-defined templates.

l You cannot use managed credentials in user-defined templates. To use a single set of
credentials for multiple scans, add managed credentials to scans, instead of adding
credentials to user-defined templates.

Note: In scan configurations, the Scan-wide Credential Type settings are located in individual credentials.
In user-defined templates, these settings are located in the Authentication section of the Basic settings
for the template.

To add a template-specific credential:

1. Create or edit a template.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
template.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. In the Select Credential Type plane, click a credential type.

The settings plane for that credential type appears.

5. Configure the settings for the individual credential configuration.

6. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the template.

7. Click Save to save your template changes.

Tenable Vulnerability Management adds the credential to the credentials table for the
template.

Edit a Credential in a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Template Permissions: Can Configure

To edit a credential in a user-defined template:

1. Edit a user-defined template.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the template appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Configure the settings for the credential.

5. Click Save to save your changes to the credential.

6. Click Save to save your changes to the template.

Convert a Scan-specific Credential to a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Owner

A scan-specific credential can only be used in a single scan. To reuse a scan-specific credential in
multiple scans, convert it to a managed credential.

To convert a scan-specific credential:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, click the scan you want to edit.

The Scan Details page appears.

5. Next to the scan name, click the button.

The Update a Scan page appears.

6. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

7. In the credentials table, click the scan-specific credential you want to convert.

The credential settings plane appears.

8. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

9. In the first text box, type a name for the managed credential.

10. (Optional) In the second text box, type a brief description of the managed credential.

11. Configure user permissions for the managed credential.

12. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

13. Click Save to save your scan changes.

Cloud Services

Tenable Vulnerability Management can authenticate a scan using accounts in the cloud services
listed below.

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

AWS

AWS Access Key ID (Default: –; Required: yes)
    The AWS access key ID string.

AWS Secret Key (Default: –; Required: yes)
    AWS secret key that provides the authentication for AWS Access Key ID.

Scan-wide Credential Type Settings

Regions to access (Default: Rest of the World; Required: yes)
    In order for Tenable Vulnerability Management to audit an Amazon AWS account, you must define
    the regions you want to scan. Per Amazon policy, you need different credentials to audit
    account configuration for the China region than you do for the rest of the world.

    Possible regions include:

    • GovCloud — If you select this region, you automatically select the government cloud
      (e.g., us-gov-west-1).

    • Rest of the World — If you select this region, the following additional options appear:
        • us-east-1
        • us-east-2
        • us-west-1
        • us-west-2
        • ca-central-1
        • eu-west-1
        • eu-west-2
        • eu-central-1
        • ap-northeast-1
        • ap-northeast-2
        • ap-southeast-1
        • ap-southeast-2
        • sa-east-1

    • China — If you select this region, the following additional options appear:
        • cn-north-1
        • cn-northwest-1

HTTPS (Default: Enabled; Required: no)
    Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an
    unencrypted (HTTP) connection.

Verify SSL Certificate (Default: Enabled; Required: no)
    Whether Tenable Vulnerability Management verifies the validity of the SSL digital certificate.

Microsoft Azure

Username (Default: –; Required: yes)
    Username required to log in to Microsoft Azure.

Password (Default: –; Required: yes)
    Password associated with the username.

Client Id (Default: –; Required: yes)
    The application ID (also known as client ID) for your registered application.

Scan-wide Credential Type Settings

Subscription IDs (Default: –; Required: no)
    List subscription IDs to scan, separated by a comma. If this field is blank, all
    subscriptions are audited.

Rackspace

Username (Default: –; Required: yes)
    Username to log in.

Password or API Key (Default: –; Required: yes)
    Password or API key associated with the username.

Authentication Method (Default: API-Key; Required: yes)
    Select Password or API-Key from the drop-down box.

Scan-wide Credential Type Settings (Default: all locations selected; Required: no)
    Location of the Rackspace Cloud instance. Possible locations include:
    • Dallas-Fort Worth (DFW)
    • Chicago (ORD)
    • Northern Virginia (IAD)
    • London (LON)
    • Sydney (SYD)
    • Hong Kong (HKG)

Salesforce.com

Username (Default: –; Required: yes)
    Username required to log in to Salesforce.com.

Password (Default: –; Required: yes)
    Password associated with the Salesforce.com username.

Database Credentials

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

The following topic describes the available Database credentials.

DB2

The following table describes the additional options to configure for DB2 credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • Import
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Database Port
    The TCP port that the IBM DB2 database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 50000.

Database Name
    The name for your database (not the name of your instance).

MySQL

The following table describes the additional options to configure for MySQL credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • Import
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Username
    The username for a user on the database.

Password
    The password associated with the username you provided.

Database Port
    The TCP port that the MySQL database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 3306.

Oracle

The following table describes the additional options to configure for Oracle credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • Import
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Database Port
    The TCP port that the Oracle database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 1521.

Auth Type
    The type of account you want Tenable Vulnerability Management to use to access the database
    instance:
    • SYSDBA
    • SYSOPER
    • NORMAL

Service Type
    The Oracle parameter you want to use to specify the database instance: SID or SERVICE_NAME.

Service
    The SID value or SERVICE_NAME value for your database instance.

    The Service value you enter must match your parameter selection for the Service Type option.

PostgreSQL

The following table describes the additional options to configure for PostgreSQL credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • Client Certificate
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Database Port
    The TCP port that the PostgreSQL database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 5432.

Database Name
    The name for your database instance.

SQL Server

The following table describes the additional options to configure for SQL Server credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • Import
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Username
    The username for a user on the database.

Password
    The password associated with the username you provided.

Database Port
    The TCP port that the SQL Server database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 1433.

Auth Type
    The type of account you want Tenable Vulnerability Management to use to access the database
    instance: SQL or Windows.

Instance Name
    The name for your database instance.

Sybase ASE

The following table describes the additional options to configure for Sybase ASE credentials.

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Database Port
    The TCP port that the Sybase ASE database instance listens on for communications from Tenable
    Vulnerability Management. The default is port 3638.

Auth Type
    The type of authentication used by the Sybase ASE database: RSA or Plain Text.

Cassandra

Auth Type
    The authentication method for providing the required credentials.
    • Password
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Port
    The port the database listens on. The default is port 9042.

MongoDB

Auth Type
    The authentication method for providing the required credentials.

    Note: This option is only available for non-legacy versions of the MongoDB authentication
    method.

    • Password
    • Client Certificate
    • CyberArk
    • Lieberman
    • Hashicorp Vault

    For descriptions of the options for your selected authentication type, see Database
    Credentials Authentication Types.

Username
    (Required) The username for the database.

Password
    (Required) The password for the supplied username.

Database
    The name of the database to authenticate to.

    Tip: To authenticate via LDAP or saslauthd, type $external.

Port
    (Required) The TCP port that the MongoDB database instance listens on for communications from
    Tenable Vulnerability Management.

Database Credentials Authentication Types

Depending on the authentication type you select for your database credentials, you must configure
the options described in this topic.

Client Certificate
The Client Certificate authentication type is supported for PostgreSQL databases only.

Username (Required: yes)
    The username for the database.

Client Certificate (Required: yes)
    The file that contains the PEM certificate for the database.

Client CA Certificate (Required: yes)
    The file that contains the PEM certificate for the database.

Client Certificate Private Key (Required: yes)
    The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Required: no)
    The passphrase for the private key, if required in your authentication implementation.

Database Port (Required: yes)
    The port on which Tenable Vulnerability Management communicates with the database.

Database Name (Required: no)
    The name of the database.

Password

Username (Database Types: All; Required: yes)
    The username for a user on the database.

Password (Database Types: All; Required: no)
    The password for the supplied username.

Database Port (Database Types: All; Required: yes)
    The port on which Tenable Vulnerability Management communicates with the database.

Database Name (Database Types: DB2, PostgreSQL; Required: no)
    The name of the database.

Auth type (Database Types: Oracle, SQL Server, Sybase ASE; Required: yes)
    SQL Server values include:
    • Windows
    • SQL

    Oracle values include:
    • SYSDBA
    • SYSOPER
    • NORMAL

    Sybase ASE values include:
    • RSA
    • Plain Text

Instance name (Database Types: SQL Server; Required: no)
    The name for your database instance.

Service type (Database Types: Oracle; Required: yes)
    Valid values include:
    • SID
    • SERVICE_NAME

Service (Database Types: Oracle; Required: no)
    The SID value for your database instance or a SERVICE_NAME value. The Service value you enter
    must match your parameter selection for the Service Type option.

Import

Upload a .csv file with the credentials entered in the specified format. For descriptions of valid
values to use for each item, see Database Credentials.

You must configure either CyberArk or HashiCorp credentials for a database credential in the same
scan so that Tenable Vulnerability Management can retrieve the credentials.

CSV format by database credential type:

DB2: target, port, database_name, username, cred_manager, accountname_or_secretname

MySQL: target, port, database_name, username, cred_manager, accountname_or_secretname

Oracle: target, port, service_type, service_ID, username, auth_type, cred_manager,
accountname_or_secretname

SQL Server: target, port, instance_name, username, auth_type, cred_manager,
accountname_or_secretname

Note: Include the required data in the specified order, with commas between each value, without spaces.
For example, for Oracle with CyberArk:
192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS

Note: The value for cred_manager must be either CyberArk or HashiCorp.
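A pre-upload check for the import format above, as an added example (it is not part of the Tenable documentation or product). The field order per database type, the no-spaces rule, the allowed cred_manager values, and the Oracle and SQL Server auth_type / service_type values are taken from the tables on this page; the sample rows are constructed, and the port-range check is an assumption of the example rather than a documented rule.

```python
"""Validate a database-credential import .csv against the documented per-database field order.

Added example; field order and allowed values come from the Tenable Vulnerability Management
import table above. Sample rows are constructed and contain no real credentials.
"""
from typing import Dict, List, Tuple

# Field order per database type, exactly as listed in the CSV Format table.
CSV_FIELDS: Dict[str, List[str]] = {
    "DB2": ["target", "port", "database_name", "username", "cred_manager",
            "accountname_or_secretname"],
    "MySQL": ["target", "port", "database_name", "username", "cred_manager",
              "accountname_or_secretname"],
    "Oracle": ["target", "port", "service_type", "service_ID", "username", "auth_type",
               "cred_manager", "accountname_or_secretname"],
    "SQL Server": ["target", "port", "instance_name", "username", "auth_type",
                   "cred_manager", "accountname_or_secretname"],
}

# cred_manager applies to every database type; the others are keyed by (database type, field).
ALLOWED_CRED_MANAGERS = {"CyberArk", "HashiCorp"}
ALLOWED_VALUES = {
    ("Oracle", "service_type"): {"SID", "SERVICE_NAME"},
    ("Oracle", "auth_type"): {"SYSDBA", "SYSOPER", "NORMAL"},
    ("SQL Server", "auth_type"): {"SQL", "Windows"},
}


def validate_import_csv(db_type: str, text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (parsed rows, error messages). A row with any error is left out of the rows."""
    if db_type not in CSV_FIELDS:
        raise ValueError(f"no import format documented for {db_type!r}")
    fields = CSV_FIELDS[db_type]
    rows: List[Dict[str, str]] = []
    errors: List[str] = []

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        line_errors: List[str] = []
        if " " in line:  # the note requires no spaces anywhere in the row
            line_errors.append("spaces are not allowed")
        values = line.split(",")
        if len(values) != len(fields):
            line_errors.append(f"expected {len(fields)} values ({', '.join(fields)}), "
                               f"got {len(values)}")
        else:
            row = dict(zip(fields, values))
            if any(v == "" for v in row.values()):
                line_errors.append("empty value")
            # Port range check is an assumption of this example, not a documented rule.
            if not row["port"].isdigit() or not 1 <= int(row["port"]) <= 65535:
                line_errors.append(f"port {row['port']!r} is not a TCP port number")
            if row["cred_manager"] not in ALLOWED_CRED_MANAGERS:
                line_errors.append(f"cred_manager {row['cred_manager']!r} must be CyberArk "
                                   f"or HashiCorp")
            for field in ("service_type", "auth_type"):
                allowed = ALLOWED_VALUES.get((db_type, field))
                if allowed and row[field] not in allowed:
                    line_errors.append(f"{field} {row[field]!r} not in {sorted(allowed)}")
            if not line_errors:
                rows.append(row)
        errors.extend(f"line {lineno}: {e}" for e in line_errors)
    return rows, errors


# Constructed sample: the page's Oracle/CyberArk row plus two deliberately bad rows.
SAMPLE_ORACLE_CSV = "\n".join([
    "192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS",
    "192.0.2.10,1521,SID,orcl,scott,DBA,Vault,acct",          # bad auth_type, bad cred_manager
    "192.0.2.11, 1521,SERVICE_NAME,orclpdb,scott,NORMAL,HashiCorp,acct",  # contains a space
])

if __name__ == "__main__":
    good, bad = validate_import_csv("Oracle", SAMPLE_ORACLE_CSV)
    print(f"{len(good)} valid row(s)")
    for message in bad:
        print("ERROR", message)
```

Run it before uploading a file: every row that is reported stays out of the returned rows, so an empty error list means the file follows the documented order and value sets for that database type.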

BeyondTrust

Username (Required: yes)
    The username to log in to the host you want to scan.

Domain (Required: no)
    The domain of the username, which is recommended if using domain-linked accounts (managed
    accounts of a domain that are linked to a managed system).

BeyondTrust host (Required: yes)
    The BeyondTrust IP address or DNS address.

BeyondTrust port (Required: yes)
    The port on which BeyondTrust listens.

BeyondTrust API user (Required: yes)
    The API user provided by BeyondTrust.

BeyondTrust API key (Required: yes)
    The API key provided by BeyondTrust.

Checkout duration (Required: yes)
    The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust.
    Configure the checkout duration to exceed the typical duration of your scans. If a password
    from a previous scan is still checked out when a new scan begins, the new scan fails.

    Note: Configure the password change interval in BeyondTrust so that password changes do not
    disrupt your scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL (Required: no)
    When enabled, the integration uses SSL through IIS for secure communications. Configure SSL
    through IIS in BeyondTrust before enabling this option.

Verify SSL certificate (Required: no)
    When enabled, the integration validates the SSL certificate. Configure SSL through IIS in
    BeyondTrust before enabling this option.

CyberArk
CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

CyberArk Host (Required: yes)
    The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the
    host with a custom URL added on in a single string.

Port (Required: yes)
    The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required: yes)
    The Application ID associated with the CyberArk API connection.

Client Certificate (Required: no)
    The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (Required: yes, if private key is applied)
    The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Required: yes, if private key is applied)
    The passphrase for the private key, if required.

Get credential by (Required: yes)
    The method with which your CyberArk API credentials are retrieved. Can be Username,
    Identifier, or Address.

    Note: The frequency of queries for Username is one query per target. The frequency of queries
    for Identifier is one query per chunk. This feature requires all targets have the same
    identifier.

    Note: The Username option also adds the Address parameter of the API query and assigns the
    target IP of the resolved host to the Address parameter. This may lead to failure to fetch
    credentials if the CyberArk Account Details Address field contains a value other than the
    target IP address.

Username (Required: no)
    (If Get credential by is Username) The username of the CyberArk user to request a password
    from.

Safe (Required: no)
    The CyberArk safe the credential should be retrieved from.

Account Name (Required: no)
    (If Get credential by is Identifier) The unique account name or identifier assigned to the
    CyberArk API credential.

Use SSL (Required: no)
    If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if
    CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (Required: no)
    If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is
    configured to support SSL through IIS and you want to validate the certificate.

CyberArk (Legacy)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

Username (Database Types: All; Required: yes)
    The target system’s username.

Central Credential Provider Host (Database Types: All; Required: yes)
    The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port (Database Types: All; Required: yes)
    The port on which the CyberArk Central Credential Provider is listening.

CyberArk AIM Service URL (Database Types: All; Required: no)
    The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx.

Central Credential Provider Username (Database Types: All; Required: no)
    If the CyberArk Central Credential Provider is configured to use basic authentication, you
    can fill in this field for authentication.

Central Credential Provider Password (Database Types: All; Required: no)
    If the CyberArk Central Credential Provider is configured to use basic authentication, you
    can fill in this field for authentication.

CyberArk Safe (Database Types: All; Required: no)
    The safe on the CyberArk Central Credential Provider server that contains the authentication
    information you would like to retrieve.

CyberArk Client Certificate (Database Types: All; Required: no)
    The file that contains the PEM certificate used to communicate with the CyberArk host.

CyberArk Client Certificate Private Key (Database Types: All; Required: no)
    The file that contains the PEM private key for the client certificate.

CyberArk Client Certificate Private Key Passphrase (Database Types: All; Required: no)
    The passphrase for the private key, if your authentication implementation requires it.

CyberArk AppId (Database Types: All; Required: yes)
    The AppId that has been allocated permissions on the CyberArk Central Credential Provider to
    retrieve the target password.

CyberArk Folder (Database Types: All; Required: no)
    The folder on the CyberArk Central Credential Provider server that contains the
    authentication information you would like to retrieve.

CyberArk Account Details Name (Database Types: All; Required: yes)
    The unique name of the credential you want to retrieve from CyberArk.

PolicyId (Database Types: All; Required: no)
    The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central
    Credential Provider.

Use SSL (Database Types: All; Required: no)
    If the CyberArk Central Credential Provider is configured to support SSL through IIS, select
    this option for secure communication.

Verify SSL Certificate (Database Types: All; Required: no)
    If the CyberArk Central Credential Provider is configured to support SSL through IIS and you
    want to validate the certificate, select this option. Refer to the custom_CA.inc
    documentation for how to use self-signed certificates.

Database Port (Database Types: All; Required: yes)
    The port on which Tenable Vulnerability Management communicates with the database.

Database Name (Database Types: DB2, PostgreSQL; Required: no)
    The name of the database.

Auth type (Database Types: Oracle, SQL Server, Sybase ASE; Required: yes)
    SQL Server values include:
    • Windows
    • SQL

    Oracle values include:
    • SYSDBA
    • SYSOPER
    • NORMAL

    Sybase ASE values include:
    • RSA
    • Plain Text

Instance Name (Database Types: SQL Server; Required: no)
    The name for your database instance.

Service type (Database Types: Oracle; Required: yes)
    Valid values include:
    • SID
    • SERVICE_NAME

Service (Database Types: Oracle; Required: no)
    The SID value for your database instance or a SERVICE_NAME value. The Service value you enter
    must match your parameter selection for the Service Type option.

Delinea

Delinea Secret Name (Required: yes)
    The value of the secret on the Delinea server. The secret is labeled Secret Name on the
    Delinea server.

Delinea Host (Required: yes)
    The Delinea Secret Server IP address or DNS address.

Delinea Port (Required: yes)
    The port on which Delinea Secret Server listens.

Delinea Authentication Method (Required: yes)
    Indicates whether to use credentials or an API key for authentication. By default,
    credentials are selected.

Delinea Login Name (Required: yes)
    The username to authenticate to the Delinea server.

Delinea Password (Required: yes)
    The password to authenticate to the Delinea server. This is associated with the Delinea Login
    Name you provided.

Delinea API key (Required: yes)
    The API key provided by Delinea Secret Server.

Use SSL (Required: no)
    Enable if the Delinea Secret Server is configured to support SSL.

Verify SSL certificate (Required: no)
    If enabled, verifies the SSL Certificate on the Delinea server.

HashiCorp Vault
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged
credentials. Tenable Vulnerability Management can get credentials from HashiCorp Vault to use in a
scan.

Hashicorp Vault host (Required: yes)
    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the
    subdirectory path. For example, type IP address or hostname / subdirectory path.

Hashicorp Vault port (Required: yes)
    The port on which Hashicorp Vault listens.

Authentication Type (Required: yes)
    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp
    Client Certificate Private Key appear. Select the appropriate files for the client certificate
    and private key.

Role ID (Required: yes)
    The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (Required: yes)
    The GUID generated by Hashicorp Vault when you configured your App Role.

Authentication URL (Required: yes)
    The path/subdirectory to the authentication endpoint. This is not the full URL. For example:
    /v1/auth/approle/login

Namespace (Required: no)
    The name of a specified team in a multi-team environment.

Vault Type (Required: yes)
    The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional
    information about Tenable Vulnerability Management versions, see the Tenable Vulnerability
    Management documentation.

KV1 Engine URL (Required: yes, if you select the KV1 Vault Type)
    (KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine.
    Example: /v1/path_to_secret. No trailing /

KV2 Engine URL (Required: yes, if you select the KV2 Vault Type)
    (KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine.
    Example: /v1/path_to_secret. No trailing /

AD Engine URL (Required: yes, if you select the AD Vault Type)
    (AD) The URL Tenable Vulnerability Management uses to access the active directory engine.
    Example: /v1/path_to_secret. No trailing /

LDAP Engine URL (Required: yes, if you select the LDAP Vault Type)
    (LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine.
    Example: /v1/path_to_secret. No trailing /

Username Source (Required: yes)
    (KV1 and KV2) A drop-down box to specify whether the username is input manually or pulled
    from Hashicorp Vault.

Username Key (Required: yes)
    (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under.

Password Key (Required: yes)
    (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under.

Secret Name (Required: yes)
    (KV1, KV2, and AD) The key secret you want to retrieve values for.

Use SSL (Required: no)
    If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in
    Hashicorp Vault before enabling this option.

Verify SSL Certificate (Required: no)
    If enabled, validates the SSL certificate. You must configure SSL in Hashicorp Vault before
    enabling this option.

Database Port (Required: yes)
    The port on which Tenable Vulnerability Management communicates with the database.

Auth Type (Required: yes)
    The authentication method for the database credentials.

    Oracle values include:
    • SYSDBA
    • SYSOPER
    • NORMAL

Service Type (Required: yes)
    (Oracle databases only) Valid values include: SID and SERVICE_NAME.

Service (Required: yes)
    (Oracle database only) A specific field for the configuration for the database.
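To make the Vault-side settings concrete, here is an added Python example. It is not Tenable's code (Tenable does not document how it assembles its requests); it shows what the fields above correspond to in the Vault HTTP API: the AppRole login body posted to the Authentication URL, the X-Vault-Namespace header carrying the Namespace, the engine URL with no trailing slash, and the difference in response nesting between KV version 1 and KV version 2 that makes a Username Key / Password Key lookup fail when the selected Vault Type does not match the engine. The JSON responses are constructed in the shape Vault returns, the hostnames and token are placeholders, and the way the Secret Name is appended to the engine URL is an assumption of the example.

```python
"""Map the HashiCorp Vault credential settings onto Vault API requests and responses.

Added example, not Tenable's implementation. Runs offline against constructed JSON responses.
Assumption: the Secret Name is appended to the engine URL with a single '/'.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class VaultCredentialSettings:
    host: str
    port: int
    authentication_url: str = "/v1/auth/approle/login"  # page example; a path, not the full URL
    namespace: Optional[str] = None
    vault_type: str = "KV2"                              # KV1, KV2, AD, or LDAP
    engine_url: str = "/v1/path_to_secret"               # page example; no trailing /
    secret_name: str = ""
    username_key: str = "username"
    password_key: str = "password"
    use_ssl: bool = True


def validate_engine_url(url: str) -> str:
    """Enforce what the table states: a path under /v1/ with no trailing slash."""
    if not url.startswith("/v1/"):
        raise ValueError(f"engine URL must be a path under /v1/, got {url!r}")
    if url.endswith("/"):
        raise ValueError(f"engine URL must not end with '/': {url!r}")
    return url


def _base_url(s: VaultCredentialSettings) -> str:
    scheme = "https" if s.use_ssl else "http"
    return f"{scheme}://{s.host}:{s.port}"


def _headers(s: VaultCredentialSettings, token: Optional[str] = None) -> Dict[str, str]:
    headers = {"Content-Type": "application/json"}
    if s.namespace:                        # Vault Enterprise namespaces travel in this header
        headers["X-Vault-Namespace"] = s.namespace
    if token:
        headers["X-Vault-Token"] = token
    return headers


def approle_login_request(s: VaultCredentialSettings, role_id: str, secret_id: str) -> dict:
    """The POST Vault expects at the AppRole login endpoint (Authentication Type: App Role)."""
    return {
        "method": "POST",
        "url": _base_url(s) + s.authentication_url,
        "headers": _headers(s),
        "body": {"role_id": role_id, "secret_id": secret_id},
    }


def client_token(login_response_body: str) -> str:
    """Vault returns the session token under auth.client_token."""
    return json.loads(login_response_body)["auth"]["client_token"]


def secret_read_request(s: VaultCredentialSettings, token: str) -> dict:
    """GET for the secret; Secret Name is joined to the engine URL (assumption, see module doc)."""
    path = validate_engine_url(s.engine_url) + "/" + s.secret_name
    return {"method": "GET", "url": _base_url(s) + path, "headers": _headers(s, token)}


def credentials_from_response(s: VaultCredentialSettings, body: str) -> Tuple[str, str]:
    """Pick the username and password out of the read response by the configured keys.

    KV version 1 returns the secret's keys directly under "data"; KV version 2 wraps them one
    level deeper under "data" -> "data", with "metadata" beside it.
    """
    doc = json.loads(body)
    if s.vault_type == "KV2":
        data = doc["data"]["data"]
    elif s.vault_type == "KV1":
        data = doc["data"]
    else:
        raise ValueError("this example covers the KV1 and KV2 Vault Types only")
    try:
        return data[s.username_key], data[s.password_key]
    except KeyError as missing:
        raise KeyError(f"key {missing} not in secret; check Username Key / Password Key and "
                       f"that Vault Type matches the engine version") from None


# Constructed responses in the shape Vault returns (not captured from a real server).
SAMPLE_LOGIN_RESPONSE = json.dumps(
    {"auth": {"client_token": "hvs.EXAMPLE-TOKEN", "lease_duration": 3600}})
SAMPLE_KV2_RESPONSE = json.dumps(
    {"data": {"data": {"username": "dbscan", "password": "S3cr3t!"}, "metadata": {"version": 4}}})
SAMPLE_KV1_RESPONSE = json.dumps({"data": {"username": "dbscan", "password": "S3cr3t!"}})
```

The failure mode worth noting is the last one: reading a KV2 secret with Vault Type set to KV1 does not error at the HTTP layer, it simply finds "data" and "metadata" instead of the configured keys, which surfaces in the scan as a missing credential rather than as a Vault error.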

Lieberman
Lieberman is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

Username (Database Type: All; Required: yes)
    The target system’s username.

Lieberman host (Database Type: All; Required: yes)
    The Lieberman IP/DNS address.

    Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory
    path. For example, type IP address or hostname / subdirectory path.

Lieberman port (Database Type: All; Required: yes)
    The port on which Lieberman listens.

Lieberman API URL (Database Type: All; Required: no)
    The URL Tenable Vulnerability Management uses to access Lieberman.

Lieberman user (Database Type: All; Required: yes)
    The Lieberman explicit user for authenticating to the Lieberman API.

Lieberman password (Database Type: All; Required: yes)
    The password for the Lieberman explicit user.

Lieberman Authenticator (Database Type: All; Required: no)
    The alias used for the authenticator in Lieberman. The name should match the name used in
    Lieberman.

    Note: If you use this option, append a domain to the Lieberman user option, i.e.,
    domain\user.

Lieberman Client Certificate (Database Type: All; Required: no)
    The file that contains the PEM certificate used to communicate with the Lieberman host.

    Note: If you use this option, you do not have to enter information in the Lieberman user,
    Lieberman password, and Lieberman Authenticator fields.

Lieberman Client Certificate Private Key (Database Type: All; Required: no)
    The file that contains the PEM private key for the client certificate.

Lieberman Client Certificate Private Key Passphrase (Database Type: All; Required: no)
    The passphrase for the private key, if required.

Use SSL (Database Type: All; Required: no)
    If Lieberman is configured to support SSL through IIS, check this option for secure
    communication.

Verify SSL Certificate (Database Type: All; Required: no)
    If Lieberman is configured to support SSL through IIS and you want to validate the
    certificate, check this option. Refer to Custom CA documentation for how to use self-signed
    certificates.

System Name (Database Type: All; Required: no)
    In the rare case your organization uses one default Lieberman entry for all managed systems,
    enter the default entry name.

Database Port (Database Type: All; Required: yes)
    The port on which Tenable Vulnerability Management communicates with the database.

Database Name (Database Type: DB2, PostgreSQL; Required: no)
    (PostgreSQL and DB2 databases only) The name of the database.

Auth type (Database Type: Oracle, SQL Server, Sybase ASE; Required: yes)
    (SQL Server, Oracle, and Sybase ASE databases only)

    SQL Server values include:
    • Windows
    • SQL

    Oracle values include:
    • SYSDBA
    • SYSOPER
    • NORMAL

    Sybase ASE values include:
    • RSA
    • Plain Text

Instance Name (Database Type: SQL Server; Required: no)
    The name for your database instance.

Service type (Database Type: Oracle; Required: no)
    Valid values include:
    • SID
    • SERVICE_NAME

Service (Database Type: Oracle; Required: yes)
    The SID value for your database instance or a SERVICE_NAME value. The Service value you enter
    must match your parameter selection for the Service Type option.

QiAnXin
QiAnXin is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from QiAnXin to use in a scan.

QiAnXin Host (Required: yes)
    The IP address or URL for the QiAnXin host.

QiAnXin Port (Required: yes)
    The port on which the QiAnXin API communicates. By default, Tenable uses 443.

QiAnXin API Client ID (Required: yes)
    The Client ID for the embedded account application created in QiAnXin PAM.

QiAnXin API Secret ID (Required: yes)
    The Secret ID for the embedded account application created in QiAnXin PAM.

Username (Required: yes)
    The username to log in to the hosts you want to scan.

Host IP (Required: no)
    Specify the host IP of the asset containing the account to use. If not specified, the scan
    target IP is used.

Platform (Required: no)
    Specify the platform (based on asset type) of the asset containing the account to use. If not
    specified, a default target is used based on credential type (for example, for Windows
    credentials, the default is WINDOWS). Possible values:
    • ACTIVE_DIRECTORY — Windows Domain Account
    • WINDOWS — Windows Local Account
    • LINUX — Linux Account
    • SQL_SERVER — SQL Server Database
    • ORACLE — Oracle Database
    • MYSQL — MySQL Database
    • DB2 — DB2 Database
    • HP_UNIX — HP Unix
    • SOLARIS — Solaris
    • OPENLDAP — OpenLDAP
    • POSTGRESQL — PostgreSQL

Region ID (Required: only if using multiple regions)
    Specify the region ID of the asset containing the account to use.

Use SSL (Required: no)
    When enabled, Tenable uses SSL for secure communication. This is enabled by default.

Verify SSL Certificate (Required: no)
    When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted
    CA.

Senhasegura

Senhasegura Host (Required: yes)
    The IP address or URL for the Senhasegura host.

Senhasegura Port (Required: yes)
    The port on which the Senhasegura API communicates. By default, Tenable uses 443.

Senhasegura API Client ID (Required: yes)
    The Client ID for the applicable Senhasegura A2A Application for OAuth 2.0 API
    authentication.

Senhasegura API Secret ID (Required: yes)
    The Secret ID for the applicable Senhasegura A2A Application for OAuth 2.0 API
    authentication.

Senhasegura Credential ID or Identifier (Required: yes)
    The credential ID or identifier for the credential you are requesting to retrieve.

Private Key File (Required: if you have enabled encryption of sensitive data in A2A Application
Authorizations)
    The Private Key used to decrypt encrypted sensitive data from A2A.

    Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If
    enabled, you must provide a private key file in the scan credentials. This can be downloaded
    from the applicable A2A application in Senhasegura.

HTTPS (Required: yes)
    This is enabled by default.

Verify SSL Certificate (Required: no)
    This is disabled by default.

Host

Tenable Vulnerability Management supports the following forms of host authentication:

• SNMPv3

• Secure Shell (SSH)

• Windows

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

SNMPv3
Use SNMPv3 credentials to scan remote systems that use an encrypted network management
protocol (including network devices). Tenable Vulnerability Management uses these credentials to
scan for patch auditing or compliance checks.

Note: SNMPv3 options are only available in the Advanced Network Scan template.

Click SNMPv3 in the Credentials list to configure the following settings:

Username (Default: -; Required: yes)
    (Required) The username for the SNMPv3 account that Tenable Vulnerability Management uses to
    perform checks on the target system.

Port (Default: 161; Required: no)
    The TCP port that SNMPv3 listens on for communications from Tenable Vulnerability Management.

Security level (Default: Authentication and privacy; Required: yes)
    The security level for SNMP:
    • Authentication without privacy
    • Authentication and privacy

Authentication algorithm (Default: SHA1; Required: yes, if you select authentication)
    The algorithm the remote service supports: SHA1, SHA224, SHA-256, SHA-384, SHA-512 or MD5.

Authentication password (Default: -; Required: yes, if you select authentication)
    (Required) The password associated with the Username.

Privacy algorithm (Default: AES-192; Required: yes, if you select authentication with privacy)
    The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C,
    or DES.

Privacy password (Default: -; Required: yes, if you select authentication with privacy)
    (Required) A password used to protect encrypted SNMP communication.

SSH
Use SSH credentials for host-based checks on Unix systems and supported network devices.
Tenable Vulnerability Management uses these credentials to obtain local information from remote
Unix systems for patch auditing or compliance checks. Tenable Vulnerability Management uses
Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-
based checks.

SSH encrypts the session, so the credentials and the data returned by the checks are protected from network sniffers.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such
as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system
configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable
recommends adding no more than 10 SSH credentials per scan.

Select SSH in the Credentials list to configure the settings for the following SSH authentication
methods:

SSH Authentication Method: Public Key


Public key authentication uses an asymmetric key pair: the private key stays with the scanner, and the matching public key is placed in the target account's authorized_keys file. During login, the client proves possession of the private key by signing a challenge from the server, and the server verifies that signature with the public key; no password crosses the network. This is a more secure and flexible method for SSH authentication than passwords. Tenable Vulnerability Management supports both DSA and RSA key formats.

Tenable Vulnerability Management also supports RSA and DSA OpenSSH certificates. For certificate authentication, Tenable Vulnerability Management requires the user certificate, which is signed by a Certificate Authority (CA), and the user's private key.

Note: Tenable Vulnerability Management supports the OpenSSH SSH public key format. Formats from other SSH applications, including PuTTY and SSH Communications Security, must be converted to OpenSSH public key format.

Note: OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0, so targets running current OpenSSH releases typically accept only RSA (or newer) user keys.
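Before uploading a private key it helps to check which container format the file is in and whether it needs the Private key passphrase field. The Python below is an added example, not Tenable's code or part of this guide: it inspects only the PEM, PuTTY and ssh.com headers and the cleartext public-key block of the OpenSSH container, so nothing is decrypted. The sample keys are constructed stand-ins with placeholder numbers rather than real key material, and the puttygen conversion hint in the verdict is a suggestion, not a Tenable requirement.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length, then the bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (value, offset after it)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def _pem_body(text: str) -> bytes:
    """Base64-decode a PEM body, skipping the BEGIN/END armour and any 'Name: value' headers."""
    lines = [ln.strip() for ln in text.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----") and ":" not in ln))


def _verdict(fmt, openssh, encrypted, key_type):
    if fmt == "unknown":
        action = "not a recognised private key container; check the file"
    elif not openssh:
        action = "convert to OpenSSH format before uploading (for example, puttygen -O private-openssh)"
    elif encrypted:
        action = "upload the key and fill in the Private key passphrase field"
    else:
        action = "upload the key and leave Private key passphrase empty"
    return {"format": fmt, "openssh": openssh, "encrypted": encrypted, "key_type": key_type, "action": action}


def classify_private_key(text: str) -> dict:
    """Report the container format, whether Tenable can take it as-is (OpenSSH format), whether it
    is passphrase-protected, and the key algorithm where readable. Only headers and the cleartext
    public half are inspected; nothing is decrypted."""
    head = text.lstrip()
    if head.startswith("PuTTY-User-Key-File-"):
        encrypted = re.search(r"^Encryption:\s*none\s*$", head, re.M) is None
        return _verdict("putty", False, encrypted, None)
    if head.startswith("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"):
        # ssh.com container: the word ENCRYPTED appears in the armour even for unprotected keys.
        return _verdict("ssh.com", False, None, None)
    if head.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        blob = _pem_body(head)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("OPENSSH PRIVATE KEY armour without an openssh-key-v1 payload")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(blob, off)     # b"none" when no passphrase was set
        _kdf, off = _read_ssh_string(blob, off)       # b"none" or b"bcrypt"
        _kdf_options, off = _read_ssh_string(blob, off)
        off += 4                                      # uint32 number of keys (always 1 in practice)
        pubkey, _ = _read_ssh_string(blob, off)       # public key is stored in the clear
        key_type, _ = _read_ssh_string(pubkey, 0)
        return _verdict("openssh-v1", True, cipher != b"none", key_type.decode())
    match = re.match(r"-----BEGIN (RSA|DSA) PRIVATE KEY-----", head)
    if match:
        # Traditional PEM container (ssh-keygen -m PEM); OpenSSH reads it directly.
        key_type = {"RSA": "ssh-rsa", "DSA": "ssh-dss"}[match.group(1)]
        return _verdict("pem", True, "Proc-Type: 4,ENCRYPTED" in head, key_type)
    return _verdict("unknown", False, None, None)


def _openssh_v1_blob(cipher: bytes, kdf: bytes, key_type: bytes = b"ssh-rsa") -> bytes:
    """Constructed sample: just enough of an openssh-key-v1 container to classify. The public
    key fields hold placeholder integers, not a real key pair."""
    pubkey = _ssh_string(key_type) + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc0\xff\xee")
    return (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pubkey))


def _pem(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70)) + f"\n-----END {label}-----\n"


# Constructed samples (no real key material) covering the cases the guide's note mentions.
SAMPLE_OPENSSH_PLAIN = _pem("OPENSSH PRIVATE KEY", _openssh_v1_blob(b"none", b"none"))
SAMPLE_OPENSSH_ENCRYPTED = _pem("OPENSSH PRIVATE KEY", _openssh_v1_blob(b"aes256-ctr", b"bcrypt"))
SAMPLE_PEM_RSA_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                            "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                            "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PUTTY = "PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\nComment: rsa-key-20240101\n"
SAMPLE_SSHCOM = ("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\nComment: \"scan key\"\n"
                 "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n")

if __name__ == "__main__":
    for name, sample in [("openssh plain", SAMPLE_OPENSSH_PLAIN), ("openssh encrypted", SAMPLE_OPENSSH_ENCRYPTED),
                         ("pem rsa encrypted", SAMPLE_PEM_RSA_ENCRYPTED), ("putty", SAMPLE_PUTTY),
                         ("ssh.com", SAMPLE_SSHCOM)]:
        print(f"{name:18} -> {classify_private_key(sample)}")
```

Run it against the real key file you intend to upload (read the file and pass its text to classify_private_key); a key reported as encrypted must be paired with its passphrase in the Private key passphrase field or the scan will fail to authenticate.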

The most effective credentialed scans are those where the supplied credentials have root privileges. Because many sites do not permit remote login as root, Tenable Vulnerability Management can invoke su, sudo, su+sudo, dzdo, .k5login, or pbrun with a separate password for an account that has been set up with su or sudo privileges. In addition, Tenable Vulnerability Management can escalate privileges on Cisco devices by selecting Cisco 'enable', or use .k5login for Kerberos logins.

Note: Tenable Vulnerability Management supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some commercial variants of SSH do not support the blowfish algorithm, possibly for export reasons. It is also possible to configure an SSH server to accept only certain ciphers. Check your SSH server to ensure that at least one of the supported algorithms is enabled.

Tenable Vulnerability Management encrypts all passwords stored in policies. However, the use of
SSH keys for authentication rather than SSH passwords is recommended. This helps ensure that
the same username and password you are using to audit your known SSH servers is not used to
attempt a log into a system that may not be under your control.

Note: For supported network devices, Tenable Vulnerability Management only supports the network
device’s username and password for SSH connections.

If an account other than root must be used for privilege escalation, it can be specified under the
Escalation account with the Escalation password.

Username (required): The username to authenticate to the host.

Private Key (required): The RSA or DSA OpenSSH private key file of the user.

Private key passphrase (optional): The passphrase of the Private Key.

Elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

Targets to prioritize credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

SSH Authentication Method: Certificate

Username (required): The username to authenticate to the host.

User Certificate (required): The RSA or DSA OpenSSH certificate file of the user.

Private Key (required): The RSA or DSA OpenSSH private key file of the user.

Private key passphrase (optional): The passphrase of the Private Key.

Elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

Targets to prioritize credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

SSH Authentication Method: CyberArk Vault


CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

CyberArk

CyberArk Host (required): The IP address or FQDN of the CyberArk AIM Web Service.

Port (required): The port on which the CyberArk API communicates. Default: 443.

AppID (required): The Application ID associated with the CyberArk API connection.

Client Certificate (optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (required if a client certificate is applied): The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (required if the private key is passphrase-protected): The passphrase for the private key.

Kerberos Target Authentication (optional): If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (required if Kerberos Target Authentication is enabled): This host supplies the session tickets for the user.

KDC Port (optional): The port on which the Kerberos authentication API communicates. Default: 88.

KDC Transport (optional): The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you change the KDC Transport value, you may also need to change the port, because KDC over UDP uses either port 88 or 750 by default, depending on the implementation.

Realm (required if Kerberos Target Authentication is enabled): The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com).

Get credential by (required): The method with which your CyberArk API credentials are retrieved: Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets to have the same identifier.

Note: The Username option also adds the Address parameter to the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

Username (optional; used if Get credential by is Username): The username of the CyberArk user to request a password from.

Safe (optional): The CyberArk safe the credential should be retrieved from.

Address (optional): Use this option only if the Address value is unique to a single CyberArk account credential.

Account Name (optional; used if Get credential by is Identifier): The unique account name or identifier assigned to the CyberArk API credential.

Use SSL (optional): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
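The two notes on Get credential by above (one query per target versus one per chunk, and the Address parameter that Username mode adds) are easiest to see with a small model. The Python below is an added example and is neither Tenable's nor CyberArk's code: SAMPLE_ACCOUNTS is a constructed set of vault records, vault_lookup stands in for the vault's matching logic, and the mapping of the form fields onto the CCP query-parameter names AppID, Safe, UserName, Address and Object is an assumption about how the scanner fills them, made here only to show why the Address mismatch fails.

```python
from urllib.parse import urlencode

# Constructed sample of CyberArk account records (not real data). The field names mirror the
# CyberArk Account Details the guide refers to (Name, Safe, UserName, Address); Content stands
# in for the stored password.
SAMPLE_ACCOUNTS = [
    {"Name": "unix-root-web01", "Safe": "LinuxScan", "UserName": "root",
     "Address": "10.0.1.10", "Content": "example-pw-web01"},
    {"Name": "unix-root-web02", "Safe": "LinuxScan", "UserName": "root",
     "Address": "web02.example.com", "Content": "example-pw-web02"},   # hostname, not the target IP
    {"Name": "unix-scan-shared", "Safe": "LinuxScan", "UserName": "scanner",
     "Address": "", "Content": "example-pw-shared"},
]


def build_query(app_id, safe, get_by, target_ip, username=None, account_name=None, address=None):
    """Map the form fields to the query parameters sent for one lookup. AppID, Safe, UserName,
    Address and Object are CyberArk CCP query-parameter names; how the scanner fills them from
    the form is reconstructed from the guide's notes (assumption)."""
    params = {"AppID": app_id}
    if safe:
        params["Safe"] = safe
    if get_by == "Username":
        params["UserName"] = username
        params["Address"] = target_ip          # the guide: Username mode adds the target IP
    elif get_by == "Identifier":
        params["Object"] = account_name        # one fixed account for every target
    elif get_by == "Address":
        params["Address"] = address            # must be unique to a single account
    else:
        raise ValueError(f"unknown 'Get credential by' value {get_by!r}")
    return params


def query_string(params):
    """Render the parameters as they would appear in the GET request (values URL-encoded)."""
    return urlencode(params)


def vault_lookup(accounts, params):
    """Model of the vault side: every supplied filter must match exactly and exactly one
    account must remain; otherwise no password is returned."""
    filters = {"Safe": "Safe", "UserName": "UserName", "Address": "Address", "Object": "Name"}
    matches = [a for a in accounts
               if all(a[field] == params[p] for p, field in filters.items() if p in params)]
    return matches[0]["Content"] if len(matches) == 1 else None


def fetch_for_targets(accounts, targets, get_by, **form):
    """Return ({target: password or None}, number of vault queries). Identifier mode resolves
    once for the whole chunk of targets; the other modes query once per target."""
    if get_by == "Identifier":
        secret = vault_lookup(accounts, build_query(get_by=get_by, target_ip=None, **form))
        return {t: secret for t in targets}, 1
    results, queries = {}, 0
    for target in targets:
        results[target] = vault_lookup(accounts, build_query(get_by=get_by, target_ip=target, **form))
        queries += 1
    return results, queries


if __name__ == "__main__":
    targets = ["10.0.1.10", "10.0.1.11"]
    by_user, n = fetch_for_targets(SAMPLE_ACCOUNTS, targets, "Username",
                                   app_id="TenableScan", safe="LinuxScan", username="root")
    print("Username mode:", by_user, f"({n} queries)")   # 10.0.1.11 -> None: Address field mismatch
    by_id, n = fetch_for_targets(SAMPLE_ACCOUNTS, targets, "Identifier",
                                 app_id="TenableScan", safe="LinuxScan", account_name="unix-scan-shared")
    print("Identifier mode:", by_id, f"({n} query)")
    print(query_string(build_query("TenableScan", "LinuxScan", "Username", "10.0.1.10", username="root")))
```

The second target fails in Username mode even though a root account for it exists, because its Address field holds a hostname while the scanner sends the resolved IP; storing the target IP in Address, or switching to Identifier mode with a shared account, is the fix the note implies.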

CyberArk Auto-Discovery

CyberArk Auto-Discovery gathers bulk account information for specific target groups without your entering multiple targets. For more information, see CyberArk Dynamic Scanning in the Tenable CyberArk Integrations Guide.

CyberArk Host (required): The IP address or FQDN of the user's CyberArk instance.

Port (required): The port on which the CyberArk API communicates. Default: 443.

AppID (required): The Application ID associated with the CyberArk API connection.

Safe (optional): A Safe from which to gather account information and request passwords.

AIM Web Service Authentication Type (required): The feature supports two authentication methods: IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

CyberArk PVWA Web UI Login Name (required): The username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk PVWA Web UI Login Password (required): The password for the username used to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk Platform Search String (required): The string used in the PVWA REST API query parameters to gather bulk account information. For example, enter UnixSSH Admin TestSafe to gather all UnixSSH platform accounts containing the username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice is to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

Elevate Privileges with (optional): Only Nothing or sudo can be selected at this time.

Use SSL (required): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

CyberArk (Legacy)

Username (required): The username of the target system.

CyberArk AIM Service URL (optional): The URL for the CyberArk AIM web service. Default: /AIMWebservice/v1.1/AIM.asmx.

Central Credential Provider Host (required): The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port (required): The port on which the CyberArk Central Credential Provider is listening.

Central Credential Provider Username (optional): The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

Central Credential Provider Password (optional): The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

Safe (required): The safe on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.

CyberArk Client Certificate (optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

CyberArk Client Certificate Private Key (optional): The file that contains the PEM private key for the client certificate.

CyberArk Client Certificate Private Key Passphrase (optional): The passphrase for the private key, if required.

AppId (required): The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder (required): The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.

PolicyId (optional): The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.

Use SSL (optional): Check this option for secure communication if the CyberArk Central Credential Provider is configured to support SSL through IIS.

Verify SSL Certificate (optional): Check this option if the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

Targets to Prioritize Credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

CyberArk Account Details Name (optional): The unique name of the credential you want to retrieve from CyberArk.

CyberArk Address (optional): The domain for the user account.

CyberArk elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure.

Custom password prompt (optional): The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.

SSH Authentication Method: Delinea

Delinea Authentication Method (required): Indicates whether to use credentials or an API key for authentication. Default: Credentials.

Delinea Login Name (required with the Credentials authentication method): The username to authenticate to the Delinea server.

Delinea Password (required with the Credentials authentication method): The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

Delinea API Key (required with the API Key authentication method): The API key generated in the Secret Server user interface.

Delinea Secret Name (required): The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

Delinea Host (required): The Delinea Secret Server host to pull the secrets from.

Delinea Port (required): The Delinea Secret Server port for API requests. Default: 443.

Use Private Key (optional): If enabled, uses key-based authentication for SSH connections instead of password authentication.

Use SSL (optional): Enable if the Delinea Secret Server is configured to support SSL.

Verify SSL Certificate (optional): If enabled, verifies the SSL certificate on the Delinea server.

Elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure.

Custom password prompt (optional): Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.

Targets to Prioritize Credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

SSH Authentication Method: Hashicorp Vault


HashiCorp Vault is a popular enterprise password vault that helps you manage privileged
credentials. Tenable Vulnerability Management can retrieve credentials from HashiCorp Vault to use
in a scan.

Windows and SSH Credentials

Hashicorp Vault host (required): The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Hashicorp Vault port (required): The port on which Hashicorp Vault listens.

Authentication Type (required): Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate (required) and Hashicorp Client Certificate Private Key (required) appear. Select the appropriate files for the client certificate and private key.

Role ID (required): The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (required): The GUID generated by Hashicorp Vault when you configured your App Role.

Authentication URL (required): The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login

Namespace (optional): The name of a specified team in a multi-team environment.

Vault Type (required): The Hashicorp Vault secrets engine type: KV1, KV2, AD, or LDAP. For more information about these engines, see the Hashicorp Vault documentation.

KV1 Engine URL (required if you select the KV1 Vault Type): The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing /.

KV2 Engine URL (required if you select the KV2 Vault Type): The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/kv_mount_name. No trailing /.

Note: You cannot use the path to the secret for the KV2 Engine URL, because an additional segment, data, is injected into the read request made to Vault for KV v2 stores. Enter only the name of the KV mount, not the path to the secret, in the Engine URL field.

Note: You do not need to include the data segment yourself. If you include it in the secret name/path, the read call to Vault includes /data/data, which is invalid.

AD Engine URL (required if you select the AD Vault Type): The URL Tenable Vulnerability Management uses to access the Active Directory engine. Example: /v1/path_to_secret. No trailing /.

LDAP Engine URL (required if you select the LDAP Vault Type): The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing /.

Username Source (required; KV1 and KV2): A drop-down box to specify whether the username is entered manually or pulled from Hashicorp Vault.

Username Key (required; KV1 and KV2): The key in Hashicorp Vault under which usernames are stored.

Domain Key (optional; KV1 and KV2): The key in Hashicorp Vault under which domains are stored.

Password Key (required; KV1 and KV2): The key in Hashicorp Vault under which passwords are stored.

Secret Name (required; KV1, KV2, and AD): The secret you want to retrieve values for.

Kerberos Target Authentication (optional): If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (required if Kerberos Target Authentication is enabled): This host supplies the session tickets for the user.

KDC Port (optional): The port on which the Kerberos authentication API communicates. Default: 88.

KDC Transport (optional): The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you change the KDC Transport value, you may also need to change the port, because KDC over UDP uses either port 88 or 750 by default, depending on the implementation.

Domain (Windows) (required if Kerberos Target Authentication is enabled): The domain to which Kerberos Target Authentication belongs, if applicable.

Realm (SSH) (required if Kerberos Target Authentication is enabled): The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com).

Use SSL (optional): If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option.

Verify SSL Certificate (optional): If enabled, Tenable Vulnerability Management validates the SSL certificate presented by Hashicorp Vault. Hashicorp Vault must be using SSL to enable this option.

Enable for Tenable Vulnerability Management (required): Enables or disables IBM DataPower Gateway use with Tenable Vulnerability Management.

Escalate Privileges with (SSH) (required if you wish to escalate privileges): Use a privilege escalation method such as su or sudo to use extra privileges when scanning.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Tenable Vulnerability Management. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide.

Escalation account credential ID or identifier (SSH) (optional): If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here.
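The KV2 Engine URL notes above describe the one mistake that reliably breaks a Vault-backed scan: putting the secret path, or a data segment, into a field that only takes the mount name. The Python below is an added example rather than Tenable's or HashiCorp's code. The KV v1 and KV v2 response shapes and the AppRole login endpoint are HashiCorp's documented API; how the scanner assembles the read path from the Engine URL and Secret Name fields is reconstructed from the notes and is an assumption, and the sample responses are constructed with placeholder values.

```python
def vault_login_request(vault_host, auth_url, role_id, secret_id, namespace=None):
    """AppRole login: POST <Hashicorp Vault host><Authentication URL> with role_id and
    secret_id in the JSON body. The Authentication URL field is a path, not a full URL."""
    if not auth_url.startswith("/"):
        raise ValueError("Authentication URL must be a path such as /v1/auth/approle/login")
    headers = {"Content-Type": "application/json"}
    if namespace:                                # Vault Enterprise namespaces travel in a header
        headers["X-Vault-Namespace"] = namespace
    return {"method": "POST", "url": f"https://{vault_host}{auth_url}",
            "headers": headers, "body": {"role_id": role_id, "secret_id": secret_id}}


def vault_read_path(vault_type, engine_url, secret_name):
    """Turn the Engine URL field plus Secret Name into the path Vault is asked to read
    (reconstruction of the scanner's behaviour described in the guide's notes)."""
    if engine_url.endswith("/"):
        raise ValueError("Engine URL must not end with a trailing /")
    if not engine_url.startswith("/v1/"):
        raise ValueError("Engine URL is a path below /v1/, for example /v1/secret")
    if vault_type == "KV1":
        return f"{engine_url}/{secret_name}"          # KV v1: /v1/<mount>/<path> reads directly
    if vault_type == "KV2":
        # KV v2 reads go through <mount>/data/<path>. The scanner inserts 'data' itself, so a
        # 'data' segment supplied in either field produces /data/data, which Vault rejects.
        if engine_url.endswith("/data") or secret_name.startswith("data/"):
            raise ValueError("do not include the 'data' segment; it is injected automatically")
        return f"{engine_url}/data/{secret_name}"
    raise ValueError(f"Vault Type {vault_type!r} is not covered by this example")


def check_engine_fields(vault_type, engine_url, secret_name):
    """Validate the pair without raising: (True, read_path) or (False, reason)."""
    try:
        return True, vault_read_path(vault_type, engine_url, secret_name)
    except ValueError as err:
        return False, str(err)


def extract_credential(vault_type, response, username_key, password_key, domain_key=None):
    """Pull the scan credential out of a Vault read response. KV v1 returns the secret's
    key/value pairs directly under 'data'; KV v2 nests them under data.data next to
    data.metadata, so the same Username Key/Password Key must be read one level deeper."""
    data = response["data"]
    if vault_type == "KV2":
        data = data["data"]
    missing = [k for k in (username_key, password_key) if k not in data]
    if missing:
        raise KeyError(f"secret has no key(s) {missing}; check the Username Key/Password Key fields")
    cred = {"username": data[username_key], "password": data[password_key]}
    if domain_key and domain_key in data:
        cred["domain"] = data[domain_key]
    return cred


# Constructed sample responses in the shapes Vault returns (values are not real secrets).
SAMPLE_KV1_RESPONSE = {"data": {"user": "scanner", "pass": "kv1-example"}}
SAMPLE_KV2_RESPONSE = {"data": {"data": {"user": "scanner", "pass": "kv2-example", "dom": "CORP"},
                                "metadata": {"version": 3, "destroyed": False}}}

if __name__ == "__main__":
    print(vault_login_request("vault.example.com:8200", "/v1/auth/approle/login",
                              "role-guid", "secret-guid", "team-a"))
    for vt, url, name in [("KV1", "/v1/secret/scan", "web01"), ("KV2", "/v1/secret", "scan/web01"),
                          ("KV2", "/v1/secret/data", "scan/web01"), ("KV2", "/v1/secret/", "scan/web01")]:
        print(vt, url, name, "->", check_engine_fields(vt, url, name))
    print(extract_credential("KV1", SAMPLE_KV1_RESPONSE, "user", "pass"))
    print(extract_credential("KV2", SAMPLE_KV2_RESPONSE, "user", "pass", "dom"))
```

A quick way to confirm the fields before saving the credential is to read the same secret with the Vault CLI or API from the scanner's network position and compare the path it used with what check_engine_fields returns; if the CLI needs `<mount>/data/<path>` and you typed the full path into KV2 Engine URL, the scan will get a 404 from Vault.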

SSH Authentication Method: Kerberos


Kerberos, developed by MIT's Project Athena, is a client/server authentication protocol based on symmetric key cryptography: the key used to encrypt data is the same as the key used to decrypt it. Organizations deploy a KDC (Key Distribution Center) that holds the keys of all users and services that require Kerberos authentication. Users authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once a user holds a TGT, it can be used to request service tickets from the KDC for other Kerberos-based services. Kerberos originally encrypted all communications with DES in CBC (Cipher Block Chaining) mode; current deployments use AES encryption types.

Note: You must already have a Kerberos environment established to use this method of authentication.

The Tenable Vulnerability Management implementation of Unix-based Kerberos authentication for SSH supports the aes-cbc and aes-ctr encryption algorithms. An overview of how Tenable Vulnerability Management interacts with Kerberos is as follows:

1. The end user supplies the IP of the KDC.

2. nessusd asks sshd whether it supports Kerberos authentication.

3. sshd says yes.

4. nessusd requests a Kerberos TGT from the KDC, supplying the login and password.

5. The KDC sends a ticket back to nessusd.

6. nessusd presents the ticket to sshd.

7. nessusd is logged in.

In both Windows and SSH credentials settings, you can specify credentials using Kerberos keys
from a remote system. There are differences in the configurations for Windows and SSH.

Username (required): The username of the target system.

Password (required): The password of the username specified.

Key Distribution Center (KDC) (required): This host supplies the session tickets for the user.

KDC Port (optional): Directs Tenable Vulnerability Management to connect to the KDC if it is running on a port other than 88.

KDC Transport (optional): The method by which you want to access the KDC server.

Note: If you set KDC Transport to UDP, you may also need to change the port number, because depending on the implementation, the KDC UDP protocol uses either port 88 or 750 by default.

Realm (required): The authentication domain, usually noted as the domain name of the target (for example, example.com).

Elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

Targets to Prioritize Credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

If Kerberos is used, sshd must be configured with Kerberos support (in OpenSSH, GSSAPIAuthentication yes in sshd_config) so that it can verify the ticket with the KDC. Forward and reverse DNS lookups for the target must be properly configured, because the service principal name is derived from the host name. The Kerberos interaction method must be gssapi-with-mic.

SSH Authentication Method: Password

Username (required): The username of the target system.

Password (required): The password of the username specified.

Elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

Custom password prompt (optional): The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.

Targets to Prioritize Credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

SSH Authentication Method: Lieberman RED


Lieberman is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

Username (required): The target system's username.

Lieberman host (required): The Lieberman IP/DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Lieberman port (required): The port on which Lieberman listens.

Lieberman API URL (optional): The URL Tenable Vulnerability Management uses to access Lieberman.

Lieberman user (required): The Lieberman explicit user for authenticating to the Lieberman RED API.

Lieberman password (required): The password for the Lieberman explicit user.

Lieberman Authenticator (optional): The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman.

Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user.

Lieberman Client Certificate (optional): The file that contains the PEM certificate used to communicate with the Lieberman host.

Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields.

Lieberman Client Certificate Private Key (optional): The file that contains the PEM private key for the client certificate.

Lieberman Client Certificate Private Key Passphrase (optional): The passphrase for the private key, if required.

Use SSL (optional): Check this option for secure communication if Lieberman is configured to support SSL through IIS.

Verify SSL Certificate (optional): Check this option if Lieberman is configured to support SSL through IIS and you want to validate the certificate. Refer to the Custom CA documentation for how to use self-signed certificates.

Targets to Prioritize Credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

System Name (optional): In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name.

Custom password prompt (optional): The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.

SSH Authentication Method: QiAnXin

QiAnXin Host (required): The IP address or URL for the QiAnXin host.

QiAnXin Port (required): The port on which the QiAnXin API communicates. Default: 443.

QiAnXin API Client ID (required): The Client ID for the embedded account application created in QiAnXin PAM.

QiAnXin API Secret ID (required): The Secret ID for the embedded account application created in QiAnXin PAM.

Username (required): The username to log in to the hosts you want to scan.

Host IP (optional): Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used.

Platform (optional): Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

- ACTIVE_DIRECTORY: Windows Domain Account

- WINDOWS: Windows Local Account

- LINUX: Linux Account

- SQL_SERVER: SQL Server Database

- ORACLE: Oracle Database

- MYSQL: MySQL Database

- DB2: DB2 Database

- HP_UNIX: HP Unix

- SOLARIS: Solaris

- OPENLDAP: OpenLDAP

- POSTGRESQL: PostgreSQL

Region ID (required only if using multiple regions): Specify the region ID of the asset containing the account to use.

Escalate Privileges with (required if you wish to escalate privileges): Use the drop-down menu to select the privilege elevation method, or select "Nothing" to skip privilege elevation.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through QiAnXin. The Escalation Account Name field is only required if the escalation password differs from the normal login password.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide or the Tenable Vulnerability Management User Guide.

Escalation Account Username (optional): If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here.

Use SSL (optional): When enabled, Tenable uses SSL for secure communication. This is enabled by default.

Verify SSL Certificate (optional): When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA.

SSH Authentication Method: Thycotic Secret Server

Username (required): The username to authenticate via SSH to the system.

Thycotic Secret Name (required): The value of the secret on the Thycotic server. The secret is labeled Secret Name on the Thycotic server.

Thycotic Secret Server URL (required): The transfer method, target, and target directory for the scanner. You can find this value on the Thycotic server in Admin > Configuration > Application Settings > Secret Server URL.

For example, consider the following address: https://pw.mydomain.com/SecretServer/

• Transfer method: https indicates an SSL connection.
• Target: pw.mydomain.com is the target address.
• Target Directory: /SecretServer/ is the root directory.

Thycotic Login Name (required): The username to authenticate to the Thycotic server.

Thycotic Password (required): The password to authenticate to the Thycotic server.

Thycotic Organization (optional): The organization you want to query. You can use this value for cloud instances of Thycotic.

Thycotic Domain (optional): The domain of the Thycotic server.

Use Private Key (optional): The key for the SSH connection, if you do not use a password.

Verify SSL Certificate (optional): Whether you want to verify if the SSL Certificate on the server is signed by a trusted CA.

Thycotic elevate privileges with (optional): The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure. For more information, see Privilege Escalation.

Custom password prompt (optional): The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.

Targets to prioritize credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

SSH Authentication Method: BeyondTrust

Username (required): The username to log in to the hosts you want to scan.

BeyondTrust host (required): The BeyondTrust IP address or DNS address.

BeyondTrust port (required): The port on which BeyondTrust listens.

BeyondTrust API user (required): The API user provided by BeyondTrust.

BeyondTrust API key (required): The API key provided by BeyondTrust.

Checkout duration (required): The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Vulnerability Management scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Vulnerability Management scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL (optional): When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL certificate (optional): When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Use private key (optional): When enabled, Tenable Vulnerability Management uses private key-based authentication for SSH connections instead of password authentication. If it fails, the password is requested.

Use privilege escalation (optional): When enabled, BeyondTrust uses the configured privilege escalation command. If it returns something, it will use it for the scan.

Custom password prompt (optional): The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.

Targets to prioritize credentials (optional): Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.
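The Targets to prioritize credentials behaviour described for the Lieberman, Thycotic and BeyondTrust SSH methods above, modelled as an added example (not Tenable's own code): it parses the comma- or space-separated IP/CIDR field, reorders a scan's credential list for one target, and counts the login attempts needed with and without prioritization. The credential names, the target address and the "works" flag are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Credential:
    """One SSH credential in the scan (names are constructed for this example)."""
    name: str
    # Contents of the "Targets to prioritize credentials" field: IPs or CIDR
    # blocks, comma- or space-separated, or None when the field is empty.
    prioritize_targets: Optional[str] = None
    # Hypothetical flag standing in for "this credential actually logs in".
    works: bool = False


def parse_priority_targets(spec: Optional[str]) -> list:
    """Parse the comma- or space-separated list of IPs and CIDR blocks.

    A bare IP becomes a /32 (or /128) network. Tokens that do not parse are
    skipped so one typo does not silently disable prioritization for the
    whole field.
    """
    networks = []
    if not spec:
        return networks
    for token in spec.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    return networks


def is_prioritized_for(cred: Credential, target: str) -> bool:
    """True if the target falls inside any of the credential's priority blocks."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in parse_priority_targets(cred.prioritize_targets))


def order_credentials(creds: List[Credential], target: str) -> List[Credential]:
    """Attempt order for one target: prioritized credentials first (in their
    configured order), then everything else in configured order."""
    first = [c for c in creds if is_prioritized_for(c, target)]
    rest = [c for c in creds if not is_prioritized_for(c, target)]
    return first + rest


def attempts_until_success(ordered: List[Credential]) -> int:
    """Login attempts up to and including the working credential; 0 if none works."""
    for position, cred in enumerate(ordered, start=1):
        if cred.works:
            return position
    return 0


def build_example_scan() -> List[Credential]:
    """Constructed scan matching the guide's example: 100 credentials, only the
    59th works, and that one has a priority block covering the target."""
    creds = [Credential(name="cred-{:03d}".format(i)) for i in range(1, 101)]
    creds[58] = Credential(
        name="cred-059",
        prioritize_targets="10.0.5.0/24, 192.0.2.7",
        works=True,
    )
    return creds


if __name__ == "__main__":
    scan = build_example_scan()
    target = "10.0.5.20"  # constructed target inside 10.0.5.0/24
    print("attempts without prioritization:", attempts_until_success(scan))
    print("attempts with prioritization:   ",
          attempts_until_success(order_credentials(scan, target)))
```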

Scan-wide Credential Type Settings for SSH


These settings apply to all SSH-type credentials in the current scan. You can edit these settings in any instance of the credential type in the current scan; your changes automatically apply to the other credentials of that type in the scan.

known_hosts file (default: None): If you upload an SSH known_hosts file, Tenable Vulnerability Management only attempts to log in to hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

Preferred port (default: 22): The port on which SSH is running on the target system.

Client version (default: OpenSSH_5.0): The type of SSH client Tenable Vulnerability Management impersonates while scanning.

Attempt least privilege (default: cleared): Enables or disables dynamic privilege escalation. When enabled, Tenable Vulnerability Management attempts to run the scan with an account with lesser privileges, even if the Elevate privileges with option is enabled. If a command fails, Tenable Vulnerability Management escalates privileges. Plugins 101975 and 101976 report which plugins ran with or without escalated privileges.

Note: Enabling this option may increase scan run time by up to 30%.
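The known_hosts restriction above is the one scan-wide setting that limits where a credential is presented. As an added example (not Tenable's code, which is not published), this checks scan targets against an OpenSSH-format known_hosts file, including the hashed |1|salt|hash entry form and the [host]:port form for non-default ports, and splits targets into those the file lists and those it does not. The known_hosts content and key strings are constructed placeholders; wildcard and negated patterns are not handled.

```python
import base64
import hashlib
import hmac
from typing import Iterable, List, Tuple


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Build the OpenSSH hashed host form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def _host_token(host: str, port: int) -> str:
    """known_hosts writes non-default ports as [host]:port."""
    return host if port == 22 else "[{}]:{}".format(host, port)


def host_patterns(known_hosts: str) -> List[str]:
    """Every host pattern in the file; one entry may list several, comma-separated."""
    patterns = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # marker such as @cert-authority or @revoked
            line = line.split(None, 1)[1]
        hosts_field = line.split(None, 1)[0]
        patterns.extend(hosts_field.split(","))
    return patterns


def is_known_host(known_hosts: str, host: str, port: int = 22) -> bool:
    """True if the host (with port form applied) appears in the file, plain or hashed."""
    token = _host_token(host, port)
    for pattern in host_patterns(known_hosts):
        if pattern.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
            actual = hmac.new(salt, token.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, expected):
                return True
        elif pattern == token:
            return True
    return False


def filter_targets(known_hosts: str,
                   targets: Iterable[Tuple[str, int]]) -> Tuple[List, List]:
    """Split (host, port) targets into those the file lists and those it skips."""
    allowed, skipped = [], []
    for host, port in targets:
        bucket = allowed if is_known_host(known_hosts, host, port) else skipped
        bucket.append((host, port))
    return allowed, skipped


# Constructed known_hosts content; the key strings are placeholders, not real keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "10.0.0.5,bastion.example.com ssh-ed25519 AAAAC3PLACEHOLDERKEY",
    "[10.0.0.6]:2222 ssh-ed25519 AAAAC3PLACEHOLDERKEY",
    hash_known_host("10.0.0.7", _SALT) + " ssh-ed25519 AAAAC3PLACEHOLDERKEY",
])

if __name__ == "__main__":
    scan_targets = [("10.0.0.5", 22), ("10.0.0.6", 2222), ("10.0.0.7", 22), ("10.0.0.8", 22)]
    print(filter_targets(SAMPLE_KNOWN_HOSTS, scan_targets))
```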

SSH Authentication Method: Centrify

Centrify Host (required): The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Centrify Port (required): The port on which Centrify listens. By default, Tenable Vulnerability Management uses port 443.

API User (required): The API user provided by Centrify.

API Key (required): The API key provided by Centrify.

Tenant (required): The Centrify tenant associated with the API. By default, Tenable Vulnerability Management uses centrify.

Authentication URL (required): The URL Tenable Vulnerability Management uses to access Centrify. By default, Tenable Vulnerability Management uses /Security.

Password Query URL (required): The URL Tenable Vulnerability Management uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock.

Password Engine URL (required): The URL Tenable Vulnerability Management uses to access the passwords in Centrify. By default, Tenable Vulnerability Management uses /ServerManage.

Username (required): The username to log in to the hosts you want to scan.

Checkout Duration (required): The length of time, in minutes, that you want to keep credentials checked out in Centrify.

Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Vulnerability Management scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Use SSL: When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option.

Verify SSL Certificate: When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option.

SSH Authentication Method: Arcon

Arcon Host (required): The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port (required): The port on which Arcon listens. By default, Tenable Security Center uses port 444.

API User (required): The API user provided by Arcon.

API Key (required): The API key provided by Arcon.

Authentication URL (required): The URL Tenable Security Center uses to access Arcon.

Password Engine URL (required): The URL Tenable Security Center uses to access the passwords in Arcon.

Username (required): The username to log in to the hosts you want to scan.

Arcon Target Type (optional): The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value.

Checkout Duration (required): The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.

Privilege Escalation: The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Note: Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Windows
Click Windows in the Credentials list to configure settings for the following Windows-based
authentication methods:

Windows Authentication Method: CyberArk Vault

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

CyberArk

CyberArk Host (required): The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.

Port (required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (required): The Application ID associated with the CyberArk API connection.

Client Certificate (optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (required if a private key is applied): The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (required if a private key is applied): The passphrase for the private key, if required.

Kerberos Target Authentication (optional): If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (required if Kerberos Target Authentication is enabled): This host supplies the session tickets for the user.

KDC Port (optional): The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

KDC Transport (optional): The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Domain (required if Kerberos Target Authentication is enabled): The domain to which Kerberos Target Authentication belongs, if applicable.

Get credential by (required): The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

Username (optional; used if Get credential by is Username): The username of the CyberArk user to request a password from.

Safe (optional): The CyberArk safe the credential should be retrieved from.

Address (optional): This option should only be used if the Address value is unique to a single CyberArk account credential.

Account Name (optional; used if Get credential by is Identifier): The unique account name or identifier assigned to the CyberArk API credential.

Use SSL (optional): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

CyberArk Auto-Discovery

You can now take advantage of a significant improvement to Tenable’s CyberArk Integration which
gathers bulk account information for specific target groups without entering multiple targets. For
more information, see CyberArk Dynamic Scanning in the Tenable CyberArk Integrations Guide.

CyberArk Host (required): The IP address or FQDN name for the user's CyberArk Instance.

Port (required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (required): The Application ID associated with the CyberArk API connection.

Safe (optional): Users may optionally specify a Safe to gather account information and request passwords.

AIM Web Service Authentication Type (required): There are two authentication methods established in the feature: IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

CyberArk PVWA Web UI Login Name (required): Username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk PVWA Web UI Login Password (required): Password for the username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk Platform Search String (required): String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all Windows platform accounts containing a username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

Use SSL (required): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

CyberArk (Legacy)

Username (required): The username of the target system.

CyberArk AIM Service URL (optional): The URL for the CyberArk AIM web service. By default, Tenable Vulnerability Management uses /AIMWebservice/v1.1/AIM.asmx.

Domain (optional): The domain to which the username belongs.

Central Credential Provider Host (required): The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port (required): The port on which the CyberArk Central Credential Provider is listening.

Central Credential Provider Username (optional): The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

Central Credential Provider Password (optional): The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.

Safe (required): The safe on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.

CyberArk Client Certificate (optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

CyberArk Client Certificate Private Key (optional): The file that contains the PEM private key for the client certificate.

CyberArk Client Certificate Private Key Passphrase (optional): The passphrase for the private key, if required.

AppId (required): The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder (required): The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.

PolicyId (optional): The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.

Use SSL (optional): If the CyberArk Central Credential Provider is configured to support SSL through IIS, check this option for secure communication.

Verify SSL Certificate (optional): If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

CyberArk Account Details Name (optional): The unique name of the credential you want to retrieve from CyberArk.

Windows Authentication Method: Delinea

Delinea Authentication Method (required): Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected.

Delinea Login Name (required): The username to authenticate to the Delinea server.

Delinea Password (required): The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

Delinea API Key (required): The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected.

Delinea Secret Name (required): The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

Delinea Host (required): The Delinea Secret Server IP address for API requests.

Delinea Port (required): The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

Checkout Duration (required): The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time.

Use SSL (optional): Enable if the Delinea Secret Server is configured to support SSL.

Verify SSL Certificate (optional): If enabled, verifies the SSL Certificate on the Delinea server.

Windows Authentication Method: Hashicorp Vault


HashiCorp Vault is a popular enterprise password vault that helps you manage privileged
credentials. Tenable Vulnerability Management can retrieve credentials from HashiCorp Vault to use
in a scan.

Windows and SSH Credentials

Hashicorp Vault host (required): The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

Hashicorp Vault port (required): The port on which Hashicorp Vault listens.

Authentication Type (required): Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

Role ID (required): The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (required): The GUID generated by Hashicorp Vault when you configured your App Role.

Authentication URL (required): The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login

Namespace (optional): The name of a specified team in a multi-team environment.

Vault Type (required): The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation.

KV1 Engine URL (required if you select the KV1 Vault Type): (KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing /

KV2 Engine URL (required if you select the KV2 Vault Type): (KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/kv_mount_name. No trailing /

Note: You cannot use the path to the secret for the KV2 Engine URL because an additional string/segment, data, gets injected into the read request made to Vault for KV v2 stores. Only enter the name of the KV mount, not the path to the secret, in the Engine URL field.

Note: You do not need to include the data segment yourself. If you include it in the secret name/path, the read call to Vault includes /data/data, which is invalid.

AD Engine URL (required if you select the AD Vault Type): (AD) The URL Tenable Vulnerability Management uses to access the Active Directory engine. Example: /v1/path_to_secret. No trailing /

LDAP Engine URL (required if you select the LDAP Vault Type): (LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing /

Username Source (required): (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault.

Username Key (required): (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under.

Domain Key (optional): (KV1 and KV2) The name in Hashicorp Vault that domains are stored under.

Password Key (required): (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under.

Secret Name (required): (KV1, KV2, and AD) The key secret you want to retrieve values for.

Kerberos Target Authentication (optional): If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (required if Kerberos Target Authentication is enabled): This host supplies the session tickets for the user.

KDC Port (optional): The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

KDC Transport (optional): The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Domain (Windows) (required if Kerberos Target Authentication is enabled): The domain to which Kerberos Target Authentication belongs, if applicable.

Realm (SSH) (required if Kerberos Target Authentication is enabled): The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com).

Use SSL (optional): If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option.

Verify SSL Certificate (optional): If enabled, Tenable Vulnerability Management uses SSL for secure communications. Hashicorp Vault must be using SSL to enable this option.

Enable for Tenable Vulnerability Management (required): Enables/disables IBM DataPower Gateway use with Tenable Vulnerability Management.

Escalate Privileges with (SSH) (required if you wish to escalate privileges): Use a privilege escalation method such as su or sudo to use extra privileges when scanning.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Tenable Vulnerability Management. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide.

Escalation account credential ID or identifier (SSH) (optional): If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here.
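The Engine URL and Secret Name rules above (a /v1 path with no trailing slash, mount name only for KV2 because Vault inserts a data segment, and no data segment in the secret name) can be checked before a scan is saved. This added example, which is not Tenable's code, builds the read path for KV1, KV2 and AD types, returns the AppRole login request, and pulls the configured Username/Password/Domain keys out of a read response; the response shapes (fields under "data" for KV v1, under "data"/"data" for KV v2) follow Vault's documented API, and the sample responses and key names are constructed.

```python
from typing import Dict, Optional, Tuple


class VaultConfigError(ValueError):
    """Raised when the credential settings would produce an invalid Vault request."""


def validate_engine_url(engine_url: str, vault_type: str) -> str:
    """Apply the guide's rules for the Engine URL fields."""
    if not engine_url.startswith("/v1/"):
        raise VaultConfigError("engine URL must be a path starting with /v1/, not a full URL")
    if engine_url.endswith("/"):
        raise VaultConfigError("engine URL must not have a trailing /")
    # KV2: /v1/<mount_name> only; a path into the secret breaks the injected data segment.
    if vault_type == "KV2" and engine_url.count("/") != 2:
        raise VaultConfigError("KV2 engine URL must be /v1/<mount_name> with no secret path")
    return engine_url


def read_path(engine_url: str, vault_type: str, secret_name: str) -> str:
    """Path of the GET that reads the secret, per Vault type."""
    engine_url = validate_engine_url(engine_url, vault_type)
    secret_name = secret_name.strip("/")
    if vault_type == "KV2":
        if secret_name.split("/")[0] == "data":
            raise VaultConfigError("do not add the data segment yourself; the read would become /data/data")
        return "{}/data/{}".format(engine_url, secret_name)  # Vault injects data for KV v2
    if vault_type in ("KV1", "AD"):
        return "{}/{}".format(engine_url, secret_name)
    raise VaultConfigError("unsupported Vault type: {}".format(vault_type))


def rejects(engine_url: str, vault_type: str, secret_name: str) -> bool:
    """True when the settings are rejected before any request would be sent."""
    try:
        read_path(engine_url, vault_type, secret_name)
    except VaultConfigError:
        return True
    return False


def approle_login(auth_url: str, role_id: str, secret_id: str) -> Tuple[str, Dict[str, str]]:
    """Path and JSON body of the AppRole login (auth_url is a path such as /v1/auth/approle/login)."""
    if auth_url.startswith("http"):
        raise VaultConfigError("Authentication URL is a path, not a full URL")
    return auth_url, {"role_id": role_id, "secret_id": secret_id}


def extract_credential(response: Dict, vault_type: str, username_key: str,
                       password_key: str, domain_key: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Pull the configured keys out of a read response.

    KV v1 returns the secret fields directly under "data"; KV v2 nests them one
    level deeper under "data"/"data", the same extra segment seen in the path.
    """
    fields = response["data"]
    if vault_type == "KV2":
        fields = fields["data"]
    if username_key not in fields or password_key not in fields:
        raise VaultConfigError("secret lacks the configured username or password key")
    return {
        "username": fields[username_key],
        "password": fields[password_key],
        "domain": fields.get(domain_key) if domain_key else None,
    }


# Constructed responses shaped like Vault KV v1 / KV v2 read replies (not captured from a server).
SAMPLE_KV1_RESPONSE = {"data": {"user": "scanner", "pass": "placeholder-secret", "dom": "corp.example"}}
SAMPLE_KV2_RESPONSE = {"data": {"data": {"user": "scanner", "pass": "placeholder-secret"},
                                "metadata": {"version": 3}}}

if __name__ == "__main__":
    print(read_path("/v1/kv_mount_name", "KV2", "hosts/scanner"))
    print(extract_credential(SAMPLE_KV2_RESPONSE, "KV2", "user", "pass"))
```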

Windows Authentication Method: Kerberos

Username (required; default: None): The username on the target system.

Password (required; default: None): The user password on the target system.

Key Distribution Center (KDC) (required; default: None): The host that supplies the session tickets for the user.

KDC Port (optional; default: 88): Directs Tenable Vulnerability Management to connect to the KDC if it is running on a port other than 88.

KDC Transport (optional; default: TCP): The method by which you want to access the KDC server.

Note: If you set KDC Transport to UDP, you may also need to change the port number, because depending on the implementation, the KDC UDP protocol uses either port 88 or 750 by default.

Domain (required; default: None): The Windows domain that the KDC administers.

Windows Authentication Method: Lieberman RED

Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

Username (required): The target system's username.

Domain (optional): The domain, if the username is part of a domain.

Lieberman host (required): The Lieberman IP/DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

Lieberman port (required): The port on which Lieberman listens.

Lieberman API URL (optional): The URL Tenable Vulnerability Management uses to access Lieberman.

Lieberman user (required): The Lieberman explicit user for authenticating to the Lieberman RED API.

Lieberman password (required): The password for the Lieberman explicit user.

Lieberman Authenticator (optional): The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman.

Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user.

Lieberman Client Certificate (optional): The file that contains the PEM certificate used to communicate with the Lieberman host.

Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields.

Lieberman Client Certificate Private Key (optional): The file that contains the PEM private key for the client certificate.

Lieberman Client Certificate Private Key Passphrase (optional): The passphrase for the private key, if required.

Use SSL (optional): If Lieberman is configured to support SSL through IIS, check this option for secure communication.

Verify SSL Certificate (optional): If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

System Name (optional): In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name.

Windows Authentication Method: LM Hash


The Lanman authentication method was prevalent on Windows NT and early Windows 2000 server deployments. It is retained for backward compatibility.

Username (required): The username on the target system.

Hash (required): The hash you want to use.

Domain (optional): The Windows domain to which the username belongs.

Windows Authentication Method: NTLM Hash


The NTLM authentication method, introduced with Windows NT, provided improved security over Lanman authentication. The enhanced version, NTLMv2, is cryptographically more secure than NTLM and is the default authentication method chosen by Tenable Vulnerability Management when attempting to log into a Windows server. NTLMv2 can use SMB Signing.

Username (required): The username on the target system.

Hash (required): The hash you want to use.

Domain (optional): The Windows domain to which the username belongs.

Windows Authentication Method: Password

Username (required): The username on the target system.

Password (required): The user password on the target system.

Domain (optional): The Windows domain to which the username belongs.

Windows Authentication Method: QiAnXin

QiAnXin Host (required): The IP address or URL for the QiAnXin host.

QiAnXin Port (required): The port on which the QiAnXin API communicates. By default, Tenable uses 443.

QiAnXin API Client ID (required): The Client ID for the embedded account application created in QiAnXin PAM.

QiAnXin API Secret ID (required): The Secret ID for the embedded account application created in QiAnXin PAM.

Domain (optional): The domain to which the username belongs.

Username (required): The username to log in to the hosts you want to scan.

Host IP (optional): Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used.

Platform (optional): Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

• ACTIVE_DIRECTORY: Windows Domain Account
• WINDOWS: Windows Local Account
• LINUX: Linux Account
• SQL_SERVER: SQL Server Database
• ORACLE: Oracle Database
• MYSQL: MySQL Database
• DB2: DB2 Database
• HP_UNIX: HP Unix
• SOLARIS: Solaris
• OPENLDAP: OpenLDAP
• POSTGRESQL: PostgreSQL

Region ID (required only if using multiple regions): Specify the region ID of the asset containing the account to use.

Use SSL (optional): When enabled, Tenable uses SSL for secure communication. This is enabled by default.

Verify SSL Certificate (optional): When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA.

Windows Authentication Method: Thycotic Secret Server

Username: (Required) The username to authenticate via SSH to the system.

Domain: The domain to which the username belongs.

Thycotic Secret Name: (Required) The value of the secret on the Thycotic server. The secret is labeled Secret Name on the Thycotic server.

Thycotic Secret Server URL: (Required) The transfer method, target, and target directory for the scanner. You can find this value on the Thycotic server in Admin > Configuration > Application Settings > Secret Server URL.

For example, consider the following address: https://pw.mydomain.com/SecretServer/

- https indicates an SSL connection.
- pw.mydomain.com is the target address.
- /SecretServer/ is the root directory.

Thycotic Login Name: (Required) The username to authenticate to the Thycotic server.

Thycotic Password: (Required) The password to authenticate to the Thycotic server.

Thycotic Organization: The organization you want to query. You can use this value for cloud instances of Thycotic.

Thycotic Domain: The domain of the Thycotic server.

Verify SSL Certificate: Whether you want to verify if the SSL Certificate on the server is signed by a trusted CA.

Windows Authentication Method: BeyondTrust

Username: (Required) The username to log in to the hosts you want to scan.

Domain: The domain of the username, which is recommended if using domain-linked accounts (managed accounts of a domain that are linked to a managed system).

BeyondTrust host: (Required) The BeyondTrust IP address or DNS address.

BeyondTrust port: (Required) The port on which BeyondTrust listens.

BeyondTrust API user: (Required) The API user provided by BeyondTrust.

BeyondTrust API key: (Required) The API key provided by BeyondTrust.

Checkout duration: (Required) The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Vulnerability Management scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Vulnerability Management scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL: When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL certificate: When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Scan-wide Credential Type Settings for Windows

These settings apply to all Windows-type credentials in the current scan. You can edit these settings in any instance of the credential type in the current scan; your changes automatically apply to the other credentials of that type in the scan.

Never send credentials in the clear: (Default: enabled) By default, for security reasons, this option is enabled.

Do not use NTLMv1 authentication: (Default: enabled) If the Do not use NTLMv1 authentication option is disabled, then it is theoretically possible to trick Tenable Vulnerability Management into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Vulnerability Management. This hash can be potentially cracked to reveal a username or password. It may also be used to log into other servers directly. Force Tenable Vulnerability Management to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan: (Default: disabled) This option tells Tenable Vulnerability Management to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Vulnerability Management to execute some Windows local check plugins.

Enable administrative shares during the scan: (Default: disabled) This option allows Tenable Vulnerability Management to access certain registry entries that can be read with administrator privileges.

Start the Server service during the scan: (Default: disabled) When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes.

By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely.
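
The weak and hardened forms of these credential settings, side by side, as an added example that is not part of this guide or of Tenable's software. The dictionary keys and the PAM_INTEGRATIONS set are names assumed for this illustration, not Tenable API fields; the checks follow the option descriptions above, and the "import the private CA" advice follows the custom_CA.inc note in the Lieberman options.

```python
# Added example (not Tenable code): audit a Windows credential configuration
# against the scan-wide settings described in the guide. Dictionary keys are
# names assumed for this illustration, not Tenable API fields.

# Authentication methods in this section that carry Use SSL / Verify SSL
# options for the connection to the password vault (assumed spelling).
PAM_INTEGRATIONS = {
    "Lieberman", "QiAnXin", "Thycotic Secret Server",
    "BeyondTrust", "Centrify", "Arcon",
}

# Constructed sample: every protection switched off.
WEAK_CONFIG = {
    "auth_method": "BeyondTrust",
    "never_send_credentials_in_clear": False,
    "do_not_use_ntlmv1": False,
    "use_ssl": False,
    "verify_ssl_certificate": False,
}

# Constructed sample: the defaults the guide describes, plus TLS to the vault.
HARDENED_CONFIG = {
    "auth_method": "BeyondTrust",
    "never_send_credentials_in_clear": True,
    "do_not_use_ntlmv1": True,
    "use_ssl": True,
    "verify_ssl_certificate": True,
}


def audit_windows_credential(cfg):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []

    if not cfg.get("never_send_credentials_in_clear", False):
        findings.append(
            "'Never send credentials in the clear' is disabled: "
            "the scanner may transmit the password unprotected.")

    if not cfg.get("do_not_use_ntlmv1", False):
        findings.append(
            "'Do not use NTLMv1 authentication' is disabled: a hostile server "
            "can make the scanner answer with an NTLMv1 hash that may be "
            "cracked or reused against other hosts.")

    if cfg.get("auth_method") in PAM_INTEGRATIONS:
        if not cfg.get("use_ssl", False):
            findings.append(
                f"{cfg['auth_method']}: 'Use SSL' is disabled, so the vault "
                "session that fetches the scan password travels in clear text.")
        elif not cfg.get("verify_ssl_certificate", False):
            findings.append(
                f"{cfg['auth_method']}: 'Verify SSL certificate' is disabled, "
                "so the vault endpoint is not authenticated; import the "
                "private CA instead of skipping verification.")

    return findings


def hardened_copy(cfg):
    """Return a copy of cfg with every protection checked above switched on."""
    fixed = dict(cfg)
    fixed.update({
        "never_send_credentials_in_clear": True,
        "do_not_use_ntlmv1": True,
    })
    if fixed.get("auth_method") in PAM_INTEGRATIONS:
        fixed.update({"use_ssl": True, "verify_ssl_certificate": True})
    return fixed


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_windows_credential(cfg) or ['ok']}")
```

The two SSL checks are ordered deliberately: with Use SSL off there is no certificate to verify, so only the transport finding is reported, and the verification finding appears once SSL is on but unverified.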

Windows Authentication Method: Centrify

Centrify Host: (Required) The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Centrify Port: (Required) The port on which Centrify listens. By default, Tenable Vulnerability Management uses port 443.

API User: (Required) The API user provided by Centrify.

API Key: (Required) The API key provided by Centrify.

Tenant: (Required) The Centrify tenant associated with the API. By default, Tenable Vulnerability Management uses centrify.

Authentication URL: (Required) The URL Tenable Vulnerability Management uses to access Centrify. By default, Tenable Vulnerability Management uses /Security.

Password Query URL: (Required) The URL Tenable Vulnerability Management uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock.

Password Engine URL: (Required) The URL Tenable Vulnerability Management uses to access the passwords in Centrify. By default, Tenable Vulnerability Management uses /ServerManage.

Username: (Required) The username to log in to the hosts you want to scan.

Checkout Duration: (Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify.

Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Vulnerability Management scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Use SSL: When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option.

Verify SSL Certificate: When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option.

Windows Authentication Method: Arcon

Arcon Host: (Required) The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port: (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444.

API User: (Required) The API user provided by Arcon.

API Key: (Required) The API key provided by Arcon.

Authentication URL: (Required) The URL Tenable Security Center uses to access Arcon.

Password Engine URL: (Required) The URL Tenable Security Center uses to access the passwords in Arcon.

Username: (Required) The username to log in to the hosts you want to scan.

Arcon Target Type: (Optional) The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value.

Checkout Duration: (Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.

Privilege Escalation: The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.
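
The Checkout Duration constraints stated for BeyondTrust, Centrify and Arcon above amount to a window: the checkout must outlast a scan, yet expire before the next scheduled scan starts, and the vault's password change interval must not fall inside a scan. The following is an added example, not Tenable's or any PAM vendor's code, that checks a schedule against those constraints before the credential is saved. The schedule figures are constructed, and the 50% safety margin and the round-up-to-whole-hours policy for Arcon are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class CheckoutPlan:
    """Figures needed to reason about a vault-backed scan credential.

    All durations are in minutes; Arcon's hour-based field is derived below.
    """
    checkout_minutes: int       # Checkout Duration configured in the credential
    rotation_minutes: int       # password change interval configured in the vault
    scan_duration_minutes: int  # typical wall-clock duration of the scan
    scan_interval_minutes: int  # time between the starts of consecutive scans


def checkout_findings(plan):
    """Return the reasons a scan would fail under this plan, per the guide:
    the checkout must exceed the scan, must end before the next scan starts,
    and the vault must not rotate the password while a scan is running."""
    findings = []
    if plan.checkout_minutes <= plan.scan_duration_minutes:
        findings.append(
            f"checkout ({plan.checkout_minutes} min) does not exceed the "
            f"typical scan ({plan.scan_duration_minutes} min)")
    if plan.checkout_minutes >= plan.scan_interval_minutes:
        findings.append(
            f"checkout ({plan.checkout_minutes} min) is still active when the "
            f"next scan starts ({plan.scan_interval_minutes} min later); "
            "that scan fails")
    if plan.rotation_minutes <= plan.scan_duration_minutes:
        findings.append(
            f"password change interval ({plan.rotation_minutes} min) is "
            f"shorter than the scan ({plan.scan_duration_minutes} min); a "
            "rotation mid-scan fails the scan")
    return findings


def recommend_checkout_minutes(scan_duration_minutes, scan_interval_minutes,
                               margin=0.5):
    """Pick a checkout that exceeds the scan by `margin` (assumed 50%) but
    still expires before the next scheduled scan. Returns None when no value
    satisfies both bounds (scans scheduled back to back)."""
    candidate = math.ceil(scan_duration_minutes * (1 + margin))
    if candidate >= scan_interval_minutes:
        candidate = scan_interval_minutes - 1
    if candidate <= scan_duration_minutes:
        return None
    return candidate


def arcon_checkout_hours(checkout_minutes, scan_interval_minutes):
    """Arcon takes the checkout in hours: round up, then re-check the upper
    bound, because rounding can push the checkout past the next scan start.
    Returns None if no whole-hour value fits."""
    hours = math.ceil(checkout_minutes / 60)
    if hours * 60 >= scan_interval_minutes:
        return None
    return hours


if __name__ == "__main__":
    # Constructed schedule: a 45-minute scan every night (1440 min apart),
    # vault rotates the password daily, checkout set too short.
    nightly = CheckoutPlan(checkout_minutes=30, rotation_minutes=1440,
                           scan_duration_minutes=45, scan_interval_minutes=1440)
    for finding in checkout_findings(nightly):
        print("finding:", finding)
    minutes = recommend_checkout_minutes(45, 1440)
    print("recommended checkout:", minutes, "min; Arcon:",
          arcon_checkout_hours(minutes, 1440), "h")
```

The hour rounding matters for tight schedules: a scan that runs hourly cannot be given any whole-hour Arcon checkout, because even one hour overlaps the next start, and the function returns None rather than a value that would make every second scan fail.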

Windows Authentication Considerations

Regarding the authentication methods:

- Tenable Vulnerability Management automatically uses SMB signing if the remote Windows server requires it. SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack. There have been many different types of attacks against Windows security to elicit hashes from computers for re-use in attacking servers. SMB signing adds a layer of security to prevent these man-in-the-middle attacks.

- The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the users' Windows login credentials. Tenable Vulnerability Management supports use of SPNEGO with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be set in the Tenable Vulnerability Management scan configuration.

- If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Tenable Vulnerability Management attempts to log in via NTLMSSP/LMv2 authentication. If that fails, Tenable Vulnerability Management then attempts to log in using NTLM authentication.

- Tenable Vulnerability Management also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Windows Active Directory Server) must be provided.

Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network. Providing this information to Tenable Vulnerability Management allows it to find local information from a remote Windows host. For example, using credentials enables Tenable Vulnerability Management to determine if important security patches have been applied. It is not necessary to modify other SMB parameters from default settings.

The SMB domain field is optional and Tenable Vulnerability Management is able to log on with domain credentials without this field. The username, password, and optional domain refer to an account that the target machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a Windows server first looks for this username in the local system's list of users, and then determines if it is part of a domain.

Regardless of credentials used, Tenable Vulnerability Management always attempts to log into a Windows server with the following combinations:

- Administrator without a password
- A random username and password to test Guest accounts
- No username or password to test null sessions

The actual domain name is only required if an account name is different on the domain from that on the computer. It is entirely possible to have an Administrator account on a Windows server and within the domain. In this case, to log on to the local server, the username of Administrator is used with the password of that account. To log on to the domain, the Administrator username is also used, but with the domain password and the name of the domain.

When multiple SMB accounts are configured, Tenable Vulnerability Management attempts to log in with the supplied credentials sequentially. Once Tenable Vulnerability Management is able to authenticate with a set of credentials, it checks subsequent credentials supplied, but only uses them if administrative privileges are granted when previous accounts provided user access.

Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator, be used for credentialed scanning to ensure full access is permitted. On some versions of Windows, this account may be hidden. To unhide the real administrator account, open a DOS prompt with administrative privileges and run the following command:

C:\> net user administrator /active:yes

If an SMB account is created with limited administrator privileges, Tenable Vulnerability Management can easily and securely scan multiple domains. Tenable recommends that network administrators create specific domain accounts to facilitate testing. Tenable Vulnerability Management includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that are more accurate if a domain account is provided. Tenable Vulnerability Management does attempt to try several checks in most cases if no account is provided.

Note: The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry is not possible, even with full credentials. This service must be started for a Tenable Vulnerability Management credentialed scan to audit a system fully using credentials.

For more information, see the Tenable blog post Dynamic Remote Registry Auditing - Now you see it, now you don't!

Credentialed scans on Windows systems require using a full administrator level account. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, but not all of them. Tenable Vulnerability Management plugins check that the provided credentials have full administrative access to ensure the plugins execute properly. For example, full administrative access is required to perform direct reading of the file system. This allows Tenable Vulnerability Management to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated.
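
Two things from this section leave traces in a target's Security log that a defender can look for: a network logon negotiated down to NTLMv1 or LM (the downgrade the Do not use NTLMv1 authentication option refuses), and the default probes the scanner always makes (Administrator without a password, a random username against Guest, a null session). The following is an added example, not part of this guide or of Tenable's product, that triages logon events for both and separates probes coming from a known scanner address from the same activity coming from anywhere else. The event texts are constructed in the layout of Windows Security events 4624 and 4625 (abridged to the lines read here); the scanner address and account names are made up.

```python
import re

# Constructed sample events, abridged to the lines this example reads but laid
# out like the message text of Security events 4624 (success) and 4625
# (failure). Addresses and account names are made up.
SAMPLE_EVENTS = [
    """Event ID: 4624
Logon Type: 3
New Logon:
    Account Name: svc-scan
    Account Domain: CORP
Network Information:
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2""",
    """Event ID: 4625
Logon Type: 3
Account For Which Logon Failed:
    Account Name: Administrator
    Account Domain: FILESRV01
Network Information:
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2""",
    """Event ID: 4624
Logon Type: 3
New Logon:
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
Network Information:
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1""",
    """Event ID: 4624
Logon Type: 3
New Logon:
    Account Name: jdoe
    Account Domain: CORP
Network Information:
    Source Network Address: 10.0.9.77
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1""",
]

SCANNER_ADDRESSES = {"10.0.0.5"}  # constructed: the scanner's source address

FIELDS = {
    "event_id": r"Event ID:\s*(\d+)",
    "logon_type": r"Logon Type:\s*(\d+)",
    "account": r"Account Name:\s*(.+)",
    "source": r"Source Network Address:\s*(\S+)",
    "package": r"Package Name \(NTLM only\):\s*(.+)",
}


def parse_event(text):
    """Pull the fields above out of one event's message text. A full 4624
    carries two Account Name lines (subject and new logon); the last one is
    the account that logged on, so the last match is kept."""
    rec = {}
    for key, pattern in FIELDS.items():
        found = re.findall(pattern, text)
        rec[key] = found[-1].strip() if found else None
    return rec


def triage(rec, scanner_addresses=SCANNER_ADDRESSES):
    """Tag one parsed event; returns a sorted list (empty = nothing notable)."""
    tags = set()
    from_scanner = rec["source"] in scanner_addresses
    account = (rec["account"] or "").upper()
    package = (rec["package"] or "").upper()

    # Network logon that negotiated NTLMv1 or LM. From the scanner itself
    # (other than a null session, which carries no password) this means the
    # 'Do not use NTLMv1 authentication' option has been switched off.
    if rec["logon_type"] == "3" and package in {"NTLM V1", "LM"}:
        tags.add("legacy-ntlm")
        if from_scanner and account != "ANONYMOUS LOGON":
            tags.add("scanner-ntlmv1-misconfigured")

    # Null session, Guest, or a failed Administrator logon: the default
    # probes the guide lists. Expected from the scanner, worth a look elsewhere.
    is_probe = account in {"ANONYMOUS LOGON", "GUEST"} or (
        account == "ADMINISTRATOR" and rec["event_id"] == "4625")
    if is_probe:
        tags.add("expected-scanner-probe" if from_scanner else "unexpected-probe")

    return sorted(tags)


def triage_log(events, scanner_addresses=SCANNER_ADDRESSES):
    """Parse and tag every event; returns (account, source, tags) tuples."""
    results = []
    for text in events:
        rec = parse_event(text)
        results.append((rec["account"], rec["source"],
                        triage(rec, scanner_addresses)))
    return results


if __name__ == "__main__":
    for account, source, tags in triage_log(SAMPLE_EVENTS):
        print(f"{source:>12}  {account:<16} {tags or '-'}")
```

Keeping the scanner's address in an allow-set rather than suppressing these events entirely is the point: the same null-session or Guest attempt from an address that is not the scanner is exactly the kind of probe the log should surface.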

Privilege Escalation

You can add privilege escalation while creating a credentialed scan if the scan uses the following authentication methods found in the Elevate Privileges With portion of the Settings tab for your selected Authentication Method.

Authentication methods that support escalation: Arcon, certificate, CyberArk, Kerberos, password, public key, Thycotic Secret Server.

Supported escalation methods: .k5login, Cisco 'enable', dzdo, pbrun, su, su+sudo, sudo.

The tables below describe the additional credential options you must configure for privilege escalation. The escalation types each option applies to are shown in square brackets after the option name.

Note: BeyondTrust's PowerBroker (pbrun) and Centrify's DirectAuthorize (dzdo) are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using su+sudo allow the user to scan with a non-privileged account and then switch to a user with sudo privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using sudo vs. the root user do not always return the same results because of the different environmental variables applied to the sudo user and other subtle differences. For more information, see: https://www.sudo.ws/docs/man/sudo.man/.

Privilege Escalation Options for Arcon

Escalation Account Name [.k5login, dzdo, pbrun, su, su+sudo, sudo]: (Required) The username for the account with elevated privileges.

Escalation Username [.k5login, Cisco 'enable', dzdo, pbrun, su, su+sudo, sudo, Checkpoint Gaia 'expert']: (Required) The username for the account with elevated privileges.

Escalation password [dzdo, su, su+sudo]: (Required) The password for the account with elevated privileges.

Location of dzdo (directory) [dzdo]: The directory path for the dzdo command.

Location of pbrun (directory) [pbrun]: The directory path for the pbrun command.

Location of su (directory) [su]: The directory path for the su command.

Location of su and sudo (directory) [su+sudo]: The directory path for the su and sudo commands.

Location sudo (directory) [sudo]: The directory path for the sudo command.

SSH user password [pbrun]: (Required) The password for the account with elevated privileges.

su login [su]: (Required) The username for the account with su privileges.

su user [su+sudo]: (Required) The username for the account with su privileges.

sudo password [sudo]: (Required) The password for the account with sudo privileges.

sudo user [su+sudo, sudo]: (Required) The username for the account with sudo privileges.

Privilege Escalation Options for Certificate, Kerberos, Password, and Public Key

Enable password [Cisco 'enable']: (Required) The password to run the 'enable' utility on a Cisco device.

Escalation account [.k5login, pbrun, dzdo]: (Required) The username for the account with elevated privileges.

Escalation password [dzdo, pbrun, su, su+sudo]: (Required) The password for the account with elevated privileges.

Location of dzdo (directory) [dzdo]: The directory path for the dzdo command.

Location of pbrun (directory) [pbrun]: The directory path for the pbrun command.

Location of su (directory) [su]: The directory path for the su command.

Location of su and sudo (directory) [su+sudo]: The directory path for the su and sudo commands.

Location sudo (directory) [sudo]: The directory path for the sudo command.

SSH user password [pbrun]: (Required) The password for the account with elevated privileges.

su login [su]: (Required) The username for the account with su privileges.

su user [su+sudo]: (Required) The username for the account with su privileges.

sudo password [sudo]: (Required) The password for the account with sudo privileges.

sudo user [su+sudo, sudo]: (Required) The username for the account with sudo privileges.

Privilege Escalation Options for CyberArk

CyberArk Account Details Name [.k5login, Cisco 'enable', dzdo, pbrun, su, su+sudo, sudo]: (Required) The name parameter for the CyberArk account with elevated privileges.

Escalation account [dzdo]: (Required) The username for the account with elevated privileges.

Location of dzdo (directory) [dzdo]: The directory path for the dzdo command.

Location of pbrun (directory) [pbrun]: The directory path for the pbrun command.

Location of su (directory) [su]: The directory path for the su command.

Location of su and sudo (directory) [su+sudo]: The directory path for the su and sudo commands.

Location sudo (directory) [sudo]: The directory path for the sudo command.

su login [su]: (Required) The username for the account with su privileges.

su user [su+sudo]: (Required) The username for the account with su privileges.

sudo user [su+sudo, sudo]: (Required) The username for the account with sudo privileges.

Privilege Escalation Options for Thycotic Secret Server

Thycotic Escalation Account [.k5login, Cisco 'enable', dzdo, pbrun, su, su+sudo, sudo]: (Required) The name parameter for the Thycotic account with elevated privileges.

Location of dzdo (directory) [dzdo]: The directory path for the dzdo command.

Location of pbrun (directory) [pbrun]: The directory path for the pbrun command.

Location of su (directory) [su]: The directory path for the su command.

Location of su and sudo (directory) [su+sudo]: The directory path for the su and sudo commands.

Location sudo (directory) [sudo]: The directory path for the sudo command.

su user [su+sudo]: (Required) The username for the account with su privileges.

Miscellaneous

Tenable Vulnerability Management supports the additional authentication methods described below.

Note: Some credential types may not be available for configuration, depending on the scan template you selected.

ADSI

ADSI requires the domain controller information, domain, and domain admin and password.

ADSI allows Tenable Vulnerability Management to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Tenable Vulnerability Management authenticates to the domain controller (not the Exchange server) to directly query it for device information. This feature does not require any ports be specified in the scan configuration. These settings are required for mobile device scanning.

Domain Controller: (Required) Name of the domain controller for ActiveSync.

Domain: (Required) Name of the Windows domain for ActiveSync.

Domain Admin: (Required) Domain admin's username.

Domain Password: (Required) Domain admin's password.

Tenable Vulnerability Management supports obtaining the mobile information from Exchange Server 2010 and 2013 only; Tenable Vulnerability Management cannot retrieve information from Exchange Server 2007.

F5

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) Username for a scanning account on the F5 target.

Password: (Required) Password associated with the scanning account.

Port: Port to use when connecting to the F5 target.

HTTPS: When enabled, connect using secure communication (HTTPS). When disabled, connect using standard HTTP.

Verify SSL Certificate: Verify that the SSL certificate is valid. If you are using a self-signed certificate, disable this setting.

IBM iSeries

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) An iSeries username.

Password: (Required) An iSeries password.

Netapp API

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) Username for an account on the Netapp system that has HTTPS access.

Password: (Required) Password associated with the account.

vFiler: If this setting is blank, the scan audits for all discovered Netapp virtual filers (vFilers) on target systems. To limit the audit to a single vFiler, type the name of the vFiler.

Port: Ports to scan on target systems. Type a comma-separated list of port numbers.

Nutanix Prism

Note: This credential type is only available in the Advanced Network Scan template.

Nutanix Host: (Required) Hostname or IP address of the Nutanix Prism Central host.

Nutanix Port: (Required) The TCP port that the Nutanix Prism Central host listens on for communications from Tenable. Default: 9440.

Username: (Required) Username used for authentication to the Nutanix Prism Central host.

Password: (Required) Password used for authentication to the Nutanix Prism Central host.

Discover Host: This option adds any discovered Nutanix Prism Central hosts to the scan targets to be scanned.

Discover Virtual Machines: This option adds any discovered Nutanix Prism Central Virtual Machines to the scan targets to be scanned.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. Default: enabled.

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Default: enabled.

Tip: If you are using a self-signed certificate, disable this setting.

OpenStack

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) Username for an account on the OpenStack deployment.

Password: (Required) Password associated with the account.

Tenant Name for Authentication: (Required) Name of the specific tenant the scan uses to authenticate. A tenant (also known as a project) is a group of resources that can be controlled by users in the tenant.

Port: (Required) Port that the scanner uses to connect to OpenStack.

HTTPS: When enabled, connect using secure communication (HTTPS). When disabled, connect using standard HTTP.

Verify SSL Certificate: Verify that the SSL certificate is valid. If you are using a self-signed certificate, disable this setting.

Palo Alto Networks PAN-OS

Username: (Required) The PAN-OS username.

Password: (Required) The PAN-OS password.

Port: (Required) The management port number.

HTTPS: Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection.

Verify SSL Certificate: Verify that the SSL certificate is valid. If the target is using a self-signed certificate, disable this setting.

Red Hat Enterprise Virtualization (RHEV)

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) Username to log in to the RHEV server.

Password: (Required) Password to log in to the RHEV server.

Port: Port to connect to the RHEV server.

Verify SSL Certificate: Verify that the SSL certificate for the RHEV server is valid.

VMware ESX SOAP API

Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows you to access the ESX and ESXi servers via username and password. Additionally, you have the option of not enabling SSL certificate verification.

Note: This credential type is only available in the Advanced Network Scan template.

Username: (Required) Username to log in to the ESXi server.

Password: (Required) Password to log in to the ESXi server.

Do not verify SSL Certificate: Do not verify that the SSL certificate for the ESXi server is valid.

VMware vCenter SOAP API

VMware vCenter SOAP API allows you to access vCenter. If available, the vCenter REST API is used to collect data in addition to the SOAP API.

For more information on configuring VMware vCenter SOAP API, see Configure vSphere Scanning.

Note: You must use a vCenter admin account with read and write permissions.

vCenter Host: (Required) Name of the vCenter host.

vCenter Port: Port to access the vCenter host.

Username: (Required) Username to log in to the vCenter server.

Password: (Required) Password to log in to the vCenter server.

HTTPS: Connect to the vCenter via SSL.

Verify SSL Certificate: Verify that the SSL certificate for the ESXi server is valid.

VMware vCenter Auto Discovery

Note: This credential type is only available in the Advanced Network Scan template.

Tenable can access vCenter through the native VMware vCenter SOAP API. If available, Tenable uses the vCenter REST API to collect data in addition to the SOAP API.

Note: Tenable supports VMware vCenter/ESXi versions 7.0.3 and later for authenticated scans. This does not impact vulnerability checks for VMware vCenter/ESXi, which do not require authentication.

Note: The SOAP API requires a vCenter account with read permissions and settings privileges. The REST API requires a vCenter admin account with general read permissions and required Lifecycle Manager privileges to enumerate VIBs.

vCenter Host: (Required) The name of the vCenter host.

vCenter Port: (Required) The TCP port that vCenter listens on for communications from Tenable. Default: 443.

Username: (Required) The username for the vCenter server account with admin read/write access that Tenable uses to perform checks on the target system.

Password: (Required) The password for the vCenter server user.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. Default: enabled.

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. Default: enabled.

Tip: If you are using a self-signed certificate, disable this setting.

Auto Discover Managed VMware ESXi Hosts: This option adds any discovered VMware ESXi hypervisor hosts to the scan targets you include in your scan. Default: not enabled.

Auto Discover Managed VMware ESXi Virtual Machines: This option adds any discovered VMware ESXi hypervisor virtual machines to the scan targets you include in your scan. Default: not enabled.

X.509

Note: This credential type is only available in the Advanced Network Scan template.

Client certificate: (Required) The client certificate.

Client key: (Required) The client private key.

Password for key: (Required) The passphrase for the key.

CA certificate to trust: (Required) The trusted Certificate Authority's (CA) digital certificate.

Mobile

Note: Some credential types may not be available for configuration, depending on the scan template you selected.

ActiveSync

Domain Controller: The domain controller for ActiveSync.

Domain: The Windows domain for ActiveSync.

Domain Username: The username for the domain administrator's account that Tenable Vulnerability Management uses to authenticate to ActiveSync.

Domain Password: The password for the domain administrator user.

Scanner: Specifies which scanner Tenable Vulnerability Management uses when scanning the server. Tenable Vulnerability Management can only use one scanner to add data to a mobile repository.

Update Schedule: Specifies when Tenable Vulnerability Management scans the server to update the mobile repository. On each scan, Tenable Vulnerability Management removes the current data in the repository and replaces it with data from the latest scan. Default: Every day at 12:30 -04:00.
AirWatch

Setting | Default Value | Description | Required

AirWatch Environment API URL | – | The Workspace ONE API URL endpoint (for example, https://xxx.awmdm.com/api). | yes
Port | 443 | The TCP port that AirWatch listens on for communications from Tenable. | yes
Username | – | The username for the AirWatch user account Tenable uses to authenticate to Workspace One's API. | yes
Password | – | The password for the AirWatch user. | yes
API Key | – | The API key for the VMware Workspace ONE API. | yes
HTTPS | Enabled | When enabled, Tenable Vulnerability Management authenticates over an encrypted (HTTPS) connection; when disabled, over an unencrypted (HTTP) connection. | no
Verify SSL Certificate | Enabled | When enabled, Tenable Vulnerability Management verifies that the SSL certificate on the server is signed by a trusted CA. | no

Blackberry UEM

Option | Description

Hostname | The server URL to authenticate with Blackberry UEM.
Port | The port to use to authenticate with Blackberry UEM.
Tenant | The SRP ID in Blackberry UEM.

Note: To locate the SRP ID in Blackberry UEM:
1. In the Blackberry UEM top navigation bar, click the Help drop-down.
2. Click About Blackberry UEM. An information window containing the SRP ID appears.
3. Copy the SRP ID.

Domain | The domain name for Blackberry UEM.
Username | The username for the account you want Tenable Vulnerability Management to use to authenticate to Blackberry UEM.
Password | The password for the account you want Tenable Vulnerability Management to use to authenticate to Blackberry UEM.
HTTPS | When enabled, Tenable Vulnerability Management uses an encrypted connection to authenticate with Blackberry UEM.
Verify SSL Certificate | When enabled, Tenable Vulnerability Management verifies that the SSL Certificate on the server is signed by a trusted CA.

Intune

Option | Description

Tenant | The Microsoft Azure Directory (tenant) ID visible in your App registration.
Client | The Microsoft Azure Application (client) ID generated during your App registration.
Secret | The secret key generated when you created your client secret key in Microsoft Azure.
Username | The username for the account you want Tenable Vulnerability Management to use to authenticate to Intune.
Password | The password for the account you want Tenable Vulnerability Management to use to authenticate to Intune.

MaaS360

Setting | Default Value | Description | Required

Username | – | The username to authenticate. | yes
Password | – | The password to authenticate. | yes
Root URL | – | The server URL to authenticate with MaaS360. | yes
Platform ID | – | The Platform ID provided for MaaS360. | yes
Billing ID | – | The Billing ID provided for MaaS360. | yes
App ID | – | The App ID provided for MaaS360. | yes
App Version | – | The App Version of MaaS360. | yes
App access key | – | The App Access Key provided for MaaS360. | yes
Collect All Device Data | On | When enabled, the scan collects all data types. When disabled, the scan collects one or more types of data to decrease the scan time; choose one or more of the following collection options: Collect Device Summary, Collect Device Applications, Collect Device Compliance, Collect Device Policies. | no

MobileIron

Setting | Default Value | Description | Required

VSP Admin Portal URL | – | The server URL Tenable Vulnerability Management uses to authenticate with the MobileIron Admin Portal. | yes
VSP Admin Portal Port | 443 | The port Tenable Vulnerability Management uses to authenticate with the MobileIron Admin Portal. | no
Port | 443 | The port Tenable Vulnerability Management uses to authenticate with the MobileIron System Manager. | yes
Username | – | The username to authenticate. | yes
Password | – | The password to authenticate. | yes
HTTPS | Enabled | Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection. | no
Verify SSL Certificate | Enabled | Whether Tenable Vulnerability Management verifies that the SSL certificate on the server is signed by a trusted CA. | no

Workspace ONE

Note: For the Workspace ONE integration to function properly, you must be assigned all the Read-Only permissions available for the role. For more information, see the VMware documentation.

Setting | Default Value | Description | Required

Workspace ONE Environment API URL | – | The Workspace ONE API URL endpoint (for example, https://xxx.awmdm.com/api). | yes
Port | 443 | The TCP port that Workspace ONE listens on for communications from Tenable. | yes
Workspace ONE Username | – | The username for the Workspace ONE user account Tenable uses to authenticate to Workspace ONE's API. | yes
Workspace ONE Password | – | The password for the Workspace ONE user. | yes
API Key | – | The API key for the VMware Workspace ONE API. | yes
HTTPS | Enabled | When enabled, Tenable Vulnerability Management authenticates over an encrypted (HTTPS) connection; when disabled, over an unencrypted (HTTP) connection. | no
Verify SSL Certificate | Enabled | When enabled, Tenable Vulnerability Management verifies that the SSL certificate on the server is signed by a trusted CA. | no
Collect All Device Data | Yes | Collects all device data required for plugin checks. | no
Collect Device Applications | Yes | (Enabled if Collect All Device Data is set to "No") Collects applications installed on mobile devices. | no

Patch Management

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

Tenable Vulnerability Management can leverage credentials for patch management systems to
perform patch auditing on systems for which credentials may not be available.


Note: Patch management integration is not available on Tenable Nessus Essentials, Tenable Nessus
Professional, Tenable Nessus Expert, or managed Tenable Nessus scanners.

Tenable Vulnerability Management supports:


- Dell KACE K1000
- HCL BigFix
- Microsoft System Center Configuration Manager (SCCM)
- Microsoft Windows Server Update Services (WSUS)
- Red Hat Satellite Server
- Symantec Altiris

You can configure patch management options in the Credentials section while creating a scan, as
described in Create a Vulnerability Management Scan.

IT administrators are expected to manage the patch monitoring software and install any agents
required by the patch management system on their systems.

Note: If the credential check sees a system but it is unable to authenticate against the system, it uses the
data obtained from the patch management system to perform the check. If Tenable Vulnerability
Management is able to connect to the target system, it performs checks on that system and ignores the
patch management system output.

Note: The data returned to Tenable Vulnerability Management by the patch management system is only as
current as the most recent data that the patch management system has obtained from its managed hosts.

Scanning with Multiple Patch Managers
If you provide multiple sets of credentials to Tenable Vulnerability Management for patch
management tools, Tenable Vulnerability Management uses all of them.

If you provide credentials for a host and for one or more patch management systems, Tenable
Vulnerability Management compares the findings from all methods and either reports on conflicts or
provides a satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to
highlight patch data differences between the host and a patch management system.

Dell KACE K1000


KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux,
Windows, and macOS systems. Tenable Vulnerability Management can query KACE K1000 to verify
whether or not patches are installed on systems managed by KACE K1000 and display the patch
information through the Tenable Vulnerability Management user interface.

Tenable Vulnerability Management supports KACE K1000 versions 6.x and earlier.

KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.

Option | Description | Default

Server | (Required) The KACE K1000 IP address or system name. | -
Database Port | (Required) The TCP port that KACE K1000 listens on for communications from Tenable Vulnerability Management. | 3306
Organization Database Name | (Required) The name of the organization component for the KACE K1000 database (e.g., ORG1). | ORG1
Database Username | (Required) The username for the KACE K1000 account that Tenable Vulnerability Management uses to perform checks on the target system. | R1
K1000 Database Password | (Required) The password for the KACE K1000 user. | -

HCL Tivoli Endpoint Manager (BigFix)


HCL Bigfix is available to manage the distribution of updates and hotfixes for desktop
systems. Tenable Vulnerability Management can query HCL Bigfix to verify whether or not patches
are installed on systems managed by HCL Bigfix and display the patch information.

Package reporting is supported by RPM-based and Debian-based distributions that HCL Bigfix
officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and
Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless
HCL Bigfix officially supports them, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian,
Ubuntu, and Solaris are supported. Plugin 160250 must be enabled.

Tenable Vulnerability Management supports HCL Bigfix 9.5 and later and 10.x and later.

HCL Bigfix scanning uses the following Tenable plugins: 160247, 160248, 160249, 160250, and
160251.

Option | Description | Default

Web Reports Server | (Required) The name of the HCL Bigfix Web Reports server. | -
Web Reports Port | (Required) The TCP port that the HCL Bigfix Web Reports server listens on for communications from Tenable Vulnerability Management. | -
Web Reports Username | (Required) The username for the HCL Bigfix Web Reports administrator account that Tenable Vulnerability Management uses to perform checks on the target system. | -
Web Reports Password | (Required) The password for the HCL Bigfix Web Reports administrator user. | -
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled
Verify SSL certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. | Enabled

Tip: If you are using a self-signed certificate, disable this setting.

HCL Bigfix Server Configuration


In order to use these auditing features, you must make changes to the HCL Bigfix server. You must
import a custom analysis into HCL Bigfix so that detailed package information is retrieved and
made available to Tenable Vulnerability Management.

From the HCL BigFix Console application, import the following .bes files.

BES file:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting.</Description>
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:43:29 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then
repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset"
architecture of operating system) of filesets of products of object repository else if (exists true whose (if tr
debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|
architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianp
(exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of
"|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exi
(if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as st
"pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true w
then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of p
pkgdb else "<unsupported>"]]></Property>

<Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Property>
<Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowerc
"SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file
"/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
</Analysis>
</BES>

BES file:

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Task>
<Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
<Description><![CDATA[&lt;enter a description of the task here&gt; ]]></Description>
<GroupRelevance JoinByIntersection="false">
<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
<SearchText>SunOS 5.10</SearchText>
<Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS 5.10" as lowercase)</Relevance>
</SearchComponentPropertyReference>
</GroupRelevance>
<Category></Category>
<Source>Internal</Source>
<SourceID></SourceID>
<SourceReleaseDate>2021-05-12</SourceReleaseDate>
<SourceSeverity></SourceSeverity>
<CVENames></CVENames>
<SANSID></SANSID>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:50:58 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<DefaultAction ID="Action1">
<Description>
<PreLink>Click </PreLink>
<Link>here</Link>
<PostLink> to deploy this action.</PostLink>
</Description>
<ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_patches.b64
]]></ActionScript>
</DefaultAction>
</Task>
</BES>
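
The "Packages - With Versions (Tenable)" property above reports each installed package as one pipe-delimited string whose layout depends on the package type (deb and rpm carry name|version|type|arch|os_arch, pkg and the AIX fileset omit the package arch, pkg10 carries only name|version|type, and a host with no supported package manager returns the literal <unsupported>). The parser below is an added Python example, not Tenable's or HCL's code, for checking what the analysis returns before a scan relies on it; the sample lines are constructed and the fileset layout is inferred from the truncated relevance text above.

```python
"""Parse package strings emitted by the 'Packages - With Versions (Tenable)' BigFix analysis.

Added example, not Tenable or HCL code. Field layouts follow the relevance
expression in the BES file above; the 'fileset' layout is an assumption because
that part of the expression is truncated on the page. Sample input is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNSUPPORTED = "<unsupported>"

# Fields that follow the common (name, version, <type>) prefix, per package type.
TRAILING_FIELDS = {
    "fileset": ("os_arch",),        # AIX filesets (assumed layout)
    "deb": ("arch", "os_arch"),     # Debian packages
    "rpm": ("arch", "os_arch"),     # RPM packages
    "pkg": ("os_arch",),            # Solaris IPS packages
    "pkg10": (),                    # Solaris 10 SVR4 packages
}


@dataclass
class Package:
    name: str
    version: str
    pkg_type: str
    arch: Optional[str] = None
    os_arch: Optional[str] = None


def parse_package(line: str) -> Optional[Package]:
    """Parse one analysis result line; return None for <unsupported> or a malformed line."""
    line = line.strip()
    if not line or line == UNSUPPORTED:
        return None
    fields = line.split("|")
    if len(fields) < 3:
        return None
    name, version, pkg_type = fields[0], fields[1], fields[2]
    trailing = TRAILING_FIELDS.get(pkg_type)
    # Unknown type, or a field count that does not match the type's layout, is rejected
    # rather than guessed at, so a truncated or tampered line never yields a record.
    if trailing is None or len(fields) - 3 != len(trailing):
        return None
    extra = dict(zip(trailing, fields[3:]))
    return Package(name, version, pkg_type, extra.get("arch"), extra.get("os_arch"))


def parse_results(lines: List[str]) -> Tuple[List[Package], int]:
    """Parse many lines; return (packages, number of lines that could not be parsed)."""
    packages: List[Package] = []
    rejected = 0
    for line in lines:
        pkg = parse_package(line)
        if pkg is None:
            rejected += 1
        else:
            packages.append(pkg)
    return packages, rejected


def installed_version(packages: List[Package], name: str) -> Optional[str]:
    """Version of the named package, or None if the host did not report it."""
    for pkg in packages:
        if pkg.name == name:
            return pkg.version
    return None


# Constructed sample: a Debian line, an RPM line, a Solaris 10 line, an unsupported host, and junk.
SAMPLE_LINES = [
    "openssl|1.1.1k-1+deb11u1|deb|amd64|x86_64",
    "kernel|3.10.0-1160.el7|rpm|x86_64|x86_64",
    "SUNWcsl|11.10.0,REV=2005.01.21.15.53|pkg10",
    "<unsupported>",
    "garbage-without-type",
]

if __name__ == "__main__":
    pkgs, bad = parse_results(SAMPLE_LINES)
    for p in pkgs:
        print(p)
    print(f"{bad} line(s) not parsed")
```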

Microsoft System Center Configuration Manager (SCCM)


Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of
Windows-based systems. Tenable Vulnerability Management can query the SCCM service to verify
whether or not patches are installed on systems managed by SCCM and display the patch
information through the scan results.

Tenable Vulnerability Management connects to the server that is running the SCCM site (the
credentials must be valid for the SCCM service, so the selected user must have privileges to query
all the data in the SCCM MMC). This server may also run the SQL database, or the database and the
SCCM repository can be on separate servers. When leveraging this audit, the sensors that Tenable
Vulnerability Management uses must be able to connect to the SCCM server via WMI and HTTPS.

Note: SCCM scanning with Tenable products requires one of the following roles: Read-only Analyst,
Operations Administrator, or Full Administrator. For more information, see Setting Up SCCM Scan Policies.

SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.

Note: SCCM patch management plugins support versions from SCCM 2007 up to and including
Configuration Manager version 2309.

Credential | Description | Default

Server | (Required) The SCCM IP address or system name. | -
Domain | (Required) The name of the SCCM server's domain. | -
Username | (Required) The username for the SCCM user account that Tenable Vulnerability Management uses to perform checks on the target system. The user account must have privileges to query all data in the SCCM MMC. | -
Password | (Required) The password for the SCCM user with privileges to query all data in the SCCM MMC. | -

Microsoft Windows Server Update Services (WSUS)


Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of
updates and hotfixes for Microsoft products. Tenable Vulnerability Management can query WSUS to
verify whether or not patches are installed on systems managed by WSUS and display the patch
information through the Tenable Vulnerability Management user interface.

WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.

Option | Description | Default

Server | (Required) The WSUS IP address or system name. | -
Port | (Required) The TCP port that Microsoft WSUS listens on for communications from Tenable Vulnerability Management. | 8530
Username | (Required) The username for the WSUS administrator account that Tenable Vulnerability Management uses to perform checks on the target system. | -
Password | (Required) The password for the WSUS administrator user. | -
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. | Enabled

Tip: If you are using a self-signed certificate, disable this setting.

Red Hat Satellite 5 Server


Red Hat Satellite is a systems management platform for Linux-based systems. Tenable Vulnerability
Management can query Satellite to verify whether or not patches are installed on systems managed
by Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server,
the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based
on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat
Enterprise Linux.

Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.

Option | Description | Default

Satellite Server | (Required) The Red Hat Satellite IP address or system name. | -
Port | (Required) The TCP port that Red Hat Satellite listens on for communications from Tenable Vulnerability Management. | 443
Username | (Required) The username for the Red Hat Satellite account that Tenable Vulnerability Management uses to perform checks on the target system. | -
Password | (Required) The password for the Red Hat Satellite user. | -
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. | Enabled

Tip: If you are using a self-signed certificate, disable this setting.

Red Hat Satellite 6 Server


Red Hat Satellite 6 is a systems management platform for Linux-based systems. Tenable
Vulnerability Management can query Satellite to verify whether or not patches are installed on
systems managed by Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk
Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage
distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite
server for Red Hat Enterprise Linux.

Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238,
84231, 84232, and 84233.

Option | Description | Default

Satellite Server | (Required) The Red Hat Satellite 6 IP address or system name. | -
Port | (Required) The TCP port that Red Hat Satellite 6 listens on for communications from Tenable Vulnerability Management. | 443
Username | (Required) The username for the Red Hat Satellite 6 account that Tenable Vulnerability Management uses to perform checks on the target system. | -
Password | (Required) The password for the Red Hat Satellite 6 user. | -
HTTPS | When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. | Enabled
Verify SSL Certificate | When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. | Enabled

Tip: If you are using a self-signed certificate, disable this setting.

Symantec Altiris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux,
Windows, and macOS systems. Tenable Vulnerability Management has the ability to use the Altiris
API to verify whether or not patches are installed on systems managed by Altiris and display the
patch information through the Tenable Vulnerability Management user interface.

Tenable Vulnerability Management connects to the Microsoft SQL server that is running on the
Altiris host. When leveraging this audit, if the MSSQL database and Altiris server are on separate
hosts, Tenable Vulnerability Management must connect to the MSSQL database, not the Altiris
server.

Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.

Credential | Description | Default

Server | (Required) The Altiris IP address or system name. | -
Database Port | (Required) The TCP port that Altiris listens on for communications from Tenable Vulnerability Management. | 5690
Database Name | (Required) The name of the MSSQL database that manages Altiris patch information. | Symantec_CMDB
Database Username | (Required) The username for the Altiris MSSQL database account that Tenable Vulnerability Management uses to perform checks on the target system. Credentials must be valid for an MSSQL database account with the privileges to query all the data in the Altiris MSSQL database. | -
Database Password | (Required) The password for the Altiris MSSQL database user. | -
Use Windows Authentication | When enabled, use NTLMSSP for compatibility with older Windows Servers. When disabled, use Kerberos. | Disabled

Plaintext Authentication

Caution: Using plaintext credentials is not recommended. Use encrypted authentication methods when
possible.

If a secure method of performing credentialed checks is not available, you can configure Tenable
Vulnerability Management to perform checks over unsecure protocols using the Plaintext
Authentication settings.

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

FTP
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

HTTP
Setting | Default | Description | Required

Authentication method | HTTP Login Form | The authentication method. Supported values are listed below. | yes

- Automatic authentication
- Basic/Digest authentication
- HTTP login form — Controls where authenticated testing of a custom web-based application begins.
- HTTP cookies import — Facilitates web application testing by using cookies imported from another piece of software (e.g., web browser, web proxy, etc.) when attempting to access a web application.

Method: Automatic Authentication

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

Method: Basic/Digest authentication

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

Method: HTTP login form

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes
Login page | – | The absolute path to the login page of the application, e.g., /login.html. | yes
Login submission page | – | The action parameter for the form method. For example, the login form for <form method="POST" name="auth_form" action="/login.php"> would be /login.php. | yes
Login parameters | – | Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, the keywords will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process). | yes
Check authentication on page | – | The absolute path of a protected web page that requires authentication, to better assist Tenable Vulnerability Management in determining authentication status, e.g., /admin.html. | yes
Regex to verify successful authentication | – | A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Tenable Vulnerability Management can attempt to match a given string such as Authentication successful! | yes

Method: HTTP cookies import

Cookies file | – | Upload a cookie file. The file must be in Netscape format. | yes

All methods: Scan-wide Credential Type Settings

Login method | POST | Specify if the login action is performed via a GET or POST request. | yes
Re-authenticate delay (seconds) | 0 | The time delay between authentication attempts. Setting a time delay is useful to avoid triggering brute force lockout mechanisms. | yes
Follow 30x redirections (# of levels) | 0 | If a 30x redirect code is received from a web server, this setting directs Tenable Vulnerability Management to follow the link provided or not. | yes
Invert authenticated regex | Disabled | A regex pattern to look for on the login page, that if found, tells Tenable Vulnerability Management that authentication was not successful (e.g., Authentication failed!). | no
Use authenticated regex on HTTP headers | Disabled | Rather than search the body of a response, Tenable Vulnerability Management can search the HTTP response headers for a given regex pattern to better determine authentication state. | no
Case insensitive authenticated regex | Disabled | The regex searches are case sensitive by default. This instructs Tenable Vulnerability Management to ignore case. | no
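
The HTTP login form settings above combine into one decision: a login request built from the Login parameters template, then a check of the Check authentication on page response against the success regex, the Invert authenticated regex, the headers switch, and the case-insensitive switch. The following Python model is an added example that mirrors those option descriptions; it is not Tenable's implementation, and the responses it evaluates are constructed.

```python
"""Model of how the HTTP login-form settings combine into an authentication decision.

Added example, not Tenable's implementation. It follows the option descriptions
in the table above: %USER%/%PASS% substitution in Login parameters, Regex to
verify successful authentication, Invert authenticated regex, Use authenticated
regex on HTTP headers, and Case insensitive authenticated regex. Sample
responses are constructed.
"""
import re
from typing import Dict, Optional
from urllib.parse import quote


def build_login_body(template: str, username: str, password: str) -> str:
    """Substitute %USER% and %PASS% in a 'Login parameters' template.

    Values are URL-encoded so a password containing '&' or '=' cannot break the
    parameter structure of the submitted form.
    """
    return (template
            .replace("%USER%", quote(username, safe=""))
            .replace("%PASS%", quote(password, safe="")))


def auth_state(status: int, headers: Dict[str, str], body: str,
               success_regex: Optional[str] = None,
               failure_regex: Optional[str] = None,
               on_headers: bool = False,
               case_insensitive: bool = False) -> bool:
    """Decide whether the response to the 'Check authentication on page' request is authenticated.

    success_regex    'Regex to verify successful authentication' (must match).
    failure_regex    'Invert authenticated regex' (a match means NOT authenticated).
    on_headers       search the response headers instead of the body.
    case_insensitive ignore case in both regex searches.
    A 200 status on its own is never treated as proof of a session.
    """
    if status >= 400:
        return False
    flags = re.IGNORECASE if case_insensitive else 0
    haystack = ("\n".join(f"{k}: {v}" for k, v in headers.items())
                if on_headers else body)
    # The failure marker wins over the success marker: a page that says
    # "Authentication failed!" is not a session even if it also echoes the success text.
    if failure_regex and re.search(failure_regex, haystack, flags):
        return False
    if success_regex:
        return re.search(success_regex, haystack, flags) is not None
    # Nothing configured to verify the session: treat as not authenticated.
    return False


if __name__ == "__main__":
    # Constructed login request and response.
    print(build_login_body("login=%USER%&password=%PASS%", "alice", "p&ss=1"))
    print(auth_state(200, {}, "<p>Authentication successful!</p>",
                     success_regex="Authentication successful!"))
    print(auth_state(200, {"Set-Cookie": "session=abc123; Path=/"}, "",
                     success_regex=r"session=\w+", on_headers=True))
```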

IMAP
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

IPMI
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

NNTP
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

POP2
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

POP3
Setting | Default Value | Description | Required?

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

SNMPv1/v2c
SNMPv1/v2c configuration allows you to use community strings for authentication to network
devices. You can configure up to four SNMP community strings.

Setting | Default Value | Description | Required

Community string | public | The community string Tenable Vulnerability Management uses to authenticate on the host device. | yes

Scan-wide Credential Type Settings

UDP Port | 161 | Port where Tenable Vulnerability Management attempts to authenticate on the host device. | no
Additional UDP port #1 | 161 | Additional port where Tenable Vulnerability Management attempts to authenticate on the host device. | no
Additional UDP port #2 | 161 | Additional port where Tenable Vulnerability Management attempts to authenticate on the host device. | no
Additional UDP port #3 | 161 | Additional port where Tenable Vulnerability Management attempts to authenticate on the host device. | no

telnet/rsh/rexec
Tenable Vulnerability Management performs patch auditing on non-Windows targets only.

Setting | Default Value | Description | Required

Username | – | Login user's name. | yes
Password | – | Password of the user specified. | yes

Scan-wide Credential Type Settings

Perform patch audits over telnet | Disabled | Tenable Vulnerability Management uses telnet to connect to the host device for patch audits. | no
Perform patch audits over rsh | Disabled | Tenable Vulnerability Management uses rsh to connect to the host device for patch audits. | no
Perform patch audits over rexec | Disabled | Tenable Vulnerability Management uses rexec to connect to the host device for patch audits. | no

Compliance in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Compliance settings in the scan.
You can only modify these settings in the related user-defined template.

Tenable Vulnerability Management can perform vulnerability scans of network services as well as
log in to servers to discover any missing patches.

However, a lack of vulnerabilities does not mean the servers are configured correctly or are
“compliant” with a particular standard.

You can use Tenable Vulnerability Management to perform vulnerability scans and compliance
audits to obtain all of this data at one time. If you know how a server is configured, how it is
patched, and what vulnerabilities are present, you can determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class, security and
risk can be analyzed globally. This allows auditors and network managers to spot trends in non-
compliant systems and adjust controls to fix these on a larger scale.

When configuring a scan or policy, you can include one or more compliance checks, also known as
audits. Each compliance check requires specific credentials.

Some compliance checks are preconfigured by Tenable, but you can also create and upload custom
audits.

For more information on compliance checks and creating custom audits, see the Compliance
Checks Reference.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is
limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to
incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in
your scan policies be targeted and specific for the scan's scope and compliance requirements.

Compliance Check | Required Credentials

Adtran AOS | SSH
Alcatel TiMOS | SSH
Amazon AWS | Amazon AWS
Arista EOS | SSH
ArubaOS | SSH
Blue Coat ProxySG | SSH
Brocade FabricOS | SSH
Check Point GAiA | SSH
Cisco ACI | SSH
Cisco Firepower | SSH
Cisco IOS | SSH
Cisco Viptela | SSH
Citrix Application Delivery | SSH
Database | Database
Extreme ExtremeXOS | SSH
F5 | F5
FireEye | SSH
Fortigate FortiOS | SSH
Generic SSH | SSH
Google Cloud Platform | SSH
HP ProCurve | SSH
Huawei VRP | SSH
IBM DB2 DB | Database
IBM iSeries | IBM iSeries
Juniper Junos | SSH
Microsoft Azure | Microsoft Azure
Mobile Device Manager | AirWatch or Mobileiron
MongoDB | MongoDB
Microsoft SQL Server DB | Database
MySQL DB | Database
NetApp API | NetApp API
NetApp Data ONTAP | SSH
OpenShift | OpenShift Container Platform
OpenStack | OpenStack
Oracle DB | Database
Palo Alto Networks PAN-OS | PAN-OS
Rackspace | Rackspace
RHEV | RHEV
Salesforce.com | Salesforce SOAP API
SonicWALL SonicOS | SSH
Splunk | Splunk API
Sybase DB | Database
Unix | SSH
Unix File Contents | SSH
VMware vCenter/vSphere | VMware ESX SOAP API or VMware vCenter SOAP API
WatchGuard | SSH
Windows | Windows
Windows File Contents | Windows
Zoom | Zoom
ZTE ROSNG | SSH

SCAP Settings in Tenable Vulnerability Management Scans


Security Content Automation Protocol (SCAP) is an open standard that enables automated
management of vulnerabilities and policy compliance for an organization. SCAP relies on multiple
open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

Tenable Vulnerability Management allows you to add SCAP (and OVAL) compliance checks to your
scans. You can only configure SCAP settings when you use the SCAP and OVAL Auditing scan
template.

Caution: SCAP scans in Tenable Vulnerability Management are unverified.

You can select Linux (SCAP), Linux (OVAL), Windows (SCAP), or Windows (OVAL). The following
table describes each option's settings:

Linux (SCAP) or Windows (SCAP)

SCAP File
    Default value: None
    A valid zip file that contains full SCAP content. The file contains XCCDF, OVAL, and CPE for
    versions 1.0 and 1.1, or a DataStream for version 1.2.

SCAP Version
    Default value: 1.2
    The SCAP version that is appropriate for the content in the uploaded SCAP file.

SCAP Data Stream ID
    Default value: None
    (SCAP Version 1.2 only) The data-stream id that you copied from the SCAP XML file.

    Example:

    <data-stream id="scap_gov.nist_datastream_USGCB-Windows-10-1.2.3.1.zip">

SCAP Benchmark ID
    Default value: None
    The Benchmark id that you copied from the SCAP XML file.

    Example:

    <xccdf:Benchmark id="xccdf_gov.nist_benchmark_USGCB-Windows-7">

SCAP Profile ID
    Default value: None
    The Profile id that you copied from the SCAP XML file.

    Example:

    <xccdf:Profile id="xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_1.2.3.1">

OVAL Result Type
    Default value: Full results w/ system characteristics
    The information you want the results file to include. The results file can be one of the
    following types: Full results with system characteristics, Full results without system
    characteristics, or Thin results.

Linux (OVAL) or Windows (OVAL)

OVAL definitions file
    Default value: None
    A valid zip file that contains OVAL standalone content.
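The three IDs above are copied by hand from the SCAP XML, which is error-prone when a content zip bundles several benchmarks and profiles. As an added example (not Tenable code), this Python script opens a SCAP content zip, lists every data-stream, Benchmark and Profile ID it contains, and checks that a chosen triple is consistent before you enter it; the zip contents are constructed for illustration and reuse the IDs quoted in the table.

```python
"""Added example (not Tenable code): list the data-stream, Benchmark and Profile IDs
inside a SCAP content zip, i.e. the values the SCAP Data Stream ID, SCAP Benchmark ID
and SCAP Profile ID settings ask you to copy from the SCAP XML file.
The zip content below is constructed for illustration and is not real USGCB content."""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by SCAP 1.2 source data streams and by XCCDF 1.1 / 1.2.
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XCCDF_NS = (
    "http://checklists.nist.gov/xccdf/1.2",  # XCCDF inside SCAP 1.2 data streams
    "http://checklists.nist.gov/xccdf/1.1",  # standalone XCCDF in SCAP 1.0 / 1.1 bundles
)

# Constructed minimal SCAP 1.2 data stream; the IDs mirror the examples in the settings table.
SAMPLE_DATASTREAM_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_gov.nist_collection_USGCB-Windows-10-1.2.3.1.zip">
  <ds:data-stream id="scap_gov.nist_datastream_USGCB-Windows-10-1.2.3.1.zip"
      scap-version="1.2" use-case="CONFIGURATION">
    <ds:checklists>
      <ds:component-ref id="scap_gov.nist_cref_xccdf" xlink:href="#scap_gov.nist_comp_xccdf"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_gov.nist_comp_xccdf" timestamp="2024-01-01T00:00:00">
    <xccdf:Benchmark id="xccdf_gov.nist_benchmark_USGCB-Windows-7">
      <xccdf:Profile id="xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_1.2.3.1">
        <xccdf:title>USGCB baseline (constructed sample)</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def build_sample_zip() -> bytes:
    """Pack the constructed XML into an in-memory zip, like the file uploaded to SCAP File."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("usgcb-windows-10-ds.xml", SAMPLE_DATASTREAM_XML)
    return buf.getvalue()


def list_scap_ids(zip_bytes: bytes) -> dict:
    """Return the data-stream IDs and, per Benchmark ID, the Profile IDs it declares.

    Profiles are keyed by Benchmark because the Profile ID you enter must belong to the
    Benchmark ID you enter."""
    ids = {"data_streams": [], "benchmarks": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            # SCAP 1.2 only: <ds:data-stream id="..."> inside the collection.
            for ds in root.iter(f"{{{DS_NS}}}data-stream"):
                ids["data_streams"].append(ds.get("id"))
            # XCCDF Benchmark / Profile IDs; present for SCAP 1.0, 1.1 and 1.2 content.
            for ns in XCCDF_NS:
                for bench in root.iter(f"{{{ns}}}Benchmark"):
                    profiles = [p.get("id") for p in bench.iter(f"{{{ns}}}Profile")]
                    ids["benchmarks"][bench.get("id")] = profiles
    return ids


def check_selection(ids: dict, data_stream: str, benchmark: str, profile: str) -> list:
    """Return the problems with a proposed (data stream, benchmark, profile) triple.

    An empty list means the three IDs are consistent with the uploaded content."""
    problems = []
    if data_stream not in ids["data_streams"]:
        problems.append(f"data-stream id {data_stream!r} not found in content")
    if benchmark not in ids["benchmarks"]:
        problems.append(f"Benchmark id {benchmark!r} not found in content")
    elif profile not in ids["benchmarks"][benchmark]:
        problems.append(f"Profile id {profile!r} is not declared by Benchmark {benchmark!r}")
    return problems


if __name__ == "__main__":
    found = list_scap_ids(build_sample_zip())
    print("data streams:", found["data_streams"])
    for bench, profiles in found["benchmarks"].items():
        print("benchmark:", bench)
        for prof in profiles:
            print("  profile:", prof)
    # A mistyped profile is reported before you paste the IDs into the scan settings.
    print(check_selection(found,
                          "scap_gov.nist_datastream_USGCB-Windows-10-1.2.3.1.zip",
                          "xccdf_gov.nist_benchmark_USGCB-Windows-7",
                          "xccdf_gov.nist_profile_not_in_content"))
```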

Configure Plugins in Tenable Vulnerability Management Scans

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

Required Template Permissions: Can Configure

Note: If a scan is based on a user-defined template, you cannot configure Plugin settings in the scan. You
can only modify these settings in the related user-defined template.

Note: When Tenable adds new plugins to Tenable Vulnerability Management, the new plugins are
automatically enabled if the entire plugin family they belong to is enabled in your scan policy template.

If you create a scan or user-defined template using the Tenable-provided Advanced Scan template,
you can configure which security checks the scan performs by enabling or disabling plugins
individually or by plugin family.

When you create and save a scan or user-defined template, it records all the plugins that are
initially selected. When new plugins are received via a plugin update, the plugins are automatically
enabled if the family with which the plugins are associated is enabled. If the family has been
disabled or partially enabled, new plugins in that family are also automatically disabled.

Caution: The Denial of Service family contains some plugins that could cause outages on a network if the
Safe Checks option is not enabled, in addition to some useful checks that do not cause any harm. The
Denial of Service family can be used with Safe Checks to ensure that any potentially dangerous plugins
are not run. However, Tenable recommends that you do not use Denial of Service family on a production
network except during a maintenance window and when staff are ready to respond to any issues.

To configure plugins for a scan or user-defined template:

1. Do one of the following:

   a. Create or edit a scan.

   b. Create or edit a user-defined template.

2. In the left menu of the scan configuration page, click Plugins.

   The Plugins page appears. This page contains a table of plugin families.

3. Do one of the following:

   - Filter the plugin families table by various attributes.

   - Search the plugin families table by plugin family name. For more information on
     searching, see Tenable Vulnerability Management Tables.

4. To enable or disable all the plugins in a plugin family, click the Status toggle in the row for
   the plugin family.

   - On — The scan includes the security checks associated with the plugin family.

   - Off — The scan excludes the security checks associated with the plugin family.

5. To enable or disable specific plugins for an individual plugin family:

   a. In the plugin families table, click the plugin family where you want to edit plugins. The
      plugin family plane appears.

   b. (Optional) Click an individual plugin to review plugin details (Synopsis, Description, and
      Solution).

   c. For each plugin you want to enable or disable, select or clear the Status checkbox.

   d. Click Save.

      The Plugins page appears. In the plugin families table, Tenable Vulnerability
      Management updates the plugin family status as follows:

      - On — If you enabled all plugins for the plugin family, the scan includes the security
        checks associated with the plugin family.

      - Off — If you disabled all plugins for the plugin family, the scan excludes the
        security checks associated with the plugin family.

        Tip: Disabling a plugin family reduces the time and resources required to run the scan.

      - Mixed — If you enabled only some of the plugins for the plugin family, the scan
        includes only the enabled plugins. Mixed plugin families have a padlock icon that
        is locked or unlocked:

        - Locked — New plugins added to the plugin family via plugin feed updates are
          disabled automatically in the policy.

        - Unlocked — New plugins added to the plugin family via plugin feed updates
          are enabled automatically in the policy.

   e. Click Save to save your changes to the plugin family.

6. Click Save to save your changes to the scan or user-defined template.

Tenable Web App Scanning Scan Settings


Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Tenable Web App Scanning scan settings are organized into the following categories:

- Basic Settings in User-Defined Templates

- Basic Settings in Tenable Web App Scanning Scans

- Scope Settings in Tenable Web App Scanning Scans

- Report Settings in Tenable Web App Scanning Scans

- Assessment Settings in Tenable Web App Scanning Scans

- Advanced Settings in Tenable Web App Scanning Scans

- Credentials in Tenable Web App Scanning Scans

- Plugin Settings in Tenable Web App Scanning Scans

Settings in User-Defined Templates


When configuring settings for user-defined templates, note the following:

- If you configure a setting in a user-defined template, that setting applies to any scans you
  create based on that user-defined template.

- You base a user-defined template on a Tenable-provided template. Most of the settings are
  identical to the settings you can configure in an individual scan that uses the same Tenable-
  provided template.

  However, certain Basic settings are unique to creating a user-defined template, and do not
  appear when configuring an individual scan. For more information, see Basic Settings in User-
  Defined Templates.

- You can configure certain settings in a user-defined template, but cannot modify those
  settings in an individual scan based on a user-defined template. These settings include
  Discovery, Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to
  modify these settings for individual scans, create individual scans based on a Tenable-
  provided template instead.

- If you configure Credentials in a user-defined template, other users can override these
  settings by adding scan-specific or managed credentials to scans based on the template.

Basic Settings in Tenable Web App Scanning Scans


Configure settings to specify basic organizational and security-related aspects of your scan
configuration. This includes specifying the name of the scan, one or more targets, whether the scan
is scheduled, and who has access to the scan.

You can configure settings when you create a scan or user-defined scan template and select any
scan type. For more information, see Scan Templates.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and
configure a user-defined scan template.

The Basic settings include the following sections:

- General

- Schedule

- Notifications

- User Permissions

- Data Sharing

General
The general settings for a scan.

Name
    Default value: none. Required: Yes.
    Specifies the name of the scan or template.

Description
    Default value: none. Required: No.
    Specifies a description of the scan or template.

Folder
    Default value: My Scans. Required: Yes.
    Specifies the folder where the scan appears after being saved.

Scanner Type
    Default value: Internal Scanner. Required: Yes.
    Specifies whether a local, internal scanner or a cloud-managed scanner performs the scan, and
    determines whether the Scanner field lists local or cloud-managed scanners to choose from.

Scanner
    Default value: varies. Required: Yes.
    Specifies the scanner that performs the scan.

Target
    Default value: none. Required: Yes.
    Specifies the URL for the target you want to scan, as it appears on your Tenable Web App
    Scanning license. Regular expressions and wildcards are not allowed. Targets must start with
    the http:// or https:// protocol identifier.

    The Import from file link opens a file manager window. You can import a target list in TXT
    format with one target per line. The file must be 1MB or smaller, and each line must be
    shorter than 4096 characters. After you add targets, you can search and delete targets from
    the list. You cannot modify targets inline.

    Tip: If you upload a new target list, it replaces any existing targets in the scan. If you
    have multiple target lists, consolidate them in one file before you upload them to Tenable
    Web App Scanning.

    You can add up to 1000 targets to a scan, with the exception of scans that include API
    targets. API scans support only one target at a time.

    Note: If the URL you type in the Target box has a different FQDN host from the URL that
    appears on your license, and your scan runs successfully, the new URL you type counts as an
    additional asset on your license.

    Note: If you create a user-defined scan template, the target setting is not saved to the
    template. Type a target each time you create a new scan.

Schedule
The schedule settings for the scan.

Note: If you create a user-defined scan template, your schedule settings are not saved to the scan
template. Configure the schedule settings each time you create a new scan.

Schedule
    Default: off
    A toggle that specifies whether the scan is scheduled. By default, scans are not scheduled.

    When the Schedule toggle is disabled, the other schedule settings remain hidden.

    Click the toggle to enable the schedule and view the remaining Schedule settings.

Frequency
    Default: Once
    Specifies how often the scan is launched.

    Note: The frequency with which you scan your target(s) depends on several factors (e.g., how
    often you update your web application, the content your web application contains, etc.). For
    most web applications, Tenable recommends at least monthly scans.

    - Once: Schedule the scan at a specific time.

    - Daily: Schedule the scan to occur on a daily basis, at a specific time, up to 20 days.

    - Weekly: Schedule the scan to occur on a recurring basis, by time and day of week, up to
      20 weeks.

    - Monthly: Schedule the scan to occur every 1-20 months, by:

      - Day of Month: The scan repeats on a specific day of the month at the selected time.

      - Week of Month: The scan repeats monthly on the week you begin the scan. For example,
        if you select a start date of October 3rd, and that falls on the first week of the
        month, then the scan repeats the first week of each subsequent month at the selected
        time.

      Note: If you schedule your scan to recur monthly and by time and day of the month,
      Tenable recommends setting a start date no later than the 28th day. If you select a start
      date that does not exist in some months (e.g., the 29th), Tenable Vulnerability
      Management cannot run the scan on those days.

    - Yearly: Schedule the scan to occur every year, by time and day, up to 20 years.

Starts
    Default: varies
    Specifies the exact date and time at which a scan launches.

    Note: If you schedule an excessive number of scans to run concurrently, you may exhaust the
    scanning capacity on Tenable Web App Scanning. If necessary, Tenable Web App Scanning
    staggers concurrent scans to ensure consistent scanning performance.

    The starting date defaults to the date you create the scan. The starting time is the next
    hour interval, displayed in 24-hour clock format. For example, if you create your scan on
    October 31, 2019 at 9:12 PM, the default starting date and time is 10/31/2019 and 22:00.

Timezone
    Default: varies
    The time zone of the value set for Starts.

Notifications
The notification settings for a scan.

Email Recipient(s)
    Default value: None
    Specifies zero or more email addresses, separated by commas, whitespace, or new lines, that
    are alerted when a scan completes and the results are available.

User Permissions
Share the scan or user-defined scan template with other users by setting permissions for users. For
more information on adding or editing user permissions, see Set Scan Permissions.

No Access (Default)
    Users set to this permission cannot interact with the scan in any way.

Can View
    Users set to this permission can view the results of the scan.

Can Control
    In addition to the tasks allowed by Can View, users with this permission can launch and stop
    a scan. They cannot view or edit the scan configuration or delete the scan.

Can Configure
    In addition to the tasks allowed by Can Control, users with this permission can view the scan
    configuration and modify any setting for the scan except scan ownership. They can also
    delete the scan.

Data Sharing

Scan Results
    Default value: Show in dashboard
    Specifies whether the results of the scan should be kept private or appear on your Dashboard
    and Findings pages. When set to Keep private, the scan results Last Seen dates do not update
    and you must access the scan directly to view the results.

Scope Settings in Tenable Web App Scanning Scans

Configure Scope settings to specify the URLs and file types that you want to include in or exclude
from your scan.

You can configure Scope settings when you create a scan or user-defined scan template and select
the Overview or Scan template type. For more information, see Scan Templates.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and
configure a user-defined scan template.

The Scope settings include the following sections:

- Crawl Scripts

- OpenAPI (Swagger) Specification

- Scan Inclusion

- Scan Exclusion

Crawl Scripts
Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex
access logic.

Note: If you add more than one target to your scan, these settings are disabled.

Add File
    Hyperlink that allows you to add one or more recorded Selenium script files to your scan.

    Your script must be added as a .side file.

OpenAPI (Swagger) Specification


The specification (file upload or URL of the file location) for the RESTful API that you want to scan.
The file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or
YAML format.

File
    Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3)
    specification files as a file upload. The specification files should be represented in either
    JSON or YAML format.

URL
    Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3)
    specification files by entering the URL of the file location. The specification files should
    be represented in either JSON or YAML format.

Scan Inclusion
The URLs you want the scanner to include, along with how you want the scanner to crawl them.

Note: If you add more than one target to your scan, these settings are disabled.

List of URLs
    Default: none
    A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you
    specified in the Basic settings.

    Type each URL as an absolute URL.

    Type each URL on a separate line.

    Note: All URLs should have the same domain and wildcards are not allowed.

Specify how the scanner handles URLs found during the application crawl
    Default: Crawl all URLs detected
    Specifies the limits you want the scanner to adhere to as it crawls URLs. Select one of the
    following:

    - Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the
      target URL's domain host.

    - Limit crawling to specified URLs and child paths — The scanner crawls only the target URL
      and child paths.

    - Limit crawling to specified URLs — The scanner crawls the target URL only. It does not
      crawl child paths for the target URL.

Scan Exclusion
The attributes of URLs you want the scanner to exclude from your scan.

Regex for Excluded URLs
    Default value: logout
    Text box option in which you can specify a regex pattern that the scanner can look for in
    URLs to exclude from the scan. You can specify multiple regex patterns separated by new
    lines.

    Note: The regex values should be values contained within the URL to be excluded. For
    example, in the URL http://www.example.com/blog/today.htm, valid regex values would be
    blog or today (not the full URL). Additionally, regex values are case-sensitive.

File Extensions to Exclude
    Default value: js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico, woff, woff2, exe,
    msi, zip
    Text box option in which you can specify the file types you want the scanner to exclude from
    the scan. Separate each file type with a comma.

    Note: Excluding certain file extensions may be useful, as the scanner may not realize that
    something is not a web page and may attempt to scan it as if it actually is a web page. This
    wastes time and slows down the scan. You can add additional file extensions if you know you
    use them and are certain they do not need to be scanned. For example, Tenable includes
    different image extensions by default: .png, .jpeg, etc.

Decompose Paths
    Default value: not selected
    Check box option that allows you to specify whether you want the scanner to break down each
    URL identified during the scan into additional URLs, based on directory path level.

    For example, if you specify www.example.com/dir1/dir2/dir3 as your target and select
    Decompose Paths, the scanner analyzes each of the following as separate URLs of the target:

    - www.example.com/dir1/dir2/dir3

    - www.example.com/dir1/dir2

    - www.example.com/dir1

    Select this option to increase the surface coverage of your web application scan.

    Note: Scans that include path decomposition can take longer to complete than scans that do
    not.

Exclude Binaries
    Default value: selected
    Check box option that allows you to specify whether you want the scanner to audit URLs with
    responses in binary format.

    Select this option to increase the surface coverage of your web application scan.

    Note: Scans that include binaries can take longer to complete, because the scanner cannot
    read the binary responses.

Miscellaneous
Deduplicate Similar Pages
    Checkbox option that allows you to specify whether you want the scanner to ignore pages in
    situations when similar pages have already been audited.
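To see what the Scan Exclusion rules above actually do to a crawl, here is an added Python example (not Tenable code) that applies case-sensitive regex exclusions, the default excluded file extensions, and the Decompose Paths expansion to a constructed list of crawled URLs and reports which URLs would be audited and why the rest were dropped.

```python
"""Added example (not Tenable code): apply the Scan Exclusion rules to a list of crawled URLs:
case-sensitive regex patterns searched anywhere in the URL, excluded file extensions, and the
Decompose Paths expansion of each URL into its parent directory paths.
The URLs and settings below are constructed for illustration."""
import re
from urllib.parse import urlsplit, urlunsplit

# Default File Extensions to Exclude, as listed in the Scan Exclusion settings.
DEFAULT_EXCLUDED_EXTENSIONS = (
    "js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico, woff, woff2, exe, msi, zip"
)


def parse_extensions(csv_text: str) -> set:
    """Parse the comma-separated extension list into a lowercase set without leading dots."""
    return {ext.strip().lstrip(".").lower() for ext in csv_text.split(",") if ext.strip()}


def parse_regexes(text: str) -> list:
    """Compile one case-sensitive regex per non-empty line, as the settings box expects."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def exclusion_reason(url: str, regexes: list, extensions: set):
    """Return why the URL would be excluded from the scan, or None if it would be crawled.

    A regex only needs to match a substring of the URL (the note says 'blog' or 'today',
    not the full URL) and matching is case-sensitive; the extension is taken from the
    last path segment, so query strings do not affect it."""
    for rx in regexes:
        if rx.search(url):
            return f"regex {rx.pattern!r}"
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = last_segment.rsplit(".", 1)[-1]
        if ext.lower() in extensions:
            return f"extension {ext!r}"
    return None


def decompose_paths(url: str) -> list:
    """Expand a URL into itself plus each parent directory path, deepest first.

    Mirrors the Decompose Paths example: /dir1/dir2/dir3 -> /dir1/dir2 -> /dir1.
    Parent URLs keep scheme and host only; any query string belongs to the original URL."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    urls = [url]
    for depth in range(len(segments) - 1, 0, -1):
        path = "/" + "/".join(segments[:depth])
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return urls


def plan_scan(urls: list, regex_text: str, extension_text: str, decompose: bool) -> dict:
    """Split crawled URLs into those to audit and those excluded (keyed by URL, with reason)."""
    regexes = parse_regexes(regex_text)
    extensions = parse_extensions(extension_text)
    candidates = []
    for url in urls:
        candidates.extend(decompose_paths(url) if decompose else [url])
    audit, excluded = [], {}
    for url in dict.fromkeys(candidates):  # de-duplicate while preserving crawl order
        reason = exclusion_reason(url, regexes, extensions)
        if reason:
            excluded[url] = reason
        else:
            audit.append(url)
    return {"audit": audit, "excluded": excluded}


# Constructed crawl results for illustration.
CRAWLED = [
    "http://www.example.com/blog/today.htm",
    "http://www.example.com/account/logout",
    "http://www.example.com/account/Logout",   # different case: the 'logout' regex does not match
    "http://www.example.com/static/app.js",
    "http://www.example.com/dir1/dir2/dir3",
]

if __name__ == "__main__":
    result = plan_scan(CRAWLED, "logout\nblog", DEFAULT_EXCLUDED_EXTENSIONS, decompose=True)
    for url in result["audit"]:
        print("audit   ", url)
    for url, why in result["excluded"].items():
        print("excluded", url, "->", why)
```

The /account/Logout entry surviving the default pattern is the case-sensitivity caveat from the note in practice: a logout link with different capitalisation needs its own pattern or the scanner will follow it and end its session.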

Assessment Settings in Tenable Web App Scanning Scans

Assessment settings specify which web application elements you want the scanner to audit as it
crawls your URLs. You can configure Assessment settings when you create a scan or user-defined
scan template. For more information, see Scan Templates.

The Assessment settings include the following sections:

- Scan Type

- Common and Backup Pages

- Credentials Bruteforcing

- Elements to Audit

- Optional

- DOM Element Exclusion

Scan Type
These settings specify the intensity of the assessment you want the scanner to perform.

Assessment
    Default value: Recommended. Required: Yes.
    Drop-down box that allows you to choose from the following options to specify the scan type
    you want the scanner to perform.

    - Recommended — The scanner audits elements based on Tenable's recommendations.

    - None — The scanner does not audit any elements.

    - Quick — The scanner audits the most common elements listed.

    - Extensive — The scanner audits all the elements listed.

    - Custom — The scanner audits only the elements you select.

    Note: If you select Recommended, Quick, or Extensive and then make changes to the settings in
    this section, the Scan Type setting automatically changes to Custom.

Common and Backup Pages


Detection Level
    Default value: Most Detected Pages
    Drop-down box that allows you to choose from the following options to specify which pages
    you want the scanner to crawl.

    - Most Detected Pages - The scanner crawls only the most detected pages.

    - Extended Dictionary - The scanner tests more path variations for detecting hidden pages,
      increasing the overall scan duration.

    Note: The Detection Level drop-down box is available only when you select Custom in the Scan
    Type settings.

Credentials Bruteforcing
The Credentials Bruteforcing setting is available only for the Scan template.

Credentials Bruteforcing
    Default: Disabled
    When enabled, any plugins that perform bruteforcing included in the Plugins settings run.

    When disabled, bruteforcing plugins do not run, even if they are included in the Plugins
    settings.

    Note: The Credentials Bruteforcing setting is available only when you select Custom in the
    Scan Type settings.

File Upload Assessment


File Upload Assessment
    Default: Disabled
    When enabled, the scanner attempts to detect file upload vulnerabilities based on generic
    attacks against relevant inputs, or specific attacks against known software vulnerabilities.
    A file upload vulnerability detection can remotely create files on the scanned web
    application which the scanner cannot delete.

Elements to Audit
These settings specify the elements in your web application that you want the scanner to analyze
for vulnerabilities.

Cookies
    Checks for cookie-based vulnerabilities.

Headers
    Checks for header vulnerabilities and insecure configurations (for example, missing
    X-Frame-Options).

Forms
    Checks for form-based vulnerabilities.

Links and Query String Parameters
    Checks for vulnerabilities in links and their parameters.

Parameter Names
    Performs extensive fuzzing of parameter names.

Parameter Values
    Performs extensive fuzzing of parameter values.

Path Parameters
    Assesses path parameters. Path parameters are used in URL rewrite to identify the object of
    the action within the URL. For example, scanId is a path parameter for the following URL,
    used to identify the scan to display results:

    http://example.com/scan/scanId/results

JSON Elements / Request Body (JSON)
    Audits JSON request data.

XML Elements / Request Body (XML)
    Audits XML request data.

UI Forms
    Checks input and button groups associated with JavaScript code.

    Note: With UI Forms, Tenable Web App Scanning takes the inputs on the page, and any buttons,
    and creates form-like elements from them (UI Forms). For each button, Tenable Web App
    Scanning creates a UIForm element with inputs that are all the inputs on the page.

UI Inputs
    Checks orphan input elements against associated document object model (DOM) events.

    Note: UI Inputs are when there is an input that responds to an event. For example, after
    typing in the input in a search bar, the search bar responds to an "onEnter" event which
    loads the next page. So, Tenable Web App Scanning creates a UIInput element to audit this
    vector as well.

Optional
URL for Remote Inclusion
    Default: None
    Specifies a file on a remote host that Tenable Web App Scanning can use to test for a Remote
    File Inclusion (RFI) vulnerability.

    If the scanner cannot reach the internet, the scanner uses this internally-hosted file for
    more accurate RFI testing.

    Note: If you do not specify a file, Tenable Web App Scanning uses a safe, Tenable-hosted file
    for RFI testing.

DOM Element Exclusion


DOM element exclusions prevent scans from interacting with specific page elements and their
children. This setting is available for Scan, Overview, and PCI scan templates.

Note: When the scanner is deciding whether to exclude an element based on an attribute value, it
performs an equality check. So, if you want to exclude any element with css class foo, the scanner
excludes an element that has class="foo", but not an element that has class="foo bar".

You can add exclusions by clicking the button and selecting Text Contents or CSS Attribute.

Text Contents
    Default: None
    Excludes elements based on text contents.

    For example, if you want to prevent the scanner from clicking a logout button named Log Out,
    you could match the text Log Out.

CSS Attribute
    Default: None
    Excludes elements based on a CSS attribute key-value pair.

    For example, if you want to prevent the scanner from interacting with a form that contains
    the CSS attribute key-value pair id="logout", type id for the key and logout for the value.

Report Settings in Tenable Web App Scanning Scans


Report settings specify extra items to include in the scan report. For example, scan reports for
Tenable PCI ASV scans require load balancer usage details if applicable.

You can configure Report settings when you create a scan or user-defined scan template using the
Tenable-provided scan template, PCI. For more information, see Scan Templates.

The Report settings include the following sections:

- (Tenable PCI ASV 6.1) Load Balancers Usage

(Tenable PCI ASV 6.1) Load Balancers Usage


This setting specifies load balancer usage to include in the scan report.

(Tenable PCI ASV 6.1) Load Balancers Usage
    Default value: None. Required: No.
    Text box that allows you to enter a list of load balancers and their configuration as
    required for Tenable PCI ASV if applicable.

Advanced Settings in Tenable Web App Scanning Scans


Advanced settings specify additional controls you want to implement in a web application scan.

You can configure Advanced settings when you create a scan or user-defined scan template using
any Tenable-provided scan template. However, the Overview and Scan template types have more
configurable Advanced settings than the Config Audit and SSL TLS template types. For more
information, see Scan Templates.

The Advanced Settings options allow you to control the efficiency and performance of the scan.

- General

- HTTP Settings

- Screen Settings

- Limits

- Selenium Settings

- Performance Settings

- Session Settings

General
You can configure General options in scans and user-defined scan templates based on the
Overview and Scan templates only.

Target Scan Max Time (HH:MM:SS)
    Default: 08:00:00
    Specifies the maximum duration a scan job runs before stopping, displayed in hours, minutes,
    and seconds.

    Note: The maximum duration you can set is 99:59:59 (hours:minutes:seconds).

Maximum Queue Time (HH:MM:SS)
    Default: 08:00:00
    Specifies the maximum duration the scan remains in the Queued state, displayed in hours,
    minutes, and seconds.

    Note: The maximum duration you can set is 48:00:00 (hours:minutes:seconds).

Enable Debug logging for this scan
    Default: disabled
    Specifies whether the scanner attaches available debug logs from plugins to the
    vulnerability output of this scan.

Debug Flags
    Default: disabled
    (Only visible when you enable the Enable Debug logging for this scan feature.) Allows you to
    specify key and value pairs, provided by support, for debugging.

HTTP Settings
These settings specify the user-agent you want the scanner to identify and the HTTP response
headers you want the scanner to include in requests to the web application.

You can configure Crawl Settings options in scans and user-defined scan templates based on any
Tenable-provided scan template.

Use a different User Agent to identify scanner
    Default: disabled
    Specifies whether you want the scanner to use a user-agent header other than Chrome when
    sending an HTTP request.

User Agent
    Default: Chrome's user-agent
    Specifies the name of the user-agent header you want the scanner to use when sending an HTTP
    request.

    You can configure this option only after you select the Use a different User Agent to
    identify scanner checkbox.

    By default, Tenable Web App Scanning uses the user-agent that Chrome uses for the operating
    system and platform that corresponds to your machine's operating system and platform. For
    more information about Chrome's user-agents, see the Google Chrome Documentation.

    Note: The current Tenable Web App Scanning user-agent header is:
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36

    Note: Not all requests from a scanner are guaranteed to have the User Agent sent.

Add Scan ID HTTP Header
    Default: disabled
    Specifies whether the scanner adds an additional X-Tenable-Was-Scan-Id header (set with the
    scan ID) to all HTTP requests sent to the target, which allows you to identify scan jobs in
    web server logs and modify your scan configurations to secure your sites.

Custom Headers
    Default: none
    Specifies the custom headers you want to inject into each HTTP request, in request and
    response format.

    You can add additional custom headers by clicking the button and typing the values for each
    additional header.

    Note: If you enter a custom User-Agent header, that value overrides the value entered in the
    User Agent setting box.
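Because the default user-agent is an ordinary Chrome string, the X-Tenable-Was-Scan-Id header is the reliable way to tell scanner requests apart in server logs. The following added Python example (not Tenable code) assumes the web server was configured to write that header into its access log (an nginx-style format with the header value as the last field is assumed; the log lines and scan ID are constructed) and groups requests per scan, reports peak request rate and server errors, and flags scanner hits on paths you expected the Scan Exclusion settings to keep out.

```python
"""Added example (not Tenable code): pick Tenable Web App Scanning traffic out of web server
access logs using the X-Tenable-Was-Scan-Id request header added by the Add Scan ID HTTP
Header setting. Assumes the server logs that header; the lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed (not from the original page) nginx log_format, roughly:
#   '$remote_addr - [$time_local] "$request" $status $http_x_tenable_was_scan_id'
# nginx exposes any request header as $http_<lowercased name, dashes as underscores>,
# and logs "-" when the header is absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<scan_id>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; the scan ID value is a placeholder, not a real Tenable scan ID.
SAMPLE_LOG = """\
203.0.113.10 - [20/Jun/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 -
203.0.113.10 - [20/Jun/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 -
198.51.100.7 - [20/Jun/2024:10:00:05 +0000] "GET /account?id=1 HTTP/1.1" 200 3b9e2d4c-constructed
198.51.100.7 - [20/Jun/2024:10:00:05 +0000] "GET /search?q=test HTTP/1.1" 500 3b9e2d4c-constructed
198.51.100.7 - [20/Jun/2024:10:00:06 +0000] "POST /login HTTP/1.1" 302 3b9e2d4c-constructed
198.51.100.7 - [20/Jun/2024:10:00:07 +0000] "GET /account/logout HTTP/1.1" 200 3b9e2d4c-constructed
"""


def parse_line(line: str):
    """Parse one access log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["scan_id"] = None if rec["scan_id"] == "-" else rec["scan_id"]
    return rec


def peak_requests_per_second(times: list) -> int:
    """Highest number of requests that share the same one-second bucket."""
    counts = defaultdict(int)
    for t in times:
        counts[t.replace(microsecond=0)] += 1
    return max(counts.values()) if counts else 0


def summarize_scans(log_text: str) -> dict:
    """Group requests by scan ID (key None = traffic without the header) and summarise each.

    The peak rate is what you compare against the Max Number of HTTP Requests Per Second
    setting; server errors show where the scan is stressing the application."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec["scan_id"]].append(rec)
    summary = {}
    for scan_id, recs in groups.items():
        times = [r["time"] for r in recs]
        summary[scan_id] = {
            "requests": len(recs),
            "sources": sorted({r["ip"] for r in recs}),
            "server_errors": sum(1 for r in recs if r["status"] >= 500),
            "peak_rps": peak_requests_per_second(times),
            "first": min(times),
            "last": max(times),
        }
    return summary


def scanner_paths_matching(log_text: str, pattern: str) -> dict:
    """Paths each scan requested that match a regex you expected the scan to exclude.

    A hit means the Regex for Excluded URLs setting did not cover that path (for example,
    a differently capitalised logout URL), so the scan configuration needs adjusting."""
    rx = re.compile(pattern)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["scan_id"] and rx.search(rec["path"]):
            hits[rec["scan_id"]].append(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for scan_id, info in summarize_scans(SAMPLE_LOG).items():
        label = scan_id or "no scan header"
        print(f"{label}: {info['requests']} requests from {info['sources']}, "
              f"peak {info['peak_rps']} req/s, {info['server_errors']} server errors")
    print("scanner hit excluded paths:", scanner_paths_matching(SAMPLE_LOG, "logout"))
```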

Screen Settings
You can configure Screen Settings options in scans and user-defined scan templates based on the
Overview and Scan templates only.

Screen Width
    Default: 1600
    Specifies the screen width, in pixels, of the browser embedded in the scanner.

Screen Height
    Default: 1200
    Specifies the screen height, in pixels, of the browser embedded in the scanner.

Ignore Images
    Default: disabled
    Specifies if the browser embedded in the scanner crawls or ignores images on your target web
    pages.

Limits
You can configure Limits options in scans and user-defined scan templates based on the Overview
and Scan templates only.

Number of URLs to Crawl and Browse
    Default: 10000
    Specifies the maximum number of URLs the scanner attempts to crawl.

Path Directory Depth
    Default: 10
    Specifies the maximum number of sub-directories the scanner crawls.

    For example, if your target is www.example.com, and you want the scanner to crawl
    www.example.com/users/myname, type 2 in the text box.

Page DOM Element Depth
    Default: 5
    Specifies the maximum number of HTML nested element levels the scanner crawls.

Max Response Size
    Default: 500000
    Specifies the maximum load size of a page, in bytes, which the scanner analyzes.

    If the scanner crawls a URL and the response exceeds the limit, the scanner does not analyze
    the page for vulnerabilities.

Request Redirect Limit
    Default: 3
    Specifies the number of redirects the scanner follows before it stops trying to crawl the
    page.

Selenium Settings
These settings specify how the scanner behaves when it attempts to authenticate to a web
application using your recorded Selenium credentials.

Configure these options if you configured your scan to authenticate to the web application with
Selenium credentials. For more information see Credentials in Tenable Web App Scanning Scans.

You can configure Selenium Settings options in scans and user-defined scan templates based on
the Overview and Scan templates only.

Setting (Default): Description

Page Rendering Delay (30000): Specifies the time (in milliseconds) the scanner waits for the page to render.

Command Execution Delay (500): Specifies the time (in milliseconds) the scanner waits after processing a command before proceeding to the next command.

Script Completion Delay (5000): Specifies the time (in milliseconds) the scanner waits for all commands to render new content to finish processing.

Performance Settings

Setting (Default): Description

Max Number of Concurrent HTTP Connections (10): Specifies the maximum number of established HTTP sessions allowed for a single host.

Max Number of HTTP Requests Per Second (25): Specifies the maximum number of HTTP requests allowed for a single host for the duration of the scan.

Slow down the scan when network congestion is detected (disabled): Specifies whether the scanner throttles the scan in the event of network congestion.

Network Timeout (In Seconds) (30): Specifies the time, in seconds, the scanner waits for a response from a host before aborting the scan, unless otherwise specified in a plugin. If your internet connection is slow, Tenable recommends that you specify a longer wait time.

Browser Timeout (In Seconds) (60): Specifies the time, in seconds, the scanner waits for a response from a browser before aborting the scan, unless otherwise specified in a plugin. If your internet connection is slow, Tenable recommends that you specify a longer wait time.

Timeout Threshold (100): Specifies the number of consecutive timeouts allowed before the scanner aborts the scan.

Session Settings
Specifying these tokens speeds up the scan by allowing the scanner to skip token verification.
Session Settings are only available when you are editing an existing scan.

Token Type (Default): Description

Cookie (None): Name of your application's authentication cookie for the scanner to use.

Header (None): Name of your application's authentication header for the scanner to use.

Credentials in Tenable Web App Scanning Scans

Note: You can set Credentials settings for single-target scans only. If you create a scan with more than
one target, these settings are not available.

In Tenable Web App Scanning scans, you can configure credentials settings that allow Tenable Web
App Scanning to perform an authenticated scan on a web application. Credentialed scans can
perform a wider variety of checks than non-credentialed scans, which can result in more accurate
scan results.

Scans in Tenable Web App Scanning use managed credentials. Managed credentials allow you to
store credential settings centrally in a credential manager. You can then add those credential
settings to multiple scan configurations instead of configuring credential settings for each
individual scan.

Tenable Web App Scanning scans support credentials in the following authentication types:

- HTTP Server Authentication

- Web Application Authentication

Tip: If you want to scan an API with the API scan template, and your API requires keys or a token for
authentication, you can add the expected custom headers in the Advanced settings in the HTTP Settings
section.

You can configure credentials settings in Tenable Web App Scanning scans using the following
methods.

Credentials Category: HTTP Server Authentication
  Authentication Type: –
  Configuration Method: Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans.

Credentials Category: Web Application Authentication
  Authentication Type: Login Form, Cookie Authentication, API Key, Bearer Authentication
  Configuration Method: Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans.

Tenable Web App Scanning Selenium Commands

Selenium commands in Tenable Web App Scanning are used to record authentication and crawling
scripts so that users can tell the scanner exactly what to do in certain scenarios. You can run these
commands in the Selenium IDE Extension (available for download in the Chrome Web Store).

Support for Selenium commands in Tenable Web App Scanning is detailed below:

Commands Supported:

- addSelection
- answerOnNextPrompt
- assert
- assertAlert
- assertChecked
- assertConfirmation
- assertEditable
- assertElementNotPresent
- assertElementPresent
- assertNotChecked
- assertNotEditable
- assertNotSelectedValue
- assertNotText
- assertPrompt
- assertSelectedLabel
- assertSelectedValue
- assertText
- assertTitle
- assertValue
- check
- chooseCancelOnNextConfirmation
- chooseCancelOnNextPrompt
- chooseOkOnNextConfirmation
- click
- clickAt
- doubleClick
- doubleClickAt
- echo
- editContent
- mouseDown
- mouseDownAt
- mouseMoveAt
- mouseOut
- mouseOver
- mouseUp
- mouseUpAt
- open
- pause
- removeSelection
- runScript
- select
- selectFrame
- sendKeys

  Note: In addition to arbitrary text, the sendKeys command only supports the following escape sequences: ${KEY_ENTER}, ${KEY_DELETE}, ${KEY_BACKSPACE}

- setSpeed
- setWindowSize
- submit
- type
- uncheck
- verify
- verifyChecked
- verifyEditable
- verifyElementNotPresent
- verifyElementPresent
- verifyNotChecked
- verifyNotEditable
- verifyNotSelectedValue
- verifyNotText
- verifySelectedLabel
- verifySelectedValue
- verifyText
- verifyTitle
- verifyValue
- waitForElementEditable
- waitForElementNotEditable
- waitForElementNotPresent
- waitForElementNotVisible
- waitForElementPresent
- waitForElementVisible
- webdriverAnswerOnNextPrompt
- webdriverAnswerOnVisiblePrompt
- webdriverChooseCancelOnNextConfirmation
- webdriverChooseCancelOnNextPrompt
- webdriverChooseCancelOnVisibleConfirmation
- webdriverChooseCancelOnVisiblePrompt
- webdriverChooseOkOnNextConfirmation
- webdriverChooseOkOnVisibleConfirmation

Commands Not Supported:

- close
- debugger
- do
- else
- else if
- end
- execute async script
- execute script
- for each
- if
- repeat if
- run
- select window
- store
- store attribute
- store json
- store text
- store title
- store value
- store window handle
- store xpath count
- times
- while

HTTP Server Authentication Settings in Tenable Web App Scanning Scans

In a Tenable Web App Scanning scan, you can configure the following settings for HTTP server-
based authentication credentials.

Option: Action

Username: Type the username Tenable Web App Scanning uses to authenticate to the HTTP-based server.

Password: Type the password Tenable Web App Scanning uses to authenticate to the HTTP-based server.

Authentication Type: In the drop-down list, select one of the following authentication types:

- Basic/Digest

- NTLM

- Kerberos

Kerberos Domain: (Required when enabling the Kerberos Authentication Type) The realm to which Kerberos Target Authentication belongs, if applicable.

Key Distribution Center (KDC): (Required when enabling the Kerberos Authentication Type) This host supplies the session tickets for the user.

Note: Tenable Web App Scanning does not support multiple HTTP authentication types for a single target.

Web Application Authentication

In a Tenable Web App Scanning scan, you can configure one of the following types of Web
Application Authentication credentials:

- Login Form Authentication

- Cookie Authentication

- Selenium Authentication

- API Key Authentication

- Bearer Authentication

Tip: If the login process causes any headers or cookies to be set, the scanner should notice this and
include those in subsequent requests. If this is not happening as you expect, use Selenium authentication
and record the login process into a .side file, then use that in the scan. If you are still experiencing
issues, contact your Tenable representative for support.

Login Form Authentication

Option: Action

Authentication Method: In the drop-down box, select Login Form.

Login Page: Type the URL of the login page for the web application you want to scan.

Credentials: For each field in the target's login form (that is, username, password, domain, etc.), complete a credential entry as follows:

a. In the left-hand text box, type the value of the login field's name or id HTML DOM attribute.

b. In the right-hand text box in the row, type the literal value to insert in that text field at login.

A typical configuration example:

Tip: To see a text field's name or id HTML DOM attribute, right-click on the text field and select "Inspect" in either your Firefox or Chrome browser.

Tip: If you perform an uncredentialed Overview scan, plugin 98033 (Login Form Detected) may automatically detect and display the required login boxes in the plugin output.

Pattern to Verify Successful Authentication: Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session: Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session: Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication
Option: Action

Authentication Method: In the drop-down box, select Cookie Authentication.

Session Cookies: Do the following:

a. In the first text box, type the name of the cookie authentication credentials.

b. In the second text box, type the value of the cookie authentication credentials.

Page to Verify Active Session: Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session: Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication
Option: Action

Authentication Method: Select Selenium Authentication.

Selenium Script (.side): Do the following:

a. In the Selenium IDE extension, record your authentication credentials.

b. Click Add File.

The file manager for your operating system appears.

c. Navigate to and select your Selenium credentials .side file.

Tenable Web App Scanning imports the credentials file.

Page to Verify Active Session: Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session: Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

API Key Authentication


Option: Action

Authentication Method: Select API Key.

Headers: Do the following:

a. In the first text box, type the name of the HTTP header.

b. In the second text box, type the value of the HTTP header.

c. (Optional) Add additional headers by clicking the button.

Page to Verify Active Session: Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session: Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Option: Action

Authentication Method: Select Bearer Authentication.

Bearer Token: Type the value of the bearer token.

Note: Bearer Token is a part of OAuth. Tenable Web App Scanning supports OAuth in cases where it is a part of OpenIDConnect and recordable via a Selenium script. Implementations of OAuth that are not a part of OpenIDConnect are supported only where the token is dynamic, or you craft a special static (non-dynamic) token for authentication purposes.

Page to Verify Active Session: Type the URL that Tenable Web App Scanning can continually access to validate the authenticated session.

Pattern to Verify Active Session: Type a word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username.). Note that leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Client Certificate Authentication

In a Tenable Web App Scanning scan, you can configure Client Certificate Authentication
credentials.

Option: Action

Client Certificate: The file that contains the PEM-formatted certificate used to communicate with the host.

Client Certificate Private Key: The file that contains the PEM-formatted private key for the client certificate.

Client Certificate Private Key Passphrase: The passphrase for the private key, if required.

Page to Verify Successful Authentication: Type the URL that Tenable Web App Scanning can access to validate the authenticated session.

Pattern to Verify Successful Authentication: Type a word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Leading slashes will be escaped and .* is not required at the beginning or end of the pattern.

Plugin Settings in Tenable Web App Scanning Scans

Required Tenable Web App Scanning User Role: Scan Manager or Administrator

Configure Plugin settings to specify the plugins and plugin families you want the scanner to use as
it scans your web application.

When you create and launch a scan, Tenable Web App Scanning uses plugins in various plugin
families, each designed to identify certain types of findings or vulnerabilities, to analyze your web
application. Tenable Web App Scanning uses the 98000-98999 and 112290-117290 plugin ID ranges
for scanning. For more information about Tenable Web App Scanning plugin families, see the
Tenable Web App Scanning Plugin Families site.

Note: Tenable Web App Scanning displays only the first detected 25 instances of an individual plugin per
scan in your scan results. If you see 25 instances of a single plugin in your scan results, Tenable
recommends taking remediation steps to address the corresponding vulnerability and then rescanning
your target.

You can configure Plugin settings when you create a scan or user-defined scan template and select
the API, Overview, (Basic) Scan, Standard Scan, or Custom template or scan type. For more
information, see View Your Scan Plugins.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and
configure a user-defined scan template.

The plugins settings contain the following sections:

- All enabled

- Plugins table

All Enabled

A toggle you can click to enable or disable all plugins simultaneously.

Plugins Table
Column: Description / Actions

Name: Specifies the plugin family to which the grouped plugins belong.
  - View the name of each plugin family.
  - Select the column to sort the table alphabetically or by family name.

Total: Specifies the number of plugins in the plugin family.
  - View the number of plugins in the family.
  - Select the column to sort the table by number of plugins in each family.

Status: Toggle that allows you to specify if you want the scanner to use the plugins in the plugin family to analyze your target.
  - Click the Status toggle to disable the plugins in the plugin family.
  - (Optional) To enable a disabled plugin family, click the Status toggle.

In the plugins table, you can view details about or disable individual plugins.

To view details about individual plugins:

1. In the table, click the row for the family that contains a plugin you want to view.

A plugin family details plane appears, displaying the name, ID, and status for each plugin in the
family in a paginated list.

2. (Optional) To locate a specific plugin, in the Search box, type the name or ID.

3. Click the plugin for which you want to view details.

To disable individual plugins:

1. In the table, click the row for the family that contains the plugin you want to disable.

A plugin family details plane appears, displaying the name, ID, and status for each plugin in the
family in a paginated list.

2. (Optional) To locate a specific plugin, in the Search box, type the name or ID.

3. In the Status column, select the check box next to the plugin you want to disable.

4. (Optional) To enable a disabled plugin, select the check box.

5. Click Save.

The details plane disappears.

Tenable Web App Scanning updates your plugin selections.

Scan Distribution

Overview
The scan distribution feature improves the efficiency of scanning both for your organization’s
scanners as well as the cloud scanners provided by Tenable Vulnerability Management for the
platform as a whole. In the case of the scanners that belong to your organization, Tenable
Vulnerability Management distributes scans as tasks across multiple scanners in the scanner group
assigned to the scan, rather than assigning complete scan jobs to individual scanners. Similarly,
Tenable Vulnerability Management distributes scans utilizing Tenable-provided cloud scanners as
jobs across groups of scanners. Tenable Vulnerability Management breaks down those jobs into
tasks and funnels them down to scanners within the groups.

In both cases, this effectively allows multiple scans to run simultaneously, eliminating bottlenecks
that might otherwise occur if scans were staggered one after another on individual scanners. As the
requirements of your organization grow, scan performance is less likely to degrade. Even when
scans are assigned to a specific scanner, those scans are broken down into tasks that can be run
simultaneously, allowing the scanner to complete the scan job more efficiently.

As scanners complete the tasks, Tenable Vulnerability Management immediately reflects the
results. The results that were already obtained are not lost if the scan is canceled. If a scanner
crashes during the scan, or a problem is encountered with a target, the other tasks run as normal.

Each scan task accounts for the scanning of 120 IP addresses; the last scan task of a scan job may
account for fewer than 120 IP addresses (for example, Tenable Vulnerability Management splits a scan
job of 300 IP addresses into two 120 IP address tasks and a 60 IP address task).

How the Scan Distribution Feature Works


When scan jobs are created, the jobs are placed either directly in the job queue of a scanner (if that
scanner was specified in the scan), or into the job queue of a scanner group.

Interacting with Scans


Because of the way the scan distribution feature breaks down scans into tasks that can be
completed asynchronously, there is some nuance to the way you can interact with scans.

Scanner Groups
You can create scanner groups in order to take advantage of the scan distribution feature with your
organization’s scanners. Scanner groups maximize the efficiency of your scans by spreading out
tasks across the individual scanners you assign to the group, rather than dedicating a single
scanner to complete a whole job.

Scan Results
You can view scan results live, as scanners complete tasks. Each time a task completes, Tenable
Vulnerability Management updates scan results with new data. If a scan fails or is interrupted,
Tenable Vulnerability Management retains the already completed results, though the scan reflects
that the process was not completed.

If a job is assigned to multiple scanners and one of those scanners happens to fail, the tasks
dispatched to the other scanners are still completed.

Scanner Capacity
Tenable Vulnerability Management considers the following three types of scanner capacities when
distributing scans, in order to efficiently determine how many tasks a scanner can process.

- Target Capacity: The number of assets a scanner can actively scan simultaneously. This value
is by default based on the hardware resources of the scanner, including the number of
processors and the amount of memory available.

- Task Capacity: The number of tasks (parts of a scan) that a scanner can perform
simultaneously. A scanner's task capacity is determined based on the target capacity.

- Job Capacity: The number of different jobs a scanner can include tasks from at once. In this
way, scans can be performed asynchronously, and a scanner that has available capacity can
complete multiple tasks even if those tasks are not derived from the same scan. Job capacity
is always determined to be less than or equal to the task capacity so that when a scanner is at
its job capacity, it will be able to complete tasks from every job.

Scanner Group Capacity


Tenable Vulnerability Management also considers scanner group job capacities when distributing
scans. Jobs at the scanner group level are broken down into tasks when there is available capacity.
Tasks from those jobs can then be divided among the scanners in the group.

Job Queues
Tenable Vulnerability Management queues scan jobs before separating them into tasks for scan
distribution.

Scanner Group Job Queues


Tenable Vulnerability Management queues jobs for a scanner group in the order it receives the jobs.
When the scanner group has available job capacity, Tenable Vulnerability Management breaks the
earliest job in the queue into tasks and assigns them to each of the scanners in the group, one
scanner after another in succession (a “round robin” method). Tenable Vulnerability Management
dispatches the tasks to the scanners assigned to the job.

Scanner Job Queues


Tenable Vulnerability Management also queues jobs for a scanner in the order it receives the jobs,
regardless of the origin of a scan job.

For example, the job queue for a scanner may include scan jobs that were assigned directly to the
scanner as well as jobs distributed to the scanner by the groups the scanner belongs to.

Dispatching Tasks
When a scanner has available capacity for tasks, it polls for and is assigned additional tasks from
the jobs that have filled the scanner's job capacity. Tasks are assigned from each job in succession,
in a round robin method, similar to the way jobs are assigned to scanners in a group.

The way the tasks are dispatched to scanners varies depending on the scenario.

Example Scenario: One Scanner with One Job


In this example, assume there is one scanner with a single job queued. This scanner is not a part of
a scanner group and as such processes scan jobs one at a time in the order the jobs are queued.
This scanner has a task capacity of six. When the job is broken down into tasks, six of those tasks
are assigned to the scanner to be executed simultaneously. Tasks continue to fill the scanner’s task
capacity until the scan job is completed.

Example Scenario: One Scanner with Multiple Jobs


In this example, assume there is one scanner with multiple jobs queued. The scanner belongs to
two scanner groups, SG1 and SG2. Three scan jobs are created. The first scan was configured to use
the scanner directly. The other two scans were configured to use SG1 and SG2, respectively.

Because the first scan job was configured to use that particular scanner, it is added to the
scanner’s job queue. In the case of SG1 and SG2, the scanner happens to be next in the order of
scanners to receive jobs in both groups. The jobs from those groups are also added to the scanner’s
job queue.

This scanner has a job capacity of three, so the scanner is able to be assigned tasks from all three
jobs.

This scanner has a task capacity of five. Tasks are assigned to the scanner one at a time from each
job in succession. In this case, tasks would be assigned in the following order: Job 1, Job 2, Job 3,
Job 1, Job 2, filling the task capacity. Using this “round robin” method, the scanner begins working
on two tasks from the first job, two tasks from the second job, and one task from the third job.
When one of the tasks is completed, the next task from the third job is then dispatched.

Example Scenario: Multiple Scanners with Multiple Jobs

In this example, assume there are two scanners, Scanner 1 and Scanner 2. Both scanners are
assigned to a scanner group, SG1. Both Scanner 1 and Scanner 2 have a job capacity of three.

Two scan jobs are created. Job 1 is assigned directly to Scanner 1. Job 2 is assigned to SG1. Both
Jobs are broken down into Tasks. Job1 will only be worked by Scanner 1. Job 2 can be worked by
both Scanner 1 and Scanner 2.

Both Scanner 1 and Scanner 2 have a task capacity of six. Scanner 1 is assigned tasks one at a time
from each job in succession, three from Job 1 and three from Job 2. Scanner 2 is assigned six tasks
from Job 2.

Tasks for Job 2 are dispatched to Scanner 1 and Scanner 2 from SG1 as task capacity becomes
available for the scanners. This process continues until both jobs are completed.
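As an added example that is not part of the Tenable documentation, the following Python model reproduces the behaviour described in the overview and the scenarios above: a job is split into tasks of 120 addresses, a scanner admits queued jobs up to its job capacity, and it fills its task capacity by taking one task from each admitted job in turn, keeping finished results as soon as a task completes. The class and function names and the per-job target counts are constructed for this example; it models one scanner's own queue, not the scanner-group queue.

```python
from collections import deque

TASK_SIZE = 120  # IP addresses per scan task, as stated in the overview above


def split_job_into_tasks(job_name, targets, task_size=TASK_SIZE):
    """Break a job's target list into tasks of at most task_size targets each.

    300 targets become tasks of 120, 120 and 60 targets.
    """
    return [(job_name, targets[i:i + task_size])
            for i in range(0, len(targets), task_size)]


class Scanner:
    """Toy model of one scanner's job queue, job capacity and task capacity."""

    def __init__(self, name, job_capacity, task_capacity):
        self.name = name
        self.job_capacity = job_capacity      # jobs it may hold tasks from at once
        self.task_capacity = task_capacity    # tasks it may run simultaneously
        self.job_queue = deque()              # jobs waiting, in arrival order
        self.active_jobs = []                 # [job_name, deque(tasks)] filling job capacity
        self.running = []                     # (job_name, task) currently executing
        self.completed = []                   # results are kept as soon as a task finishes
        self._rr = 0                          # round-robin pointer over active_jobs

    def enqueue_job(self, job_name, tasks):
        """Queue a job; whether it came directly or from a scanner group does not matter."""
        self.job_queue.append([job_name, deque(t for _, t in tasks)])

    def _admit_jobs(self):
        while len(self.active_jobs) < self.job_capacity and self.job_queue:
            self.active_jobs.append(self.job_queue.popleft())

    def poll(self):
        """Fill free task slots, taking one task from each active job in turn.

        Returns the job names of the tasks dispatched by this poll, in order.
        """
        self._admit_jobs()
        dispatched = []
        while len(self.running) < self.task_capacity:
            if not any(tasks for _, tasks in self.active_jobs):
                break                          # nothing pending in any admitted job
            job_name, tasks = self.active_jobs[self._rr % len(self.active_jobs)]
            self._rr += 1
            if tasks:
                self.running.append((job_name, tasks.popleft()))
                dispatched.append(job_name)
        return dispatched

    def complete_task(self, index=0):
        """Finish one running task, retire exhausted jobs, then dispatch the next tasks."""
        job_name, task = self.running.pop(index)
        self.completed.append((job_name, task))
        self.active_jobs = [j for j in self.active_jobs
                            if j[1] or any(r[0] == j[0] for r in self.running)]
        return self.poll()


def multiple_jobs_scenario():
    """The 'One Scanner with Multiple Jobs' scenario: job capacity 3, task capacity 5."""
    scanner = Scanner("scanner", job_capacity=3, task_capacity=5)
    for job in ("Job 1", "Job 2", "Job 3"):
        # constructed target counts: 300 addresses per job, i.e. three tasks each
        scanner.enqueue_job(job, split_job_into_tasks(job, list(range(300))))
    first = scanner.poll()                # Job 1, Job 2, Job 3, Job 1, Job 2
    after_one = scanner.complete_task(0)  # a slot frees up: the next task comes from Job 3
    return first, after_one


if __name__ == "__main__":
    print([len(t) for _, t in split_job_into_tasks("job", list(range(300)))])
    print(multiple_jobs_scenario())
```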

Configure Scan Routing


With scan routing, you can automatically dispatch scanning across multiple scanner groups
according to the network areas to which each group has access. Scan routing reduces scan
configuration and management overhead by eliminating the need to configure specific scanners for
each individual scan. This feature can represent a significant benefit in large deployments. To
improve operational efficiency, team members with higher privileges can manage the scanner
pools, which can then be used by lower-privileged team members during scan configuration.

Note: Scan routing is available for linked scanners only.

If you configure scan routing for a scan, when the scan runs, Tenable Vulnerability Management
automatically does the following:

- Assigns the scan targets to the scanner group configured with the narrowest matching target
range.

- Within that scanner group, assigns targets to scanners as they check in, according to their
capacity and the targets still available.

For more information, see Configuration Guidelines.

Note: Tenable recommends pre-planning your scan routing strategy to efficiently target discrete areas of
your network. If configured improperly, scan routing can prevent scanners from reaching their targets.

To configure scan routing:

1. Review the configuration guidelines for scan routing.

2. Configure a scanner group for scan routing.


a. Create or edit a scanner group.

b. In the Targets for Scan Routing box, type a comma-separated list of scan routing
targets.

Targets in the list must be in the supported formats.

Note: You can specify up to 10,000 individual scan routing targets for an individual scanner
group. For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24
specifies four scan routing targets. To condense a scan routing target list, Tenable
recommends using wildcard and range formats, instead of individual IP addresses.

c. Click Save.

Tenable Vulnerability Management saves your changes to the scanner group.

3. Configure a scan for scan routing.


a. Create or edit a scan configuration.

b. In the Basic settings section, configure the following options:

Option: Action

Scanner: Select the Auto-Select option. When you select this option, the Network box appears.

Network: Do one of the following:

- If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing.

- If your scans do not involve separate environments with overlapping IP ranges, retain the Default network.

Targets / Upload Targets / Tags: Specify targets for the scan, using one of the following options:

- In the Targets box, type the list of targets.

- In the Upload Targets box, upload a file of targets.

- In the Tags box, specify targets by tag.

When specifying scan targets, note the following:

- Be sure to match scan targets to the scan routing targets you specify in your scanner groups. If you specify scan targets outside the range of scanner group targets, Tenable Vulnerability Management scans only those hosts inside the scanner group range and returns the partial results with a warning that lists the hosts that were not scanned.

- When matching scan routing targets to scan targets, Tenable Vulnerability Management does not resolve FQDNs to IP addresses. For example, if you specify *.example.com as a scan routing target, Tenable Vulnerability Management can assign a scan to that scanner group if the scan is configured with the scan target www.example.com. However, Tenable Vulnerability Management does not assign a scan to that scanner group if a scan is configured with the target 192.168.0.1, even if www.example.com could potentially resolve to 192.168.0.1.

c. Click Save.

Tenable Vulnerability Management saves your changes to the scan configuration.

Configuration Guidelines
- When configuring scan routes, Tenable recommends using IP ranges and CIDR ranges instead
of individual IP addresses where possible. This approach differs from the recommended
approach for scan targets, where narrower target values are recommended.

- Tenable Vulnerability Management does not support a numeric range format for IPv6
addresses. Instead, use a CIDR format for IPv6 address ranges.

- Typically, Tenable recommends adding an individual scanner to only one scanner group. In
some cases, however, you may want to configure overlapping scanner groups to ensure
scanning coverage or redundancy. If a host is targeted by two or more overlapping scanner
groups, Tenable Vulnerability Management chooses any one of the groups to scan it; none of
the groups is given preference.

- For a definition of scanner availability in a scanner group, see Scanner Groups.

Supported Scan Routing Target Formats


Tenable Vulnerability Management supports the following formats for scan routing targets:

Target Format: Example

A single IPv4 address: 192.168.0.1

A single IPv6 address: 2001:db8::2120:17ff:fe56:333b

An IPv4 range with a start and end address: 192.168.0.1-192.168.0.255

An IPv4 subnet with CIDR notation: 192.168.0.0/24

An IPv6 subnet with CIDR notation: 2001:db8::/32

A host resolvable to either an IPv4 or an IPv6 address: www.yourdomain.com

A host resolvable to either an IPv4 address or an IPv6 address, with a wildcard as the subdomain: *.yourdomain.com
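As an added example that is not part of the Tenable documentation, the following Python code models the scan routing decision described in the steps and guidelines above: each routing target is parsed in one of the supported formats (with the per-group limit and the IPv6 CIDR-only rule enforced), a scan target is matched against every group without any DNS resolution, and the group with the narrowest matching range wins; targets no group covers are returned the way the platform lists unscanned hosts. Group names, addresses, the rule that *.example.com matches subdomains only, and the choice of the first listed group on an exact tie (where the platform picks any one) are constructed assumptions.

```python
import ipaddress
import re

MAX_ROUTES_PER_GROUP = 10000  # per-group limit given in the scan routing steps
# Host names, optionally with a leading "*." wildcard standing for the subdomain.
HOST_RE = re.compile(r"^(?:\*\.)?(?:[a-z0-9-]+\.)*[a-z0-9-]+$", re.I)


def parse_route(text):
    """Parse one scan routing target into (kind, value, specificity).

    kind is "net" (single address or CIDR, IPv4 or IPv6), "range" (IPv4 start-end),
    "host" or "wildcard". A smaller specificity tuple means a narrower route.
    """
    text = text.strip()
    try:
        net = ipaddress.ip_network(text, strict=False)
        return ("net", net, (net.num_addresses,))
    except ValueError:
        pass
    if "-" in text:
        start_s, _, end_s = text.partition("-")
        try:
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
        except ValueError:
            start = end = None
        if start is not None:
            if start.version == 6 or end.version == 6:
                raise ValueError(f"IPv6 ranges must use CIDR notation: {text}")
            if end < start:
                raise ValueError(f"range end precedes start: {text}")
            return ("range", (start, end), (int(end) - int(start) + 1,))
    if HOST_RE.match(text):
        if text.startswith("*."):
            # Assumption: among wildcards, a longer suffix is the narrower route.
            return ("wildcard", text[2:].lower(), (2, -len(text)))
        return ("host", text.lower(), (1,))
    raise ValueError(f"unsupported scan routing target: {text}")


def parse_group_routes(routes_csv):
    """Parse the comma-separated 'Targets for Scan Routing' value of one scanner group."""
    items = [r for r in routes_csv.split(",") if r.strip()]
    if len(items) > MAX_ROUTES_PER_GROUP:
        raise ValueError(f"{len(items)} routing targets exceed the {MAX_ROUTES_PER_GROUP} limit")
    return [parse_route(r) for r in items]


def route_matches(route, target):
    """True if a scan target (IP or host name, never resolved via DNS) lies inside a route."""
    kind, value, _ = route
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if kind == "net":
            return addr.version == value.version and addr in value
        if kind == "range":
            return addr.version == 4 and value[0] <= addr <= value[1]
        return False  # an IP target never matches a host route: no DNS lookup is done
    host = target.lower()
    if kind == "host":
        return host == value
    if kind == "wildcard":
        return host.endswith("." + value)  # assumption: bare example.com is not matched
    return False


def route_scan(groups, scan_targets):
    """Assign each scan target to the scanner group whose matching route is narrowest.

    groups maps group name -> comma-separated routing targets. Returns (assignments,
    unrouted); unrouted targets are the hosts the platform reports as not scanned.
    """
    parsed = {name: parse_group_routes(csv) for name, csv in groups.items()}
    assignments = {name: [] for name in groups}
    unrouted = []
    for target in scan_targets:
        best = None  # (specificity, group name); ties keep the first group listed
        for name, routes in parsed.items():
            for route in routes:
                if route_matches(route, target) and (best is None or route[2] < best[0]):
                    best = (route[2], name)
        if best is None:
            unrouted.append(target)
        else:
            assignments[best[1]].append(target)
    return assignments, unrouted


SAMPLE_GROUPS = {  # constructed sample: group names and addresses are made up
    "corp-lan": "192.168.0.0/16, *.example.com",
    "dmz": "192.168.0.0/24, www.example.com",
    "ipv6-lab": "2001:db8::/32",
}
SAMPLE_TARGETS = ["192.168.0.1", "192.168.5.9", "www.example.com", "mail.example.com",
                  "2001:db8::2120:17ff:fe56:333b", "10.0.0.1"]
```

Running `route_scan(SAMPLE_GROUPS, SAMPLE_TARGETS)` sends 192.168.0.1 and www.example.com to the narrower dmz group, and reports 10.0.0.1 as unrouted.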

Scan Best Practices

Introduction
Every organization has unique needs for their vulnerability management program. These
requirements can vary from the scanner used (cloud or on-premises), the places where a sensor is
deployed, technology in your environment, and other conditions of your vulnerability management
program. The following information contains deployment best practices that should apply to
everyone and assist in situations where continued overages occur.

General Best Practices

Role-Based Access Control (RBAC)


Familiarize yourself with Access Control and RBAC, which control who can run scans and who can view
assets. Misconfigured access controls or user groups can cause scan failures and leave assets or
vulnerabilities missing from dashboards and reports.

Credentialed Scanning
Tenable recommends running credentialed scans whenever possible. Credentialed scans give your
organization a more accurate snapshot of your current environment and let you collect information
about your network and systems quickly and safely. You can use this information to fill gaps in
your security architecture and make better decisions about how to improve your information
security program.

Credentialed scans can also perform a wider variety of checks than non-credentialed scans, which
provides more accurate scan results and thorough coverage of local exposures and compliance
violations across your network. Because scan credentials give the scanner authenticated access to
every target, use dedicated least-privilege accounts for scanning and protect them like any other
privileged credential. See Credentialed Scans in the Tenable Nessus Agent User Guide for more
information about the benefits of credentialed scanning.

Proper Inventory of Assets


An accurate inventory of the existing assets in your network is the first step towards effective
vulnerability management. To learn more, review asset inventory best practices and asset inventory
analysis and review.

Deleting Assets
You can delete assets through the user interface, but they remain on the license for 90 days or
until the Asset Age Out period expires. If the asset is found again before the 90-day period or the
Asset Age Out period ends, it counts as an additional licensed asset. With this in mind, if you
expect to detect the asset again in the future, add it to the global exclusion list to avoid
licensing issues, or enable Asset Age Out to purge deleted assets as early as seven days after they
were deleted. For more information, see Delete Assets.

You can tag all assets that need to be deleted and use the API to bulk delete them. For instance,
you could tag assets and use an automated script to delete every asset that carries the "delete"
tag on a custom interval. If these assets may be found again (for example, honeypot networks), it
is best practice to add them to the global exclusion list to avoid licensing issues, or to reduce
your target scope to omit them.

l Bulk delete API documentation

l Exclusion API documentation

l Asset age out API documentation

Agent Scanning
Agents are a good way to capture vulnerability data on assets that are mobile or highly sensitive.
However, an agent runs locally on the host, so an agent scan cannot assess the host's external
exposure, such as TLS vulnerabilities on its listening services. If these types of vulnerabilities
on these assets matter to your program, pair agent scanning with a network-based scan. If a
credentialed network scan is not possible, you can use a non-credentialed scan, but be aware that a
non-credentialed scan of an agent-monitored host may produce an additional licensed asset. See
Agents and Non-Credentialed Scans under Duplication Challenges and Remedies for more information.

Scan Hygiene
Before scanning, Tenable recommends reviewing the Tenable Vulnerability Management Scan Tuning
Guide. Tenable Vulnerability Management limits the total number of scan schedules to 10,000. A
scan schedule includes a scan template (including discovery and assessment settings), a list of scan
targets, and (optionally) credentials and compliance audits. You can reuse scan schedules, and doing
so groups the scan results under the History tab of the given scan schedule.

It is best practice to reuse "on-demand" scan schedules, which reduces clutter and confusion when
looking for scan schedules and adheres to good scan hygiene. There is little to no benefit in
creating a new "on-demand" scan schedule each time a new set of assets needs to be scanned. Instead,
change the targets of the existing scan and use its history to see older data. Keep in mind that
unless you choose not to send the data to the workbench, all changes found during the scan are
reflected in the workbenches, reducing the need to review old scan results.

It is common to ask, "What changed since the previous scan?" This question draws attention to the
previous scan's results. However, each scan updates the assets with the newest information. You can
use the asset Activity tab to identify when a Tenable sensor detected the asset. Furthermore, each
vulnerability records when its plugin was first seen and last seen. Comparing those two dates with
your scan dates typically identifies what changed since a previous scan.
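The comparison described above, as an added example that is not Tenable's own code: the records below are constructed to resemble a stripped-down findings export (plugin ID, asset, first_seen, last_seen in UTC), and the field names are an assumption. The two boundaries are the end of the previous scan and the start of the current one; a finding first seen after the previous scan ended is new, one last seen before the current scan started was not found by it, and everything else persisted.

```python
"""Answer "what changed since the previous scan?" from the first-seen and
last-seen timestamps each finding carries, instead of re-reading the
previous scan's results.

Added example, not Tenable's own code. FINDINGS is constructed sample data;
its field names are an assumption about the export format.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: web-01 was scanned on 2024-06-01 and again on 2024-06-15.
PREVIOUS_SCAN_END = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)
CURRENT_SCAN_START = datetime(2024, 6, 15, 2, 0, tzinfo=timezone.utc)
FINDINGS = [
    {"plugin_id": 10001, "asset": "web-01", "first_seen": "2024-05-01T09:00:00Z", "last_seen": "2024-06-15T02:10:00Z"},
    {"plugin_id": 10002, "asset": "web-01", "first_seen": "2024-06-15T02:10:00Z", "last_seen": "2024-06-15T02:10:00Z"},
    {"plugin_id": 10003, "asset": "web-01", "first_seen": "2024-05-01T09:00:00Z", "last_seen": "2024-06-01T02:05:00Z"},
]


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(finding: dict, previous_scan_end: datetime, current_scan_start: datetime) -> str:
    """Bucket one finding relative to the two scans.

    not_seen_in_current: last detected before the current scan started, so the
                         current scan did not find it (fixed, or not reachable).
    new:                 first detected after the previous scan finished.
    persisting:          detected by the previous scan (or earlier) and again by the current one.
    """
    first, last = parse_utc(finding["first_seen"]), parse_utc(finding["last_seen"])
    if last < current_scan_start:
        return "not_seen_in_current"
    if first > previous_scan_end:
        return "new"
    return "persisting"


def scan_delta(findings: List[dict], previous_scan_end: datetime,
               current_scan_start: datetime) -> Dict[str, List[int]]:
    """Group plugin IDs by how they changed between the two scans."""
    buckets: Dict[str, List[int]] = {"new": [], "persisting": [], "not_seen_in_current": []}
    for f in findings:
        buckets[classify(f, previous_scan_end, current_scan_start)].append(f["plugin_id"])
    return buckets


if __name__ == "__main__":
    for bucket, plugin_ids in scan_delta(FINDINGS, PREVIOUS_SCAN_END, CURRENT_SCAN_START).items():
        print(f"{bucket:>20}: {plugin_ids}")
```

Run against a real findings export, the same three buckets give you the change set without opening the previous scan at all, which is the point the paragraph above makes.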

Lastly, it is best practice to use remediation scans to re-scan an asset outside its predefined
scan cycle. You can launch remediation scans from the action button on the vulnerability details
page. This is the most convenient way to manage remediation scans and helps maintain scan hygiene.

API Scan Creation Best Practices


If you use the API to automate scan creation, scan hygiene is just as important. If you cannot
reuse the same scan schedule for your workloads, Tenable recommends that you make scan deletion
part of your automated scan procedure. Instead of creating a new scan for every run, consider
passing the alt_targets parameter when launching an existing scan, as described in the API
documentation.

Maintaining scan hygiene reduces the number of scans returned by each request to the /scans
endpoint, which can speed up responses from that endpoint.
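The alt_targets launch described above, as an added example that is not Tenable's or pyTenable's own code. It uses the public API call POST /scans/{scan_id}/launch with a JSON body of {"alt_targets": [...]} and key-pair authentication through the X-ApiKeys header; the HTTP transport is injected so the example runs offline, and the fake response and its scan_uuid are constructed for the example. Pass requests.Session().post (or an equivalent) for a real launch.

```python
"""Launch an existing Tenable Vulnerability Management scan against a
one-off target list with alt_targets instead of creating a new scan.

Added example, not Tenable's own code. Endpoint and payload follow the public
API (POST /scans/{scan_id}/launch, body {"alt_targets": [...]}); the POST
callable is injected so this runs offline.
"""
import json
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://cloud.tenable.com"


def api_headers(access_key: str, secret_key: str) -> Dict[str, str]:
    # API key pairs are sent in a single X-ApiKeys header.
    return {
        "X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_launch_request(scan_id: int, alt_targets: List[str]) -> Tuple[str, Dict[str, List[str]]]:
    """Return (url, body) for launching scan_id against alt_targets.

    alt_targets overrides the saved target list for this launch only, so the
    scan definition is unchanged and the run still appears under its History tab.
    """
    cleaned = [t.strip() for t in alt_targets if t and t.strip()]
    if not cleaned:
        raise ValueError("alt_targets must contain at least one target")
    return f"{BASE_URL}/scans/{int(scan_id)}/launch", {"alt_targets": cleaned}


def launch_scan(post: Callable[..., object], scan_id: int, alt_targets: List[str],
                access_key: str, secret_key: str) -> str:
    """Launch the scan through the injected POST callable and return its scan_uuid."""
    url, body = build_launch_request(scan_id, alt_targets)
    resp = post(url, headers=api_headers(access_key, secret_key), data=json.dumps(body))
    if resp.status_code != 200:
        raise RuntimeError(f"launch of scan {scan_id} failed: HTTP {resp.status_code}")
    return resp.json()["scan_uuid"]


# Offline stand-in for the API; the response below is constructed, not real.
class _FakeResponse:
    def __init__(self, status_code: int, payload: dict):
        self.status_code, self._payload = status_code, payload

    def json(self) -> dict:
        return self._payload


SENT_REQUESTS: List[dict] = []


def fake_post(url: str, headers: Dict[str, str], data: str) -> _FakeResponse:
    SENT_REQUESTS.append({"url": url, "headers": headers, "body": json.loads(data)})
    return _FakeResponse(200, {"scan_uuid": "00000000-0000-0000-0000-000000000001"})


if __name__ == "__main__":
    uuid = launch_scan(fake_post, 42, ["192.168.0.10", "10.0.0.0/24"], "ACCESS_KEY", "SECRET_KEY")
    print("launched", uuid, "with", SENT_REQUESTS[-1]["body"])
```

Because every run goes through the same scan ID, the /scans listing stays the same size no matter how many target sets you launch, which is the hygiene benefit the section describes.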

Duplication Challenges and Remedies


Non-credentialed scans may not gather enough data to uniquely identify an asset. A common example
is an asset with multiple interfaces. The following sections describe examples of this and
potential resolutions.

Server with Multiple NICs


Non-credentialed scans may not collect enough data to merge two network interfaces found during a
scan into a single asset.

Resolution:

l Scan the asset with credentials to uniquely identify the asset and de-duplicate the multiple
NICs.

l Exclude any extra IP addresses for the asset if they do not provide reporting value. You
may use network scanning to "pen test" an asset, and visibility into different vulnerabilities or
open ports on a different network interface may provide insight and value. To correct any
reporting accuracy issues, delete the asset using the user interface or API.

l To remove duplicates that were deleted, enable Asset Age Out to mirror your scan schedule.

Firewall and Layer 3 Switches


Non-credentialed scans cannot collect enough data to uniquely identify a firewall or Layer 3 switch
in the event that multiple interfaces are scanned. In order to do so, Tenable Vulnerability
Management would have to crawl the device’s system configuration to see the interface IPs.
However, even with credentialed scans, Tenable Vulnerability Management does not crawl the
configuration file and gather this data.

Resolution:

l When multiple interfaces are found in a scan, identify which ones are duplicates in value and
add them to the exclusion list.

l Example: In the case of a firewall with three interfaces, and therefore three IP
addresses, exclude two of the IP addresses and delete them using the user interface or
API.

l To remove duplicates that were deleted, enable Asset Age Out to mirror your scan schedule.

Agents and Non-Credentialed Scans


Non-credentialed scans may not collect enough data to merge the two records of the same host (the
agent scan and the non-credentialed network scan). A well-hardened server may not expose enough
data to a network scan to identify it uniquely. Where more data is available, Tenable's matching
algorithm de-duplicates the asset and reduces the license count.

Resolution:

l For assets that are well hardened or do not provide enough data for Tenable’s algorithms to
merge assets confidently, you should add credentials so that Tenable can collect the data
necessary to merge the assets confidently.

Ephemeral Assets

Ephemeral assets, or assets that are terminated and rebuilt before the 90-day period has aged out,
create a new asset each time they are rebuilt or deployed. Many asset attributes may change after
the asset has been terminated, making it difficult to merge the asset with its previous version.

Resolution:

l Use the cloud connectors. The cloud connectors not only help identify ephemeral assets in
the cloud, but they also detect their termination and remove the corresponding license.

l For situations where you cannot use a cloud connector, you need to leverage the Asset Age
Out feature. The Asset Age Out feature purges assets automatically if they are not found
within the configured time period.

Scan Limitations
The following table describes scanning limitations in Tenable Vulnerability Management:

Targeted IP addresses or hostnames per assessment scan
    Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with
    a single assessment scan (for more information, see Discovery Scans vs. Assessment Scans). The
    host target limit is 10 times your organization's licensed asset count. For example, if your
    organization has a licensed asset count of 1,000, you cannot target more than 10,000 hostnames
    or IP addresses in a single assessment scan. If you exceed the limit, Tenable Vulnerability
    Management aborts the scan.

Targeted IP addresses or hostnames per discovery scan
    Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with
    a single discovery scan (for more information, see Discovery Scans vs. Assessment Scans). The
    host target limit is 1,000 times your organization's licensed asset count. For example, if your
    organization has a licensed asset count of 1,000, you cannot target more than 1,000,000
    hostnames or IP addresses in a single discovery scan. If you exceed the limit, Tenable
    Vulnerability Management aborts the scan.

Host scan results per scan
    Tenable Vulnerability Management limits the number of live hosts for which a single scan can
    generate results. The live host limit is 1.1 times your organization's licensed asset count.
    For example, if your organization has a licensed asset count of 1,000, a single scan cannot
    generate results for more than 1,100 live hosts. If you exceed the limit, Tenable Vulnerability
    Management aborts the scan. The live host limit does not apply to discovery scans.

    Tenable Vulnerability Management also limits the number of dead hosts for which a single scan
    can generate results. The dead host limit is 100 times your organization's licensed asset
    count. For example, if your organization has a licensed asset count of 1,000, a single scan
    cannot generate results for more than 100,000 dead hosts. If you exceed the limit, Tenable
    Vulnerability Management aborts the scan.

Targeted IP addresses or ranges per scan
    You cannot specify more than 300,000 comma-separated IP addresses or ranges when configuring a
    scan's targets.

Active scans
    You cannot have more than 25 scans running in your container simultaneously.

Scan chunks
    Tenable Vulnerability Management limits scan chunks to 10,000 hosts or 150,000 findings. If a
    scan chunk exceeds either value, Tenable Vulnerability Management does not process the scan and
    eventually aborts it.

    Note: This limits items such as MDM assessments, imported Nessus files, and very large auto
    discovery scenarios such as VMware to individual scans with fewer than 10,000 assessed targets.

Scan configurations
    Tenable Vulnerability Management limits the number of scan configurations you can create to
    10,000. Tenable recommends reusing scheduled scans instead of creating new scans. This approach
    helps avoid latency issues in the user interface.
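A pre-flight check that ties the target formats listed under Supported Scan Routing Target Formats to the limits in the table above, as an added example that is not Tenable's own code. The limits are the documented ones; how Tenable itself counts a wildcard host name or an IPv6 CIDR block against those limits is not stated on this page, so the check counts every host name as one target and expands IPv4 ranges and CIDR blocks to their address count. That counting model is an assumption, chosen to be conservative, and the parser also rejects the one form the page says is unsupported, a numeric IPv6 range.

```python
"""Pre-flight check of a scan target list against the supported target
formats and the per-scan limits.

Added example, not Tenable's own code. Counting model (host names count as
one target, ranges and CIDR blocks expand to their address count) is an
assumption; the limits are the documented ones.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV4_RANGE_RE = re.compile(rf"^({IPV4})\s*-\s*({IPV4})$")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(\*\.)?{LABEL}(?:\.{LABEL})*$", re.IGNORECASE)

MAX_TARGET_ENTRIES = 300_000      # comma-separated entries per scan
ASSESSMENT_MULTIPLIER = 10        # hosts per assessment scan = 10 x licensed assets
DISCOVERY_MULTIPLIER = 1_000      # hosts per discovery scan = 1,000 x licensed assets


@dataclass
class Target:
    raw: str
    kind: str        # ipv4, ipv6, ipv4-range, ipv4-cidr, ipv6-cidr, hostname, wildcard
    host_count: int


def parse_target(raw: str) -> Target:
    """Classify one target entry; raise ValueError for formats that are not supported."""
    s = raw.strip()
    if not s:
        raise ValueError("empty target entry")
    m = IPV4_RANGE_RE.match(s)
    if m:
        start, end = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if end < start:
            raise ValueError(f"range end precedes start: {s}")
        return Target(s, "ipv4-range", int(end) - int(start) + 1)
    if ":" in s and "-" in s:
        # Numeric IPv6 ranges are not supported; CIDR is the only IPv6 range form.
        raise ValueError(f"IPv6 numeric range not supported, use CIDR: {s}")
    if "/" in s:
        net = ipaddress.ip_network(s, strict=False)
        return Target(s, f"ipv{net.version}-cidr", net.num_addresses)
    try:
        addr = ipaddress.ip_address(s)
        return Target(s, f"ipv{addr.version}", 1)
    except ValueError:
        pass
    if HOSTNAME_RE.match(s):
        return Target(s, "wildcard" if s.startswith("*.") else "hostname", 1)
    raise ValueError(f"unsupported target format: {s}")


@dataclass
class Preflight:
    entries: int
    host_count: int
    host_limit: int
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def preflight(targets_csv: str, licensed_assets: int, discovery: bool = False) -> Preflight:
    """Check a comma-separated target string before submitting a scan."""
    entries = [e for e in targets_csv.split(",") if e.strip()]
    multiplier = DISCOVERY_MULTIPLIER if discovery else ASSESSMENT_MULTIPLIER
    result = Preflight(len(entries), 0, multiplier * licensed_assets)
    if len(entries) > MAX_TARGET_ENTRIES:
        result.problems.append(f"{len(entries):,} entries exceeds the {MAX_TARGET_ENTRIES:,} entry limit")
    for e in entries:
        try:
            result.host_count += parse_target(e).host_count
        except ValueError as exc:
            result.problems.append(str(exc))
    if result.host_count > result.host_limit:
        result.problems.append(
            f"{result.host_count:,} hosts exceeds the limit of {result.host_limit:,} "
            f"({multiplier} x {licensed_assets:,} licensed assets)")
    return result


if __name__ == "__main__":
    r = preflight("192.168.0.0/24, 10.0.0.1-10.0.0.10, www.yourdomain.com", 1_000)
    print(r.ok, r.host_count, r.problems)
```

Run it over the target string you are about to submit; a non-empty problems list means the scan would either be rejected outright (bad format) or aborted partway (over the host limit), both of which are cheaper to catch here than after the scanner has started.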

Vulnerability Intelligence
In the Vulnerability Intelligence section, you can review all vulnerabilities known to Tenable without
leaving Tenable Vulnerability Management.

The vulnerabilities come from Tenable’s database, which draws on sources such as internal
expertise, vendor advisories, the GitHub Advisory Database, and the National Vulnerability Database
(NVD).

The Vulnerability Intelligence section also holds curated categories that blend known risk
indicators with insights from the Tenable Research Team to surface the most critical vulnerabilities.

Once you have chosen which vulnerabilities to focus on, compare them to your own findings and build
a list to act on. To do this, use the Query Builder to refine the results and save your searches to
reuse or share.

The following topics explain how to use the tools in the Vulnerability Intelligence section to: 1)
search Tenable’s vulnerability database, 2) view vulnerability profiles, and 3) identify your exposure
when compared to known vulnerabilities.

l Search Known Vulnerabilities

l View Vulnerability Profiles

l Identify Your Exposure

Search Known Vulnerabilities
On the Vulnerability Intelligence page or the Vulnerability Profile page, you can search all
vulnerabilities known to Tenable by Common Vulnerabilities and Exposures (CVE) ID or common
name.

To search for a vulnerability:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence page appears.

3. In the drop-down, select CVE ID or Common Name.

4. In the search box, type a complete or partial search (for example, CVE-2014-0160, 2014, or
Heartbleed).

5. Press the Enter key.

6. In the list of results, click a vulnerability.

The Vulnerability Profile page appears.

View Vulnerability Profiles


On the Vulnerability Intelligence page, when you click a search result or a row in the CVEs tab, the
Vulnerability Profile page appears.

The Vulnerability Profile page breaks down a single vulnerability in detail and includes an event
timeline, your affected assets and products, the sources, and metrics such as risk profile and
severity.

The Vulnerability Profile page has four sections.

In this Section               You Can...

Vulnerability Information     View the Common Vulnerability Scoring System (CVSSv3), Vulnerability
                              Priority Rating (VPR), and Exploit Prediction Scoring System (EPSS)
                              scores. In tabs, review an event timeline, VPR and EPSS trends,
                              identifying plugins, all known affected products, and a summary.

How Does This Affect Me?      View affected assets and products in your environment and build
                              queries to refine the results.

Sources                       View contextual intelligence such as security advisories on the
                              external websites where they appear.

Vulnerability Metrics         In a right-hand pane, review metrics broken down by general
                              information, risk profile, severity, and plugin coverage.

Vulnerability Information

On the Vulnerability Profile page, the Vulnerability Information section provides a short summary
along with the vulnerability's Vulnerability Priority Rating (VPR), Common Vulnerability Scoring
System (CVSSv3), and Exploit Prediction Scoring System (EPSS) scores.

It also contains four tabs, within which you can view an event timeline, VPR and EPSS widgets,
plugin details, known affected products, and a full summary.

Events
The Events tab appears by default and contains a timeline for the vulnerability. Use the horizontal
scroll bar or click an event marker to go to that event. Click event links to open them in your web
browser.

The timeline can contain the following events.

Event Description

Discovery Date Indicates the date Tenable first observed the vulnerability.

NVD Published Indicates the date that the National Vulnerability Database (NVD)
disclosed the vulnerability.

First Tenable Indicates the first time Tenable provided coverage for the vulnerability.
Coverage

First Proof of Indicates the date Tenable first observed a proof of concept for the
Concept vulnerability.

First Functional Indicates the date the first functional exploit for the vulnerability was
Exploit released.

Consec Plugin Appears when a new Container Security Scanner plugin for the
Published vulnerability is released.

LCE Plugin Appears when a new Log Correlation Engine plugin for the vulnerability is
Published released.

Nessus Plugin Appears when a new Tenable Nessus plugin for the vulnerability is
Published released.

NNM Plugin Appears when a new Tenable Nessus Network Monitor plugin for the
Published vulnerability is released.

WAS Plugin Appears when a new Tenable Web App Scanning plugin for the
Published vulnerability is released.

Ransomware Indicates the first time Tenable observed ransomware events for the
vulnerability.

Malware Indicates the first time Tenable observed malware events for the
vulnerability.

Emerging Indicates that Tenable is actively monitoring the vulnerability since it is
Threats being publicly discussed, has a viable proof of concept, and/or is widely
used.

Exploited in the Indicates that the vulnerability has been used in a cyberattack.
Wild

Persistently Appears each time Tenable observes that the vulnerability is being
Exploited persistently exploited.

CISA Known Indicates the date that the Cybersecurity and Infrastructure Security
Exploits Agency (CISA) added the vulnerability to their Known Exploited
Vulnerabilities catalog.

CISA Due-Date Indicates the date by which federal agencies must fix vulnerabilities on
the CISA Known Exploited Vulnerabilities (KEV) list.

Cyber Exposure Appears when Tenable publishes a Cyber Exposure Alert for the
Alert vulnerability.

EPSS Increased Appears when the Exploit Prediction Scoring System (EPSS) increases (for
example, EPSS Increased to 65%).

EPSS Decreased Appears when the EPSS decreases.

EPSS Assigned Appears when an EPSS score is assigned.

VPR Increased Appears when the Vulnerability Priority Rating (VPR) increases (for
example, VPR Increased to 6.1).

VPR Decreased Appears when the VPR decreases.

VPR Assigned Appears when a VPR score is assigned.

Scores
The Scores tab contains ring charts for VPR and EPSS along with trend charts to track how these
scores have changed over time.

In addition, you can review the following VPR Key Drivers.

VPR Driver Description

Age of Indicates the number of days since the vulnerability was discovered.
Vulnerability

CVSSv3 Impact Indicates the NVD-provided CVSSv3 impact score from 0–10. If NVD did not
Score provide a score, Tenable generates one.

Exploit Code Indicates the highest level of exploit maturity for the vulnerability:
Maturity Unproven, PoC, Functional, or High. Drawn from Tenable’s research, as well
as key external sources.

Product Indicates the relative number of unique products affected. Values are Low,
Coverage Medium, High, or Very High.

Threat Intensity Indicates the number and frequency of recent threat events. Values are
Very Low, Low, Medium, High, or Very High.

Threat Sources Lists sources where relevant threat events occurred (for example, social
media or the dark web). If no events were observed in the past 28 days, No
recorded events appears.

Threat Recency Indicates the number of days since a threat event occurred, from 0–180.

Plugins
The Plugins tab lists plugins that detected findings for the vulnerability. From the Source drop-
down, choose between Tenable Web App Scanning and Tenable Nessus.

Column Description

Plugin ID Indicates the ID of the Tenable plugin that detected the finding.

Name Indicates the name of the Tenable plugin that detected the finding.

Family Indicates the type of plugin. For example, with a Tenable Nessus plugin,
Backdoors. Or, with a Tenable Web App Scanning plugin, Code Execution. To
learn more, see About Plugin Families on the Tenable website.

Severity Indicates severity for the detected vulnerability as Low, Medium, or High.

Products
In the Products tab, view affected products by vendor. Next to a vendor, click the drop-down > to
view a list of products.

For example, a vulnerability might have the Vendor canonical with the Product linux.

Tip: Tenable curates this data. It represents all known affected products for a vulnerability, not only yours.
To view only your affected products, go to How Does This Affect Me.

Summary
In the Summary tab, read a summary and Copy it to your clipboard.

How Does This Affect Me


On the Vulnerability Profile page, view your affected assets and products that relate to the current
vulnerability in the How Does This Affect Me? section. You can build queries to refine the results.

Affected Assets
The table of results in the Affected Assets tab has the following columns, which you can show or
hide as described in Customize Tables.

Column Description

Asset ID Indicates the asset’s Universally Unique Identifier (UUID).

Name Indicates the asset identifier, assigned based on the availability of
specific attributes in logical order.

IPv4 Address Indicates the IPv4 address for the affected asset.

IPv6 Address Indicates the IPv6 address for the affected asset.

Vulnerabilities Displays a heatmap for the asset’s vulnerabilities, color coded by severity.
Also lists the number of vulnerabilities.

ACR (Requires Tenable Lumin license) Indicates the Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10, if available.

AES (Requires Tenable Lumin license) Indicates the Tenable-defined Asset
Exposure Score (AES) as an integer from 0 to 1000, if available.

Tags Lists any tags you applied to the affected asset.

Affected Products
The table of results in the Affected Products tab has the following columns.

Column Description

Product Indicates the name of the affected product, using Common Platform
Enumeration (CPE). For example, cpe:/a:apache:httpd. If multiple products are
affected, click the link to view a complete list.

Plugin Name Indicates the name of the Tenable plugin that detected a finding.

Findings Indicates the number of findings affected by the vulnerability which relate to
that product. Click the number to view more information on the Findings
workbench grouped by None.

Assets Affected Indicates the number of assets with active findings relating to that product.
Click the number to open that result on the Findings workbench grouped by Asset.

Sources

In the Sources section, search for and review contextual intelligence such as security advisories on
the external websites where they appear.

This section contains a table with the following columns.

Column Description

Source Links to contextual intelligence about a vulnerability.

Authoritative Indicates if the source is authoritative with a label such as Tenable
Research or NVD (for the National Vulnerability Database).

Source Details Provides more information about the source via labels added by the
Tenable Research Team (for example, Third Party Advisory).

Vulnerability Metrics
In the right-hand Vulnerability Metrics pane, review key details in the following sections.

General Information
In the General Information section, review when a vulnerability was first discovered, how
exploitable it is, and other details.

Field Description

Tenable Discovery Date Indicates the date Tenable first discovered the vulnerability.

NVD Published Indicates the date that the National Vulnerability Database (NVD) added the
Date vulnerability.

Exploitability Describes how easy it is to exploit the vulnerability (for example, Low
Complexity, Network Exploitability).

Exploit Maturity Indicates the highest level of exploit maturity for the vulnerability:
Unproven, PoC, Functional, or High. Drawn from Tenable’s research, as
well as key external sources.

First Proof of Indicates the date the first proof of concept for the vulnerability was
Concept released.

First Functional Indicates the date the first functional exploit for the vulnerability was
Exploit released.

Risk Profile
In the Risk Profile section, see if the Tenable Research Team is tracking a vulnerability, learn which
categories it belongs to, and find out if it can be exploited from a remote network.

Field Description

Categories Indicates the categories the vulnerability belongs to, as described in
Vulnerability Categories. Most vulnerabilities do not have a category.

Tenable Research Watchlist Indicates that Tenable is actively monitoring the vulnerability since
it is being publicly discussed, has a viable proof of concept, and/or is widely used.

Remotely Exploitable Indicates if the vulnerability can be exploited from a remote network.

Proof of Concept Available Indicates if Tenable has identified a proof of concept for this
vulnerability.

Severity Metrics
In the Severity Metrics section, view Common Vulnerability Scoring System (CVSS) v3 or CVSSv2
scores, depending on which are available, along with their vector strings.

Field Description

CVSSv3 Indicates the CVSSv3 score. When not available from NVD, Tenable determines
Base Score this score. To learn more, see CVSS vs. VPR.

CVSSv3 Lists a vector string with the values used to calculate the CVSSv3 score, for
Vector example: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. To learn more, see
this CVSSv3 calculator on the FIRST website.

CVSSv2 Base Score Indicates the CVSSv2 score. When not available from NVD, Tenable determines
this score.

CVSSv2 Vector Lists a vector string with the values used to calculate the CVSSv2 score.

Latest Plugin Coverage


In the Latest Plugin Coverage section, view the most recent Tenable Nessus and Tenable Web App
Scanning plugins to detect the vulnerability. Click the links to view plugin details on Tenable’s
website.

Field Description

Nessus Lists the release date of the newest Tenable Nessus plugin to identify the
vulnerability.

Web App Lists the release date of the newest Tenable Web App Scanning plugin to
Scanning identify the vulnerability.

Identify Your Exposure


On the Vulnerability Intelligence page, you can review all vulnerabilities known to Tenable or only
those in crucial categories such as Recently Actively Exploited. Then, you can compare the list of
vulnerabilities to findings in your environment. This process has two parts: 1) review known
vulnerabilities and, 2) compare them to your findings.

Review Known Vulnerabilities


First, build a list of known vulnerabilities to compare with your own findings.

To review vulnerabilities known to Tenable:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

3. (Optional) Click a hexagon tile to choose a vulnerability category. Or, to search all
vulnerabilities, click the default category to deselect it.

In the CVEs tab on the lower area of the page, a table of results appears.

Tip: Under How Does This Affect Me? click Findings or Affected Assets to open those tabs and
start reviewing your vulnerabilities.

4. (Optional) Use the Query Builder to refine the results, as described in Work with the Query
Builder.

5. (Optional) Click a vulnerability row.

The Vulnerability Intelligence Profile page appears.

Compare Known Vulnerabilities to Your Findings


Once you have built a list of known vulnerabilities, compare them with your findings in the My
Findings tab or the My Affected Assets tab as follows.

Click the My Findings tab and do one of the following:


l Refine your results with the Query Builder.

l In a row, click the number in the Affected Assets column.

The Findings workbench appears. It is grouped by Asset and lists findings for that Tenable
plugin.

l Click the dropdown > to display a list of assets with that finding. Then, click an Asset Name.

The Asset Details page appears.

Click the My Affected Assets tab and do one of the following:

l Refine your results with the Query Builder.

l In a row, click the number in the Plugin Count column.

The Findings workbench appears. It is grouped by Plugin and lists findings for that asset.

l Click the dropdown > to display a list of assets with that finding. Then, click an Asset Name.

A list of plugins that identified findings on that asset appears.

Work with the Query Builder
In the three tabs on the lower part of the Vulnerability Intelligence page, use the Query Builder to
refine your search results with contextual filters.

How Queries Work


Queries are joined by Conditions (for example, AND). They have three components:

l Filter — The search criteria (for example, for a vulnerability, Common Name).

l Operator — The condition to filter on (for example, is not equal to).

l Value — The value to search (for example, a CVE ID of CVE-2024-3272).

Tip: You can nest queries with parentheses. For example, to search for CISA Known Exploited
vulnerabilities where the VPR is greater than five or the EPSS is greater than 50, use:
Category is equal to CISA Known Exploited AND (VPR is greater than 5 OR EPSS Score is greater
than 50) .

Build a Query
To build a query with the Query Builder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence page appears

3. Build a list of CVEs, findings, or affected assets, as described in Identify Your Exposure.

4. Click the query box.

The Filters list appears. To review the filters you can use, see Query Builder Filters.

5. In the Filters list, choose a filter.

The Operators list appears.

6. In the Operators list, choose an operator.

For a filter where the value is text or a number, the Value Hint box appears. Otherwise, the
Value Options list appears.

7. Type a Value or select one from the list.

8. (Optional) Add another query (that is, type a Condition and then add a Filter, an Operator, and a
Value).

9. Click Search or press Enter.

A table of results appears.

Edit a Query
To edit a query, do one of the following.

Action Description

Replace a query component In the query box, click the component to replace. A list of options
appears.

Delete a query component On the query component, click the X.

Clear a query On the right side of the query box, click Clear.

Keyboard Shortcuts
Use the following keyboard shortcuts in the Query Builder.

Shortcut Description

Up Arrow or Down Arrow Navigate lists of open-ended values such as text or numbers.

Right Arrow or Left Arrow Move the cursor in your query or choose a date in the date picker.

Enter Select a query component or date. If no component is selected, apply the query.

Esc Close a list (for example, the Filters list).

Ctrl-C Copy the highlighted text.

Ctrl-V Paste your clipboard contents into the Query Builder.

Ctrl-Z Undo the last action.

Ctrl-Y Redo the last action.

Query Builder Filters


On the Vulnerability Intelligence page and the Vulnerability Profile page, use the Query Builder to
refine your results. Show only the CVEs, findings, or affected assets you want to take action on.

The following table lists the filters you can use with the Query Builder and the tabs they appear in.

ACR
    Filter by Tenable-defined Asset Criticality Rating (ACR) as a number from 1 to 10.
    Appears in: My Findings, My Affected Assets

AES
    Filter by Tenable-defined Asset Exposure Score (AES) as a number from 0 to 1000.
    Appears in: My Findings, My Affected Assets

Asset Name
    Filter by asset name, for example the IPv4 address 206.206.136.40.
    Appears in: My Findings, My Affected Assets

Category
    Filter by category, as described in Vulnerability Categories.
    Appears in: CVEs, My Findings, My Affected Assets

Common Name
    Filter by a vulnerability's common name, for example Log4Shell. Not all vulnerabilities have a
    common name.
    Appears in: CVEs, My Findings, My Affected Assets

CVE ID
    Filter by Common Vulnerabilities and Exposures (CVE) ID, for example CVE-2002-2024.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv2 Base Score
    Filter by the CVSSv2 score for the vulnerability, for example 5.2. When not available from NVD,
    Tenable determines this score. To learn more, see CVSS vs. VPR.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Attack Complexity
    Filter by attack complexity, which defines how difficult it is to use a vulnerability in an
    attack. Choose from High or Low.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Attack Vector
    Filter by attack vector, which defines an attack's location. Choose from Adjacent, Network,
    Local, or Physical.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Availability
    Filter by the expected impact on the affected asset's availability. Choose from High, Low, or
    None. For example, an affected asset with High is completely unavailable.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Base Score
    Filter by the CVSSv3 score for the vulnerability, for example 4.3. When not available from NVD,
    Tenable determines this score. To learn more, see CVSS vs. VPR.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Confidentiality
    Filter by the expected impact of the affected asset's information confidentiality loss. Choose
    from High, Low, or None. For example, an affected asset with High may have a catastrophic
    adverse effect on your organization or customers.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Integrity
    Filter by the expected impact of the affected asset's data integrity loss. Choose from High,
    Low, or None.
    Appears in: CVEs, My Findings, My Affected Assets

CVSSv3 Privileges Required
    Filter by the permission level attackers require to exploit the vulnerability. Choose from
    High, Low, or None. None means attackers need no permissions in your environment and can
    exploit the vulnerability while unauthorized.
    Appears in: CVEs, My Findings, My Affected Assets
CVSSv3 Scope Filter by whether a vulnerability allows attackers to CVEs, My


compromise resources beyond an affected asset's Findings, My
normal authorization privileges. Choose from Affected
Unchanged or Changed. Changed means the Assets
vulnerability increases the affected asset's privileges.

CVSSv3 User Filter by whether a vulnerability requires other users CVEs, My


Interaction (such as end users) for attackers to be able to use it. Findings, My
Choose from Required or None. None is more severe Affected
since it means that no additional user interaction is Assets
required.

EPSS Score Filter by the percentage likelihood that a vulnerability CVEs, My


will be exploited, based on the third-party Exploit Findings, My
Prediction Scoring System (EPSS). Type a number from 1 Affected
to 100 with up to three decimal places, for example, Assets
50.5.

Exploit Maturity Filter by exploit maturity based on sophistication and CVEs, My


availability. This information is drawn from Tenable’s Findings, My
own research as well as key external sources. Choose Affected
from High, Functional, PoC, or Unproven. Assets

First Discovered Filter for the date a vulnerability was first identified. Use CVEs, My
Operators to get results based on a date range, a Findings, My
specific date, vulnerabilities older than a date, and Affected
others. Assets

First Functional Filter for the date a vulnerability was first known to be CVEs, My

- 621 -
Exploit exploited. Use Operators to get results based on a date Findings, My
range, a specific date, vulnerabilities older than a date, Affected
and others. Assets

First Proof of Filter for the date a vulnerability's first proof of concept CVEs, My
Concept was found. Use Operators to get results based on a date Findings, My
range, a specific date, vulnerabilities older than a date, Affected
and others. Assets

IPv4 Address Filter for affected asset IPv4 addresses as a single IP, an My Findings,
IP range, or an IP Classless Inter-Domain Routing (CIDR) My Affected
block. For example, type 172.16.2.1-172.16.2.100. Assets

IPv6 Address Filter for affected asset IPv6 addresses as a single IP, an My Findings,
IP range, or an IP Classless Inter-Domain Routing (CIDR) My Affected
block. For example, type ::ffff:c0a8:102. Assets

Last Seen Filter for the date a finding affected or asset last My Findings,
appeared on a scan. Use Operators to get results based My Affected
on a date range, a specific date, vulnerabilities older Assets
than a date, and others.

Plugins Available Filter by whether or not a vulnerability currently has a CVEs, My


Tenable plugin that detects it. Choose from Yes or No. Findings, My
Affected
Assets

Plugin ID Filter by the ID of the Tenable plugin that detected the CVEs, My
vulnerability, for example 157288. To look up plugin IDs, Findings, My
go to the Tenable website. Affected
Assets

Plugin Name Filter by the name of the Tenable plugin that detected My Findings,
the vulnerability, for example TLS Version 1.1 Protocol My Affected
Deprecated. Assets

Tags Filter by tags on your affected assets by choosing them My Findings,


from a list. To learn more, see Tags. My Affected

- 622 -
Assets

VPR Filter by the Tenable-calculated Vulnerability Priority CVEs, My


Rating (VPR) score, as a number from 1 to 10. Findings, My
Affected
Note: A finding's VPR is based on the VPR of the plugin Assets
that identified it. When plugins are associated with
multiple vulnerabilities, the highest VPR appears.

VPR Threat Filter for a vulnerability's Tenable-calculated threat CVEs, My


Intensity intensity based on the number and frequency of threat Findings, My
events. Choose from Very Low, Low, Medium, High, or Affected
Very High. Assets

Weaponization Filter by whether a vulnerability is judged to be ready for CVEs, My


use in a cyberattack. Choose from Advanced Persistent Findings, My
Threat, Botnet, Malware, Ransomware, or Rootkit. Affected
Assets

Use Saved Searches in Vulnerability Intelligence

On the Vulnerability Intelligence page, you can refine the table of results with the Query Builder and
save your search to re-use or share. This topic explains how to add and manage saved searches.

Save a Search
To save a search:

1. In the three tabs on the lower part of the Vulnerability Intelligence page, refine results with
the Query Builder.

2. Click Saved Filters.

A drop-down appears.

3. Click Save As New Filter.

4. In the New Filter Name box, type a name and click the button.

Run a Saved Search

To run a saved search:

1. In the three tabs on the lower part of the Vulnerability Intelligence page, click Saved Filters.

A drop-down appears with your saved searches.

2. Click any saved search.

Share a Saved Search

To share a saved search:

1. In the three tabs on the lower part of the Vulnerability Intelligence page, click Saved Filters.

A drop-down appears with your saved searches.

2. Click Copy Link.

The system copies the link to your clipboard.

3. Paste the filter link to share it.

Note: Any Tenable Vulnerability Management user can apply a shared search, but the assets they can view
are based on their permissions. To learn more, see Access Control.

Edit a Saved Search


To edit a saved search:

1. In the three tabs on the lower part of the Vulnerability Intelligence page, click Saved Filters.

A drop-down appears with your saved searches.

2. Click the search you want to edit or delete.

3. Do one of the following:

Rename the saved search...


a. Click Edit Name.

b. Type a new name in the box and click the button.

Update the saved search...

a. In the filter box, update the queries the search uses.

b. On the left, click the search name.

c. In the drop-down that appears, click Save Changes

Clone the saved search...


a. In the filter box, update the queries the search uses.

b. On the left, click the search name.

c. In the drop-down that appears, click Save as New Filter.

d. Type a new name in the box and click the button.

Delete a Saved Search


To delete a saved search:

1. In the three tabs on the lower part of the Vulnerability Intelligence page, click Saved Filters.

A drop-down appears with your saved searches.

2. Next to the search to delete, click Delete.

The system permanently deletes the search.

Tip: The system does not delete copies shared to other users.

Export from Vulnerability Intelligence

On the Vulnerability Intelligence page, you can export results from both the My Findings and My
Affected Assets tabs in JSON or CSV format. This enables you to build reports or share data
with your organization.

To export a finding or affected asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence page appears.

3. Refine the results that appear in the table on the lower area of the page, as described in
Identify Your Exposure.

4. In My Findings or My Affected Assets, select the items to export.

Note: You export different items from the Findings and Affected Assets tabs:
- My Findings — In the main table, export findings. In the drop-downs >, export the assets that those findings appear on.
- My Affected Assets — In the main table, export assets. In the drop-downs >, export plugin results for those assets.

Tip: To select all items, in the blue bar above the items to export, click the check box. Then, if your
results span multiple pages, click Select all.

5. In the blue bar, depending on the items to export, click Export Findings, Export
Affected Assets, or Export Plugins.

The Export dialog appears.

6. In the Export dialog, select JSON or CSV and click Export.

The system processes your request. Once processed, a confirmation message appears and
your browser saves the file to your computer. Tenable Vulnerability Management also logs
your request to the Exports page.

Note: If you request a large export and then leave the Vulnerability Intelligence page before it is
processed, you must manually download the file from the Exports page.

CVEs
On the Vulnerability Intelligence page, the CVEs tab shows vulnerabilities from Tenable's database.
All vulnerabilities appear by default, but you can refine the results with vulnerability categories
and the query builder.

The table in the CVEs tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

CVE ID: Indicates the Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability, as assigned by the CISA-sponsored CVE Program.

Common Name: Indicates the informal name of the vulnerability (for example, Log4Shell). Not all vulnerabilities have a common name.

VPR: Indicates the Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

CVSSv2: Indicates the CVSSv2 score for the vulnerability. When not available from NVD, Tenable determines this score. To learn more, see CVSS vs. VPR.

CVSSv3: Indicates the CVSSv3 score for the vulnerability. When not available from NVD, Tenable determines this score.

Exploit Maturity: Indicates the highest level of exploit maturity for the vulnerability: Unproven, PoC, Functional, or High. Drawn from Tenable's research, as well as key external sources.

EPSS: Indicates the likelihood that the vulnerability will be actively exploited, based on the third-party Exploit Prediction Scoring System (EPSS).

First Discovered: Indicates the date the vulnerability was first identified.

First Exploited: Indicates the date of the vulnerability's first-known exploitation.

First PoC: Indicates the date the vulnerability's first proof of concept was discovered.

Plugins: Lists the IDs for the Tenable plugins that detected the vulnerability.

My Findings
On the Vulnerability Intelligence page, the My Findings tab shows all active, new, or resurfaced
findings in your environment that Tenable Vulnerability Management is tracking. Refine the results
with vulnerability categories and the query builder.

The My Findings tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

VPR: Indicates the Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When plugins are associated with multiple vulnerabilities, the highest VPR appears.

Plugin Name: Indicates the name of the Tenable plugin that detected the finding.

Plugin ID: Indicates the ID of the Tenable plugin that detected the finding.

Affected Assets: Indicates the number of affected assets. Click the number to open the Asset Details page.

CVSSv3: Indicates the Common Vulnerability Scoring System (CVSS) v3 score for the finding.

Affected Assets
In any findings row, click the dropdown > to reveal a table of assets on which that finding appears,
with the following columns.

Column Description

Asset Name: Indicates the asset identifier, assigned based on the availability of specific attributes in logical order.

IPv4 Address: Indicates the IPv4 address for the asset.

IPv6 Address: Indicates the IPv6 address for the asset.

ACR: (Requires Tenable Lumin license) Indicates the Tenable-defined Asset Criticality Rating (ACR) as an integer from 1 to 10, if available.

AES: (Requires Tenable Lumin license) Indicates the Tenable-defined Asset Exposure Score as an integer from 0 to 1000, if available.

Last Seen: Indicates the date when the asset last appeared on a scan.

Tags: Lists any asset tags you applied in Tenable Vulnerability Management.

My Affected Assets
On the Vulnerability Intelligence page, the My Affected Assets tab shows all assets in your
environment with a finding that has not yet been fixed. Refine the results with vulnerability
categories and the query builder, or add tags to provide business context.

The My Affected Assets tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

Name: Indicates the name of the asset.

IPv4 Address: Indicates the IPv4 address for the asset.

IPv6 Address: Indicates the IPv6 address for the asset.

Plugin Count: Indicates the number of Tenable plugins that identified findings on the asset. Click the number to review details on the Findings workbench.

ACR: (Requires Tenable Lumin license) Indicates the Tenable-defined Asset Criticality Rating (ACR) as an integer from 1 to 10, if available.

AES: (Requires Tenable Lumin license) Indicates the Tenable-defined Asset Exposure Score as an integer from 0 to 1000, if available.

Tags: Lists any asset tags for the asset.

Plugins
In any asset row, click the dropdown > to reveal a table of plugin results for the findings on that
asset, with the following columns.

Column Description

VPR: Indicates the Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When plugins are associated with multiple vulnerabilities, the highest VPR appears.

Severity: Indicates the vulnerability's severity based on the Common Vulnerability Scoring System (CVSS).

Plugin Name: Indicates the name of the Tenable plugin that detected the finding.

Plugin ID: Indicates the ID of the Tenable plugin that detected the finding.

Findings: Indicates the number of findings detected on the asset.

CVSSv3: Indicates the CVSSv3 score for the finding.

Tag Affected Assets


On the Vulnerability Intelligence page in the My Affected Assets tab, the Tags column shows all
asset tags for your assets. You can add or remove these tags using the steps below.

Add Tags to an Asset


To add tags to an asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence page appears.

3. On the lower part of the page, click My Affected Assets.

4. In My Affected Assets, select the assets to tag.

5. In the blue bar, click Add Tags.

The Add Tags dialog appears.

6. In the Add Tags dialog, do one of the following:

Add new tags...

a. In the two text boxes, type a tag category and value (for example, Location:
Headquarters).

b. After you type the value, in the drop-down that appears, click Create.

The tag appears in the Tags to be Added section.

c. (Optional) Add more tags as needed.

Add recently used tags...

a. In the Recently Used Tags section, click a tag.

The tag appears in the Tags to be Added section.

b. (Optional) Add more tags as needed.

7. Click Add Tags.

The system adds the tag or tags to the assets.

Remove Tags from an Asset


To remove tags from an asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

3. On the lower part of the page, click My Affected Assets.

4. In My Affected Assets, select the assets to remove tags from.

5. In the blue bar, click Remove Tags.

The Remove Tags dialog appears.

6. In the Remove Tags dialog and the Current Tags section, click the tag or tags to remove.

7. Click Remove Tags.

The system removes the tag or tags from the assets.

Vulnerability Categories
The Vulnerability Intelligence page breaks down key vulnerabilities from Tenable's database into
curated categories that you select from hexagon-shaped tiles.

While most vulnerabilities do not belong to categories, the ones that do require quick action when
found in your environment! To learn how to compare your findings to one of these categories, see
Identify Your Exposure.

You can choose from the following categories.

Category Description

Emerging Threats: Vulnerabilities being actively monitored by Tenable in three areas:

- Vulnerabilities Being Monitored — Publicly discussed, but no exploit or proof of concept has been disclosed.

- Vulnerabilities of Interest — Publicly discussed and have a proof of concept that could lead to widespread use by attackers.

- Vulnerabilities of Concern — Widely discussed and large-scale abuse by attackers is being observed.

CISA Known Exploited: Vulnerabilities that appear in the CISA Known Exploited Vulnerabilities Catalog. CISA suggests that you prioritize remediation efforts for these vulnerabilities since they are known to cause immediate harm.

In the News: Vulnerabilities being widely reported in the press with notable coverage over the past 30 days.

Recently Actively Exploited: Vulnerabilities with notable coverage in the press over the past 30 days, and for which Tenable has evidence of active exploitation.

Ransomware: Vulnerabilities used in current or historical ransomware attacks, as determined from evidence gathered by the Tenable Research team.

Persistently Exploited: Vulnerabilities being leveraged by threat actors over an extended period of time in targeted attacks, ransomware, or malware campaigns. These vulnerabilities are manually curated by the Tenable Research team.

Top 50 VPR: The top 50 vulnerabilities by Vulnerability Priority Rating (VPR).

Explore
In Tenable Vulnerability Management, the Explore section presents your organization’s findings and
assets on customizable dashboards and workbenches. This data comes from your scans. Using a
complex algorithm, Tenable Vulnerability Management matches incoming scan data to existing
resources, or creates new ones.

You can view and analyze your data in multiple ways, including visual overviews that enable you to
spot trends, filters that return specific resources, and rich export capabilities—all in a unified
interface.

The Explore section contains three components: the Explore Overview page, the Findings
workbench, and the Assets workbench.

Tip: If you are migrating from legacy workbenches, see Explore vs. Legacy Workbenches for a feature
comparison.

Explore Overview

Findings

Assets

Explore vs. Legacy Workbenches

Vulnerabilities

Assets

Explore Overview
On the Explore Overview page, customizable dashboards present your organization’s findings and
assets in visual overviews that enable you to spot trends. For example, you can view assets by
source, average scan duration over time, or average vulnerabilities per asset over time. Tenable
Vulnerability Management updates your dashboards whenever you run a scan.

Note: Tenable Vulnerability Management indexes your scan data before updating dashboards, so updates
do not appear immediately. Tenable Vulnerability Management may display up to 30 minutes of cached
data before updating dashboards.

View the Explore Overview Page
To view the Explore Overview page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Explore.

The Explore Overview page appears. It contains the following widgets:

Widget Description

Trend - Vulnerabilities, Assets, and Scan Duration: Shows trends for scan results, including host vulnerabilities, assets over time, and scan duration. In the top-right corner, filter by date range.

Assets by Source: Shows trends for assets by source over time, with each source indicated by a colored line. In the top-right corner, filter by date range. Asset counts for this widget are based on scans from the last seven days.

Findings
On the Findings workbench, you can get insight into your organization's findings. These include
vulnerabilities, cloud misconfigurations, host audits, and web application findings.

Note: Tenable Vulnerability Management retains findings data for 15 months.

A finding is a single instance of a vulnerability appearing on an asset, uniquely identified by plugin
ID, port, and protocol. By providing comprehensive information about your findings, Tenable
Vulnerability Management helps you identify potential security risks, gain visibility into under-utilized
resources, and support compliance efforts.

Tenable Vulnerability Management automatically creates or updates findings when a scan
completes or scan results are imported.
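
To show how the plugin ID, port, and protocol key decides whether a scan result creates a new finding or updates an existing one, here is an added Python example. It is not Tenable's implementation, and its state rules are a simplification of the states this guide describes: a first sighting is New, a repeat sighting is Active, a sighting after the finding was Fixed is Resurfaced, and a finding that the latest scan of the asset no longer reports becomes Fixed and gets a Last Fixed date. The asset ID, plugin IDs, and scan dates are constructed.

```python
"""Finding lifecycle keyed by (asset, plugin ID, port, protocol).
Added example, not Tenable code; the state rules are a simplification."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

Key = Tuple[str, int, int, str]  # (asset_id, plugin_id, port, protocol)


@dataclass
class Finding:
    asset_id: str
    plugin_id: int
    port: int
    protocol: str
    state: str                       # New, Active, Resurfaced, or Fixed
    first_seen: datetime
    last_seen: datetime
    last_fixed: Optional[datetime] = None

    @property
    def key(self) -> Key:
        return (self.asset_id, self.plugin_id, self.port, self.protocol)


class FindingStore:
    def __init__(self) -> None:
        self.findings: Dict[Key, Finding] = {}

    def ingest_scan(self, asset_id: str, results: Iterable[Tuple[int, int, str]],
                    scanned_at: datetime) -> None:
        """Match one asset's scan results to existing findings and create the rest.
        results: (plugin_id, port, protocol) triples the scan reported on the asset."""
        seen = set()
        for plugin_id, port, protocol in results:
            key = (asset_id, plugin_id, port, protocol)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                # Same plugin on a different port is a separate finding.
                self.findings[key] = Finding(asset_id, plugin_id, port, protocol,
                                             "New", scanned_at, scanned_at)
            elif f.state == "Fixed":
                f.state, f.last_seen = "Resurfaced", scanned_at  # back after being fixed
            else:
                f.state, f.last_seen = "Active", scanned_at      # seen again
        # Anything still open on this asset that the scan no longer reports is now Fixed.
        for key, f in self.findings.items():
            if key[0] == asset_id and key not in seen and f.state != "Fixed":
                f.state, f.last_fixed = "Fixed", scanned_at

    def states(self) -> Dict[Key, str]:
        return {k: f.state for k, f in self.findings.items()}

    def time_to_fix(self, key: Key) -> Optional[timedelta]:
        """Time Taken to Fix: only meaningful for findings in the Fixed state."""
        f = self.findings[key]
        if f.state != "Fixed" or f.last_fixed is None:
            return None
        return f.last_fixed - f.first_seen


def demo() -> FindingStore:
    """Constructed scan history for one asset; plugin IDs and dates are made up."""
    def day(n: int) -> datetime:
        return datetime(2024, 6, n)

    store = FindingStore()
    store.ingest_scan("asset-a", [(1001, 443, "tcp"), (1001, 8443, "tcp"),
                                  (1002, 22, "tcp")], day(1))
    store.ingest_scan("asset-a", [(1001, 443, "tcp"), (1002, 22, "tcp")], day(3))
    store.ingest_scan("asset-a", [(1001, 443, "tcp"), (1001, 8443, "tcp")], day(10))
    return store


if __name__ == "__main__":
    store = demo()
    for key, state in store.states().items():
        print(key, state, store.time_to_fix(key))
```

Running the demo produces three findings, not two, because plugin 1001 on ports 443 and 8443 are distinct keys; the 8443 finding is Fixed after the second scan and Resurfaced after the third, while plugin 1002 is Fixed nine days after it was first seen.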

See the following topics for more information.

View the Findings Workbench


You can view all your findings on the Findings workbench.

To view your findings:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Explore > Findings.

The Findings workbench appears with the Vulnerabilities tab active.

3. (Optional) Do one of the following:

- To view a finding type, click a tab:
  - Vulnerabilities
  - Cloud Misconfigurations
  - Host Audits
  - Web Application Findings

- In the search box, search for findings by asset name, IPv4 address or range, or Classless
Inter-Domain Routing (CIDR) block, or use a wildcard (*).

- Filter the displayed findings and customize your view, as described in Filter Findings or
Assets.

- Save filters as a custom search, as described in Saved Filters for Findings or Assets.

- Group findings by asset, plugin, and more, as described in Group Your Findings.

- Click Include Info Severity in the upper-right corner to include these findings. This
option only applies to Vulnerabilities and Web Application Findings and is described in
Vulnerability Severity Indicators.

- Filter the displayed findings by time period with a drop-down in the upper-right corner.

- Export findings to CSV or JSON format, as described in Export Findings or Assets.

- View details about a finding, as described in View Finding Details.
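
As an added example (not code from Tenable or this guide), the following Python matches an asset inventory against a search-box query of the kind described above: asset names with a * wildcard, single IPv4 or IPv6 addresses, address ranges such as 172.16.2.1-172.16.2.100, and CIDR blocks, with several identifiers separated by commas as the IPv4 Address column for Web Application Findings later in this guide describes. It also rejects a /0 block, which that column's note says Tenable Vulnerability Management refuses with a 400 Bad Request. The inventory is constructed, and the OR semantics across comma-separated terms are an assumption.

```python
"""Match assets against a search query of names (with * wildcards), single IPs,
IP ranges, and CIDR blocks (added example, not Tenable code)."""
import fnmatch
import ipaddress

# Constructed sample inventory; names and addresses are made up for this example.
ASSETS = [
    {"name": "web-01.example.com", "addresses": ["192.168.0.10"]},
    {"name": "db-01.example.com", "addresses": ["192.168.0.200", "2001:db8::10"]},
    {"name": "vpn-gw", "addresses": ["10.1.2.3"]},
]


def parse_term(term):
    """Classify one search term as ('cidr', net), ('range', (lo, hi)),
    ('ip', addr) or ('name', glob). Raises ValueError on malformed input."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    if "/" in term:
        net = ipaddress.ip_network(term, strict=False)
        if net.prefixlen == 0:
            # A /0 block would match every address; this guide notes the API rejects it.
            raise ValueError("a /0 CIDR block is not accepted")
        return ("cidr", net)
    if "-" in term:
        lo, _, hi = term.partition("-")
        try:
            lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            pass  # the hyphen belongs to a hostname such as web-01; fall through
        else:
            if lo_ip.version != hi_ip.version or hi_ip < lo_ip:
                raise ValueError(f"invalid IP range: {term}")
            return ("range", (lo_ip, hi_ip))
    try:
        return ("ip", ipaddress.ip_address(term))
    except ValueError:
        return ("name", term.lower())  # hostname, possibly with a * wildcard


def asset_matches(asset, kind, value):
    """True if the asset's name or any of its addresses satisfies one parsed term."""
    addrs = [ipaddress.ip_address(a) for a in asset["addresses"]]
    if kind == "name":
        return fnmatch.fnmatchcase(asset["name"].lower(), value)
    if kind == "ip":
        return value in addrs
    if kind == "cidr":
        return any(a in value for a in addrs)   # mixed IPv4/IPv6 simply compares False
    lo, hi = value
    return any(a.version == lo.version and lo <= a <= hi for a in addrs)


def is_accepted(query):
    """True if every comma-separated term in the query parses; False for input
    the search would reject, such as a /0 block."""
    try:
        [parse_term(t) for t in query.split(",")]
        return True
    except ValueError:
        return False


def search(query, assets=ASSETS):
    """Sorted names of assets matching any comma-separated term (OR semantics assumed)."""
    terms = [parse_term(t) for t in query.split(",")]
    return sorted(a["name"] for a in assets
                  if any(asset_matches(a, kind, value) for kind, value in terms))


if __name__ == "__main__":
    for q in ("192.168.0.0/24", "192.168.0.1-192.168.0.100", "web-*, 10.1.2.3",
              "2001:db8::/32"):
        print(f"{q!r:32} -> {search(q)}")
    print("0.0.0.0/0 accepted:", is_accepted("0.0.0.0/0"))
```

The hyphen handling matters: a range is only recognised when both sides parse as addresses, so a hostname like web-01 is still treated as a name pattern rather than a malformed range.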

Vulnerabilities

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Vulnerabilities tab to view your asset vulnerabilities. Common
vulnerabilities include system misconfigurations, unpatched software, poor data encryption, and
weak authorization credentials.

The Vulnerabilities tab contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Column Description

Asset ID: The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management.

Asset Name: The name of the asset. This value is unique to Tenable Vulnerability Management.

Asset Tags: Tags applied to the asset.

IPv4 Address: The IPv4 address for the affected asset.

IPv6 Address: The IPv6 address for the affected asset.

Last Fixed: The last time a previously detected vulnerability was scanned and noted as no longer present on an asset.

Severity: The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

Plugin Name: The name of the plugin that identified the vulnerability detected in the finding.

Plugin ID: The ID of the plugin that identified the vulnerability.

Plugin Family: The family of the plugin that identified the vulnerability.

Port: The port that the scanner used to connect to the asset where the scan detected the vulnerability.

Protocol: The protocol the scanner used to communicate with the asset where the scan detected the vulnerability.

Time Taken to Fix: How long it took your organization to fix a vulnerability identified on a scan, in hours or days. Only appears for Fixed vulnerabilities. Use this filter along with the State filter set to Fixed for more accurate results.

VPR: A descriptive icon indicating the VPR of the vulnerability. For more information, see CVSS vs. VPR.

CVSSv2 Base Score: The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column depending on the Vulnerability Severity Metric setting.

State: The state of the vulnerability.

CVSSv3 Base Score: The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column depending on the Vulnerability Severity Metric setting.

Scan Origin: The scanner that detected the finding. Also identifies if the scan is a workload scan. Possible values for this column are: Tenable Vulnerability Management, Tenable Security Center, and Agentless Assessment.

Region: The cloud region where the asset runs.

Account ID: The unique identifier assigned to the asset resource in the cloud service that hosts the asset.

Live Result: Indicates whether the scan result is based on live results. In Agentless Assessment, you can use live results to view scan results for new plugins based on the most recently collected snapshot data, without running a new scan. The possible values are Yes or No. For more information, see Live Results for Agentless Assessment.

First Seen: The date when a scan first found the vulnerability on an asset.

Last Seen: The date when a scan last found the vulnerability on an asset.

Actions: In this column, click the button to view a drop-down where you can:

- Export — Export to CSV or JSON, as described in Export from Explore Tables.

- Generate Report — Generate a report from a template, as described in Reports.

- Recast — Recast or accept finding severity, as described in Add Recast or Accept Rules in Findings.

- View All Findings — View all findings for an asset, as described in View Asset Details.

- View All Details — View complete details for a finding, as described in View Finding Details.

- Create Remediation Project — Start a new remediation project for an asset, as described in Remediation Projects.

- Launch Remediation Scan — Start a remediation scan to follow up on existing scan results, as described in Launch a Remediation Scan.

Cloud Misconfigurations

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Cloud Misconfigurations tab to view your cloud
misconfigurations. Common cloud misconfigurations include unrestricted inbound and outbound
ports, credential management and encryption, disabled monitoring and logging, insecure automated
backups, and storage access.

The Cloud Misconfigurations tab contains a table with the following columns. To show or hide
columns, see Customize Explore Tables.

Column Description

Resource ID: A unique identifier made up of the resource type and the asset name.

Policy Name: The security policy that governs the affected asset.

Policy Group Name: The group associated with the security policy that governs the affected asset.

Severity: The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

Result: The outcome of the vulnerability scan.

Source: The environment where the affected asset runs.

First Seen: The date when a scan first found the vulnerability on an asset.

Last Seen: The date when a scan last found the vulnerability on an asset.

Asset ID: The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management.

Cloud Provider: The name of the cloud provider that hosts the asset.

IaC Resource Type: The Infrastructure as Code (IaC) resource type of the asset.

Resource Name: The name of the asset where the scanner detected the vulnerability. Tenable Vulnerability Management assigns this identifier based on the presence of certain asset attributes in the following order:

1. Agent Name (if agent-scanned)

2. NetBIOS Name

3. FQDN

4. IPv6 address

5. IPv4 address

For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Resource Name.

Region: The cloud region where the asset runs.

VPC: The virtual private cloud on which the asset is hosted in AWS.

ARN: The unique Amazon Resource Name for the asset in AWS.

Resource Type: The types of assets affected, determined by plugin data.

Benchmark: The benchmark associated with the finding.

Account ID: The unique identifier assigned to the asset resource in the cloud service that hosts the asset.

Repositories: Any code repositories associated with the asset.

Policy Category: The category associated with the security policy that governs the affected asset.

Last Scan Time: The date and time when Tenable Vulnerability Management last scanned the asset.

Updated Time: The date and time when a user last updated the asset.

Actions: In this column, click the button to view a drop-down where you can:

- Export — Export to CSV or JSON, as described in Export from Explore Tables.

- Generate Report — Generate a report from a template, as described in Reports.

- View All Findings — View all findings for an asset, as described in View Asset Details.

Host Audits

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Host Audits tab to view your host audit findings. Host audits
assess workstations, services, or network devices in order to evaluate the configuration, hardening,
and security controls applied to a target. View specific host audit findings to identify issues to
remediate.

The Host Audits tab contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Column Description

Audit Check Name: The name of the compliance check the scanner performed on the affected asset.

Audit File: The name of the audit file the scanner used to perform the compliance check.

Result: The outcome of the compliance check.

Plugin Name: The name of the plugin that identified the compliance check finding.

Asset ID: The UUID of the asset where a scan detected the finding. This value is unique to Tenable Vulnerability Management.

Asset Name: The name of the asset. This value is unique to Tenable Vulnerability Management.

Asset Tags: Tags applied to the asset.

State: The state of the compliance check finding.

Last Audited: The date and time when a scan last performed the compliance check on the asset.

Control ID: The UUID of the control instance applied on the system that hosts the impacted asset. This value is unique to Tenable Vulnerability Management.

Actions: In this column, click the button to view a drop-down where you can:

- Export — Export to CSV or JSON, as described in Export from Explore Tables.

- View All Findings — View all findings for an asset, as described in View Asset Details.

- View All Details — View complete details for a finding, as described in View Finding Details.

Web Application Findings

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Web Application Findings tab to view your web application
findings. Common web application findings include SQL injections, cross-site scripting, local file
inclusions, security misconfigurations, and XML external entity processing.

The Web Application Findings tab contains a table with the following columns. To show or hide
columns, see Customize Explore Tables.

Column Description

Asset ID: The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

Asset Name: The name of the asset where the scanner detected the vulnerability. This value is unique to Tenable Vulnerability Management.

IPv4 Address: The IPv4 address associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: Tenable Vulnerability Management does not support a CIDR mask of /0 for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message.

Severity: The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

Plugin Name: The name of the plugin that identified the vulnerability.

Plugin ID: The ID of the plugin that identified the vulnerability.

Plugin Family: The family of the plugin that identified the vulnerability.

CVSSv2 Base Score: The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column depending on the Vulnerability Severity Metric setting.

CVSSv3 Base Score: The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column depending on the Vulnerability Severity Metric setting.

State: The state of the vulnerability.

First Seen: The date when a scan first found the vulnerability on an asset.

Last Seen: The date when a scan last found the vulnerability on an asset.

Actions: In this column, click the button to view a drop-down where you can:

• Export — Export to CSV or JSON, as described in Export from Explore Tables.

• Recast — Recast or accept finding severity, as described in Add Recast or Accept Rules in Findings.

• View All Findings — View all findings for an asset, as described in View Asset Details.

• View All Details — View complete details for a finding, as described in View Finding Details.
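The identifier forms the IPv4 Address filter accepts, as an added example that is not part of the Tenable guide or Tenable's own code: a small Python parser that splits the comma-separated list into hostnames, single addresses, CIDR blocks and address ranges, refuses a /0 mask the way the product does (a BadRequest exception stands in for the 400 response), and matches candidate assets against the parsed filter. The class and function names, the hostname pattern, and the sample filter values are assumptions made for this example.

```python
"""Parse the asset-identifier list accepted by the IPv4 Address filter (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hostname shape assumed for this example: letters, digits, '.', '_' and '-'.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


class BadRequest(ValueError):
    """Stands in for the 400 Bad Request the product returns for a rejected value."""


@dataclass
class AssetFilter:
    """Typed matchers parsed from one comma-separated filter value."""
    hostnames: List[str] = field(default_factory=list)
    addresses: List[ipaddress.IPv4Address] = field(default_factory=list)
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    ranges: List[IPv4Range] = field(default_factory=list)


def _ipv4(text: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address if text is a dotted IPv4 literal, otherwise None."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None


def parse_asset_filter(value: str) -> AssetFilter:
    """Split a filter value into hostnames, single IPs, CIDR blocks and ranges."""
    parsed = AssetFilter()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue  # tolerate trailing or doubled commas
        if "/" in token:
            try:
                network = ipaddress.IPv4Network(token, strict=False)
            except ValueError as exc:
                raise BadRequest(f"invalid CIDR notation: {token!r}") from exc
            if network.prefixlen == 0:
                # Documented behaviour: /0 would match every address, so it is refused.
                raise BadRequest("CIDR mask /0 is not supported for this parameter")
            parsed.networks.append(network)
            continue
        if "-" in token:
            low_text, _, high_text = token.partition("-")
            low, high = _ipv4(low_text), _ipv4(high_text)
            if low is not None and high is not None:
                if low > high:
                    raise BadRequest(f"range start exceeds range end: {token!r}")
                parsed.ranges.append((low, high))
                continue
            # Not an address range (for example web-01.example.com): treat as a hostname.
        address = _ipv4(token)
        if address is not None:
            parsed.addresses.append(address)
        elif _HOSTNAME_RE.match(token):
            parsed.hostnames.append(token.lower())
        else:
            raise BadRequest(f"unrecognised asset identifier: {token!r}")
    return parsed


def matches(asset_filter: AssetFilter, identifier: str) -> bool:
    """True if a hostname or IPv4 address falls inside the parsed filter."""
    address = _ipv4(identifier)
    if address is None:
        return identifier.lower() in asset_filter.hostnames
    return (
        address in asset_filter.addresses
        or any(address in network for network in asset_filter.networks)
        or any(low <= address <= high for low, high in asset_filter.ranges)
    )


def is_rejected(value: str) -> bool:
    """True when the value is refused, as the product refuses a /0 mask."""
    try:
        parse_asset_filter(value)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed filter value mirroring the forms the guide lists.
    demo = parse_asset_filter("hostname_example, example.com, 192.168.0.0/24, 10.0.0.1-10.0.0.255")
    print(matches(demo, "192.168.0.42"), matches(demo, "10.0.1.1"), is_rejected("0.0.0.0/0"))
```

The hostname and range checks are ordered deliberately: a token containing a hyphen is only treated as a range when both halves parse as IPv4 literals, so hyphenated hostnames are not misread as malformed ranges.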

View Finding Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or Administrator

From the Findings workbench, you can drill down into a single asset to view it on the Finding
Details page. Tenable Vulnerability Management customizes this page by finding type.

To view finding details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Explore > Findings.

The Findings workbench appears with the Vulnerabilities tab active.

3. (Optional) Click another tab to view a different finding type.

The findings for that type appear. Each type has different default columns.

4. Filter the displayed findings and customize your view, as described in Filter Findings or
Assets.

5. Click the row for the finding to view.

At the bottom of the page, a preview appears.

6. In the preview, click See All Details.

The Finding Details page appears. Its layout varies by finding type:

• Vulnerability Details

• Cloud Misconfiguration Details

• Host Audit Details

• Web Application Findings Details

Vulnerability Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For vulnerability
findings, it includes a description, the recommended solution, and the plugin output.

The Finding Details page for vulnerabilities contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description: A description of the Tenable plugin that identified the vulnerability detected in the finding.

Solution: A brief summary of how you can remediate the vulnerability detected in the finding. Only appears if an official solution is available.

See Also: Links to websites that contain helpful information about the vulnerability detected in the finding.

Asset Information: Information about the affected asset, including:

• Asset ID — The UUID of the asset where a scan detected the vulnerability.

• Name — The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

• IPV4 Address — The IPv4 address for the affected asset.

• IPV6 Address — The IPv6 address for the affected asset.

• Operating System — The operating system that the scan identified as installed on the affected asset.

• System Type — The type of operating system that the scan identified as installed on the affected asset.

• Network — The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks.

• Public — Specifies whether the asset is available on a public network. A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Cloud Misconfigurations: The number of resources that failed to comply with the configured policies. Click this number to go to the Cloud Misconfigurations tile and view the affected resources.

Asset Scan Information: Information about the scan that detected the vulnerability, including:

• First Seen — The date when a scan first found the vulnerability on an asset.

• Last Seen — The date when a scan last found the vulnerability on an asset.

• Last Licensed Scan — The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

• Last Authenticated Scan — The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

• Source — The source of the scan that detected the vulnerability on the affected asset.

• Scan Origin — The scanner that detected the finding. It also helps identify whether the scan is a workload scan. Possible values are: Tenable Vulnerability Management, Tenable Security Center, and Agentless Assessment.

Additional Information: Additional information about the vulnerability findings, including:

• Network — The name of the network object associated with scanners that identified the finding. The default network name is Default. For more information, see Networks.

• DNS (FQDN) — The fully qualified domain name of the host on which the vulnerability identified in the finding was detected.

• MAC Address — The static Media Access Control (MAC) address for the affected asset.

• Tenable ID — The unique identifier for the Tenable account associated with the affected asset.

• Installed Software — Software that a scan identified on the affected asset.

• SSH Fingerprint — The SSH key fingerprints that scans have associated with the asset record.

Vulnerability Priority Rating (VPR): (Requires Tenable Lumin license) A descriptive icon indicating the VPR of the vulnerability. For more information, see CVSS vs. VPR.

Asset Criticality Rating (ACR): (Requires Tenable Lumin license) Rates the criticality of an asset to the organization from 1 to 10. A higher value means the asset is more crucial to the business. For more information, see Tenable Lumin Metrics.

Finding State: A descriptive icon indicating the state of the vulnerability. For more information, see Vulnerability States.

Vulnerability Information: Information about the vulnerability that the plugin identified, including:

• Severity — The severity of the vulnerability on the finding.

• Original Severity — The vulnerability's CVSS-based severity from when a scan first detected the finding.

• Vuln Published — The oldest date on which the vulnerability was either documented in an advisory or published in the National Vulnerability Database (NVD).

• Exploitability — Characteristics of the vulnerability that factor into its potential exploitability.

• Exploitability Ease — A description of how easy it is to exploit the vulnerability.

• Exploited With — The most common ways that the vulnerability may be exploited.

• Exploited by Malware — Indicates whether the vulnerability is known to be exploited by malware.

• Exploited by Nessus — Indicates whether Tenable Nessus exploited the vulnerability during the identification process.

• In the News — Indicates whether this plugin has received media attention (for example, ShellShock, Meltdown).

• Last Fixed — The last time a previously detected vulnerability was scanned and noted as no longer present on an asset.

• Malware — Indicates whether the plugin that identified the vulnerability checks for malware.

• Time Taken to Fix — How long it took your organization to fix a vulnerability identified on a scan, in hours or days. Only appears for Fixed vulnerabilities. Use this filter along with the State filter set to Fixed for more accurate results.

• Unsupported by Vendor — Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3).

• Patch Published — Displays when a patch has been published for a vulnerability.

• Port — The port that the scanner used to connect to the asset where the scan detected the vulnerability.

• Protocol — The protocol the scanner used to communicate with the asset where the scan detected the vulnerability.

• Live Result — Indicates whether the scan result is based on live results. In Agentless Assessment, you can use live results to view scan results for new plugins based on the most recently collected snapshot data, without running a new scan. The possible values are Yes or No. For more information, see Live Results for Agentless Assessment.

• CPE — The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

• Asset Inventory — This plugin is a Tenable Inventory plugin.

• Default Account — Any default credentials or accounts.

Discovery: Information about when Tenable Vulnerability Management first discovered the vulnerability, including:

• First Seen — The date when a scan first found the vulnerability on an asset.

• Last Seen — The date when a scan last found the vulnerability on an asset.

• Age — The number of days since a scan first found the vulnerability on an asset in your network.

VPR Key Drivers: Information about the key drivers Tenable uses to calculate a VPR for the vulnerability, including:

• Threat Recency — The number of days (0-730) since a threat event occurred for the vulnerability.

• Threat Intensity — The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

• Exploit Code Maturity — The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (for example, Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

• Age of Vuln — The number of days since the National Vulnerability Database (NVD) published the vulnerability.

• Product Coverage — The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

• CVSS3 Impact Score — The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management shows a Tenable-predicted score.

• Threat Sources — A list of all sources (for example, social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system shows No recorded events.

Plugin Details: Information about the plugin that detected the vulnerability, including:

• Publication Date — The date on which the plugin that identified the vulnerability was published.

• Modification Date — The date on which the plugin was last modified.

• Family — The family of the plugin that identified the vulnerability.

• Type — The general type of plugin check (for example, local or remote).

• Version — The version of the plugin that identified the vulnerability.

• Plugin ID — The ID of the plugin that identified the vulnerability.

Risk Information: Information about the relative risk that the vulnerability presents to the affected asset, including:

• Risk Factor — The CVSS-based risk factor associated with the plugin.

• CVSSV3 Base Score — Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.

• CVSSV3 Temporal Score — Characteristics of a vulnerability that change over time.

• CVSSV3 Vector — More CVSSv3 metrics for the vulnerability.

• CVSSV2 Base Score — Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.

• CVSSV2 Temporal Score — A score that denotes characteristics of a vulnerability that change over time, but not among user environments.

• CVSSV2 Vector — More CVSSv2 metrics for the vulnerability.

• STIG Severity — A vulnerability's severity rating based on the Department of Defense's Security Technical Implementation Guide (STIG).

Reference Information: Industry resources that provide additional information about the vulnerability.

Actions: In the upper-right corner, click the Actions button to view a drop-down where you can:

• Export — Export to CSV or JSON, as described in Export from Explore Tables.

• Generate Report — Generate a report from a template, as described in Reports.

• Recast — Recast or accept finding severity, as described in Add Recast or Accept Rules in Findings.

• View All Findings — View all findings for an asset, as described in View Asset Details.

• View All Details — View complete details for a finding, as described in View Finding Details.

• View All Details in New Tab — View complete details for an asset in a new browser tab.

• Create Remediation Project — Start a new remediation project for an asset, as described in Remediation Projects.

• Launch Remediation Scan — Start a remediation scan to follow up on existing scan results, as described in Launch a Remediation Scan.

Cloud Misconfiguration Details


When you View Finding Details, the Finding Details page varies by finding type. For cloud
misconfiguration findings, it includes policy information, a recommended solution, and details on
the affected asset.

The Finding Details page for cloud misconfigurations contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Policy Group Name: The name of the cloud policy group associated with the affected finding.

Policy Name: The name of the cloud policy associated with the affected finding.

Solution: A brief summary of how you can remediate the vulnerability. This section appears only if an official solution is available.

Asset Information: Information about the affected asset, including:

• Asset ID — The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

• Name — The name of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

• Project — The cloud project associated with the findings and affected asset.

• Region — The cloud region on which the asset resides.

• VPC — The unique identifier of the public cloud that hosts the AWS virtual machine instance. Stands for "virtual private cloud."

• Account ID — The unique identifier assigned to the asset on which a scan detected the finding.

• Resource Name — The asset identifier.

• Types — The types of assets affected, determined by plugin data.

• IaC Resource Type — The Infrastructure as Code (IaC) resource type of the asset.

• Resource Type — The types of resources affected, determined by plugin data.

• Has Drift — Indicates whether the asset has any drifts. For more information, see Set up Drift Analysis in the Legacy Tenable Cloud Security User Guide.

• Is Mapped — Indicates whether the asset is mapped. For more information, see Cloud Scan Workflow in the Legacy Tenable Cloud Security User Guide.

• Is Real — Indicates whether the affected asset exists in a cloud environment.

• Cloud Provider — The name of the cloud provider that hosts the resource.

• Resource ID — The resource ID of the resource.

• Resource Name — The name of the asset where the scanner detected the vulnerability. Tenable Vulnerability Management assigns this identifier based on the presence of certain asset attributes in the following order:

    • Agent Name (if agent-scanned)

    • NetBIOS Name

    • FQDN

    • IPv6 address

    • IPv4 address

  For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Resource Name.

• ARN — The unique Amazon resource name for the asset in AWS.

• Resource Criticality — The criticality rating for the asset according to Container Security, based on the most recent scan.

Additional Information: The number of vulnerabilities the policy detected during the scan.

Asset Scan Information: Information about the scan that detected the vulnerability, including:

• First Seen — The date when a scan first found the vulnerability on an asset.

• Last Seen — The date when a scan last found the vulnerability on an asset.

• Last Licensed Scan — The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

• Last Authenticated Scan — The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

• Source — The source of the scan that detected the vulnerability on the affected asset.

Tags: Tags assigned to the affected asset.

Cloud Misconfiguration Information: Information about the vulnerability finding, including:

• Finding ID — The unique ID for the individual finding. You can view the ID for a finding by accessing the Findings Details page for the finding and checking the page URL. The finding ID is the alphanumeric text that appears in the path between details and asset.

• Project — The cloud project associated with the findings and affected asset.

• Policy Group ID — The type of policy group ID associated with the finding.

• Policy ID — The unique ID for the cloud policy associated with the affected asset.

• Rule ID — The rule ID associated with the finding.

• Environment ID — The environment ID associated with the finding.

• Severity — A descriptive icon that indicates the CVSS-based severity of the vulnerability. For more information, see CVSS vs. VPR.

• Result — The result of the finding.

• Benchmark — The benchmark associated with the finding.

• Policy Category — The policy category associated with the finding.

• IaC Type — The Infrastructure as Code (IaC) resource type of the asset.

• Managed By — The name of the person, group, or company that manages the affected asset.

• Policy Type — The type of cloud policy associated with the finding.

• Rule Reference ID — The reference ID for the security rule for which the scanner found a violation.

• Version — The version associated with the finding.

• Exists in IAC — Indicates whether the affected asset was created via Infrastructure as Code (IaC).

• Exists in Cloud — Indicates whether the affected asset exists in a cloud environment.

• Ignored — Indicates whether Legacy Tenable Cloud Security ignored the policy violation when determining the finding severity.

Cloud Misconfiguration Discovery: Information about when Tenable Vulnerability Management first discovered the vulnerability, including:

• First Seen — The date when Tenable Vulnerability Management first scanned the affected asset.

• Last Seen — The date when Tenable Vulnerability Management last scanned the affected asset.

Actions: In the upper-right corner, click the Actions button to view a drop-down where you can:

• Generate Report — Generate a report from a template, as described in Reports.

• View All Findings — View all findings for an asset, as described in View Asset Details.

Host Audit Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For host audit
findings, it includes a description of the host audit finding, its recommended solution, and a
summary of the corresponding asset.

The Finding Details page for host assets contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description: A brief description of the plugin that identified the finding during a compliance check.

Solution: A brief summary of how you can address the compliance check findings.

Audit File: The name of the audit file the scanner used to perform the compliance check.

See Also: Links to external websites that contain helpful information about the compliance check.

Asset Information: Information about the affected asset, including:

• Asset ID — The UUID of the asset where a scan detected the vulnerability.

• Name — The name of the asset on which the scanner performed a compliance check.

• Operating System — The operating system that the scan identified as installed on the affected asset.

• IPV4 Address — The IPv4 address for the affected asset.

• System Type — The type of system on which the affected asset runs.

• Public — Specifies whether the asset is available on a public network. A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Asset Scan Information: Information about the scan that detected the vulnerability, including:

• First Seen — The date when a scan first found the vulnerability on an asset.

• Last Seen — The date when a scan last found the vulnerability on an asset.

• Last Authenticated Scan — The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

• Last Licensed Scan — The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

• Source — The source of the scan that detected the vulnerability on the affected asset.

Additional Information: Additional information about the affected asset, including:

• Network — The name of the network object associated with scanners that detected the finding. The default network name is Default. For more information, see Networks.

• Network (FQDN) — The fully qualified domain name of the host on which the vulnerability identified in the finding was detected.

• MAC Address — The static Media Access Control (MAC) address for the affected asset.

• Tenable ID — The unique identifier for the Tenable account associated with the affected asset.

• Installed Software — Software that a scan identified on the affected asset.

Policy Value: The plugin output that appears in the finding if the affected asset is compliant with the audit policy.

Actual Value: The plugin output that actually appears in the finding.

Host Audit Information: Information about the compliance check, including:

• Audit Name — The name of the compliance check the scanner performed on the affected asset.

• Audit File — The name of the audit file the scanner used to perform the compliance check.

• Plugin Name — The name of the plugin that identified the compliance check.

• Result — The result for the item in a configuration audit. Results can be: Passed, Warning, or Failed.

• State — An indication about whether the audit finding is currently active on the affected asset. States can be: Active, Fixed, and Resurfaced.

Audit Discovery:

• First Audit — The date and time when a scan first performed the compliance check on the asset.

• Last Audit — The date and time when a scan last performed the compliance check on the asset.

Reference Information: A list of industry resources that provide additional information about the compliance check.

Actions: In the upper-right corner, click the Actions button to view a drop-down where you can:

• Export — Export to CSV or JSON, as described in Export from Explore Tables.

• Generate Report — Generate a report from a template, as described in Reports.

• View All Findings — View all findings for an asset, as described in View Asset Details.

• View All Details — View complete details for a finding, as described in View Finding Details.

• View All Details in New Tab — View complete details for an asset in a new browser tab.
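The Result and State values listed under Host Audit Information, together with the First Audit and Last Audit timestamps under Audit Discovery, as an added example that is not Tenable's code: a Python routine that walks a chronological series of compliance-check results for one check on one asset and derives the Active, Fixed, and Resurfaced states along with the discovery timestamps. The transition rules are an assumption modelled on the state names the guide lists (a check that is non-compliant in the latest run is Active; one that was non-compliant earlier and passes now is Fixed; one that was Fixed and is non-compliant again is Resurfaced); the record type and the sample history are constructed for this example.

```python
"""Derive host audit finding states from a scan history (added example, not Tenable code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Result values the guide lists for a configuration audit item.
COMPLIANT_RESULTS = frozenset({"Passed"})
NON_COMPLIANT_RESULTS = frozenset({"Warning", "Failed"})


@dataclass(frozen=True)
class AuditObservation:
    """One compliance-check outcome from one scan (constructed record type)."""
    scan_time: str  # ISO 8601 timestamp, for example "2024-06-03T02:00:00"
    result: str     # "Passed", "Warning", or "Failed"


def _chronological(history: List[AuditObservation]) -> List[AuditObservation]:
    """Order observations by scan time so out-of-order input is handled."""
    return sorted(history, key=lambda obs: datetime.fromisoformat(obs.scan_time))


def audit_state(history: List[AuditObservation]) -> Optional[str]:
    """Return Active, Fixed, or Resurfaced for the check, or None if it never failed.

    Assumed transition model (the guide names the states, not the rules):
      no state   + non-compliant -> Active
      Active     + compliant     -> Fixed
      Fixed      + non-compliant -> Resurfaced
      Resurfaced + compliant     -> Fixed
    A check that keeps failing keeps its current Active or Resurfaced state.
    """
    state: Optional[str] = None
    for obs in _chronological(history):
        if obs.result in NON_COMPLIANT_RESULTS:
            if state is None:
                state = "Active"
            elif state == "Fixed":
                state = "Resurfaced"
        elif obs.result in COMPLIANT_RESULTS:
            if state in ("Active", "Resurfaced"):
                state = "Fixed"
        else:
            raise ValueError(f"unknown audit result {obs.result!r}")
    return state


def audit_discovery(history: List[AuditObservation]) -> Dict[str, Optional[str]]:
    """Summarise the Audit Discovery and Host Audit Information fields for one check."""
    ordered = _chronological(history)
    if not ordered:
        return {"first_audit": None, "last_audit": None, "result": None, "state": None}
    return {
        "first_audit": ordered[0].scan_time,
        "last_audit": ordered[-1].scan_time,
        "result": ordered[-1].result,
        "state": audit_state(ordered),
    }


# Constructed history for one check on one asset: failed, remediated, then regressed.
SAMPLE_HISTORY = [
    AuditObservation("2024-06-03T02:00:00", "Failed"),
    AuditObservation("2024-06-10T02:00:00", "Passed"),
    AuditObservation("2024-06-17T02:00:00", "Failed"),
]

if __name__ == "__main__":
    print(audit_discovery(SAMPLE_HISTORY))
```

Treating Warning as non-compliant is a deliberate choice for this example: a warning is a control the audit could not confirm as passing, so letting it drive the Active state keeps such items visible until they are resolved.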

Web Application Findings Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For web application
findings, it includes a description, the recommended solution, and details about the affected asset.

The Finding Details page for web application findings contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description A description of the Tenable plugin that identified the vulnerability


detected in the finding.

Solution A brief summary of how you can remediate the vulnerability detected in
the finding. This section appears only if an official solution is available.

See Also Links to external websites that contain helpful information about the
vulnerability detected in the finding.

Asset Information about the affected asset, including:


Information
l Asset ID — The UUID of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability
Management.

l Name — The name of the affected asset. You can click the link in the

- 665 -
name to view details about the affected asset on the Web
Application Details page.

l IPV4 Address — The IPv4 address for your asset.

l Public — Indicates whether or not the asset is public.

Asset Scan Information about the scan that detected the vulnerability, including:
Information
l First Seen — The date and time when a scan first identified the
asset.

l Last Seen — The date and time at which the asset was last observed
as part of a scan.

l Last Licensed Scan — The date and time of the last scan in which
the asset was considered "licensed" and counted towards Tenable's
license limit. A licensed scan uses non-discovery plugins and can
identify vulnerabilities. Unauthenticated scans that run non-
discovery plugins update the Last Licensed Scan field, but not the
Last Authenticated Scan field. For more information on licensed
assets, see Tenable Vulnerability Management Licenses.

l Last Authenticated Scan — The date and time of the last


authenticated scan run against the asset. An authenticated scan
that only uses discovery plugins updates the Last Authenticated
Scan field, but not the Last Licensed Scan field.

l Source — The source of the scan that detected the vulnerability on


the affected asset.

Identification Information about how the plugin identified the vulnerability detected in
the finding, including:

l URL — The target URL where the scanner detected the vulnerability.

l Proof — Output from the scanner's attempt to verify the vulnerability


that proves the vulnerability is exploitable on the affected asset.

l Input Type — The component of the asset where an attacker could


inject malicious code (for example, a form or session cookie). This

- 666 -
section appears only if the asset is vulnerable to injection attacks.

l Input Name — The name of the asset component where an attacker


could inject malicious code. This section appears only if the asset is
vulnerable to injection attacks.

l Output — More detailed information from the plugin about the


vulnerability detected during the scan.

Http Info Information about the HTTP messages between the scanner and the web
application, including:

l HTTP Request — The HTTP request of the scanner that identified the
vulnerability made to the web application.

l HTTP Response — The HTTP response that the web application sent
to the scanner that identified the vulnerability.

Attachments Plugin attachments that include more details about the vulnerability
detected in the finding. This section appears only if attachments are
available.

Vulnerability The Vulnerability Priority Rating Tenable calculated for the vulnerability.
Priority Rating
(VPR)

Finding State The state of the vulnerability detected in the finding. For more
information, see Vulnerability States.

Vulnerability Information Information about the vulnerability that the plugin identified, including:

l Severity — An icon that indicates the severity of the vulnerability.

l Exploitability — Characteristics of the vulnerability that factor into
its potential exploitability.

l Exploited With — The most common ways that the vulnerability may
be exploited.

Discovery Information about when Tenable Vulnerability Management first
discovered the vulnerability detected in the finding, including:
l First Seen — The date when a scan first found the vulnerability on an
asset.

l Last Seen — The date when a scan last found the vulnerability on an
asset.

l Age — The number of days since a scan first found the vulnerability
on an asset in your network.

Plugin Details Information about the plugin that detected the vulnerability in the
finding, including:

l Publication Date — The date on which the plugin that identified the
vulnerability was published.

l Modification Date — The date on which the plugin was last modified.

l Family — The family of the plugin that identified the vulnerability.

l Risk Factor —The CVSS-based risk factor associated with the plugin.

l Plugin ID — The ID of the plugin that identified the vulnerability.

Risk Information Information about the relative risk that the vulnerability presents to the
affected asset, including:

l Risk Factor — The CVSS-based risk factor associated with the plugin.

l CVSSv3 Base Score — The CVSSv3 base score (intrinsic and
fundamental characteristics of a vulnerability that are constant over
time and user environments).

l CVSSv3 Vector — More CVSSv3 metrics for the vulnerability.

l CVSSv2 Base Score — The CVSSv2 base score (intrinsic and
fundamental characteristics of a vulnerability that are constant over
time and user environments).

l CVSSv2 Vector — More CVSSv2 metrics for the vulnerability.

Reference Information Industry resources that provide additional information about the
vulnerability that Tenable Vulnerability Management detected in the
finding, including but not limited to:

l OWASP — A link or links to each Open Web Application Security
Project (OWASP) Top 10 list on which the vulnerability appears.

l OWASP API — A link or links to each OWASP API Top 10 list on which
the vulnerability appears.

l WASC — A link to the Web Application Security Consortium (WASC)
description for the vulnerability's threat classification.

l CWE — A link to the Common Weakness Enumeration (CWE)
description for the vulnerability's CWE identifier.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from
Explore Tables.

l Generate Report — Generate a report from a template, as described
in Reports.

l Recast — Recast or accept finding severity, as described in Add
Recast or Accept Rules in Findings.

l View All Findings — View all findings for an asset, as described in
View Asset Details.

l View All Details — View complete details for a finding, as described
in View Finding Details.

l View All Details in New Tab — View complete details for a finding in
a new browser tab.

Findings Filters
On the Findings page, you can filter and view analytics for the following findings types:

l Vulnerabilities

l Cloud Findings

l Host Audits Findings

l Web Application Vulnerabilities

You can save a set of commonly used filters as a saved filter to access later or share with other
members of your team.

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore >
Findings or Assets views (including Group By tables) to 18.

Note: When Tenable Vulnerability Management identifies the same finding on multiple scans, it only stores
the most recent result. For example, if an Agent scan identifies a finding and then a later Tenable Nessus
scan identifies the same finding, that finding is associated with the Tenable Nessus scan. If you can't
locate a known finding with a filter such as Source, search for the finding directly.

Vulnerabilities Filters

Option Description

Asset ID The UUID of the asset where a scan detected the finding. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset where a scan detected the vulnerability. This
value is unique to Tenable Vulnerability Management. This filter is case-
sensitive, but you can use the wildcard character to turn this off.

Asset Tags A unique filter that searches tag (category: value) pairs. When you type a
tag value, you must use the category: value syntax, including the space
after the colon (:). You can use commas (,) to separate values. If there is
a comma in the tag name, insert a backslash (\) before the comma. You
can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use
the UUID instead.

Bugtraq ID The Bugtraq ID for the plugin that identified the vulnerability.

Canvas Exploit The name of the CANVAS exploit pack that includes the vulnerability.

CERT Advisory ID The ID of the CERT advisory related to the vulnerability.

CERT Vulnerability The ID of the vulnerability in the CERT Vulnerability Notes Database.
ID

CISA KEV Due Date The date by which remediation of a Cybersecurity and Infrastructure
Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog entry is
due under Binding Operational Directive 22-01. Searches by the earliest due
date for KEVs associated with the plugin. For more information, see the
Known Exploited Vulnerabilities Catalog.

CORE Exploit Framework Indicates whether an exploit for the vulnerability exists in the CORE
Impact framework.

CPE The Common Platform Enumeration (CPE) names for the software or platforms
that the plugin identifies.

(200 value limit)

CVE The Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities
that the plugin identifies.

(200 value limit)

CVSSv2 Base The CVSSv2 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

CVSSv2 Temporal Score The CVSSv2 temporal score (characteristics of a vulnerability that
change over time but not among user environments).

CVSSv2 Temporal Vector CVSSv2 temporal metrics for the vulnerability.

CVSSv2 Vector The raw CVSSv2 metrics for the vulnerability. For more information, see
CVSSv2 documentation.

CVSSv3 Base Score The CVSSv3 base score (intrinsic and fundamental characteristics of a
vulnerability that are constant over time and user environments).

CVSSv3 Temporal Score The CVSSv3 temporal score (characteristics of a vulnerability that
change over time but not among user environments).

CVSSv3 Temporal Vector CVSSv3 temporal metrics for the vulnerability.

CVSSv3 Vector More CVSSv3 metrics for the vulnerability.

CWE The Common Weakness Enumeration (CWE) for the vulnerability.

Default/Known Account Indicates whether the plugin that identified the vulnerability checks for
default accounts.

Elliot Exploit The name of the exploit for the vulnerability in the D2 Elliot Web
Exploitation framework.

Exploit Database ID The ID of the vulnerability in the Exploit Database.

Exploitability Ease A description of how easy it is to exploit the vulnerability.

Exploited By Malware Indicates whether the vulnerability is known to be exploited by malware.

Exploited By Indicates whether Tenable Nessus exploited the vulnerability during the
Nessus process of identification.

Exploit Hub Indicates whether an exploit for the vulnerability exists in the ExploitHub
framework.

Finding ID The unique ID for the individual finding.

Note: You can view the ID for a finding by accessing the Findings Details
page for the findings and checking the page URL. The finding ID is the alpha-
numeric text that appears in the path between details and asset.

First Seen The date when a scan first found the vulnerability on an asset.

IAVA ID The ID of the information assurance vulnerability alert (IAVA) for the
vulnerability.

IAVB ID The ID of the information assurance vulnerability bulletin (IAVB) for the
vulnerability.

IAVM Severity The severity of the vulnerability in Information Assurance Vulnerability
Management (IAVM).

IAVT ID The ID of the information assurance vulnerability technical bulletin (IAVT)
for the vulnerability.

In The News Indicates whether this plugin has received media attention (for example,
ShellShock, Meltdown).

IPv4 Address The IPv4 address for the affected asset. You can add up to 256
IP addresses to this filter.

IPv6 Address The IPv6 address for the affected asset.

Last Fixed The last time a previously detected vulnerability was scanned and noted
as no longer present on an asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Malware Indicates whether the plugin that identified the vulnerability checks for
malware.

Metasploit Exploit The name of the related exploit in the Metasploit framework.

Microsoft Bulletin The Microsoft security bulletin that the plugin, which identified the
vulnerability, covers.

Original Severity The vulnerability's CVSS-based severity when a scan first detected the
finding. For more information, see CVSS vs. VPR.

OSVDB ID The ID of the vulnerability in the Open Sourced Vulnerability Database
(OSVDB).

Patch Published The date on which the vendor published a patch for the vulnerability.

Plugin Description The description of the Tenable plugin that identified the vulnerability.
Plugin Family The family of the plugin that identified the vulnerability.

(200 value limit)

Plugin ID The ID of the plugin that identified the vulnerability.

(200 value limit)

Plugin The date at which the plugin that identified the vulnerability was last
Modification Date modified.

Plugin Name The name of the plugin that identified the vulnerability.

Plugin Output Use this filter to return findings with plugin output you specify. You can
search for plugin output that contains a value or does not contain it, as
described in Use Filters.

For example, to search for output that contains "Kernel," in Advanced
mode, type:

Plugin Output contains Kernel

Note: Manually enable this filter in Settings > General Search > Enable
Plugin Output Search. If you do not use this filter for 35 days, it is disabled
again.

Plugin Output search best practices

Since plugin outputs can be large, broad searches may cause system
timeouts. For the best results, combine the Plugin Output filter with the
Plugin ID and Last Seen filters, and limit the number of plugin IDs you
search at once.

Specify plugin ID(s) to search for plugins or exclude them. These
approaches apply to different use cases. For example, include plugins
when searching for software listings by operating system. Exclude
plugins from exploratory searches where the top plugins appear too
frequently.

l Search for output from one plugin:

Plugin Output contains Kernel AND Plugin ID is equal to 110483

l Search for output from multiple plugins:

Plugin Output contains Chrome AND Plugin ID is equal to 45590, 10456

l Search for output from any plugin but the ones listed:

Plugin Output contains Chrome AND Plugin ID is not equal to 45590, 10456
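The expressions above follow a small grammar: terms are joined with AND, a Plugin Output term is a contains / does not contain test, and a Plugin ID term takes a comma-separated list that matches any of the listed IDs for "is equal to" and none of them for "is not equal to". The following Python is an added example, not code from the guide or from Tenable; it parses expressions of that shape and evaluates them against a constructed set of findings so you can see which results each form returns before running an expensive search in the product. It assumes the Plugin Output match is a case-insensitive substring test, which the guide does not state. The plugin outputs are made up for illustration; plugin IDs 110483, 45590 and 10456 are the ones used in the guide's examples, while 900001 and 900002 are placeholders.

```python
import re

# Constructed sample findings; the outputs are invented for illustration and
# 900001 / 900002 are placeholder plugin IDs, not real Tenable plugins.
FINDINGS = [
    {"plugin_id": 110483, "plugin_output": "Running kernel: Linux 5.15.0-91-generic"},
    {"plugin_id": 900001, "plugin_output": "Kernel taint flags: 0x0"},
    {"plugin_id": 45590,  "plugin_output": "Google Chrome 118.0.5993.117 is installed"},
    {"plugin_id": 10456,  "plugin_output": "Chrome update service detected"},
    {"plugin_id": 900002, "plugin_output": "Chrome remote debugging port open"},
]

PLUGIN_ID_VALUE_LIMIT = 200  # the guide's stated cap for the Plugin ID filter

# Operators the guide shows for each field in Advanced mode.
OPERATORS = {
    "Plugin Output": ("contains", "does not contain"),
    "Plugin ID": ("is equal to", "is not equal to"),
}

TERM_RE = re.compile(
    r"^(Plugin Output|Plugin ID)\s+"
    r"(contains|does not contain|is equal to|is not equal to)\s+(.+)$"
)


def parse_filter(expr):
    """Split an Advanced-mode expression into (field, operator, values) terms.

    Terms are joined with AND; a Plugin ID term accepts a comma-separated
    list of IDs. Raises ValueError for an operator the field does not
    support or for more than 200 plugin IDs."""
    terms = []
    for raw in re.split(r"\s+AND\s+", expr.strip()):
        m = TERM_RE.match(raw)
        if not m or m.group(2) not in OPERATORS[m.group(1)]:
            raise ValueError(f"unsupported filter term: {raw!r}")
        field, op, value = m.groups()
        if field == "Plugin ID":
            values = [int(v) for v in value.split(",") if v.strip()]
            if len(values) > PLUGIN_ID_VALUE_LIMIT:
                raise ValueError(f"Plugin ID accepts at most {PLUGIN_ID_VALUE_LIMIT} values")
        else:
            values = [value.strip()]
        terms.append((field, op, values))
    return terms


def term_matches(finding, field, op, values):
    """Evaluate one term against one finding.

    Assumption: Plugin Output matching is a case-insensitive substring
    test; the guide does not state how case is handled."""
    if field == "Plugin Output":
        hit = values[0].lower() in finding["plugin_output"].lower()
        return hit if op == "contains" else not hit
    # Plugin ID: "is equal to" means any listed ID, "is not equal to" means none of them.
    hit = finding["plugin_id"] in values
    return hit if op == "is equal to" else not hit


def apply_filter(expr, findings=FINDINGS):
    """Return the plugin IDs of the findings that satisfy every term, in input order."""
    terms = parse_filter(expr)
    return [f["plugin_id"] for f in findings
            if all(term_matches(f, *term) for term in terms)]


if __name__ == "__main__":
    for q in ("Plugin Output contains Kernel AND Plugin ID is equal to 110483",
              "Plugin Output contains Chrome AND Plugin ID is equal to 45590, 10456",
              "Plugin Output contains Chrome AND Plugin ID is not equal to 45590, 10456"):
        print(q, "->", apply_filter(q))
```

Rejecting an operator the field does not support (for example, Plugin ID contains) and enforcing the 200-value cap up front mirrors the product's own limits, so a malformed expression fails locally rather than after a long-running search times out.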

Plugin Published The date on which the plugin that identified the vulnerability was
published.

Plugin Type The general type of plugin check. Possible options are:

l Local

l Remote

l Local & Remote

Port Information about the port the scanner used to connect to the asset
where the scan detected the vulnerability.

(200 value limit)

Protocol The protocol the scanner used to communicate with the asset where the
scan detected the vulnerability.

Risk Modified The risk modification applied to the vulnerability's severity. Possible
options are:

l Recasted

l Accepted

l None

For more information, see Recast/Accept Rules.

Scan Origin The scanner that detected the finding.

Secunia ID The ID of the Secunia research advisory related to the vulnerability.

See Also Links to external websites that contain helpful information about the
vulnerability.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS
vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Solution A brief summary of how you can remediate the vulnerability.

Source The source of the scan that identified the asset. Possible values are:

l Agent (Tenable Nessus Agent)

l Nessus (Tenable Nessus scan)

l PVS/NNM (Tenable Nessus Network Monitor)

l WAS (Tenable Web App Scanning)

l AWS Connector

l Azure Connector

l GCP Connector

l Qualys Connector

State The state of the vulnerability. Appears in the filters plane by default, with
Active, Resurfaced, and New selected. For more information, see
Vulnerability States.

Stig Severity The STIG severity associated with the finding.

Synopsis A brief description of the plugin or vulnerability.

Target Groups A target group or groups associated with the scan that identified the
vulnerability. For more information, see Target Groups.

Time Taken to Fix How long it took your organization to fix a vulnerability identified on a
scan, in hours or days. Only appears for Fixed vulnerabilities. Use this
filter along with the State filter set to Fixed for more accurate results.

Unsupported by Vendor Software found by this plugin is unsupported by the software's vendor
(for example, Windows 95 or Firefox 3).

VPR The Vulnerability Priority Rating Tenable calculated for the vulnerability.

Vulnerability Published The date when the vulnerability definition was first published (for
example, the date that the CVE was published).

Cloud

Cloud Misconfiguration Filters

Option Description

Filters

Account ID The ID of the cloud account that hosts the asset on which a scan
detected the finding.

ARN The Amazon Resource Name (ARN) for the asset on which a scan
detected the finding.

Asset ID The UUID of the asset on which a scan detected the finding. This
value is unique to Tenable Vulnerability Management.

Benchmark The benchmark associated with the finding.

Cluster The cluster associated with the finding.

Created Time The time and date when Tenable Vulnerability Management created
the asset record on which a scan detected the finding.

Criticality The criticality of the vulnerability finding.

Exists in Cloud Indicates whether the affected cloud resource exists in a cloud
environment.

Exists in IAC Indicates whether the affected asset was created via Infrastructure
as Code (IaC).

Finding ID The unique ID for the individual finding.

Note: You can view the ID for a finding by accessing the Findings
Details page for the findings and checking the page URL. The finding
ID is the alpha-numeric text that appears in the path between details
and asset.

First Seen The date when Tenable Vulnerability Management first scanned the
affected asset.

Found in TF State Indicates whether the finding was discovered in a Terraform (TF) state
file.

IaC Resource The Infrastructure as Code (IAC) resource type of the asset.
Type

IaC Type The Infrastructure as Code (IAC) type of the asset.

Ignored Indicates whether Tenable Vulnerability Management ignored the
policy violation when calculating the finding's severity.

Immutable Drift Indicates whether the asset has immutable drifts. For more
information, see Set up Drift Analysis in the Legacy Tenable Cloud
Security User Guide.

Is Attribute Specifies whether the asset is an attribute.

Last Fixed The date when the finding was last fixed.

Last Scan Time The date when a scan was last run against the finding.

Last Seen The date when Tenable Vulnerability Management last scanned the
affected asset.

Managed By The name of the person, group, or company that manages the
affected asset.

Policy Category The policy category associated with the finding.

Policy ID The unique ID for the cloud policy associated with the affected
asset.

Policy Name The name of the cloud policy associated with the affected asset.

Policy Type The type of the cloud policy associated with the affected asset.

Project The project associated with the finding.

Provider The third-party provider associated with the finding.

Region The cloud region where the affected asset runs.

Repositories Any code repositories associated with the affected asset.

Resource The category of the asset resource in the cloud service that hosts
Category the affected asset.

Resource ID The ID of the asset resource in the cloud service that hosts the
affected asset.

Resource Name The name of the asset resource in the cloud service that hosts the
affected asset.

Resource Type The type of the asset resource in the cloud service that hosts the
affected asset.

Result The outcome of the scan. Possible options are:

l Failed

l Passed

l Unknown

Rule ID The unique ID for the security rule for which the scanner found a
violation.

Rule Reference ID The reference ID for the security rule for which the scanner found a
violation.

Severity The vulnerability's CVSS-based severity. For more information, see
CVSS vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Source Line The source line associated with the finding.

Updated Time The time and date when the asset record was last updated.

Version The version associated with the finding.

VPC The ID of the Amazon Virtual Private Cloud (VPC) that hosts the affected
AWS instance. For more information, see the Amazon Virtual Private Cloud
User Guide.

Host Audit Filters

Option Description

Filters

Asset ID The UUID of the asset where a scan detected the finding. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset on which the scanner performed an audit check.
This value is unique to Tenable Vulnerability Management.

Asset Tags A unique filter that searches tag (category: value) pairs. When you type a
tag value, you must use the category: value syntax, including the space
after the colon (:). You can use commas (,) to separate values. If there is a
comma in the tag name, insert a backslash (\) before the comma. You can
add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the
UUID instead.
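The Asset Tags syntax described here, and identically in the Vulnerabilities filters table earlier, has three details that are easy to get wrong when tag filters are built programmatically: the category and value are separated by a colon followed by a space, tags are separated by commas, and a literal comma inside a tag must be escaped with a backslash. The following Python is an added example, not code from the guide or from Tenable; it splits a filter string into (category, value) pairs with that escaping, enforces the 100-tag cap and the rule that a tag containing double quotes must be filtered by UUID instead, and then applies the pairs to a constructed asset inventory. It assumes that multiple tags in one filter match any-of (an asset matches if it carries at least one listed tag); the guide does not spell out that semantics.

```python
MAX_TAGS = 100  # the guide's stated cap on tags per Asset Tags filter


def split_escaped(text, sep=","):
    """Split text on sep, treating a backslash-escaped sep as a literal character."""
    items, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] == sep:
            buf.append(sep)   # "\," stands for a literal comma inside a tag
            i += 2
            continue
        if ch == sep:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    items.append("".join(buf))
    return items


def parse_asset_tags(text):
    """Parse an Asset Tags filter value into a list of (category, value) pairs.

    Each tag must be written as 'category: value' (colon followed by a
    space), tags are comma-separated, and a literal comma is escaped with a
    backslash, as the guide describes. Raises ValueError on malformed tags,
    on tags containing double quotes, and on more than 100 tags."""
    pairs = []
    for item in split_escaped(text):
        item = item.strip()
        if not item:
            continue
        if ": " not in item:
            raise ValueError(f"tag {item!r} must use 'category: value' syntax")
        category, value = item.split(": ", 1)
        if '"' in category or '"' in value:
            # The guide says such a tag has to be filtered by its UUID instead.
            raise ValueError(f"tag {item!r} contains double quotes; filter by its UUID instead")
        pairs.append((category.strip(), value.strip()))
    if len(pairs) > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} tags are allowed, got {len(pairs)}")
    return pairs


# Constructed sample inventory (asset name -> set of (category, value) tags); not real data.
ASSETS = {
    "web-01": {("Environment", "Production"), ("Owner", "Smith, Jane")},
    "web-02": {("Environment", "Staging"), ("Owner", "Smith, Jane")},
    "db-01": {("Environment", "Production"), ("Owner", "Doe, John")},
}


def assets_matching_tags(text, assets=ASSETS):
    """Return the names of assets carrying at least one of the filtered tags.

    Assumption: several tags in one filter match any-of; the guide does not
    state whether the filter is any-of or all-of."""
    wanted = set(parse_asset_tags(text))
    return sorted(name for name, tags in assets.items() if tags & wanted)


if __name__ == "__main__":
    print(parse_asset_tags("Environment: Production, Owner: Smith\\, Jane"))
    print(assets_matching_tags("Owner: Smith\\, Jane"))
```

Note that the escape is applied before the category/value split, so a comma inside an owner name such as "Smith, Jane" survives as part of the value rather than starting a new tag.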

Audit File The name of the audit file the scanner used to perform the audit. Audit files
are XML-based text files that contain the specific configuration, file
permission, and access control tests to be performed.

Audit Check Name The name Tenable assigned to the audit check. In some cases, the compliance
control may be listed as the prefix within the name.

Benchmark (Not supported in Tenable FedRAMP Moderate) Benchmarks are
published best practices released from source authorities, such as Center
for Internet Security (CIS), United States Defense Information Systems
Agency (DISA), and Microsoft. This filter provides a list of the supported
benchmarks and the version of the benchmark.

Benchmark Specification Name (Not supported in Tenable FedRAMP Moderate) The benchmark name.

Benchmark Version (Not supported in Tenable FedRAMP Moderate) The benchmark version.

Note: Use this filter with the Benchmark filter.

Compliance Control (Not supported in Tenable FedRAMP Moderate) There are a series of
designations within the compliance frameworks that Tenable calls
controls. For example: CSF:DE.CM-3, 800-53:AU-12c, STIG-ID:WN10-AU-000045,
and so on. This is a text-based field to filter on the specific control(s).

Note: Use this filter in conjunction with the Compliance Framework filter.

Compliance Family Name (Not supported in Tenable FedRAMP Moderate) There are a series of
designations within compliance frameworks that Tenable calls controls. For
example: ISO/IEC-27001:A.12.4.1, or CSF:DE.CM-1.

This filter groups the controls into families for easier and more efficient
queries. For example: A12 - Operations security or CSF:Detect.

Note: Use this filter in conjunction with the Compliance Framework filter.

Compliance Framework (Not supported in Tenable FedRAMP Moderate) Tenable audits
configuration compliance with a variety of standards including GDPR, ISO
27000, HIPAA, NIST 800-53, PCI DSS, and so on. This filter allows
searching based on the respective framework.

Control ID An ID that can correlate results with other results that meet a certain
benchmark recommendation. You can use this filter to identify checks in
the audit portal.

First Audited Identifies the first date the audit check was performed on the asset.

FQDNs The fully qualified domain names (FQDNs) for the asset.

IPv4 Address The IPv4 address for the affected asset. You can add up to 256 IP
addresses to this filter.

IPv6 Address The IPv6 address for the affected asset.

Last Audited Identifies the date of the most recent audit check performed on the asset.

Last Fixed The date when the finding was last fixed.

Last Seen The date when a scan last observed the finding.

Original Result The result from the initial audit.

Plugin ID The ID of the Tenable Nessus plugin used to perform the audit check.

Plugin Name The name of the Tenable Nessus plugin used to perform the audit check.

Result The current or modified result from the audit check.

Result Modified Rules can be created to accept or modify the results of an audit check.
This filter allows you to report modified results.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS
vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

State The state of the vulnerability detected in the finding. Appears in the filters
plane by default, with Active, Resurfaced, and New selected. For more
information, see Vulnerability States.

Web Application Vulnerabilities Filters

Option Description

Asset ID The UUID of the asset where a scan detected the vulnerability. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset where the scanner detected the vulnerability. This
value is unique to Tenable Vulnerability Management.

This filter appears on the filter plane by default.

Bugtraq ID The Bugtraq ID for the plugin that identified the vulnerability.

CPE The Common Platform Enumeration (CPE) numbers for vulnerabilities that
the plugin identifies.

(200 value limit)

CVE The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities
that the plugin identifies.

(200 value limit)

CVSSv2 Base The CVSSv2 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

CVSSv2 Vector The raw CVSSv2 metrics for the vulnerability. For more information, see
CVSSv2 documentation.

CVSSv3 Base The CVSSv3 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

CVSSv3 Vector More CVSSv3 metrics for the vulnerability.

CWE The Common Weakness Enumeration (CWE) for the vulnerability.

First Seen The date when a scan first found the vulnerability on an asset.

Input Name The name of the web application component (for example, a form field
or cookie) into which an attacker could inject malicious input.

Input Type The web application component type (for example, form, cookie, header)
into which an attacker could inject malicious input.

IPv4 Address The IPv4 address for the affected asset. You can add up to 256
IP addresses to this filter.

Last Fixed The date when the finding was last fixed.

Last Seen The date when a scan last observed the finding.

Original The vulnerability's CVSS-based severity when a scan first detected the
Severity finding. For more information, see CVSS vs. VPR.

OWASP 2010 The Open Web Application Security Project (OWASP) 2010 category for the
vulnerability targeted by the plugin.

OWASP 2013 The Open Web Application Security Project (OWASP) 2013 category for the
vulnerability targeted by the plugin.

OWASP 2017 The Open Web Application Security Project (OWASP) 2017 category for the
vulnerability targeted by the plugin.

OWASP 2021 The Open Web Application Security Project (OWASP) 2021 category for the
vulnerability targeted by the plugin.

OWASP API 2019 The Open Web Application Security Project (OWASP) 2019 category for the
API vulnerability targeted by the plugin. Possible options are:

l API1:2019 Broken Object Level Authorization

l API2:2019 Broken User Authentication

l API3:2019 Excessive Data Exposure
l API4:2019 Lack of Resources & Rate Limiting

l API5:2019 Broken Function Level Authorization

l API6:2019 Mass Assignment

l API7:2019 Security Misconfiguration

l API8:2019 Injection

l API9:2019 Improper Assets Management

l API10:2019 Insufficient Logging & Monitoring

Plugin The description of the Tenable plugin that identified the vulnerability.
Description

Plugin Family The family of the plugin that identified the vulnerability.

(200 value limit)

Plugin ID The ID of the plugin that identified the vulnerability.

(200 value limit)

Plugin Modification Date The date on which the plugin was last modified.

Plugin Name The name of the plugin that identified the vulnerability.

Plugin The date on which the plugin that identified the vulnerability was published.
Published

Risk Modified The risk modification applied to the vulnerability's severity. Possible options
are:

l Recast

l Accepted

l None

For more information, see Recast/Accept Rules.

See Also Links to external websites that contain helpful information about the
vulnerability.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS
vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Solution A brief summary of how you can remediate the vulnerability.

State The state of the vulnerability detected in the finding. Appears in the filters
plane by default, with Active, Resurfaced, and New selected. For more
information, see Vulnerability States.

Url The complete URL on which the scanner detected the vulnerability.

This filter appears in the filters plane by default.

WASC The Web Application Security Consortium (WASC) category associated with
the vulnerability targeted by the plugin.

Group Your Findings

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, you can group your findings by specific attributes. You can group host
vulnerabilities, cloud misconfigurations, and web application findings, but you cannot group host
audit findings.

To group your vulnerability findings:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Findings.

The Findings page appears, showing a table that lists your findings. By default, the
Vulnerabilities tab is active.

3. Do one of the following:

To group your host vulnerability findings:

a. At the top of the Findings table, next to Group By, click one of the following attributes:

l Asset — The name of the asset where a scan identified a vulnerability.

l Plugin — The name of the plugin that identified a vulnerability.

The Findings table displays your findings grouped by the selected attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Asset

Asset Name The name of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability
Management.

Asset Tags Asset tags for the affected asset. Hover over the first tag
to view any additional tags.

Last Seen The date and time when a scan last found the vulnerability
on the asset.

Asset IP The IPv4 or IPv6 address associated with the asset record.

Vulnerabilities A descriptive image that indicates vulnerability
percentages by CVSS-based severity for each set of
grouped findings. For more information, see CVSS vs. VPR.

Vuln Count The number of vulnerabilities that Tenable Vulnerability
Management identified on each set of grouped findings.

Critical The number of vulnerabilities with a critical CVSS-based
severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

High The number of vulnerabilities with a high CVSS-based
severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

Plugin

Severity The CVSS-based severity score identified on each set of
grouped findings. For more information, see CVSS vs. VPR.

Name The name of the plugin that identified the vulnerability.

Family The family of the plugin that identified the vulnerability.

Plugin ID The ID of the plugin that identified the vulnerability.

Vuln Count The number of vulnerabilities that Tenable Vulnerability
Management identified on each set of grouped findings.

To group your cloud misconfiguration findings:

a. At the top of the Findings table, next to Group By, click one of the following attributes:

l Policy — The cloud policy associated with the affected asset.

l Policy Group — The group associated with the cloud policy that governs the affected
asset.

l Resource Type — The type of the cloud resource (for example, a resource
group or virtual machine).

The Findings table displays your findings grouped by the selected attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Policy

Policy Name The name of the policy associated with the affected asset.

Severity The vulnerability's CVSS-based severity. For more
information, see CVSS vs. VPR.

Source The source of the policy. Possible values are:

l Cloud

l IaC (Infrastructure as Code)

Last Seen The last date the vulnerability was identified in a scan.

Count of Impacted Resources The number of cloud resources the vulnerability impacts.

Policy Group

Policy ID The unique ID for the cloud policy associated with the
affected asset.

Severity The vulnerability's CVSS-based severity. For more
information, see CVSS vs. VPR.

Policy Group The group associated with the security policy that governs
the affected asset.

Exists in Cloud Indicates whether the affected cloud resource exists in a
cloud environment.

Exists in IAC Indicates whether the affected asset was created via
Infrastructure as Code (IaC).

Count of Impacted Resources The number of cloud resources the vulnerability impacts.

Misconfiguration Count The number of misconfigurations that Tenable
Vulnerability Management identified on each set of
grouped findings.

Resource Type

Resource Type The type of the cloud resource (for example, a resource
group or virtual machine) on which the misconfigurations were identified.

Count of Affected Resources The number of cloud resources the vulnerability affects.

Count of Immutable Drift The number of discrepancies between the running cloud
environment on which the affected resource runs and the
Infrastructure as Code (IaC) that was used to deploy it.

Misconfiguration Count The number of misconfigurations that Tenable
Vulnerability Management identified on each set of
grouped findings.

To group your web application findings:

a. At the top of the Findings table, next to Group By, click one of the following attributes:

l Asset — The unique name for the web application associated with the affected
asset.

l Plugin — The name of the plugin that identified a vulnerability.

The web application findings table appears with your findings grouped by the selected
attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Asset

Asset Name The name of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability
Management.

Vulnerabilities A descriptive image that indicates vulnerability


percentages by CVSS-based severity for each set of
grouped findings. For more information, see CVSS vs. VPR.

- 690 -
Critical The number of vulnerabilities with a critical CVSS-based
severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

High The number of vulnerabilities with a high CVSS-based


severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

Vuln Count The number of vulnerabilities that Tenable Vulnerability


Management identified on each set of grouped findings.

Last Seen The date and time when a scan last found the vulnerability
on the asset.

Actions The actions you can perform with each set of grouped
findings.

Plugin

Severity The CVSS-based severity score identified on each set of


grouped findings. For more information, see CVSS vs. VPR.

Name The name of the plugin that identified the vulnerability.

Family The family of the plugin that identified the vulnerability.

CVSSv2 Base Score The CVSSv2 base score (intrinsic and fundamental
characteristics of a vulnerability that are constant over
time and user environments).

Note: Based on your severity metric settings, this parameter


may display CVSSv3 base scores. For more information, see
General Settings.

Plugin ID The ID of the plugin that identified the vulnerability.

Asset Count The number of assets that Tenable Vulnerability


Management identified on each set of grouped findings.

- 691 -
Vuln Count The number of vulnerabilities that Tenable Vulnerability
Management identified on each set of grouped findings.

Actions The actions you can perform with each set of grouped
findings.

Add Recast or Accept Rules in Findings


In Tenable Vulnerability Management, you can create rules for your vulnerability findings to
customize how they present risk. While Recast rules change the severity of your findings, Accept
rules accept their risk without modifying severity.

Tip: This topic describes how to create rules from the Findings workbench, but you can also create rules
from the Tenable Vulnerability Management Settings. For more information, including examples on when
to create rules, see Recast/Accept Rules.

Note: If a rule is targeted by IP address, that rule applies to the specified IP in each network in which it is
found. For more information, see Networks.

Create a Recast Rule in Findings


To create a Recast rule from the Findings workbench:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane and the Explore section, click Findings.

The Findings page appears with the Vulnerabilities tab active and your findings shown in a
table view.

3. (Optional) Click Web Application Findings.

The Web Application Findings tab appears.

4. In the row for the finding to create a rule for, click the button.

A drop-down menu appears.

5. Click Recast.

The Add Rule plane appears.

6. In the Rule Information section, complete the following options:


a. Vulnerability Plugin ID – Type the ID of the plugin to recast, if different than the one
preselected. For example, 51192.

Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator
changes to match the default severity of the vulnerability.

b. New Severity – Select the desired severity level for the vulnerability.

c. Targets – Select All to target all assets or Custom to specify targets that you want the
rule to run against.

Note: If you set the Targets drop-down to All, a warning appears indicating that this option
may override existing rules.

d. Target Hosts – Type one or more custom targets for the rule, if necessary. You can type
a comma-separated list that includes any combination of IP addresses, IP ranges, CIDR,
and hostnames.

Caution: You can only specify 1000 comma-separated custom entries. If you want to target a
larger number of custom entries, create multiple rules.

e. (Optional) Expires – Select when you want the rule to expire.

f. (Optional) Comments – Type a description of the rule. This option is only visible when the
rule is modified.

7. Click Save.

Tenable Vulnerability Management starts applying the rule to existing findings. This process
may take some time, depending on the system load and the number of matching findings.
Tenable Vulnerability Management updates your dashboards, where a label appears to indicate
how many instances of affected findings were recast.

Note: A recast rule does not affect the historical results of a scan.

Create an Accept Rule in Findings

To create an Accept rule from the Findings workbench:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane and the Explore section, click Findings.

The Findings page appears with the Vulnerabilities tab active and your findings shown in a
table view.

3. (Optional) Click Web Application Findings.

The Web Application Findings tab appears.

4. In the row for the finding to create a rule for, click the button.

A drop-down menu appears.

5. Click Recast.

The Add Recast Rule plane appears.

6. On the Add Recast Rule plane, in the Action section, click Accept.

7. In the Rule Information section, complete the following options:


a. Vulnerability Plugin ID – Type the ID of the plugin to accept, if different than the one
preselected. For example, 51192.

Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator
changes to match the default severity of the vulnerability.

b. Targets – Select All to target all assets or Custom to specify targets that you want the
rule to run against.

c. Target Hosts – Type one or more custom targets for the rule, if necessary. You can type
a comma-separated list that includes any combination of IP addresses, IP ranges, CIDR,
and hostnames.

Caution: You can only specify 1000 comma-separated custom entries. If you want to target a
larger number of custom entries, create multiple rules.

d. (Optional) Expires – Select when you want the rule to expire.

e. (Optional) Comments – Type a description of the rule. This option is only visible when the
rule is modified.

8. (Optional) To report the vulnerability as a false positive:


a. Enable the Report as false positive toggle.

A Message To Tenable box appears.

b. In the Message to Tenable box, type a description of the false positive.

9. Click Save.

Tenable Vulnerability Management starts applying the rule to existing findings. This process
may take some time, depending on the system load and the number of matching findings.
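Both procedures above accept a Target Hosts list that mixes IP addresses, IP ranges, CIDR blocks and hostnames, and both cap a single rule at 1000 comma-separated custom entries. The following Python example, added here and not part of the Tenable user guide or product code, validates such a list and splits it into rule-sized batches before anything is pasted into the Add Rule plane or pushed through automation. The RuleSpec class, its field names and the sample target list are constructed for this example; it does not call the Tenable API.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Cap on comma-separated custom targets per rule, as stated in the guide's Caution.
MAX_TARGETS_PER_RULE = 1000

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def classify_target(target: str) -> str:
    """Return 'ip', 'cidr', 'range' or 'hostname' for one Target Hosts entry.

    Raises ValueError for anything the field would not accept, so a typo is
    caught before a rule silently matches nothing (or the wrong hosts).
    """
    t = target.strip()
    if not t:
        raise ValueError("empty target")
    try:
        ipaddress.ip_address(t)
        return "ip"
    except ValueError:
        pass
    if "/" in t:
        ipaddress.ip_network(t, strict=False)  # raises ValueError if malformed
        return "cidr"
    if t.count("-") == 1:
        first, last = (p.strip() for p in t.split("-"))
        try:
            start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        except ValueError:
            start = end = None  # not a range; fall through to the hostname check
        if start is not None:
            if start.version != end.version or int(end) < int(start):
                raise ValueError(f"invalid IP range: {t}")
            return "range"
    if _HOSTNAME_RE.match(t):
        return "hostname"
    raise ValueError(f"unrecognised target: {t}")


@dataclass
class RuleSpec:
    """The values the Add Rule plane collects (constructed for this example)."""
    plugin_id: int
    action: str                          # "recast" or "accept"
    targets: List[str] = field(default_factory=list)
    new_severity: Optional[str] = None   # recast rules only
    expires: Optional[str] = None        # optional expiry date, ISO 8601
    comment: str = ""

    def target_hosts(self) -> str:
        """The comma-separated string to paste into Target Hosts."""
        return ",".join(self.targets)


def split_into_rules(plugin_id: int, action: str, raw_targets: List[str],
                     new_severity: Optional[str] = None,
                     expires: Optional[str] = None,
                     comment: str = "") -> List[RuleSpec]:
    """Validate, de-duplicate and chunk targets into rules of at most 1000 entries."""
    if action == "recast" and new_severity is None:
        raise ValueError("a Recast rule needs a New Severity")
    if action == "accept" and new_severity is not None:
        raise ValueError("an Accept rule keeps the original severity")
    seen = set()
    clean: List[str] = []
    for raw in raw_targets:
        t = raw.strip()
        classify_target(t)          # raises on malformed input
        key = t.lower()             # hostnames are case-insensitive
        if key not in seen:
            seen.add(key)
            clean.append(t)
    return [
        RuleSpec(plugin_id, action, clean[i:i + MAX_TARGETS_PER_RULE],
                 new_severity, expires, comment)
        for i in range(0, len(clean), MAX_TARGETS_PER_RULE)
    ]


if __name__ == "__main__":
    # Constructed sample: 2500 hostnames plus a few mixed entries exceed one rule's cap.
    sample = [f"host{i}.corp.example" for i in range(2500)]
    sample += ["10.0.0.5", "10.0.1.0/24", "192.168.1.10-192.168.1.20", "HOST0.corp.example"]
    rules = split_into_rules(51192, "recast", sample, new_severity="Low",
                             expires="2025-01-31",
                             comment="Mitigated by WAF; re-check at expiry")
    for n, rule in enumerate(rules, 1):
        print(f"rule {n}: {len(rule.targets)} targets, first={rule.targets[0]}")
```

Each RuleSpec carries the same plugin ID, severity, expiry and comment, so the batches behave as one rule split only by target count; setting an expiry on every batch keeps an accepted risk from outliving the decision that justified it.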

Generate a Findings Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, on the Findings workbench, you can generate a report to PDF
from a template. You can schedule this report and email it.

Note: You cannot generate a report for more than 10,000 findings. When you select more than that number
of findings and generate a report, an error appears.

Note: You can only generate reports for vulnerabilities findings, not other finding types.

To generate a report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Findings.

The Findings workbench appears with the Vulnerabilities tab displayed.

3. (Optional) Refine the list of findings, as described in Use Filters.

Note: You can apply a maximum of 5 filters to a report.

4. Select the check box or check boxes next to the findings to report on.

Tip: Select the check box at the top of the list to select all findings.

The action bar appears.

5. In the action bar, click Generate Report.

The Generate Report plane appears. It contains the following options:

Option Description

Name (Optional) Type a custom name for the report.

Templates Select a template for the report. Choose from the following templates:

l Host Findings Executive Summary Report — Summarizes severity levels for the vulnerabilities you are reporting on, as well as the criticality, last scan time, and port count of the associated assets.

l Host Findings Vulnerability Details by Plugin — Details the vulnerabilities you are reporting on by plugin.

l Host Findings Vulnerability Details by Asset — Details associated assets for the vulnerabilities you are reporting on.

Schedule Turn on the Schedule toggle to schedule the report:

a. In the Start Date and Time section, choose the date and time when the report will run.

b. In the Time Zone drop-down, choose a time zone.

c. In the Repeat drop-down, choose the cadence on which you want the report to repeat (for example, daily).

d. In the Repeat Ends drop-down, choose the date when the report will stop running.

Add Recipients (Optional) Type the email addresses to which you want Tenable Vulnerability Management to send the finished report.

Password Protection (Optional) Enable this toggle to password-protect your report with AES 128-bit encryption. In the Encryption Password field, type a password to provide to the recipients.

6. Click Generate Report.

A confirmation message appears and Tenable Vulnerability Management starts to build the
report. Click the link in the message to view the report. Or, go to the Act > Reports > Report
Results page.

Assets
On the Assets workbench, you can get insight into your organization's assets. These include host
assets, cloud resources, web applications, and domain inventory.

Assets are entities of value on a network that can be exploited. They include laptops, desktops, servers, routers, mobile phones, virtual machines, software containers, and cloud instances. By providing comprehensive information about your assets, Tenable Vulnerability Management helps to eliminate potential security risks, identify under-utilized resources, and support compliance efforts.

Tenable Vulnerability Management automatically creates or updates assets when a scan completes or scan results are imported. Tenable Vulnerability Management attempts to match incoming scan data to existing assets through an algorithm that compares host attributes and applies heuristics to choose the best possible match. If Tenable Vulnerability Management cannot find a match, it assumes this is the first time it has encountered the asset and creates a new record. If it finds a matching asset, it updates any changed properties.

When available, Tenable Vulnerability Management gathers the following additional asset information:

l Interfaces (IP address and MAC address)

l DNS names

l NetBIOS names

l Operating system(s)

l Installed software

l UUIDs (Tenable, ePO, BIOS)

l Whether an agent is present
See the following topics for more information.

View the Assets Workbench


You can view all your assets on the Assets workbench.

To view your assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Explore > Assets.

The Assets workbench appears with the Hosts tile active.

3. (Optional) Do one of the following:

l To customize which asset types appear, select or deselect tiles:

l Host Assets

l Cloud Resources

l Web Applications

l Domain Inventory

l In the Search box, search by Agent Name, NetBIOS Name, DNS (FQDN), or IP Address.
Use (*) as a wildcard.

l Filter the displayed assets and customize your view, as described in Filter Findings or
Assets.

Tip: To view definitions for all Asset filters, see Asset Filters.

l Save filters as a custom search, as described in Saved Filters for Findings or Assets.

l Export assets to CSV or JSON format, as described in Export Findings or Assets.

l Filter the displayed assets by time period with a drop-down in the upper-right corner.

l View details about an asset, as described in View Asset Details.

l View visualizations for the displayed assets, as described in View Asset Visualizations.

Host Assets

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your host assets, select the Hosts tile and deselect other
tiles. Common host assets include workstations, servers, virtual machines, printers, network
switches, routers, and wireless access points.

The Hosts tile contains a table with the following columns. To show or hide columns, see Customize
Explore Tables.

Column Description

Asset ID The UUID of the asset. This value is unique to Tenable Vulnerability Management.

Name The asset identifier, assigned from the first available attribute in the logical order described under Host Asset Details (agent name, NetBIOS name, local hostname, FQDN, IPv4 address, IPv6 address).

AES The Asset Exposure Score of the asset.

ACR The Asset Criticality Rating of the asset.

IPV4 Address The IPv4 address for the asset.

IPV6 Address The IPv6 address for the asset.

Operating System The operating system that a scan identified as installed on the asset.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For more information, see Tenable Vulnerability Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date and time when a scan last identified the asset.

Last Licensed Scan The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

Last Authenticated Scan The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

System Type The system type as reported by Plugin ID 54615. For more information, see Tenable Plugins.

NetBIOS Name The asset's NetBIOS name.

DNS (FQDN) The fully qualified domain name of the asset host.

Note: When processing fully qualified domain names (FQDNs) for host assets, Tenable Vulnerability Management normalizes all FQDNs to lowercase and then merges any duplicates.

MAC Address A MAC address that a scan has associated with the asset record.

ServiceNow Sys ID Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

Agent Name The name of the Tenable Nessus Agent that scanned and identified the asset.

Created Date The date and time when Tenable Vulnerability Management created the asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated the asset record.

Has Plugin Results Specifies whether the asset has plugin results associated with it.

Public Specifies whether the asset is available on a public network.

Note: A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

AWS Availability Zone Where applicable, the AWS availability zone of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS EC2 AMI ID Where applicable, the AWS EC2 AMI ID of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS EC2 Instance ID Where applicable, the AWS EC2 instance ID of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Security Group Where applicable, the AWS security group of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Instance State Where applicable, the AWS instance state of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Instance Type Where applicable, the AWS instance type of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS EC2 Name Where applicable, the AWS EC2 name of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS EC2 Product Code Where applicable, the AWS EC2 product code of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Owner ID Where applicable, the AWS owner ID of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Region Where applicable, the AWS region of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS Subnet ID Where applicable, the AWS subnet ID of the asset, as described in the Tenable Vulnerability Management AWS documentation.

AWS VPC ID Where applicable, the AWS VPC ID of the asset, as described in the Tenable Vulnerability Management AWS documentation.

Azure Resource ID Where applicable, the Azure resource ID of the asset, as described in the Tenable Vulnerability Management Microsoft Azure documentation.

Azure VM ID Where applicable, the Azure VM ID of the asset, as described in the Tenable Vulnerability Management Microsoft Azure documentation.

Google Cloud Instance ID Where applicable, the Google Cloud instance ID of the asset, as described in the Tenable Vulnerability Management Google Cloud Platform documentation.

Google Cloud Project ID Where applicable, the Google Cloud project ID of the asset, as described in the Tenable Vulnerability Management Google Cloud Platform documentation.

Google Cloud Zone Where applicable, the Google Cloud zone of the asset, as described in the Tenable Vulnerability Management Google Cloud Platform documentation.

Resource Tags Specifies the tags or labels imported from the cloud provider. This field appears for assets whose source is Cloud Discovery Connector.

Note: Tenable Vulnerability Management imports tags and labels with the following considerations:

l For AWS and Azure, the limit is 50 tags per resource.

l For GCP, the limit is 64 labels per resource.

l Tenable Vulnerability Management does not support importing JSON strings for Azure tags.

Cloud Provider Indicates whether the asset is from AWS, Azure, or GCP.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

l Edit ACR – (Tenable Lumin-only). Edit the Asset Criticality Rating, as described in Edit the ACR for Host Assets.

l Move — Move an asset to another network, as described in Move Assets to Another Network.

l View All Details — View complete details for an asset, as described in View Asset Details.

l View All Details in New Tab — View complete details for an asset in a new browser tab.

l View All Solutions — View available solutions for asset vulnerabilities, as described in Solutions.

l Delete — Permanently delete an asset, as described in Delete Assets.
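The Name column above is filled from the first available attribute in a fixed order (listed under Host Asset Details later in this guide: agent name, NetBIOS name, local hostname, FQDN, IPv4 address, IPv6 address), and the DNS (FQDN) note says FQDNs are lowercased before duplicates are merged. The following Python example, added here and not Tenable's code, applies both rules to a constructed set of asset records, for instance to reconcile a CSV or JSON export against a CMDB before acting on a Delete or Move. The record field names and the sample data are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Display-name precedence listed under Host Asset Details in this guide.
NAME_PRECEDENCE = ("agent_name", "netbios_name", "hostname", "fqdn", "ipv4", "ipv6")


def display_name(asset: Dict[str, object]) -> str:
    """Return the first populated attribute in precedence order."""
    for attr in NAME_PRECEDENCE:
        value = asset.get(attr)
        if value:
            return str(value)
    raise ValueError(f"asset {asset.get('id')} has no identifying attribute")


def normalize_fqdn(fqdn: Optional[str]) -> Optional[str]:
    """Lowercase the FQDN (and drop a trailing root dot) so case variants compare equal."""
    if not fqdn or not fqdn.strip():
        return None
    return fqdn.strip().rstrip(".").lower()


def merge_by_fqdn(assets: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Collapse records whose normalized FQDNs collide into one record.

    The first record seen keeps its values; later duplicates only fill fields the
    first left empty, and their IDs are recorded in "merged_ids". Records without
    an FQDN are keyed by their own ID and never merged.
    """
    by_key: Dict[str, Dict[str, object]] = {}
    order: List[str] = []
    for a in assets:
        rec = dict(a)
        rec["fqdn"] = normalize_fqdn(rec.get("fqdn"))
        key = rec["fqdn"] or str(rec.get("id"))
        if key in by_key:
            existing = by_key[key]
            for k, v in rec.items():
                if v and not existing.get(k):
                    existing[k] = v
            existing.setdefault("merged_ids", []).append(rec.get("id"))
        else:
            by_key[key] = rec
            order.append(key)
    return [by_key[k] for k in order]


# Constructed sample: one agent-scanned host, two case-variant records for the same
# web server, and one host known only by its IP address.
SAMPLE_ASSETS = [
    {"id": "a1", "agent_name": "agent-db01", "netbios_name": "DB01",
     "fqdn": "DB01.corp.example", "ipv4": "10.0.0.5"},
    {"id": "a2", "fqdn": "WEB01.Corp.Example", "ipv4": None},
    {"id": "a3", "fqdn": "web01.corp.example.", "ipv4": "10.0.0.7"},
    {"id": "a4", "ipv4": "10.0.0.9"},
]

if __name__ == "__main__":
    for rec in merge_by_fqdn(SAMPLE_ASSETS):
        print(display_name(rec), rec.get("fqdn"), rec.get("ipv4"), rec.get("merged_ids", []))
```

A record that is only ever identified by its IP address ends up named by that address, which is the case to look for before deleting "unknown" assets: it usually means no credentialed or agent scan has ever reached the host.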

Cloud Resources

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your cloud resources, select the Cloud Resources tile and
deselect other tiles. A cloud resource can be any compute instance, storage object, networking
device, or object you can create or configure within a cloud platform. Examples of cloud resources
include assets such as virtual servers, buckets, databases, disks, and containers. Other examples of
cloud resources are configurable items such as resource groups, policies, users, and roles.

The Cloud Resources tile contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Column Description

Asset ID The UUID of the asset where a scan detected the finding. This value is unique
to Tenable Vulnerability Management.

Name Indicates the asset identifier, assigned based on the availability of specific
attributes in logical order.

Resource The name of the cloud resource type (for example, a resource group or virtual
Type machine).

Resource The name of the category to which your cloud resource type belongs (for
Category example, object storage or virtual network).

Resource Tags synced from a cloud source such as Amazon Web Services (AWS). Only
Tags the first tag is shown. Hover on the displayed tag to view a complete list.

Cloud The name of the cloud provider that hosts the asset.
Provider

Region The cloud region where the asset runs.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For more information, see Tenable Vulnerability Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date and time when a scan last identified the asset.

Source The source of the scan that identified the asset.

Tags Any Tenable Vulnerability Management tags applied to the asset.

Created Date The date and time when Tenable Vulnerability Management created the asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated the asset record.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

Web Applications

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your web application assets, select the Web Applications
tile and deselect other tiles. A web application is software that runs in a browser. Examples of web
applications are: workplace collaboration apps, ecommerce apps, email apps, and banking apps.

The Web Applications tile contains a table with the following columns. To show or hide columns,
see Customize Explore Tables.

Column Description

Asset ID The UUID of the asset. This value is unique to Tenable Vulnerability Management.

Name The asset identifier, assigned based on the availability of specific attributes in logical order.

AES The Asset Exposure Score of the asset.

ACR The Asset Criticality Rating of the asset.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For more information, see Tenable Vulnerability Management Licenses.

SSL/TLS Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption.

IPV4 Address The IPv4 address for the asset.

Operating System The operating system installed on the asset.

First Seen The date and time when a scan first identified the asset.

Last Seen The date and time when a scan last identified the asset.

Last Licensed Scan The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

Last Authenticated Scan The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

Public Specifies whether the asset is available on a public network.

Note: A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

Created Date The date and time when Tenable Vulnerability Management created the asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated the asset record.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

l View All Details — View complete details for the asset, as described in View Asset Details.

l Delete — Permanently delete an asset, as described in Delete Assets.
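The Last Licensed Scan and Last Authenticated Scan columns in the Host Assets and Web Applications tables above advance under different conditions: any scan that runs non-discovery plugins is a licensed scan, authenticated or not, and any authenticated scan updates the authenticated timestamp even if it ran only discovery plugins. The following Python example, added here and not Tenable's code, replays a constructed scan history through those two rules and then lists the licensed assets that have never been scanned with credentials, the population whose findings come from remote checks alone. The event fields and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ScanEvent:
    """One completed scan against one asset (field names are assumptions for this example)."""
    asset_id: str
    finished: datetime
    authenticated: bool       # credentials were supplied and accepted
    ran_non_discovery: bool   # at least one non-discovery (vulnerability) plugin ran


@dataclass
class AssetScanState:
    last_licensed_scan: Optional[datetime] = None
    last_authenticated_scan: Optional[datetime] = None


def apply_event(state: AssetScanState, ev: ScanEvent) -> AssetScanState:
    """Advance the two timestamps according to the column definitions in the guide.

    Licensed:      any scan that ran non-discovery plugins, authenticated or not.
    Authenticated: any authenticated scan, even one that ran only discovery plugins.
    An unauthenticated vulnerability scan therefore moves only the first field, and
    an authenticated discovery-only scan moves only the second.
    """
    if ev.ran_non_discovery and (state.last_licensed_scan is None
                                 or ev.finished > state.last_licensed_scan):
        state.last_licensed_scan = ev.finished
    if ev.authenticated and (state.last_authenticated_scan is None
                             or ev.finished > state.last_authenticated_scan):
        state.last_authenticated_scan = ev.finished
    return state


def build_states(events: List[ScanEvent]) -> Dict[str, AssetScanState]:
    """Fold a history of scan events into per-asset state; event order does not matter."""
    states: Dict[str, AssetScanState] = {}
    for ev in events:
        apply_event(states.setdefault(ev.asset_id, AssetScanState()), ev)
    return states


def never_credentialed(states: Dict[str, AssetScanState]) -> List[str]:
    """Licensed assets with no authenticated scan on record.

    These consume license, but their findings come from remote checks only, so
    missing local patches and host misconfigurations are invisible for them.
    """
    return sorted(asset for asset, s in states.items()
                  if s.last_licensed_scan is not None and s.last_authenticated_scan is None)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample history covering each combination the guide describes.
SAMPLE_EVENTS = [
    ScanEvent("srv-1", _utc(2024, 6, 1), authenticated=False, ran_non_discovery=True),
    ScanEvent("srv-1", _utc(2024, 6, 3), authenticated=True,  ran_non_discovery=False),
    ScanEvent("srv-2", _utc(2024, 6, 2), authenticated=False, ran_non_discovery=True),
    ScanEvent("srv-3", _utc(2024, 6, 4), authenticated=True,  ran_non_discovery=True),
    ScanEvent("srv-4", _utc(2024, 6, 5), authenticated=False, ran_non_discovery=False),
]

if __name__ == "__main__":
    states = build_states(SAMPLE_EVENTS)
    for asset, s in sorted(states.items()):
        print(asset, "licensed:", s.last_licensed_scan, "authenticated:", s.last_authenticated_scan)
    print("licensed but never credential-scanned:", never_credentialed(states))
```

In the sample, srv-1 has both timestamps even though no single scan was both authenticated and licensed, srv-4 has neither because a discovery-only unauthenticated scan updates nothing, and srv-2 is the one worth chasing: licensed, therefore paid for, but never assessed with credentials.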

Domain Inventory

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your domain inventory assets, select the Domain Inventory
tile and deselect other tiles. A domain inventory is a complete account of every domain owned by
your organization. Domains are associated with a wide range of assets: databases, applications,
directory services, and identity or access management platforms.

The Domain Inventory tile contains a table with the following columns. To show or hide columns,
see Customize Explore Tables.

Column Description

Asset ID The UUID of the asset. This value is unique to Tenable Vulnerability Management.

Name The asset identifier, assigned based on the availability of specific attributes in logical order.

Host Name The name of the host of the asset.

Record Type The DNS record type of the asset.

Record Value The value of the DNS record.

Domain The domain to which the asset belongs.

DNS (FQDN) (ASM) The fully qualified domain name of the asset host.

IPv4 Address (ASM) The IPv4 address for the asset.

IPv6 Address (ASM) The IPv6 address for the asset.

Hosting Provider The provider hosting the asset.

ASN The Autonomous System Number (ASN) of the asset.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For more information, see Tenable Vulnerability Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date and time when a scan last identified the asset.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

Created Date The date and time when Tenable Vulnerability Management created the asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated the asset record.

Port The port associated with the asset.

Actions In this column, click the button to view a drop-down where you can:

l Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

l Create Advanced Network Scan — Create an advanced network scan, as described in Create a Scan.

l Create Web Application Scan — Create a web application scan, as described in Create a Scan.

l Delete — Permanently delete an asset, as described in Delete Assets.

View Asset Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can View permission for applicable assets.

From the Assets workbench, you can drill down into a single asset to view it on the Asset Details
page. Tenable Vulnerability Management customizes this page by asset type.

Note: Domain Inventory assets do not have an Asset Details page, but you can view them in a preview, as
described in Domain Inventory Preview.

To view asset details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Explore > Assets.

The Assets workbench appears with the Hosts tile active.

3. (Optional) Click another tile to expand the results.

The assets for that tile appear. Each asset type has different default columns.

4. Filter the displayed assets and customize your view, as described in Filter Findings or Assets.

5. Click the row for the asset to view.

At the bottom of the page, a preview appears.

6. In the preview, click See All Details.

The Asset Details page appears. Its layout varies by asset type as follows:

l Host Asset Details

l Cloud Resource Details

l Web Application Details

Host Asset Details


When you View Asset Details, the Asset Details page varies by asset type. For host assets, it
includes asset information, a list of associated findings, the AES, and the ACR.

The Asset Details page for host assets contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Header The asset header; based on the presence of certain attributes in the
following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Asset Information Information about the host asset, including:

l Asset ID — The UUID of the asset.

l Licensed — Specifies whether the asset is licensed.

l System Type — The system type as reported by Plugin ID 54615. For more information, see Tenable Plugins.

l Operating System — The operating system that a scan identified as installed on the asset.

l IPv4 Address — An IPv4 address for the asset.

l IPv6 Address — An IPv6 address for the asset.

l MAC Address — The MAC address for the asset.

l Network — The name of the network object associated with the scanners that identified the asset. The default network name is Default. For more information about networks, see Networks.

l Agent Name — The name of the Tenable Nessus Agent that scanned and identified the asset.

l DNS (FQDN) — The fully qualified domain name of the asset host.

l SSH Fingerprint — The SSH key fingerprints that scans have associated with the asset record.

l Tenable ID — The UUID of the asset in Tenable Vulnerability Management.

l Public — Specifies whether the asset is available on a public network. A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

l BIOS ID — The asset's BIOS UUID.

l ServiceNow Sys ID — Where applicable, the unique record identifier of the asset in ServiceNow.

l Custom Attributes — Custom attributes added to the asset. For more information, see the Tenable Developer Portal.

Findings Click the Findings tab to view all findings associated with the asset:

l In the drop-down, switch between Vulnerability and Host Audit findings.

l Use the Show All Vulnerabilities toggle to show or hide Fixed and Accepted vulnerabilities or host audits.

l Click Open in Findings to view all findings on the Findings workbench.

l In a finding row, click the button to show a menu where you can view finding details, export a finding, or launch a remediation scan.

l Show or hide columns, as described in Customize Explore Tables.

Open Ports Click the Open Ports tab to view open ports on the asset:

l Open Ports – Specifies open ports on the asset.

l Protocol – Specifies the protocol with which information is


transported to the open port, for example, TCP or UDP.

l First Detected Open – The date and time the port was first detected
as open.

l Last Detected Open – The date and time the port was last detected as
open.

l Service – The service running on the open port, such as HTTPS, SSH,
or FTP. To learn more about possible services, see Service Name and
Transport Protocol on the Internet Assigned Numbers Authority
website.

Activity Click the Activity tab to view activity for the asset:

l Event – Specifies all asset events logged by Tenable Vulnerability


Management, for example, Asset Discovered.

l Date – Specifies the event date.

l Source – Specifies the event source, for example, Nessus Scan.

- 713 -
Mitigations Click the Mitigations tab to view information about any mitigation software
that a scan identified on the asset.

Asset (Requires Tenable Lumin license) An icon indicating the Asset Exposure
Exposure Score (AES) calculated for the asset.
Score

Asset (Requires Tenable Lumin license) An icon indicating the asset's Asset
Criticality Criticality Rating.
Rating

Cloud Cloud resource information including:


Resource
l AWS Availability Zone — The AWS EC2 AMI ID of the asset. For more
Information
information, see the Tenable Vulnerability Management AWS
documentation.

l AWS EC2 AMI ID — The AWS EC2 instance ID of the asset.

l AWS EC2 Instance ID — The AWS EC2 instance ID of the asset.

l AWS Security Group — The AWS security group of the asset.

l AWS Instance State — The AWS instance state of the asset.

l AWS instance Type — The AWS instance type of the asset.

l AWS EC2 Name —The AWS EC2 name of the asset.

l AWS EC2 Product Code — The AWS EC2 product code of the asset.

l AWS Owner ID — The AWS owner ID of the asset.

l AWS Region — The AWS region of the asset.

l AWS Subnet ID — The AWS subnet ID of the asset.

l AWS VPC ID — The AWS VPC ID of the asset.

l Google Cloud Instance ID — The Google cloud instance ID of the asset.


For more information, see the Tenable Vulnerability
ManagementGoogle Cloud Platform documentation.

- 714 -
l Google Cloud Project ID —The Google cloud project ID of the asset.

l Google Cloud Zone — The Google cloud zone of the asset.

Tags Tags applied to the asset. To add a tag, click the button. To remove a
tag, click the button on the tag label. For more information, see Tags.

Asset Scan Information about the asset's scan history, including:


Information
l First Seen — The time and date when a scan first identified the asset.

l Last Seen — The date and time of the scan that most recently
identified the asset.

l Last Authenticated Scan — The date and time of the last


authenticated scan run against the asset. An authenticated scan that
only uses discovery plugins updates the Last Authenticated Scan
field, but not the Last Licensed Scan field.

l Last Licensed Scan — The date and time of the last scan in which the
asset was considered "licensed" and counted towards Tenable's
license limit. A licensed scan uses non-discovery plugins and can
identify vulnerabilities. Unauthenticated scans that run non-discovery
plugins update the Last Licensed Scan field, but not the Last
Authenticated Scan field. For more information on licensed assets,
see Tenable Vulnerability Management Licenses.

l Source — The source of the scan that identified the asset.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from Explore


Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click
a tag and click Remove.

- 715 -
l Edit ACR – (Tenable Lumin-only). Edit the Asset Criticality Rating, as
described in Edit the ACR for Host Assets.

l Move — Move an asset to another network, as described in Move


Assets to Another Network.

l View All Solutions — View available solutions for asset vulnerabilities,


as described in Solutions.

l Delete — Permanently delete an asset, as described in Delete Assets.

Cloud Resource Details

When you View Asset Details, the Asset Details page varies by asset type. For cloud resource assets, it includes a summary, a list of associated findings, the AES, and the ACR.

The Asset Details page for cloud resources contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section — Description

Header — The asset header, based on the presence of certain attributes in the following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Cloud Resource Information — Information about the cloud resource, including:

- Asset ID — The resource's UUID.

- Licensed — Whether the resource is licensed.

- Resource Name — The name of the resource.

- Resource ID — The unique identifier assigned to the resource in the cloud service that hosts it.

- Resource Criticality — The criticality rating for the resource according to Tenable Container Security, based on the most recent scan.

- Region — The cloud region where the resource runs.

- Cloud Provider — The name of the cloud provider that hosts the asset.

- Account ID — The account ID for the Legacy Tenable Cloud Security account associated with the resource.

- VPC — Virtual Private Cloud; the unique identifier of the public cloud that hosts the AWS virtual machine instance.

- Resource Type — The asset's cloud resource type (for example, network, virtual machine).

- Resource Category — The name of the category to which your cloud resource type belongs (for example, object storage or virtual network).

- Resource Tag — The labels associated with the resource by the cloud provider.

- IaC Resource Type — The Terraform resource type associated with the Infrastructure as Code (IaC) cloud resource asset.

- Repositories — The path to the asset's source directory.

- Has Drift — Indicates whether the asset has any drifts. For more information, see Set up Drift Analysis in the Legacy Tenable Cloud Security User Guide.

- Is Mapped — Indicates whether the asset is mapped. For more information, see Cloud Scan Workflow in the Legacy Tenable Cloud Security User Guide.

- Project — The cloud project associated with the asset.

- Network — The name of the network to which the scanner that scans the asset belongs. For more information, see Networks.

- Availability Zone — The name of the availability zone where the virtual machine instance is hosted.

Findings — A table that lists all the findings associated with the resource. Click Open in Findings to view the Vulnerabilities page.

Asset Exposure Score — (Requires Tenable Lumin license) An icon indicating the Asset Exposure Score calculated for the asset.

Asset Criticality Rating — (Requires Tenable Lumin license) An icon indicating the asset's Asset Criticality Rating.

Tags — Tags applied to the asset. To add a tag, click the button. To remove a tag, click the button on the tag label. For more information, see Tags.

Asset Scan Information — Information about the asset's scan history, including:

- First Seen — The date and time when a scan first identified the asset.

- Last Seen — The date and time of the scan that most recently identified the asset.

- Last Licensed Scan — The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

- Last Authenticated Scan — The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

- Source — The source of the scan that identified the asset.

Actions — In the upper-right corner, click the Actions button to view a drop-down where you can:

- Export — Export to CSV or JSON, as described in Export from Explore Tables.

- Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

- Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

- View All Details — View complete details for an asset, as described in View Asset Details.

- View All Details in New Tab — View complete details for an asset in a new browser tab.

Web Application Details

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

When you View Asset Details, the Asset Details page varies by asset type. For web application assets, it includes asset information, a list of associated findings, the AES, and the ACR.

The Asset Details page for web application assets contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section — Description

Header — The asset header, based on the presence of certain attributes in the following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Asset Information — Information about the asset, including:

- Asset ID — The UUID of the asset.

- Licensed — Specifies whether the asset is licensed.

- System Type — The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

- IPv4 Address — The first IPv4 address for the asset. If there is no IPv4 address, then the first IPv6 address for the asset.

- Public — Specifies whether the asset is available on a public network. A public asset is within the public IP space and is identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

- DNS — The fully qualified domain name of the asset host.

- Operating System — The operating system that a scan identified as installed on the asset.

- Network — The name of the network object associated with the scanners that identified the asset. The default network name is Default. For more information, see Networks.

- MAC Address — The static Media Access Control (MAC) address for the asset.

- SSH Fingerprint — The SSH key fingerprints that scans have associated with the asset record.

- Tenable UUID — The unique identifier for the Tenable account associated with the asset.

- Custom Attributes — Custom attributes added to the asset. For more information, see the Tenable Developer Portal.

Findings — A table that lists all the findings associated with the asset. In this section, you can perform the following actions:

- Export selected findings.

- Click Open in Findings to view the Vulnerabilities page for the asset.

Asset Exposure Score — (Requires Tenable Lumin license) An icon indicating the Asset Exposure Score for the asset.

Asset Criticality Rating — (Requires Tenable Lumin license) An icon indicating the asset's Asset Criticality Rating.

Screenshot Available — An interactive button that indicates whether a screenshot is available. To view a screenshot, click the button.

Tags — Tags applied to the asset. To add a tag, click the button. To remove a tag, click the button on the tag label. For more information, see Tags.

Scan Information — Information about the asset's scan history, including:

- First Seen — The date and time when a scan first identified the asset.

- Last Seen — The date and time at which the asset was last observed as part of a scan.

- Source — The source of the scan that identified the asset.

Actions — In the upper-right corner, click the Actions button to view a drop-down where you can:

- Export — Export to CSV or JSON, as described in Export from Explore Tables.

- Add Tags — Add new tags. In the dialog that appears, choose a Category and Value, as described in Tags.

- Remove Tags — Remove existing tags. In the dialog that appears, click a tag and click Remove.

- View All Details — View complete details for an asset, as described in View Asset Details.

- View All Details in New Tab — View complete details for an asset in a new browser tab.

- Delete — Permanently delete an asset, as described in Delete Assets.

Domain Inventory Preview

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or Administrator

On the Assets workbench, click a domain inventory asset to preview its details.

The preview contains the following sections.

Section — Description

Header — The asset header, based on the presence of certain attributes in the following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Tags — Tags applied to the asset. To add a tag, click the button. To remove a tag, click the button on the tag label. For more information, see Tags.

Asset Information — Information about the asset, including:

- Asset ID — The UUID of the asset.

- Licensed — Specifies whether the asset is licensed.

- IPV4 Address — The first IPv4 address for the asset.

- IPV6 Address — The first IPv6 address for the asset.

Asset Scan Information — Information about the asset's scan history, including:

- First Seen — The date and time when a scan first identified the asset.

- Last Seen — The date and time at which the asset was last observed as part of a scan.

- Updated Date — The date and time when the asset record was last updated.

- Source — The source of the scan that identified the asset.

Related Assets — Links to filtered lists of assets, showing the other times Tenable Vulnerability Management scans identified the asset.

Asset Filters

Note: This topic describes filters available for assets within the Explore section. To view filters available
for assets in legacy workbenches, see Asset Filters.

On the Assets page, you can filter your assets via standard filters that apply to all assets or by
asset-specific filters.

You can save a set of commonly used filters as a saved filter to access later or share with other
members of your team.

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore >
Assets views (including Group By tables) to 35.

Note: You can right-click on values within a table cell to use the Filter By option. For more information,
see Right-Click Filtering.

You can select from the following filter types:

All

The following table describes the filters that apply to all assets:

Filter — Description

Account ID — The unique identifier assigned to the asset resource in the cloud service that hosts the asset.

ACR — (Requires Tenable Lumin license) The asset's ACR.

ACR Severity — (Requires Tenable Lumin license) The ACR category of the ACR calculated for the asset.

AES — (Requires Tenable Lumin license) The Asset Exposure Score (AES) calculated for the asset.

AES Severity — (Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

Agent Name — The name of the Tenable Nessus agent that scanned and identified the asset.

ARN — The Amazon Resource Name (ARN) for the asset.

ASN — The Autonomous System Number (ASN) for the asset.

Assessed vs. Discovered — Specifies whether Tenable Vulnerability Management scanned the asset for vulnerabilities or only discovered the asset via a discovery scan. Possible values are:

- Assessed

- Discovered Only

Note: This filter is selected by default.

Asset ID — The asset's UUID.

AWS Availability Zone — The name of the Availability Zone where AWS hosts the virtual machine instance. For more information, see Regions and Availability Zones in the AWS documentation.

AWS EC2 AMI ID — The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance ID — The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Name — The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code — The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.

AWS Instance State — The state of the virtual machine instance in AWS at the time of the scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud Documentation.

AWS Instance Type — The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the specifications of the instance (for example, how much RAM it has). For a list of possible values, see Amazon EC2 Instance Types in the AWS documentation.

AWS Owner ID — A UUID for the Amazon AWS account that created the virtual machine instance. For more information, see AWS Account Identifiers in the AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute is empty.

AWS Region — The region where AWS hosts the virtual machine instance, for example, us-east-1. For more information, see Regions and Availability Zones in the AWS documentation.

AWS Security Group — The AWS security group (SG) associated with the Amazon EC2 instance.

AWS Subnet ID — The unique identifier of the AWS subnet where the virtual machine instance was running at the time of the scan.

AWS VPC ID — The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.

Azure Location — The location of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Azure Resource Group — The name of the resource group in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Azure Resource ID — The unique identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Azure Resource Type — The resource type of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Azure Subscription ID — The unique subscription identifier of the resource in the Azure Resource Manager. For more information, see the Azure Resource Manager Documentation.

Azure VM ID — The unique identifier of the Microsoft Azure virtual machine instance. For more information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

BIOS ID — The NetBIOS name for the asset.

Cloud Provider — The name of the cloud provider that hosts the asset.

Created Date — The date and time when Tenable Vulnerability Management created the asset record.

Custom Attribute — A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal.

DNS — The fully qualified domain name of the host on which the vulnerability was detected.

Domain — The domain to which the asset belongs.

First Seen — The date and time when a scan first identified the asset.

Google Cloud Instance — The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Google Cloud Project ID — The customized name of the project to which the virtual machine instance belongs in GCP. For more information, see Creating and Managing Projects in the GCP documentation.

Google Cloud Zone — The zone where the virtual machine instance runs in GCP. For more information, see Regions and Zones in the GCP documentation.

Has Plugin Results — Specifies whether the asset has plugin results associated with it.

Host Name (Domain Inventory) — The host name for assets found during attack surface management (Domain) scans; only for use with Domain Inventory assets.

Hosting Provider — The hosting provider for the asset.

IaC Resource Type — The Infrastructure as Code (IaC) resource type of the asset.

Installed Software — A list of Common Platform Enumeration (CPE) values that represent software applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For more information, see the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using Tenable Nessus Plugin ID 45590 has evaluated the asset.

Note: If no scan detects an application within 30 days of the scan that originally detected the application, Tenable Vulnerability Management considers the detection of that application expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the expired application from the Installed Software attribute. This activity is logged as a remove type of attribute change in the asset activity log.

IPV4 Address — The IPv4 address associated with the asset record.

IPV6 Address — The IPv6 address associated with the asset record.

Is Attribute — Specifies whether the asset is an attribute.

Is Auto Scale — Specifies whether the asset scales automatically.

Is Unsupported — Specifies whether the asset is unsupported in Tenable Vulnerability Management.

Last Audited — The date and time at which the asset was last audited.

Last Authenticated Scan — The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

Port Last Detected Open — Filter for all assets that had detected open ports as of a date or a date range you specify. For the best results, combine with the Port filter.

Last Licensed Scan — The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

Last Scan Time — The date when a scan was last run against the asset.

Last Seen — The date and time at which the asset was last observed as part of a scan.

Licensed — Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance.

MAC Address — A MAC address that a scan has associated with the asset record.

Mitigated — Specifies whether a scan has identified mitigation software on the asset.

Mitigation Last Detection — The date and time of the scan that last identified mitigation software on the asset.

Mitigation Product Name — The name of the mitigation software identified on the asset. Tenable Lumin defines mitigations as security agent software running on endpoint assets, which includes antivirus software, Endpoint Protection Platforms (EPPs), and Endpoint Detection and Response (EDR) solutions.

Mitigation Vendor Name — The name of the vendor for the mitigation that a scan identified on the asset.

Mitigation Version — The version of the mitigation that a scan identified on the asset.

Name — The asset identifier, assigned based on the availability of specific attributes in logical order.

Note: This filter is selected by default.

NetBIOS Name — The NetBIOS name for the asset.

Network — The name of the network object associated with the scanners that identified the asset. The default name is Default. For more information, see Networks.

Operating System — The operating system that a scan identified as installed on the asset.

Note: This filter is selected by default.

Operating System (WAS) — The Tenable Web App Scanning operating system that a scan identified as installed on the asset.

Port — Search your hosts or domain inventory by port values or ranges for assets with a relationship to that port, for example, assets with port 80. If you import data from Tenable Attack Surface Management, those ports also appear.

Public — Specifies whether the asset is available on a public network. A public asset is within the public IP space and is identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Record Type — The asset type.

Region — The cloud region where the asset runs.

Repositories — Any code repositories associated with the asset.

Resource Type — The asset's cloud resource type (for example, network, virtual machine).

Note: This filter is selected by default.

Scan Frequency — The number of times the asset was scanned within the past 90 days.

ServiceNow Sys ID — Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

Source — The source of the scan that identified the asset. Possible values are:

- AWS

- AWS FA

- Azure

- AZURE FA

- Cloud Connector

- Cloud IAC

- Cloud Runtime

- GCP

- Nessus Agent

- Nessus Scan

- NNM

- ServiceNow

- WAS

Note: This filter is selected by default.

SSL/TLS — Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption.

System Type — The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

Tags — A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see Tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Note: This filter is selected by default.

Target Groups — The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups.

Tenable ID — The UUID of the asset in Tenable Vulnerability Management.

Terminated — Specifies whether or not the asset is terminated.

Type — The system type on which the asset is managed. Possible options are:

- Cloud Resource

- Container

- Host

- Cloud

Note: This filter is selected by default.
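The Tags filter syntax in the table above (category: value pairs with a mandatory space after the colon, comma-separated entries, a backslash before a comma that is part of a tag name, a limit of 100 tags, and the rule that names containing double quotes must be looked up by UUID instead) is easy to get wrong when filters are assembled in scripts. The following Python is an added example and not Tenable's code; the function names, the TagFilterError class, and the sample filter strings are my own, and the parser encodes only the rules the guide states.

```python
"""Parse and build Explore > Assets "Tags" filter strings.

Added illustration, not Tenable code. Rules implemented are the ones the guide
documents: "category: value" entries (space after the colon required), commas
between entries, "\," for a literal comma, at most 100 entries, and tag names
containing double quotes must be filtered by UUID rather than by name.
"""
from __future__ import annotations

MAX_TAGS = 100  # limit stated in the guide


class TagFilterError(ValueError):
    """Raised when a filter string does not follow the documented syntax."""


def split_unescaped(text: str, sep: str = ",") -> list[str]:
    """Split on `sep`, treating a backslash-escaped separator as a literal."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] == sep:
            buf.append(sep)  # keep the escaped comma, drop the backslash
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_tag_filter(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs, or raise TagFilterError."""
    pairs: list[tuple[str, str]] = []
    for raw in split_unescaped(text):
        entry = raw.strip()
        if not entry:
            continue
        # The documented separator is a colon followed by a space.
        if ": " not in entry:
            raise TagFilterError(f"missing ': ' separator in {entry!r}")
        category, value = entry.split(": ", 1)
        category, value = category.strip(), value.strip()
        if not category or not value:
            raise TagFilterError(f"empty category or value in {entry!r}")
        if '"' in category or '"' in value:
            raise TagFilterError("tag names containing double quotes must be filtered by UUID")
        pairs.append((category, value))
    if len(pairs) > MAX_TAGS:
        raise TagFilterError(f"at most {MAX_TAGS} tags allowed, got {len(pairs)}")
    return pairs


def format_tag_filter(pairs: list[tuple[str, str]]) -> str:
    """Inverse of parse_tag_filter: escape literal commas and join entries."""
    def esc(s: str) -> str:
        return s.replace(",", "\\,")
    return ", ".join(f"{esc(c)}: {esc(v)}" for c, v in pairs)


def is_valid_tag_filter(text: str) -> bool:
    """Boolean wrapper for quick pre-flight checks."""
    try:
        parse_tag_filter(text)
        return True
    except TagFilterError:
        return False


if __name__ == "__main__":
    # Constructed sample filters, not taken from a real tenant.
    sample = "Environment: Production, Owner: Smith\\, Jane"
    print(parse_tag_filter(sample))
    print(format_tag_filter([("Owner", "Smith, Jane"), ("Environment", "Production")]))
    print(is_valid_tag_filter("Environment:Production"))  # no space after colon
```

Round-tripping through format_tag_filter and parse_tag_filter is the quickest way to confirm that a value containing a comma survives the escaping.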

Host Assets
The following table describes the Host asset filters:

Filter Description

ACR (Requires Tenable Lumin license) The asset's ACR.

ACR Severity (Requires Tenable Lumin license) The ACR category of the ACR
calculated for the asset.

AES (Requires Tenable Lumin license)The Asset Exposure Score (AES)


calculated for the asset.

AES Severity (Requires Tenable Lumin license) The AES category of the AES
calculated for the asset.

- 732 -
Agent Name The name of the Tenable Nessus agent that scanned and identified the
asset.

Asset ID The asset's UUID.

AWS Availability The name of the Availability Zone where AWS hosts the virtual machine
Zone instance. For more information, see Regions and Availability Zones in
the AWS documentation.

AWS EC2 AMI ID The unique identifier of the Linux AMI image in Amazon Elastic
Compute Cloud (Amazon EC2). For more information, see the Amazon
Elastic Compute Cloud Documentation.

AWS EC2 Instance The unique identifier of the Linux instance in Amazon EC2. For more
ID information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Name The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product The product code associated with the AMI used to launch the virtual
Code machine instance in Amazon EC2.

AWS Instance State The state of the virtual machine instance in AWS at the time of the
scan. For possible values, see API Instance State in the Amazon Elastic
Compute Cloud Documentation.

AWS Instance Type The type of virtual machine instance in Amazon EC2. Amazon EC2
instance types dictate the specifications of the instance (for example,
how much RAM it has). For a list of possible values, see Amazon EC2
Instance Types in the AWS documentation.

AWS Owner ID A UUID for the Amazon AWS account that created the virtual machine
instance. For more information, see AWS Account Identifiers in the
AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For
other asset types, this attribute is empty.

AWS Region The region where AWS hosts the virtual machine instance, for example,
us-east-1. For more information, see Regions and Availability Zones

- 733 -
in the AWS documentation.

AWS Security The AWS security group (SG) associated with the Amazon EC2 instance.
Group

AWS Subnet ID The unique identifier of the AWS subnet where the virtual machine
instance was running at the time of the scan.

AWS VPC ID The unique identifier of the public cloud that hosts the AWS virtual
machine instance. For more information, see the Amazon Virtual
Private Cloud User Guide.

Azure Location The location of the resource in the Azure Resource Manager. For more
information, see the Azure Resource Manager Documentation.

Azure Resource The name of the resource group in the Azure Resource Manager. For
Group more information, see the Azure Resource Manager Documentation.

Azure Resource ID The unique identifier of the resource in the Azure Resource Manager.
For more information, see the Azure Resource Manager
Documentation.

Azure Resource The resource type of the resource in the Azure Resource Manager. For
Type more information, see the Azure Resource Manager Documentation.

Azure Subscription The unique subscription identifier of the resource in the Azure
ID Resource Manager. For more information, see the Azure Resource
Manager Documentation.

Azure VM ID The unique identifier of the Microsoft Azure virtual machine instance.
For more information, see Accessing and Using Azure VM Unique ID in
the Microsoft Azure documentation.

BIOS ID The NetBIOS name for the asset.

Cloud Provider The cloud provider for the asset — AWS, Azure, or GCP.

Note: Filter with the Cloud Provider instead of Source to search for
resources with imported tags.

- 734 -
Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Custom Attribute A filter that searches for custom attributes via a category-value pair.
For more information about custom attributes, see the Tenable
Developer Portal.

DNS The fully-qualified domain name of the host that the vulnerability was
detected on.

Domain The domain to which the asset belongs.

First Seen The date and time when a scan first identified the asset.

Google Cloud The unique identifier of the virtual machine instance in Google Cloud
Instance Platform (GCP).

Google Cloud The customized name of the project to which the virtual machine
Project ID instance belongs in GCP. For more information, see Creating and
Managing Projects in the GCP documentation.

Google Cloud Zone The zone where the virtual machine instance runs in GCP. For more
information, see Regions and Zones in the GCP documentation.

Has Plugin Results Specifies whether the asset has plugin results associated with it.

Installed Software A list of Common Platform Enumeration (CPE) values that represent
software applications a scan identified as present on an asset. This
field supports the CPE 2.2 format. For more information, see the
Component Syntax section of the CPE Specification documentation,
Version 2.2. For assets identified in Tenable scans, this field contains
data only if a scan using Tenable Nessus Plugin ID 45590 has evaluated
the asset.

Note: If no scan detects an application within 30 days of the scan that


originally detected the application, Tenable Vulnerability Management
considers the detection of that application expired. As a result, the next
time a scan evaluates the asset, Tenable Vulnerability Management
removes the expired application from the Installed Software attribute. This

- 735 -
activity is logged as a remove type of attribute change in the asset activity
log.

IPv4 Address: The IPv4 address associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: Tenable Vulnerability Management does not support a CIDR mask of /0 for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message.

Note: Ensure the filter value does not end in a period.

IPv6 Address: An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list. The IPv6 address must be an exact match (for example, 0:0:0:0:0:ffff:c0a8:0).

Note: Ensure the filter value does not end in a period.

Last Authenticated Scan: The date and time of the last credentialed scan run on the asset.

Last Licensed Scan: The date and time of the last scan that identified the asset as licensed. For more information about licensed assets, see Tenable Vulnerability Management Licenses.

Last Seen: The date and time at which the asset was last observed as part of a scan.

Note: This filter is selected by default.

Licensed: Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance.

Note: This filter is selected by default.

MAC Address: A MAC address that a scan has associated with the asset record.

Mitigated: Specifies whether a scan has identified mitigation software on the asset.

Mitigation Last Detection: The date and time of the scan that last identified mitigation software on the asset.

Mitigation Product Name: The name of the mitigation software identified on the asset. Tenable Lumin defines mitigations as security agent software running on endpoint assets, which include antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

Mitigation Vendor Name: The name of the vendor for the mitigation that a scan identified on the asset.

Mitigation Version: The version of the mitigation that a scan identified on the asset.

Name: Indicates the asset identifier, assigned based on the availability of specific attributes in logical order.

Note: This filter is selected by default.

NetBIOS Name: The NetBIOS name for the asset.

Network: The name of the network object associated with scanners that identified the asset. The default name is Default. For more information, see Networks.

Operating System: The operating system that a scan identified as installed on the asset.

Public: Specifies whether the asset is available on a public network. A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Resource Tags (By Key): The key in the key-value pair of the tags or labels imported from the cloud provider.

Resource Tags (By Value): The value in the key-value pair of the tags or labels imported from the cloud provider.

Scan Frequency: The number of times the asset was scanned within the past 90 days.

ServiceNow Sys ID: Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow documentation.

Source: The source of the scan that identified the asset. Possible values are:

- AWS
- AWS FA
- Azure
- Azure FA
- Cloud Discovery Connector

  Note: Tenable Vulnerability Management shows this source for compute assets with imported resource tags.
  - For existing assets, the Source column shows Cloud Discovery Connector along with the existing source (AWS, Azure, or GCP).
  - For new assets, the Source column shows Cloud Discovery Connector.
  See the Cloud Provider column to view where the asset is imported from.

  Caution: If you currently have queries utilizing AWS, GCP, or Azure as sources, you must update these queries. The Cloud Discovery Connector source now replaces the AWS, GCP, and Azure sources. Additionally, for the source of assets, use the Cloud Provider parameter to indicate AWS, Azure, or GCP.

- Cloud IaC
- Cloud Runtime
- GCP
- Nessus Agent
- Nessus Scan
- NNM
- ServiceNow
- WAS

Note: This filter is selected by default.

System Type: The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

Tags: A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Note: This filter is selected by default.

Target Groups: The target group to which the asset belongs. This attribute is empty if the asset does not belong to a target group. For more information, see Target Groups.

Tenable ID: The UUID of the agent present on the asset.

Terminated: Specifies whether or not the asset is terminated.

Updated Date: The time and date when the asset record was last updated.
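The Installed Software note in the table above describes how a stale CPE detection ages out of the attribute and is logged. As an added example (not Tenable code), the following Python models that rule on constructed data; the record layout, the activity-log dictionary format, and measuring the 30 days from the most recent scan that saw the application are assumptions of this example.

```python
"""Model of the Installed Software expiry rule: a CPE detection that no scan has
refreshed within 30 days is expired, and the next scan that evaluates the asset
drops it and logs a "remove" attribute change.

Example code, not Tenable's. The record layout, the activity-log format and
measuring the 30 days from the most recent detecting scan are assumptions."""
from datetime import date, timedelta

EXPIRY_DAYS = 30


class InstalledSoftware:
    """CPE values for one asset, with the date of the last scan that saw each."""

    def __init__(self) -> None:
        self.last_detected: dict[str, date] = {}  # cpe -> last scan date that saw it
        self.activity_log: list[dict] = []  # constructed attribute-change records

    def apply_scan(self, scan_date: date, detected: set[str]) -> list[str]:
        """Merge one scan's detections and return the CPEs removed as expired."""
        for cpe in sorted(detected):
            if cpe not in self.last_detected:
                self._log("add", cpe, scan_date)
            self.last_detected[cpe] = scan_date
        # A detection survives until a scan evaluates the asset more than
        # EXPIRY_DAYS after the last scan that saw the application.
        expired = sorted(
            cpe for cpe, seen in self.last_detected.items()
            if cpe not in detected and scan_date - seen > timedelta(days=EXPIRY_DAYS)
        )
        for cpe in expired:
            del self.last_detected[cpe]
            self._log("remove", cpe, scan_date)
        return expired

    def _log(self, change_type: str, cpe: str, when: date) -> None:
        self.activity_log.append(
            {"type": change_type, "attribute": "installed_software", "value": cpe, "date": when}
        )

    def current(self) -> list[str]:
        """The Installed Software attribute as the next scan would report it."""
        return sorted(self.last_detected)


def demo() -> InstalledSoftware:
    """Three constructed scans of one asset (CPE 2.2 strings and dates are made up)."""
    asset = InstalledSoftware()
    agent, sshd = "cpe:/a:example:agent:1.0", "cpe:/a:openbsd:openssh:9.6"
    asset.apply_scan(date(2024, 1, 1), {agent, sshd})
    asset.apply_scan(date(2024, 1, 20), {sshd})  # agent unseen for 19 days: still listed
    asset.apply_scan(date(2024, 2, 5), {sshd})   # unseen for 35 days: removed and logged
    return asset


if __name__ == "__main__":
    result = demo()
    print(result.current(), result.activity_log[-1]["type"])
```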

Cloud Resources Assets
The following table describes the cloud resources asset filters:

Account ID: The account ID associated with the asset.

ARN: The Amazon Resource Name (ARN) for the asset.

Asset ID: The asset's UUID.

Cloud Provider: The name of the cloud provider that hosts the asset.

Created Date: The time and date when Tenable Vulnerability Management created the asset record.

First Seen: The date and time when a scan first identified the asset.

IaC Resource Type: The Infrastructure as Code (IaC) resource type of the asset.

Is Attribute: Specifies whether the asset is an attribute.

Is Auto Scale: Specifies whether the asset scales automatically.

Is Unsupported: Specifies whether the asset is unsupported in Tenable Vulnerability Management.

Last Audited: The time and date when Tenable Vulnerability Management last audited the asset.

Last Licensed Scan: The date and time of the last scan in which the asset was considered "licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

Last Seen: The date and time at which the asset was last observed as part of a scan.

Licensed: Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance.

Name: Indicates the asset identifier, assigned based on the availability of specific attributes in logical order.

Note: This filter is selected by default.

Region: The cloud region where the asset runs.

Repositories: Any code repositories associated with the asset.

Resource Category: The category of the asset resource in the cloud service that hosts the asset.

Resource Tags (By Key): Tags synced from a cloud source such as Amazon Web Services (AWS), matched by the tag key (for example, Name). Separate individual search items with commas and use wildcards (*) to locate keys that equal, begin with, end with, or contain part of a string. Alternately, search for assets with or without tags.

Resource Tags (By Value): Tags synced from a cloud source such as Amazon Web Services (AWS), matched by the tag value. Separate individual search items with commas and use wildcards (*) to locate values that equal, begin with, end with, or contain part of a string. Alternately, search for assets with or without tags.

Resource Type: The asset's cloud resource type (for example, network, virtual machine).

Note: This filter is selected by default.

Source: The source of the scan that identified the asset. Possible values are:

- Cloud IaC
- Cloud Runtime

Note: This filter is selected by default.

Tags: A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Note: This filter is selected by default.

Web Applications Assets

The following table describes the web application asset filters:

ACR: (Requires Tenable Lumin license) The asset's ACR.

ACR Severity: (Requires Tenable Lumin license) The ACR category of the ACR calculated for the asset.

AES: (Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

AES Severity: (Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

Asset ID: The asset's UUID.

Created Date: The date and time when Tenable Vulnerability Management created the asset record.

Custom Attribute: A filter that searches for custom attributes via a category-value pair. For more information about custom attributes, see the Tenable Developer Portal.

First Seen: The date and time when a scan first identified the asset.

Last Authenticated Scan: The date and time of the last authenticated scan run against the asset. An authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed Scan field.

Last Licensed Scan: The time and date of the last scan that identified the asset as licensed. For more information about licensed assets, see License Information.

Last Seen: The date and time at which the asset was last observed as part of a scan.

Note: This filter is selected by default.

Licensed: Specifies whether the asset is included in the asset count for the Tenable Web App Scanning instance.

An asset is licensed if it meets the following criteria:

- The scan results for the asset do not include discovery plugin results.
- The scan results for the asset do not include Tenable Web App Scanning sources (e.g., results from Tenable Nessus scanners, Agents, Tenable Nessus Network Monitor).
- The asset has not been terminated.

Mitigated: Specifies whether a scan has identified mitigation software on the asset.

Mitigation Last Detected: The date and time of the scan that last identified mitigation software on the asset.

Mitigation Product Name: The name of the mitigation software identified on the asset. Tenable Lumin defines mitigations as security agent software running on endpoint assets, which include antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

Mitigation Version: The version of the mitigation software that a scan identified on the asset.

Name: Indicates the asset identifier, assigned based on the availability of specific attributes in logical order.

Note: This filter is selected by default.

Operating System (WAS): The operating system that a scan identified as installed on the asset.

Public: Specifies whether the asset is available on a public network.

Note: A public asset is within the public IP space and identified by the is_public attribute in the Tenable Vulnerability Management query namespace.

Source: The source of the scan that identified the asset. Possible values are:

- ASM
- AWS
- AWS FA
- Azure
- Azure FA
- Cloud IAC

Note: This filter is selected by default.

SSL/TLS: Specifies whether the application on which the asset is hosted uses SSL/TLS public-key encryption.

Tags: A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Note: This filter is selected by default.

Updated Date: The time and date when the asset record was last updated.

Domain Inventory Assets

The following table describes the domain inventory asset filters:

ASN: The Autonomous System Number (ASN) for the asset.

Asset ID: The asset's UUID.

Created Date: The date and time when Tenable Vulnerability Management created the asset record.

DNS (FQDN): The fully-qualified domain name of the host on which the vulnerability was detected.

Domain: The domain name for the asset.

Host Name: The hostname of the asset. This string is determined by information reported by target plugins, and is dependent on the user's environment and configuration.

Hosting Provider: The hosting provider for the asset.

IPv4 Address: The IPv4 address associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example, hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example, 192.168.0.1-192.168.0.255).

Note: Tenable Vulnerability Management does not support a CIDR mask of /0 for this parameter, because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability Management returns a 400 Bad Request error message.

Note: Ensure the filter value does not end in a period.

IPv6 Address: An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list. The IPv6 address must be an exact match (for example, 0:0:0:0:0:ffff:c0a8:0).

Note: Ensure the filter value does not end in a period.

Last Seen: The date and time at which the asset was last observed as part of a scan.

Licensed: Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management instance.

Name: Indicates the asset identifier, assigned based on the availability of specific attributes in logical order.

Note: This filter is selected by default.

Port: A port associated with the asset, open or closed. Only applies to Domain Inventory assets.

Record Type: The type of asset.

Source: The source of the scan that identified the asset. Possible values are:

- ASM
- AWS
- AWS FA
- Azure
- Azure FA
- Cloud IAC

Note: This filter is selected by default.

Tags: A unique filter that searches tag (category: value) pairs. When you type a tag value, you must use the category: value syntax, including the space after the colon (:). You can use commas (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the comma. You can add a maximum of 100 tags.

For more information, see tags.

Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Updated Date: The time and date when the asset record was last updated.
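The IPv4 Address, IPv6 Address and Tags filters described in the host and domain inventory tables above share a set of input rules (comma lists, CIDR and range syntax, the rejected /0 mask, no trailing period, "category: value" with escaped commas, the 100-tag limit, UUIDs for names with double quotes). As an added example, not Tenable code, this Python pre-validates such values before they are sent to the API so a bad value is caught locally instead of as a 400 Bad Request; the function names, error messages and the ("uuid", ...) pair convention are this example's own assumptions.

```python
"""Client-side pre-validation of Explore asset filter values.

Added example, not Tenable code. It applies the rules this guide gives for the
IPv4 Address, IPv6 Address and Tags filters: comma-separated lists; single
addresses, CIDR blocks or first-last ranges for IPv4; exact-match IPv6; no /0
mask (the service answers 400 Bad Request); no trailing period; "category: value"
tag syntax with a backslash escaping commas; at most 100 tags; and a UUID in
place of a tag name that contains double quotes. Function names, error texts and
the ("uuid", ...) pair convention are this example's own."""
import ipaddress
import re
import uuid

MAX_TAGS = 100
HOSTNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")
TAG_RE = re.compile(r"(?P<category>[^:]+): (?P<value>.+)")  # the space is mandatory


def _split_unescaped(value: str) -> list[str]:
    """Split on commas not preceded by a backslash and unescape '\\,'."""
    items, current, i = [], [], 0
    while i < len(value):
        if value.startswith("\\,", i):
            current.append(",")
            i += 2
        elif value[i] == ",":
            items.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    items.append("".join(current).strip())
    return [item for item in items if item]


def parse_ip_filter(value: str, version: int = 4) -> list[str]:
    """Validate an IPv4 Address (version=4) or IPv6 Address (version=6) filter value."""
    if value.rstrip().endswith("."):
        raise ValueError("filter value must not end in a period")
    items: list[str] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in comma-separated list")
        if version == 6:
            ipaddress.IPv6Address(item)  # exact address only; raises on CIDR or range
            items.append(item)  # kept as typed, because the filter is an exact match
        elif "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            if net.prefixlen == 0:
                raise ValueError("a /0 mask matches every address; the API returns 400")
            items.append(str(net))
        elif "-" in item and item.replace(".", "").replace("-", "").isdigit():
            first, last = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range end precedes range start: {item}")
            items.append(f"{first}-{last}")
        else:
            try:
                items.append(str(ipaddress.IPv4Address(item)))
            except ValueError:
                if not HOSTNAME_RE.fullmatch(item):
                    raise ValueError(f"not an address, CIDR, range or hostname: {item}")
                items.append(item)  # hostname identifier, e.g. hostname_example
    return items


def parse_tag_filter(value: str) -> list[tuple[str, str]]:
    """Validate a Tags filter value; return (category, value) or ("uuid", id) pairs."""
    pairs: list[tuple[str, str]] = []
    for item in _split_unescaped(value):
        if '"' in item:
            raise ValueError('a tag name containing " must be given as its UUID')
        try:
            pairs.append(("uuid", str(uuid.UUID(item))))
            continue
        except ValueError:
            pass
        match = TAG_RE.fullmatch(item)
        if not match:
            raise ValueError(f"expected 'category: value' with a space after the colon: {item!r}")
        pairs.append((match["category"].strip(), match["value"].strip()))
    if len(pairs) > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} tags per filter, got {len(pairs)}")
    return pairs


def rejection_reason(func, value: str):
    """Return the ValueError message a value would trigger, or None if it is accepted."""
    try:
        func(value)
    except ValueError as exc:
        return str(exc)
    return None
```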

Open Ports and the Assets workbench

Tip: For more information about open ports and the Tenable Vulnerability Management API, see the API
changelog in the Tenable Developer Portal. For more information, contact Tenable Customer Support.

Tenable Vulnerability Management displays open port findings on the Asset Details page, which
appears when you click a host asset on the Assets workbench and then click See All Details. On the
Asset Details page, the Open Ports tab shows open ports on an asset and includes the port
protocol, when the port was first and last detected open, and the service running on the port.

Working with Ports
Use the following features to search for, manage, and export your port data:

- Ports — On the Assets workbench, search for ports on your host assets (or your domain inventory, if you have imported data from Tenable Attack Surface Management).

- Port tag rule — On the Assets workbench, add tags to your ports.

- Port export field — With a custom field, export port data from the Assets workbench.

Supported Plugins
The Open Ports tab shows output from the following high-traffic plugins:

- 34220 - Netstat Portscanner (WMI)
- 34252 - Microsoft Windows Remote Listeners Enumeration (WMI)
- 11219 - Nessus SYN Scanner
- 14272 - Netstat Portscanner (SSH)
- 25221 - Remote listeners enumeration (Linux / AIX)
- 10736 - DCE Services Enumeration
- 99265 - macOS Remote Listeners Enumeration
- 10335 - Nessus TCP scanner
- 14274 - Nessus SNMP Scanner
- 34277 - Nessus UDP Scanner

View Asset Visualizations

On the Assets page, you can view interactive visualizations that break down your assets across a number of metrics and automatically update based on applied filters. You can also export visualizations to PDF, JPG, or PNG.

- To view asset visualizations, on the right side of the Assets page, click Show Visualization.

- To hide asset visualizations, on the right side of the Assets page, click Hide Visualization.

Visualization Types
The following table describes the visualizations on the Assets page.

Assets by Live Status: Groups assets by type and shows whether they are Live or Terminated. This metric is particularly relevant for cloud assets.

Assets by Scan Status: Groups assets by type and shows whether they are Discovered but not scanned, Scanned without authentication, or have received an Authenticated Scan.

Assets by License Status: Groups assets by type and shows whether they are Licensed or Un-Licensed. For more information on licensed assets, see Tenable Vulnerability Management Licenses.

Export a Visualization
You can export a visualization to PDF, JPG, or PNG.

To export a visualization:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane and the Explore section, click Assets.

The Assets page appears.

3. On the right side of the page, click Show Visualization.

The asset visualizations appear.

4. In the top right corner of the visualization you want to export, click the button with three dots.

A menu appears.

5. Select the type of export you want to use.

The file is downloaded to your computer.

Edit the ACR for Host Assets

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

In the Explore section of Tenable Vulnerability Management, you can manually override the Asset
Criticality Rating (ACR) of Host assets to better reflect the unique infrastructure or needs of your
organization.

To edit an Explore asset's ACR:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears. By default, the Hosts tab is visible.

3. In the Host assets table, in the Actions column, click the button in the row for the host asset
whose ACR you want to edit.

A menu appears.

4. Click Edit ACR.

The Edit Asset Criticality Rating window appears.

5. On the Asset Criticality Rating slider, click the number of the score to which you want to
change the ACR.

6. In the Overwrite Reasoning section, select the check box next to the reason that best
matches why you want to edit the ACR.

7. (Optional) In the Notes section, type any additional notes you want to add.

8. Click Save.

Tenable Vulnerability Management may take up to 24 hours to apply the new ACR to the asset.
While the update processes, in the host assets table, the ACR may show as Processing.

Move Assets to Another Network

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management automatically assigns scanned assets to a network based on the
scanner's network ID. However, you may need to manually move assets to another network in some
scenarios. For example, you might have multiple assets with the same IP address which belong on
different subnets so they can be identified as separate entities.

You can move assets to another network from the Assets workbench. If you first need to create the
network to move assets to, see Create a Network.

Tip: You can also move assets to a network via the Settings section.

When you move assets, be sure to move the scanner as well as the asset. Otherwise, the scanner
will create the same asset again. For more information, see Add a Scanner to a Network.

Note: Move assets before you run scans on a new network. If you move assets to a network where scans
have already run, Tenable Vulnerability Management may create duplicate records that count against your
license.

Tip: On the Assets workbench, you can move host assets, cloud resources, or web applications to another
network. You cannot move domain inventory assets.

To move assets to another network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane and the Explore section, click Assets.

The Assets workbench appears with the Hosts tile active and your assets shown in a table
view.

3. (Optional) Refine the table data. For more information, see Filter Findings or Assets.

4. Select the check boxes for the asset or assets you want to move.

The action bar appears at the top of the table.

5. In the action bar, select Move.

A dialog appears.

6. In the dialog, under Choose a New Destination Network, select the network you want to move
the assets to.

7. Click Move.

The assets are moved to the destination network. Depending on the number of assets
selected, it may take some time for Tenable Vulnerability Management to complete the move.

Remove and Prevent Duplicate Assets

In Tenable Vulnerability Management, assets get assigned a unique ID when scanned with
credentialed or agent scans. Tenable Vulnerability Management checks this unique ID each time a
scan runs, so that it can update the existing asset record with new findings, resolved findings, or
resurfaced findings. When you then run an uncredentialed scan against the same asset, the scan
cannot log in to the asset and retrieve the unique ID. This causes Tenable Vulnerability Management
to view the asset as new, and therefore create a new record (in this case a duplicate of an asset).

Remove Duplicate Assets

To remove duplicate assets in Tenable Vulnerability Management:

1. Within the Explore section, view your asset list.

2. Delete any duplicate assets.

Once an asset is deleted, Tenable Vulnerability Management immediately returns the license
to your available license count.

Prevent Duplicate Assets

Preventing duplicate assets from appearing in Tenable Vulnerability Management is usually as simple as avoiding the causes mentioned above. As a best practice, and to resolve duplicate issues, Tenable does not recommend scanning the same assets with both uncredentialed scans and credentialed or agent scans. Instead, pick one or the other.

While there are different use cases for each scan type, generally, Tenable recommends prioritizing
the types of scans you run in the following order:

1. Credentialed Scans from a Tenable Nessus Scanner

2. Tenable Nessus Agent Scans

3. Uncredentialed Scans

4. Tenable Nessus Network Monitor

For more information, see Create a Tenable Vulnerability Management Scan.

Download Inventory Debug Data

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags

Required Access Group Permissions: Can View

When you open a support case related to a Tenable Vulnerability Management-managed asset, you
can download the asset's inventory data (a .zip file containing the asset's scan data) and attach it to
the support ticket.

You can download asset data in either of the following locations:

- Explore > Assets

- Explore > Assets > Asset Details > Actions drop-down menu

Note: The scan data included in the .zip file is only intended for support cases and may change without
notice.

Note: The Download Inventory Debug Data action is only available for assets that Tenable Vulnerability
Management scanned in the last 90 days and have one of the following source types: SSM, AZURE_FA, or
NESSUS_AGENT scans with enabled inventory collection plugins (hybrid agents).

To download asset scan data from the Explore > Assets page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears. By default, the Hosts tab is visible.

3. (Optional) Refine the displayed data, as described in Filter Findings or Assets.

4. Do one of the following:

- In the assets table, right-click the row for the asset whose scan data you want to download.

- In the assets table, in the Actions column, click the button in the row for the asset whose scan data you want to download.

The action buttons appear in the row.

5. To download the asset data, click Download Inventory Debug Data.

The asset's scan data downloads as a .zip file.

Delete Assets

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, you can delete host assets, web application assets, or domain inventory
assets. When you delete an asset, Tenable Vulnerability Management removes it from the Assets
workbench, deletes all associated findings, and stops matching scan results to the asset. Within 24
hours, Tenable Vulnerability Management also removes the asset from your license count.

Note: On a network with Asset Age Out enabled, assets expire on a schedule. For more information, see
View or Edit a Network and Create a Network.

Caution: Deleting assets quickly removes decommissioned hosts or other irrelevant assets from your
license count and reports, but it is permanent! Be careful with this feature.

Caution: If you see deleted assets when using the Asset ID filter, these are temporary. Deleted assets do
not count against your license and have no associated findings. Deleted assets are labeled as Deleted.

To delete assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Assets.

The Assets workbench appears.

3. On the Assets workbench, do one of the following:

- Delete a single asset with the button

a. In the row for the asset to delete, click the button.

A menu appears.

b. In the menu, click Delete.

c. In the confirmation window that appears, click Delete again.

Tip: You can also delete single assets from the Asset Details page.

- Delete multiple assets from the action bar

a. Select the check boxes next to the assets to delete.

The action bar appears.

Tip: To delete all assets, click Select all. You can only delete 1,000 assets at a time.

b. In the action bar, click More.

c. In the menu that appears, click Delete.

d. In the confirmation window that appears, click Delete again.

Filter Findings or Assets

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Findings and Assets workbenches use Explore tables to present your organization's data. You
can filter these tables to view specific assets or findings.

Use Filters
In Explore tables on the Findings and Assets workbenches, you can use filters to view specific
findings or assets.

Note: To optimize performance, Tenable limits the number of Findings filters that you can apply to 18 and
the number of Asset filters that you can apply to 35.

Tip: For a list of available filters, see Findings Filters or Asset Filters.

Note: When filtering findings to generate a Findings Report, you can apply a maximum of 5 filters to each
report.

To use filters in Explore tables:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Findings or Assets.

3. Do one of the following:

Filter the table in Basic mode

a. In the upper-left corner, click the button.

The filters plane expands with a list of default filters selected.

b. Click Select Filters.

The Select Filters box appears with all available filters.

c. Select the filters you want to apply.

d. Click outside the Select Filters box.

The Select Filters box closes.

e. For each filter, choose the appropriate operator and option. For example, to return
vulnerabilities with Critical Severity, select an operator of is equal to and the Critical
option, as shown in the following image:

Search operators are contextual, depending on the filter you select. For a complete
reference, see the following table:

exists: Filters for items for which the selected filter exists.

does not exist: Filters for items for which the selected filter does not exist.

is equal to: Filters for items that match the filter value.

is not equal to: Filters for items that do not include the filter value.

is greater than: Filters for items with a value greater than the specified filter value. If you want to include the value you specify in the filter, then use the is greater than or equal to operator.

is greater than or equal to: Filters for items with a value greater than or equal to the specified filter value.

is less than: Filters for items with a value less than the specified filter value. If you want to include the value you specify in the filter, then use the is less than or equal to operator.

is less than or equal to: Filters for items with a value less than or equal to the specified filter value.

within last: Filters for items with a date within a number of hours, days, months, or years before today. Type a number, then select a unit of time.

after: Filters for items with a date after the specified filter value.

before: Filters for items with a date before the specified filter value.

older than: Filters for items with a date more than a number of hours, days, months, or years before today. Type a number, then select a unit of time.

is on: Filters for items with a specified date.

between: Filters for items with a date between two specified dates.

contains: Filters for items that contain the specified filter value.

does not contain: Filters for items that do not contain the specified filter value.

wildcard: Filters for items with a wildcard (*) as follows:

- Begin or end with – Filters for values that begin or end with text you specify. For example, to find all values that begin with "1", type 1*. To find all values that end in "1", type *1.

- Contains – Filters for values that contain text you specify. For example, to find all values with a "1" between the first and last characters, type *1*.

- Turn off case sensitivity – Filters for values without case sensitivity. For example, to search for findings with a Plugin Name of "TLS Version 1.2 Protocol Detection" or "tls version 1.2 protocol detection", type *tls version 1.2 protocol detection.

f. (Optional) To remove or reset filters, do one of the following:

- To clear the values for a filter, hover on the right side of the filter and click Clear.

- To remove a filter, hover on the right side of the filter and click Remove.

- On the Findings workbench, to reset filters to the default set, at the top of the filters plane, click Reset.

- On the Assets workbench, to remove all filters, at the top of the filters plane, click Clear All.

g. Click Apply.

Tenable Vulnerability Management filters your data.
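The operator table in step e above (repeated in Advanced mode below) defines what each filter operator matches. As an added example, not Tenable code, the following Python evaluates those operators over constructed findings so their meaning can be checked directly; the field names, sample data, the 30-day month and 365-day year, and treating wildcard comparisons as case-insensitive (as the table's last row describes) are assumptions of this example.

```python
"""In-memory evaluator for the Explore filter operators listed above.

Added example, not Tenable code: it exercises each operator's meaning on
constructed findings. `now` is passed explicitly so date operators are
deterministic. Assumptions of this example: wildcard comparisons ignore case
(as the table's last row describes), "months" and "years" are 30 and 365 days,
and the record field names are made up."""
from datetime import datetime, timedelta

UNIT_DAYS = {"hours": 1 / 24, "days": 1, "months": 30, "years": 365}


def wildcard_match(pattern: str, text: str) -> bool:
    """Match the three documented forms: 1* (begins), *1 (ends), *1* (contains)."""
    pattern, text = pattern.lower(), text.lower()  # case-insensitive by assumption
    core = pattern.strip("*")
    if pattern.startswith("*") and pattern.endswith("*"):
        return core in text
    if pattern.endswith("*"):
        return text.startswith(core)
    if pattern.startswith("*"):
        return text.endswith(core)
    return text == core


def matches(record: dict, field: str, operator: str, value=None, *, now: datetime) -> bool:
    """Return whether one record satisfies (field, operator, value)."""
    present = record.get(field) is not None
    if operator == "exists":
        return present
    if operator == "does not exist":
        return not present
    if not present:
        return False  # a missing field never satisfies a comparison
    actual = record[field]
    comparisons = {
        "is equal to": lambda: actual == value,
        "is not equal to": lambda: actual != value,
        "is greater than": lambda: actual > value,
        "is greater than or equal to": lambda: actual >= value,
        "is less than": lambda: actual < value,
        "is less than or equal to": lambda: actual <= value,
        "contains": lambda: value in actual,
        "does not contain": lambda: value not in actual,
        "wildcard": lambda: wildcard_match(value, actual),
        "after": lambda: actual > value,
        "before": lambda: actual < value,
        "is on": lambda: actual.date() == value.date(),
        "between": lambda: value[0] <= actual <= value[1],
    }
    if operator in comparisons:
        return comparisons[operator]()
    if operator in ("within last", "older than"):
        amount, unit = value  # e.g. (7, "days")
        cutoff = now - timedelta(days=amount * UNIT_DAYS[unit])
        return actual >= cutoff if operator == "within last" else actual < cutoff
    raise ValueError(f"unknown operator: {operator}")


def apply_filter(records, field, operator, value=None, *, now):
    """Records that satisfy the filter, evaluated at `now`."""
    return [r for r in records if matches(r, field, operator, value, now=now)]


# Constructed sample findings; plugin names, scores and dates are made up.
NOW = datetime(2024, 6, 20, 12, 0)
FINDINGS = [
    {"plugin_name": "TLS Version 1.2 Protocol Detection", "severity": "Info",
     "cvss": 0.0, "last_seen": NOW - timedelta(days=2)},
    {"plugin_name": "tls version 1.2 protocol detection", "severity": "Info",
     "cvss": 0.0, "last_seen": NOW - timedelta(days=40)},
    {"plugin_name": "Example Weak Cipher Suites Supported", "severity": "Medium",
     "cvss": 4.3, "last_seen": NOW - timedelta(days=10), "vpr": 3.9},
    {"plugin_name": "1 Example Remote Code Execution", "severity": "Critical",
     "cvss": 9.8, "last_seen": NOW - timedelta(hours=3), "vpr": 9.1},
]


def count(field: str, operator: str, value=None) -> int:
    """Number of constructed findings matching the filter, evaluated at NOW."""
    return len(apply_filter(FINDINGS, field, operator, value, now=NOW))
```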

Filter the table in Advanced mode

a. In the upper-left corner, click Advanced.

A box appears with the current filters displayed.

b. Click inside the box.

A drop-down appears.

c. In the drop-down, select the AND or OR conditions or type them in the box.

d. In the drop-down, select a filter or type its name in the box.

e. In the drop-down, select one of the following operators or type it in the box.

Note: If you want to filter on a value that starts with (') or ("), or includes (*) or (,), then you
must wrap the value in quotation marks (").

Note: Filters can have a maximum of two nesting levels.

Operator | Description

exists | Filters for items for which the selected filter exists.

does not exist | Filters for items for which the selected filter does not exist.

is equal to | Filters for items that match the filter value.

is not equal to | Filters for items that do not include the filter value.

is greater than / is greater than or equal to | Filters for items with a value greater than the specified filter value. If you want to include the value you specify in the filter, then use the is greater than or equal to operator.

is less than / is less than or equal to | Filters for items with a value less than the specified filter value. If you want to include the value you specify in the filter, then use the is less than or equal to operator.

within last | Filters for items with a date within a number of hours, days, months, or years before today. Type a number, then select a unit of time.

after | Filters for items with a date after the specified filter value.

before | Filters for items with a date before the specified filter value.

older than | Filters for items with a date more than a number of hours, days, months, or years before today. Type a number, then select a unit of time.

is on | Filters for items with a specified date.

between | Filters for items with a date between two specified dates.

contains | Filters for items that contain the specified filter value.

does not contain | Filters for items that do not contain the specified filter value.

wildcard | Filters for items with a wildcard (*) as follows:

    l Begin or end with – Filters for values that begin or end with text you specify. For example, to find all values that begin with "1", type 1*. To find all values that end in "1", type *1.

    l Contains – Filters for values that contain text you specify. For example, to find all values with a "1" between the first and last characters, type *1*.

    l Turn off case sensitivity – Filters for values without case sensitivity. For example, to search for findings with a Plugin Name of "TLS Version 1.2 Protocol Detection" or "tls version 1.2 protocol detection", type *tls version 1.2 protocol detection.

f. In the drop-down, select a filter value or type one in the box.

g. (Optional) To add or remove filters, do one of the following:

l To add multiple filters, press Space and then select another condition, operator,
filter, and value.

l To remove one filter, click the button on the right side of the filter.

l To remove all filters, on the right side of the text box, click the button.

h. Click Apply.

Tenable Vulnerability Management filters your data.

4. (Optional) Save the filters to access later or share with other team members.

Tip: Tenable Vulnerability Management runs Findings searches in the background so that you can
navigate away from the Findings page and return when a complex search is complete. You can also
Cancel a search. Finally, Tenable Vulnerability Management caches your most recent search for 30
minutes, notes the date and time in the top toolbar, and saves the state of the Findings page for
your next visit.
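As an added illustration (not Tenable's code), the following Python evaluates filters built from the operators and wildcard forms in the tables above, including AND/OR groups and the two-level nesting limit, against a few constructed findings. The field names, the sample findings, the fixed "today" date, and the approximate month and year lengths used by the date operators are assumptions of this example.

```python
"""Evaluate Explore-style filter operators against constructed findings.

Added example, not Tenable's code. Assumed: the record field names, the
sample findings, the fixed TODAY date, and the approximate month/year
lengths used by the "within last" and "older than" operators.
"""
from datetime import date, timedelta
from typing import Any, Callable, Dict, List, Tuple

TODAY = date(2024, 6, 20)  # fixed so the date operators give reproducible results
UNIT_DAYS = {"hours": 1 / 24, "days": 1, "months": 30, "years": 365}  # approximation
MAX_NESTING = 2  # the guide's limit: filters can have a maximum of two nesting levels


def wildcard_match(pattern: str, value: str) -> bool:
    """Wildcard forms from the operator table: 1* begins with, *1 ends with,
    *1* contains. A leading * also turns off case sensitivity, which is how we
    read the guide's '*tls version 1.2 protocol detection' example."""
    if "*" not in pattern:
        return value == pattern
    open_start, open_end = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if open_start:
        core, value = core.lower(), value.lower()
    if open_start and open_end:
        return core in value
    if open_start:
        return value.endswith(core)
    return value.startswith(core)


def _ago(amount: float, unit: str) -> date:
    """The date `amount` units (hours/days/months/years) before TODAY."""
    return TODAY - timedelta(days=amount * UNIT_DAYS[unit])


# operator name -> predicate(field value, filter argument); a missing field is None
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "exists": lambda v, _: v is not None,
    "does not exist": lambda v, _: v is None,
    "is equal to": lambda v, a: v == a,
    "is not equal to": lambda v, a: v != a,
    "is greater than": lambda v, a: v is not None and v > a,
    "is greater than or equal to": lambda v, a: v is not None and v >= a,
    "is less than": lambda v, a: v is not None and v < a,
    "is less than or equal to": lambda v, a: v is not None and v <= a,
    "contains": lambda v, a: v is not None and a in v,
    "does not contain": lambda v, a: v is None or a not in v,
    "wildcard": lambda v, a: v is not None and wildcard_match(a, v),
    "is on": lambda v, a: v == a,
    "after": lambda v, a: v is not None and v > a,
    "before": lambda v, a: v is not None and v < a,
    "between": lambda v, a: v is not None and a[0] <= v <= a[1],
    "within last": lambda v, a: v is not None and v >= _ago(*a),
    "older than": lambda v, a: v is not None and v < _ago(*a),
}

# A filter is a clause (field, operator, argument) or a group ("AND"|"OR", [filters]).


def nesting_ok(flt: Tuple, depth: int = 1) -> bool:
    """True when groups nest at most MAX_NESTING levels deep."""
    if flt[0] not in ("AND", "OR"):
        return True
    return depth <= MAX_NESTING and all(nesting_ok(c, depth + 1) for c in flt[1])


def matches(flt: Tuple, finding: Dict[str, Any], depth: int = 1) -> bool:
    """Recursively evaluate a filter tree against one finding."""
    if flt[0] in ("AND", "OR"):
        if depth > MAX_NESTING:
            raise ValueError("Filters can have a maximum of two nesting levels")
        combine = all if flt[0] == "AND" else any
        return combine(matches(child, finding, depth + 1) for child in flt[1])
    field, operator, argument = flt
    return OPERATORS[operator](finding.get(field), argument)


def apply_filter(flt: Tuple, findings: List[Dict[str, Any]]) -> List[str]:
    """Plugin names of the findings that satisfy the filter, in table order."""
    return [f["plugin_name"] for f in findings if matches(flt, f)]


# Constructed sample findings (not real scan data).
FINDINGS = [
    {"plugin_name": "TLS Version 1.2 Protocol Detection", "ipv4": "192.0.2.10",
     "severity": 0, "last_seen": date(2024, 6, 18)},
    {"plugin_name": "SSL Certificate Expiry", "ipv4": "192.0.2.50",
     "severity": 2, "last_seen": date(2024, 3, 1)},
    {"plugin_name": "Sample Remote Code Execution Check", "ipv4": "10.0.0.1",
     "severity": 4, "last_seen": date(2024, 6, 1), "exploit_available": True},
]

if __name__ == "__main__":
    case_insensitive = ("plugin_name", "wildcard", "*tls version 1.2 protocol detection")
    print(apply_filter(case_insensitive, FINDINGS))
    recent_and_severe = ("AND", [("severity", "is greater than or equal to", 2),
                                 ("last_seen", "within last", (30, "days"))])
    print(apply_filter(recent_and_severe, FINDINGS))
```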

Use the Context Menu

In Explore tables, on the Findings and Assets workbenches, right-click any row to show a menu
with contextual options for both findings and assets. In the menu, the following options always
appear.

Option | Description

View All Details | Open the details page for the finding or asset.

View All Details in New Tab | Open the details page for the finding or asset in a new browser tab.

Copy to Clipboard | Get any value from an Explore table. For example, when creating a tag, copy an operating system value from a field on the Assets workbench and paste it into your tag.

Filter by Value | Filter an Explore table by any value. For example, on the Findings workbench, right-click on an IPv4 address and click this option to view all findings with that IPv4 address.

Filter Out Value | Remove all entries with a certain value from an Explore table. For example, on the Assets workbench, right-click an operating system type to filter out all assets with that operating system.

Customize Explore Tables


In the Explore section, on the Findings or Assets workbenches, you can customize the table
columns.

To customize an Explore table:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Findings or Assets.

3. On the right side, above the table, click Columns.

The Customize Columns dialog appears.

4. Do one of the following:

Action | Description

Add or remove a column | In the Customize Columns dialog, select or clear the check box next to the column.

Find a column to add | In the Customize Columns dialog, search for a column and select its check box.

Reorder columns | In the Customize Columns dialog, click and drag columns from top to bottom.

Change column width | In the Assets or Findings tables, hover on the separator between column headings and drag left or right.

Reset column width to default | In the Customize Columns dialog, click Reset Column Width.

Reset all column customizations to default | In the Customize Columns dialog, click Reset to Defaults.

Export Findings or Assets


You can export data from the Findings and Assets workbenches to CSV or JSON. You can
customize, schedule, email, password-protect, and set your exports to age out. While these
workbenches contain different data, the basic export process is the same.

To export findings or assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, do one of the following:

l To export your organization's scanned vulnerability findings, click Findings.

The Findings workbench appears.

l To export your organization's scanned assets, click Assets.

The Assets workbench appears.

3. On either workbench, refine the displayed data, as described in Use Filters.

Note: On the Findings workbench, when using the Group By filter to group findings, you can only
export five findings at a time.

4. Select the check box or check boxes next to the findings or assets to export.

Note: You can manually select up to 200 findings or assets. Otherwise, you must select them all.

Tip: Select the check box at the top of the list to select all findings or assets.

5. In the action bar, click Export.

The Export plane appears. It contains the following options:

Option | Description

Name | Type a custom name for your export.

Formats | Select an export format:

    l CSV – A CSV file that you can open in a spreadsheet application such as Microsoft Excel.

    Note: For findings exports, Tenable Vulnerability Management automatically trims cells longer than 32,000 characters so they appear correctly in Microsoft Excel. Select Untruncated Data to disable this.

    Note: If your export file contains a cell that starts with any of the following characters (=, +, -, @), Tenable Vulnerability Management adds a single quote (') at the beginning of the cell. For more information, see the Knowledge Base.

    l JSON – A JSON file containing a nested list of findings, with no empty fields.

Configurations | Select the fields to include:

    l Under Select Field Set, search for or select the fields to add to your export.

    l To view only selected fields, click View Selected.

    l In the Expiration box, type the number of days before the export file ages out.

Schedule | Turn on the Schedule toggle to schedule your export:

    a. In the Start Date and Time section, choose the date and time for the export.

    b. In the Time Zone drop-down, choose a time zone.

    c. In the Repeat drop-down, choose the cadence on which you want the export to repeat (for example, daily).

    d. In the Repeat Ends drop-down, choose the date when exports end. If you select Never, the export repeats until you modify or delete it.

Email Notifications | Turn on the Email Notification toggle to send email notifications:

    a. In the Add Recipients box, type the emails to notify.

    b. In the Password box, type a password for the export file. Share this password with the recipients so they can download the export file.

6. Click Export.

Depending on its size, the export file may take several minutes to process. When processing
completes, Tenable Vulnerability Management downloads the file to your computer.

Tip: If you close the Export plane before the download completes, you can access the export file in
Settings > Exports.
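As an added example that is not Tenable's export code, the Python below writes findings to CSV and JSON with the safeguards the Formats option describes: a cell beginning with =, +, -, or @ gets a leading single quote so a spreadsheet does not evaluate it as a formula, over-long cells are trimmed to 32,000 characters unless an untruncated export is requested, and the JSON omits empty fields. The field names and sample findings are constructed for the example.

```python
"""Export constructed findings to CSV and JSON with the guide's safeguards.

Added example, not Tenable's code. The 32,000-character limit and the
(=, +, -, @) quote-prefix rule are taken from the Formats option above;
the field names and sample findings are assumptions.
"""
import csv
import io
import json
from typing import Any, Dict, List

CELL_LIMIT = 32_000                      # longer cells are trimmed so they open cleanly in Excel
FORMULA_PREFIXES = ("=", "+", "-", "@")  # a leading one of these makes a spreadsheet treat the cell as a formula


def safe_cell(value: Any, untruncated: bool = False) -> str:
    """Render one CSV cell: neutralise a formula trigger with a leading single
    quote, then trim the text unless an untruncated export was requested."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text
    if not untruncated and len(text) > CELL_LIMIT:
        text = text[:CELL_LIMIT]
    return text


def export_csv(findings: List[Dict[str, Any]], fields: List[str],
               untruncated: bool = False) -> str:
    """CSV text with a header row and one sanitised row per finding."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for finding in findings:
        writer.writerow([safe_cell(finding.get(f), untruncated) for f in fields])
    return buf.getvalue()


def read_csv_rows(text: str) -> List[List[str]]:
    """Parse CSV text back into rows (used to check what a spreadsheet would load)."""
    return list(csv.reader(io.StringIO(text)))


def _drop_empty(obj: Any) -> Any:
    """Recursively remove keys whose value is None, "", [] or {}."""
    if isinstance(obj, dict):
        cleaned = {k: _drop_empty(v) for k, v in obj.items()}
        return {k: v for k, v in cleaned.items() if v not in (None, "", [], {})}
    if isinstance(obj, list):
        return [_drop_empty(v) for v in obj]
    return obj


def json_records(findings: List[Dict[str, Any]], fields: List[str]) -> List[Dict[str, Any]]:
    """Selected fields of every finding, with empty fields omitted (no trimming in JSON)."""
    return [_drop_empty({f: finding.get(f) for f in fields}) for finding in findings]


def export_json(findings: List[Dict[str, Any]], fields: List[str]) -> str:
    return json.dumps(json_records(findings, fields), indent=2)


# Constructed sample findings (not real scan data). The first plugin output starts
# with "=", as banner text copied verbatim from a service can; the second is over-long.
FINDINGS = [
    {"asset": "web-01.example.test", "plugin_name": "Sample Banner Check", "severity": "Low",
     "plugin_output": "=2+2 (banner text copied verbatim from the service)", "cve": ""},
    {"asset": "db-02.example.test", "plugin_name": "Sample Verbose Check", "severity": "Info",
     "plugin_output": "x" * 40_000, "cve": None, "references": []},
]
FIELDS = ["asset", "plugin_name", "severity", "plugin_output", "cve", "references"]

if __name__ == "__main__":
    rows = read_csv_rows(export_csv(FINDINGS, FIELDS))
    print(rows[1][3][:12], len(rows[2][3]))   # the quoted cell and the trimmed length
    print(export_json(FINDINGS[:1], FIELDS))  # empty cve/references fields are absent
```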

Saved Filters for Findings or Assets

On the Findings or Assets workbenches, you can apply filters and then save the exact combination
of those filters for later. You can also share saved filters with your team.

Note: Saved filters are specific to a finding or asset type. For example, you cannot use a saved filter
created for Host Vulnerability findings on Host Audit findings.

Tip: For a list of available filters, see Findings Filters or Asset Filters.

Create a Saved Filter

To create a saved filter:

1. On the Findings or Assets workbenches, add filters to create a custom search.

2. To the left of the search bar, click the Saved Filters drop-down.

A drop-down box appears.

3. In the drop-down box, click Save.

4. In the drop-down box, type a filter name.

Tenable Vulnerability Management only accepts ASCII characters.

5. Click the button.

Tenable Vulnerability Management saves the filters.

Use a Saved Filter


To use a saved filter:

1. On the Findings or Assets workbenches, to the left of the search bar, click the Saved Filters
drop-down.

A drop-down box appears.

2. In the drop-down box, click the filter to apply.

Your search results appear.

Edit a Saved Filter

You can edit a filter. After you have made changes, you can update the existing filter or save your
changes as a new filter.

To edit a saved filter:

1. On the Findings or Assets workbenches, to the left of the search bar, click the Saved Filters
drop-down.

A drop-down box appears with your saved filters.

2. Click the saved filter to edit.

3. Add or remove filters. For more information, see Filter Findings or Assets.

An Edited badge appears next to the filter name.

4. In the Saved Filters drop-down, choose an option:

a. To update the filter, click Update.

b. To save the filter as a new version, click Save as New.

Tip: To discard your changes, to the right of the filter name, click the button.

Rename a Saved Filter

To rename a saved filter:

1. On the Findings or Assets workbenches, to the left of the search bar, click the Saved Filters
drop-down.

A drop-down box appears with your saved filters.

2. To the right of the filter to rename, click the button.

A drop-down appears.

3. In the drop-down, click Edit Name.

4. In the box that appears, type a new filter name.

Click the button.

Tenable Vulnerability Management renames the filter.

Share a Saved Filter

You can share a saved filter with your team through a link.

Note: If your team has a different access level in Tenable Vulnerability Management, they cannot view the
same findings or assets. For more information, see Permissions.

To share a saved filter:

1. On the Findings or Assets workbenches, to the left of the search bar, click the Saved Filters
drop-down.

A drop-down box appears.

2. To the right of the saved filter, click the button.

A drop-down appears.

3. In the drop-down, click Copy Link.

Tenable Vulnerability Management copies a link to your clipboard.

Delete a Saved Filter


You can delete a saved filter. Deleting a saved filter is permanent. If you delete a saved filter that is
currently applied to your findings or assets, Tenable Vulnerability Management resets your current
view.

To delete a saved filter:

1. On the Findings or Assets workbenches, to the left of the search bar, click the Saved Filters
drop-down.

A drop-down box appears.

2. To the right of the saved filter to delete, click the button.

A drop-down appears.

3. Click Delete.

4. To confirm you want to delete the saved filter, click Delete again.

Tenable Vulnerability Management deletes the saved filter.

Explore vs. Legacy Workbenches

On Tenable Vulnerability Management's Explore workbenches, you can view, analyze, and export all
your findings and assets in a streamlined user interface that replaces the legacy workbenches
Tenable has deprecated.

In Tenable Vulnerability Management's left navigation plane, two workbenches appear in the Explore
section:

l Findings workbench — Single location for vulnerabilities, cloud misconfigurations, host audits, and web application findings

l Assets workbench — Combined view of vulnerabilities, cloud misconfigurations, host audits, and web application findings

The following table compares the Explore workbenches with the legacy workbenches and links to
supporting documentation.

Feature: Assets workbench
    Legacy Workbenches: Host assets were view-only
    Explore Workbenches:
        l View host assets, cloud resources, web applications, and domain inventory in a single location
        l Customize the Assets workbench by adding columns
        l View asset visualizations
    Learn More: Assets; View the Assets Workbench; Customize Explore Tables; View Asset Visualizations

Feature: Asset Details page
    Legacy Workbenches: Asset type customization was not supported
    Explore Workbenches:
        l View additional details by asset type
        l Vulnerabilities tab renamed to Findings
        l Open Ports tab now contains open port findings for high-traffic plugins
    Learn More: View Asset Details; Open Ports and the Assets workbench

Feature: Findings workbench
    Legacy Workbenches:
        l Only vulnerabilities appeared
        l Findings were only grouped by plugin or asset
        l Findings visualizations were supported
    Explore Workbenches:
        l View vulnerabilities, cloud misconfigurations, host audits, and web application findings in a single location
        l Group by plugin or asset, or view all resources without groups
        l Customize the Findings workbench by adding columns
        l Findings visualizations not supported
    Learn More: Findings; View the Findings Workbench; Group Your Findings; Filter Findings or Assets

Feature: Findings and assets filters
    Legacy Workbenches:
        l No advanced filter mode
        l No nested filter support
    Explore Workbenches:
        l Build complex queries with advanced filter mode
        l Nested filter support
    Learn More: Findings Filters; Assets; Filter Findings or Assets

Feature: Findings and assets exports
    Legacy Workbenches: Export to HTML, PDF, CSV, or JSON
    Explore Workbenches:
        l Export to JSON or CSV
        l For PDF, in the menu on the right side of each row on the Findings workbench, click Generate Report.
        l From both the Findings and Assets workbenches, export more data with new fields
    Learn More: Export Findings or Assets

Feature: Sidebar navigation
    Legacy Workbenches:
        l Assets and vulnerabilities appeared in two separate sections
        l Scans appeared in the Vulnerabilities section
    Explore Workbenches:
        l Findings and assets appear in the Explore section on the left navigation plane
        l Scans appear in the Scans section on the left navigation plane
    Learn More: Navigate Planes

Vulnerabilities

The following feature is only available in Tenable FedRAMP Moderate environments.

This page contains top-level widgets that provide a snapshot of the vulnerabilities on your assets
and a table that lists vulnerabilities that scans have identified in your network.

To access the Vulnerabilities page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Vulnerabilities.

The Vulnerabilities page appears.

The top-level widgets include:

Widget | Description

Vulnerability Priority Rating by Total Instances | This widget summarizes the number of vulnerabilities on your network, organized by VPR. For more information, see CVSS vs. VPR. To view a list of vulnerabilities filtered by a VPR range, click one of the tiles. For more information, see View Vulnerabilities by Plugin.

Unique Vulnerability by State | This widget summarizes vulnerabilities by New, Active, Fixed, and Resurfaced state.

Vulnerability Instance by Age | This widget summarizes vulnerability instances based on the selected date range.

The Vulnerabilities page provides insight into your organization's vulnerabilities and the assets
where scans found the vulnerabilities. The Vulnerabilities page shows vulnerabilities grouped by
plugin and by asset.

View Vulnerabilities by Plugin

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

Note: By default, Tenable Vulnerability Management does not filter for informational level plugin IDs. For
more information, see the knowledge base article.

To view vulnerabilities by plugin:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. Do one of the following:

View Tenable Vulnerability Management vulnerabilities:


a. In the left navigation plane, in the Vulnerability Management section, click
Vulnerabilities.

The Vulnerabilities page appears.

By default, this page displays the By Plugin tab. The tab contains the plugins table. The
plugins table lists plugins by decreasing severity.

b. From this page, you can:

l View information about each vulnerability in the table:

    l Severity — The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

    l Name — The name of the plugin that identified the vulnerability.

    l Plugin ID — The ID of the plugin that identified the vulnerability.

    l Family — The family of the plugin that identified the vulnerability.

    l Count — The number of vulnerability instances.

    Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

    l VPR — The VPR Tenable calculated for the vulnerability.

    l CVSS — The CVSSv2 or CVSSv3 score associated with the vulnerability. For more information, see CVSS vs. VPR.

l Refine the data in the plugins table. For more information, see Tenable
Vulnerability Management Tables.

l Create, edit, or apply a saved search.

Note: If you apply a saved search in the By Plugin tab, Tenable Vulnerability
Management also applies the saved search to the By Asset tab.

l View the number of plugin results, next to the Search box.

l Export data for a specific plugin.

l View vulnerability details.

View Tenable Web App Scanning vulnerabilities:


a. In the left navigation plane, in the Web App Scanning section, click Vulnerabilities.

The Vulnerabilities page appears.

By default, this page displays the By Plugin tab. The tab contains the plugins table. The
plugins table lists plugins by decreasing severity.

b. From this page, you can:

l Filter the plugins table by vulnerability attributes.

l Search the plugins table.

l View the number of plugin results, next to the Search box.

l View vulnerability details.

View Vulnerabilities by Asset

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To view vulnerabilities by asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Vulnerabilities.

The Vulnerabilities page appears.

3. In the page header, click By Asset.

The By Asset tab appears. This tab contains the assets table.

4. On this page, you can:

l Refine the data in the assets table. For more information, see Tenable Vulnerability
Management Tables.

l Apply a saved search to the table.

l View the number of assets in the table, next to the Search box.

l Export vulnerabilities identified on assets.

l Add and remove asset tags.

l Delete an asset.

l View asset details.

l View asset activity.

View Vulnerabilities by Application in Tenable Web App Scanning

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Additional License: Tenable Web App Scanning

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To view vulnerabilities by application:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Web App Scanning section, click Vulnerabilities.

The Vulnerabilities page appears.

3. Click the By Application tab.

The By Application tab appears. This tab contains the applications table.

4. From this page, you can:

l Filter the applications table by application attributes.

l Search the applications table.

l View the number of application results, next to the Search box.

l View application details.

View Vulnerability Details

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To view vulnerability details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Vulnerabilities.

The Vulnerabilities page appears.

By default, this page displays the By Plugin tab. The tab contains the plugins table. The
plugins table lists plugins by decreasing severity.

3. (Optional) Refine the plugins listed in the table. For more information, see Tenable
Vulnerability Management Tables.

4. In the plugins table, click the plugin where you want to view details.

The Vulnerability Details page appears.

On the Vulnerability Details page, you can do the following:

Section | Action

Right section

Plugin Details | View information about the plugin that identified the vulnerability. Details include:

    l Publication Date — The date on which the plugin that identified the vulnerability was published.

    l Modification Date — The date on which the plugin was last modified.

    l Family — The family of the plugin that identified the vulnerability.

    l Type — The general type of plugin check (for example, local or remote).

    l Plugin ID — The ID of the plugin that identified the vulnerability.

Exploitability Information | View information about the vulnerability when the Exploit Available filter is applied. See Vulnerability Filters for more information.

Discovery | View information about when Tenable Vulnerability Management discovered the vulnerability. Details include:

    l First Seen — The date when a scan first found the vulnerability on an asset.

    l Last Seen — The date when a scan last found the vulnerability on an asset.

    l Age — The number of days since a scan first found the vulnerability on an asset in your network.

VPR Key Drivers | View details about the key drivers Tenable used to calculate a VPR for the vulnerability. For more information about VPR key drivers, see CVSS vs. VPR.

Risk Information | View information about the risk that the vulnerability poses to your network. Details include:

    l Vulnerability Priority Rating (VPR) — The VPR Tenable calculated for the vulnerability.

    l Risk Factor — The CVSS-based risk factor associated with the plugin.

    l CVSS Base Score — The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

    l CVSS Vector — The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation.

    For more information, see CVSS vs. VPR.

Vulnerability Information | View information about the vulnerability that the plugin identified. Details include:

    l Vuln Published — The date when the vulnerability definition was first published (for example, the date that the CVE was published).

    l Exploitability — Characteristics of the vulnerability that factor into its potential exploitability. Roll over the exploitability icons to view descriptions of characteristics.

    l Patch Published — The date on which the vendor published a patch for the vulnerability.

    l CPE — The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

Reference Information | View a list of references to third-party information about the vulnerability, exploit, or update associated with the plugin. Details include:

    l CVE — Link to external documentation of a CVE that the plugin identifies.

Upper-right corner

Date range selector | Change the date range for data showing on the tabs. For more information, see Tenable Vulnerability Management Tables.

Bottom section

Assets Affected | View information about vulnerability instances on assets in your network. Details include:

    l Time Since First Seen widgets for the vulnerability instances in your network.

    l A table listing the vulnerability instances that scans have identified on your assets.

    Note: Tenable Vulnerability Management shows only the first 500 affected assets.

    On this tab, you can:

    l Filter the vulnerability instances table using various attributes.

    l Search the vulnerability instances table. For more information, see Tenable Vulnerability Management Tables.

    Note: Tenable Vulnerability Management returns assets for which the hostname/IP address starts with the specified text. For example, searching "192" returns only results that start with the same characters, such as "192.0.2.202" and "192.0.2.50."

    l Copy output for the plugin that identified the vulnerability instance.

    l Export vulnerability instance data.

    l Recast the vulnerability's severity, or accept the related risk.

    l Launch a remediation scan for the vulnerability on one or more assets.

    l Click a row in the vulnerability instances table to view asset details.

Output | View more details about the plugin that identified the vulnerability. This tab contains information about the vulnerability and a table listing vulnerability instances on your network.

    When you access the Vulnerability Details page, this tab is active by default.

    Note: Tenable Vulnerability Management shows only the first 500 vulnerability instances in the table.

    Details on this tab include:

    l Description — The description of the Tenable plugin that identified the vulnerability.

    l Solution — A brief summary of how you can remediate the vulnerability.

    l See Also — Links to external websites that contain helpful information about the vulnerability.

    l Output — The text output of the Nessus scanner that identified the vulnerability.

    Note: Tenable Vulnerability Management limits the output for an individual plugin to 1,024 KB (1 MB).

    In the Output section of the Details tab, you can:

    l Export vulnerability instance data.

    l Copy plugin output to your computer's clipboard.

    l View plugin attachments.

    l Launch a remediation scan for the vulnerability on one or more assets.

    l Click a row in the vulnerability instances table to view asset details.

Create an Accept Rule from Vulnerability Details

The following feature is only available in Tenable FedRAMP Moderate environments.

Required User Role: Administrator

Required Access Group Permissions: Can View

You can create accept rules via the Settings page, or via the Vulnerability Details page.

To create an accept rule via the Vulnerability Details page:

1. View the Vulnerability Details page.

2. In the Assets Affected table, select one or more check boxes next to the assets for which you
want to create an accept rule.

3. In the upper-right corner, click the Actions button.

The actions menu appears.

4. In the actions menu, click Recast.

The Recast Rule plane appears.

5. In the Action section, select Accept.

6. In the Vulnerability section, confirm the plugin ID populated by Tenable Vulnerability
Management.

7. In the Targets section, confirm the target populated by Tenable Vulnerability Management.
For example:

Note: Tenable Vulnerability Management does not support bulk actions for recast or accept rules.
You must select each target individually to populate your list of targets.

l If you select only some of the assets on the Vulnerability Details page, Tenable
Vulnerability Management sets the target to Custom.

8. (Optional) In the Expires box, set an expiration date for the rule.

This action is only necessary if you want the rule to age out. By default, the rule applies
indefinitely.

9. (Optional) In the Comments box, type a description of the rule. The text you type in this box is
only visible if the rule is modified and has no functional effect.

10. (Optional) To report the vulnerability as a false positive:

a. Enable the Report as false positive toggle.

A Message To Tenable box appears.

b. In the Message to Tenable box, type a description of the false positive to send to
Tenable.

11. Click Save.

Tenable Vulnerability Management starts applying the rule to the appropriate vulnerabilities.
This process may take some time, depending on the system load and the number of matching
vulnerabilities. Tenable Vulnerability Management hides the affected vulnerability on your
dashboards.

Note: To view vulnerabilities hidden from your dashboards, use the Recast & Accept filter.

Create a Recast Rule from Vulnerability Details

The following feature is only available in Tenable FedRAMP Moderate environments.

Required User Role: Administrator

Required Access Group Permissions: Can View

You can create recast rules via the Settings page, or via the Vulnerability Details page.

To create a recast rule via the Vulnerability Details page:

1. View the Vulnerability Details page.

2. In the Assets Affected table, select the check boxes next to the assets for which you want to
create a recast rule.

3. In the upper-right corner, click the Actions button.

The actions menu appears.

4. In the actions menu, click Recast.

The Recast Rule plane appears.

5. In the Action section, select Recast.

6. In the Vulnerability section, confirm the plugin ID populated by Tenable Vulnerability
Management.

7. From the New Severity drop-down box, select the severity level for the vulnerability.

8. In the Targets section, confirm the target populated by Tenable Vulnerability Management.
For example:

Note: Tenable Vulnerability Management does not support bulk actions for recast or accept rules.
You must select each target individually to populate your list of targets.

l If you select only some of the assets on the Vulnerability Details page, the target is set
to Custom, and Tenable Vulnerability Management populates the Target Hosts box with
the appropriate targets.

Tip: If you encounter an error with the targets listed in the Target Hosts box, check that the
target hosts match your existing assets. Tenable recommends using FQDN targets for extra
reliability.

9. (Optional) In the Expires box, set an expiration date for the rule.

This action is only necessary if you want the rule to age out. By default, the rule applies
indefinitely.

10. (Optional) In the Comments box, type a description of the rule.

The text you type in this box is only visible if the rule is modified and has no functional effect.

11. Click Save.

Tenable Vulnerability Management starts applying the rule to the appropriate vulnerabilities.
This process may take some time, depending on the system load and the number of matching
vulnerabilities. Tenable Vulnerability Management updates your dashboards, where a label
appears to indicate how many affected vulnerabilities Tenable Vulnerability Management
recasted.

Note: A recast rule does not affect the historical results of a scan.

View Plugin Output

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

Note: Tenable Vulnerability Management limits output for an individual plugin to 1,024 KB (1 MB).

To view plugin output:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Vulnerabilities.

The Vulnerabilities page appears.

By default, this page displays the By Plugin tab. The tab contains the plugins table. The
plugins table lists plugins by decreasing severity.

3. (Optional) Refine the plugins listed in the table. For more information, see Tenable
Vulnerability Management Tables.

4. In the plugins table, click the vulnerability for which you want to view details.

The Vulnerability Details page appears.

5. Click the Output tab.

Tenable Vulnerability Management shows the plugin output.


6. (Optional) Copy the plugin output to your computer's clipboard.

Copy Plugin Output

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

Note: Tenable Vulnerability Management limits the output for an individual plugin to 1,024 KB (1 MB).

To copy the plugin output for a vulnerability instance:

1. View the vulnerability details.

2. Click the Output tab.

Tenable Vulnerability Management shows the plugin output.

3. In the upper-right corner of a plugin output box, click the button.

Tenable Vulnerability Management copies the output to your computer's clipboard. A confirmation message appears.

View Plugin Attachments

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can View

Certain plugins include attachments that provide more details about specific vulnerabilities. For
example, Plugin ID 92365 collects the hosts file from a remote host. After a scan is complete, you
can view and save the attachment.

Note: Not all vulnerability output details include attachments.

Note: Attachments have a size limit of 1 MB.

To view plugin attachments for Tenable Vulnerability Management scans:

1. View individual scan details for a scan that includes plugin attachments.

2. On the Vulns by Plugin tab, click a vulnerability row with a plugin that includes attachments.

The Vulnerability Details page appears.

3. Click the Output tab.

Tenable Vulnerability Management shows the plugin output.

4. In the output table, in the row for the plugin that includes attachments, click the button.

The attachment plane appears. This plane contains a table that lists available attachments.

5. In the attachments table, click the attachment you want to view.

The attachment contents appear in a new browser tab.

To view plugin attachments for Tenable Web App Scanning scans:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Web App Scanning section, click Scans.

The Tenable Web App Scanning Scans page appears.

Note: If your Tenable Web App Scanning license expires, your web application scans no longer
appear in the scans table.

3. In the scans table, click the scan that has a plugin attachment you want to view.

The Scan Details page appears.

4. In the Vulns by Plugin tab, click the plugin you want to view.

The Vulnerability Details page appears.

5. Click the Instances tab.

A list of instances found for that plugin appears, categorized by URL.

6. Click the instance that has attachments you want to include.

The instance details plane appears.

7. In the instance details plane, click the Attachments tab.

The attachments table appears.

Note: The Attachments tab appears only if the plugin instance includes an attachment.

8. Click the attachment you want to view.

The attachment opens as a .png image or complete HTTP web page.

Export Vulnerability Data

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To export vulnerability data:

1. View vulnerability data in either of the following locations:

l By Plugin tab on the Vulnerabilities page

l By Asset tab on the Vulnerabilities page

2. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Tables.

3. (Optional) Apply a saved search to the table.

4. Select the vulnerabilities you want to export:

Export scope: All vulnerabilities on all affected assets
Action: In the upper-right corner of the page, click the Export button. The export file is the same, regardless of whether the By Plugin or By Asset tab is active.

Export scope: All vulnerabilities on an individual asset
Action: To export from the By Asset tab:

a. Click the By Asset tab.

b. In an individual row of the assets table, click the button.

Export scope: All vulnerabilities on multiple assets
Action: To export from the By Asset tab:

a. Click the By Asset tab.

b. In the assets table, select the check box next to each asset you want to export.

The action bar appears at the bottom of the page.

c. In the action bar, click the button.

Export scope: An individual vulnerability on all affected assets
Action: To export from the By Plugin tab, click the button in an individual row of the plugins table.

To export from the Vulnerability Details page:

a. In the plugins table on the By Plugin tab, click an individual row.

The Vulnerability Details page appears.

b. In the upper-right corner, click the Actions button.

The actions menu appears.

c. In the actions menu, click Export.

Export scope: An individual vulnerability on an individual asset
Action: To export from the By Plugin tab:

a. In the plugins table, click an individual row.

The Vulnerability Details page appears.

b. In the Output section of the Details tab, locate the box for the vulnerability you want to export.

c. In the upper-right corner of the plugin output box, click the button.

To export from the Asset Details page:

a. Click the By Asset tab.

b. In the assets table, click an individual row.

The Asset Details page appears.

c. In an individual row of the vulnerabilities table, click the button.

Export scope: An individual vulnerability on multiple assets
Action: To export from the By Plugin tab:

a. In the plugins table on the By Plugin tab, click an individual row.

The Vulnerability Details page appears.

b. Click the Assets Affected tab.

c. In the assets table, select the check box for each asset you want to export.

The action bar appears at the bottom of the page.

d. In the action bar, click the button.

Export scope: Multiple vulnerabilities on all affected assets
Action: To export from the By Plugin tab:

a. In the plugins table, select the check box next to each vulnerability you want to export.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

Export scope: Multiple vulnerabilities on an individual asset
Action: To export from the By Asset tab:

a. Click the By Asset tab.

b. In the assets table, click an individual row.

The Asset Details page appears.

c. In the plugins table, select the check box next to each vulnerability you want to export.

The action bar appears at the bottom of the page.

d. In the action bar, click the button.

Export scope: Multiple vulnerabilities on multiple assets
Action: To export from the By Asset tab:

a. Click the By Asset tab.

b. Filter the assets table on the vulnerabilities you want to export.

c. In the assets table, select the check box for each asset you want to export.

The action bar appears at the bottom of the page.

d. In the action bar, click the button.

This exports all (filtered) vulnerabilities for the selected assets.

The Exports plane appears. This plane contains:

l A brief description of the export scope you selected under the Export label. This
description specifies the number of vulnerabilities you selected for the export, whether
you added more filters to the data, and the number of affected assets you selected for
the export.

For example, All Vulns indicates that you selected all vulnerabilities on all affected assets, and All Filtered Vulns for 5 Assets indicates that you selected all vulnerabilities on multiple assets and also filtered the data.

l A list of available export formats.

5. Click the export format you want to use:

Format: PDF - Current
Description: Adobe PDF file.

Format: PDF - Executive Summary
Description: Adobe PDF file.

Format: HTML - Current
Description: Web-based HTML file.

Format: HTML - Executive Summary
Description: Web-based HTML file.

Format: Nessus
Description: Tenable Nessus file. Tenable Nessus exports are the only file format that you can import into Tenable Vulnerability Management.

Format: CSV
Description: .csv text file.

If you chose this format, a list of export fields appears. You can select which fields the export includes by selecting the check box next to any field. To view only the selected fields, click View Selected. To view all possible fields, click View All.

For more information, see CSV Export Fields.

Note: Tenable Vulnerability Management supports tag filters in the CSV export format only.

Tenable Vulnerability Management begins processing the report. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
report.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

6. Access the export file via your browser's downloads directory.

CSV Vulnerability Export Fields

The following feature is only available in Tenable FedRAMP Moderate environments.

Each line in the .csv file is composed of the fields described in the following table. On the
Vulnerabilities page, you can export vulnerabilities as a .csv file.

Asset UUID: The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

CVE: The Common Vulnerabilities and Exposures (CVE) ID for the plugin that identified the vulnerability.

CVSS: The severity of the vulnerability.

CVSS Base Score: The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS Temporal Score: The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments).

CVSS Temporal Vector: CVSSv2 temporal metrics for the vulnerability.

CVSS Vector: More CVSSv2 metrics for the vulnerability.

CVSS3 Base Score: The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS3 Temporal Score: The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments).

CVSS3 Temporal Vector: CVSSv3 temporal metrics for the vulnerability.

CVSS3 Vector: More CVSSv3 metrics for the vulnerability.

Description: The description of the plugin used to detect the vulnerability.

FQDN: The fully qualified domain name of the host on which the vulnerability was detected.

Host: The hostname of the asset where a scan found the vulnerability.

Host End: The UNIX timestamp for when the scan completed.

Host Start: The UNIX timestamp for when the scan began.

IP Address: The IP address of the asset where a scan found the vulnerability.

MAC Address: The MAC address of the host where a scan found the vulnerability.

Name: The name of the plugin that detected the vulnerability.

NetBios: The NetBIOS name of the host where a scan found the vulnerability.

OS: The operating system of the host where a scan found the vulnerability.

Plugin Family: The plugin family of the exported vulnerabilities.

Plugin ID: The ID of the plugin that identified the vulnerability.

Plugin Output: The text output of the plugin that identified the vulnerability.

Port: Information about the port the scanner used to connect to the asset where the scan found the vulnerability.

Protocol: The protocol the scanner used to communicate with the asset where the scan found the vulnerability.

Risk: The CVSS-based risk factor associated with the plugin.

See Also: Links to external websites that contain helpful information about the vulnerability.

Solution: Remediation information for the vulnerability.

Synopsis: Brief description of the plugin or vulnerability.

System Type: Device type.

Vulnerability Priority Rating (VPR): The VPR that Tenable calculates for the vulnerability. For more information, see Risk Metrics.

Vulnerability State: The state of the vulnerability. For more information, see Vulnerability States.
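As an added example, not taken from the Tenable guide or from Tenable's own tooling, the following Python reads a CSV vulnerability export that uses the field names listed above, groups open findings per asset, and overlays recast rules of the shape described in the recast procedure earlier in this section (plugin ID, new severity, target hosts, optional expiry). Everything in it is constructed for illustration: the CSV rows, the rules, the date the export was taken, which Vulnerability State values count as open (New, Active, Resurfaced), the fallback from VPR to the CVSS3 base score when Tenable supplied no VPR, and the way a rule is matched to a row and ages out. None of that is documented Tenable behaviour; it shows one way to consume the export offline.

```python
import csv
import io
from datetime import date, datetime, timezone

# Constructed sample in the shape of a Tenable Vulnerability Management CSV
# vulnerability export. Column names are the documented export fields;
# every value (UUIDs, hosts, plugin IDs, scores, timestamps) is made up.
SAMPLE_CSV = """Asset UUID,CVE,CVSS3 Base Score,Plugin ID,Name,Host,FQDN,IP Address,Host Start,Host End,Risk,Vulnerability Priority Rating (VPR),Vulnerability State
11111111-1111-4111-8111-111111111111,CVE-2000-0001,9.8,100001,Example RCE,web01,web01.example.test,10.0.0.10,1718841600,1718845200,Critical,9.2,Active
11111111-1111-4111-8111-111111111111,,5.3,100002,Example info leak,web01,web01.example.test,10.0.0.10,1718841600,1718845200,Medium,4.1,Active
22222222-2222-4222-8222-222222222222,CVE-2000-0001,9.8,100001,Example RCE,db01,,10.0.0.20,1718841600,1718845200,Critical,9.2,Fixed
22222222-2222-4222-8222-222222222222,CVE-2000-0002,7.5,100003,Example DoS,db01,,10.0.0.20,1718841600,1718845200,High,6.7,Resurfaced
33333333-3333-4333-8333-333333333333,CVE-2000-0003,6.1,100004,Example XSS,app01,app01.example.test,10.0.0.30,1718841600,1718845200,Medium,,New
"""

# Constructed recast rules mirroring the Recast Rule plane: plugin ID, new
# severity, target hosts (None = all affected assets) and an optional expiry.
# Matching and expiry semantics below are assumptions of this example.
SAMPLE_RULES = [
    {"plugin_id": "100003", "new_severity": "Low", "targets": None, "expires": None},
    {"plugin_id": "100002", "new_severity": "Info",
     "targets": {"web01.example.test"}, "expires": date(2024, 1, 1)},  # already aged out
]

EXPORT_DATE = date(2024, 6, 20)                 # assumed day the export was taken
OPEN_STATES = {"New", "Active", "Resurfaced"}   # assumption: every state except Fixed


def _float_or_none(value):
    value = (value or "").strip()
    return float(value) if value else None


def parse_export(text):
    """Parse the CSV into dicts, typing the score columns and UNIX timestamps."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = dict(raw)
        row["vpr"] = _float_or_none(raw["Vulnerability Priority Rating (VPR)"])
        row["cvss3"] = _float_or_none(raw["CVSS3 Base Score"])
        row["start"] = datetime.fromtimestamp(int(raw["Host Start"]), tz=timezone.utc)
        row["end"] = datetime.fromtimestamp(int(raw["Host End"]), tz=timezone.utc)
        rows.append(row)
    return rows


def priority(row):
    """VPR when Tenable supplied one, else the CVSS3 base score (assumed fallback)."""
    if row["vpr"] is not None:
        return row["vpr"]
    return row["cvss3"] if row["cvss3"] is not None else 0.0


def rule_applies(rule, row, today):
    """A rule matches its plugin ID, has not expired, and covers the row's asset."""
    if rule["plugin_id"] != row["Plugin ID"]:
        return False
    if rule["expires"] is not None and today > rule["expires"]:
        return False
    if rule["targets"] is None:
        return True
    return row["FQDN"] in rule["targets"] or row["IP Address"] in rule["targets"]


def effective_risk(row, rules, today):
    """Return (risk factor after recast, whether a rule modified it)."""
    for rule in rules:
        if rule_applies(rule, row, today):
            return rule["new_severity"], True
    return row["Risk"], False


def open_findings(rows):
    return [r for r in rows if r["Vulnerability State"] in OPEN_STATES]


def triage_by_asset(rows, rules=(), today=None, threshold=7.0):
    """Group open findings per Asset UUID; list urgent ones and applied recasts."""
    today = today or date.today()
    by_asset = {}
    for r in open_findings(rows):
        entry = by_asset.setdefault(r["Asset UUID"], {
            "host": r["Host"], "fqdn": r["FQDN"] or None, "open": 0,
            "urgent": [], "recast": [],
            "scan_window": (r["start"].isoformat(), r["end"].isoformat()),
        })
        entry["open"] += 1
        if priority(r) >= threshold:
            entry["urgent"].append((priority(r), r["Plugin ID"], r["CVE"]))
        risk, modified = effective_risk(r, rules, today)
        if modified:
            entry["recast"].append((r["Plugin ID"], r["Risk"], risk))
    for entry in by_asset.values():
        entry["urgent"].sort(key=lambda t: (-t[0], t[1]))
    return by_asset


def hosts_without_fqdn(rows):
    """Hosts exported with an empty FQDN; recast targets for them cannot use an FQDN."""
    return sorted({r["Host"] for r in rows if not r["FQDN"]})


if __name__ == "__main__":
    for uuid, e in triage_by_asset(parse_export(SAMPLE_CSV), SAMPLE_RULES, EXPORT_DATE).items():
        print(uuid, e["host"], "open:", e["open"], "urgent:", e["urgent"], "recast:", e["recast"])
```

The Fixed row is dropped before anything is counted, so a host whose only finding for a plugin has been remediated does not reappear as urgent; the second rule is past its expiry on the export date and therefore leaves the Medium finding untouched, which is the "age out" behaviour the Expires box is for. hosts_without_fqdn is the check behind the tip about FQDN targets: for those hosts a Custom target list has to use the hostname or IP instead.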

Vulnerability Filters

The following feature is only available in Tenable FedRAMP Moderate environments.

On the Vulnerabilities page, you can filter vulnerabilities using Tenable-provided filters and filters
based on asset tags.

Tenable-provided Filters
Tenable Vulnerability Management provides the following vulnerability filters:

Asset ID: The UUID of the asset where a scan detected the vulnerability. This value is unique to Tenable Vulnerability Management.

Bugtraq ID: The Bugtraq ID for the plugin that identified the vulnerability.

CANVAS Exploit Framework: Indicates whether an exploit for the vulnerability exists in the Immunity CANVAS framework.

CANVAS Package: The name of the CANVAS exploit pack that includes the vulnerability.

CERT Advisory ID: The ID of the CERT advisory related to the vulnerability.

CERT Vulnerability ID: The ID of the vulnerability in the CERT Vulnerability Notes Database.

Check Name: The description of the compliance check that detected the vulnerability.

Compliance Reference: The name of the reference file the scan used for the compliance check.

CORE Exploit Framework: Indicates whether an exploit for the vulnerability exists in the CORE Impact framework.

CPE: The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

CVE: The Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that the plugin identifies.

CVSS Base Score: The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS Temporal Score: The CVSSv2 temporal score (characteristics of a vulnerability that change over time but not among user environments).

CVSS Temporal Vector: CVSSv2 temporal metrics for the vulnerability.

CVSS v3.0 Base Score: The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS v3.0 Temporal Score: The CVSSv3 temporal score (characteristics of a vulnerability that change over time but not among user environments).

CVSS v3.0 Temporal Vector: CVSSv3 temporal metrics for the vulnerability.

CVSS v3.0 Vector: More CVSSv3 metrics for the vulnerability.

CVSS Vector: The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation.

CWE: The Common Weakness Enumeration (CWE) for the vulnerability.

Default/Known Accounts: Indicates whether the plugin that identified the vulnerability checks for default accounts.

Elliot Exploit Framework: Indicates whether an exploit for the vulnerability exists in the D2 Elliot Web Exploitation framework.

Elliot Exploit Name: The name of the exploit for the vulnerability in the D2 Elliot Web Exploitation framework.

Exploit Available: Indicates whether a public exploit exists for the vulnerability.

Exploit Database ID: The ID of the vulnerability in the Exploit Database.

ExploitHub: Indicates whether an exploit for the vulnerability exists in the ExploitHub framework.

Exploitability Ease: Description of how easy it is to exploit the vulnerability.

Exploited by Malware: Indicates whether the vulnerability is known to be exploited by malware.

Exploited by Nessus: Indicates whether Tenable Nessus exploited the vulnerability during the process of identification.

Hostname/IP Address: The hostname or IP address of the asset where a scan found the vulnerability.

Note: Ensure the search query does not end in a period.

IAVA ID: The ID of the information assurance vulnerability alert (IAVA) for the vulnerability.

IAVB ID: The ID of the information assurance vulnerability bulletin (IAVB) for the vulnerability.

IAVM Severity: The severity of the vulnerability in Information Assurance Vulnerability Management (IAVM).

IAVT ID: The ID of the information assurance vulnerability technical bulletin (IAVT) for the vulnerability.

In the News: Indicates whether this plugin has received media attention (for example, Shellshock, Meltdown).

Malware: Indicates whether the plugin that identified the vulnerability checks for malware.

Metasploit Exploit Framework: Indicates whether an exploit for the vulnerability exists in the Metasploit framework.

Metasploit Name: The name of the related exploit in the Metasploit framework.

Microsoft Bulletin: The Microsoft security bulletin covered by the plugin that identified the vulnerability.

OSVDB ID: The ID of the vulnerability in the Open Sourced Vulnerability Database (OSVDB).

Patch Publication Date: The date on which the vendor published a patch for the vulnerability.

Plugin Description: The description of the Tenable plugin that identified the vulnerability.

Plugin Family: The family of the plugin that identified the vulnerability.

Plugin ID: The ID of the plugin that identified the vulnerability.

Plugin Modification Date: The date on which the plugin was last modified.

Plugin Name: The name of the plugin that identified the vulnerability.

Plugin Output: The text output of the Nessus scanner that identified the vulnerability.

Plugin Publication Date: The date on which the plugin that identified the vulnerability was published.

Plugin Type: The general type of plugin check (for example, local or remote).

Port: Information about the port the scanner used to connect to the asset where the scan detected the vulnerability.

Protocol: The protocol the scanner used to communicate with the asset where the scan detected the vulnerability.

Recast & Accept: Indicates whether the vulnerability is affected by a recast or accept rule.

Risk Modified: Indicates whether you have accepted or recasted (or both) the severity of a vulnerability. For more information, see Create Recast/Accept Rules in Findings.

Secunia ID: The ID of the Secunia research advisory related to the vulnerability.

See Also: Links to external websites that contain helpful information about the vulnerability.

Severity: The vulnerability's CVSS-based severity. For more information, see CVSS vs. VPR.

Solution: A brief summary of how you can remediate the vulnerability.

Synopsis: Brief description of the plugin or vulnerability.

Tag (Category: Value): A filter that searches tag (category: value) pairs. For more information, see Tags.

Note: When filtering by tag, Tenable Vulnerability Management shows up to 25,000 tag results. To view the full results, refine your tag filter, or export the vulnerability data.

Target Group: A target group. For more information, see Target Groups.

Unsupported By Vendor: Software found by this plugin is unsupported by the software's vendor (for example, Windows 95 or Firefox 3).

Vulnerability First Seen: The date when a scan first found the vulnerability on an asset.

Vulnerability Last Seen: The date when a scan last found the vulnerability on an asset.

Vulnerability Priority Rating (VPR): The VPR Tenable calculated for the vulnerability.

Vulnerability Publication Date: The date when the vulnerability definition was first published (for example, the date that the CVE was published).

Vulnerability State: The state of the vulnerability. For more information, see Vulnerability States.

Tenable Web App Scanning Vulnerability Filters


Application Count: The number of applications affected by the vulnerability.

Bugtraq Id: The Bugtraq ID for the plugin that identified the vulnerability.

CPE: The Common Platform Enumeration (CPE) numbers for vulnerabilities that the plugin identifies.

CVE: The Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that the plugin identifies.

CVSS Base Score: The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS v3.0 Base Score: The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments).

CVSS v3.0 Vector: More CVSSv3 metrics for the vulnerability.

CVSS Vector: The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation.

CWE: The Common Weakness Enumeration (CWE) for the vulnerability.

First Seen: The date on which the first instance of the vulnerability was detected.

Host: The host of the URL where the vulnerability was detected.

OWASP Top 10 2010: The Open Web Application Security Project (OWASP) 2010 category for the vulnerability targeted by the plugin.

OWASP Top 10 2013: The Open Web Application Security Project (OWASP) 2013 category for the vulnerability targeted by the plugin.

OWASP Top 10 2017: The Open Web Application Security Project (OWASP) 2017 category for the vulnerability targeted by the plugin.

Plugin Description: The description of the Tenable plugin that identified the vulnerability.

Plugin Family: The family of the plugin that identified the vulnerability.

Plugin ID: The ID of the plugin that identified the vulnerability.

Plugin Modification Date: The date on which the plugin was last modified.

Plugin Name: The name of the plugin that identified the vulnerability.

Plugin Publication Date: The date on which the plugin that identified the vulnerability was published.

See Also: Links to external websites that contain helpful information about the vulnerability.

Severity: The CVSS score-based severity. For more information, see CVSS Scores vs. VPR in the Tenable Vulnerability Management User Guide.

Solution: A brief summary of how you can remediate the vulnerability.

WASC: The Web Application Security Consortium (WASC) category associated with the vulnerability targeted by the plugin.

Tag Filters
In Tenable Vulnerability Management, tags allow you to add descriptive metadata to assets that
helps you group assets by business context. For more information, see Tags.

On both the By Plugin and By Asset tabs of the Vulnerabilities page, you can filter vulnerabilities by
tags applied to the related assets.

Note: When using the contains or does not contain operators, use the following best practices:

l For the most accurate and complete search results, use full words in your search value.
l Do not use periods in your search value.
l Remember that when filtering assets, the search values are case-sensitive.
l Filter by only one value per filter. For example, to filter by two different IP addresses, add two
separate filters for each IP address.
l Where applicable, Tenable recommends using the contains or does not contain instead of the is
equal to or is not equal to operators.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list,
after the Tenable-provided filters.

If you want to export vulnerabilities filtered by tag, use the .csv export format. Tag filters are not
supported in other export formats.

Note: If you exceed the current asset query limitation of 5,000, a message appears in your interface. You
should refine the query to a smaller set of asset tags.

Application Filters in Tenable Web App Scanning

The following feature is only available in Tenable FedRAMP Moderate environments.

On the Vulnerabilities page, on the By Applications tab, you can filter applications using Tenable-
provided filters.

Tenable-provided Filters
Tenable Web App Scanning provides the following application filters:

Finding Count: The number of vulnerabilities detected on the application across all scans.

First Seen: The date on which the application was first scanned successfully.

Host: The host name of the asset where a scan found the vulnerability.

Last Seen: The date on which the application was last scanned successfully.

Plugin ID: The ID of the plugin that identified the vulnerability.

Severity: The CVSS score-based severity. For more information, see CVSS Scores vs. VPR in the Tenable Vulnerability Management User Guide.

Assets
The following feature is only available in Tenable FedRAMP Moderate environments.

The Assets page provides insight into your organization's assets and their vulnerabilities.

This page contains top-level widgets that provide a snapshot of the asset scanning status, and a
table that lists assets scans have identified in your network. The top-level widgets include:

Asset by Tags: This widget lists the top 5 tags applied to the highest number of assets. For more information, see Tags.

Asset Coverage: This widget summarizes how thoroughly your scans assessed your environment during the past 90 days.

l Authenticated Scans — Authenticated assessment scans configured to find vulnerabilities on assets.

l Unauthenticated Scans — Unauthenticated assessment scans configured to find vulnerabilities on assets.

l Detected Only — Scans configured to discover assets.

For more information, see Discovery Scans vs. Assessment Scans.

Statistics: This widget summarizes your licensed assets, that is, the assets Tenable Vulnerability Management scanned in the last 90 days.

About Assets
Tenable Vulnerability Management includes the ability to track assets that belong to your
organization. Assets are entities of value on a network that can be exploited. This includes laptops,
desktops, servers, routers, mobile phones, virtual machines, software containers, and cloud
instances. By providing comprehensive information about the assets that belong to your
organization, Tenable Vulnerability Management helps to eliminate potential security risks, identify
under-utilized resources, and support compliance efforts.

Tenable Vulnerability Management automatically creates or updates assets when a scan completes
or scan results are imported. Tenable Vulnerability Management attempts to match incoming scan
data to existing assets using a complex algorithm. This algorithm looks at attributes of the scanned
hosts and employs various heuristics to choose the best possible match. If Tenable Vulnerability
Management cannot find a match, the system assumes this is the first time Tenable Vulnerability
Management has encountered the asset and creates a new record for it. Otherwise, if Tenable
Vulnerability Management finds a matching asset, the system updates any properties that have
changed since the last time Tenable Vulnerability Management encountered the asset.

In addition to vulnerability information, Tenable Vulnerability Management also attempts to gather various other information about the asset, including:

l Interfaces (IP address and MAC address)

l DNS Names

l NetBIOS Name

l Operating System

l Installed Software

l UUIDS (Tenable, ePO, BIOS)

l Whether an agent is present

View Assets

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To view assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

On this page, you can:

Action buttons:

l Export asset data.

l Change the table date range. For more information, see Tenable Vulnerability Management Tables.

Filters box: Filter the assets table.

Search box: Search the assets table. For more information, see Tenable Vulnerability Management Tables.

Saved Searches box: Create a saved search, edit an existing saved search, or apply an existing saved search.

Assets table:

l View information about the asset:

l Name — The asset identifier, assigned based on the availability of specific attributes in logical order.

l AES — (Requires Tenable Lumin license) The AES for the asset.

l ACR — (Requires Tenable Lumin license) The asset's ACR.

l IP — The asset's IP address.

l OS — The asset's operating system.

l Mitigations — (Requires Tenable Lumin license) Basic mitigation details for the asset.

l Last Seen — The time and date when the credentialed scan ran on the asset.

l Source — The scanner type that first scanned the asset.

l View asset details.

l (Requires Tenable Lumin license) Edit an ACR.

l Export asset data.

l Add or remove an asset tag.

l Delete an asset.

l To sort, increase or decrease the number of rows per page, or navigate to another page of the table, see Tenable Vulnerability Management Tables.

Asset View

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Asset View page provides a single view of all the assets in your environment. This can help
security teams understand their full attack surface. On the Asset View page, you can view the
following types of assets:

l Managed assets that Tenable Vulnerability Management has assessed for vulnerabilities

l Unmanaged assets that Tenable Vulnerability Management discovered, but did not yet assess
for vulnerabilities

This Tenable-provided dashboard visualizes actionable insights for your Tenable Vulnerability
Management assets. You can roll over individual items to reveal additional information or click on
items to drill down into details behind the data.

Note: The access group to which you belong determines the assets shown on the Asset View. For more
information, see Access Groups.

Note: The Asset View page does not include assets from Tenable Web App Scanning or Tenable Container
Security.

To view the Asset View page:

1. Do one of the following:

l In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Asset View.

l Click the Dashboards button.

The Dashboards plane appears with a list of configured dashboards.

a. Click Asset View.

The Asset View page appears.

On the Asset View page, you can interact with the following widgets:

- 818 -
Statistics: This widget summarizes the actionable metrics for your inventory during the past 90 days.

To view a list of assets, click the assets count or one of the recent discovery metrics. For more information, see View Asset Details.

Asset Coverage: This widget summarizes how thoroughly your scans assessed your environment during the last 90 days.

l Authenticated Scans — Authenticated scans configured to find vulnerabilities on assets.

l Unauthenticated Scans — Unauthenticated scans configured to find vulnerabilities on assets.

l Detected Only — Scans configured to discover assets.

Most Common Operating Systems: This widget summarizes the most common operating systems running on your assets, organized by the percentage of your assets running each operating system.

Assets by Tags: This widget lists the top 50 tags applied to the highest number of assets. For more information, see Tags.

Assets Running Web Servers: This widget lists assets that Tenable Nessus plugins identified as running web servers.

Assets Running Docker Hosts: This widget lists assets that Tenable Nessus plugins identified as Docker hosts.

For more information about how to Discover and Assess in Tenable Vulnerability Management, in
the upper-right corner, click the Discover and Assess button.

Discover and Assess

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Discover and Assess page highlights the asset discovery options available in Tenable
Vulnerability Management. On the Discovery page, user role permissions determine the access to
certain widgets. For example, an administrator can access the Cloud Connectors widget, but a
standard user cannot.

To view the Discover and Assess page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Discovery.

The Discover and Assess page appears.

3. Click any of the following widgets:

Select a Discovery Method: To find assets on your network:

a. Click Start Scan.

The Create a Scan page appears.

b. Create a scan. For more information, see Create a Scan.

Cloud Connectors: To get real-time visibility into your cloud assets:

a. Click Set Up Connectors.

The Connectors page appears.

b. Configure a connector. For more information, see Connectors.

Connect to ServiceNow: To discover assets with your CMDB:

a. Click Learn More.

b. Configure a two-way sync between Tenable Vulnerability Management and ServiceNow. For more
information, see the ServiceNow Integration Guide.

Set up Nessus Monitor: To get continuous visibility into managed and unmanaged assets on your
networks:

a. Click Learn More.

The Add a Nessus Network Monitor plane appears.

b. Copy the linking key.

c. Use the key to link an NNM instance to Tenable Vulnerability Management. For more
information, see Link a Sensor.

View Asset Details

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To view details for a specific asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. In the assets table, click the asset where you want to view details.

The Asset Details page appears.

On the Asset Details page, you can:

Top section

Asset Name: Indicates the asset identifier, assigned based on the availability of specific
attributes in logical order.

Asset Information: View summary asset information. This information includes:

• Operating System — The operating system that a scan identified as installed on the asset.

• IPv4 Addresses — The IPv4 addresses that scans have associated with the asset.

• IPv6 Addresses — The IPv6 addresses that scans have associated with the asset.

• Network — The name of the network object associated with scanners that identified the asset.
The default name is Default. For more information, see Networks.

Right section

Vulnerability Information:

• View the number of vulnerabilities associated with the asset.

• View the number of exploitable vulnerabilities associated with the asset.

• View a list of vulnerabilities separated by severity.

Tags:

• View asset tags applied to the asset: manual application ( ) and dynamic application ( ).

• Add tags to the asset by clicking the button next to Tags.

• Remove tags from the asset.

• Search assets by a specific tag.

Scan Information: View summary scan information. This information includes:

• First Seen — The date and time when a scan first identified the asset.

• Last Seen — The date and time at which the asset was last observed as part of a scan.

• Last Auth Scan — The date and time of the last authenticated scan run against the asset. An
authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but
not the Last Licensed Scan field.

• Source — The source of the scan that identified the asset.

KB: Click Download to download a .txt knowledge base file of the scan. Scanners generate a KB
while performing a scan. The KB records any plugin information shared between different scripts
and hosts. In most cases, you only need to download the KB when Tenable Support requests it for
support cases.

Scan DB: Click Download to download a .db file of the scan results. The scan DB shows the scan's
settings, plugin outputs, plugin audit trail, KB, and other attachments. In most cases, you only
need to download the scan DB when Tenable Support requests it for support cases.

Note: In Tenable Vulnerability Management, scan DB data is only accessible for a 45-day period
after the scan completes. After this period, you cannot download a scan DB for the given scan
result.

ACR Key Drivers: View information about the key drivers Tenable used to calculate the ACR for
this asset.

Lower section

Activity: View asset activity.

Vulnerabilities:

• Refine the data in the vulnerabilities table. For more information, see Tenable Vulnerability
Management Tables.

• View the total number of vulnerabilities on the asset, next to the Search box.

• Click the vulnerability row to view vulnerability details.

• Export vulnerability data for the asset.

• Add or remove asset tags.

• Delete an asset.

• Launch a remediation scan for a vulnerability or vulnerabilities seen on the asset.

Solution (Requires Tenable Lumin license):

• View the recommended solutions for the asset.

• CVE Count — The number of vulnerabilities on this asset addressed by the solution.

• VPR — The highest VPR of the vulnerabilities included in the solution.

• CVSS — The highest CVSSv2 score (or CVSSv3 score, when available) of the vulnerabilities
included in the solution.

• To sort, increase or decrease the number of rows per page, or navigate to another page of the
table, see Tenable Vulnerability Management Tables.

View Asset Activity

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In the asset Activity tab, you can view asset history to help you troubleshoot issues. You can see
when your asset was discovered, seen, updated, tagged, or deleted, and relevant metadata about
the activity. You can also search the asset activity log.

To view asset activity:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. In the assets table, click the asset where you want to view details.

The asset details page appears.

4. Click the Activity tab.

The asset activity events table appears.

5. Do the following:

a. (Optional) Search for specific events by Event value. For more information, see Tenable
Vulnerability Management Tables.

b. Click an event row to view more details.

The Activity details plane appears and shows metadata for the event. Depending on the
event, the metadata can include information such as:

• the scan that generated the event

• the event date

• properties that were changed on the asset

• the user who performed the action.

Tip: To view the scan that generated an Asset Discovered, Asset Seen, or Asset Updated event,
click the link to the scan under Seen by.

Manage Asset Tags

The following feature is only available in Tenable FedRAMP Moderate environments.

Add your own business context to assets by tagging them with descriptive metadata in Tenable
Vulnerability Management.

You can manually apply a tag to create a static group of assets. An asset tag is primarily composed
of a Category:Value pair. For example, if you want to group your assets by location, create a
Location category with the value Headquarters. For more information about tags, see Tags.

You can manage asset tags in any user role.

Tip: Applying or removing a tag generates an entry in the asset's activity log. You can view the activity log in
the Activity tab of the Asset Details page.

Note: Tenable Vulnerability Management applies dynamic tags to any assets, regardless of access group
scoping. As a result, it may apply tags you create to assets outside of access groups to which you belong.

Search Assets by Tag from the Assets Page

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Use permission for applicable asset tags.

When you view an asset's tags, you can search by a specific tag to create a filter for assets with the
same tag. For more information on filters in the new interface, see Filter a Table.

You can also search for assets by the tags table, as described in Search for Assets by Tag from the
Tags Table.

Before you begin:

• Add tags to assets, as described in Add a Tag to an Asset.

To search assets by tag:

1. View asset details.

2. In the right panel, in the Tags section, click the tag you want to search by.

A drop-down list appears.

3. In the drop-down list, click Search Assets by Tag.

The Assets page appears. Tenable Vulnerability Management shows the Assets and filters the
table for assets where the selected tag is applied.

Remove a Tag from an Asset via the Asset View

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View, Can Edit

This procedure describes how to remove tags from assets from the Assets page. You can also
remove asset tags from the Vulnerabilities by Assets page.

If an asset matches a dynamic tag's rules but you do not want the tag applied, you can manually
remove the tag from the asset. If you later want to re-apply the tag to the asset, you can remove
the asset from the excluded assets list, as described in Edit Tag Rules.

To remove a tag from a single asset:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. Do one of the following:

Assets page:

a. In the assets table, select the check box for each asset from which you want to remove a tag.

The action bar appears at the bottom of the page.

b. On the action bar, click Remove Tag.

Asset Details page:

a. In the assets table, click the asset where you want to remove the tag.

The Asset Details page appears.

b. In the right panel, in the Tags section, click the name of the tag you want to remove from the
asset.

A menu appears.

c. Click Remove Tag.

The Remove Tags plane appears.
4. Under Current Tags, click each tag you want to remove.

The tag appears in the Tags to be Removed box.

Tip: To remove a tag from Tags to be Removed, roll over the tag and click the button.

5. Click Remove.

Tenable Vulnerability Management removes the tags specified in Tags to be Removed from
the asset.

To remove tags from multiple assets:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. In the assets table, click the check box next to each asset for which you want to remove the
tag.

The action bar appears at the bottom of the page.

4. In the action bar, click Remove Tag.

The Remove Tags plane appears.

5. Under Current Tags, click each tag you want to remove.

The tag appears in the Tags to be Removed box.

Tip: To remove a tag from Tags to be Removed, roll over the tag and click the button.

6. Click Remove.

Tenable Vulnerability Management removes the tags specified in Tags to be Removed from
the selected assets.

Export Asset Data

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To export asset data:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Tables.

4. (Optional) Apply a saved search to the table.

5. Select the assets you want to export:

All assets: To export all assets, in the upper-right corner of the page, click the Export button.

Selected assets: To export selected assets:

a. In the assets table, select the check box for each asset you want to export.

The action bar appears at the bottom of the page.

b. In the action bar, click Export.

A single asset: To export a single asset:

a. In the assets table, in the row of the asset you want to export, click the button.

A menu appears.

b. Click Export.

The Export plane appears.

This plane contains:

• A brief description of the export scope you selected under the Export label. This
description specifies the number of assets you selected for the export.

• A list of available export formats.

6. Click the export format you want to use:

CSV: .csv text file.

A list of export fields appears. You can select which fields the export includes by selecting the
check box next to any field. To view only the selected fields, click View Selected.

For more information, see CSV Asset Export Fields.

Note: When you export assets for the first time, Tenable Vulnerability Management selects all
fields. If you modify the field selection, Tenable Vulnerability Management retains your selections
as the default the next time you generate an export file.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

7. Access the export file via your browser's downloads directory.

CSV Asset Export Fields

The following feature is only available in Tenable FedRAMP Moderate environments.

Each line in the .csv file is composed of the fields described in the following table. On the Assets
page, you can export assets as a .csv file.

Agent Name: The name of the Tenable Nessus agent that scanned and identified the asset.

AWS Availability Zone: The name of the Availability Zone where AWS hosts the virtual machine
instance. For more information, see Regions and Availability Zones in the AWS documentation.

AWS EC2 Instance AMI ID: The unique identifier of the Linux AMI image in Amazon Elastic Compute
Cloud (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance Group Name: The virtual machine instance's group in AWS.

AWS EC2 Instance ID: The unique identifier of the Linux instance in Amazon EC2. For more
information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance State Name: The state of the virtual machine instance in AWS at the time of the
scan. For possible values, see API Instance State in the Amazon Elastic Compute Cloud
Documentation.

AWS EC2 Instance Type: The type of virtual machine instance in Amazon EC2. Amazon EC2 instance
types dictate the specifications of the instance (for example, how much RAM it has). For a list of
possible values, see Amazon EC2 Instance Types in the AWS documentation.

AWS EC2 Name: The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code: The product code associated with the AMI used to launch the virtual machine
instance in Amazon EC2.

AWS Owner ID: A UUID for the Amazon AWS account that created the virtual machine instance. For
more information, see AWS Account Identifiers in the AWS documentation. This attribute contains a
value for Amazon EC2 instances only. For other asset types, this attribute is empty.

AWS Region: The region where AWS hosts the virtual machine instance, for example, us-east-1. For
more information, see Regions and Availability Zones in the AWS documentation.

AWS Subnet ID: The unique identifier of the AWS subnet where the virtual machine instance was
running at the time of the scan.

AWS VPC ID: The unique identifier of the Amazon Virtual Private Cloud (VPC) that hosts the AWS
virtual machine instance. For more information, see the Amazon Virtual Private Cloud User Guide.

Azure VM ID: The unique identifier of the Microsoft Azure virtual machine instance. For more
information, see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

BigFix Asset ID: The unique identifiers of the asset in IBM BigFix. For more information, see the
IBM BigFix documentation.

BIOS UUID: The BIOS UUID of the asset.

Created At: The date and time when Tenable Vulnerability Management created the asset record.

Deleted At: The time and date when a user deleted the asset record. When a user deletes an asset
record, Tenable Vulnerability Management retains the record until the asset ages out of the
license count.

Deleted By: The user who deleted the asset record.

Exposure Score: The Asset Exposure Score (AES) calculated for the asset.

First Scan Time: The time and date of the first scan run against the asset.

First Seen: The date and time when a scan first identified the asset.

FQDN: The fully qualified domain name of the host on which the vulnerability was detected.

GCP Instance ID: The unique identifier of the virtual machine instance in Google Cloud Platform
(GCP).

GCP Project ID: The customized name of the project to which the virtual machine instance belongs
in GCP. For more information, see Creating and Managing Projects in the GCP documentation.

GCP Zone: The zone where the virtual machine instance runs in GCP. For more information, see
Regions and Zones in the GCP documentation.

Has Agent: Specifies whether a Tenable Nessus agent scan identified the asset.

Has Plugin Results: Specifies whether the asset has plugin results associated with it.

Hostname: The hostname of the asset. This string is determined by information reported by target
plugins, and is dependent on the user's environment and configuration.

id: The UUID of the asset in Tenable Vulnerability Management.

Installed Software: A list of Common Platform Enumeration (CPE) values that represent software
applications a scan identified as present on an asset. This field supports the CPE 2.2 format. For
more information, see the Component Syntax section of the CPE Specification documentation,
Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan using
Tenable Nessus Plugin ID 45590 has evaluated the asset.

Note: If no scan detects an application within 30 days of the scan that originally detected the
application, Tenable Vulnerability Management considers the detection of that application
expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management
removes the expired application from the Installed Software attribute. This activity is logged as a
remove type of attribute change in the asset activity log.

Interfaces: The network interfaces that scans identified on the asset.

IPv4: An IPv4 address for the asset.

IPv6: An IPv6 address for the asset.

Last Authenticated: The date and time of the last authenticated scan run against the asset. An
authenticated scan that only uses discovery plugins updates the Last Authenticated Scan field, but
not the Last Licensed Scan field.

Last Licensed Scan Date: The date and time of the last scan in which the asset was considered
"licensed" and counted towards Tenable's license limit. A licensed scan uses non-discovery plugins
and can identify vulnerabilities. Unauthenticated scans that run non-discovery plugins update the
Last Licensed Scan field, but not the Last Authenticated Scan field. For more information on
licensed assets, see Tenable Vulnerability Management Licenses.

Last Scan Target: The FQDN, IPv4 address, or IPv6 address that the scanner last used to target
the asset.

Last Scan Time: The time and date of the last scan run against the asset.

Last Seen: The date and time at which the asset was last observed as part of a scan.

MAC Address: A MAC address that a scan has associated with the asset record.

Manufacturer TPM ID: The manufacturer's unique identifiers of the Trusted Platform Module (TPM)
associated with the asset.

McAfee Epo Agent Guid: The unique identifier of the McAfee ePO agent that identified the asset.
For more information, see the McAfee documentation.

McAfee EpoGuid: The unique identifier of the asset in McAfee ePolicy Orchestrator (ePO). For more
information, see the McAfee documentation.

Mitigations: (Requires Tenable Lumin license) The mitigations that scans have identified as
present on the asset. Tenable Lumin defines mitigations as endpoint protection agents, which
include antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and
Response (EDR) solutions.

NetBIOS Name: The NetBIOS name for the asset.

Network Id: The ID of the network object associated with scanners that identified the asset. The
default network ID is 00000000-0000-0000-0000-000000000000. For more information about
networks, see Networks.

Operating System: The operating system that a scan identified as installed on the asset.

Qualys Asset ID: The Asset ID of the asset in Qualys. For more information, see the Qualys
documentation. This field contains a value only for assets associated with Qualys vulnerabilities
you import via the Tenable Vulnerability Management API. For more information, see the Tenable
Developer Portal.

Qualys Host ID: The Host ID of the asset in Qualys. For more information, see the Qualys
documentation. This field contains a value only for assets associated with Qualys vulnerabilities
you import via the Tenable Vulnerability Management API. For more information, see the Tenable
Developer Portal.

Scan Frequency: The number of times the asset was scanned within the past 90 days.

ServiceNow Sys ID: Where applicable, the unique record identifier of the asset in ServiceNow. For
more information, see the ServiceNow documentation.

Sources: The source of the scan that identified the asset. Possible values are:

• Agent (Tenable Nessus Agent)

• Nessus (Tenable Nessus scan)

• PVS/NNM (Tenable Nessus Network Monitor)

• WAS (Tenable Web App Scanning)

• AWS Connector

• Azure Connector

• GCP Connector

• Qualys Connector

SSH Fingerprint: The SSH key fingerprints that scans have associated with the asset record.

Symantec EP Hardware Key: The hardware keys for the asset in Symantec Endpoint Protection.

System Type: The system types as reported by Plugin ID 54615. For more information, see Tenable
Plugins.

Tags: Category tags assigned to the asset in Tenable Vulnerability Management. For more
information, see Tags.

Tenable UUID: The UUID of the agent present on the asset. This attribute is empty if no agent is
present on the asset.

Terminated At: The time and date when a user terminated the virtual machine instance of the asset
(for example, in AWS).

Terminated By: The user who terminated the virtual machine instance of the asset.

Updated At: The time and date when the asset record was last updated.
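As an added example (not Tenable's own code), the following Python script reads a CSV asset export carrying the fields described above and sorts assets into the coverage buckets the Asset View widgets describe: discovered only (no Last Licensed Scan Date), assessed but without recent credentialed results (Last Authenticated missing or older than 90 days), covered, and deleted; it also splits Installed Software CPE 2.2 URIs into their components. The column header strings, the ISO 8601 timestamp format, and comma-separated multi-value cells are assumptions, and every row is constructed sample data.

```python
"""Triage a Tenable Vulnerability Management CSV asset export (constructed sample).

Added example, not Tenable's own code. Assumptions: column headers equal the field
names in the CSV Asset Export Fields table, timestamps are ISO 8601 in UTC, and
multi-valued cells (Sources, Installed Software) are comma-separated in one quoted cell.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: hostnames, addresses and timestamps are made up.
SAMPLE_EXPORT = """Hostname,IPv4,Sources,Has Agent,First Seen,Last Seen,Last Authenticated,Last Licensed Scan Date,Installed Software,Deleted At
web01,10.0.1.10,Nessus,false,2024-01-03T08:00:00Z,2024-06-10T10:00:00Z,2024-05-01T10:00:00Z,2024-06-10T10:00:00Z,"cpe:/a:apache:http_server:2.4.57,cpe:/o:canonical:ubuntu_linux:22.04",
laptop-17,10.0.5.23,Agent,true,2024-02-11T09:30:00Z,2024-06-18T09:30:00Z,2024-06-18T09:30:00Z,2024-06-18T09:30:00Z,cpe:/a:microsoft:office:2016,
printer-3,10.0.9.4,PVS/NNM,false,2024-06-12T14:05:00Z,2024-06-19T14:05:00Z,,,,
oldsrv,10.0.2.7,Nessus,false,2023-11-20T00:00:00Z,2024-06-01T00:00:00Z,2024-01-15T00:00:00Z,2024-06-01T00:00:00Z,,
retired-db,10.0.3.9,Nessus,false,2023-09-01T00:00:00Z,2024-05-30T00:00:00Z,2024-05-30T00:00:00Z,2024-05-30T00:00:00Z,cpe:/a:postgresql:postgresql:14.2,2024-06-05T12:00:00Z
"""

# Reference time for the sample run (the guide's revision date); the 90-day window
# matches the lookback used by the Asset View statistics widgets.
REPORT_TIME = datetime(2024, 6, 20, tzinfo=timezone.utc)
STALE_DAYS = 90


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; an empty cell means the event never happened."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_list(value):
    """Split a multi-valued cell (assumed comma-separated) into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_cpe22(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product[:version:update:edition:language])."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    fields = cpe[len("cpe:/"):].split(":")
    names = ["part", "vendor", "product", "version", "update", "edition", "language"]
    return {name: (fields[i] if i < len(fields) else "") for i, name in enumerate(names)}


def load_assets(text):
    """Read the export into plain dicts, converting timestamps, booleans and lists."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        assets.append({
            "hostname": row["Hostname"],
            "sources": parse_list(row["Sources"]),
            "has_agent": row["Has Agent"].strip().lower() == "true",
            "last_seen": parse_ts(row["Last Seen"]),
            "last_auth": parse_ts(row["Last Authenticated"]),
            "last_licensed": parse_ts(row["Last Licensed Scan Date"]),
            "software": [parse_cpe22(c) for c in parse_list(row["Installed Software"])],
            "deleted_at": parse_ts(row["Deleted At"]),
        })
    return assets


def triage(assets, now, stale_days=STALE_DAYS):
    """Bucket assets by assessment coverage, mirroring the Asset Coverage widget."""
    cutoff = now - timedelta(days=stale_days)
    report = {"discovered_only": [], "stale_credentialed": [], "covered": [], "deleted": []}
    for asset in assets:
        if asset["deleted_at"] is not None:
            # Deleted records linger in the export until they age out of the license count.
            report["deleted"].append(asset["hostname"])
        elif asset["last_licensed"] is None:
            # Only discovery plugins (or NNM) have seen it: an unmanaged, unassessed asset.
            report["discovered_only"].append(asset["hostname"])
        elif asset["last_auth"] is None or asset["last_auth"] < cutoff:
            # Assessed, but credentialed results are missing or outside the window.
            report["stale_credentialed"].append(asset["hostname"])
        else:
            report["covered"].append(asset["hostname"])
    return report


def products_by_asset(assets):
    """Map hostname to the sorted vendor:product pairs found in Installed Software."""
    return {
        asset["hostname"]: sorted(f"{s['vendor']}:{s['product']}" for s in asset["software"])
        for asset in assets
    }


if __name__ == "__main__":
    inventory = load_assets(SAMPLE_EXPORT)
    for bucket, hosts in triage(inventory, REPORT_TIME).items():
        print(f"{bucket:18s} {', '.join(hosts) or '-'}")
```

Point `load_assets` at the text of a real export to reproduce the same buckets for your own inventory; the stale window and reference time are the only knobs.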

Download an Asset's Inventory Debug Data (Assets View section)

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags

Required Access Group Permissions: Can View

When you open a support case related to a Tenable Vulnerability Management-managed asset, you
can download the asset's inventory data (a .zip file containing the asset's scan data) and attach it to
the support ticket.

You can download asset data in either of the following locations:

• Assets View > Assets

• Assets View > Assets > Asset Details > Actions drop-down menu

Note: The scan data included in the .zip file is only intended for support cases and may change without
notice.

Note: The Download Inventory Debug Data action is only available for assets that Tenable Vulnerability
Management scanned in the last 90 days and have one of the following source types: SSM, NESSUS_AGENT,
or AZURE_FA.

To download asset scan data from the Assets View > Assets page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears. By default, the assets dashboard and assets table are visible.

3. (Optional) Refine the asset table data. For more information, see Tenable Vulnerability
Management Workbench Tables.

4. In the assets table, in the Actions column, click the button in the row for the asset whose
scan data you want to download.

The action buttons appear in the row.

5. To download the asset data, click Download Inventory Debug Data.

The asset's scan data downloads as a .zip file.

Export Vulnerability Data for an Asset

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

To export vulnerability data for an asset:

1. View the asset details.

2. In the Asset Details page, click the Vulnerabilities tab.

3. (Optional) Refine the vulnerabilities table data. For more information, see Tenable Vulnerability
Management Tables.

4. Do one of the following:

• Select an individual vulnerability to export:

a. In the vulnerabilities table, in the row for the vulnerability you want to export, click
the button.

b. Click Export.

The Export plane appears.

• Select multiple vulnerabilities to export:

a. In the vulnerabilities table, click the check box next to any vulnerability you want to
export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

The Export plane appears.

5. In the Export plane, click the export format you want to use:

PDF - Current: Adobe PDF file.

PDF - Executive Summary: Adobe PDF file.

HTML - Current: Web-based HTML file.

HTML - Executive Summary: Web-based HTML file.

Tenable Nessus: Tenable Nessus file. Tenable Nessus exports are the only file format that you can
import into Tenable Vulnerability Management.

CSV: Comma Separated Values text file.

Note: Tenable Vulnerability Management supports tag filters in the CSV export format only.

6. Click Export.

Tenable Vulnerability Management begins processing the report. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
report.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

Delete Assets

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can delete assets from the following locations:

• the Assets page

• the Asset Detail page

• the Vulnerability by Asset page

• the Explore Overview section

When you delete an asset, Tenable Vulnerability Management deletes the asset from the default
view of the assets table, deletes vulnerability data associated with the asset, and stops matching
scan results to the asset.

Note: You can only delete 1,000 assets at a time.

If the asset is an Explore asset, then Tenable Vulnerability Management removes the asset from
your asset count within 24 hours. All other assets remain on your license count until 90 days after
Tenable Vulnerability Management last sees the asset in a scan.

Note: If an asset is part of a network with an Asset Age Out setting, this setting overrides these default
settings. For more information, see View or Edit a Network.

To delete a single asset:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. Do one of the following:

Assets page:

a. View the assets table.

b. In the upper-left corner, in the drop-down menu,

c. In the assets table, roll over the asset you want to delete.

The action buttons appear in the row.

d. In the row, click the button.

A menu appears.

e. Click Delete.

A confirmation window appears.

Asset Details page:

a. View the asset details.

b. In the upper-right corner, click the Actions button.

The actions menu appears.

c. In the actions menu, click Delete.

A confirmation window appears.

Vulnerabilities by Assets:

a. View vulnerabilities by asset.

b. In the assets table, roll over the asset you want to delete.

The action buttons appear in the row.

c. In the row, click Delete.

A confirmation window appears.

Explore Overview: See Delete Assets in the Explore section for more information.

3. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the asset.

To delete multiple assets:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. Do one of the following:

• View your assets.

• View your vulnerabilities by asset.

3. In the assets table, click the check box next to each asset you want to delete.

The action bar appears at the bottom of the page.

4. In the action bar, click the button.

A menu appears.

5. Click Delete.

A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the selected assets.

To delete all assets:


1. View your assets.

2. In the asset table header row, select the check box to select all assets on the current page.

The action bar appears at the top of the table.

3. In the action bar, click Delete.

A confirmation window appears.

4. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes all assets.

View Deleted Assets

The following feature is only available in Tenable FedRAMP Moderate environments.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View

You can view information about deleted assets until they age out of your licensed assets count
after 14 days.

When you delete an asset, you cannot view the asset in the default view of the asset table.
However, you can apply a filter to the asset table to view deleted assets.

To view deleted assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. Click Filters.

4. Create a filter with the following settings:

l Category: Is Licensed (VM)

l Operator: is equal to

l Value: true

5. Click Apply.

The assets table updates to show all assets with active licenses. Deleted assets appear
grayed out.

Asset Filters

The following feature is only available in Tenable FedRAMP Moderate environments.

Note: This topic describes filters available for assets within the legacy workbench Assets section. To view
filters available for assets in the Explore section, see Asset Filters.

You can use asset attributes to filter data in asset views and dashboards. For more information,
see:

l Tenable-provided Filters

l Guidelines for Tenable-provided Filters

l Tag Filters

In Tenable Vulnerability Management, you can use asset filters in tables and dashboards, and to
create tag rules, as follows:

Filter Type | Created By | Filter Tables | Filter Dashboards | Create Tag Rules
Tenable-provided filters | Tenable | Yes | Yes | Yes
Tag filters | users | Yes | No | Yes

Tenable-provided Filters
Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore >
Findings or Assets views (including Group By tables) to 18.

Attribute [Supported in Tag Rules?]
Description

ACR Score [No]
(Requires Tenable Lumin license) The asset's ACR.

ACR Severity [No]
(Requires Tenable Lumin license) The ACR category of the ACR calculated for the asset.

AES [No]
(Requires Tenable Lumin license) The Asset Exposure Score (AES) calculated for the asset.

AES Severity [No]
(Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

Asset Assessed [Yes]
Specifies whether the asset has been assessed for vulnerabilities. For a list of conditions that cause
an asset to be assessed, see How Assets are Counted. Once assessed, the asset is always categorized
as assessed, even if it ages out of the license count.

Asset ID [No]
The asset's UUID.

AWS Availability Zone [Yes]
The name of the Availability Zone where AWS hosts the virtual machine instance. For more
information, see Regions and Availability Zones in the AWS documentation.

AWS EC2 AMI ID [Yes]
The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For
more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance ID [Yes]
The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon
Elastic Compute Cloud Documentation.

AWS EC2 Name [Yes]
The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code [Yes]
The product code associated with the AMI used to launch the virtual machine instance in Amazon
EC2.

AWS Instance State [Yes]
The state of the virtual machine instance in AWS at the time of the scan. For possible values, see
API Instance State in the Amazon Elastic Compute Cloud Documentation.

AWS Instance Type [Yes]
The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the
specifications of the instance (for example, how much RAM it has). For a list of possible values, see
Amazon EC2 Instance Types in the AWS documentation.

AWS Owner [Yes]
A UUID for the Amazon AWS account that created the virtual machine instance. For more
information, see AWS Account Identifiers in the AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other asset types, this attribute
is empty.

AWS Region [Yes]
The region where AWS hosts the virtual machine instance, for example, us-east-1. For more
information, see Regions and Availability Zones in the AWS documentation.

AWS Security Group [Yes]
The AWS security group (SG) associated with the Amazon EC2 instance.

AWS Subnet ID [Yes]
The unique identifier of the AWS subnet where the virtual machine instance was running at the time
of the scan.

AWS VPC ID [Yes]
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more
information, see the Amazon Virtual Private Cloud User Guide.

Azure Location [not specified]
The location of the resource in the Azure Resource Manager. For more information, see the Azure
Resource Manager Documentation.

Azure Resource Group [not specified]
The name of the resource group in the Azure Resource Manager. For more information, see the
Azure Resource Manager Documentation.

Azure Resource ID [Yes]
The unique identifier of the resource in the Azure Resource Manager. For more information, see the
Azure Resource Manager Documentation.

Azure Resource Type [not specified]
The resource type of the resource in the Azure Resource Manager. For more information, see the
Azure Resource Manager Documentation.

Azure Subscription ID [not specified]
The unique subscription identifier of the resource in the Azure Resource Manager. For more
information, see the Azure Resource Manager Documentation.

Azure VM ID [Yes]
The unique identifier of the Microsoft Azure virtual machine instance. For more information, see
Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

Belongs to Access Group [not specified]
Specifies whether or not the asset belongs to an Access Group.

BigFix Asset ID [No]
The unique identifiers of the asset in IBM BigFix. For more information, see the IBM BigFix
documentation.

Deleted Date [not specified]
The time and date when a user deleted the asset record. When a user deletes an asset record,
Tenable Vulnerability Management retains the record until the asset ages out of the license count.

Device Type [No]
(Requires Tenable Lumin license) The device_type key driver value that influenced the asset's
calculated ACR score.

DNS [Yes]
The fully-qualified domain name of the host that the vulnerability was detected on.

First Seen [No]
The date and time when a scan first identified the asset.

Google Cloud Instance ID [Yes]
The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Google Cloud Project ID [Yes]
The customized name of the project to which the virtual machine instance belongs in GCP. For more
information, see Creating and Managing Projects in the GCP documentation.

Google Cloud Zone [Yes]
The zone where the virtual machine instance runs in GCP. For more information, see Regions and
Zones in the GCP documentation.

Has Plugin Results [Yes]
Specifies whether the asset has plugin results associated with it.

Hostname/IP Address [No]
Use this filter to limit assets by the following asset identifiers:

l hostname

l FQDN

l IPv4 address

This filter supports multiple asset identifiers as a comma-separated list (for example,
hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual
addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example,
192.168.0.1-192.168.0.255).

Note: You cannot filter assets by IPv6 address.

Note: Ensure the search query does not end in a period and does not include any hyphens.

Installed Software [Yes]
A list of Common Platform Enumeration (CPE) values that represent software applications a scan
identified as present on an asset. This field supports the CPE 2.2 format. For more information, see
the Component Syntax section of the CPE Specification documentation, Version 2.2. For assets
identified in Tenable scans, this field contains data only if a scan using Tenable Nessus Plugin ID
45590 has evaluated the asset.

Note: If no scan detects an application within 30 days of the scan that originally detected the
application, Tenable Vulnerability Management considers the detection of that application expired.
As a result, the next time a scan evaluates the asset, Tenable Vulnerability Management removes the
expired application from the Installed Software attribute. This activity is logged as a remove type of
attribute change in the asset activity log.

IPv4 Address [Yes]
An IPv4 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list (for example,
hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual
addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example,
192.168.0.1-192.168.0.255).

Note: Tenable Vulnerability Management does not support a CIDR mask of /0 for this parameter,
because that value would match all IP addresses. If you submit a /0 value for this parameter, Tenable
Vulnerability Management returns a 400 Bad Request error message.

Note: Ensure the search query does not end in a period.

IPv6 Address [Yes]
An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list. The IPv6 address must be
an exact match (for example, 0:0:0:0:0:ffff:c0a8:0).

Note: Ensure the search query does not end in a period.

Is Deleted [No]
Specifies whether the asset has been deleted.

Is Licensed (Tenable Vulnerability Management) [No]
Specifies whether the asset is included in the asset count for the Tenable Vulnerability Management
instance.

Is Licensed (Tenable Web App Scanning) [No]
Specifies whether the asset is included in the asset count for the Tenable Web App Scanning
instance.

An asset is licensed if it meets the following criteria:

l The scan results for the asset do not include discovery plugin results.

l The scan results for the asset do not include Tenable Web App Scanning sources (e.g., results
from Tenable Nessus scanners, Agents, Tenable Nessus Network Monitor).

l The asset has not been terminated.

Is Terminated [No]
Specifies whether the virtual instance of the asset has been terminated.

Last Assessed [No]
A Tenable-provided time period during which an assessment scan ran against the asset. Supported
values are:

l 7 Days Ago

l 14 Days Ago

l 30 Days Ago

l 90 Days Ago

Last Assessed Date [No]
The start date of a user-defined period during which an assessment scan ran against the asset. The
implicit end date is the current date.

Last Authenticated Scan [No]
The date and time of the last authenticated scan run against the asset. An authenticated scan that
only uses discovery plugins updates the Last Authenticated Scan field, but not the Last Licensed
Scan field.

Note: This filter supports the following operators:

l Earlier than — Returns any asset that meets either of the following conditions:

o Tenable Vulnerability Management has never run a credentialed scan for the asset.

o The most recent credentialed scan of the asset ran earlier than 12 AM on the selected date.

For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must
have started to run before 12 AM on May 16. In other words, the filter returns assets from May 15
or earlier.

l Earlier than (strict) — Returns the same assets as Earlier than, except that it excludes assets for
which Tenable Vulnerability Management has never run a credentialed scan.

l Later than — Returns assets whose most recent credentialed scan ran later than 12 AM on the
selected date.

For example, if, on June 15, you select the date range 30 Days Ago, the credentialed scan must
have started after 12 AM on May 16. In other words, the filter returns assets from May 16 or later.

Last Seen [No]
The date and time at which the asset was last observed as part of a scan.

MAC Address [Yes]
A MAC address that a scan has associated with the asset record.

Mitigation [No]
An umbrella filter that, when selected, filters on the following criteria:

l Mitigation - Detected: Specifies whether a scan has identified a mitigation on the asset.

l Mitigation - Last Detected: The date range within which a scan identified a mitigation on the
asset. Possible values are earlier than or later than:

o 7 Days Ago

o 14 Days Ago

o 30 Days Ago

o 90 Days Ago

l Mitigation - Product Name: The name of the mitigation software identified on the asset. Tenable
Lumin defines mitigations as security agent software running on endpoint assets, which include
antivirus software, Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response
(EDR) solutions.

l Mitigation - Vendor Name: The name of the vendor for the mitigation that a scan identified on
the asset.

l Mitigation - Version: The version of the mitigation that a scan identified on the asset.

NetBIOS Name [Yes]
The NetBIOS name for the asset.

Network Name [Yes]
The name of the network object associated with scanners that identified the asset. The default name
is Default. For more information, see Networks.

Operating System [Yes]
The operating system that a scan identified as installed on the asset.

Qualys Asset ID [Yes]
The Asset ID of the asset in Qualys. For more information, see the Qualys documentation.

This field contains a value only for assets associated with Qualys vulnerabilities you import via the
Tenable Vulnerability Management API. For more information, see the Tenable Developer Portal.

Qualys Host ID [Yes]
The Host ID of the asset in Qualys. For more information, see the Qualys documentation.

This field contains a value only for assets associated with Qualys vulnerabilities you import via the
Tenable Vulnerability Management API. For more information, see the Tenable Developer Portal.

Scan Frequency [No]
The number of times the asset was scanned within the past 90 days.

Scan ID [not specified]
The unique scan identifier associated with the asset.

ServiceNow Sys ID [Yes]
Where applicable, the unique record identifier of the asset in ServiceNow. For more information, see
the ServiceNow documentation.

Source [Yes]
The source of the scan that identified the asset. Possible values are:

l Agent (Tenable Nessus Agent)

l Nessus (Tenable Nessus scan)

l PVS/NNM (Tenable Nessus Network Monitor)

l WAS (Tenable Web App Scanning)

l AWS Connector

l Azure Connector

l GCP Connector

l Qualys Connector

Tag (Category: Value) [No]
A unique filter that searches tag (category: value) pairs. For more information, see tags.

Target Group [No]
The target group to which the asset belongs. This attribute is empty if the asset does not belong to
a target group. For more information, see Target Groups.

Tenable UUID [Yes]
The UUID of the agent present on the asset. This attribute is empty if no agent is present on the
asset.

Terminated Date [No]
The date on which the virtual instance of the asset was terminated.
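As an added illustration (not code from this guide or from Tenable), the following Python reads a Hostname/IP Address or IPv4 Address filter value the way the table above describes it: a comma-separated list of hostnames, FQDNs, single IPv4 addresses, CIDR blocks and ranges, with the notes enforced (no trailing period, no IPv6, no /0 mask) and then applied to a few asset records. The sample assets, and the reading of the "no hyphens" note as allowing a hyphen only as the range separator, are assumptions of this example.

```python
"""Parse and evaluate a Hostname/IP Address filter value (constructed example, not Tenable code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any

# Labels of a hostname or FQDN: letters, digits and underscore. The guide says the query must not
# contain hyphens, so a hyphen is accepted only as the separator of an IPv4 range (assumption).
LABEL = re.compile(r"^[A-Za-z0-9_]+$")


class FilterSyntaxError(ValueError):
    """Raised for values that the guide says the filter does not accept."""


@dataclass(frozen=True)
class Term:
    kind: str   # "hostname", "fqdn", "ipv4", "cidr" or "range"
    value: Any  # str, IPv4Address, IPv4Network or (IPv4Address, IPv4Address)


def _classify(piece: str) -> Term:
    """Classify one comma-separated element of the filter value."""
    if "/" in piece:  # CIDR notation, e.g. 192.168.0.0/24
        try:
            net = ipaddress.ip_network(piece, strict=False)
        except ValueError:
            raise FilterSyntaxError(f"invalid CIDR block: {piece!r}") from None
        if net.version != 4:
            raise FilterSyntaxError("this filter does not support IPv6 addresses")
        if net.prefixlen == 0:
            # A /0 mask would match every address; the API answers 400 Bad Request.
            raise FilterSyntaxError("a CIDR mask of /0 is not supported")
        return Term("cidr", net)
    if "-" in piece:  # range, e.g. 192.168.0.1-192.168.0.255
        lo_s, _, hi_s = piece.partition("-")
        try:
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        except ValueError:
            raise FilterSyntaxError(f"hyphen allowed only in an IPv4 range: {piece!r}") from None
        if lo > hi:
            raise FilterSyntaxError(f"range start is after range end: {piece!r}")
        return Term("range", (lo, hi))
    try:  # single address
        addr = ipaddress.ip_address(piece)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version != 4:
            raise FilterSyntaxError("this filter does not support IPv6 addresses")
        return Term("ipv4", addr)
    labels = piece.split(".")  # hostname or FQDN
    if not all(LABEL.match(label) for label in labels):
        raise FilterSyntaxError(f"invalid asset identifier: {piece!r}")
    return Term("fqdn" if len(labels) > 1 else "hostname", piece.lower())


def parse_filter_value(raw: str) -> list[Term]:
    """Split a filter value on commas into typed terms, rejecting a trailing period."""
    text = raw.strip()
    if text.endswith("."):
        raise FilterSyntaxError("the search query must not end in a period")
    return [_classify(p.strip()) for p in text.split(",") if p.strip()]


def matches(terms: list[Term], asset: dict) -> bool:
    """True if any term matches the asset's hostname, FQDN or one of its IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(a) for a in asset.get("ipv4", [])]
    for t in terms:
        if t.kind == "hostname" and asset.get("hostname", "").lower() == t.value:
            return True
        if t.kind == "fqdn" and asset.get("fqdn", "").lower() == t.value:
            return True
        if t.kind == "ipv4" and t.value in addrs:
            return True
        if t.kind == "cidr" and any(a in t.value for a in addrs):
            return True
        if t.kind == "range" and any(t.value[0] <= a <= t.value[1] for a in addrs):
            return True
    return False


# Constructed asset records standing in for rows of the assets table.
SAMPLE_ASSETS = [
    {"hostname": "hostname_example", "fqdn": "hostname_example.example.com", "ipv4": ["10.1.2.3"]},
    {"hostname": "web01", "fqdn": "web01.example.com", "ipv4": ["192.168.0.25"]},
    {"hostname": "db01", "fqdn": "db01.example.com", "ipv4": ["192.168.1.9"]},
]


def filter_assets(raw: str, assets: list[dict] = SAMPLE_ASSETS) -> list[str]:
    """Hostnames of the sample assets that the filter value selects."""
    terms = parse_filter_value(raw)
    return [a["hostname"] for a in assets if matches(terms, a)]


if __name__ == "__main__":
    print(filter_assets("hostname_example, example.com, 192.168.0.0"))  # ['hostname_example']
    print(filter_assets("192.168.0.0/24"))                               # ['web01']
    print(filter_assets("192.168.0.1-192.168.1.255"))                    # ['web01', 'db01']
```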

Guidelines for Tenable-provided Filters

Tenable recommends using human-readable strings when using the contains or does not contain
operator for the following filters:

l ACR Drivers

l DNS (FQDN)

l Hostname/IP Address

l Installed Software

l NetBIOS Name

l Operating System

Note: When using the contains or does not contain operators, do not use periods in your search values.
Also, the search values are case-sensitive.

For example, when filtering on Operating System, use "Windows" instead of "Win." Tenable also
recommends filtering on characters at the beginning of search strings, instead of characters in the
middle or end of search strings. For example, when trying to match on an asset with the hostname
"localhost", filtering on "local," instead of "host" or "h," returns better results.

Tag Filters
In Tenable Vulnerability Management, tags allow you to add descriptive metadata to assets that
helps you group assets by business context. For more information, see Tags.

On the Assets page, you can filter vulnerabilities by tags applied to the related assets.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list,
after the Tenable-provided filters.

If you want to export vulnerabilities for assets filtered by tag, use the CSV export format. Tenable
Vulnerability Management does not support tag filters in other export formats.

Note: If you exceed the current asset query limitation of 25,000, a message appears in your interface.
Refine the query to a tag that returns fewer than 25,000 assets.

You can also use tag filters to create tag rules.
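The Last Authenticated Scan operators listed under Tenable-provided Filters above, worked through in Python as an added example (not code from this guide or from Tenable): Earlier than includes never-scanned assets, Earlier than (strict) excludes them, and Later than applies the 12 AM boundary, here with the guide's June 15 / 30 Days Ago case. The asset records, the rule that any non-discovery scan updates Last Licensed Scan, and counting exactly midnight on the boundary date as "May 16 or later" are assumptions of this example.

```python
"""Last Authenticated Scan filter semantics (constructed example, not Tenable code)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Callable, Optional


@dataclass
class Asset:
    name: str
    last_authenticated_scan: Optional[datetime] = None
    last_licensed_scan: Optional[datetime] = None


def record_scan(asset: Asset, started: datetime, credentialed: bool, discovery_only: bool) -> None:
    """Apply a completed scan to the asset's timestamps.

    Per the guide, an authenticated scan that only uses discovery plugins updates Last
    Authenticated Scan but not Last Licensed Scan. That any non-discovery scan updates
    Last Licensed Scan is an assumption of this example.
    """
    if credentialed:
        asset.last_authenticated_scan = started
    if not discovery_only:
        asset.last_licensed_scan = started


def boundary(today: date, days_ago: int) -> datetime:
    """12 AM on the selected relative date: 30 Days Ago on June 15 is May 16 at 00:00."""
    return datetime.combine(today - timedelta(days=days_ago), time.min)


# Operator name -> predicate over (last credentialed scan time or None, boundary).
# Exactly midnight on the boundary date is counted as "May 16 or later" (assumption).
OPERATORS: dict[str, Callable[[Optional[datetime], datetime], bool]] = {
    "Earlier than": lambda ts, b: ts is None or ts < b,
    "Earlier than (strict)": lambda ts, b: ts is not None and ts < b,
    "Later than": lambda ts, b: ts is not None and ts >= b,
}


def filter_assets(assets: list[Asset], operator: str, today: date, days_ago: int) -> list[str]:
    """Names of the assets the operator selects for the given relative date."""
    b = boundary(today, days_ago)
    predicate = OPERATORS[operator]
    return [a.name for a in assets if predicate(a.last_authenticated_scan, b)]


def build_sample_assets() -> list[Asset]:
    """Constructed assets placed around the guide's June 15 / 30 Days Ago example."""
    never = Asset("never-scanned")
    stale = Asset("stale")
    record_scan(stale, datetime(2024, 5, 15, 23, 30), credentialed=True, discovery_only=False)
    fresh = Asset("on-boundary")
    record_scan(fresh, datetime(2024, 5, 16, 0, 0), credentialed=True, discovery_only=False)
    recent = Asset("recent")
    record_scan(recent, datetime(2024, 6, 10, 9, 0), credentialed=True, discovery_only=False)
    discovery = Asset("discovery-only")
    record_scan(discovery, datetime(2024, 6, 1, 8, 0), credentialed=True, discovery_only=True)
    uncred = Asset("uncredentialed")
    record_scan(uncred, datetime(2024, 6, 12, 7, 0), credentialed=False, discovery_only=False)
    return [never, stale, fresh, recent, discovery, uncred]


if __name__ == "__main__":
    sample = build_sample_assets()
    for op in OPERATORS:
        print(op, filter_assets(sample, op, date(2024, 6, 15), 30))
```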

Act
The Act section allows you to view and manage:

l Reports within your container.

l Remediation efforts.

To access the Act menu and options:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, do one of the following:

l Click Reports.

The Reports page appears. For more information, see Reports.

Tip: Alternatively, click Act to navigate directly to the Reports page.

l Click Remediation.

The Remediation page appears. For more information, see Remediation.

Reports
Reports consist of two parts: the report, and the report results. On the Reports page, you can
create a report from a template, run existing reports, and view the results of those reports.

Note: Reports show data from the last 30 days. Tenable recommends scanning at least monthly to
maintain security hygiene and to keep report data up-to-date.

The Reports page includes the following folders:

l The My Report Templates folder is the default folder that appears when you access the
Reports page. Reports that you create appear in this folder.

l The All Report Templates folder shows all reports that you have permission to interact with.
All reports are user-specific.

l The Report Results folder shows all the results from reports that you have permissions to
view. Results are displayed in chronological order based on when the reports were run. All
results from reports under Report Results are user-specific.

Using Tenable Vulnerability Management, you can generate thematic, informative reports to help
you find information that you might otherwise overlook. For example, the Credentialed Scan
Failures report delivers a straightforward, organized list of failed credentialed scans that analysts
can use to address scanning issues quickly, making it simpler to troubleshoot problems with
credentialed scans. For a complete list of report templates included with Tenable Vulnerability
Management, see Tenable Vulnerability Management Report Templates.

Note: PCI Quarterly External scan data is excluded from dashboards, reports, and workbenches
intentionally. This is due to the scan's paranoid nature, which may lead to false positives that would
otherwise not be detected. For more information, see Tenable PCI ASV Scans.

To view the Reports page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

Report Templates

Tenable Vulnerability Management provides a selection of report templates and customizable report
formats. You can configure a Tenable-provided report template or you can create a fully customized
report from one of the available formats.

For a complete index of Tenable-provided report templates, see Tenable Vulnerability Management
Report Templates.

Tip: For more information on the specific data included in each individual report, see View Report Details.

Note: The Cyber Insurance Report includes the following caveats:

l The report cannot be edited in any way. This ensures underwriters can be confident their metrics
are 100% accurate.

l This report only includes Explore data from the previous 180 days.

l This report is only available for customers with Explore reports enabled on their container.

l The report name does not change upon subsequent generations of the report. For example, the
date/time stamp in the report name does not update the next time you run the report; however,
the report data itself includes the date on which the report was most recently run.

l Severities are reported using CVSSv3 base scores only.

For more information, see the Cyber Insurance Report blog post.

Report Settings
When you create a new report or modify an existing report, the following options are available:

General

Name: This text box shows the name of the report template you selected. You can edit this text box
to rename the report.

Description: This text box shows a default description based on the report template you selected.
You can edit this text box to modify the description of the report.

Update Logo: Click Update Logo to add a new logo to your report or select from a list of recently
uploaded logos. Select the Set as default for all reports check box to set a logo as the default.

Executive Summary

Click Widget Library to select from a list of Tenable-provided widgets to include in the results of the
report.

Additional Chapters

Click Chapter Library to select from a list of paragraphs and components to include in the results of
the report.

Create a Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To create a new report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. In the upper-right corner, click Create New Report.

The Report Templates page appears, with reports organized by category.

Center for Internet Security (CIS)
CIS Benchmarks are best practices for the secure configuration of a target system. Be sure to use the
proper audit file for scans. For example: CIS PostgreSQL 12 v1.1.0 Audit Details, CIS Debian 8 v2.0.2
Audit Details, CIS Amazon Web Services Three-tier Web Architecture v1.0.0 Audit Details, and so on.

Defense Information Systems Agency (DISA)
The Defense Information Systems Agency (DISA) is a United States Department of Defense combat
support agency composed of military, federal civilians, and contractors. A Security Technical
Implementation Guide (STIG) is a configuration standard that consists of cybersecurity requirements
for a specific product. Be sure to use the proper audit file for scans.

Compliance Framework
Tenable allows you to audit configuration compliance with a variety of standards including GDPR,
ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. These reports provide summary and detailed
information for all the supported frameworks. Be sure to use the proper audit file for scans.

Host Audit Plugin Type
Organizations such as CIS, DISA, and some vendors create golden configuration standards, known as
benchmarks. Tenable creates audit files that perform a detailed configuration review. Scanning the
assets with the Host Audit Compliance Check plugins allows you to do detailed configuration checks.
These reports provide summary and detailed information for all the Host Audit Compliance Check
plugins.

Tenable Best Practice Audits
Allows you to implement best practice audits for new technologies. Make sure that the proper audit
file is used for scans.

Vendor Based Audits
Allows you to implement vendor-specific guidance for new technologies. Vendors include: Vendor,
IBM, Juniper, Microsoft, NetApp, VMware and others. Be sure to use the proper audit file for scans.

Vulnerability Management
Tenable Vulnerability Management provides the most comprehensive vulnerability coverage with
real-time continuous assessment of the organization. These built-in reports allow organizations to
communicate risk based on prioritization, threat intelligence and real-time insights to proactively
prioritize remediation actions. These reports provide summary and detailed information on data
collected using Tenable Vulnerability Management applications such as Tenable Nessus.

Web App Scanning
Web application security provides the ability to detect and mitigate threats and vulnerabilities that
may compromise the confidentiality, integrity, and availability of web applications. These reports
leverage data from Tenable Web App Scanning, a comprehensive and automated vulnerability
scanning tool for modern web applications.

4. In the list that appears, select a template.

5. Click Generate Report.

The Report Details page appears.

6. On the Report Details page, do the following:

l In the Name box, type a name for the report.

l (Optional) In the Description box, type a description.

l In the Executive Summary section, select from the available widgets or click Add New
Widget and select a widget from the Widget Library.

l In the Additional Chapters section, select from the available chapters or click Add New
Chapter to select one from the Chapter Library.

l (Optional) Add a filter to the reports. For more information, see Filter Reports.

l (Optional) Update the report logo. For more information, see Report Settings.

7. Click Save.

Tenable Vulnerability Management creates a new report and it appears on the My Report
Templates page.

Tip: Once created, you can generate an initial report and download a copy. For more information, see
Generate Reports.

Generate a Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Important: Disabling a user account does not disable scheduled reports for that user. Additionally, if the
disabled user shared a report with other users, these other users can still generate that report. For more
information, see Disable a User Account.

To generate a report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the reports that you want to run:

Scope: Generate a single report

To generate a single report:

a. On the Report Results tab, right-click the row for the report you want to generate.

-or-

Select the check box next to the report you want to generate.

Tenable Vulnerability Management enables the action bar.

-or-

On the Report Results tab, in the Actions column, click the button in the row for the report result
you want to generate.

The action buttons appear in the row.

b. Click Generate Report.

Tenable Vulnerability Management starts to generate the report. You can track the report status on
the Report Results tab.

View Report Details

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Note: Non-administrator users can only view report details for reports that they created or that have been
shared with them by another user.

To view the Report Details page, do the following:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. In the My Report Templates tab, click the row for the report for which you want to view the
details.

The Report Details page appears.

The Report Details page shows the following details about your report:

Description
This is a brief description of the report.

Targets
This section shows that all assets are included in the report.

Report Logo
The logo on the report.

History
This section shows the time when the report was generated, the time of report completion, and the
current status of the report.

a. In the reports table, to download or delete the report, do one of the following:

l Select the check box next to the report you want to download or delete. Tenable Vulnerability
Management enables Download and Delete options in the action bar.

l In the Actions column, click the button. From the action options, select one of the following:

o Download — Click this option to download the report. The report downloads in the PDF
format.

o Delete — Click this option to delete the report.

Report Details
The report details include a brief summary of the report:

l Status — The status of the report.

l Type — The type of report. For example: PDF.

l Created On — The date when the report was created.

l Start Time — The time when the report generation was started.

l End Time — The time when the report generation was complete.

l Created By — The user who created the report.

Share Report Templates

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can share report templates with other users within the organization.

To share report templates:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears. By default, the My Report Templates tab is visible.

3. Select the report templates that you want to share:

Scope: Share a single report

To share report templates from the Reports page:

a. On the My Report Templates tab, right-click the row for the report template you want to share.

-or-

On the My Report Templates tab, in the Actions column, click the button in the row for the report
template you want to share.

The action buttons appear in the row.

-or-

On the My Report Templates tab, select the check box next to the report template you want to
share.

In the action bar, Tenable Vulnerability Management enables More > Share.

b. Click Share.

The Share plane appears.

4. In the Select Users or Groups section, select All Users or search for specific users or groups.

5. Click Share.

Tenable Vulnerability Management shares the report template with the selected users, who can
view it in the Shared Report Templates tab. Each user receives an email notification with details of
the shared report, the email address of the sender, and a link to the shared report.

Edit an Existing Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Before You Begin

You can only modify a report if you are the owner, a user with an administrator account, or you have
been given the Can configure permission for that report.

To edit a report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the report that you want to edit:

Scope: Edit a single report

To edit a report from the Reports page:

a. On the My Report Templates or All Report Templates tab, right-click the row for the report you
want to edit.

-or-

On the My Report Templates or All Report Templates tab, in the Actions column, click the button in
the row for the report you want to edit.

The action buttons appear in the row.

b. Click Edit.

The Report Details page appears.

4. Modify the report settings.

5. Apply filters as needed.

6. Click Save.

Tenable Vulnerability Management saves the report and the Reports page appears.

Filter Reports

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can add filters to widgets when you create or edit a report. Filters allow you to display details
specific to filtered assets in the reports. You can filter by all assets, assets by tags, and custom
assets.

Note: Filtering for reports is currently available only for VM and Explore VM widgets.

Note: Tenable Web App Scanning does not support filtering vulnerabilities by tags.

To create a filter for a new report or an existing report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Create a new report or edit an existing report.

4. In the Report Details page, click Edit Filters.

The Filters plane appears.

5. From the Select Filter Type drop-down box, select one of the filters:

   • All Assets — Select this to include the data for all assets in the reports. The All Assets
     filter is selected by default.

   • Tags — Select multiple tags to filter your reports.

   • Custom Assets — Type the IP addresses to filter the data by custom assets.

     Note: When using the Custom Assets filter, you can filter by no more than 100 individual
     IP addresses.

6. Click Confirm.

Tenable Vulnerability Management applies the filters to all widgets. You can hover over the
filter icon to view the applied filters.

Note: Tenable Vulnerability Management disables the filter icon when there are no associated
filters.

7. (Optional) To edit a filter for a widget, click the icon in the widget, then click Configure to
open the Filters plane.

8. (Optional) To remove a filter for a widget:

a. In the widget for which you want to remove the filter, click the icon, then click Delete.

b. In the confirmation window, click Delete to delete the filter.

9. Click Save.

Tenable Vulnerability Management applies the filters to the report templates.

Schedule a Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Before You Begin

You can only schedule a report if you are the owner, a user with an administrator account, or you
have been given the Can configure permission for that report.

Important: Disabling a user account does not disable scheduled reports for that user. Additionally, if the
disabled user shared a report with other users, these other users can still generate that report. For more
information, see Disable a User Account.

To schedule a report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the report that you want to schedule:

   Scope: Schedule a single report

   Action: To schedule a report from the Reports page:

      a. On the My Report Templates or All Report Templates tab, right-click the row for the
         report you want to schedule.

         -or-

         On the My Report Templates or All Report Templates tab, in the Actions column, click
         the button in the row for the report you want to schedule.

         The action buttons appear in the row.

      b. Click Schedule.

         The Schedule Report plane appears.
4. Modify the report schedule settings.

   Schedule (default: Off)

      A toggle that specifies whether the report is scheduled. By default, reports are not
      scheduled.

      When you disable the Schedule toggle, the other schedule settings remain hidden. Click the
      toggle to enable the schedule and view the remaining Schedule settings.

   Start Date and Time (default: varies)

      Specifies the exact date and time when Tenable Vulnerability Management launches the
      report.

      The starting date defaults to the date when you create the schedule. The starting time is
      the nearest half-hour interval. For example, if you create the report schedule on
      09/31/2022 at 9:12 AM, Tenable Vulnerability Management sets the default starting date and
      time to 09/31/2022 and 09:30.

   Time Zone (default: varies)

      The time zone of the value set for Start Date and Time.

   Repeat (default: Once)

      Specifies how often Tenable Vulnerability Management launches the report. Reports run at
      the time specified in Start Date and Time.

      • Once: Schedule the report to run once.

      • Daily: Schedule the report to run daily.

      • Weekly: Schedule the report to run on a weekly basis.

        Note: The report runs on the day of the week that the schedule begins. For example, if
        you schedule the report to first run on Monday, 2/14/2021, the report runs on Monday
        every week.

      • Monthly: Schedule the report to run on a monthly basis.

        Note: The report runs on the day of the week that the schedule begins. For example, if
        you schedule the report to first run on Monday, 2/14/2021, the report runs on the second
        Monday of every month.

      • Custom: Schedule the report to run on a custom interval, based on a specific number of
        days, weeks, or months.

      • Yearly: Schedule the report to run on a yearly basis.

   Repeat Ends (default: Never)

      • On: If you select this option, the End Date setting appears, where you can select the
        date you want the report schedule to end.

      • Never: The report runs on the schedule until you modify the report schedule.

   Password Protection (default: Off)

      A toggle that specifies whether the report schedule is password protected.

      To set a password for the report:

      a. Click the Password Protection toggle to enable password protection for the report.

      b. In the Encryption Password box, type the password for the report.

      Note: Make sure that you provide this password to the recipients to open the report.

   Add Recipients

      In this box, type the email addresses of the recipients who should receive the scheduled
      report.

5. Click Schedule.

Tenable Vulnerability Management schedules the report and the recipients receive the report
as an email. If you enable the password protection toggle, the recipient must provide the
password when prompted.
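To make the Start Date and Time and Repeat semantics from the schedule settings above concrete, here is an added Python example; it is not Tenable code and not part of this guide. It computes the default start time and the dates on which a Daily, Weekly or Monthly schedule fires. The start time is rounded up to the next half-hour boundary, because the guide's example turns 9:12 into 09:30, and the Monthly rule is implemented as "same weekday ordinal each month" (a second Monday stays a second Monday), as the guide's note describes. The timestamps in the code are constructed, and a month that lacks the required occurrence (no fifth Monday, for instance) is skipped, which is an assumption: the guide does not say what the product does in that case.

```python
from calendar import monthrange
from datetime import date, datetime, timedelta
from typing import List, Optional

HALF_HOUR = timedelta(minutes=30)


def default_start_time(created_at: datetime) -> datetime:
    """Default Start Date and Time for a schedule created at `created_at`.

    Rounds up to the next half-hour boundary (09:12 -> 09:30, 09:45 -> 10:00).
    Assumption: a timestamp already on a boundary is kept unchanged.
    """
    rounded = created_at.replace(minute=0, second=0, microsecond=0)
    while rounded < created_at:
        rounded += HALF_HOUR
    return rounded


def weekday_ordinal(d: date) -> int:
    """1 for the first occurrence of d's weekday in its month, 2 for the second, and so on."""
    return (d.day - 1) // 7 + 1


def nth_weekday_of_month(year: int, month: int, weekday: int, n: int) -> Optional[date]:
    """The n-th `weekday` (Monday=0 .. Sunday=6) of a month, or None if the month has no such day."""
    first = date(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (n - 1)
    if day > monthrange(year, month)[1]:
        return None
    return date(year, month, day)


def next_runs(first_run: date, repeat: str, count: int) -> List[date]:
    """The first `count` dates on which a report with the given Repeat value runs.

    Daily and Weekly add a fixed interval. Monthly keeps the weekday ordinal of the
    first run (a second Monday stays a second Monday), as the guide's note describes.
    Assumption: a month without that ordinal (no fifth Monday) is skipped.
    """
    runs = [first_run]
    if repeat == "Daily":
        while len(runs) < count:
            runs.append(runs[-1] + timedelta(days=1))
    elif repeat == "Weekly":
        while len(runs) < count:
            runs.append(runs[-1] + timedelta(weeks=1))
    elif repeat == "Monthly":
        n = weekday_ordinal(first_run)
        year, month = first_run.year, first_run.month
        while len(runs) < count:
            month += 1
            if month > 12:
                year, month = year + 1, 1
            candidate = nth_weekday_of_month(year, month, first_run.weekday(), n)
            if candidate is not None:
                runs.append(candidate)
    else:
        raise ValueError(f"unsupported Repeat value: {repeat!r}")
    return runs


def schedule_preview(created_iso: str, repeat: str, count: int) -> dict:
    """Convenience wrapper: ISO-8601 creation timestamp in, default start and run dates out."""
    start = default_start_time(datetime.fromisoformat(created_iso))
    return {
        "start": start.isoformat(sep=" "),
        "runs": [d.isoformat() for d in next_runs(start.date(), repeat, count)],
    }


if __name__ == "__main__":
    # Constructed sample: a schedule created on Monday 2024-06-10 at 09:12 (not a date from the guide).
    for rule in ("Weekly", "Monthly"):
        print(rule, schedule_preview("2024-06-10T09:12", rule, 3))
```

Run the block to see that a schedule created on a second Monday fires on the second Monday of each following month, while the Weekly rule simply steps seven days at a time from the same start.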

Email Report Results

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To share report results:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the report results that you want to share:

   Scope: Share a single report

   Action: To share report results from the Reports page:

      a. On the Report Results tab, right-click the row for the report results you want to
         share.

         -or-

         On the Report Results tab, in the Actions column, click the button in the row for the
         report results you want to share.

         The action buttons appear in the row.

      b. Click Email.

         The Email Report plane appears.

4. In the Add Recipients box, select from the list of existing email addresses or type one or more
email recipients for the report results.

The recipients you select receive an email with a PDF of the report results.

5. In the Encryption Password box, type the password for the generated report.

Important: Make sure that you provide this password to the recipients to open the report.

Note: If you provide a password at the time of scheduling the report, Tenable Vulnerability
Management applies the same password when emailing the report. For reports for which passwords
are applied at the time of scheduling, the Encryption Password box appears disabled with a
message at the bottom that states that the password is the same as one created during the
schedule process.

6. Click Email.

The report results are shared as an email and the Reports page appears. If you add a
password for the report, the recipient must enter the password when prompted.

Edit a Report Schedule

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Before You Begin

You can only edit a report schedule if you are the owner, a user with an administrator account, or
you have been given the Can configure permission for that report.

To edit a report schedule:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the report for which you want to edit the schedule:

   Scope: Edit a single report schedule

   Action: To edit a report schedule from the Reports page:

      a. On the My Report Templates or All Report Templates tab, right-click the row for the
         report you want to edit.

         -or-

         On the My Report Templates or All Report Templates tab, in the Actions column, click
         the button in the row for the report you want to edit.

         The action buttons appear in the row.

      b. Click Schedule.

         The Schedule Report plane appears.

4. Modify the report schedule settings.

5. Click Schedule.

Tenable Vulnerability Management saves the report schedule and the Reports page appears.

Delete a Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can only delete a report if you are the owner or a user with an administrator account.

To delete a report:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Reports.

The Reports page appears with the My Report Templates tab selected.

3. Select the reports you want to delete.

Note: This procedure is applicable for both Report Results and Report Templates.

   Scope: Delete multiple reports

   Action: To delete reports:

      a. Select the check box for each report you want to delete.

         The action bar appears at the top of the list.

      b. In the action bar, click Delete.

   Scope: Delete a single report

   Action: To delete a single report:

      a. Right-click the row for the report you want to delete.

         -or-

         Select the check box next to the report you want to delete.

         Tenable Vulnerability Management enables More in the action bar.

         -or-

         In the Actions column, click the button in the row for the report you want to delete.

         The action buttons appear in the row.

      b. Click Delete.

         The Delete Reports dialog box appears.

4. Click Delete.

Tenable Vulnerability Management deletes the report permanently.

Remediation

Tracking all the items that need remediation can be a major effort. To make this tracking easier,
the Remediation page gives you two different ways to prioritize, distribute, and track
vulnerability tasks in your environment: remediation projects and remediation goals.

View Remediations

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

On the Remediation page, you can view your remediation projects or remediation goals.

To view your remediation projects or goals:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Do one of the following:

   • View your remediation projects.

     The Remediation Projects tab is shown by default. The following table defines its columns:

     Column       Description
     Name         The name of the remediation project.
     Assignee     The username of the user assigned to the remediation project.
     Asset Tags   Asset tag(s) associated with the remediation project, which are added at
                  project creation.
     Start Date   The date and time on which the assigned user started the remediation project.
     Due Date     The date and time on which the assigned user is expected to complete the
                  remediation project.
     Status       The status of the remediation project.
     Actions      The actions you can take with the remediation project.

   • View your remediation goals.

     To view your remediation goals, click the Remediation Goals tab. The following table
     defines its columns:

     Column       Description
     Name         The name of the remediation goal.
     Type         Whether the goal is static or dynamic. The goal type depends on the due date
                  option configured when you created the remediation goal.
     Start Date   The date and time on which the remediation goal was started.
     Due Date     The date and time on which the remediation goal must be complete.
     Status       The status of the remediation goal.
     Asset Tags   Asset tag(s) associated with the remediation project, which are added at
                  project creation.
     Actions      The actions you can take with the remediation goal.

4. (Optional) Refine your view with filters, as described in Remediation Filters.

Remediation Filters

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

On the Remediation page, you can use filters to refine the remediation projects or goals displayed.

Remediation Projects

The following table defines the Remediation Project filters:

Filter           Description
Asset Tags       Asset tag(s) associated with the project, which are added at project creation.
                 Tenable Vulnerability Management only returns tags with a positive match, such
                 as Asset Tag is equal to Operating System: Windows.
Assignees        The user(s) assigned to the remediation project.
Project Name     The name of the remediation project.
Project Status   The status of the remediation project.

Remediation Goals

The following table defines the Remediation Goals filters:

Filter           Description
Asset Tags       Asset tag(s) associated with the project, which are added at project creation.
                 Tenable Vulnerability Management only returns tags with a positive match, such
                 as Asset Tag is equal to Operating System: Windows.
Goal Name        The name of the remediation goal.
Goal Status      The status of the remediation goal.
Goal Type        Whether the goal is static or dynamic. The goal type depends on the due date
                 option configured when you created the remediation goal.

Remediation Projects
A remediation project helps you organize and manage your remediation program. Remediation
projects allow you to define the scope of work, prioritize your findings, assign projects to owners,
and track the progress of your remediation tasks. The status of your remediation project lets you
quickly visualize all your in-progress or closed remediation activities.

You can create the following types of remediation projects:

   • By fixed date — A remediation project with a fixed scope that must be completed by the
     specified date.

   • Within number of days — An open-scope or ongoing remediation project that must be
     completed within a specific period. This type of remediation project ensures that you
     always assign and track a certain type of critical vulnerability.

For more information, see Fixed-Scope and Ongoing Remediation Goals.

On the Remediation Projects page, you can perform the following tasks:

   • Create a New Remediation Project

   • Create a New Remediation Project From Findings

   • View Remediation Project Details

   • Activate a Remediation Project

   • Edit a Remediation Project

   • Suspend a Remediation Project

   • Close a Remediation Project

   • Export Remediation Projects

   • Delete a Remediation Project

Create a New Remediation Project

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

Note: You can also create a remediation project from Explore > Findings. For more information, see Create
a remediation project from Findings.

You can create remediation projects to define the scope of work, prioritize your findings, assign
projects to owners, and track the progress of your remediation tasks.

To create a new remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. In the upper-right corner, click Create Remediation Project.

The Create a Remediation Project page appears.

On the left side of the page, you can select from the following and click Next after each
selection:

   Option: Name

      • In the Project Name box, type a name for the project.

      • (Optional) In the Description box, type a description for the remediation project.

   Option: Scope

      In the Findings Filters section, the following filters are selected by default.

      • Risk Modified: is not equal to Accepted

      • Severity: is not equal to Info

      • State: is not equal to Fixed

      Note: When the State: is not equal to Fixed filter is applied, the progress bar shows 0%.
      To view the progress percentage of the remediation project, remove this filter.

      Note: You can select up to a maximum of five filters.

      You can modify the existing filters or add new filters to the list with AND and OR
      options.

      Tip: Tenable Vulnerability Management shows the findings count based on the filters in the
      Scope.

      For each filter you want to use to specify the project scope, do the following:

      1. Under Findings Filters, click Select Filters.

         The Select Filters drop-down box appears.

      2. Click the filter you want to apply.

         The filter appears in the Finding Filters box.

      3. In the filter, click the ˅ button.

         A list of filter value and operator options appears.

      4. In the first drop-down box, select the operator you want to apply to the filter.

      5. In the second drop-down box, select one or more values to apply to the filter.

      6. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
         sets the filter to Match All.

   Option: Assign

      In the Select Users or User Groups drop-down box, select the users or groups to which you
      want to assign the remediation project.

   Option: Schedule

      • In the Start Date box, select the date on which the assigned users and groups begin
        work on the remediation project.

      • In the Due Date section, select one of the following:

        • Within number of days — The number of days within which the project must be
          complete.

          Note: For any remediation project with this option selected, the right-hand progress
          bar does not appear on the Project Details page.

        • By fixed date — The date by which you must complete the project.

      For more information, see Fixed-Scope and Ongoing Remediation Goals.

4. Click Save.

Tenable Vulnerability Management creates the remediation project.

Note: Remediation projects do not automatically close even if all the tasks are complete or if the
projects reach their due date. You have to close the project manually by changing the project status
to Closed once it is complete.

Create a New Remediation Project From Findings

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To create a new remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Findings.

The Findings page appears, showing a table that lists your findings. By default, the
Vulnerabilities tab is active.

3. To create a remediation project, do one of the following:

   Note: The Create Remediation Project option is available only when you have three or fewer
   filters selected. If you select more than three filters, Tenable Vulnerability Management
   does not show the Create Remediation Project option.

   Create: Remediation project for a single finding

   Action:

      a. Do one of the following:

         • Right-click the row of the finding for which you want to create the remediation
           project.

           The action options appear next to your cursor.

         • Select the check box for the finding for which you want to create the remediation
           project.

           In the action bar, Tenable Vulnerability Management enables More > Create
           Remediation Project.

         • In the Actions column, click the button in the row for which you want to create the
           remediation project.

           The action button appears in the row.

      b. Click Create Remediation Project.

   Create: Remediation project for multiple findings

   Action:

      a. Select the check box for the findings for which you want to create the remediation
         project.

         In the action bar, Tenable Vulnerability Management enables Create Remediation
         Project.

      b. Click Create Remediation Project.

4. The Create a Remediation Project page appears.

On the left side of the page, you can select from the following and click Next after each
selection:

   Option: Name

      • In the Project Name box, type a name for the project.

      • (Optional) In the Description box, type a description for the remediation project.

   Option: Scope

      In the Findings Filters section, the following filters are selected by default. You can
      modify the existing filters or add new filters to the list with AND and OR options.

      • Asset ID: is equal to <asset ID>

      • Plugin ID: is equal to <plugin ID>

      • Filters selected on the Findings page

      Tip: Tenable Vulnerability Management shows the findings count based on the filters in the
      Scope.

      For each filter you want to use to specify the project scope, do the following:

      1. Under Findings Filters, click Select Filters.

         The Select Filters drop-down box appears.

      2. Click the filter you want to apply.

         The filter appears in the Finding Filters box.

      3. In the filter, click the ˅ button.

         A list of filter value and operator options appears.

      4. In the first drop-down box, select the operator you want to apply to the filter.

      5. In the second drop-down box, select one or more values to apply to the filter.

      6. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
         sets the filter to Match All.

   Option: Assign

      In the Select Users or User Groups drop-down box, select the users or groups to which you
      want to assign the remediation project.

   Option: Schedule

      • In the Start Date box, select the date on which the assigned users and groups begin
        work on the remediation project.

      • In the Due Date section, select one of the following:

        • Within number of days — The number of days within which the project must be
          complete.

        • By fixed date — The date by which you must complete the project.

5. Click Save.

Tenable Vulnerability Management creates the remediation project.

Note: Remediation projects do not automatically close even if all the tasks are complete or if the
projects reach their due date. You have to close the project manually by changing the project status
to Closed once it is complete.
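The Scope option in both procedures above (Create a New Remediation Project and Create a New Remediation Project From Findings) is a small filter expression evaluated over findings. The following Python example, added here and not part of the guide or of Tenable's code, models those filters with the two operators the guide names (is equal to, is not equal to), the Match All and Match Any combination, the five-filter limit, and the guide's note that the default State: is not equal to Fixed filter makes the progress bar read 0%: once Fixed findings are excluded from the scope, no finding in scope can ever count as remediated. The findings, asset IDs and plugin IDs are constructed sample data, and the Finding fields are an assumption about the minimum data the filters need, not Tenable's schema.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

MAX_SCOPE_FILTERS = 5  # the guide: "You can select up to a maximum of five filters."


@dataclass(frozen=True)
class Finding:
    """Minimal finding record (assumed fields, not Tenable's schema)."""
    asset_id: str
    plugin_id: int
    severity: str       # Info, Low, Medium, High, Critical
    state: str          # e.g. Active, Resurfaced, Fixed
    risk_modified: str  # e.g. "None" or "Accepted"


# (field, operator, value), with the operator names used in the Scope UI.
Filter = Tuple[str, str, object]

# The three filters the Create a Remediation Project page selects by default.
DEFAULT_FILTERS: List[Filter] = [
    ("risk_modified", "is not equal to", "Accepted"),
    ("severity", "is not equal to", "Info"),
    ("state", "is not equal to", "Fixed"),
]

# Constructed sample data; asset and plugin IDs are placeholders, not real values.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("asset-a1", 10001, "High", "Active", "None"),
    Finding("asset-a1", 10002, "Medium", "Fixed", "None"),
    Finding("asset-a2", 10001, "Info", "Active", "None"),
    Finding("asset-a2", 10003, "Critical", "Active", "Accepted"),
    Finding("asset-a3", 10001, "High", "Fixed", "None"),
]


def matches(finding: Finding, flt: Filter) -> bool:
    """Evaluate one (field, operator, value) filter against a finding."""
    field, operator, value = flt
    actual = getattr(finding, field)
    if operator == "is equal to":
        return actual == value
    if operator == "is not equal to":
        return actual != value
    raise ValueError(f"unsupported operator: {operator!r}")


def scope(findings: Sequence[Finding], filters: Sequence[Filter], match_all: bool = True) -> List[Finding]:
    """Findings selected by the filters, combined with AND (Match All) or OR (Match Any)."""
    if len(filters) > MAX_SCOPE_FILTERS:
        raise ValueError(f"a project scope allows at most {MAX_SCOPE_FILTERS} filters")
    combine = all if match_all else any
    return [f for f in findings if combine(matches(f, flt) for flt in filters)]


def progress_percent(findings: Sequence[Finding], filters: Sequence[Filter], match_all: bool = True) -> float:
    """Share of in-scope findings that are Fixed, the value a progress bar would show.

    With the default State: is not equal to Fixed filter no Fixed finding can be in
    scope, so the result is always 0.0; that is the behaviour the guide's note warns about.
    """
    scoped = scope(findings, filters, match_all)
    if not scoped:
        return 0.0
    fixed = sum(1 for f in scoped if f.state == "Fixed")
    return round(100.0 * fixed / len(scoped), 1)


def findings_scope_filters(asset_id: str, plugin_id: int, page_filters: Sequence[Filter] = ()) -> List[Filter]:
    """Default scope when a project is created from one row on the Findings page:
    the Asset ID and Plugin ID of that finding plus any filters already set on the page."""
    return [("asset_id", "is equal to", asset_id), ("plugin_id", "is equal to", plugin_id), *page_filters]


if __name__ == "__main__":
    print("in scope with defaults:", len(scope(SAMPLE_FINDINGS, DEFAULT_FILTERS)))
    print("progress with defaults:", progress_percent(SAMPLE_FINDINGS, DEFAULT_FILTERS))
    print("progress without the State filter:", progress_percent(SAMPLE_FINDINGS, DEFAULT_FILTERS[:2]))
```

Dropping the State filter (the second `progress_percent` call) brings the two Fixed findings back into scope, which is why the guide tells you to remove that filter when you want a meaningful progress percentage; the trade-off is that the findings count shown for the scope then includes findings that need no further work.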

View Remediation Project Details

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To view remediation project details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. In the Remediation Project table, click the row for the remediation project whose details you
want to view.

The Remediation Project Details page appears.

Remediation Project Details

The Project Details page for remediations shows a high-level view of your remediation projects,
details about the vulnerability findings specified in the remediation project configurations, and the
current progress for each remediation project.

Note: Data on the Project Details page updates when you navigate away from or refresh the page.

Project Details
The Project Details page shows the following details about your remediation project:

   Project Information

      This section provides basic information about the remediation project, including the
      Start Date and Due Date of the project.

   Scope

      This section shows the active filters applied to the remediation project. For more
      information, see Remediation Filters.

   Assigned Users

      A list of users assigned to the remediation project.

   Findings

      This section includes a table that lists all of your findings related to the remediation
      project. In this table, you can view the following information:

      • Severity — The vulnerability's CVSS-based severity. For more information, see CVSS vs.
        VPR.

      • Name — The name of the remediation finding.

      • Plugin ID — The ID of the plugin that identified the vulnerability.

      • Port — The port that the scanner used to connect to the asset where the scan detected
        the vulnerability.

      • Protocol — The protocol the scanner used to communicate with the asset where the scan
        detected the vulnerability.

      • VPR — The VPR Tenable calculated for the vulnerability.

      • State — The state of the vulnerability.

      • Last Updated — The date when a scan last found the vulnerability on an asset.

      • Asset Name — The name of the asset where a scan detected the vulnerability. This value
        is unique to Tenable Vulnerability Management.

      • Actions — In this column, click the button to view a drop-down where you can:

        ◦ Export — Export to CSV or JSON, as described in Export from Explore Tables.

      In the Findings table you can also:

      • Refine the table data.

      • View your vulnerability details on the Findings page by clicking Open in Findings.

      • Export one or more findings:

        1. Select the check box next to the Finding(s) you want to export.

           The action bar appears at the top of the table.

        2. In the action bar, click Export. For more information on configuring the export,
           see Export Remediation Projects.

Edit a Remediation Project

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To edit a remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. To edit a remediation project:

a. On the Remediation Projects page, do one of the following:

      • In the Remediation Projects table, right-click the row for the remediation project
        you want to edit.

        The action options appear next to your cursor.

      • In the Remediation Projects table, select the check box for the remediation project
        that you want to edit.

        The actions bar appears at the top of the table.

      • In the Remediation Projects table, in the Actions column, click the button in the row
        for the project that you want to edit.

        The action button appears in the row.

4. Click Edit.

The Edit a Project page appears.

5. Modify the remediation project settings.

6. Click Save.

Tenable Vulnerability Management saves the remediation project and the Remediation
Projects page appears.

Activate a Remediation Project

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

When you create a remediation project, it is in the Pending state. You must activate the project for
it to start tracking the progress of the remediation project.

Note: To activate a project, you must define the scope and assignee.

To activate a remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. In the Remediation Projects table, do one of the following:

   • In the Remediation Projects table, right-click the row for the remediation project you
     want to activate.

     The action options appear next to your cursor.

   • In the Remediation Projects table, select the check box for the remediation project that
     you want to activate.

     The actions bar appears at the top of the table.

   • In the Remediation Projects table, in the Actions column, click the button in the row
     for the project that you want to activate.

     The action button appears in the row.

4. Click Activate.

- 900 -
Tenable Vulnerability Management activates the remediation project.

The Remediation Projects page appears and the Status column shows the project as Active.

Suspend a Remediation Project

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

Suspending a remediation project temporarily stops progress tracking for that project. When you
suspend a project, its status stays unchanged until you activate the project again.

To suspend a remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Do one of the following:

   • In the Remediation Projects table, right-click the row for the remediation project you
     want to suspend.

     The action options appear next to your cursor.

   • In the Remediation Projects table, select the check box for the remediation project that
     you want to suspend.

     In the action bar, Tenable Vulnerability Management enables More > Suspend.

   • In the Remediation Projects table, in the Actions column, click the button in the row
     for the project that you want to suspend.

     The action buttons appear in the row.

4. Click Suspend.

Tenable Vulnerability Management suspends the remediation project.

The Remediation Projects page appears and the Status column shows the project as
Suspended.

Close a Remediation Project

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

Closing a remediation project ends it, but you can reactivate a closed project if needed.
Projects do not automatically close even if all the tasks are complete or if the projects reach
their due date. You have to close the project manually by changing the project status to Closed
once it is complete.

To close a remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Do one of the following:

   • In the Remediation Projects table, right-click the row for the remediation project you
     want to close.

     The action options appear next to your cursor.

   • In the Remediation Projects table, select the check box for the remediation project that
     you want to close.

     In the action bar, Tenable Vulnerability Management enables More > Close.

   • In the Remediation Projects table, in the Actions column, click the button in the row
     for the project that you want to close.

     The action button appears in the row.

4. Click Close.

Tenable Vulnerability Management closes the remediation project.

The Remediation Projects page appears and the Status column shows the project as Closed.

Export Remediation Projects


On the Remediation page, you can export your remediation projects in CSV format.

To export your remediation projects:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

4. Do one of the following:

To export a single remediation project:


a. In the remediation projects table, right-click the row for the remediation project you
want to export.

The action options appear next to your cursor.

-or-

In the remediation projects table, in the Actions column, click the button in the row
for the remediation project you want to export.

The action buttons appear in the row.

b. Click Export.

To export multiple remediation projects:


a. In the remediation projects table, select the check box for each remediation project you
want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

   Note: You can individually select and export up to 200 remediation projects. If you want to
   export more than 200 remediation projects, you must select all the remediation projects on
   your Tenable Vulnerability Management instance by selecting the check box at the top of the
   Projects table and then clicking Export.

The Export plane appears.

5. In the Name box, type a name for the export file.

6. Click the export format you want to use:

   Format   Description
   CSV      A CSV text file that contains a list of tag categories or values.

            Note: If your .csv export file includes a cell that begins with any of the
            following characters (=, +, -, @), Tenable Vulnerability Management automatically
            inputs a single quote (') at the beginning of the cell. For more information, see
            the related knowledge base article.

   JSON     A JSON file that contains a nested list of tag categories or values.

            Tenable Vulnerability Management does not include empty fields in the JSON file.

7. (Optional) Deselect any fields you do not want to appear in the export file.

8. In the Expiration box, type the number of days before the export file ages out.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

9. (Optional) To set a schedule for your export to repeat:

• Click the Schedule toggle.

The Schedule section appears.

• In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

• In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

• In the Repeat drop-down box, select how often you want the export to repeat.

• In the Repeat Ends drop-down box, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

10. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

• Click the Email Notification toggle.

The Email Notification section appears.

• In the Add Recipients box, type the email addresses to which you want to send the
export notification.

• (Required) In the Password box, type a password for the export file. You must share this
password with the recipients so that they can download the file; share it through a channel
other than the notification email itself.

Note: Tenable Vulnerability Management sends an email to the recipients. From the link in
the email, the recipients can download the file by providing the correct password.

11. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

12. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Delete a Remediation Project

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To delete a remediation project:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. To delete one or more remediation projects:

To delete a single remediation project:

a. Do one of the following:

• In the Remediation Projects table, in the Actions column, click the button in the row
for the project that you want to delete.

The action buttons appear in the row.

• In the Remediation Projects table, select the check box next to the remediation project
that you want to delete.

In the action bar, Tenable Vulnerability Management enables More > Delete.

• In the Remediation Projects table, right-click the row for the project that you want to
delete.

The action options appear next to your cursor.

b. Click Delete.

To delete multiple remediation projects:

a. In the Remediation Projects table, select the check boxes for the remediation projects
that you want to delete.

Tenable Vulnerability Management enables the Delete button in the action bar.

b. Click Delete.

Tenable Vulnerability Management deletes the selected remediation projects.

Remediation Goals
A remediation goal allows you to measure the effectiveness of your remediation program. By
setting a remediation goal, you can track whether your remediation projects are tracking and
closing critical findings within a specific period.

You can create the following types of remediation goals:

• By fixed date — A remediation goal that must be met by the specified date. Otherwise, the
goal fails.

• Within the number of days — A remediation goal that must be met within a specific number of
days. Tenable Vulnerability Management classifies this type of goal as a dynamic goal or a
continuous goal.

• Ongoing — A continuous or dynamic goal that remains open until all findings of a specific
scope are fixed.

On the Remediation Goals page, you can perform the following tasks:

• Create a New Remediation Goal

• View Remediation Goal Details

• Activate a Remediation Goal

• Edit a Remediation Goal

• Suspend a Remediation Goal

• Close a Remediation Goal

• Export Remediation Goals

• Delete a Remediation Goal

Fixed-Scope and Ongoing Remediation Goals

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

When creating a remediation goal, you can set the scope to be fixed or ongoing.

Fixed-scope goals — Applies to scenarios where a group of vulnerabilities or even just one
vulnerability needs remediation in a certain period of time.

Ongoing (open-scope) goals — Applies to a scenario where you have to ensure that there is always
an assigned owner to track a certain type of vulnerability, such as assigning all critical Tenable PCI
ASV vulnerabilities needing remediation to owners.

To create remediation goals, see Create a New Remediation Goal.

Create a New Remediation Goal

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

Remediation goals can be static or dynamic. Static remediation goals have a fixed due date.
Dynamic goals do not: you must either meet the goal within a specified number of days or keep
it met on an ongoing basis.

For example, to ensure that no Log4J findings exist in your environment, configure an Ongoing
dynamic remediation goal scoped to Log4J findings. If the count of matching findings becomes
greater than zero, the goal fails.

To create a new remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. In the upper-right corner, click Create Remediation Goal.

The Create a Remediation Goal page appears.

On the left side of the page, configure each of the following options and click Next after
each one:

Name

• In the Goal Name box, type a name for the remediation goal.

• In the Description box, type a description for the remediation goal.

Conditions

In the Findings Filters section, the following filters are selected by default:

• Severity is not equal to Info

• State is not equal to Fixed

Note: You can select up to a maximum of five filters.

You can modify the existing filters or add new filters to the list with AND and OR options.

Tip: Tenable Vulnerability Management shows the findings count based on the filters in the
Scope.

1. Under Findings Filters, click Select Filters.

The Select Filters drop-down box appears.

2. Click the filter you want to apply.

The filter appears in the Findings Filters box.

3. In the filter, click the button.

A list of filter value and operator options appears.

4. In the first drop-down box, select the operator you want to apply to the filter.

5. In the second drop-down box, select one or more values to apply to the filter.

6. In the match drop-down box, keep Match All (the default) or select a different match
option.

Goal Due Date

Select and configure one of the following options:

Note: Tenable Vulnerability Management determines the remediation goal type based on the due
date option you configure. If you select Within number of days or Ongoing, Tenable
Vulnerability Management creates the goal as a dynamic goal. If you select By fixed date,
Tenable Vulnerability Management creates the goal as a static goal.

• Within number of days — The number of days within which the goal must be complete.

• By fixed date — The date by which you must complete the goal.

• Ongoing — An ongoing goal is a remediation goal that is always in progress and must always
be met. This option is selected by default.

For more information, see Fixed-Scope and Ongoing Remediation Goals.

5. Click Save.

Tenable Vulnerability Management saves the remediation goal.
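To make the static/dynamic distinction and the three Goal Due Date options concrete, the following Python example (added here; it is not Tenable's code, and the findings, goals and plugin names are constructed) evaluates a goal against a list of findings using the page's measure of success: zero findings matching the scope. The default scope reproduces the two filters a new goal starts with, Severity is not equal to Info and State is not equal to Fixed, and the Log4j scope narrows it by a hypothetical plugin-name match.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    """One finding as it would appear on the Findings page (constructed sample data)."""
    asset: str
    plugin_name: str
    severity: str  # Info, Low, Medium, High, Critical
    state: str     # New, Active, Resurfaced, Fixed


def default_scope(f: Finding) -> bool:
    """The two filters a new goal starts with: Severity != Info AND State != Fixed."""
    return f.severity != "Info" and f.state != "Fixed"


def log4j_scope(f: Finding) -> bool:
    """Default scope narrowed to Log4j plugins (hypothetical plugin-name match)."""
    return default_scope(f) and "log4j" in f.plugin_name.lower()


@dataclass
class Goal:
    name: str
    created: date
    scope: Callable[[Finding], bool]
    kind: str                    # "fixed_date" (static), "within_days" or "ongoing" (dynamic)
    due: Optional[date] = None   # used by fixed_date
    days: Optional[int] = None   # used by within_days

    def due_date(self) -> Optional[date]:
        if self.kind == "fixed_date":
            return self.due
        if self.kind == "within_days":
            return self.created + timedelta(days=self.days)
        return None  # an ongoing goal has no due date


def evaluate(goal: Goal, findings: list, today: date) -> str:
    """Return 'met', 'in_progress' or 'failed'.

    Measure of success: the number of findings matching the scope is zero.
    """
    open_count = sum(1 for f in findings if goal.scope(f))
    if goal.kind == "ongoing":
        # must always be met: any open finding in scope fails it right away
        return "met" if open_count == 0 else "failed"
    if open_count == 0:
        return "met"
    return "failed" if today > goal.due_date() else "in_progress"


# Constructed findings: two Log4j detections, one already fixed, plus unrelated noise.
SAMPLE_FINDINGS = [
    Finding("web-01", "Apache Log4j Remote Code Execution", "Critical", "Active"),
    Finding("web-02", "Apache Log4j Remote Code Execution", "Critical", "Fixed"),
    Finding("db-01", "SSL Certificate Expiry", "Medium", "Active"),
    Finding("db-01", "Nessus Scan Information", "Info", "Active"),
]


def demo() -> dict:
    created = date(2024, 6, 1)
    ongoing = Goal("No Log4j anywhere", created, log4j_scope, "ongoing")
    within = Goal("Log4j within 30 days", created, log4j_scope, "within_days", days=30)
    fixed = Goal("Non-info findings by 15 June", created, default_scope,
                 "fixed_date", due=date(2024, 6, 15))
    # the same findings after the remaining Log4j detection is remediated
    remediated = [Finding(f.asset, f.plugin_name, f.severity, "Fixed")
                  if "log4j" in f.plugin_name.lower() else f
                  for f in SAMPLE_FINDINGS]
    return {
        "ongoing_now": evaluate(ongoing, SAMPLE_FINDINGS, date(2024, 6, 20)),
        "ongoing_after_fix": evaluate(ongoing, remediated, date(2024, 6, 20)),
        "within_before_due": evaluate(within, SAMPLE_FINDINGS, date(2024, 6, 20)),
        "within_after_due": evaluate(within, SAMPLE_FINDINGS, date(2024, 7, 5)),
        "within_due_date": within.due_date(),
        "fixed_after_due": evaluate(fixed, SAMPLE_FINDINGS, date(2024, 6, 20)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ongoing goal fails as soon as any in-scope finding is open and is met again once it is fixed, which is why it is the right choice for the Log4J scenario; the within-days and fixed-date goals stay in progress until their due date passes with findings still open.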

View Remediation Goal Details

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To view remediation goal details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. In the Remediation Goals table, click any row for which you want to view the details.

The Goal Details page appears.

The Goal Details page shows the following details about your remediation goal:

Goal Information: The type, start date, and due date of the remediation goal.

Measure of Success: The filters assigned to findings. If the number of findings that match the
filters is zero, the remediation goal is a success.

Findings: In this section, you can:

• Refine the table data.

• Export your host vulnerability findings.

• View your vulnerability details on the Findings page by clicking Open in Findings.

Progress: The overall progress of the remediation goal. You can view the following information
in this section:

Note: These parameters apply only to goals that have a fixed due date (static goals). For dynamic
remediation goals, Tenable Vulnerability Management does not show the progress bar.

• Created on — The date and time at which the remediation goal was created.

• Remediated — The number of remediated findings.

• Resurfaced — The number of findings that have reappeared after remediation.

Edit a Remediation Goal

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To edit a remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. Do one of the following:

• In the Remediation Goals table, right-click the row for the remediation goal you want to
edit.

The action options appear next to your cursor.

• In the Remediation Goals table, select the check box for the remediation goal you want
to edit.

The action bar appears at the top of the table.

• In the Remediation Goals table, in the Actions column, click the button in the row for
the goal you want to edit.

The action button appears in the row.

5. Click Edit.

The Edit a Goal page appears.

6. Modify the remediation goal settings.

7. Click Save.

Tenable Vulnerability Management saves the remediation goal.

The Remediation Goals page appears.

Activate a Remediation Goal

Required Tenable Vulnerability Management User Role:Scan Operator, Standard, Scan Manager, or
Administrator

To activate a remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. Do one of the following:

• In the Remediation Goals table, right-click the row for the remediation goal you want to
activate.

The action options appear next to your cursor.

• In the Remediation Goals table, select the check box for the remediation goal you want
to activate.

The action bar appears at the top of the table.

• In the Remediation Goals table, in the Actions column, click the button in the row for
the goal you want to activate.

The action button appears in the row.

5. Click Activate.

Tenable Vulnerability Management activates the remediation goal.

The Remediation Goals page appears and the Status column shows the goal as Active.

Suspend a Remediation Goal

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

You can temporarily suspend a goal and reactivate it at any time.

To suspend a remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. Do one of the following:

• In the Remediation Goals table, right-click the row for the remediation goal you want to
suspend.

The action options appear next to your cursor.

• In the Remediation Goals table, select the check box for the remediation goal you want
to suspend.

In the action bar, Tenable Vulnerability Management enables More > Suspend.

• In the Remediation Goals table, in the Actions column, click the button in the row for
the goal you want to suspend.

The action button appears in the row.

5. Click Suspend.

Tenable Vulnerability Management suspends the remediation goal.

The Remediation Goals page appears and the Status column shows the goal as Suspended.

Close a Remediation Goal

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

A closed remediation goal has ended, but you can reactivate a closed goal if needed.

To close a remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. Do one of the following:

• In the Remediation Goals table, right-click the row for the remediation goal you want to
close.

The action options appear next to your cursor.

• In the Remediation Goals table, select the check box for the remediation goal you want
to close.

In the action bar, Tenable Vulnerability Management enables More > Close.

• In the Remediation Goals table, in the Actions column, click the button in the row for
the goal you want to close.

The action button appears in the row.

5. Click Close.

Tenable Vulnerability Management closes the remediation goal.

The Remediation Goals page appears and the Status column shows the goal as Closed.

Export Remediation Goals


On the Remediation page, you can export your remediation goals in CSV format.

To export your remediation goals:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Do one of the following:

To export a single remediation goal:


a. In the remediation goals table, right-click the row for the remediation goal you want to
export.

The action options appear next to your cursor.

-or-

In the remediation goals table, in the Actions column, click the button in the row for
the remediation goal you want to export.

The action buttons appear in the row.

b. Click Export.

To export multiple remediation goals:


a. In the remediation goals table, select the check box for each remediation goal you want
to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: You can individually select and export up to 200 remediation goals. To export more than
200 remediation goals, select all the remediation goals on your Tenable Vulnerability Management
instance by selecting the check box at the top of the Goals table, and then click Export.

The Export plane appears. This plane contains:

• A text box to configure the export file name.

• A list of available export formats.

• A table of configuration options for fields to include in the exported file.

Note: By default, Tenable Vulnerability Management selects all fields.

• A text box to set the number of days before the export ages out.

• A toggle to configure the export schedule.

• A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

Format: CSV

A CSV text file that contains the list of remediation goals.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inserts a
single quote (') at the beginning of the cell so that spreadsheet applications do not
interpret the cell as a formula. For more information, see the related knowledge base
article.

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file ages out.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

• Click the Schedule toggle.

The Schedule section appears.

• In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

• In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

• In the Repeat drop-down box, select how often you want the export to repeat.

• In the Repeat Ends drop-down box, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

• Click the Email Notification toggle.

The Email Notification section appears.

• In the Add Recipients box, type the email addresses to which you want to send the
export notification.

• (Required) In the Password box, type a password for the export file. You must share this
password with the recipients so that they can download the file; share it through a channel
other than the notification email itself.

Note: Tenable Vulnerability Management sends an email to the recipients. From the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.
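The single-quote note in the CSV format description above (and the identical note under Export Remediation Projects) describes a defense against CSV formula injection: a project or goal name such as =HYPERLINK(...) would otherwise be evaluated by a spreadsheet application that opens the export. The following Python example is added here and is not Tenable's code; it reproduces that neutralization for a constructed set of rows, and also audits a CSV file you have received for cells that would still be evaluated. As its own addition it treats tab and carriage return as triggers too, which goes beyond the four characters the note lists.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
# The four the export note lists:
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Tab and carriage return also trigger formula parsing in some spreadsheet
# applications; treating them the same way is this example's own addition.
EXTRA_PREFIXES = ("\t", "\r")
TRIGGERS = FORMULA_PREFIXES + EXTRA_PREFIXES


def neutralize_cell(value) -> str:
    """Prefix a cell with a single quote when it begins with a formula trigger."""
    s = "" if value is None else str(value)
    return "'" + s if s.startswith(TRIGGERS) else s


def write_csv(rows, fieldnames, neutralize=True) -> str:
    """Serialize rows to CSV text, optionally neutralizing formula-like cells."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k) for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an export you received: list (row, column, value) for every cell a
    spreadsheet would still evaluate as a formula. An empty list means it is clean."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if value and value.startswith(TRIGGERS):
                hits.append((row_no, column, value))
    return hits


# Constructed remediation-project rows. The second name is what someone who can
# influence a project name (or any exported text field) would plant; the third shows
# that harmless text starting with "-" or "@" receives the same quote.
SAMPLE_PROJECTS = [
    {"Name": "Patch OpenSSL on web tier", "Owner": "alice", "Findings": 12},
    {"Name": '=HYPERLINK("http://attacker.example/x","Open ticket")', "Owner": "bob", "Findings": 3},
    {"Name": "-Legacy hosts (decommission)", "Owner": "@carol", "Findings": 7},
]
FIELDS = ["Name", "Owner", "Findings"]


def demo() -> dict:
    raw = write_csv(SAMPLE_PROJECTS, FIELDS, neutralize=False)
    safe = write_csv(SAMPLE_PROJECTS, FIELDS, neutralize=True)
    return {
        "raw_hits": find_formula_cells(raw),
        "safe_hits": find_formula_cells(safe),
        "safe_csv": safe,
    }


if __name__ == "__main__":
    result = demo()
    print("cells still dangerous in raw export:", result["raw_hits"])
    print("cells still dangerous in neutralized export:", result["safe_hits"])
    print(result["safe_csv"])
```

The prefix is applied to harmless values as well (a name beginning with "-" or an owner beginning with "@"), so a script that post-processes the export should strip a leading quote before parsing numbers; the protection only matters for spreadsheet consumers, since plain-text tools see the quote as ordinary data.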

Delete a Remediation Goal

Required Tenable Vulnerability Management User Role: Basic User, Scan Operator, Standard, Scan
Manager, or Administrator

To delete a remediation goal:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Act section, click Remediation.

The Remediation page appears. By default, the Remediation Projects tab is active.

3. Click the Remediation Goals tab.

The Remediation Goals page appears.

4. To delete one or more remediation goals:

To delete a single remediation goal:

a. Do one of the following:

• In the Remediation Goals table, in the Actions column, click the button in the row for
the goal you want to delete.

The action buttons appear in the row.

• In the Remediation Goals table, select the check box next to the remediation goal that
you want to delete.

In the action bar, Tenable Vulnerability Management enables More > Delete.

• In the Remediation Goals table, right-click the row for the goal you want to delete.

The action options appear next to your cursor.

b. Click Delete.

To delete multiple remediation goals:

a. In the Remediation Goals table, select the check boxes for the remediation goals that you
want to delete.

Tenable Vulnerability Management enables the Delete button in the action bar.

b. Click Delete.

Tenable Vulnerability Management deletes the selected remediation goals.

Solutions
Tenable provides recommended solutions for all vulnerabilities on your network. You can sort
recommended solutions by VPR to identify your highest priority solutions, then drill into the solution
details to understand the steps to address the vulnerability on your network.

Note: You cannot view solution details without a Tenable Lumin license. For more information, see
Welcome to Tenable Lumin.

View Solutions

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable provides recommended solutions for all vulnerabilities on your network. You can sort
recommended solutions by Vulnerability Priority Rating (VPR) to identify your highest priority
solutions, then drill into the solution details to understand the steps to address the vulnerability on
your network.

Addressing a vulnerability instance lowers your Cyber Exposure Score (CES) and Asset Exposure
Score (AES) metrics.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely
by plugin ID, port, and protocol.

To view solutions in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Solutions.

The Solutions page appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

On this page, you can:

Filters: Filter the data displayed in the table.

Saved Searches drop-down box:

• Load or edit an existing saved search.

• Save a new saved search.

Export: Export solutions as a .csv file.

Solutions table:

• View information about each solution.

  • Solution — A description of the solution.

  • Assets Affected — The total number of assets affected by the vulnerabilities addressed
  by the solution.

  • CVE Count — The number of CVEs included in the solution.

  • VPR — The highest VPR for the vulnerabilities addressed by the solution.

  • CVSS — The highest CVSSv2 score (or CVSSv3 score, when available) for the
  vulnerabilities addressed by the solution.

• To view details for a solution, click a solution row.

  The Solution Details page appears. For more information, see Solution Details.

• To sort, increase or decrease the number of rows per page, or navigate to another page of
the table, see Tenable Vulnerability Management Tables.
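As an added illustration of how the Solutions table columns are derived (example code, not Tenable's implementation), the following Python groups a constructed set of vulnerability instances by recommended solution and computes Assets Affected, CVE Count, CVE Instances (unique per asset by plugin ID, port and protocol, as the Tip above defines an instance), the highest VPR, and the highest CVSS, preferring CVSSv3 when available. The plugin IDs and CVE identifiers in the sample are placeholders, not real ones.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance: unique per asset by plugin ID, port and protocol."""
    asset_id: str
    plugin_id: int          # placeholder plugin IDs in the sample below
    port: int
    protocol: str
    solution: str
    cves: tuple             # CVE identifiers; empty when the plugin has none
    vpr: Optional[float]    # VPR is absent for some vulnerabilities
    cvss2: Optional[float]
    cvss3: Optional[float]


def preferred_cvss(f: Finding) -> Optional[float]:
    """CVSSv3 score when available, otherwise CVSSv2, as the CVSS column is defined."""
    return f.cvss3 if f.cvss3 is not None else f.cvss2


def rollup_solutions(findings) -> list:
    """Group findings by recommended solution and compute the Solutions table columns."""
    by_solution = defaultdict(list)
    for f in findings:
        by_solution[f.solution].append(f)

    rows = []
    for solution, group in by_solution.items():
        instances = {(f.asset_id, f.plugin_id, f.port, f.protocol) for f in group}
        cves = {c for f in group for c in f.cves}
        vprs = [f.vpr for f in group if f.vpr is not None]
        cvss = [s for s in (preferred_cvss(f) for f in group) if s is not None]
        rows.append({
            "solution": solution,
            "assets_affected": len({f.asset_id for f in group}),
            "cve_count": len(cves),
            "cve_instances": len(instances),
            "vpr": max(vprs) if vprs else None,
            "cvss": max(cvss) if cvss else None,
        })
    # highest VPR first; solutions with no VPR at all sink to the bottom
    rows.sort(key=lambda r: (r["vpr"] is None, -(r["vpr"] or 0.0)))
    return rows


# Constructed findings with placeholder plugin IDs and CVE identifiers.
SAMPLE_FINDINGS = [
    # the same OpenSSL plugin on two ports of web-01 and once on web-02: 3 instances, 2 assets
    Finding("web-01", 900001, 443, "tcp", "Upgrade OpenSSL",
            ("CVE-0000-0001", "CVE-0000-0002"), 6.7, 5.0, 7.5),
    Finding("web-01", 900001, 8443, "tcp", "Upgrade OpenSSL",
            ("CVE-0000-0001", "CVE-0000-0002"), 6.7, 5.0, 7.5),
    Finding("web-02", 900001, 443, "tcp", "Upgrade OpenSSL",
            ("CVE-0000-0001", "CVE-0000-0002"), 6.7, 5.0, 7.5),
    # Log4j detection carrying a CVSSv2 score only
    Finding("db-01", 900002, 0, "tcp", "Upgrade Log4j", ("CVE-0000-0003",), 9.9, 10.0, None),
    # default credentials: no CVE, no VPR, CVSSv3 only
    Finding("db-01", 900003, 22, "tcp", "Change default credentials", (), None, None, 9.8),
]


if __name__ == "__main__":
    for row in rollup_solutions(SAMPLE_FINDINGS):
        print(row)
```

Sorting by the highest VPR in each group is what puts the Log4j solution first even though the OpenSSL solution touches more assets and instances; a solution whose vulnerabilities have no VPR keeps its CVSS value but drops to the end of the list.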

Solutions Filters

Required Additional License: Tenable Lumin

On the Solutions page, you can filter vulnerabilities using Tenable-provided filters and filters based
on asset tags.

Tenable-provided Filters
Tenable Vulnerability Management provides the following solutions filters:

ACR Score: The ACR of assets associated with the solution.

ACR Severity: The ACR severity of assets associated with the solution.

AES Severity: The AES severity of assets associated with the solution.

Asset Count: The number of assets impacted by the solution.

Asset ID: The UUID of assets associated with the solution. This value is unique to Tenable
Vulnerability Management.

CVE Count: The number of Common Vulnerabilities and Exposures (CVE) identifiers associated with
the solution.

CVSS: The Common Vulnerability Scoring System (CVSS) score of vulnerabilities associated with the
solution.

CVSS Severity: The Common Vulnerability Scoring System (CVSS) severity of vulnerabilities
associated with the solution.

Family: The plugin family associated with the solution.

Hostname: The hostname of the asset associated with the solution.

Note: Ensure the search query does not end in a period.

License Status: The licensing status of assets associated with the solution.

Solution: A brief summary of how you can remediate the vulnerability.

VPR: The Vulnerability Priority Rating (VPR) of vulnerabilities associated with the solution.

VPR Severity: The Vulnerability Priority Rating (VPR) severity of vulnerabilities associated
with the solution.

Tag Filters
In Tenable Vulnerability Management, tags allow you to add descriptive metadata to assets that
helps you group assets by business context. For more information, see Tags.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list,
after the Tenable-provided filters.

Export Solutions

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In the new interface, the export feature allows you to export solution data in .csv file format.

To export solutions as a .csv file:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Solutions.

The Solutions page appears.

3. In the upper-right corner, click Export.

The Export plane appears.

4. View the selected format for the export: CSV.

5. Click the check box next to the Data option you want included in the export file.

Solutions: Includes solutions data.

Details: Includes solutions data and data for the affected assets for which Tenable recommends
the solutions.

6. Click Export.

Tenable Vulnerability Management begins processing the report. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
report.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

7. Access the export file via your browser's downloads directory.

View Solution Details

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use this page to view details for a solution, including asset and vulnerability information.

To view solution details in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Solutions.

The Solutions page appears.

3. Click a solution row.

The Solution Details page appears.

On this page, you can:

Summary panel

Metrics summary: View summary statistics for the recommended solution.

• Assets Affected — The total number of assets affected by the vulnerabilities addressed by
the solution.

• CVE Count — The total number of CVEs included in the solution.

• CVE Instances — The total number of vulnerability instances addressed by the solution.

• VPR — The highest VPR for a vulnerability included in the solution.

• CVSS V2/V3 Base Score — The highest CVSSv2 score (or CVSSv3 score, when available) for the
vulnerabilities addressed by the solution.

Vulnerabilities Included (#) table:

• View all vulnerabilities addressed by the solution.

  • Identifier — The vulnerability identifier: the CVE (if available), the TVI, or the plugin
  ID.

  • VPR — The VPR for the vulnerability.

  • CVSS — The CVSSv2 score (or CVSSv3 score, when available) for the vulnerability.

  • Assets Affected — The total number of assets affected by the vulnerability.

• To view details about a vulnerability, click a vulnerability row.

  The vulnerability details plane appears. On this plane, you can:

  • View a summary of the vulnerability.

  • View information about the key drivers Tenable used to calculate the VPR for this
  vulnerability.

  • View a graph that shows the VPR adjustments over the past 30 days, compared to the static
  CVSSv2 score (or CVSSv3 score, when available).

  • View additional information about the vulnerability, including the TVI.

• To navigate to another page of the table, see Tenable Vulnerability Management Tables.

Assets Affected tab

ACR tiles: View the ACR severity tiles, which summarize the number of affected assets in the
Low, Medium, High, Critical, or Unclassified ACR category.

Assets Affected table:

• View asset information.

  • Asset — The asset identifier, assigned based on the availability of specific attributes
  in logical order.

  • IP — The asset's IP address.

  • ACR — The asset's ACR.

  • CVE Count — The total number of CVEs on the asset.

  • OS — The asset's operating system.

  • Detection Source — The scanner type that first scanned the asset.

• To view details for an asset, click an asset row.

  The Asset Details page appears. For more information, see View Asset Details.

• To filter the assets displayed in the table, see Filter a Table.

  Tenable Vulnerability Management refreshes the table.

• To sort, increase or decrease the number of rows per page, or navigate to another page of
the table, see Tenable Vulnerability Management Tables.

Tenable Container Security Dashboard

Important: Tenable has announced the End of Life for Legacy Container Security. You can continue to
access the application and receive support through September 30, 2024. Tenable recommends that you
move to the current version of Container Security immediately (available through the new Cloud Security
tile). For more information, see the End of Life bulletin.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Container Security dashboard acts as landing page for Tenable Container Security. This
dashboard contains widgets that show high-level information about your containers, images and
image repositories, and policies. Click a widget on the dashboard to view details about the item
type or to import data items (for example, images) into Tenable Container Security.

Note: For information about how Tenable Container Security evaluates risks for your assets, see Risk
Metrics in Tenable Container Security.

From the Container Security dashboard you can:

Tenable Container Security Scanner Scanning Overview


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Configure Tenable Container Security scans to collect data about your containers for analysis.
Depending on your organization, one person may perform all the steps, or several people may share
the steps.

To configure Tenable Container Security scans:

1. Import and scan your container images.

• If you want to upload a specific image to Tenable Container Security for scanning,
download the image from your external registry and push the image to Tenable
Container Security.

• If you want to import all the images from a registry to Tenable Container Security for
scanning, configure a connector to import images from a registry.

Note: If you use a connector to import and scan your images, Tenable Container
Security may take up to several hours to display your images on the dashboard.
If your images do not appear on the dashboard within 24 hours of when you begin
the import, contact Tenable Support.

• If you want to scan an image directly from your organization's local registry, or from your
machine, download and run the Tenable Container Security Scanner.

The amount of time Tenable Container Security takes to scan the images in your registry and
display the results depends on the size and number of images you scan.

Note: The data Tenable Container Security retains when you import an image depends on the import
method you use.

• Docker command or connector — Tenable Container Security retains the image itself, as
well as all metadata associated with the image (for example, image layers and software
packages on the image).

• Container Security Scanner — Tenable Container Security retains only the metadata
associated with the image.

When you delete the image, Tenable Container Security removes the entire image and all
image metadata.

2. Navigate the Tenable Container Security dashboard to view and manage your scan data.

Note: Tenable Container Security imports and rescans your images at regular intervals, beginning when
you first import and scan the images.

Log in to Tenable Container Security via the Docker CLI

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

You can use a Docker command to log in to Tenable Container Security Scanner to push images via
the Docker command-line interface (CLI).

To navigate the interface and use other features, log in via the Tenable Vulnerability Management
interface. For more information, see Log in to Tenable Vulnerability Management.

Before you begin:

• Obtain credentials for your Tenable Vulnerability Management user account.

Note: If you are an administrator logging in to your Tenable Vulnerability Management instance for
the first time, Tenable provides your first-time credentials during setup. After you log in for the first
time, you can set your new password. If you are logging in to Tenable Vulnerability Management after
initial setup, your username is the email address you used to register for your Tenable Vulnerability
Management account.

• Review the System Requirements in the General Requirements User Guide and confirm that
your computer and browser meet the requirements.

To log in to Tenable Container Security via a Docker command:

1. Generate your API access and secret keys.

2. In the Docker CLI, run the following command:

docker login registry.cloud.tenable.com

The CLI prompts you to provide a username.

3. Type your API access key.

4. Press Enter.

The CLI prompts you to provide a password.

5. Type your API secret key.

6. Press Enter.

The Docker CLI logs you in to the Tenable Container Security registry.

Push a Container Image to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Use Docker commands to download the image from the external registry where it resides and
import it to Tenable Container Security.

The amount of time Tenable Container Security takes to scan the images in your registry and
display the results depends on the size and number of images you scan.

Before you begin:

• Log in to Tenable Vulnerability Management Container Security via the Docker command.

To push a container image to Tenable Container Security:

1. In the CLI, run the following command to download the image from an external registry:

docker pull alpine:latest

2. In the CLI, run the following command to add the registry.cloud.tenable.com tag.

docker tag alpine:latest registry.cloud.tenable.com/alpine:latest

Note: The registry.cloud.tenable.com tag prompts Docker to push the image to Tenable
Container Security. If you do not add the registry.cloud.tenable.com tag, Docker automatically
pushes the image to the Docker central repository.

3. In the CLI, run the following command to push the tagged image to Tenable Container
Security.

docker push registry.cloud.tenable.com/alpine:latest

Docker pushes the image to Tenable Container Security. Tenable Container Security scans the
images for vulnerabilities.

Note: When you import container images to scan, Tenable Container Security may abort
the scan if the scan has been running for 60 minutes. If this happens, Scan Failed appears
on the Images page in the Vulnerabilities and Malware columns for the aborted images.
If Tenable Container Security aborts your scan, try simplifying your images before you
import them, as described in the Docker Documentation. Alternatively, you can use the
Tenable Container Security Scanner to scan your images without importing them to
Tenable Container Security.
If Tenable Container Security still aborts your scan, contact Tenable Support.

What to do next:
• View the results of your scan, as described in View Scan Results for Container Images.

Push from Bamboo to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Bamboo to Tenable Container
Security.

These steps assume you are already comfortable using Bamboo and are already pushing Docker
images to a public or private registry. If you are already using Bamboo, but have not built Docker
container images, familiarize yourself with the Bamboo documentation Configuring the Docker task
in Bamboo.

Steps
1. Create a new Docker task for the relevant job.

2. In the Task box, type a description for the task.

3. Depending on whether you want the task to run, select or clear the Disable this task check
box.

4. Select Push a Docker image to a Docker registry command and complete the settings.

Tenable Vulnerability Management sends the Bamboo builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from CircleCI to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from CircleCI to Tenable Container
Security.

These steps assume you are already comfortable using CircleCI and are already pushing Docker
images to a public or private registry. If you are already using CircleCI, but have not built Docker
container images, familiarize yourself with the CircleCI documentation Continuous Integration and
Delivery with Docker.

Information about the circle.yml file:

If you are using CircleCI to build Docker container images, you should have a circle.yml file in
your project source control repository that looks similar to the following example:

machine:
  services:
    - docker

dependencies:
  override:
    - docker info
    - docker build -t circleci/elasticsearch .

test:
  override:
    - docker run -d -p 9200:9200 circleci/elasticsearch; sleep 10
    - curl --retry 10 --retry-delay 5 -v http://localhost:9200

deployment:
  hub:
    branch: master
    commands:
      - docker push circleci/elasticsearch

The following lines in circle.yml instruct CircleCI to use Docker for the build process:

machine:
  services:
    - docker

The following lines in circle.yml instruct CircleCI to build the elasticsearch image in the
circleci/ repository:

dependencies:
  override:
    - docker info
    - docker build -t circleci/elasticsearch .

The following are the most important lines for adding Tenable Container Security integration to
CircleCI environments. These lines instruct CircleCI to use Docker to log in to the registry (in this
case to Docker Hub, since no private registry is specified) and push circleci/elasticsearch to
the registry:

deployment:
  hub:
    branch: master
    commands:
      - docker login -u $DOCKER_USER -p $DOCKER_PASS
      - docker push circleci/elasticsearch

Steps

1. To add environment variables for the project in the CircleCI console, open the project, click
Project Settings, then click Environment Variables.

2. Define the following variables:

Variable                                Description

TENABLE_IO_CONTAINER_SECURITY_EMAIL     The email that you use to log in to Tenable Container Security.

TENABLE_IO_CONTAINER_SECURITY_USER      The username that you use to log in to Tenable Container
                                        Security. You can find this on the Settings page in Tenable
                                        Container Security.

TENABLE_IO_CONTAINER_SECURITY_ENDPOINT  For hosted cloud users of Tenable Container Security, this value
                                        is registry.cloud.tenable.com.

3. To add support for Tenable Container Security, update the circle.yml file as follows:

machine:
  environment:
    VERSION: 2.1.1
    TAG: ${VERSION}
  services:
    - docker

dependencies:
  override:
    - docker info
    - docker version
    - docker build -t $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT/circleci/elasticsearch .

test:
  override:
    - docker run -d -p 9200:9200 $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT/circleci/elasticsearch; sleep 10
    - curl --retry 10 --retry-delay 5 -v registry.cloud.tenable.com

deployment:
  hub:
    branch: master
    commands:
      # Log in to the Tenable registry (without the endpoint argument, docker login targets Docker Hub)
      - docker login -u $TENABLE_IO_ACCESS_KEY -p $TENABLE_IO_SECRET_KEY $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT
      - docker tag $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT/circleci/elasticsearch $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT/circleci/elasticsearch:${TAG}
      - docker push $TENABLE_IO_CONTAINER_SECURITY_ENDPOINT/circleci/elasticsearch:${TAG}
      - docker logout

Tenable Vulnerability Management sends the CircleCI builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Codeship to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Codeship to Tenable Container
Security.

These steps assume you are already comfortable using Codeship and are already pushing Docker
images to a public or private registry. If you are already using Codeship, but have not built Docker
container images, familiarize yourself with the Codeship documentation Pushing to a remote
registry.

Steps
1. Edit the codeship-services.yml file to use the repository name and image name specified
in Tenable Container Security.

app:
  build:
    image: repository_name/image_name
    dockerfile_path: Dockerfile

Note: If this is the first time you are pushing an image into the repository, there is not a
preconfigured image name. The image name is added automatically after the push from Codeship.

2. Edit the service section of the codeship-steps.yml file to look similar to the following
example:

- service: app
  type: push
  image_name: repository_name/image_name
  registry: registry.cloud.tenable.com
  encrypted_dockercfg_path: dockercfg.encrypted

Tenable Vulnerability Management sends the Codeship builds to Tenable Container Security
for storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Distelli to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Distelli to Tenable Container Security
using the Distelli WebUI Manifest.

These steps assume you are already comfortable using Distelli and are already pushing Docker
images to a public or private registry. If you are already using Distelli, but have not built Docker
container images, familiarize yourself with the Distelli documentation on the Distelli Manifest. You
can use the Distelli manifest file by either using the Distelli WebUI Manifest, or by editing the
distelli-manifest.yml file directly.

Steps
1. Log in to Distelli and navigate to an application.

2. Click the Manifest tab.

The Build section shows content similar to the following example:

docker build --quiet=false -t $DOCKER_REPO:$DISTELLI_BUILDNUM .
docker login -u $DOCKER_USERNAME -p $DOCKER_PW
docker push $DOCKER_REPO:$DISTELLI_BUILDNUM

3. To add support for Tenable Container Security, modify the Build section to look like the
following example:

docker build --quiet=false -t $TENABLE_IO_CONTAINER_SECURITY_REPO:$DISTELLI_BUILDNUM .
docker login -u $TENABLE_IO_ACCESS_KEY -p $TENABLE_IO_SECRET_KEY registry.cloud.tenable.com
docker push $TENABLE_IO_CONTAINER_SECURITY_REPO:$DISTELLI_BUILDNUM

This modification adds the Tenable Container Security URI to docker login.

Tenable Vulnerability Management sends Distelli builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Drone.io to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Drone.io to Tenable Container
Security.

These steps assume you are already comfortable using Drone.io and are already pushing Docker
images to a public or private registry. For more information about Drone.io, see the Drone.io
Documentation.

If you use Drone.io to build Docker container images, you should already have a build script (usually
a build.sh file) that looks like the following:

$ docker build -t docker-registry/image-name .
$ docker push docker-registry/image-name

Steps
1. Open the build.sh file.

2. Append a docker login directive before the docker push directive in the script, as in the
following example:

$ docker build -t docker-registry/image-name .
$ docker login -u $TENABLE_IO_ACCESS_KEY -p $TENABLE_IO_SECRET_KEY registry.cloud.tenable.com
$ docker push docker-registry/image-name

Tenable Vulnerability Management sends Drone.io builds for this project to Tenable Container
Security for storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Jenkins to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Jenkins to Tenable Container
Security.

These steps assume you are already comfortable using Jenkins and are already pushing Docker
images to a public or private registry. If you are already using Jenkins, but have not built Docker
container images, familiarize yourself with the documentation for the Jenkins CloudBees Docker
Build and Publish plugin.

To install the CloudBees Docker Build and Publish plugin:

1. Log in to Jenkins.

2. Click Manage Jenkins, then click Manage Plugins.

3. Click Installed.

A list of installed plugins appears.

4. Click Available.

5. In the Filter box, type CloudBees Docker Build and Publish plugin.

6. Select the check box that corresponds to the plugin.

7. Install the plugin.

The CloudBees Docker Build and Publish plugin is installed and ready for use by Jenkins jobs.

Steps
1. On the Jenkins dashboard, select the job you want to modify.

2. Click Configure.

3. In the Build section, click Add build step.

4. In the drop-down box, select Docker Build and Publish.

5. Type the details for the following configuration parameters:

• Repository Name: The repository name and image name. For example, if you build a
rabbitmq container image, you can name the repository rabbitmq and the image
rabbitmq. In this example, in the Repository Name box, type rabbitmq/rabbitmq.

• Tag: The tag name. The simplest tag name to use is latest.

• Docker Host URI: The Jenkins path to the Docker Host. If the Docker Host is running on
localhost, then in the Docker Host URI box, type tcp://127.0.0.1:4243.

• Docker registry URL: The Tenable Container Security API endpoint, which in this case is
registry.cloud.tenable.com.

• Registry credentials: The registry credentials that you select from the box.

Adding registry credentials


1. Click Add.

2. Click Username with password.

3. In the Username box, type your Tenable Container Security username.

4. In the Password box, type your Tenable Container Security password.

5. Click Add.

The credentials are added.

6. Click Save.

Tenable Vulnerability Management sends the Jenkins builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Shippable to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Shippable to Tenable Container
Security.

These steps assume you are already comfortable using Shippable and are already pushing Docker
images to a public or private registry. If you are already using Shippable, but have not built Docker
container images, familiarize yourself with the Shippable documentation.

Steps
1. Log in to Shippable.

2. In the upper-right corner of the screen, click the Account Settings button.

3. Click Integrations, and then click Add Integration.

4. In the Master Integration section, click Private Docker Registry.

5. In the Name box, type Tenable Container Security.

6. In the URL box, type registry.cloud.tenable.com.

7. In the Username box, type your Tenable Container Security username.

8. In the Password box, type your Tenable Container Security password.

9. In the Email box, type the email address associated with your Tenable Container Security
account.

10. Click Save.

Your Tenable Container Security account is now available for hosting container images built
by Shippable.

11. Access your project page, and click Settings.

12. Click Hub, and select the Tenable Container Security integration that you created.

13. In the Push Build field, click Yes.

14. In the Push image to box, type the name of your repository and image in Tenable Container
Security (for example, testrepo/nodejs).

15. In the Push Image Tag box, select from the following options: default, commitsha, or latest.

16. Click Save.

Tenable Vulnerability Management sends Shippable builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Solano Labs to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Solano Labs to Tenable Container
Security.

These steps assume you are already comfortable using Solano Labs and are already pushing Docker
images to a public or private registry. If you are already using Solano Labs, but have not built Docker
container images, familiarize yourself with the Solano Labs documentation.

Note: Solano Labs support for building Docker container images is in private beta. For customers
interested in participating, Solano Labs recommends contacting Solano Labs support.

Steps
1. Open the solano.yml file, which should look similar to the following example:

# Use docker-enabled workers (currently private beta - contact [email protected])
system:
  docker: true
python:
  python_version: 2.7
hooks:
  pre_setup: |
    set -ex
    sudo apt-get update -qq
    sudo docker pull jenkins
    sudo docker build -t myrepo/jenkins-dsl-ready:my .
tests:
  - python -m doctest build/resolve_jenkins_plugins_dependencies.py

2. Add a post_build phase with your Tenable Container Security username.

# Use docker-enabled workers (currently private beta - contact [email protected])
system:
  docker: true
python:
  python_version: 2.7
hooks:
  pre_setup: |
    set -ex
    sudo apt-get update -qq
    sudo docker pull jenkins
    sudo docker build -t myrepo/jenkins-dsl-ready .
  post_build: |
    docker login -u $TENABLE_IO_ACCESS_KEY -p $TENABLE_IO_SECRET_KEY registry.cloud.tenable.com
    docker push myrepo/jenkins-dsl-ready
tests:
  - python -m doctest build/resolve_jenkins_plugins_dependencies.py

Tenable Vulnerability Management sends the Solano Labs builds to Tenable Container Security
for storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Travis CI to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Travis CI to Tenable Container
Security.

These steps assume you are already comfortable using Travis CI and are already pushing Docker
images to a public or private registry. If you are already using Travis CI, but have not built Docker
container images, familiarize yourself with the Travis CI documentation Using Docker in Builds.

Click here for information about the travis.yml file.

If you are using Travis CI to build Docker container images, you should have a travis.yml file in
your project source control repository that looks similar to:

sudo: required
language: ruby
services:
  - docker
before_install:
  - docker build -t carlad/sinatra .
  - docker run -d -p 127.0.0.1:80:4567 carlad/sinatra /bin/sh -c "cd /root/sinatra; bundle exec foreman start;"
  - docker ps -a
  - docker run carlad/sinatra /bin/sh -c "cd /root/sinatra; bundle exec rake test"
script:
  - bundle exec rake test

The following lines in travis.yml instruct Travis CI to use Docker for the build process:

sudo: required
services:
  - docker

The following lines in travis.yml instruct Travis CI to build the sinatra image in the carlad/
repository:

before_install:
  - docker build -t carlad/sinatra .

Steps
1. Open the travis.yml file.

2. Add your Tenable Container Security credentials.

$ travis encrypt [email protected]
$ travis encrypt TENABLE_IO_CONTAINER_SECURITY_USER=username
$ travis encrypt TENABLE_IO_CONTAINER_SECURITY_PASSWORD=password

3. Add your environment variables.

env:
  global:
    - secure: "UkF2CHX0lUZ...VI/LE=" # TENABLE_IO_CONTAINER_SECURITY_EMAIL
    - secure: "Z3fdBNPt5hR...VI/LE=" # TENABLE_IO_CONTAINER_SECURITY_USER
    - secure: "F4XbD6WybHC...VI/LE=" # TENABLE_IO_CONTAINER_SECURITY_PASSWORD
    - COMMIT=${TRAVIS_COMMIT::8}

4. Add your connection information.

after_success:
  - docker login -u $TENABLE_IO_CONTAINER_SECURITY_EMAIL -p $TENABLE_IO_CONTAINER_SECURITY_PASSWORD registry.cloud.tenable.com
  - export REPO=web-login-site/web-login-site
  - export TAG=`if [ "$TRAVIS_BRANCH" == "master" ]; then echo "latest"; else echo $TRAVIS_BRANCH; fi`
  - docker build -f Dockerfile -t $REPO:$COMMIT .
  - docker tag $REPO:$COMMIT registry.cloud.tenable.com/$REPO:$TAG
  - docker tag $REPO:$COMMIT registry.cloud.tenable.com/$REPO:travis-$TRAVIS_BUILD_NUMBER
  - docker push registry.cloud.tenable.com/$REPO:travis-$TRAVIS_BUILD_NUMBER
  - docker push registry.cloud.tenable.com/$REPO:$TAG

Tenable Vulnerability Management sends the Travis CI builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.

Push from Wercker to Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Before You Begin


These instructions describe how to push a Docker image from Wercker to Tenable Container
Security.

These steps assume you are already comfortable using Wercker and are already pushing Docker
images to a public or private registry. If you are already using Wercker, but have not built Docker
container images, familiarize yourself with the Wercker documentation.

Steps
1. In your project source control repository, open the wercker.yml file.

2. Add support for Tenable Container Security by changing the deploy directive as follows:

deploy:
  steps:
    - internal/docker-push:
        username: $USERNAME
        password: $PASSWORD
        tag: my-amazing-tag
        repository: turing/bar
        registry: registry.cloud.tenable.com

Tenable Vulnerability Management sends the Wercker builds to Tenable Container Security for
storage, distribution, vulnerability scanning, and malicious code scanning.
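The Docker CLI login, the Push a Container Image procedure and the CI snippets above all share the same shape: log in to registry.cloud.tenable.com, tag the image with that registry prefix, push. The following POSIX shell script is an added example, not Tenable's code and not any CI vendor's, that packages the flow as reusable functions. It derives the tag from the branch the way the Travis CI snippet does, refuses to push any reference that is not qualified with the Tenable registry (an unqualified push lands on Docker Hub, as the note under Push a Container Image warns), and passes the secret key to docker login on stdin rather than with -p, so the key does not appear in the build agent's process list or shell history. The CS_REGISTRY constant, the cs_* function names and the dry-run argument are this example's own; TENABLE_IO_ACCESS_KEY and TENABLE_IO_SECRET_KEY are the variable names the CI examples on this page use.

```shell
#!/bin/sh
# Added example (not Tenable's or any CI vendor's code): a pre-push helper for CI jobs
# that send images to Tenable Container Security.
# Assumptions: CS_REGISTRY, the cs_* functions and the "dry" argument are this example's
# own; TENABLE_IO_ACCESS_KEY and TENABLE_IO_SECRET_KEY are the variable names used by
# the CI snippets on this page.

CS_REGISTRY="registry.cloud.tenable.com"

# cs_tag BRANCH: "latest" for master (as in the Travis CI snippet), otherwise the
# branch name with characters that are not valid in an image tag replaced by '-'.
cs_tag() {
    if [ "$1" = "master" ]; then
        echo "latest"
    else
        printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_.-]/-/g'
    fi
}

# cs_ref REPO TAG: the fully qualified reference inside the Tenable registry.
cs_ref() {
    printf '%s/%s:%s\n' "$CS_REGISTRY" "$1" "$2"
}

# cs_check_ref REF: succeed only if REF carries the Tenable registry prefix. Without
# the prefix, docker push sends the image to Docker Hub instead.
cs_check_ref() {
    case "$1" in
        "$CS_REGISTRY"/*) return 0 ;;
        *) echo "refusing to push '$1': not qualified with $CS_REGISTRY" >&2; return 1 ;;
    esac
}

# cs_run CMD...: run the command, or only print it when CS_DRY_RUN is non-empty.
cs_run() {
    if [ -n "$CS_DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# cs_push REPO BRANCH COMMIT [dry]: build, tag, check and push. A fourth argument turns
# on dry-run mode, in which the docker commands are printed instead of executed.
cs_push() {
    repo=$1; branch=$2; commit=$3; CS_DRY_RUN=${4:-}
    tag=$(cs_tag "$branch")
    ref=$(cs_ref "$repo" "$tag")
    cs_check_ref "$ref" || return 1
    if [ -n "$CS_DRY_RUN" ]; then
        echo "docker login -u $TENABLE_IO_ACCESS_KEY --password-stdin $CS_REGISTRY"
    else
        # The secret key goes in on stdin rather than via -p, so it is not visible
        # in `ps` output or in the shell history of the build agent.
        printf '%s' "$TENABLE_IO_SECRET_KEY" |
            docker login -u "$TENABLE_IO_ACCESS_KEY" --password-stdin "$CS_REGISTRY" || return 1
    fi
    cs_run docker build -t "$repo:$commit" . &&
    cs_run docker tag "$repo:$commit" "$ref" &&
    cs_run docker push "$ref" &&
    cs_run docker logout "$CS_REGISTRY"
}

# Stand-alone demonstration: a dry run for a master build that prints the commands.
cs_push web-login-site/web-login-site "${TRAVIS_BRANCH:-master}" "${TRAVIS_COMMIT:-abc1234}" dry
```

In a real job, drop the trailing `dry` argument and let the CI system supply TENABLE_IO_ACCESS_KEY and TENABLE_IO_SECRET_KEY as masked secrets; the explicit `docker logout` at the end removes the stored credential from the agent once the push is done.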

Tenable Container Security Scanner with Kubernetes

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can run the Tenable Container Security Scanner with Kubernetes to scan container images
securely without sending the images outside your organization's network. For more information, see
Tenable Container Security Scanner.

• Tenable Container Security Scanner System Requirements for Kubernetes

• Prepare Kubernetes Objects to Configure and Run the Tenable Container Security Scanner

• Configure and Run the Tenable Container Security Scanner in Kubernetes

Tenable Container Security Scanner System Requirements for Kubernetes

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The machine where you want to run the Tenable Container Security Scanner with Kubernetes must
meet the following requirements:

Software and Hardware Requirements

Software Requirements           RAM     Temporary Storage   CPU
Able to run Linux containers    2 GiB   15 GB               1.5 GHz

Internet: The machine where you want to run the Container Security Scanner must have Internet
access when you download and run the scanner.

SSL Certificate Requirements


If the registry that hosts your images requires the HTTPS protocol, you must have an SSL
certificate signed by a trusted Certificate Authority (CA) installed on the registry. Refer to your
registry's documentation for installing an SSL certificate.

Note: Mozilla's CA Certificate Store is the Tenable Container Security Scanner's trusted certificate
authority.

Note: If you want the Container Security Scanner to scan the registry without verifying that a trusted CA
signed the certificate, you must include the ALLOW_INSECURE_SSL_REGISTRY variable when you run the
scanner. For more information, see Environment Variables.

Prepare Kubernetes Objects to Configure and Run the Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You must prepare your Kubernetes namespace and secret objects before you can configure and run
the Container Security Scanner in Kubernetes. The Container Security Scanner refers to these
objects when it scans an image in Kubernetes.

Secrets contain sensitive information associated with the TENABLE_ACCESS_KEY, TENABLE_SECRET_KEY,
REGISTRY_USERNAME, and REGISTRY_PASSWORD environment variables described in Environment
Variables. To run the Container Security Scanner in Kubernetes, you must configure these secrets
and deploy them to the registry where the image you want to scan is stored.

For more information about how to create objects in Kubernetes, see the Kubernetes
documentation at kubernetes.io.

Before you begin:
• Download the Container Security Scanner, as described in Download the CS Scanner.

To prepare Google Kubernetes Engine (GKE) to configure and run the Container
Security Scanner:

1. Log in to the CLI on the machine where you want to configure and run the Container
Security Scanner.

2. In a text editor, create a namespace file (tiocsscanner-namespace.yaml) for your CS
Scanner (see the following tiocsscanner-namespace.yaml file).

tiocsscanner-namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: tiocsscanner
  labels:
    name: tiocsscanner

3. Save and close the file.

4. In the CLI, run the following command to deploy the tiocsscanner-namespace.yaml file to
GKE:

kubectl apply -f tiocsscanner-namespace.yaml

Tenable Vulnerability Management configures and deploys your namespace.

Note: The above command works only if you save the file to the current working directory.
If you save the file somewhere other than the working directory, include the full path
directory in the command. For example:
kubectl apply -f /home/jsmith/images/tiocsscanner-namespace.yaml

5. Configure secrets for your Tenable Vulnerability Management access and secret keys. For
example:

kubectl create secret generic tio \
--from-literal=username=<Your Tenable Vulnerability Management access key> \
--from-literal=password=<Your Tenable Vulnerability Management secret key> \
--namespace=tiocsscanner

6. Configure secrets for your Google Container Registry (GCR) registry username and password
(obtained from step 3 and 4 in Prepare your GCP GCR) for the image you want the scanner to
pull. For example:

kubectl create secret generic gcr-registry \
--from-literal=username=<Your gcr registry username> \
--from-literal=password=<Your gcr registry password> \
--namespace=tiocsscanner

7. Deploy your secrets to the registry where the image you want to scan is stored. For example,
configure secrets for the registry where the Tenable Container Security scanner image is
stored:

kubectl create secret docker-registry jfrog-tio \
--docker-server=https://tenableio-docker-consec-local.jfrog.io \
--docker-username=<tenable jfrog username obtained from the Tenable Container Security console> \
--docker-password=<tenable jfrog password obtained from the Tenable Container Security console> \
--docker-email=<Your email address> \
--namespace=tiocsscanner

Your secrets are deployed to the registry.

What to do next:
• Configure and run the Container Security Scanner in Kubernetes, as described in Configure
and Run the CS Scanner in Kubernetes.
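Steps 5 and 6 above pass the access key, secret key and registry password as kubectl command-line arguments, where they are recorded in shell history and visible in the process list while the command runs. An alternative that keeps them off the command line is to generate the Secret manifests from environment variables and apply the resulting file. The following POSIX shell script is an added example, not Tenable's own tooling: it writes the tio and gcr-registry Secret objects that tiocsscanner-deployment.yaml in the next section references by secretKeyRef, with base64-encoded username and password keys, refuses to emit an empty value, and warns when ALLOW_INSECURE_SSL_REGISTRY is set in the environment, since the SSL Certificate Requirements note says that variable disables verification of the registry certificate. The cs_* function names and the generate argument are this example's own; the variable names TENABLE_ACCESS_KEY, TENABLE_SECRET_KEY, REGISTRY_USERNAME and REGISTRY_PASSWORD are the ones listed under Environment Variables, and tiocsscanner is the namespace created in step 2.

```shell
#!/bin/sh
# Added example (not Tenable's own tooling): generate the tio and gcr-registry Secret
# manifests for the scanner namespace from environment variables, so that key material
# never appears on a kubectl command line.
# Assumptions: the cs_* function names and the "generate" argument are this example's
# own; the variable names match the Environment Variables section of this guide.

CS_NAMESPACE="tiocsscanner"

# cs_b64 VALUE: base64 without line wrapping (Secret data values must be one line).
cs_b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# cs_secret NAME USERNAME PASSWORD: one Opaque Secret with username/password keys,
# matching the secretKeyRef entries in tiocsscanner-deployment.yaml. It fails rather
# than writing an empty value, which would produce a pod that starts and then fails
# to authenticate.
cs_secret() {
    name=$1; user=$2; pass=$3
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "cs_secret: empty username or password for secret '$name'" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $CS_NAMESPACE
type: Opaque
data:
  username: $(cs_b64 "$user")
  password: $(cs_b64 "$pass")
EOF
}

# cs_manifest: both secrets as one multi-document manifest, read from the environment.
cs_manifest() {
    cs_secret tio "$TENABLE_ACCESS_KEY" "$TENABLE_SECRET_KEY" || return 1
    echo "---"
    cs_secret gcr-registry "$REGISTRY_USERNAME" "$REGISTRY_PASSWORD" || return 1
}

# cs_check_tls: warn (and return 1) if ALLOW_INSECURE_SSL_REGISTRY is set, because the
# scanner then skips verifying that a trusted CA signed the registry certificate.
cs_check_tls() {
    if [ -n "${ALLOW_INSECURE_SSL_REGISTRY:-}" ]; then
        echo "warning: ALLOW_INSECURE_SSL_REGISTRY is set; the registry certificate will not be verified" >&2
        return 1
    fi
    return 0
}

# Usage (added example):
#   TENABLE_ACCESS_KEY=... TENABLE_SECRET_KEY=... REGISTRY_USERNAME=... REGISTRY_PASSWORD=... \
#     sh cs-secrets.sh generate > tiocsscanner-secrets.yaml
#   kubectl apply -f tiocsscanner-secrets.yaml && rm tiocsscanner-secrets.yaml
if [ "${1:-}" = "generate" ]; then
    cs_check_tls
    cs_manifest
fi
```

Apply the generated file with `kubectl apply -f` and delete it afterwards: Kubernetes Secret data is base64-encoded, not encrypted, so the manifest is exactly as sensitive as the keys it contains and must not be committed to source control.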

Configure and Run the Tenable Container Security Scanner in Kubernetes

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To scan images with the Container Security Scanner in Kubernetes, create a Kubernetes
deployment file and deploy the file via the CLI on the machine where you want to run the scan.

Before you begin:


l Confirm your machine meets the system requirements, as described in Tenable Container
Security Scanner System Requirements.

l Download the Container Security Scanner, as described in Download the Tenable Container
Security Scanner.

l Prepare Kubernetes to configure and run the Container Security Scanner, as described in
Prepare Kubernetes Objects to Configure and Run the Tenable Container Security Scanner.

To deploy Container Security Scanner to Google Kubernetes Engine (GKE):

1. In a text editor, open a new file.

2. Save the file as tiocsscanner-deployment.yaml.

3. Copy and paste the following text into the tiocsscanner-deployment.yaml file, typing your
specific variables where applicable. For information about the following variables, see
Environment Variables.

Note: The following sample tiocsscanner-deployment.yaml file generally works for Google
Kubernetes Engine (GKE) with Google Container Registry (GCR). The Deployment uses apiVersion
apps/v1, which Kubernetes 1.16 and later require; clusters older than that accepted the
deprecated extensions/v1beta1 value instead, so check the Kubernetes version you are running.

tiocsscanner-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  name: tiocsscanner
  namespace: tiocsscanner
  labels:
    app: tiocsscanner
spec:
  selector:
    app: tiocsscanner
  type: ClusterIP
  ports:
  - name: http
    protocol: TCP
    port: 5000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tiocsscanner
  name: tiocsscanner
  namespace: tiocsscanner
spec:
  minReadySeconds: 10
  replicas: 1
  selector:
    matchLabels:
      app: tiocsscanner
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: tiocsscanner
    spec:
      # Pull secret for the Tenable registry that hosts the scanner image (created in the
      # Prepare Kubernetes Objects procedure).
      imagePullSecrets:
      - name: jfrog-tio
      containers:
      - image: "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"
        name: tiocsscanner
        resources:
          limits:
            cpu: "3"
          requests:
            cpu: "1.5"
            memory: "2Gi"
        args:
        - import-registry
        # Credentials come from the tio and gcr-registry secrets; only the non-secret
        # settings are given as literal values.
        env:
        - name: TENABLE_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: tio
              key: username
        - name: TENABLE_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: tio
              key: password
        - name: REGISTRY_USERNAME
          valueFrom:
            secretKeyRef:
              name: gcr-registry
              key: username
        - name: REGISTRY_PASSWORD
          valueFrom:
            secretKeyRef:
              name: gcr-registry
              key: password
        - name: IMPORT_REPO_NAME
          value: "<variable>"
        - name: REGISTRY_URI
          value: "https://[gcr-domain]/[project]"
        - name: IMPORT_INTERVAL_MINUTES
          value: "<variable>"

Note: If your project name in GCP is myapigw and the registry is in the gcr.io domain, the value of
REGISTRY_URI is "https://gcr.io/myapigw".

4. Save and close the file.

5. In the command-line interface on the machine where you want to run the scan, run the
following command to deploy the file:

kubectl apply -f tiocsscanner-deployment.yaml

Note: The above command works only if you save the file to the current working directory.
If you save the file somewhere other than the working directory, include the full path to the
file in the command. For example:
/home/jsmith/images/tiocsscanner-deployment.yaml

6. Press Enter.

The Container Security Scanner runs on Kubernetes.

7. In the command-line interface, run the following command to confirm that the scanner pod
started:

kubectl get pods --namespace=tiocsscanner

The pod status appears. The scan output itself is written to the pod's log, so check the log
rather than the pod status to confirm that the scan ran successfully.

Note: If the log contains error messages, follow the error prompts to correct the issue.
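Before you apply the file, it is worth checking the manifest for the mistakes that most often bite this deployment. The following script is an added example, not part of the Tenable documentation: it represents the Deployment as the dictionary kubectl would parse from tiocsscanner-deployment.yaml (abbreviated to the fields the checks read, with assumed values for IMPORT_REPO_NAME and REGISTRY_URI) and reports a Deployment apiVersion that Kubernetes 1.16 and later no longer serve, a credential-looking environment variable given as a plain value instead of a secretKeyRef, a missing imagePullSecrets entry, and an image pulled by a mutable tag rather than a digest.

```python
"""Pre-apply checks for the tiocsscanner Deployment manifest.

Added example, not from the Tenable documentation. The manifest is the dictionary kubectl
would parse from tiocsscanner-deployment.yaml, abbreviated to what the checks read.
"""
import copy
import re

# Deployment API groups that were removed in Kubernetes 1.16.
REMOVED_DEPLOYMENT_APIS = {"extensions/v1beta1", "apps/v1beta1", "apps/v1beta2"}
# Env var names that should never carry a literal value.
CREDENTIAL_NAME = re.compile(r"KEY|PASSWORD|SECRET|TOKEN", re.IGNORECASE)


def _from_secret(name, secret, key):
    """An env entry wired to a Kubernetes Secret, as the page's manifest does it."""
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}


# Mirrors the Deployment half of the sample manifest (IMPORT_REPO_NAME and REGISTRY_URI
# values are assumed for the demonstration).
SCANNER_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "tiocsscanner", "namespace": "tiocsscanner"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "tiocsscanner"}},
        "template": {
            "metadata": {"labels": {"app": "tiocsscanner"}},
            "spec": {
                "imagePullSecrets": [{"name": "jfrog-tio"}],
                "containers": [{
                    "name": "tiocsscanner",
                    "image": "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest",
                    "args": ["import-registry"],
                    "env": [
                        _from_secret("TENABLE_ACCESS_KEY", "tio", "username"),
                        _from_secret("TENABLE_SECRET_KEY", "tio", "password"),
                        _from_secret("REGISTRY_USERNAME", "gcr-registry", "username"),
                        _from_secret("REGISTRY_PASSWORD", "gcr-registry", "password"),
                        {"name": "IMPORT_REPO_NAME", "value": "myrepo"},
                        {"name": "REGISTRY_URI", "value": "https://gcr.io/myapigw"},
                    ],
                }],
            },
        },
    },
}


def lint_deployment(manifest):
    """Return finding codes; an empty list means nothing to fix before kubectl apply."""
    if manifest.get("kind") != "Deployment":
        return ["not-a-deployment"]
    findings = []
    api = manifest.get("apiVersion")
    if api in REMOVED_DEPLOYMENT_APIS:
        findings.append(f"removed-apiversion:{api}")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if not pod.get("imagePullSecrets"):
        findings.append("missing-imagepullsecrets")
    for container in pod.get("containers", []):
        image = container.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"unpinned-image:{image}")
        for var in container.get("env", []):
            # A literal `value` on a credential variable bypasses the Secret's RBAC.
            if CREDENTIAL_NAME.search(var.get("name", "")) and "value" in var:
                findings.append(f"plaintext-secret:{var['name']}")
    return findings


def weakened_copy():
    """The same manifest with the mistakes the checks are meant to catch (demonstration only)."""
    bad = copy.deepcopy(SCANNER_DEPLOYMENT)
    bad["apiVersion"] = "extensions/v1beta1"
    pod = bad["spec"]["template"]["spec"]
    pod.pop("imagePullSecrets")
    pod["containers"][0]["env"][1] = {"name": "TENABLE_SECRET_KEY", "value": "<plaintext-key>"}
    return bad


if __name__ == "__main__":
    print("page manifest:", lint_deployment(SCANNER_DEPLOYMENT))
    print("weakened:     ", lint_deployment(weakened_copy()))
```

Pinning cs-scanner by digest trades automatic scanner updates for reproducibility, so if you keep :latest treat the unpinned-image finding as informational. The plaintext-secret check is the one that matters: a value entry for TENABLE_SECRET_KEY is readable by anyone allowed to get Deployments, shows up in kubectl get deploy -o yaml, and lands in any GitOps repository that holds the manifest, whereas a secretKeyRef keeps it behind the Secret's own RBAC.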

What to do next:
l View the results of your scan, as described in View Scan Results for Container Images.

Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Tenable Container Security Scanner (Container Security Scanner) allows you to scan container
images securely without sending the images outside your organization's network. The Container
Security Scanner takes an initial inventory, or snapshot, of the images you want to scan and sends
the inventory to Tenable Vulnerability Management for analysis. You can then view scan data for the
images alongside data for images imported normally to Tenable Vulnerability Management. With the
Container Security Scanner, you can scan:

l A specific image exported from a registry and stored locally on the machine where you install
the scanner.

l All images hosted in a specific registry (for example, a Docker registry).

You can configure and run the Container Security Scanner on any machine that meets the system
requirements.

First, download the Container Security Scanner to your machine. Then, configure and run the
Container Security Scanner. After your scan completes, you can view the scan results in the
Tenable Container Security dashboard.

Tenable Container Security Scanner System Requirements

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The machine where you want to run the Tenable Container Security Scanner must meet the
following requirements.

Software and Hardware Requirements


Deployment Type: Local

Software Requirements: Able to run Linux containers

RAM: 2 GB

Temporary Storage: 15 GB

CPU: 64-bit multi-core, x86 compatible

Internet
The machine where you want to run the Container Security Scanner must have access to the
Internet when you download and run the scanner. The machine must allow outbound HTTPS traffic
for communications with the cloud.tenable.com server.

SSL Certificate Requirements


If the registry that hosts your images requires the HTTPS protocol, you must have an SSL
certificate signed by a trusted Certificate Authority (CA) installed on the registry. Refer to your
registry's documentation for installing an SSL certificate.

Note: The Container Security Scanner trusts the certificate authorities in Mozilla's CA Certificate
Store. A registry certificate issued by a private or internal CA is therefore rejected unless you set
ALLOW_INSECURE_SSL_REGISTRY.

Note: If you want the Container Security Scanner to scan the registry without verifying that a trusted CA
signed the certificate, you must include the ALLOW_INSECURE_SSL_REGISTRY variable when you run the
scanner. For more information, see Environment Variables.

Supported Container Image Formats


The Container Security Scanner supports the following image formats:

l Docker images

l Open Containers Initiative (OCI) images

Download the Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Download the Container Security Scanner Docker image to the machine where you want to
configure and run the Container Security Scanner.

Before you begin:


l Confirm your machine meets the system requirements, as described in CS Scanner System
Requirements.

To download the CS Scanner:

1. In the Connectors section of the Container Security dashboard, click Create.

The Select a Connector plane appears.

2. Under CONTAINER SECURITY, click CS Scanner.

The CS Scanner plane appears with login credentials.

3. Copy the credentials to use later in the download process. They are registry credentials for the
Tenable scanner image repository; do not leave them in screenshots or chat history.

4. In the command-line interface (CLI) on the machine where you want to download the
Container Security Scanner, run the following command:

docker login tenableio-docker-consec-local.jfrog.io

5. Press Enter.

The CLI prompts you to provide a username and password.

6. Enter the username and password provided on the CS Scanner plane.

7. Press Enter.

Docker logs you in to the Tenable registry that hosts the Container Security Scanner image.

8. Type the following to pull the latest version of the Container Security Scanner image:

docker pull tenableio-docker-consec-local.jfrog.io/cs-scanner:latest

9. Press Enter.

What to do next:
l Configure and run the Container Security Scanner, as described in Configure and Run the
Tenable Container Security Scanner.

Tenable Container Security Scanner Environment Variables

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You must use the CLI on your computer to configure your environment variables and run the
Container Security Scanner.

You can configure and run the Container Security Scanner as many times as necessary, using any
combination of registries and registry sources.

Environment Variables

Each entry below lists the variable, its type, whether it is required, and the scanner mode (Image
Inspect, Registry Import, or both) in which the variable applies.

TENABLE_ACCESS_KEY (Type: String. Required: Yes. Mode: Image Inspect or Registry Import)
Your Tenable Vulnerability Management API access key.

TENABLE_SECRET_KEY (Type: String. Required: Yes. Mode: Image Inspect or Registry Import)
Your Tenable Vulnerability Management API secret key.

IMPORT_REPO_NAME (Type: String. Required: Yes. Mode: Image Inspect or Registry Import)
The name of the Container Security repository where you want to import the image. This name
cannot contain spaces. The repository name must meet the following requirements:

l Contains 64 characters or fewer.

l Contains only alphanumeric characters, dashes (-), underscores (_), or periods (.).

l Begins with an alphanumeric character.

l Contains no uppercase letters.

REGISTRY_URI (Type: String. Required: No. Mode: Registry Import)
The URI of the registry from which you want to import the image.

REGISTRY_USERNAME (Type: String. Required: No. Mode: Registry Import)
Your username for authenticating to the registry you want to scan. Set this variable if you want
to authenticate to the registry. The value depends on the registry you want to scan:

l Amazon Web Services (AWS) Elastic Container Registry (ECR): type your AWS access key ID as
your username. For information about how to obtain your access key ID, see the AWS Documentation.

l Azure registry: type your service principal ID for the registry. For more information about
how to create a service principal, see Azure Documentation.

l Google Cloud Platform (GCP) Google Container Registry (GCR): type your GCR account client email
as it appears in the client_email field in the service account private key JSON file. For
information about how to create and download your service account private key, see the Google
Container Registry Documentation.

l All other registries: type the username you use to authenticate to the registry.

REGISTRY_PASSWORD (Type: String. Required: No. Mode: Registry Import)
Your password for authenticating to the registry from which you want to import the image. Set
this variable if you want to authenticate to the registry. The value depends on the registry you
want to scan:

l Amazon Web Services (AWS) Elastic Container Registry (ECR): type your AWS secret access key
as your password. For information about how to obtain your secret access key, see the AWS
Documentation.

l Azure registry: type your service principal password for the registry. For more information
about how to create a service principal, see Azure Documentation.

l Google Cloud Platform (GCP) Google Container Registry (GCR): type your GCR service account
private key as it appears in the private_key field in the service account private key JSON
file. For information about how to create and download your service account private key, see
the Google Container Registry Documentation.

l All other registries: type the password you use to authenticate to the registry.

TENABLE_PROXY (Type: String. Required: No. Mode: Image Inspect or Registry Import)
The URL for the HTTP proxy the Container Security Scanner uses to connect to Tenable
Vulnerability Management. Set this variable if the machine where you deployed the Container
Security Scanner requires a proxy server to connect to Tenable Vulnerability Management.

Note: If the machine where you deployed the Container Security Scanner requires proxy connections
both to your registry and to Tenable Vulnerability Management, you can apply both the
REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration. Run the Container
Security Scanner in Registry Import mode if you apply both variables.

The format of the TENABLE_PROXY value depends on whether your proxy requires username and
password authentication:

l Authentication required: <username>:<password>@<host>:<port>

l Authentication not required: <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for
example, 192.0.2.202).

REGISTRY_PROXY (Type: String. Required: No. Mode: Registry Import)
The URL for the HTTP proxy the Container Security Scanner uses to connect to your registry. Set
this variable if the machine where you deployed the Container Security Scanner requires a proxy
server to connect to the registry you want to scan.

Note: If the machine where you deployed the Container Security Scanner requires proxy connections
both to your registry and to Tenable Vulnerability Management, you can apply both the
REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration.

The format of the REGISTRY_PROXY value depends on whether your proxy requires username and
password authentication:

l Authentication required: <username>:<password>@<host>:<port>

l Authentication not required: <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for
example, 192.0.2.202).

IMAGE_NAME_WHITELIST (Type: String. Required: No. Mode: Registry Import)
Image name or tag assigned to images that you want the Tenable Container Security Scanner to
include in your registry scan. Include this variable if you run the scanner in Registry Import
mode and want it to scan only images with a certain name or tag. If you do not set this variable,
the scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_WHITELIST variable and an IMAGE_NAME_BLACKLIST variable in
the same scan configuration.

The allow list value depends on whether you want to include images based on name, tag, or both:

l Name: type the name assigned to the images you want included in the scan. For example, if you
type -e IMAGE_NAME_WHITELIST=alpine, the scanner scans only images named alpine.

l Tag: type the tag assigned to the images you want included, in *:<tag> format. For example, if
you type -e IMAGE_NAME_WHITELIST=*:latest, the scanner scans only images with the latest tag.

l Both: type the image name and tag assigned to the images you want included, in <image>:<tag>
format. For example, if you type -e IMAGE_NAME_WHITELIST=alpine:latest, only images named alpine
that also have the latest tag are included in the scan.

Tip: You can use an asterisk (*) wildcard character when specifying image name and tag values.

Tip: You can specify multiple allow list values by separating them with a comma (for example,
-e IMAGE_NAME_WHITELIST=alpine1,alpine2,alpine3,*:latest).

IMAGE_NAME_BLACKLIST (Type: String. Required: No. Mode: Registry Import)
Image name or tag assigned to images that you want the Tenable Container Security Scanner to
exclude from your registry scan. Include this variable if you run the scanner in Registry Import
mode and want it to exclude certain images from the scan. If you do not set this variable, the
scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_BLACKLIST variable and an IMAGE_NAME_WHITELIST variable in
the same scan configuration.

The block list value depends on whether you want to exclude images based on name, tag, or both:

l Name: type the name assigned to the images you want excluded from the scan. For example, if you
type -e IMAGE_NAME_BLACKLIST=alpine, the scanner excludes only images named alpine.

l Tag: type the tag assigned to the images you want excluded, in *:<tag> format. For example, if
you type -e IMAGE_NAME_BLACKLIST=*:latest, the scanner excludes only images with the latest tag.

l Both: type the image name and tag assigned to the images you want excluded, in <image>:<tag>
format. For example, if you type -e IMAGE_NAME_BLACKLIST=alpine:latest, only images named alpine
that also have the latest tag are excluded from the scan.

Tip: You can use an asterisk (*) wildcard character when specifying image name and tag values.

Tip: You can specify multiple block list values by separating them with a comma (for example,
-e IMAGE_NAME_BLACKLIST=alpine1,alpine2,alpine3,*:latest).

CHECK_POLICY (Type: Boolean. Required: No. Mode: Image Inspect)
If true, the Tenable Container Security Scanner sends a request to Tenable Vulnerability
Management to verify whether the results of the scan include a violation of one or more
compliance policies. The message the scanner writes to the output log depends on the result of
the policy check:

l Policy violation detected: This image does not pass your compliance policy.

l No policy violation detected: image has passed your policy compliance.

l Policy check timed out: Fatal error: Timed out trying to retrieve report.

If the policy check fails for any reason other than a policy violation or a policy check timeout,
the Container Security Scanner generates a message specific to the error that caused the failure.

Tip: If you write custom code to automate image scanning via the Container Security Scanner, use
the scanner's exit code rather than the log text to determine whether the image passed the policy
check:

l 0: the image passed the policy check.

l 1: the policy check failed, due to a timeout or some other error.

l 2: the image failed the policy check and is in violation of one or more compliance policies.

For information about Tenable Container Security policies, see Manage Tenable Container Security
Policies.

CHECK_POLICY_TIMEOUT (Type: Integer. Required: No. Mode: Image Inspect)
The amount of time, in seconds, that the Tenable Container Security Scanner waits for Tenable
Vulnerability Management to finish scanning the image and complete the vulnerability detection
analysis. By default, the scanner times out an unanswered policy request after 600 seconds.

Note: The Container Security Scanner does not set a maximum limit for the policy timeout value.

IMPORT_INTERVAL_MINUTES (Type: Integer. Required: No. Mode: Registry Import)
The frequency, in minutes, at which you want the Container Security Scanner to import and scan
images from the selected registry. Set this variable if you want the scanner to run repeatedly at
set intervals. If you do not set this variable, the scanner imports and scans images from the
selected registry only once and exits after the scan has finished.

Note: You can schedule the scanner to run at set intervals only when you scan a registry. You
cannot set a schedule when you configure and run the scanner in Image Inspect mode.

DEBUG_MODE (Type: Boolean. Required: No. Mode: Image Inspect or Registry Import)
If true, the Container Security Scanner adds additional information to the scan's log to assist
with debugging.

Note: Tenable recommends that you include this variable only if Tenable Support requests it.

ALLOW_INSECURE_SSL_REGISTRY (Type: Boolean. Required: No. Mode: Registry Import)
If true, the Container Security Scanner accepts the registry's SSL certificate without verifying
that a trusted Certificate Authority (CA) issued the certificate.

Caution: When the scanner skips CA verification it cannot tell your registry from an impostor
presenting any certificate, so the registry credentials it sends and the image layers it receives
can be intercepted or tampered with on the path to the registry. Tenable recommends that you
include this variable only during testing or debugging procedures.

HTTP_CONNECTION_TIMEOUT_SECONDS (Type: Integer. Required: No. Mode: Image Inspect or Registry
Import)
The amount of time, in seconds, that the Container Security Scanner waits for a response after
sending a connection request to the registry. If the registry does not accept the connection
request within this time span, the scanner cancels (times out) the request. By default, the
scanner times out unanswered connection requests after 10 seconds.

HTTP_IDLE_TIMEOUT_SECONDS (Type: Integer. Required: No. Mode: Image Inspect or Registry Import)
The amount of time, in seconds, that the Container Security Scanner waits for a response after
sending a request for image data to the registry. If the registry does not respond within this
time limit, the scanner cancels (times out) the request. By default, the scanner times out
unanswered requests after 60 seconds.

HTTP_REQUEST_TIMEOUT_SECONDS (Type: Integer. Required: No. Mode: Image Inspect or Registry Import)
The amount of time, in seconds, that the Container Security Scanner allows a request to remain
active (that is, the total time the scanner waits for the registry to accept a connection request
and respond to a request for image data). If a request is still active after this time limit has
passed, the scanner cancels (times out) the request. By default, the scanner times out active
requests after 60 seconds.

Configure and Run the Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

When you run the Tenable Container Security Scanner, you can configure it to scan a single image
or all images hosted in a registry.

l To scan a single image, configure and run the Container Security Scanner in Image Inspect
mode.

l To scan all images in a registry, configure and run the Container Security Scanner in Registry
Import mode.

Scan an Image via the Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Run the Container Security Scanner in Image Inspect mode to scan a single image.

Before you begin:


l Download the image you want to scan to your local machine.

l Confirm your local machine meets the system requirements, as described in CS Scanner
System Requirements.

l Download the Container Security Scanner, as described in Download the CS Scanner.

l Prepare your environment variable values, as described in Environment Variables.

To run the Container Security Scanner in Image Inspect mode:

1. In the command-line interface of the machine where you want to run the scanner, run the
customized configuration and command for your deployment type using the following
parameters:

Note: Some of the following variables are not required to run the scanner. For information about
these variables and their definitions, see Environment Variables.

docker save <your image name as it appears in the repository> | docker run \
  -e TENABLE_ACCESS_KEY=<variable> \
  -e TENABLE_SECRET_KEY=<variable> \
  -e IMPORT_REPO_NAME=<variable> \
  -i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest inspect-image <Image name as you want it to appear in Tenable Vulnerability Management>

2. Press Enter.

The Container Security Scanner scans the image.
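The CHECK_POLICY exit codes make this command usable as a build gate. The following script is an added example, not Tenable's code: it runs the documented docker save | docker run pipeline from Python, maps exit codes 0, 1 and 2 to a verdict, and passes the API keys with -e VAR (no value) so that docker copies them from the process environment and they never appear in the command line that CI systems echo into their logs. The --rm flag, the myapp:1.0 image and the myrepo repository name are assumptions for the demonstration; CHECK_POLICY is only honoured in Image Inspect mode.

```python
"""CI gate around the Image Inspect command using the CHECK_POLICY exit codes.

Added example, not Tenable's code. `-e VAR` without a value makes docker copy VAR from the
environment, so the keys stay out of argv; `--rm` is an added flag, not part of the
documented command.
"""
import os
import subprocess

SCANNER_IMAGE = "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"
SECRET_VARS = ("TENABLE_ACCESS_KEY", "TENABLE_SECRET_KEY")
VERDICTS = {0: "pass", 1: "error", 2: "policy_violation"}   # documented exit codes


def build_run_command(repo_name, display_name, check_policy=True, timeout_seconds=600):
    """argv for the `docker run` half of the pipeline; secrets are referenced by name only."""
    cmd = ["docker", "run", "--rm", "-i"]
    for var in SECRET_VARS:
        cmd += ["-e", var]                       # value is inherited from the environment
    cmd += ["-e", f"IMPORT_REPO_NAME={repo_name}"]
    if check_policy:
        cmd += ["-e", "CHECK_POLICY=true", "-e", f"CHECK_POLICY_TIMEOUT={timeout_seconds}"]
    cmd += [SCANNER_IMAGE, "inspect-image", display_name]
    return cmd


def verdict(exit_code):
    """Unknown codes (e.g. 137 when the container is killed) are errors, never a pass."""
    return VERDICTS.get(exit_code, "error")


def scan_image(local_image, repo_name, display_name, env=None):
    """Run `docker save <image> | docker run ... inspect-image` and return the verdict."""
    env = dict(os.environ if env is None else env)
    missing = [v for v in SECRET_VARS if not env.get(v)]
    if missing:
        raise RuntimeError(f"missing credentials in environment: {', '.join(missing)}")
    save = subprocess.Popen(["docker", "save", local_image], stdout=subprocess.PIPE)
    try:
        run = subprocess.run(build_run_command(repo_name, display_name),
                             stdin=save.stdout, env=env, check=False)
    finally:
        save.stdout.close()
        save.wait()
    if save.returncode != 0:
        return "error"                           # docker save failed: nothing was scanned
    return verdict(run.returncode)


if __name__ == "__main__":
    import sys
    result = scan_image("myapp:1.0", "myrepo", "myapp")   # assumed image and repo names
    print(result)
    sys.exit(0 if result == "pass" else 1)
```

The wrapper fails closed: a killed container, a docker save failure or a policy timeout all produce "error" rather than "pass", so a broken scanner cannot wave an image through. Keep CHECK_POLICY_TIMEOUT generous for large images, since the 600-second default counts the time Tenable Vulnerability Management needs to finish analysis, not just the upload.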

What to do next:
l View the results of your scan, as described in View Scan Results for Container Images.

Scan a Registry via the Tenable Container Security Scanner

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Run the Container Security Scanner in Registry Import mode to scan all images in a registry.

Before you begin:


l Confirm your machine meets the system requirements described in Tenable Container
Security Scanner System Requirements.

l Download the Container Security Scanner, as described in Download the CS Scanner.

l Prepare your environment variable values, as described in the Environment Variables.

l (Optional) To scan images hosted in an Amazon Web Services (AWS) Elastic Container Registry
(ECR), an Azure registry, or a Google Container Registry (GCR), prepare your registry as
described in Prepare your Registry.

To run the Container Security Scanner in Registry Import mode:

1. In the command-line interface of the machine where you want to run the scanner, run the
customized configuration and command for your deployment type using the following
parameters:

Note: Some of the following variables are not required to run the scanner. For information about
these variables and their definitions, see Environment Variables.

docker run \
  -e TENABLE_ACCESS_KEY=<variable> \
  -e TENABLE_SECRET_KEY=<variable> \
  -e IMPORT_REPO_NAME=<variable> \
  -e REGISTRY_URI=<variable> \
  -e REGISTRY_USERNAME=<variable> \
  -e REGISTRY_PASSWORD=<variable> \
  -e IMPORT_INTERVAL_MINUTES=<variable> \
  -i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry

2. Press Enter.

The Container Security Scanner scans all images in the registry.

What to do next:
l View the results of your scan, as described in View Scan Results for Container Images.

Prepare your Registry

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You must prepare the following registries before you scan the registries via the Container
Security Scanner.

l Amazon Web Service (AWS) Elastic Container Registry (ECR)

l Azure Registry

l Google Cloud Platform (GCP) Google Container Registry (GCR)

You do not need to prepare other registry types before scanning.

Amazon Web Service (AWS) Elastic Container Registry (ECR)


For information about how to make specific configurations to your AWS ECR, see the AWS
Documentation.

To prepare your AWS ECR:

1. Obtain your AWS access keys.

Note: Your AWS access keys consist of two parts: an access key ID and a secret access key. The
access key ID is your REGISTRY_USERNAME value, and the secret access key is your REGISTRY_PASSWORD
value. For more information, see Tenable Container Security Scanner Environment Variables.

What to do next:
l Scan your repository, as described in Scan a Registry via the Tenable Container Security
Scanner.

Azure Registry
For information about how to make specific configurations to your Azure registry, see the Azure
Documentation.

To prepare your Azure registry:

1. Create a service principal for your Azure registry and assign the AcrPull role to the service
principal.

What to do next:
l Scan your repository, as described in Scan a Registry via the Tenable Container Security
Scanner.

Google Cloud Platform (GCP) Google Container Registry (GCR)


For information about how to make specific configurations to your GCP GCR, see the Google
Container Registry Documentation.

To prepare your GCP GCR:

1. In your GCP project, create a service account for the scanner with the Project Viewer role.

Note: The scanner only needs to pull images. If you want to follow least privilege, grant the
service account read access to the registry's storage (the Storage Object Viewer role on the GCR
bucket) instead of project-wide Viewer.

2. Authenticate to your registry by creating and downloading a service account key as a JSON
file (see the following example). The file contains the service account's private key, so
restrict its file permissions and keep it out of source control.

{
  "type": "service_account",
  "project_id": "my-gcp-lab",
  "private_key_id": "d21bbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAAAAAAAA\nBBBBBBBB\nCCCCCCCC\nDDDDDDDD\nEEEEEEEE\nFFFFFFFF\nGGGGGGGG==\n-----END PRIVATE KEY-----\n",
  "client_email": "cs-scanner@dh-lab.iam.gserviceaccount.com",
  "client_id": "111111111111111111111",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cs-scanner%40dh-lab.iam.gserviceaccount.com"
}

3. Mount the service account JSON file to the path /serviceAccount.json inside the container
using the docker -v flag, and run the scanner in Registry Import mode:

docker run -e TENABLE_ACCESS_KEY=<redacted> \
  -e TENABLE_SECRET_KEY=<redacted> \
  -e IMPORT_REPO_NAME=<repo-name> \
  -e REGISTRY_URI=https://gcr.io/<gcp-project-name> \
  -v <path-to-file>:/serviceAccount.json \
  -it tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry

What to do next:
l Scan your repository, as described in Scan a Registry via the Tenable Container Security
Scanner.

Glossary of Tenable Container Security Terms

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Container Security product documentation uses the following terms:

Term Description

CD System
A Continuous Deployment system. Typically used to monitor for successful builds that have passed
tests, and to take those successful builds and push them to production environments, thus
automating the deployment of the successful builds.

CI System
A Continuous Integration system. Typically used to monitor source control commits, such as merged
pull requests in GitHub, to trigger a build (to test) as the change in source control is detected.

CI/CD System
A Continuous Integration and Continuous Deployment system. Typically used to monitor source
control commits, such as merged pull requests in GitHub, to trigger a build (to test) as the
change in source control is detected, and upon successful completion of the build and test phase,
to take those successful builds and push them to production environments, thus automating the
deployment of the successful build.

Container
A running instance of a container image. A container image that has been started or otherwise
executed.

Container Image
An application hosted inside a container image file (for example, ubuntu:14.04).

Container Image Tag
A specific release or version of an application hosted inside a container (for example, 14.04).

Container Registry
A storage location for Container Images. Provides developers and continuous integration systems
the ability to store containers that are pushed.

Continuous Deployment
A development practice where operations (or DevOps) automatically push successfully tested builds
to production environments, making them immediately available.

Continuous Integration
A development practice where developers integrate code into a shared source control repository,
regularly, as changes are made.

Image
An application hosted inside a container image file (for example, ubuntu:14.04).

Image Tag
A specific release or version of an application hosted inside a container (for example, 14.04).

Organization Admin
The role assigned to the first user registering for Tenable Container Security, at the time the
Organization is created. If you have registered without an invitation, you were automatically
assigned the role of Organization Admin and a new Organization was created for your account.

Registry
A storage location for Container Images. Provides developers and continuous integration systems
the ability to store containers that are pushed.

Repository
A storage location or namespace, within the registry, for an image (for example,
/org/tenable_io_container_security/approved/).

Tag
A specific release or version of an application hosted inside a container (for example, 14.04).

User
The role assigned to invited users registering for Tenable Container Security, for pre-existing
Organizations. If you have registered via an invitation, you were automatically assigned the role
of User and you were added to the same Organization as the user who invited you.

Configure Tenable Container Security Connectors to Import and Scan Images

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Connectors act as links to local or third-party registries. You can use connectors to access these
registries and then import image data from them to Tenable Container Security.

To import and analyze container images, you must configure a connector to a registry or, in certain
cases, to the registry's own connector.

After you configure your connectors, you can view and manage your connectors from the Settings
page in Tenable Vulnerability Management. For more information about connectors, see Connectors
in the Tenable Vulnerability Management User Guide.

The amount of time Tenable Container Security takes to scan the images in your registry and
display the results depends on the size and number of images you scan.

Note: If you use a connector to import and scan your images, Tenable Container Security may
take up to several hours to display your images on the dashboard.
If your images do not appear on the dashboard within 24 hours of when you begin the import,
contact Tenable Support.

Tenable Container Security Connectors


Note: Tenable Container Security does not support connector configurations for Azure Container
Registries (ACR). To import images from an ACR registry, use the Tenable Container Security Scanner.

Tenable Container Security supports image imports via the following connectors.

Connector Description

Tenable Container Security Scanner: Command line operated, on-premises scanning tool that allows you to scan images without importing them into Tenable Container Security. To configure the Tenable Container Security Scanner, see Tenable Container Security Scanner.

Amazon Web Service (AWS) Elastic Container Registry (ECR): Connector for assets hosted in an AWS Elastic Container Registry. To configure an AWS ECR connector and import assets, see Configure an AWS ECR Connector to Import Images in Tenable Container Security.

Note: To import assets from an AWS ECR, Tenable Container Security requires read-only access to your AWS account.

Docker: Connector for assets hosted in a Docker-compatible registry. To configure a connector for a Docker EE registry, see Configure a Local Connector to Import Images in Tenable Container Security.

Note: If your registry is not listed but is compatible with Docker Registry API version 2.0, select this connector. For information about Docker-compatible connectors, see the Docker Documentation.

Docker EE: Connector for assets hosted in a Docker Enterprise Edition (EE) registry. To configure a connector for a Docker EE registry, see Configure a Local Connector to Import Images in Tenable Container Security.

JFrog Artifactory: Connector for assets hosted in a JFrog Artifactory registry. To configure a connector for a JFrog Artifactory registry, see Configure a Local Connector to Import Images in Tenable Container Security.
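Before you point the generic Docker connector at a registry that is not listed, it is worth confirming that the registry actually implements Docker Registry API version 2.0. The following is an added example, not Tenable's or Docker's code: it probes the /v2/ base endpoint and interprets the answer the way the Registry HTTP API V2 specification defines it (HTTP 200 when anonymous access is allowed, or HTTP 401 with a WWW-Authenticate challenge when credentials are required, and in either case the Docker-Distribution-API-Version: registry/2.0 header). The sample responses are constructed, and the registry.example.test hostname is a placeholder.

```python
"""Check whether a registry speaks Docker Registry API version 2.0.

Added example (not Tenable's or Docker's code). A v2 registry answers
GET /v2/ with 200 (anonymous access) or 401 plus a WWW-Authenticate
challenge, and sets Docker-Distribution-API-Version: registry/2.0.
"""
from dataclasses import dataclass
import urllib.error
import urllib.request

API_VERSION_HEADER = "Docker-Distribution-API-Version"
EXPECTED_VERSION = "registry/2.0"


@dataclass
class RegistryProbe:
    status: int
    headers: dict  # header names are compared case-insensitively


def classify_registry(probe: RegistryProbe) -> str:
    """Return 'v2-anonymous', 'v2-auth-required', or a 'not-v2: ...' reason."""
    headers = {k.lower(): v for k, v in probe.headers.items()}
    version = headers.get(API_VERSION_HEADER.lower(), "")
    if version != EXPECTED_VERSION:
        return f"not-v2: missing or unexpected {API_VERSION_HEADER} ({version!r})"
    if probe.status == 200:
        return "v2-anonymous"
    if probe.status == 401:
        if "www-authenticate" not in headers:
            return "not-v2: 401 without a WWW-Authenticate challenge"
        return "v2-auth-required"
    return f"not-v2: unexpected HTTP status {probe.status}"


def probe_registry(base_url: str, timeout: float = 10.0) -> RegistryProbe:
    """Issue GET <base_url>/v2/ and capture status and headers (needs network)."""
    url = base_url.rstrip("/") + "/v2/"
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return RegistryProbe(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # 401 is the normal answer from a registry that requires credentials
        return RegistryProbe(err.code, dict(err.headers.items()))


# Constructed sample responses (not captured from any real registry)
SAMPLE_RESPONSES = {
    "private-registry": RegistryProbe(401, {
        "Docker-Distribution-API-Version": "registry/2.0",
        "WWW-Authenticate": 'Bearer realm="https://registry.example.test/auth",service="registry"',
    }),
    "anonymous-registry": RegistryProbe(200, {
        "Docker-Distribution-Api-Version": "registry/2.0",
    }),
    "plain-web-server": RegistryProbe(404, {"Content-Type": "text/html"}),
}


def check_samples() -> dict:
    """Classify each constructed sample; used in place of a live probe."""
    return {name: classify_registry(p) for name, p in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name}: {verdict}")
```

To test a live registry, call probe_registry("https://registry.example.test") and pass the result to classify_registry; a "v2-auth-required" verdict means the connector will need the registry username and password, while any "not-v2" verdict means the generic Docker connector is the wrong choice for that endpoint.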

Configure an AWS ECR Connector to Import Images in Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required User Role: Administrator

To import and analyze images hosted in an Amazon Web Service (AWS) Elastic Container Registry
(ECR), you must configure your AWS ECR connector. Tenable Container Security then imports the
images from your registry and scans the images for vulnerabilities.

The amount of time Tenable Container Security takes to scan the images in your registry and
display the results depends on the size and number of images you scan.

Note: If you use a connector to import and scan your images, Tenable Container Security may
take up to several hours to display your images on the dashboard.
If your images do not appear on the dashboard within 24 hours of when you begin the import,
contact Tenable Support.

Before you begin:

- Activate your account and log in to Tenable Container Security, as described in Log in to
Tenable Container Security via the Docker CLI.

- Confirm the images you want to import are stored in your organization's container registry.

To configure a connector to an AWS Elastic Container Registry:

1. In the Connectors section of the Container Security dashboard, click Create.

Tenable Vulnerability Management opens the Cloud Connectors page, and the Cloud
Connectors plane appears.

2. In the Container Security section, click AWS Elastic Container Registry.

3. In the URL box, type the fully qualified domain name of your ECR deployment (for example,
https://579133718396.dkr.ecr.us-east-2.amazonaws.com).

4. In the User Name box, type AWS.

5. In the Password box, type the base64-encoded password used in the docker login
command generated by the AWS CLI.

Tip: If your ECR is in the us-east-2 region, you can run the aws ecr get-login-password --region us-east-2
command to get the docker login command.

6. Do one of the following:

- To save the connector, click Save.

Note: If you click Save, Tenable Container Security saves your configured connector but does
not import your assets. To launch a manual import for the connector, see Launch a Connector
Import Manually.

- To save the connector and import your assets from the registry, click Save & Import.

Note: When you import container images to scan, Tenable Container Security may
abort the scan if the scan has been running for 60 minutes. If this happens, Scan
Failed appears on the Images page in the Vulnerabilities and Malware columns for
the aborted images.
If Tenable Container Security aborts your scan, try simplifying your images before
you import them, as described in the Docker Documentation. Alternatively, you can
use the Tenable Container Security Scanner to scan your images without importing
them to Tenable Container Security.
If Tenable Container Security still aborts your scan, contact Tenable Support.

7. (Optional) Click Back to configure another connector.

What to do next:

- View the results of your scan, as described in View Scan Results for Container Images.

Configure a Local Connector to Import Images in Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required User Role: Administrator

To import and analyze images hosted in a local registry, you must configure your registry's
connector. Tenable Container Security then imports the images from your registry and scans the
images for vulnerabilities.

The amount of time Tenable Container Security takes to scan the images in your registry and
display the results depends on the size and number of images you scan.

Note: If you use a connector to import and scan your images, Tenable Container Security may
take up to several hours to display your images on the dashboard.
If your images do not appear on the dashboard within 24 hours of when you begin the import,
contact Tenable Support.

Before you begin:

- Activate your account and log in to the web portal, as described in Log in to Tenable Container
Security via the Docker CLI.

- Confirm the images you want to import are stored in your organization's container registry.

To configure a connector to a local container registry:

1. In the Connectors section of the Container Security dashboard, click Create.

Tenable Vulnerability Management opens the Cloud Connectors page, and the Cloud
Connectors plane appears.

2. In the Container Security section, click the type of container registry you want to use and
type a Connector Name. Alternatively, type the name of the registry in the search box.

Note: If you want to connect to a registry that is not listed, contact Tenable Support and let them
know that you want your container registry to be officially supported. If your registry is not listed but
is Docker-compatible, select Docker. For information about Docker-compatible connectors, see the
Docker Documentation.

3. In the URL box, type your registry's URL.

4. In the Port box, type your registry's port ID.

5. In the Username box, type the registry username.

6. In the Password box, type the registry password.

7. Use the Schedule Import toggle to enable or disable scheduled imports.

Note: By default, Tenable Container Security requests new and updated asset records every 12
hours.

If enabled, in the Import drop-down box, select Day or Week as the frequency with which
Tenable Container Security sends data requests to the registry.

8. Do one of the following:

- To save the connector, click Save.

Note: If you click Save, Tenable Container Security saves your configured connector but does
not import your assets. To launch a manual import for the connector, see Launch a Connector
Import Manually in the Tenable Vulnerability Management User Guide.

- To save the connector and import your assets from the registry, click Save & Import.

Note: When you import container images to scan, Tenable Container Security may
abort the scan if the scan has been running for 60 minutes. If this happens, Scan
Failed appears on the Images page in the Vulnerabilities and Malware columns for
the aborted images.
If Tenable Container Security aborts your scan, try simplifying your images before
you import them, as described in the Docker Documentation. Alternatively, you can
use the Tenable Container Security Scanner to scan your images without importing
them to Tenable Container Security.
If Tenable Container Security still aborts your scan, contact Tenable Support.

9. (Optional) Click Back to configure another connector.

What to do next:

- View the results of your scan, as described in View Scan Results for Container Images.

View Container Details


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

A container is a running instance of an image. You create containers from an image each time you
run the image on your application. You can create multiple containers from a single image, and you
can change those containers without affecting the image from which you created them.

After you perform a credentialed Tenable Nessus scan on your system, Tenable Container Security
uses the scan results to identify images and containers and analyze each container for risk.

Tenable Container Security then shows the containers by scan status and risk level in the Identified
Containers widget on the Tenable Container Security dashboard based on the results of the most
recent scan.

Note: Tenable Container Security identifies and analyzes only the images and containers found via
credentialed Tenable Nessus scans.

Note: Tenable Container Security imports and rescans your images at regular intervals, beginning when
you first import and scan the images.

Before you begin:

- If Tenable Container Security has not yet scanned the source image used to create the
container you want to analyze, use one of the following methods to import the image for
scanning:

  - Push an individual image to Tenable Container Security.

  - Configure Tenable Container Security Connectors to Import and Scan Images stored in
  your organization's local registry.

  - Use the Tenable Container Security Scanner to scan your images directly from your
  organization's local registry or your machine.

- Run a Tenable Nessus scan on the network where your containers run, selecting the Basic
Network Scan template and providing your network authentication credentials. For more
information about Tenable Nessus scan templates, see Scan and Policy Templates in the
Tenable Nessus User Guide.

Note: Tenable Container Security imports data from Tenable Nessus to determine if there have ever
been any changes made to files on the container. If Tenable Nessus detects file changes, Tenable
recommends that you check your images and repositories and confirm that no one has accessed
them without authorization.

Tip: Alternatively, you can run a Tenable Nessus Agent scan on the network where the container
runs. For more information, see the Tenable Nessus Agent User Guide.

To view container details:

1. In the Container Security dashboard, find the Identified Containers widget. This widget
categorizes your containers by risk and scan status.

Note: For information about how Tenable Container Security calculates container risk, see Container
Risk.

2. Click the Identified Containers widget.


The Identified Containers page appears. The identified containers table lists all the
containers created from images scanned by Tenable Container Security.

3. In the identified containers table, you can:

- Filter the identified containers table.

- Search the identified containers table.

- View the summary for your identified containers in the identified containers table.

Column Description

Container ID: The ID that the software your container runs on assigned to the container.

Repository/Image:Tag: The repository name, image name, and image tag (for example, latest).

Risk Score: The risk score on a scale of 1-10.

Scan Status: Indicates whether Tenable Container Security has scanned the container's source image.

  - (scanned icon) Tenable Container Security has scanned the source image.

  - (not scanned icon) Tenable Container Security has never scanned the source image.

Note: When you initiate an image import, Tenable Container Security immediately queues the image to scan. However, Tenable Container Security does not always complete the scan immediately. To prevent undetected vulnerabilities, Tenable recommends that you confirm any images marked as not scanned are imported for scanning.

File Changed: Indicates whether the Tenable Nessus scan detected any changes to container files.

  - (unchanged icon) Tenable Nessus did not detect file changes during its scan.

  - (changed icon) Tenable Nessus detected file changes during its scan.

Note: If Tenable Vulnerability Management detects any file changes, Tenable recommends that you check your images and repositories and confirm that no one has accessed them without authorization.

Vulnerabilities: The number of vulnerabilities detected in the container.

Malware: The number of malware items detected in the container.

Host IP: The IP address for the server where the container runs.

- View details for a specific container.

a. In the identified containers table, click the row for the container you want to view.
The identified containers details page appears.

b. On the identified containers details page, you can:

Tab Action

Vulnerabilities: View details for each vulnerability identified in the image your identified container links to:

  - In the Severity column, view the severity rating Tenable Container Security assigned the image.

  Note: For information about how Tenable Container Security determines image risk, see Image Risk.

  - In the Exposure ID column, view the vulnerability's ID.

  Note: The authority that identifies a given vulnerability determines the vulnerability's ID format.

  - In the Risk Score column, view the CVSSv2 score.

  - In the Release Date column, view the date when the software on which the container runs released the vulnerability.

  - Click a row in the vulnerabilities table. The vulnerability details plane appears, containing details and remediation recommendations for the vulnerability.

Malware: View details about malware detected in the identified container:

  - In the Infected File column, view the name of each infected file as it appears on the container.

  - In the Risk Score column, view the CVSSv2 score for each infected file.

Images: View details about the image your container links to.

  - In the Image ID column, view the image ID.

  Note: The image ID automatically generates when the software that hosts your image (for example, Docker) creates the image.

  - In the Repository column, view the local repository where the image resides.

  - In the Image Name column, view the image name as it appears in the repository.

  - In the Tag column, view the tag associated with the image (for example, latest).

  - Click a row in the image table. The details page appears for the image your identified container links to. For information about the image details, see View Scan Results for Container Images.

Package Inventory: View details about the package in the image your identified container links to, including the package name, version, license, and type.

View Scan Results for Container Images


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

After Tenable Container Security scans your container images, you can view the detailed scan
results on the Tenable Container Security dashboard.

Before you begin:

- Scan the container image you want to analyze using any of the following processes:

  - Push an individual image to Tenable Container Security.

  - Configure your connectors to import and scan images stored in your organization's local
  registry.

  - Use the Tenable Container Security Scanner to scan your images directly from your
  organization's local registry or your machine.

To view scan results for container images:

1. In the Statistics section of the Container Security dashboard, click the Images widget.

The Images page appears.

2. In the images table, you can:

- Filter the images table.

- Search the images table.

- View details for the image:

a. In the images table, click an image row.

The Image Details page appears.

b. On the Image Details page, you can:

Tab Action

Vulnerabilities: View vulnerability details for each vulnerability identified in the image:

  - In the Severity column, view the severity rating Tenable Container Security assigned the image.

  Note: For information about how Tenable Container Security determines image risk, see Image Risk.

  - In the Vulnerability column, view the vulnerability ID.

  Note: The authority that identifies a given vulnerability determines the vulnerability's ID format.

  - In the Risk Score column, view the CVSSv2 score.

  - In the Release Date column, view the date when the software on which the image is hosted released the vulnerability.

  - Click a row in the vulnerabilities table. A vulnerability details plane appears, containing details and remediation recommendations for the vulnerability.

Malware: View details about malware identified in the image, including a list of infected files, the file types, and the MD5 and SHA256 digests of the file.

Package Inventory: View details about the package in the image your identified container links to, including the package name, version, license, and type.

Layer Digest: View the digest IDs for each layer in the image.

Identified Containers:

  - In the Container ID column, view the ID that the software your container runs on assigned to each container.

  - In the Hostname column, view the name of the network on which each container runs.

  Note: Not all networks have a hostname; some only have an IP address.

  - In the Host IP column, view the IP address for the network on which each container runs.

  - In the Start Date column, view the date when the container most recently started running.

Manage Tenable Container Security Image Repositories

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

You automatically create an image repository when you push an image to the registry.

To manage image repositories in Tenable Container Security:

1. In the Statistics section of the Container Security dashboard, click the Repositories widget.

The Repositories page appears, displaying an overview description of the repository.

2. In the repositories table, you can:

- Search the table.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

a. In the text box, type your search term or terms.

b. Click the button.

Tenable Vulnerability Management filters the table by your search criteria.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous
page.

- View details for an image in the repository.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

a. In the repositories table, click the row of the repository that contains the image
you want to view.

The Repository Details page appears with an overview description of the repository. On the
Repository Details page, the Container Images table appears, listing each image stored in the
repository.

b. In the Container Images table, click an image row to view more details.

The Tags page appears.

c. In the Container Tag table, click a row to expand the Activity Log details plane for
that tag.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous
page.

- Delete an image repository.

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan
Manager, or Administrator

a. In the repositories table, click the row of the repository you want to delete.

The Repository Details page appears.

b. In the details section, next to ACTIONS, click the button.

A confirmation window appears.

c. Click Delete to confirm.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous
page.

Delete an Image in Tenable Container Security


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Note: The data Tenable Container Security retains when you import an image depends on the import
method you use.

- Docker command or connector — Tenable Container Security retains the image itself, as well as
all metadata associated with the image (for example, image layers and software packages on the image).

- Container Security Scanner — Tenable Container Security retains only the metadata associated
with the image.

When you delete the image, Tenable Container Security removes the entire image and all image
metadata.

To delete an image:

1. In the Statistics section of the Container Security dashboard, click the Images widget.

The Images page appears. This page contains a table that lists the images Tenable Container
Security has imported and scanned.

2. In the images table, click the button next to the image you want to delete.

A Confirm Deletion window appears.

3. Click Delete to confirm the deletion.

Tenable Container Security removes the image and all the vulnerabilities associated with that
image.

Manage Tenable Container Security Policies


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Container Security policies allow you to configure the rules that Tenable Container Security
refers to when it identifies the severity of vulnerabilities in your container images.

When you set a policy in Tenable Container Security, the scanner detects any images that meet the
conditions set in that policy and labels those images as false.

Add a Tenable Container Security Policy

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To add a policy in Tenable Container Security:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Container Security section, click Policies.

The Policies page appears and displays the policies table.

Note: The policies table lists your policies in order of priority, as determined by Tenable Container
Security.

3. In the upper-right corner, click Create Policy.

The New Policy plane appears.

4. In the policy name text box, type a meaningful name for the policy.

5. In the Repositories section, select the repositories where Tenable Container Security applies
the policy:

l To apply the policy to all repositories, select All Repositories.

l To apply the policy to one repository:

a. Select Specific Repository.

b. In the drop-down box, type the name of the repository where you want to apply the
policy.

c. Select the repository.

6. In the Conditions section, set the condition that triggers the policy.

7. Click Create Policy.

The new policy appears on the Policies page in the policies table.

Note: By default, the system assigns the policy the highest priority (1). If you want to modify the
priority setting, edit the policy.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Edit a Tenable Container Security Policy

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To edit a policy in Tenable Container Security:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Container Security section, click Policies.

The Policies page appears and displays the policies table.

Note: The policies table lists your policies in order of priority, as determined by Tenable Container
Security.

3. Click the policy you want to edit.

The Edit Policy plane appears.

4. In the Priority box, type a number representing the priority for the policy.

Tenable Container Security evaluates container images against policies in the priority order
you specify.

If you type a priority number that is already associated to another policy, the system accepts
the new priority number and lowers the priority numbers for all policies below it.

5. In the Repositories section, select the repositories where Tenable Container Security applies
the policy:

l To apply the policy to all repositories, select All Repositories.

l To apply the policy to one repository:

a. Select Specific Repository.

b. In the drop-down box, type the name of the repository where you want to apply the
policy.

c. Select the repository.

6. In the Conditions section, set the condition that triggers the policy.

7. Click Save.

Tenable Container Security saves your changes and shows the updated information on the
Policies page.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Delete a Tenable Container Security Policy

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To delete a policy in the policies table:


1. In the Statistics section of the Container Security dashboard, click the Policies widget.

The Policies page appears. This page contains a table that lists the policies Tenable Container
Security uses to evaluate container images.

The table lists the policies in order of priority, as determined by Tenable Container Security.

2. In the policies table, click the button next to the policy you want to delete.

Tip: Roll over the policy row to reveal the button for that policy.

3. Click Delete to confirm the deletion.

To delete a policy while viewing the policy configuration:


1. In the Statistics section of the Container Security dashboard, click the Policies widget.

The Policies page appears. This page contains a table that lists the policies Tenable Container
Security uses to evaluate container images.

The table lists the policies in order of priority, as determined by Tenable Container Security.

2. In the policies table, click the row of the policy you want to delete.

The Edit Policy plane appears.

3. In the Actions section, click the button.

4. Click Delete to confirm the deletion.

Tip: In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Tenable Container Security Policy Condition Settings

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

You can set one of the following conditions to trigger a policy in Tenable Container Security:

Option Description

CVSS: To set the maximum CVSS value that triggers the policy:

1. Click Max CVSS Value.

2. Select an operator from the drop-down box.

3. Type the CVSS trigger value.

CVE: To set a CVE or CVEs that trigger the policy:

1. Click CVE.

2. In the text box, type one or more CVE values in decimal format (0.0) in a
comma-separated list.

Malware: To set the policy to trigger on malware:

1. Click Malware.

2. Select True in the drop-down box.
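The priority rules in Edit a Tenable Container Security Policy (a new policy takes priority 1, and moving a policy onto an occupied priority pushes the policies at and below it down) and the three condition types above are easier to reason about as a small model. The following is an added example, not Tenable's code: it keeps an ordered policy table, applies the renumbering behaviour the guide describes, and evaluates constructed images against the policies in priority order. How each UI condition maps to a rule is an assumption (the CVSS operator is applied to the highest CVSSv2 score in the image, the CVE condition matches any listed CVE, and the malware condition requires malware to have been found); the repository names and CVE identifiers are placeholders.

```python
"""Priority ordering and condition matching for Tenable Container Security policies.

Added example (not Tenable's code). Models the guide's description: a new
policy receives priority 1, moving a policy to an occupied priority pushes the
policies at and below it down, and images are evaluated in priority order.
Condition semantics are assumptions about how the UI options map to rules.
"""
from dataclasses import dataclass
import operator
from typing import Optional

OPERATORS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
             "<": operator.lt, "==": operator.eq}


@dataclass
class Vulnerability:
    cve: str                 # placeholder IDs below, not real CVE numbers
    cvss2: Optional[float]   # None when the finding is unscored


@dataclass
class Image:
    repository: str
    name: str
    tag: str
    vulns: list
    malware_found: bool = False


@dataclass
class Policy:
    name: str
    repository: Optional[str] = None   # None = All Repositories
    cvss_op: Optional[str] = None      # key of OPERATORS, used with cvss_value
    cvss_value: Optional[float] = None
    cves: tuple = ()
    malware: bool = False


def matches(policy: Policy, image: Image) -> bool:
    """True when the image is in scope and satisfies every condition set on the policy."""
    if policy.repository is not None and policy.repository != image.repository:
        return False
    if policy.cvss_op is not None:
        scored = [v.cvss2 for v in image.vulns if v.cvss2 is not None]
        if not scored or not OPERATORS[policy.cvss_op](max(scored), policy.cvss_value):
            return False
    if policy.cves and not any(v.cve in policy.cves for v in image.vulns):
        return False
    if policy.malware and not image.malware_found:
        return False
    return True


class PolicyTable:
    """Ordered list of policies; list index 0 is priority 1."""

    def __init__(self):
        self.policies: list = []

    def create(self, policy: Policy) -> None:
        self.policies.insert(0, policy)        # new policies default to priority 1

    def set_priority(self, name: str, priority: int) -> None:
        # The moved policy takes the requested number; every policy at or
        # below that number shifts one position down.
        current = next(p for p in self.policies if p.name == name)
        self.policies.remove(current)
        self.policies.insert(max(0, priority - 1), current)

    def priorities(self) -> list:
        return [(i + 1, p.name) for i, p in enumerate(self.policies)]

    def first_match(self, image: Image):
        """(priority, name) of the first policy the image triggers, or None."""
        for i, p in enumerate(self.policies):
            if matches(p, image):
                return i + 1, p.name
        return None


def build_demo() -> PolicyTable:
    table = PolicyTable()
    table.create(Policy("block-critical", cvss_op=">=", cvss_value=9.0))
    table.create(Policy("malware-anywhere", malware=True))           # takes priority 1
    table.create(Policy("approved-repo-cve", repository="org/approved",
                        cves=("CVE-PLACEHOLDER-1",)))                 # takes priority 1
    table.set_priority("block-critical", 1)                            # moved back to the top
    return table


# Constructed sample images; repository names and CVE identifiers are placeholders
DEMO_IMAGES = [
    Image("org/approved", "web", "1.0",
          [Vulnerability("CVE-PLACEHOLDER-1", 5.0), Vulnerability("CVE-PLACEHOLDER-2", 9.8)]),
    Image("org/other", "batch", "2.1",
          [Vulnerability("CVE-PLACEHOLDER-1", 5.0)], malware_found=True),
    Image("org/approved", "api", "3.2",
          [Vulnerability("CVE-PLACEHOLDER-1", 5.0), Vulnerability("CVE-PLACEHOLDER-3", None)]),
    Image("org/other", "clean", "latest", []),
]


def evaluate_demo() -> dict:
    """Map 'repository/name:tag' to the first matching policy for each sample image."""
    table = build_demo()
    return {f"{img.repository}/{img.name}:{img.tag}": table.first_match(img)
            for img in DEMO_IMAGES}


if __name__ == "__main__":
    print(build_demo().priorities())
    for key, hit in evaluate_demo().items():
        print(key, "->", hit)
```

The point of the priority model is that a broad, high-priority policy (here, the CVSS rule) is what an image with both a critical finding and a repository-specific CVE is reported against; if you want the narrower rule to win, it has to sit above the broader one in the table.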

Risk Metrics in Tenable Container Security


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Container Security uses the metrics described in the following topic to categorize your
images and containers on the Tenable Container Security dashboard.

Image Risk
Tenable Container Security assigns all vulnerabilities in an image a static severity category based on
the vulnerability's CVSSv2 score.

Severity Description

Critical: The vulnerability's CVSSv2 score is between 9.0 and 10.0.

High: The vulnerability's CVSSv2 score is between 7.0 and 8.9.

Medium: The vulnerability's CVSSv2 score is between 4.0 and 6.9.

Low: The vulnerability's CVSSv2 score is between 0.1 and 3.9.

Unscored: Tenable Container Security has not yet determined the vulnerability's risk score.

Container Risk

Tenable Container Security calculates a container's overall risk score by determining which
vulnerability on the container has the highest CVSSv2 score, then rounding that score to the
nearest whole number.

For example, if the highest risk score for a vulnerability on a container is 9.2, Tenable Container
Security assigns the entire container a risk score of 9.

Category Description

Unscanned: The container was created from an image that Tenable Container Security has never scanned for vulnerabilities.

Low/Medium Risk: Tenable Container Security scanned the image and container and assigned a risk score of 0–7.

High Risk: Tenable Container Security scanned the image and container and assigned a risk score of 8–10.
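The following is an added example, not Tenable code, that applies the image severity bands and the container risk calculation described above to constructed score lists. It assumes CVSSv2 base scores with one decimal and that "rounding to the nearest whole number" rounds halves up; the topic states neither, so the 7.5 case is an assumption.

```python
# Added example (not Tenable code): image severity bands and container risk
# score as the Risk Metrics topic describes them.  Assumes CVSSv2 scores with
# one decimal and round-half-up for the "nearest whole number" step.
import math
from typing import Iterable, Optional, Tuple


def image_severity(cvss_v2: Optional[float]) -> str:
    """Static severity category for one vulnerability in an image.

    None means Tenable Container Security has not scored the vulnerability yet.
    """
    if cvss_v2 is None:
        return "Unscored"
    if not 0.1 <= cvss_v2 <= 10.0:
        # The documented bands start at 0.1; anything else is not a valid input.
        raise ValueError(f"CVSSv2 score outside the documented bands: {cvss_v2}")
    if cvss_v2 >= 9.0:
        return "Critical"
    if cvss_v2 >= 7.0:
        return "High"
    if cvss_v2 >= 4.0:
        return "Medium"
    return "Low"


def container_risk_score(cvss_v2_scores: Iterable[Optional[float]],
                         image_scanned: bool = True) -> Optional[int]:
    """Overall risk score for a container.

    Returns None when the container's image was never scanned.  Otherwise the
    highest CVSSv2 score on the container is rounded to the nearest whole
    number; unscored vulnerabilities cannot raise the score, and a scanned
    container with no scored vulnerabilities gets 0.
    """
    if not image_scanned:
        return None
    scored = [s for s in cvss_v2_scores if s is not None]
    if not scored:
        return 0
    # Round half up: 9.2 -> 9 (the page's example), 7.5 -> 8 (assumed tie rule).
    return int(math.floor(max(scored) + 0.5))


def container_risk_category(score: Optional[int]) -> str:
    """Map a container risk score to the dashboard category."""
    if score is None:
        return "Unscanned"
    if 0 <= score <= 7:
        return "Low/Medium Risk"
    if 8 <= score <= 10:
        return "High Risk"
    raise ValueError(f"risk score outside 0-10: {score}")


def categorize_container(cvss_v2_scores: Iterable[Optional[float]],
                         image_scanned: bool = True) -> Tuple[Optional[int], str]:
    """Return (score, category) for one container."""
    score = container_risk_score(list(cvss_v2_scores), image_scanned)
    return score, container_risk_category(score)


if __name__ == "__main__":
    # Constructed sample: the page's 9.2 example plus two boundary cases.
    for scores, scanned in [([9.2, 4.3, None], True), ([7.4], True),
                            ([7.5], True), ([], False)]:
        print(scores, "scanned" if scanned else "unscanned", "->",
              categorize_container(scores, scanned))
```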

View Tenable Container Security Data Usage


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Container Security shows how much of your licensed data capacity is in use and how much is still available in the Usage widget on the Container Security dashboard.

Note: The Usage widget is not available if you have a Tenable Cloud Security license. To view your license usage, go to the Settings > License page and view the Container Images under Cloud Security Resources. For more information, see View your License Information.

The Usage widget categorizes your data by licensed container images or gigabytes (GB), depending
on which metric your license specifies. For more information about your license metrics, contact
your Tenable representative.

To view your data usage:

1. In the Container Security dashboard, locate the Usage widget.

2. View the following details about your data usage:

Widget Section Description

Licensed Space or Licensed Images, depending on your licensing scheme: The amount of data licensed to your account.

Licensed Space Limit or Licensed Images Limit, depending on your licensing scheme: The amount of licensed data still available.

Space used or Licensed Images used, depending on your licensing scheme: The amount of licensed data already in use, displayed as a percentage of your licensed data limit.

To calculate the data in use, Tenable Container Security:

• Identifies each image by the combination of container name, image registry, and version tag.

• Includes only the three most recent tags of the image against your licensed usage. As a result, the Image widget may show an image count that does not match the amount of used licensed data the Usage widget shows.

For example, if your licensed image limit is 20, and you have 10 images already in use, your Licensed Images used percentage is 50%.
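The following is an added example, not Tenable code, that counts licensed images the way the Usage widget description above says they are counted, so that the gap between the Image widget count and the licensed usage is visible on constructed registry data. It assumes an image version is identified by (registry, container name, tag) and that "most recent" means the most recently pushed tag; the page gives no timestamp rule.

```python
# Added example (not Tenable code): counts licensed container images as the
# Usage widget description states: distinct registry/name/tag combinations,
# with only the three most recent tags per image counted against the license.
# "Most recent" is taken to mean most recently pushed (assumption).
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

MAX_TAGS_PER_IMAGE = 3  # only the three most recent tags count against the license


@dataclass(frozen=True)
class ImageTag:
    registry: str
    name: str          # container (image) name
    tag: str           # version tag
    pushed_at: datetime


def image_widget_count(tags: Iterable[ImageTag]) -> int:
    """Every distinct registry/name/tag combination is one image in the Image widget."""
    return len({(t.registry, t.name, t.tag) for t in tags})


def licensed_images_used(tags: Iterable[ImageTag]) -> int:
    """Images counted against the license: at most the three newest tags per image."""
    by_image: Dict[Tuple[str, str], List[ImageTag]] = defaultdict(list)
    for t in tags:
        by_image[(t.registry, t.name)].append(t)
    used = 0
    for versions in by_image.values():
        # Deduplicate tags (a re-pushed tag is still one version), newest first, cap at three.
        newest = sorted({v.tag: v for v in versions}.values(),
                        key=lambda v: v.pushed_at, reverse=True)
        used += min(len(newest), MAX_TAGS_PER_IMAGE)
    return used


def licensed_used_percent(used: int, limit: int) -> float:
    """The 'Licensed Images used' percentage (10 of 20 -> 50.0)."""
    if limit <= 0:
        raise ValueError("licensed image limit must be positive")
    return round(100.0 * used / limit, 1)


def usage_summary(tags: Iterable[ImageTag], limit: int) -> Tuple[int, int, float]:
    """(Image widget count, licensed images used, percent of the licensed limit used)."""
    tags = list(tags)
    used = licensed_images_used(tags)
    return image_widget_count(tags), used, licensed_used_percent(used, limit)


# Constructed sample registry contents: one image with five tags, one with two.
SAMPLE_TAGS: List[ImageTag] = [
    ImageTag("registry.example.com", "web", f"v1.{i}", datetime(2024, 1, 1 + i))
    for i in range(5)
] + [
    ImageTag("registry.example.com", "db", "14.2", datetime(2024, 2, 1)),
    ImageTag("registry.example.com", "db", "14.3", datetime(2024, 2, 9)),
]

if __name__ == "__main__":
    # The Image widget shows 7 images, but only 3 + 2 = 5 count against a limit of 20.
    print(usage_summary(SAMPLE_TAGS, limit=20))
```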

Tenable PCI ASV

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable PCI ASV is now an independent application available on the Workspace page. Tenable
PCI ASV allows you to take comprehensive scans of your networks so you can identify and address
vulnerabilities and ensure your organization complies with Payment Card Industry Data Security
Standards (PCI DSS). For more information about Tenable PCI ASV, see the Tenable PCI ASV User
Guide.

Settings
On the Settings page, you can manage settings that affect your Tenable Vulnerability Management
experience across a range of categories.

For example, in My Account, you can enable two-factor authentication or change your
organization's user groups and permissions. In Tags, you can view and edit Tenable Vulnerability
Management tags and tagging rules. Finally, in Cloud Connectors, you can manage the third-party
data connectors that integrate Tenable Vulnerability Management with other platforms.

This section contains complete documentation for the Settings page and is organized to match the
Tenable Vulnerability Management interface. It contains the following topics:

General Settings

My Account

SAML

License Information

Access Control

Activity Logs

Access Groups

Language

Exports

Recast/Accept Rules

Tags

Sensors

Credentials

Exclusions

Connectors

General Settings

Required User Role: Administrator

On the General page, you can configure general settings for your Tenable Vulnerability Management
instance.

To access general settings:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the General tile.

The General page appears. By default, the Severity tab is active.

Here, you can configure the following options:

Severity

By default, Tenable Vulnerability Management uses CVSSv2 scores to calculate severity for
individual vulnerability instances. If you want Tenable Vulnerability Management to calculate the
severity of vulnerabilities using CVSSv3 scores (when available), you can configure your severity
metric setting.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely
by plugin ID, port, and protocol.

For information about severity and the ranges for CVSSv2 and CVSSv3, see CVSS vs. VPR.

Note: This setting does not affect the following:

• Tenable Web App Scanning vulnerabilities.

• Tenable Container Security vulnerabilities.

• The calculations displayed in the SLA Progress: Vulnerability Age widget. To modify your SLA
severity, navigate to the Service-Level Agreement (SLA) tab on the General page.

Caution: When you change your CVSS severity metric setting, the new setting is reflected only in new
findings that come into your system. Any existing findings continue to reflect the previous severity setting (unless
otherwise recast). For more information on recast rules, see Recast/Accept Rules.

To configure your severity setting:

1. On the Severity tab, select the metric that you want Tenable Vulnerability Management to use
for severity calculations.

• CVSSv2 — Use CVSSv2 scores for all severity calculations.

• CVSSv3 — Use CVSSv3 scores, when available, for all severity calculations. Use CVSSv2
only if a CVSSv3 score is not available.

2. Click Save.

3. The system saves your change and begins calculating severity based on your selection.

All vulnerabilities seen before the change retain their severity. After the change, all
vulnerabilities seen during scans receive severities based on your new selection. Because of
this, you could see two sightings of the same vulnerability have two different CVSS scores and
severities.


Service-Level Agreement (SLA)

You can configure Service Level Agreement (SLA) settings to modify how Tenable calculates your
SLA data.

You can view this data in the SLA Progress: Vulnerability Age widget on the Vulnerability
Management Overview dashboard. For more information, see Vulnerability Management Dashboard.

To configure your SLA settings:

1. Click the Service-Level Agreement (SLA) tab.

The SLA options appear.

2. Configure the following options:

Option Default Description/Actions

Vulnerability Age SLA
Default: Critical 7 days, High 30 days, Medium 60 days, Low 180 days.
To modify the number of days included for each severity, type an integer in the box next to
Critical, High, Medium, or Low.

Override Vulnerability Severity Metric
Default: VPR
Specifies whether Tenable uses VPR severity, CVSSv2 severity, or CVSSv3 severity to calculate
SLA data. For more information about these metrics, see CVSS vs. VPR.

Note: This option affects only the calculations displayed in the SLA Progress: Vulnerability Age
widget. To modify the severity metric for all other areas of the product, navigate to the Severity tab
on the General page.

Vulnerability Age Metric
Default: First Seen
Specifies whether Tenable uses First Seen or Published Date to calculate SLA data.

3. Click Save.

Tenable Vulnerability Management saves your SLA settings.
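The following is an added example, not Tenable code, that evaluates the Vulnerability Age SLA for a constructed finding under the three options above: the days allowed per severity, the severity metric used for SLA data (VPR by default), and First Seen versus Published Date as the age metric. It assumes an SLA is missed once the age in days exceeds the configured number, and that a finding with no score for the chosen metric falls back to its CVSSv2 severity; the page states neither rule.

```python
# Added example (not Tenable code): Vulnerability Age SLA evaluation using the
# SLA options on the General page.  Assumptions: the SLA is missed once the age
# in days exceeds the configured days, and a finding with no VPR/CVSSv3 severity
# falls back to its CVSSv2 severity.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# The documented defaults for the Vulnerability Age SLA option.
DEFAULT_SLA_DAYS: Dict[str, int] = {"Critical": 7, "High": 30, "Medium": 60, "Low": 180}


@dataclass
class Finding:
    plugin_id: int
    first_seen: date                   # first sighting on the asset
    published: date                    # vulnerability publication date
    severity_cvssv2: str
    severity_cvssv3: Optional[str] = None
    severity_vpr: Optional[str] = None


def sla_severity(f: Finding, severity_metric: str) -> str:
    """Severity used for SLA data per 'Override Vulnerability Severity Metric'."""
    chosen = {"VPR": f.severity_vpr,
              "CVSSv3": f.severity_cvssv3,
              "CVSSv2": f.severity_cvssv2}[severity_metric]
    # Assumed fallback when the chosen metric has no value for this finding.
    return chosen if chosen is not None else f.severity_cvssv2


def vulnerability_age_days(f: Finding, age_metric: str, today: date) -> int:
    """Age per 'Vulnerability Age Metric': First Seen or Published Date."""
    start = {"First Seen": f.first_seen, "Published Date": f.published}[age_metric]
    return (today - start).days


def sla_missed(f: Finding, today: date,
               sla_days: Dict[str, int] = DEFAULT_SLA_DAYS,
               severity_metric: str = "VPR",
               age_metric: str = "First Seen") -> Optional[bool]:
    """True/False for severities with an SLA; None when the severity has none (e.g. Info)."""
    sev = sla_severity(f, severity_metric)
    if sev not in sla_days:
        return None
    return vulnerability_age_days(f, age_metric, today) > sla_days[sev]


# Constructed sample: first seen 40 days before TODAY, published 100 days before.
TODAY = date(2024, 6, 20)
SAMPLE = Finding(plugin_id=12345, first_seen=date(2024, 5, 11), published=date(2024, 3, 12),
                 severity_cvssv2="High", severity_cvssv3="Critical", severity_vpr="Medium")

if __name__ == "__main__":
    for metric in ("VPR", "CVSSv3", "CVSSv2"):
        for age in ("First Seen", "Published Date"):
            print(metric, age, "->", sla_missed(SAMPLE, TODAY, severity_metric=metric, age_metric=age))
```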

Language

On the General page, you can change the plugin language in your Tenable Vulnerability Management
container to English, Japanese, Simplified Chinese, or Traditional Chinese. This setting affects all
users in the container.

To change the plugin language:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the General tile.

The General page appears. By default, the Severity tab is active.

4. Click the Language tab.

The Language tab appears.

5. Under Language, select a new language.

Tenable Vulnerability Management updates the plugin language for your container.

Exports

When you create an export, you can set an expiration delay for the export file up to 30 calendar
days, which is the maximum number of days that Tenable Vulnerability Management allows before
your export files expire.

By default, any exports you create in Tenable Vulnerability Management have an expiration date of
30 days. If you want to decrease the number of days that Tenable Vulnerability Management allows
before your export files expire, you can configure your default export expiration days.

To configure your default export expiration:

1. Click the Exports tab.

The Export Expiration options appear.

2. In the Default Expiration box, type the number of days you want Tenable Vulnerability
Management to allow before your exports expire.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

Note: You must type the number of days as an integer between 1 and 30.

3. Click Save.

Tenable Vulnerability Management saves your settings and updates the number of allowable
days before your exports expire.

Search

Enabling plugin output data retention allows Tenable Vulnerability Management to store your plugin
output data each time you launch a scan. You can then filter your vulnerability findings by plugin
output. For more information, see Findings Filters.

Note: Tenable automatically disables this setting if it is unused for 35 days. Re-enable the setting to
conduct a search on plugin output for all scans from that point onward. Only use this setting if you need to
perform regular searches within the Explore user interface.

Once you have enabled plugin output data retention, you must launch a scan so that Tenable
Vulnerability Management can identify and store your plugin output data.

Caution: You cannot disable plugin output data retention once you have enabled it.

To enable plugin output data retention:

1. In the left navigation plane, click the Search tab.

The search options appear.

2. Click the Enable Regex Search on Plugin Output toggle.

3. Click Save.

Tenable Vulnerability Management enables plugin output data retention on your account.

What to do next:

• Launch a scan for your host assets.

My Account
From the My Account page, you can make changes to your own user account.

You can navigate to the My Account page via one of the following methods:

• To access the My Account page from the Settings page:

a. In the upper-left corner, click the button.

The left navigation plane appears.

b. In the left navigation plane, click Settings.

The Settings page appears.

c. Click the My Account tile.

The My Account page appears, where you can view and update your account details.

• To access the My Account page from the top navigation menu of any page:

a. In the upper-right corner, click the blue user circle.

The user account menu appears.

b. Click My Profile.

The My Account page appears.

View Your Account Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the My Account page, you can view details about your account, including your login
details, user role, and the groups and permissions assigned to you.

To view your account details:

1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. On the left side of the page, you can select from the following:

Option Action

Update Account

• Click Update Account.

The Update Account section appears, showing the following details for your account:
o Full Name
o Email
o Username
o Role

• (Optional) Update your basic account information, including name and email address.

Note: You cannot change your username or role.

• (Optional) Change your password.

• (Optional) Configure or disable two-factor authentication on your account.

• (Optional) Enable or disable Explore beta features on your account.

Groups

• Click Groups.

Note: You cannot change your groups settings on the My Account page. For more information, see User Groups.

• In the Groups table, view:
o The user groups you are assigned to.
o The number of members in each user group.

Permissions

• Click Permissions.

Note: Permissions, when applied to a user, allow that user to perform certain actions on specified asset tags (i.e., objects) and the assets to which those objects apply. Permissions can be applied to individual users or to all members of a user group. For more information, see Permissions.

Note: You cannot change your permissions settings on the My Account page.

• In the Permissions table, view:
o The names of the permissions assigned to your account.
o The actions those permissions allow you to perform.
o The objects each permission applies to.

API Keys

• Click API Keys.

• View a description of API keys.

• Generate API Keys.

Caution: Any existing API keys are replaced when you click the Generate button. You must update the applications where the previous API keys were used.

Caution: Be sure to copy the access and secret keys before you close the API Keys tab. After you close this tab, you cannot retrieve the keys from Tenable Vulnerability Management.

Note: User accounts expire according to when the Tenable Vulnerability Management container they
belong to was created. Tenable controls this setting directly. For more information, contact Tenable
Support.

Update Your Account

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To update your account:

1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. (Optional) Edit your Name.

3. (Optional) Edit your Email.

A valid email address must be in the format:

name@domain

where domain corresponds to a domain approved for your Tenable Vulnerability Management
instance.

This email address overrides the email address set as your Username. If you leave this option
empty, Tenable Vulnerability Management uses the Username value as your email address.

Note: During initial setup, Tenable configures approved domains for your Tenable Vulnerability
Management instance. To add domains to your instance, contact Tenable Support.

4. Click Save.

Tenable Vulnerability Management saves the changes to the account.

5. (Optional) Change your password.

6. (Optional) Configure two-factor authentication.

7. (Optional) Generate an API key.

Change Your Password

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can change the password for your own account as any type of user. The method of changing
your password varies slightly based on the role assigned to your user account.

To change another user's password, see Change Another User's Password.

To change your password:

1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. In the Current Password box, type your current password.

3. In the New Password box, type a new password. See Tenable Vulnerability Management
Password Requirements for more information.

4. Click the Save button.

Tenable Vulnerability Management saves the new password and terminates any currently
active sessions for your account. Tenable Vulnerability Management then prompts you to
re-authenticate.

5. Log in to Tenable Vulnerability Management using your new password.

Configure Two-Factor Authentication

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the My Account page, you can configure two-factor authentication for your account.

Tip: Administrators can also enforce two-factor authentication for other accounts when creating or editing
a user account.

Note: Before configuring two-factor authentication, check the International Phone Availability list to ensure
you are able to receive text messages from Tenable Vulnerability Management.

To add or modify two-factor authentication:


1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. In the Enable Two Factor Authentication section, do one of the following:

• To enable SMS two factor authentication:

a. Click Enable SMS Two Factor Authentication.

The Two-Factor Setup plane appears.

b. In the Current Password box, type your Tenable Vulnerability Management password.

c. In the Phone Number box, type your mobile phone number.

Note: By default, Tenable Vulnerability Management treats mobile numbers as U.S. numbers and prepends the +1 country code. If your mobile phone number is a non-U.S. number, be sure to prepend the appropriate country code.

d. Click Next.

The Verification Code plane appears and Tenable Vulnerability Management sends
a text message with a verification code to the phone number.

e. In the Verification Code box, type the verification code you received.

f. Click Next.

A Two-Factor Setup Successful message appears and Tenable Vulnerability Management applies your settings to your Tenable Vulnerability Management account.

g. (Optional) To configure whether Tenable Vulnerability Management sends a verification code to the email associated with your user account:

a. Select or clear the Send backup email check box.

b. Click Update.

Tenable Vulnerability Management updates your backup email settings.

Note: Once you save the phone number for this configuration, you cannot edit or change the
phone number. You must configure a new authentication setup for any additional phone
numbers you want to use.

• To enable authenticator application based authentication:

a. Click Enable Authenticator App.

The Two-Factor Setup plane appears.

b. In the Current Password box, type your Tenable Vulnerability Management password.

c. Click Next.

The Time-based One-Time Password plane appears.

d. In the authenticator application of your choice, scan the QR code.

In the authenticator application, a Tenable Vulnerability Management verification code appears.

e. In the Verification Code box, type the code provided by your authenticator
application.

Note: If you do not type the correct verification code, Tenable Vulnerability
Management locks the QR code. Delete the setup from your authenticator application
and scan a new QR code.

f. Click Next.

A Two-Factor Setup Successful message appears and Tenable Vulnerability Management applies your settings to your Tenable Vulnerability Management account.

To disable two-factor authentication in the new interface:


1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. In the Change Password section, in the Current Password box, type your current password.

3. In the Enable Two Factor Authentication section, click Disable.

A Disable Two-Factor confirmation message appears.

4. Read the warning message, then click Continue.

Tenable Vulnerability Management disables two-factor authentication for your account.

Generate API Keys

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed.

Note: Tenable Vulnerability Management API access and secret keys are required to authenticate with the
Tenable Vulnerability Management API.

Note: The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed. You cannot set separate keys
for individual products. For example, if you generate API keys in Tenable Vulnerability Management, this
action also changes the API keys for Tenable Web App Scanning and Tenable Container Security.

Note: Be sure to use one API key per application. Examples include, but are not limited to:

• Tenable Vulnerability Management integration

• Third-party integration

• Other custom applications, including those from Tenable Professional Services

The method to generate API keys varies depending on the role assigned to your user account.
Administrators can generate API keys for any user account. For more information, see Generate
Another User's API Keys. Other roles can generate API keys for their own account.

To generate API keys for your own account:

1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. Click the API Keys tab.

The API Keys section appears.

3. Click Generate.

The Generate API Keys window appears with a warning.

Caution: Any existing API keys are replaced when you click the Generate button. You must update
the applications where the previous API keys were used.

4. Review the warning and click Generate.

Tenable Vulnerability Management generates new access and secret keys, and displays the
new keys in the Custom API Keys section of the page.

Tip: If the Generate button is inactive, contact your administrator to ensure they've enabled
API access for your account. For more information, see Edit a User Account.

5. Copy the new access and secret keys to a safe location.

Caution: Be sure to copy the access and secret keys before you close the API Keys tab. After you
close this tab, you cannot retrieve the keys from Tenable Vulnerability Management.

Unlock Your Account

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management locks you out if you attempt to log in and fail 5 consecutive
times.

Note: If you no longer have access to the email address specified in your account, an
administrator for your Tenable Vulnerability Management instance can reset your password instead.

Note: A user can be locked out of the user interface but still submit API requests if they are assigned the
appropriate authorizations (api_permitted). For more information, see the Tenable Developer Portal.

To unlock your account:

1. On the Tenable Vulnerability Management login page, click the Forgot your password? link.

The password reset page appears.

2. In the Username box, enter your Tenable Vulnerability Management username.

3. In the CAPTCHA box, type your answer to the question.

4. Click Send.

Tenable Vulnerability Management sends password recovery instructions to the email address
specified in your user account.

5. Reset your password using the instructions in the email message. See Password
Requirements for more information.

SAML
You can configure Tenable Vulnerability Management to accept credentials from your SAML identity
provider (for example, Okta). This allows for an additional layer of security, where the SAML
credentials are certified for use within Tenable Vulnerability Management. Once you enable
SAML for a user, they can log in to Tenable Vulnerability Management directly through their identity
provider, which automatically signs them in and redirects them to the Tenable Vulnerability
Management landing page.

On the SAML page, you can view and manage your SAML credentials. You can also enable, disable,
and add new configurations for users within your Tenable Vulnerability Management instance.

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Vulnerability Management.

Note: Tenable Vulnerability Management supports SAML 2.0 configurations.

Note: Once SAML is configured for a user, they must log in using the IdP Tile or the URL provided in the SP
metadata file (for example, cloud.tenable.com/SAML/XXXXXX) and log back out before they can access the
Sign in via SSO link on the Tenable Vulnerability Management login page.

SAML Details
On the SAML page, you can view a table that includes the following details about your
SAML configurations:

Column Description

UUID: The UUID that Tenable Vulnerability Management automatically generates when you create a new SAML configuration.

Description: A description for the SAML configuration.

Last Login: The date and time on which a user on your instance last successfully logged
in via the SAML configuration.

Note: The Last Login column shows a value only if Tenable Vulnerability
Management has login data for the SAML identity provider.

Last Attempted Login: The date and time on which a user on your instance last attempted to log in
via the SAML configuration.

Note: The Last Attempted Login column shows a value only if Tenable
Vulnerability Management has attempted login data for the SAML identity
provider.

Certificate: The certificate for the SAML configuration.

In the certificate column, you can complete the following tasks:

• Click the button to copy the certificate to your clipboard.

• Hover over the button to view the certificate expiration date.

Note: Your identity provider determines the expiration date for your
certificate.

Actions: An interactive column from which you can download the metadata.xml file
that contains one or more security certificates for the configuration.

To download the metadata.xml file:

a. In the Actions column for the configuration from which you want to
download a metadata.xml file, click the button.

An options menu appears.

b. In the menu, click Download SP Metadata.

Tenable Vulnerability Management downloads the metadata.xml file to your computer.

View SAML Configurations

Required User Role: Administrator

To view your SAML configurations:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Vulnerability Management.

4. (Optional) Refine the table data. For more information, see Tables.

The SAML table contains the following columns:

Column Description

UUID: The UUID that Tenable Vulnerability Management automatically generates when you create a new SAML configuration.

Description: A description for the SAML configuration.

Last Login: The date and time on which a user on your instance last successfully
logged in via the SAML configuration.

Note: The Last Login column displays a value only if Tenable Vulnerability
Management has login data for the SAML identity provider.

Last Attempted Login: The date and time on which a user on your instance last attempted to
log in via the SAML configuration.

Note: The Last Attempted Login column displays a value only if Tenable
Vulnerability Management has attempted login data for the SAML identity
provider.

Certificate: The certificate for the SAML configuration.

In the certificate column, you can complete the following tasks:

• Click the button to copy the certificate to your clipboard.

• Hover over the button to view the certificate expiration date.

Note: Your identity provider determines the expiration date for your
certificate.

Actions: An interactive column from which you can download the metadata.xml
file that contains one or more security certificates for the
configuration.

To download the metadata.xml file:

1. In the Actions column for the configuration from which you want to download a metadata.xml file, click the button.

An options menu appears.

2. In the menu, click Download SP Metadata.

Tenable Vulnerability Management downloads the metadata.xml file to your computer.

Add a SAML Configuration

Required User Role: Administrator

You can manually enter the details for your SAML configuration or you can upload a metadata.xml
file that you download from your identity provider (IdP).

Note: Once SAML is configured for a user, they must log in using the IdP Tile or the URL provided in the SP
metadata file (for example, cloud.tenable.com/SAML/XXXXXX) and log back out before they can access the
Sign in via SSO link on the Tenable Vulnerability Management login page.

Before you begin:

Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Vulnerability Management. This includes the following high-
level steps:

• Follow the steps described in your IdP's documentation to set up a SAML application for
Tenable Vulnerability Management on your IdP account. Your IdP requires an entity ID and a
reply URL for Tenable Vulnerability Management to set up the SAML application:
o Entity ID/Audience URI: TENABLE_IO_PLACEHOLDER.
o ACS/SSO URL/Login URL/Reply URL:
https://cloud.tenable.com/SAML/login/placeholder.com.

l In your IdP account, download your metadata.xml file.

Note: Tenable does not currently support a SP-Initiated SAML flow. Because it must be initiated from the
Identity Provider side, navigating directly to https://cloud.tenable.com does not allow SSO.

Important! All users must have an account configured in Tenable Vulnerability Management that matches
their SSO login. You must ensure the SSO login matches the FULL Tenable account name (i.e.,
[email protected]).

To add a new SAML configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the action bar, click Create.

The SAML Settings page appears.

5. Do one of the following:

To provide configuration details by uploading the metadata.xml file from your IdP:

a. In the first drop-down box, select Import XML.

Note: Import XML is selected by default.

b. The Type drop-down box specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin, etc.). This option is read-only.

c. Under Import, click Add File.

A file manager window appears.

d. Select the metadata.xml file.

The metadata.xml file is uploaded.

To manually create your SAML configuration using data from the metadata.xml file from your IdP:

a. In the first drop-down box, select Manual Entry.

A SAML configuration form appears.

b. Configure the following settings:

Enabled toggle: A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled. By default, the Enable setting is set to Enabled. Click the toggle to disable the SAML configuration.

Type: Specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin, etc.). This option is read-only.

Description: A description for the SAML configuration.

IdP Entity ID: The unique entity ID that your IdP provides.

Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider with separate identity provider URLs, entity IDs, and signing certificates.

IdP URL: The SAML URL for your IdP.

Certificate: Your IdP security certificate or certificates.

Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.

User Auto Provisioning Enabled: A toggle that indicates whether automatic user account creation is enabled or disabled.

IdP Assigns User Role at Provisioning: To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.

IdP Resets User Role at Each Login: To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.

6. Click Save.

Tenable Vulnerability Management saves your SAML configuration.

What to do next:

- Download the metadata.xml from Tenable Vulnerability Management using the Download SP Metadata option in the SAML Configurations table.

- Upload this file to the SAML application you created for Tenable Vulnerability Management with your SAML provider.

Tip: If you are having trouble configuring SAML, Tenable recommends trying one of the various third-party
SAML debugging tools available online. You can also reach out to Tenable Support for further
troubleshooting assistance.

Edit a SAML Configuration

Required User Role: Administrator

You can edit a SAML configuration on the SAML page.

To edit a SAML configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, click the SAML configuration that you want to edit.

The SAML Settings page appears.

5. (Optional) In the first drop-down box, select a different method to provide basic configuration details.

- Import XML — Configure SAML authentication by uploading the metadata file your IdP provided, as described in Add a SAML Configuration.

- Manual Entry — Configure SAML authentication by manually configuring SAML options using data from the metadata.xml file your IdP provided, as described in Add a SAML Configuration.

Tenable Vulnerability Management updates the configuration options based on your selected source.

6. Update any of the configurable SAML settings described below. The source (the selection in the first drop-down box) for which each setting applies is shown in parentheses.

Note: Some settings are read-only and cannot be modified.

Note: The configuration options you can update depend on the source you select in the first drop-down box.

Enabled toggle (Manual Entry): Indicates whether the SAML configuration is enabled or disabled. By default, the Enable setting is set to Enabled. In the upper-right corner, click the toggle to disable the SAML configuration.

Type (Manual Entry, Import XML): Specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (e.g., Okta, OneLogin, etc.).

UUID (Manual Entry, Import XML): A unique identifier for your identity provider that Tenable Vulnerability Management automatically generates when you create a new SAML configuration. This box is read-only.

URL (Manual Entry, Import XML): The login URL that Tenable Vulnerability Management generates when you create a configuration. This box is read-only.

Entity ID (Manual Entry, Import XML): A unique identifier that Tenable Vulnerability Management generates when you create a configuration. This box is read-only.

Created (Manual Entry, Import XML): The time and date on which an administrator user created the configuration. This box is read-only.

Last Updated (Manual Entry, Import XML): The time and date on which an administrator user last updated the configuration. This box is read-only.

Description (Manual Entry): A description for the SAML configuration.

IdP Entity ID (Manual Entry): Your identity provider's unique entity ID.

Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider, with separate identity provider URLs, entity IDs, and signing certificates.

IdP URL (Manual Entry): The SAML URL for your identity provider.

Certificate (Manual Entry): Your identity provider's security certificate or certificates.

Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.

User Autoprovisioning Enabled (Manual Entry): A toggle that indicates whether automatic user account creation is enabled or disabled.

IdP Assigns User Role at Provisioning (Manual Entry): To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.

IdP Resets User Role at Each Login (Manual Entry): To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.

Import (Import XML): A metadata.xml file from your identity provider that contains one or more SAML certificates.

To import a new metadata.xml file from your identity provider:

a. Under Import, click Add File.

A file explorer window appears.

b. Select the metadata.xml file.

The metadata.xml file is uploaded.

Note: If your metadata.xml file contains multiple certificates, only the first one appears in the Certificate column for the configuration on the SAML page.

7. Click Save.

Tenable Vulnerability Management saves the configuration.

The SAML page appears with the updated configuration.

Disable a SAML Configuration

Required User Role: Administrator

Disabling a SAML configuration prevents users on your instance from using the SAML credentials in
the configurations to log in to Tenable Vulnerability Management. You can enable a disabled SAML
configuration as described in Enable a SAML Configuration.

Caution: When you disable a SAML configuration, users can no longer log in to Tenable Vulnerability
Management using their SAML credentials. Make sure all users on your instance have an alternative method
to log in to Tenable Vulnerability Management before you disable a SAML configuration.

To disable a SAML configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, click the SAML configuration that you want to disable.

The SAML Settings page appears.

5. At the bottom of the page, click the SAML Enable toggle to disable the configuration.

6. Click Save.

Tenable Vulnerability Management disables the SAML configuration. On the SAML page, the disabled configuration appears in light gray.

Note: You cannot disable a SAML configuration that is already disabled.

Enable a SAML Configuration

Required User Role: Administrator

You can enable a disabled SAML configuration. For more information about SAML authentication in Tenable Vulnerability Management, see SAML.

Tip: Review the Tenable SAML Configuration Quick Reference Guide for a step-by-step guide of how to
configure SAML for use with Tenable Vulnerability Management.

Note: Once SAML is configured for a user, they must log in using the IdP Tile or the URL provided in the SP
metadata file (for example, cloud.tenable.com/SAML/XXXXXX) and log back out before they can access the
Sign in via SSO link on the Tenable Vulnerability Management login page.

Before you Begin:

Configure your IdP to authenticate with Tenable Vulnerability Management. For more information,
see the Tenable SAML Configuration Quick Reference Guide.

To enable a SAML configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, click the SAML configuration that you want to enable.

Tip: Disabled configurations appear in light gray.

The SAML Settings page appears.

5. At the bottom of the page, click the SAML Enable toggle to enable the configuration.

6. Click Save.

Tenable Vulnerability Management enables the SAML configuration. On the SAML page, the
enabled configuration appears in black.

Enable Automatic Account Provisioning

Required User Role: Administrator

When you manually configure or edit a SAML configuration, you can enable automatic user account
provisioning. Automatic account provisioning allows users with credentials for the IdP named in the
SAML configuration to create a Tenable Vulnerability Management account the first time they log in
via the IdP.

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Vulnerability Management.

Tenable Vulnerability Management creates automatically provisioned accounts with the following
defaults:

- Full name — NameID

- Username — NameID

- Email — NameID

- User role — Basic

Tenable Vulnerability Management does not currently support any other claim types.
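The provisioning rules above and the IdP Assigns User Role at Provisioning / IdP Resets User Role at Each Login settings from the SAML settings table, as an added example that is not Tenable's code: it parses a constructed, unsigned sample assertion, derives the account fields from NameID, and applies the three toggles to one IdP-initiated login. The assertion text, the directory of accounts and the ROLE-UUID placeholders are constructed for the example; real role UUIDs come from Settings > Access Control > Roles.

```python
"""Added example (not Tenable's code): how the SAML provisioning settings
described in the guide act on an IdP-initiated login."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_ROLE = "Basic"  # default role for auto-provisioned accounts (per the guide)


@dataclass
class SamlConfig:
    """The three provisioning toggles on the SAML Settings page."""
    user_autoprovisioning_enabled: bool = False
    idp_assigns_role_at_provisioning: bool = False
    idp_resets_role_at_each_login: bool = False


@dataclass
class Account:
    full_name: str
    username: str
    email: str
    role: str


def build_assertion(name_id: str, role_uuid: Optional[str] = None) -> str:
    """Constructed, minimal, unsigned SAML 2.0 assertion used as sample input.

    A real assertion is signed and carries Conditions, AuthnStatement, etc.;
    only the parts the guide maps to account fields are modelled here.
    """
    attribute_statement = ""
    if role_uuid is not None:
        attribute_statement = (
            "<saml:AttributeStatement>"
            '<saml:Attribute Name="userRoleUuid">'
            f"<saml:AttributeValue>{role_uuid}</saml:AttributeValue>"
            "</saml:Attribute>"
            "</saml:AttributeStatement>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"{attribute_statement}"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text: str) -> Tuple[str, Dict[str, str]]:
    """Return (NameID, {attribute name: first value}) from an assertion.

    Signature verification is the service provider's job and happens before
    this point; a production parser should also be hardened (e.g. defusedxml).
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; the guide maps every account field to it")
    attributes: Dict[str, str] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if values:
            attributes[attr.get("Name", "")] = values[0]
    return name_id.text.strip(), attributes


def saml_login(cfg: SamlConfig, directory: Dict[str, Account], xml_text: str) -> Account:
    """Apply the guide's rules to one login; returns the account after login.

    directory maps the FULL Tenable account name to its Account and is updated
    in place when a new account is provisioned.
    """
    name_id, attributes = parse_assertion(xml_text)
    idp_role = attributes.get("userRoleUuid")

    # The Important! note: the SSO login must match the full account name.
    account = directory.get(name_id)
    if account is None:
        if not cfg.user_autoprovisioning_enabled:
            raise PermissionError(f"no Tenable account named {name_id!r} and auto-provisioning is off")
        # Defaults for auto-provisioned accounts: full name, username and email are all NameID.
        role = idp_role if (cfg.idp_assigns_role_at_provisioning and idp_role) else BASIC_ROLE
        account = Account(full_name=name_id, username=name_id, email=name_id, role=role)
        directory[name_id] = account
    elif cfg.idp_resets_role_at_each_login and idp_role:
        # The role chosen in the IdP overwrites the current role on every login.
        account.role = idp_role
    return account


if __name__ == "__main__":
    cfg = SamlConfig(True, True, True)
    users: Dict[str, Account] = {}
    # ROLE-UUID placeholders stand in for values from Settings > Access Control > Roles.
    first = saml_login(cfg, users, build_assertion("alice@example.com", "ROLE-UUID-PLACEHOLDER-A"))
    print("provisioned:", first)
    second = saml_login(cfg, users, build_assertion("alice@example.com", "ROLE-UUID-PLACEHOLDER-B"))
    print("after role reset:", second.role)
```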

Before you Begin:

Configure your IdP to authenticate with Tenable Vulnerability Management. For more information,
see the Tenable SAML Configuration Quick Reference Guide.

To enable automatic user account provisioning:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, click the SAML configuration for which you want to enable automatic
account provisioning.

The SAML Settings page appears.

5. At the bottom of the page, click the User Autoprovisioning Enabled toggle to enable
automatic account provisioning.

6. Click Save.

Tenable Vulnerability Management enables automatic account provisioning in the SAML configuration.

Disable Automatic Account Provisioning

Required User Role: Administrator

Disabling automatic account provisioning prevents users from automatically creating a Tenable Vulnerability Management account the first time they access the platform via their IdP. You can re-enable automatic account provisioning on a SAML configuration, as described in Enable Automatic Account Provisioning.

To disable automatic user account provisioning:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, click the SAML configuration for which you want to disable automatic account provisioning.

The SAML Settings page appears.

5. At the bottom of the page, click the User Autoprovisioning Enabled toggle to disable automatic account provisioning.

6. Click Save.

Tenable Vulnerability Management disables automatic account provisioning in the SAML configuration.

Delete a SAML Configuration

Required User Role: Administrator

You can delete a SAML configuration on the SAML page. For more information about SAML authentication in Tenable Vulnerability Management, see SAML.

Before you begin:

- Disable the SAML configuration you want to delete.

To delete a SAML configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the SAML tile.

The SAML page appears.

4. In the SAML table, select the check box for the SAML configuration that you want to delete.

5. In the action bar, click the Delete button.

Tenable Vulnerability Management deletes the SAML configuration.

Note: Ensure that when you delete a SAML configuration, you also remove the related configuration
in your IdP.

What to do next:
- Remove the related configuration from your identity provider's application.

License Information
On the License Information page, you can view a complete breakdown of your Tenable products
and their license usage. You can view this information in multiple ways, including visual overviews
by product or time period that enable you to spot trends such as temporary usage spikes or product
misconfigurations.

Tip: For details on how Tenable licenses work in each product that appears on the License Information
page, see Licensing Tenable Products. To learn about license overages, see Tenable Cloud Overage Process.

View the License Information Page


To view the License Information page, in the top navigation bar, click the gear icon. Then,
on the page that appears, click License Information. The License Information page
appears.

The License Information page shows license usage for all products in your current
Tenable container.

Purchased Products: On the left, click a product tile to view details. If a product is still being evaluated or has expired, a label appears.

- Used — The total number of licenses used or assessed from your product subscription.

- Purchased — The number of licenses you have purchased for that product.

- Available — The remaining available licenses from your subscription that have not yet been assessed.

Product Summary: At the top of the page, view a summary of the selected product:

- Product Name — The name of the product.

- Container UUID — The unique ID for the container.

- Last Updated — The date and time the product was last updated.

- Site Name — The cluster containing your installed products in Tenable's cloud.

- Region — The geographic region in which your cluster is located.

- Plugin Set — The version of the product's Nessus plugin set.

- Plugin Updated — The date and time the Nessus plugin set was last updated.

- Total License Subscription — The total number of licenses purchased as part of your product subscription.

- Assets Consumed — The total number of licenses used or assessed from your product subscription.

- Available Assets — The remaining available licenses from your subscription that have not yet been assessed.

- Utilization — The percentage of your licenses that have been used. This value is calculated as the number of licenses consumed divided by the total license subscription.

- Expires On — The date your Tenable subscription expires.

Usage Breakdown & Trend: See visual breakdowns of your asset usage:

- Bar Chart — (Tenable One only) View your total license use by Tenable One component in a bar chart.

Note: If you have the new version of Tenable Cloud Security, your licensed asset count is calculated by multiplying your Compute, Serverless, and Container Repositories assets by any ratio and adding your Container Images (if you have Tenable Container Security). If your organization has a ratio, it appears in the Cloud Security section, in the License Ratio field. To learn more about the ratio Tenable may apply to your cloud resources, contact your Tenable representative.

- Usage Over Time – View your license use over time in a line chart where the X-axis is the time period and the Y-axis is the number of assets used. With the filters at the top of the chart, switch between time periods on the left, or specify a custom date range on the right.

Tip: (Tenable One only) Click the tiles above the chart to select or deselect products.

Vulnerability Management Hosts: View the number of Tenable Vulnerability Management assets that count towards your license:

- Hosts — The number of hosts that count towards your license.

Cloud Security Resources: View the number of cloud resources in your environment identified by Tenable Cloud Security.

Note: Tenable Cloud Security has two versions. If you have the latest version, your licensed cloud asset counts appear in the Compute, Serverless, and Container Repositories fields, as well as the Container Images field if you have Tenable Container Security. To view your total licensed cloud assets, see the Usage Breakdown & Trend section.

- License Ratio — (New version only) Any ratio applied to your Compute, Serverless, and Container Repositories resources. For example, if your organization has a ratio of 3, 10 Compute resources equals 30 licensed Tenable assets. To learn more about the ratio Tenable may apply to cloud resources, contact your Tenable representative.

- Compute — (New version only) Cloud computing resources such as AWS EC2 instances or Azure virtual machines. Hover on this field to view your billable resources, or the total number of resources before any ratio is applied.

- Serverless — (New version only) Cloud serverless resources such as AWS Lambda or Azure Functions. Hover on this field to view your billable resources, or the total number of resources before any ratio is applied.

- Container Repositories — (New version only) Cloud container repositories scanned by Tenable Cloud Security. Hover on this field to view your billable resources, or the total number of resources before any ratio is applied.

- Container Images (Legacy Container Security) — The number of packaged applications that count towards your license. Only used if you have Tenable Container Security.

- Billable — (Legacy only) A subset of cloud assets that are considered licensed, typically cloud compute, storage, or network resources scanned in the past 90 days.

Tip: If you have the new version of Tenable Cloud Security, these assets do not count towards your license.

- Non-Billable — (Legacy only) Infrastructure as code (IaC) assets scanned locally, in a repository, or in a pipeline. These are not considered licensed.

Web App Scanning FQDNs: View the number of Tenable Web App Scanning resources that count towards your license:

- FQDNs — The number of fully qualified domain names that count towards your license.

Note: Tenable Web App Scanning determines asset count by the number of fully qualified domain names (FQDNs) that are scanned for your user account. An asset does not count against your license limit until it has been successfully scanned for vulnerabilities.

Attack Surface Management Assets: View your Tenable Attack Surface Management resources:

- Observable Objects — The number of assets discovered and added to your inventory in Tenable Attack Surface Management.

Note: If you are a Tenable One Standard customer, these resources do not count towards your asset license.

Active Directory Users: View the number of Tenable Identity Exposure resources that count towards your license:

- Users — The number of enabled active users.

Access Control

Required User Role: Administrator

From the Access Control page, you can view and configure the list of users and groups on your
account and the permissions assigned to them.

Users

Topics in this section have been modified to reflect feature updates in Tenable Vulnerability Management
Key Enhancements. For more information, see Tenable Vulnerability Management Key Enhancements.

On the Access Control page, in the Users tab, administrator users can create and manage user
accounts for an organization's resources in Tenable Vulnerability Management.

Users Table

Name: The username for the account.

Full Name: The full name of the user.

Last Login: The date on which the user last successfully logged in to the Tenable Vulnerability Management interface.

Last Failed: The date on which the user last failed to log in to the Tenable Vulnerability Management interface.

Total Failed: The total number of failed login attempts for the user. This number resets when either an administrator or the user resets the password for the user account.

Last API Access: The date on which the user last generated API keys.

Role: The role assigned to the user. For more information, see Roles.

Actions: The actions an administrator user can take with the user (e.g., export a user).

On the Users page, you can perform the following actions:

- Create a User Account

- View Your List of Users

- Edit a User Account

- Change Another User's Password

- Assist a User with Their Account

- Generate Another User's API Keys

- Unlock a User Account

- Disable a User Account

- Enable a User Account

- Manage User Access Authorizations

- Audit User Activity

- Export Users

- Delete a User Account

Create a User Account

Required User Role: Administrator

On the Users page, you can create an account for a new user.

Tip: Looking for account creation via a SAML IdP? See the SAML documentation.

Note: User accounts expire according to when the Tenable Vulnerability Management container they
belong to was created. Tenable controls this setting directly. For more information, contact Tenable
Support.

To create a user account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Create User button.

The Create User page appears.

5. Configure the following options:

Note: To view and configure options in each section, you must select the section in the left menu.

General Section

Full Name: Type the first and family name of the user.

Username: Type a valid username. A valid username must be in the format name@domain, where domain corresponds to a domain approved for your Tenable Vulnerability Management instance.

Note: During initial setup, Tenable configures approved domains for your Tenable Vulnerability Management instance. To add domains to your instance, contact your Tenable representative.

Note: Tenable Vulnerability Management usernames cannot include the following characters: ', !, #, $, %, ^, &, *, (, ), /, \, |, {, }, [, ], ", :, ;, ~, `, <, > and the comma "," itself.

Email: Type a valid email address in the format name@domain, where domain corresponds to a domain approved for your Tenable Vulnerability Management instance. This email address overrides the email address set in the Username box. If you leave this option empty, Tenable Vulnerability Management uses the Username value as the user's email address.

Note: As an Administrator, you can create user accounts with email addresses from unapproved domains. Once a user account is created, you can only change the email address to another approved domain.

Password: Type a valid password. See Password Requirements for more information. In Tenable Web App Scanning, passwords must be at least 12 characters long and contain the following:

- An uppercase letter

- A lowercase letter

- A number

- A special character

Verify Password: Type the password again.

Role: In the drop-down box, select the role that you want to assign to the user.

Authentication: Select or deselect the available security setting options. When selected, these settings:

Note: If you enable the Password Access or SAML options for a user with a custom role, the user automatically has basic access to your dashboards and widgets.

- API Key — Allow the user to generate API keys.

Tip: You can select only this setting to create an API-only user account.

- SAML — Allow the user to log in to their account using SAML single sign-on (SSO). For more information, see SAML.

- Username/Password — Allow the user to log in to their account using a password.

Note: If you deselect this option, you cannot select the MFA option.

- Two-Factor Required — Require the user to provide two-factor authentication to log in to their account.

Tip: You can configure two-factor authentication for your own account on the My Account page.

User Groups Section

User Groups: Select the user group or groups to which you want to assign the user. By default, a new user belongs to the system-generated All Users user group, which assigns the user the Basic role.

To add a user group:

- Click anywhere in the User Groups box.

A search box and drop-down list of roles appear.

- (Optional) In the Search box, type a user group name.

As you type, a list of user groups matching your search appears.

- Click the user group you want to add.

In the User Groups box, Tenable Vulnerability Management adds a label representing the user group.

- Repeat these steps to add the user to another user group.

Permission Section

Permissions: In the Permissions table, select the permission configurations you want to assign to the user.

6. Click Save.

Note: If you assign permissions to the user, the button appears as Add & Save.

Tenable Vulnerability Management lists the new user account in the users table.

Edit a User Account

Required User Role: Administrator

To edit a user account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the users table, click the name of the user that you want to edit.

The Edit User page appears.

5. Configure the following options:

Account Settings

Full Name: Edit the first and last name of the user.

Username: You cannot edit this option.

Email: Type a valid email address in the format name@domain, where domain corresponds to a domain approved for your Tenable Vulnerability Management instance. This email address overrides the email address set in the Username box. If you leave this option empty, Tenable Vulnerability Management uses the Username value as the user's email address.

Note: As an Administrator, you can create user accounts with email addresses from unapproved domains. Once a user account is created, you can only change the email address to another approved domain.

New Password: Type a valid password. See Password Requirements for more information. In Tenable Web App Scanning, passwords must be at least 12 characters long and contain the following:

- An uppercase letter

- A lowercase letter

- A number

- A special character

Role: In the drop-down box, select the role that you want to assign to the user.

Groups

User Groups: Select the user group or groups to which you want to assign the user. The user inherits the roles and permissions associated with the user group.

Security Settings: Select or deselect the available security setting options. When selected, these settings:

- API — Allow the user to generate API keys.

Tip: You can select only this setting to create an API-only user account.

- SAML — Allow the user to log in to their account using SAML single sign-on (SSO). For more information, see SAML.

- Password Access — Allow the user to log in to their account using a password.

Note: If you deselect this option, you cannot select the MFA option.

- MFA — Require the user to provide two-factor authentication to log in to their account.

Tip: You can configure two-factor authentication for your own account on the My Account page.

6. (Optional) Generate API keys for the user.

7. Click Save.

Tenable Vulnerability Management saves the changes to the account.

View Your List of Users

Required User Role: Administrator

On the Access Control page, in the Users tab, you can view a list of all the users on your Tenable
Vulnerability Management instance.

To view users and user data for your Tenable Vulnerability Management instance:

1. In the left navigation plane, click Settings.

The Settings page appears.

2. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

3. Click the Users tab.

The Users tab appears, containing a table of all Tenable Vulnerability Management user
accounts on your Tenable Vulnerability Management instance. This documentation refers to
that table as the users table.

Users Table
On the users table, you can view the following information about users on your Tenable Vulnerability
Management instance.

Name: The username for the account.

Last Login: The date on which the user last successfully logged in to the Tenable Vulnerability Management interface.

Last Failed: The date on which the user last failed to log in to the Tenable Vulnerability Management interface.

Total Failed: The total number of failed login attempts for the user. This number resets when either an administrator or the user resets the password for the user account.

Last API Access: The date on which the user last generated API keys.

Role: The role assigned to the user. For more information, see Roles.

Actions: The actions an administrator user can take with the user (e.g., export a user).

Tenable Vulnerability Management Password Requirements

Tenable Vulnerability Management enforces the following password requirements for all accounts:

Password Criteria

Passwords must be at least 12 characters long and contain the following:

• An uppercase letter

• A lowercase letter

• A number

• A special character

Password Expiration

Tenable Vulnerability Management passwords do not expire.

Account Lockout

By default, after 5 failed login attempts, Tenable Vulnerability Management locks the user out of
their account. When a user is locked out of their account, they can unlock their own account, or an
administrator can reset their password.

Password History

You cannot reuse a current or former password.

Change Another User's Password

Required User Role: Administrator

To change the password for another user's account, you must be an administrator. To change your
own password, see Change Your Password.

To change another user's password:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the users table, click the name of the user that you want to edit.

The Edit User page appears.

5. In the New Password box, type a new password. See Password Requirements for more
information.

6. Click Save.

Tenable Vulnerability Management saves the new password for the user account.

Assist a User with Their Account

Required User Role: Administrator

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

As an administrator, you can use the user assist functionality to simulate being logged in as another
account. While assisting a user account, you can perform operations in Tenable Vulnerability
Management as that user without needing to obtain their password or having to log out of your
administrator account.

Note: User Assist is available only for user accounts that have one or both of these authentication settings enabled:

• Username/Password

• SAML

To enable these security settings, see Edit a User Account.

To assist a user with their account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the users table, click the check box for the user account you want to assist.

The action bar appears at the top of the table.

Note: You can select only one user to assist at a time.

5. In the action bar, click the button.

Tenable Vulnerability Management refreshes and displays the default dashboard for the user
you are assisting. While you are assisting the user, Tenable Vulnerability Management displays
an overlay at the top of each page with the role of the user you are assisting.

To stop assisting a user with their account:

• At the top of any page, in the overlay that displays the role of the user you are assisting, click the button.

Generate Another User's API Keys

Required User Role: Administrator

The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed. These keys must be
used to authenticate with the Tenable Vulnerability Management REST API.

Administrators can generate API keys for any user account. Other roles can generate API keys for
their own accounts. For more information, see Generate API Keys.

Note: The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed. You cannot set separate keys
for individual products. For example, if you generate API keys in Tenable Vulnerability Management, this
action also changes the API keys for Tenable Web App Scanning and Tenable Container Security.

To generate API keys for another user:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the users table, click the name of the user that you want to edit.

The Edit User page appears.

5. In the API Keys section, click Generate API Keys.

Caution: Any existing API keys are replaced when you generate new API keys. You must update the
applications where the previous API keys were used.

A warning message appears.

6. Review the warning and click Replace & Generate.

The Generate API Keys text box appears.

The new access and secret keys for the account appear in the text box.

7. (Optional) Click Re-generate API Keys.

8. Copy the new access and secret keys to a safe location.

Caution: Be sure to copy the access and secret keys before you navigate away from the Edit User
page. After you close this page, you cannot retrieve the keys from Tenable Vulnerability
Management.

Unlock a User Account

Tenable Vulnerability Management locks you out if you attempt to log in and fail 5 consecutive
times.

Note: A user can be locked out of the user interface but still submit API requests if they are assigned the
appropriate authorizations (api_permitted). For more information, see the Tenable Developer Portal.

You can unlock a user account in one of the following ways:

• If a user has access to the email address specified in the user account, they can unlock their own account.

• If a user no longer has access to that email address, another user with administrator privileges can reset the user's password.

Disable a User Account

Required User Role: Administrator

Disabling a user account prevents the user from logging in and prevents their scans from running.
You can enable a disabled user account as described in Enable a User Account.

Important: Disabling a user account does not disable scheduled reports for that user. Additionally, if the
disabled user shared a report with other users, these other users can still generate that report. For more
information, see Reports.

To disable a user account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Select the user or users you want to disable:

   • Select a single user:

     a. In the users table, in the row for the user account you want to disable, click the button.

     The action buttons appear in the row.

     b. In the row, click the button.

     A confirmation window appears.

   • Select multiple users:

     a. In the users table, click the check box for each user you want to disable.

     The action bar appears at the bottom of the page.

     b. In the action bar, click the button.

     A confirmation window appears.

5. In the confirmation window, click Disable.

A success message appears.

Tenable Vulnerability Management disables the selected user or users. In the users table, a
disabled user appears in light gray.

Note: If the user you disable has a session in progress, they may continue to have limited access.
However, once they log out, they cannot log back in.

Enable a User Account

Required User Role: Administrator

When you disable a user account, you can enable an account again to restore a user's access.

To enable a user account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Select the user or users you want to enable:

   • Select a single user:

     a. In the users table, in the row for the user account you want to enable, click the button.

     The action buttons appear in the row.

     Note: Users appear grayed out while they are disabled.

     b. In the row, click the button.

     A confirmation window appears.

   • Select multiple users:

     a. In the users table, click the check box for each user you want to enable.

     The action bar appears at the bottom of the page.

     b. In the action bar, click the button.

     A confirmation window appears.

5. In the confirmation window, click Enable.

A success message appears.

Tenable Vulnerability Management enables the selected user or users. In the users table, an
enabled user appears in black.

Manage User Access Authorizations

Users can access Tenable Vulnerability Management using the following methods:

• Username and password login.

• Single sign-on (SSO). For more information, see SAML.

• Tenable Vulnerability Management REST API with API keys. For more information, see Generate Another User's API Keys.

When you create a new user, all access methods are authorized by default. Depending on your
organization's security policies, you may need to disable certain access methods, for example,
disable username and password login to enforce SSO.

Use the Tenable Vulnerability Management Platform API to view, grant, and revoke access
authorizations for a user. For more information, see Get User Authorizations and Update User
Authorizations in the Tenable Developer Portal.
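The SSO-enforcement change described above (revoke username and password login while keeping SAML) can be scripted against those two endpoints. The script below is an added example, not Tenable's code: it assumes the Developer Portal paths /users/{user_id}/authorizations with the three booleans api_permitted, password_permitted and saml_permitted (verify both in the portal), reads API keys from the constructed TIO_ACCESS_KEY and TIO_SECRET_KEY environment variables, and refuses to remove password login from a user who has no SAML access, since that would lock them out of the interface.

```python
"""Enforce SSO-only interactive login for one user (added example, not Tenable's code)."""
import json
import os
import sys
import urllib.request

BASE_URL = "https://cloud.tenable.com"  # Tenable Vulnerability Management API host
# Assumed field names of the Get/Update User Authorizations payload.
AUTH_FIELDS = ("api_permitted", "password_permitted", "saml_permitted")


def api_key_headers(access_key, secret_key):
    """Headers for API-key authentication against the Tenable REST API."""
    return {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_request(method, user_id, access_key, secret_key, body=None):
    """Build the Get (GET) or Update (PUT) User Authorizations request."""
    url = f"{BASE_URL}/users/{int(user_id)}/authorizations"  # assumed path
    data = None if body is None else json.dumps(body).encode("utf-8")
    return urllib.request.Request(url, data=data, method=method,
                                  headers=api_key_headers(access_key, secret_key))


def normalize(auth):
    """Reduce an authorizations response to the three booleans this script manages."""
    return {field: bool(auth.get(field, False)) for field in AUTH_FIELDS}


def can_enforce_sso(current):
    """True when password login can be switched off without locking the user out:
    either password login is already off, or SAML remains available."""
    cur = normalize(current)
    return (not cur["password_permitted"]) or cur["saml_permitted"]


def enforce_sso(current):
    """Return the authorization set with password login disabled.
    Raises when that would leave the user with no interactive login method."""
    if not can_enforce_sso(current):
        raise ValueError("user has no SAML access; disabling password login would lock them out")
    desired = normalize(current)
    desired["password_permitted"] = False
    return desired


def _send(request):
    """Send a request and parse the JSON body (an empty body becomes {})."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def update_authorizations(user_id, access_key, secret_key, send=_send):
    """Read the user's current authorizations, compute the SSO-enforced set and
    PUT it back only if something changes. `send` is injectable so the logic can
    be exercised without network access."""
    current = normalize(send(build_request("GET", user_id, access_key, secret_key)))
    desired = enforce_sso(current)
    if desired != current:
        send(build_request("PUT", user_id, access_key, secret_key, body=desired))
    return desired


if __name__ == "__main__":
    # Usage: python enforce_sso.py <user_id>  (keys from constructed env var names)
    access, secret = os.environ["TIO_ACCESS_KEY"], os.environ["TIO_SECRET_KEY"]
    print(json.dumps(update_authorizations(int(sys.argv[1]), access, secret), indent=2))
```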

Audit User Activity

Required User Role: Administrator

In Tenable Vulnerability Management, the audit log records user events that take place in your
organization's Tenable Vulnerability Management account. For each event, the log includes
information about:

• The action taken

• The time at which the action was taken

• The user ID

• The target entity ID

The audit log provides visibility into the actions that users in your organization take in Tenable Vulnerability Management, and can be helpful for identifying security issues and other potential problems.

To view the audit log for your organization's Tenable Vulnerability Management account:

• Use the Audit Log endpoint as documented in the Tenable Developer Portal.

Logged Events

Audit log events include the following:

Action                        Description

audit.log.view                The system received and processed an audit-log request.

session.create                The system created a session for the user. A user login triggers this event.

session.delete                The session aged out, or the user ended a session.

session.impersonation.end     An administrator ended a session where they impersonated another user.

session.impersonation.start   An administrator started a session where they impersonated another user.

user.authenticate.mfa         Two-factor authentication was successful, and login was allowed.

user.authenticate.password    The user authenticated a session start using a password.

user.create                   An administrator created a new user account.

user.delete                   An administrator deleted a user account.

user.impersonation.end        An administrator stopped impersonating another user.

user.impersonation.start      An administrator started impersonating another user.

user.logout                   The user logged out of their session.

user.update                   Either an administrator or the user updated a user account.
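As an added example (not Tenable's code), the script below triages a small constructed audit-log extract using the event names in the table above: it pairs each user-assist (impersonation) session with its end event and reports any still open, flags password logins that produced no MFA event, and tallies account creations and deletions per administrator. The event field names (action, received, actor_id, target_id) are an assumption about the export shape; map them to the real Audit Log endpoint response.

```python
"""Triage a Tenable Vulnerability Management audit-log extract (added example)."""
from datetime import datetime, timezone

# Constructed sample events, not real data. The field names are an assumption
# about the Audit Log endpoint response: the guide only promises that each event
# records the action, the time, the user ID and the target entity ID.
SAMPLE_EVENTS = [
    # alice: password login followed by a successful MFA step (compliant)
    {"action": "user.authenticate.password", "received": "2024-06-20T08:00:00Z", "actor_id": "u-alice", "target_id": "u-alice"},
    {"action": "user.authenticate.mfa", "received": "2024-06-20T08:00:05Z", "actor_id": "u-alice", "target_id": "u-alice"},
    {"action": "session.create", "received": "2024-06-20T08:00:06Z", "actor_id": "u-alice", "target_id": "u-alice"},
    # bob: password login with no MFA event (MFA not enforced on the account)
    {"action": "user.authenticate.password", "received": "2024-06-20T08:10:00Z", "actor_id": "u-bob", "target_id": "u-bob"},
    {"action": "session.create", "received": "2024-06-20T08:10:01Z", "actor_id": "u-bob", "target_id": "u-bob"},
    # admin assists carol for 25 minutes, later assists dave and never ends it
    {"action": "session.impersonation.start", "received": "2024-06-20T09:00:00Z", "actor_id": "u-admin", "target_id": "u-carol"},
    {"action": "user.update", "received": "2024-06-20T09:05:00Z", "actor_id": "u-admin", "target_id": "u-carol"},
    {"action": "session.impersonation.end", "received": "2024-06-20T09:25:00Z", "actor_id": "u-admin", "target_id": "u-carol"},
    {"action": "session.impersonation.start", "received": "2024-06-20T10:00:00Z", "actor_id": "u-admin", "target_id": "u-dave"},
    {"action": "user.delete", "received": "2024-06-20T10:30:00Z", "actor_id": "u-admin", "target_id": "u-erin"},
    {"action": "user.logout", "received": "2024-06-20T11:00:00Z", "actor_id": "u-bob", "target_id": "u-bob"},
]


def parse_time(stamp):
    """ISO 8601 UTC timestamp -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sorted_events(events):
    return sorted(events, key=lambda ev: parse_time(ev["received"]))


def impersonation_sessions(events):
    """Pair session.impersonation.start/end per (admin, assisted user).

    Closed sessions carry their duration; a start with no matching end is
    reported with end=None so an assist that was never stopped stands out.
    """
    open_sessions, sessions = {}, []
    for ev in sorted_events(events):
        key = (ev["actor_id"], ev["target_id"])
        when = parse_time(ev["received"])
        if ev["action"] == "session.impersonation.start":
            open_sessions[key] = when
        elif ev["action"] == "session.impersonation.end" and key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({"admin": key[0], "user": key[1], "start": start,
                             "end": when, "minutes": (when - start).total_seconds() / 60})
    for (admin, user), start in open_sessions.items():
        sessions.append({"admin": admin, "user": user, "start": start, "end": None, "minutes": None})
    return sessions


def password_logins_without_mfa(events, window_seconds=300):
    """Flag session.create events whose login used a password but produced no
    user.authenticate.mfa event in the look-back window (heuristic: the
    account is not enforcing MFA)."""
    flagged, ordered = [], sorted_events(events)
    for idx, ev in enumerate(ordered):
        if ev["action"] != "session.create":
            continue
        created = parse_time(ev["received"])
        saw_password = saw_mfa = False
        for prev in reversed(ordered[:idx]):
            if prev["actor_id"] != ev["actor_id"]:
                continue
            if (created - parse_time(prev["received"])).total_seconds() > window_seconds:
                break
            if prev["action"] == "user.authenticate.mfa":
                saw_mfa = True
            elif prev["action"] == "user.authenticate.password":
                saw_password = True
                break  # the password step is where this login attempt began
        if saw_password and not saw_mfa:
            flagged.append({"user": ev["actor_id"], "time": created})
    return flagged


def lifecycle_changes(events):
    """Count user.create / user.delete actions per acting administrator."""
    counts = {}
    for ev in events:
        if ev["action"] in ("user.create", "user.delete"):
            per_admin = counts.setdefault(ev["actor_id"], {"user.create": 0, "user.delete": 0})
            per_admin[ev["action"]] += 1
    return counts


def triage(events):
    """Bundle the three checks into one report."""
    return {"impersonation": impersonation_sessions(events),
            "password_without_mfa": password_logins_without_mfa(events),
            "lifecycle": lifecycle_changes(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for s in report["impersonation"]:
        state = f"{s['minutes']:.0f} min" if s["end"] else "STILL OPEN"
        print(f"assist {s['admin']} -> {s['user']} at {s['start']:%H:%M} ({state})")
    for f in report["password_without_mfa"]:
        print(f"password login without MFA: {f['user']} at {f['time']:%H:%M}")
    for admin, c in report["lifecycle"].items():
        print(f"{admin}: created {c['user.create']}, deleted {c['user.delete']}")
```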

Export Users

Required User Role: Administrator

On the Users page, you can export one or more users in CSV or JSON format.

To export your users:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Users tab.

The Users page appears. This page contains a table that lists all users for your Tenable
Vulnerability Management instance.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the users that you want to export:

Export Scope     Action

Selected users   To export selected users:

                 a. In the users table, select the check box for each user you want to export.

                 The action bar appears at the top of the table.

                 b. In the action bar, click Export.

                 Note: The Export link is available for up to 200 selections. If you want to export more than 200 users, select all the users in the list and then click Export.

A single user    To export a single user:

                 a. In the users table, right-click the row for the user you want to export.

                 The action options appear next to your cursor.

                 -or-

                 In the users table, in the Actions column, click the button in the row for the user you want to export.

                 The action buttons appear in the row.

                 b. Click Export.

The Export plane appears. This plane contains:

• A text box to configure the export file name.

• A list of available export formats.

• A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

• A text box to set the number of days before the export expires.

• A toggle to configure the export schedule.

• A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of users.

         Note: If your .csv export file includes a cell that begins with any of the following characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a single quote (') at the beginning of the cell. For more information, see the related knowledge base article.

JSON     A JSON file that contains a nested list of users. Empty fields are not included in the JSON file.

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

   • Click the Schedule toggle.

     The Schedule section appears.

   • In the Start Date and Time section, select the date and time on which you want the export schedule to start.

   • In the Time Zone drop-down box, select the time zone to which you want the schedule to adhere.

   • In the Repeat drop-down box, select how often you want the export to repeat.

   • In the Repeat Ends drop-down, select the date on which you want the schedule to end.

     Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

   Note: You can enable email notifications with or without scheduling exports.

   • Click the Email Notification toggle.

     The Email Notification section appears.

   • In the Add Recipients box, type the email addresses to which you want to send the export notification.

   • (Required) In the Password box, type a password for the export file. You must share this password with the recipients to allow them to download the file.

     Note: Tenable Vulnerability Management sends an email to the recipients and from the link in the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Delete a User Account

Required User Role: Administrator

Before you delete a user account, you must first disable the user account.

Caution: Once you delete a user account, the account cannot be recovered and the action cannot be
reversed.

Caution: Tenable Web App Scanning does not support object migration. When you delete a Tenable Web
App Scanning user, the application does not reassign objects belonging to the deleted users. Note that you
cannot reassign a Tenable Web App Scanning scan to a new owner if its owner is deleted.

Caution: Before you delete a user account, reassign any associated Remediation projects. These will not be
reassigned automatically.

The following table describes what objects are migrated, retained, or permanently deleted upon
user deletion:

Object Type                      Deleted   Notes

Audit Files in Scans             Yes       Permanently deleted

Scan Schedules                   No        Migrated to the new object owner

                                           Note: Migrated scan schedules may be disabled if they rely on other permanently deleted objects, such as Audit files, Target Groups, or Unmanaged Credentials.

Historical Scan Results          No        Migrated to the new object owner

Scan Templates                   No        Migrated to the new object owner

Unmanaged Credentials in Scans   Yes       Permanently deleted

Custom Dashboards/Widgets        Yes       Permanently deleted

Managed Credentials              No        Retained (Created By value displays as null)

Tags                             No        Retained (Created By value displays as null)

Recast/Accept Rules              No        Retained (Owner value displays as Unknown User)

Exclusions                       No        Retained

System Target Groups             No        Retained

User Target Groups               No        Migrated to the new object owner

Saved Searches                   Yes       Permanently deleted

Connectors                       No        Retained

Sensors                          No        Retained

To delete a user account:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the users table, in the row for the user account you want to delete, click the button.

A menu appears.

5. In the menu, click the button.

Note: If a user is not disabled, then the button does not appear. Disable the user before deleting
them.

Note: You cannot delete the Default Administrator account. If you want to delete the Default
Administrator account, you must contact Tenable Support.

The user plane appears.

6. In the Select New Object Owner drop-down box, select the user to which you want to transfer
any of the user's objects (e.g., scan results, user-defined scan templates).

7. Click Delete.

A confirmation message appears.

8. Click Delete.

Tenable Vulnerability Management deletes the user and transfers any user objects to the user
you designated.

User Groups
User groups allow you to manage user permissions for various resources in Tenable Vulnerability
Management. When you assign users to a group, the users inherit the permissions assigned to the
group. Your organization may utilize groups to provide permissions to batches of users based on
the roles of those users and your organization's security posture.

To view your user groups:

1. In the left navigation plane, click Settings.

The Settings page appears.

2. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

3. Click the Groups tab.

The Groups page appears.

The User Groups page displays a table of all user groups in your Tenable Vulnerability Management
instance. This documentation refers to that table as the user groups table.

The user groups table contains the following columns:

Column    Description

Name      The group name. You can define this name for all user groups except the Tenable-provided All Users and Administrator groups.

Members   The number of users assigned to the user group.

Actions   The actions you can take with the group.

On the Groups tab, you can perform the following actions:

• Create a Group

• Edit a Group

• Export Groups

• Delete a Group

Create a User Group

Required User Role: Administrator

To create a user group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. At the top of the user group table, click the Create User Group button.

The Create Group page appears.

5. In the User Group Name box, type a name for the new group.

6. Add users to the group:

a. For each user you want to add, click the Users drop-down box and begin typing a
username.

As you type, Tenable Vulnerability Management filters the list of users in the drop-down
box to match your search.

b. Select a user from the drop-down box.

Tenable Vulnerability Management adds the user to the list of users to be added to the
user group.

Tip: To remove a user from the list of users to be added, roll over the user and click the
button.

7. Click Save.

Tenable Vulnerability Management creates the user group and adds the listed users as
members.

The Groups page appears, where you can view the new group listed in the user groups table.

Edit a User Group

Required User Role: Administrator

To edit a group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. In the user groups table, click the user group that you want to edit.

The Edit User Group page appears.

5. Do any of the following:

   • In the User Group Name box, type a new group name.

   • Add users to the group:

     a. For each user you want to add, click the Users drop-down box and begin typing a username.

     As you type, Tenable Vulnerability Management filters the list of users in the drop-down box to match your search.

     b. Select a user from the drop-down box.

     Tenable Vulnerability Management adds the user to the list of users to be added to the user group.

   • Remove a user from the group:

     a. In the Users list, click the button next to the user account you want to remove.

     Tenable Vulnerability Management removes the user from the Users list.

   • Add or remove permissions from the group.

6. Click Save.

Tenable Vulnerability Management saves the user group with any changes you made.

Export Groups

Required User Role: Administrator

On the Access Control page, in the Groups tab, you can export one or more user groups in CSV or
JSON format.

To export your user groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Groups tab.

The Groups tab appears, containing a table that lists all user groups in your Tenable
Vulnerability Management instance.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Do one of the following:

   To export a single group:

   a. In the groups table, right-click the row for the group you want to export.

   The action options appear next to your cursor.

   -or-

   In the groups table, in the Actions column, click the button in the row for the group you want to export.

   The action buttons appear in the row.

   b. Click Export.

   To export multiple groups:

   a. In the groups table, select the check box for each group you want to export.

   The action bar appears at the top of the table.

   b. In the action bar, click Export.

   Note: You can individually select and export up to 200 groups. If you want to export more than 200 groups, you must select all the groups on your Tenable Vulnerability Management instance by selecting the check box at the top of the groups table and then click Export.

   The Export plane appears. This plane contains:

   • A text box to configure the export file name.

   • A list of available export formats.

   • A table of configuration options for fields to include in the exported file.

   Note: By default, all fields are selected.

   • A text box to set the number of days before the export expires.

   • A toggle to configure the export schedule.

   • A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of groups.

         Note: If your .csv export file includes a cell that begins with any of the following characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a single quote (') at the beginning of the cell. For more information, see the related knowledge base article.

JSON     A JSON file that contains a nested list of groups. Empty fields are not included in the JSON file.

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

   • Click the Schedule toggle.

     The Schedule section appears.

   • In the Start Date and Time section, select the date and time on which you want the export schedule to start.

   • In the Time Zone drop-down box, select the time zone to which you want the schedule to adhere.

   • In the Repeat drop-down box, select how often you want the export to repeat.

   • In the Repeat Ends drop-down, select the date on which you want the schedule to end.

     Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

   Note: You can enable email notifications with or without scheduling exports.

   • Click the Email Notification toggle.

     The Email Notification section appears.

   • In the Add Recipients box, type the email addresses to which you want to send the export notification.

   • (Required) In the Password box, type a password for the export file. You must share this password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Delete a Group

Required User Role: Administrator

Note: You cannot delete the Tenable-provided Administrator or All Users user group.

Before you begin:

• Remove all users from the user group. You cannot delete a user group that contains any users.

To delete one or more user groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Groups tab.

The Groups page appears. This page displays a table with all the user groups on your Tenable
Vulnerability Management account.

5. Do one of the following:

   • To delete a single user group:

     a. In the user groups table, click the button for the user group you want to delete.

     A menu appears.

     b. Click the Delete button.

     A confirmation window appears.

   • To delete multiple user groups:

     a. In the user groups table, select the check box for each user group you want to delete.

     The action bar appears at the top of the table.

     b. In the action bar, click the Delete button.

     A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the selected user group or groups. The deleted
group or groups no longer appear in the user groups table.

Permissions
Tenable Vulnerability Management allows you to create and manage configurations that determine
which users on your organization's account can perform specific actions with the organization's
resources and data. This documentation refers to these configurations as permission
configurations [1].

On the My Accounts page, each user can view the permission configurations assigned to them. However, only administrator users can view or manage permission configurations for other users. For more information, see Tenable-Provided Roles and Privileges.

When you create a user or user group, you can assign existing permission configurations to them for assets that meet the criteria specified by a previously created tag. In Tenable Vulnerability Management, these assets and the tags that define them are called objects [2].

Roles vs. Permissions: What's the difference?

• Roles — Roles allow you to manage privileges for major functions in Tenable Vulnerability Management and control which Tenable Vulnerability Management modules and functions users can access.

• Permissions — Permissions allow you to manage access to your own data, such as Tags, Assets, and their Findings.

[1] A configuration that administrators can create to determine what actions certain users and groups can perform with a given set of resources.

[2] In a permission configuration, an asset and the tag that defines it.

When you create a permission configuration, you must select one or more of the following
predefined permissions. These permissions determine the actions users can take with the object or
objects defined in the permission configuration.

Permission | Description
Can View | Allows a user or group with this permission to view the assets defined by the object.
Can Scan | Allows a user or group with this permission to scan the assets defined by the object.

  Note: For a manually entered target to be considered valid, it must meet the following criteria:

  • The user is an administrator, OR
  • The user has at least Scan Operator role privileges, AND
    ◦ If the target does not exist within the Tenable Vulnerability Management system, the user
      must have Can Scan permissions on an object that refers to the target explicitly via IPv4,
      IPv6 or FQDN. If the object has more than one rule, the rules must be joined by the
      "Match Any" filter, OR
    ◦ If the target already exists within the Tenable Vulnerability Management system, then it
      must be tagged by an object for which the user has Can Scan permissions.

Can Edit | Allows a user or group with this permission to edit the tag that defines the object.
Can Use | Allows a user or group with this permission to use the tag that defines the object.

To view your permission configurations in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the permission
configurations on your Tenable Vulnerability Management instance.

Note: The first row of the permissions table contains a read-only entry for Administrators. This entry
exists to remind you that Administrators have all permissions for every resource on your account.
For more information, see Roles.

On the Permissions tab, you can perform the following actions:

• Create and Add a Permission Configuration

• Add a Permission Configuration to a User or Group

• Edit a Permission Configuration

• Export Permission Configurations

• Remove a Permission Configuration from a User or Group

• Delete a Permission Configuration

Create and Add a Permission Configuration

Required User Role: Administrator

When you create a permission configuration in Tenable Vulnerability Management, you can apply
that configuration to one or more users or groups.

Before you begin:


• Create a user or group for your Tenable Vulnerability Management account.

• Create a tag for the object for which you want to create a permission.

To create and add a permission configuration to a user or group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the permission
configurations on your Tenable Vulnerability Management instance.

5. At the top of the table, click Create Permission.

The Create Permission window appears.

6. In the Permission Name box, type a name for the permission configuration.

7. (Optional) In the Users drop-down box, select one or more users.

Note: Although the Users box is optional, you cannot save the permission configuration unless at
least one user or user group is selected.

8. (Optional) In the Groups drop-down box, select one or more user groups.

Note: Although the Groups box is optional, you cannot save the permission configuration unless at
least one user or user group is selected.

Note: You can select All Users in the Groups drop-down box to assign the permission configuration
to all users on your Tenable Vulnerability Management instance. However, Tenable recommends that
you use caution when assigning the permission configuration to all users because doing so goes
against security best practices.

9. In the Permissions drop-down box, select one or more permissions.

Caution: Adding the Can Edit permission to your permission configuration along with the Can View
or Can Scan permission allows assigned users to change the scope of the assets they can view and
scan. Tenable recommends that you combine the Can Edit permission with the Can View or Can
Scan permission only for administrator users.

Note: If you select the Can Edit permission, Tenable Vulnerability Management automatically adds
the Can Use permission.

10. In the Objects drop-down box, select one or more objects to which to apply the permission
configuration.

Note: The objects in the drop-down box are previously created tags that identify and define your
assets. For more information, see Permissions.

Tip: You can select All Assets to allow users and groups to view or scan all the assets on your
instance, regardless of whether the assets match any existing objects. You can also select All Tags
to allow users and groups on your instance to edit or use all objects on your instance. For more
information about objects, see Permissions.

11. Click Save.

A confirmation message appears.

Tenable Vulnerability Management saves your changes. The permission configuration appears
on the Permissions tab.

Add a Permission Configuration to a User or Group

Required User Role: Administrator

Before you begin:


• Create a user or group for your Tenable Vulnerability Management account.

• Create a permission configuration.

To add a permission configuration to a user or group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Do one of the following:

• Add a permission configuration to a user:
a. Click the Users tab.

The Users tab appears. This tab contains a list of all the users on your Tenable
Vulnerability Management instance.

b. In the users table, click the user to which you want to add a permission
configuration.

The Edit User page appears.

c. In the Permissions section, at the top of the table, click Add Permissions.

The Add Permissions window appears.

d. Select the check box next to one or more permission configurations.

e. Click Add.

The permission configuration appears in the Permissions table on the Edit User
page.

• Add a permission configuration to a user group:

a. Click the Groups tab.

The Groups tab appears. This tab contains a list of all the user groups on your
Tenable Vulnerability Management instance.

b. In the groups table, click the group to which you want to add a permission
configuration.

The Edit User Group page appears.

c. In the Permissions section, at the top of the table, click Add Permissions.

The Add Permissions window appears.

d. Select the check box next to one or more permission configurations.

e. Click Add.

The permission configuration appears in the Permissions table on the Edit User
Group page.

5. Click Save.

Tenable Vulnerability Management saves your changes and adds the permission configuration
to the user or group.

Edit a Permission Configuration

Required User Role: Administrator

To edit a permission configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Permissions tab.

The Permissions tab appears. This tab contains a list of all the permission configurations on
your Tenable Vulnerability Management instance.

5. In the table, click the permission configuration you want to edit.

The Permission Details page appears.

6. (Optional) In the Permission Name box, type a new name for the permission configuration.

7. (Optional) Add or remove users or user groups.

8. (Optional) Add or remove a permission:

Caution: Adding the Can Edit permission to your permission configuration along with the Can View or
Can Scan permission allows the users selected in the permission configuration to change the scope
of the assets they can view and scan. Tenable recommends that you combine the Can Edit
permission with the Can View or Can Scan permission only for administrator users.

Note: If you select the Can Edit permission, Tenable Vulnerability Management automatically adds
the Can Use permission.

Note: You cannot assign permissions to user or groups for a given object that overlap with
permissions assigned to them via another permission configuration. For example, if you selected the
Can Edit permission for an object, but a user listed under Users already has the ability to edit that
object based on an existing permission configuration, Tenable Vulnerability Management generates
an error message and prevents you from saving the current permission configuration until you
modify your selections to remove the redundancy.

a. To add a permission, in the Permissions drop-down box, select one or more
permissions.

b. To remove a permission, in the Permissions drop-down box, click the button next to
each permission you want to remove.

9. (Optional) Add or remove an object.

a. To add an object, in the Objects drop-down box, select one or more objects.

b. To remove an object, in the Objects drop-down box, click the button next to each
object you want to remove.

10. Click Save.

Tenable Vulnerability Management saves your changes. The updated permission configuration
appears on the Permissions tab.
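The two rules this section states in prose, the validity test for a manually entered scan target under the Can Scan permission (administrator, or at least Scan Operator plus a Can Scan object that names or tags the target) and the overlap check that blocks saving a permission configuration in step 8 above, are easier to reason about as code. The following is an added example written for this guide, not Tenable's own implementation or API; the data classes, the `known_assets` inventory and the sample tags, users and configurations are constructed assumptions, and the automatic addition of Can Use when Can Edit is selected is modelled from the note in the procedure above.

```python
from dataclasses import dataclass, field

# Role hierarchy from the Tenable-provided roles table: higher rank, more privileges.
ROLE_RANK = {"Basic": 0, "Scan Operator": 1, "Standard": 2,
             "Scan Manager": 3, "Administrator": 4}

# Rule fields that refer to a target "explicitly" in the sense of the Can Scan note.
EXPLICIT_RULE_FIELDS = ("ipv4", "ipv6", "fqdn")


@dataclass
class TagObject:
    """An object: a tag whose rules define a set of assets (hypothetical model)."""
    name: str
    rules: list            # list of (field, value) tuples, e.g. ("ipv4", "10.0.0.5")
    match_any: bool = True  # True = rules joined with "Match Any", False = "Match All"

    def refers_to_target(self, target):
        # With more than one rule, only a "Match Any" join satisfies the guide's condition.
        if len(self.rules) > 1 and not self.match_any:
            return False
        return any(f in EXPLICIT_RULE_FIELDS and v.lower() == target.lower()
                   for f, v in self.rules)


@dataclass
class PermissionConfig:
    name: str
    permissions: set       # subset of {"Can View", "Can Scan", "Can Edit", "Can Use"}
    objects: list          # TagObject instances

    def __post_init__(self):
        # The guide: selecting Can Edit automatically adds Can Use.
        if "Can Edit" in self.permissions:
            self.permissions.add("Can Use")


@dataclass
class User:
    name: str
    role: str
    permission_configs: list = field(default_factory=list)

    def objects_with(self, permission):
        return [obj for cfg in self.permission_configs
                if permission in cfg.permissions for obj in cfg.objects]


def manual_target_is_valid(user, target, known_assets):
    """known_assets maps a target already in the system to the set of tag names
    applied to it (a constructed inventory, not a real API)."""
    if user.role == "Administrator":
        return True
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK["Scan Operator"]:
        return False
    scannable = user.objects_with("Can Scan")
    if target in known_assets:
        # Existing asset: it must carry a tag the user may scan.
        return any(obj.name in known_assets[target] for obj in scannable)
    # Unknown target: a scannable object must name it explicitly.
    return any(obj.refers_to_target(target) for obj in scannable)


def overlapping_grants(user, new_cfg):
    """(permission, object) pairs the user already holds through another
    configuration; the guide says such overlap prevents saving."""
    held = {(p, obj.name) for cfg in user.permission_configs
            for p in cfg.permissions for obj in cfg.objects}
    proposed = {(p, obj.name) for p in new_cfg.permissions for obj in new_cfg.objects}
    return sorted(held & proposed)


# Constructed sample data.
WEB_TAG = TagObject("Env:Web", [("fqdn", "web1.example.test")])
MIXED_TAG = TagObject("Env:Mixed",
                      [("ipv4", "10.0.0.5"), ("fqdn", "db1.example.test")],
                      match_any=False)
SCAN_WEB = PermissionConfig("scan web tier", {"Can Scan", "Can View"}, [WEB_TAG])
SCAN_MIXED = PermissionConfig("scan mixed tier", {"Can Scan"}, [MIXED_TAG])
EDIT_MIXED = PermissionConfig("edit mixed tag", {"Can Edit"}, [MIXED_TAG])
KNOWN_ASSETS = {"10.0.0.9": {"Env:Web"}, "10.0.0.5": {"Env:Mixed"}}
OPERATOR = User("ops", "Scan Operator", [SCAN_WEB, SCAN_MIXED])
BASIC = User("viewer", "Basic", [SCAN_WEB])
ADMIN = User("root", "Administrator")

if __name__ == "__main__":
    for who, tgt in ((OPERATOR, "web1.example.test"), (OPERATOR, "db1.example.test"),
                     (BASIC, "web1.example.test"), (OPERATOR, "10.0.0.5")):
        print(who.name, tgt, manual_target_is_valid(who, tgt, KNOWN_ASSETS))
    print(overlapping_grants(OPERATOR, PermissionConfig("dup", {"Can Scan"}, [WEB_TAG])))
```

`db1.example.test` is rejected for the operator even though a scannable object lists it, because that object joins its two rules with Match All; the same host would be accepted once it exists in the inventory tagged Env:Mixed, which is the second branch of the rule.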

Export Permission Configurations

Required User Role: Administrator

On the Permissions page, you can export one or more permission configurations in CSV or JSON
format.

To export your permission configurations:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the permission
configurations on your Tenable Vulnerability Management instance.

Note: The first row of the permissions table contains a read-only entry for Administrators. This entry
exists to remind you that Administrators have all permissions for every resource on your account.
For more information, see Roles.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Do one of the following:

• To export a single permission configuration:

a. In the permission configurations table, right-click the row for the permission
configuration you want to export.

The action options appear next to your cursor.

-or-

In the permission configurations table, in the Actions column, click the button in the
row for the permission configuration you want to export.

The action buttons appear in the row.

b. Click Export.

• To export multiple permission configurations:

a. In the permission configurations table, select the check box for each permission
configuration you want to export.

The action bar appears at the top of the table.

b. In the action bar, click More.

A menu appears.

c. Click Export.

Note: You can individually select and export up to 200 permission configurations. If you want
to export more than 200 permission configurations, you must select all the permission
configurations on your Tenable Vulnerability Management instance by selecting the check box
at the top of the permission configurations table and then click Export.

The Export plane appears. This plane contains the following:

• A text box to configure the export file name.

• A list of available export formats.

• A table of configuration options for fields to include in the exported file.

  Note: By default, all fields are selected.

• A text box to set the number of days before the export expires.

• A toggle to configure the export schedule.

• A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format | Description
CSV | A CSV text file that contains a list of permission configurations.

  Note: If your .csv export file includes a cell that begins with any of the following
  characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
  single quote (') at the beginning of the cell. For more information, see the
  related knowledge base article.

JSON | A JSON file that contains a nested list of permission configurations. Empty fields are not
included in the JSON file.

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

• Click the Schedule toggle.

  The Schedule section appears.

• In the Start Date and Time section, select the date and time on which you want the
  export schedule to start.

• In the Time Zone drop-down box, select the time zone to which you want the schedule
  to adhere.

• In the Repeat drop-down box, select how often you want the export to repeat.

• In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

• Click the Email Notification toggle.

  The Email Notification section appears.

• In the Add Recipients box, type the email addresses to which you want to send the
  export notification.

• (Required) In the Password box, type a password for the export file. You must share this
  password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.
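The CSV note in step 8 describes a defence against spreadsheet formula injection: a cell whose first character is one of =, +, -, @ is prefixed with a single quote so that a spreadsheet opening the export treats it as text. The following added example (written for this guide, not Tenable's export code) applies the same neutralization when writing permission configurations to CSV and audits an existing file for cells that still start with a formula character. The sample rows are constructed; as a generalization beyond the four characters the guide lists, the writer also neutralizes a leading tab or carriage return.

```python
import csv
import io

# Leading characters the guide says trigger the single-quote prefix in the export.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Our addition: other leading characters spreadsheets may interpret specially.
EXTRA_PREFIXES = ("\t", "\r")


def neutralize_cell(value):
    """Return the cell as text, prefixed with a single quote when it would
    otherwise be parsed as a formula by a spreadsheet application."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES + EXTRA_PREFIXES):
        return "'" + text
    return text


def export_permissions_csv(rows, fieldnames):
    """Serialize a list of dict rows to CSV text with every cell neutralized.
    Cells containing the delimiter are double-quoted by the csv module."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


def cells_needing_neutralization(csv_text):
    """Audit CSV text produced elsewhere: (row, column) positions of cells
    that still begin with one of the guide's four formula characters."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((r, c))
    return hits


# Constructed sample rows; the second deliberately uses formula-like values.
FIELDS = ["name", "permissions", "objects"]
SAMPLE_ROWS = [
    {"name": "scan web tier", "permissions": "Can Scan, Can View", "objects": "Env:Web"},
    {"name": "=SUM(A1:A3)", "permissions": "Can Use", "objects": "-ops"},
]

if __name__ == "__main__":
    out = export_permissions_csv(SAMPLE_ROWS, FIELDS)
    print(out)
    print("remaining formula cells:", cells_needing_neutralization(out))
```

The audit function is the check worth keeping: run it over any CSV you receive from an export pipeline before handing the file to users who will open it in a spreadsheet.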

Remove a Permission Configuration from a User or Group

Required User Role: Administrator

Note: You cannot remove a permission configuration from the Tenable-provided Administrator or All
Users user groups.

To remove a permission configuration from a user or user group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. To remove a permission configuration from a user:

• Do one of the following:

  ◦ Remove the permission configuration via the Users tab:
a. Click the Users tab.

The Users tab appears. This tab contains a list of all the users on your
Tenable Vulnerability Management instance.

b. In the users table, click the user from which you want to remove a
permission configuration.

The Edit User page appears.

c. In the Permissions table, in the Actions column, click the button next to
the permission configuration you want to remove.

d. Click the Remove button.

Tenable Vulnerability Management removes the permission configuration from the user.

e. (Optional) Repeat for each user from which you want to remove a permission
configuration.

  ◦ Remove the permission via the Permissions tab:
a. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the
permission configurations on your Tenable Vulnerability Management
instance.

b. In the table, click the permission configuration you want to remove.

The Permission Details page appears.

c. Under Users, click the button next to each user from which you want to
remove the permission configuration.

Tenable Vulnerability Management removes the permission configuration from the Users list.

5. To remove a permission configuration from a user group:

• Do one of the following:

  ◦ Remove the permission configuration via the Groups tab:
a. Click the Groups tab.

The Groups tab appears. This tab contains a list of all the user groups on
your Tenable Vulnerability Management instance.

b. In the user groups table, click the group from which you want to remove a
permission configuration.

The Edit User Group page appears.

c. In the Permissions table, in the Actions column, click the button next to
the permission configuration you want to remove.

d. Click the Remove button.

Tenable Vulnerability Management removes the permission configuration from the user group.

e. (Optional) Repeat for each user group from which you want to remove a
permission configuration.

  ◦ Remove the permission configuration via the Permissions tab:
a. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the
permission configurations on your Tenable Vulnerability Management
instance.

b. In the table, click the permission you want to remove.

The Permission Details page appears.

c. Under Groups, click the button next to each user group from which you
want to remove the permission configuration.

Tenable Vulnerability Management removes the permission configuration from the Groups list.

6. Click Save.

Tenable Vulnerability Management saves your changes and removes the permission from the
user or group.

Delete a Permission Configuration

Required User Role: Administrator

Note: You cannot delete the default permission configuration.

To delete a permission configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Permissions tab.

The Permissions tab appears. This tab contains a table that lists all of the permission
configurations on your Tenable Vulnerability Management instance.

5. In the table, in the Actions column, click the button next to the permission configuration you
want to delete.

6. Click the Delete button.

Tenable Vulnerability Management deletes the permission configuration.

Roles
Roles allow you to manage privileges for major functions in Tenable Vulnerability Management and
control which Tenable Vulnerability Management resources users can access.

When you create a user, you must select a role for that user. The role broadly determines the actions
the user can perform.

Note: You can further refine user access to specific resources by assigning permissions to individual users
or groups. For more information, see Permissions.

Roles vs. Permissions: What's the difference?

• Roles — Roles allow you to manage privileges for major functions in Tenable Vulnerability
  Management and control which Tenable Vulnerability Management modules and functions users can
  access.
• Permissions — Permissions allow you to manage access to your own data, such as Tags, Assets,
  and their Findings.

On the Roles page, you can view all Tenable-provided roles and any custom roles created on your
Tenable Vulnerability Management instance.

You can assign one of the following role types to users:

Role Type | Description
Tenable-Provided Roles and Privileges | Contains a predefined set of privileges determined by the
Tenable Vulnerability Management product specified on your account license. Each role encompasses
the privileges of lower roles and adds new privileges. Administrators have the most privileges.
Basic users have the fewest.
Custom Roles | Contains a custom set of privileges that allow you to tailor user privileges and
access to resources on your Tenable Vulnerability Management instance.

To view your user roles:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the user roles available on
your Tenable Vulnerability Management instance.

On the Roles page, you can complete the following actions:

• Create a Custom Role

• Duplicate a Role

• Edit a Custom Role

• Export Roles

• Delete a Custom Role

Tenable-Provided Roles and Privileges

The following tables describe privileges associated with each Tenable-provided user role, organized
by function in their respective product.

Note: You can further refine user access to specific resources by assigning permissions to individual users
or groups. For more information, see Permissions.

Tenable Vulnerability Management-Provided Roles and Privileges

Area | Administrator | Scan Manager | Standard | Scan Operator | Basic
Activity Logs | view, export | - | - | - | -
API Keys | view, modify | view, modify | view, modify | view, modify | view, modify
Account Settings | view, modify | view, modify | view, modify | view, modify | view, modify
Agents | view, delete | view, delete | - | - | -
Agent Freeze Windows | view, create, modify, delete | view, create, modify, delete | - | - | -
Agent Groups | view, create, modify, delete | view, create, modify, delete | - | - | -
Agent Settings | view, modify | view, modify | - | - | -
Assets | view, modify, export, delete | view, modify, export, delete | view, modify, export, delete | view, modify, export, delete | view, export
Connectors | view, create, modify, delete | - | - | - | -
Dashboards | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete | view, create, modify, export, delete
Exclusions | view, import, export, delete | view, import, export, delete | - | - | -
Exports | view, modify, export, delete | - | - | - | -
General Settings | view, modify | - | - | - | -
Health and Status | view | - | - | - | -
Managed Credentials | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete
PCI Managing | view, import, export, create, modify, delete | - | - | - | -
Recast Rules | view, create, modify, delete | - | - | - | -
Reports | view, run, create, modify, delete | view, run, create, modify, delete | view, run, create, modify, delete | view, run, create, modify, delete | view
Report Results | view, delete | view, delete | view, delete | view, delete | view
Scans [1] | view, import, run, create, modify, delete | view, import, run, create, modify, delete | view, import, run, create, modify, delete | view, import, run, create [2], modify, delete | view [3], import
Scan Results | view, export, delete | view, export, delete | view, export, delete | view, export, delete | view, export, delete
Sensors | view, add, modify, delete | view, add, modify, delete | - | - | -
Scanner Groups | view, create, modify, delete | view, create, modify, delete | - | - | -
Tags [4] | view, create tag category, create tag value, delete, export, assign, unassign | view, create tag value, delete, assign, unassign | view, delete, assign, unassign [5] | view, delete, assign, unassign | view, assign, unassign
User Groups | view, create, modify, delete, export | - | - | - | -
User-Defined Scan Templates | view, import, export, create, modify, delete | view, import, export, create, modify, delete | view, import, export, create, modify, delete | - | -
Users | view, create, modify, delete | - | - | - | -
Vulnerabilities | view, export | view, export | view, export | view, export | view, export

[1] User roles determine a user's abilities, but the permissions that a user has for a particular scan are
dictated by scan permissions.
[2] Can create scans using existing user-defined policies that are shared with the user.
[3] Can view the list of scans, but not scan configuration details.
[4] Assigning and unassigning tags can be done from the Asset Details page.
[5] Standard users must have the Can Use permission to view, delete, assign, and unassign tags.

Tenable Web App Scanning-Provided Roles and Privileges

Area | Administrator | Scan Manager | Standard | Scan Operator | Basic
Dashboards | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view
Tenable-Provided Scan Templates | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view | -
User-Defined Templates | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | -
Scans (also requires scan permissions) | view, import, create, modify, run, delete | view, import, create, modify, run, delete | view, create, modify, run, delete | view, create [1], modify, run, delete, move to trash | view
Managed Credentials | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete | view, create, modify, delete
Scan Permissions | view, create, modify, delete [2] | view, create, modify, delete [3] | view, create, modify, delete [4] | view, create, modify, delete [5] | -
Scan Results (also requires scan permissions) | view, delete | view, delete | view, delete | view, delete | view, delete

[1] Can create scans using existing user-defined policies that are shared with the user.
[2] Administrator users can create, modify, and delete permissions for scans that any user on the
account owns.
[3] Scan Manager users can create, modify, or delete permissions only on scans they own.
[4] Standard users can create, modify, or delete permissions only on scans they own.
[5] Scan Operator users can create, modify, or delete permissions only on scans they own.

Lumin Exposure View-Provided Roles and Privileges

Area | Administrator | Scan Manager | Standard | Scan Operator | Basic
Settings | manage, read | read | read | read | read
Access to Asset Type | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity
Export | manage own | manage own | manage own | manage own | manage own
Exposure Card | create, share, read | create, share, read | create, share, read | read | read

Tenable Inventory-Provided Roles and Privileges

Area | Administrator | Scan Manager | Standard | Scan Operator | Basic
Access to Asset Type | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity | computing resource (host), cloud resource, web application, identity
Export | manage own | manage own | manage own | manage own | manage own
Tag | create, edit | create, edit | - | - | -

Attack Path Analysis-Provided Roles and Privileges

Area | Administrator | Scan Manager | Standard | Scan Operator | Basic
Export | manage own | manage own | manage own | manage own | manage own
Finding | manage, read | manage, read | read | read | read
Query | search, save | search, save | search, save | search | search

Tenable Identity Exposure-Provided Roles and Privileges

Area | Administrator | Custom
Entire Application | Read, Edit, Create | Defined in-application

Tenable Attack Surface Management-Provided Roles and Privileges

Area | Business Administrator | Active User | View-Only User
Inventory | manage, add, modify, delete | add, modify, leave | view
Suggestions | manage, add, modify, delete | manage, add, modify, delete | view
Subscriptions | manage, add, modify, delete | manage, add, modify, delete | view
Reports | manage, add, modify, delete | manage, add, modify, delete | view
Txt Records | manage, modify, delete | manage, modify, delete | view
User Accounts | manage, modify, delete | - | -
Business | manage, modify | - | -

Note: By default, Tenable Attack Surface Management users created within Tenable One are given the
Active User role.

Tenable Cloud Security-Provided Roles and Privileges

Area | Administrator | Collaborator | Viewer
Console Tabs | view | view | view
Reports | view, create, schedule, delete | view, create, schedule, delete | view, create
Inventory | view, manage, generate policy | view, manage, generate policy | -
Findings | view, share, manage, disable | view, share, manage | view, share
Administration | view, manage, audit | - | -

Custom Roles

You can create custom roles for users on your Tenable Vulnerability Management instance to give
those users privileges that are specific to your organization's needs.

When you create a custom role, you can add all or some of the following privileges. You can also
edit a custom role to remove privileges. Which privileges you can add to or remove from a role
depends on the area of Tenable Vulnerability Management where each privilege applies.

Note: A user's access to resources on the account may be limited by their permissions, regardless of their
role.

l Create — Allows users to create an exposure card or a tag. This privilege is specific to Lumin
Exposure View and Tenable Inventory, respectively.

l Manage — Allows the user to create, modify, and delete in the area where the privilege
applies.

Note: When you add the Manage privilege to a custom role, Tenable automatically adds the Read
privilege as well. You cannot disable the Read privilege unless you first disable the Manage privilege.

l Manage All — Allows the user to view, modify, and delete exports, including exports that
others created.

l Manage Own — Allows the user to view, modify, and delete only exports that the user created.

l Share — Allows the user to share objects with other users or groups.

Note: If a custom role does not also have the Read privilege enabled, users assigned to that role
cannot access a list of other users with which to share objects.

l Read — Allows the user to view items in the area where the privilege applies.

l Use — Allows the user to use Tenable-provided scan templates during scan creation.

l Submit PCI — Allows the user to submit the scan for PCI validation. For more information, see
the Tenable PCI ASV User Guide.

l Search — Allows the user to search for a query where the privilege applies. This privilege is
specific to Attack Path Analysis.

l Save — Allows the user to save a query where the privilege applies. This privilege is specific to
Attack Path Analysis.

l Cloud Resource — Allows the user to access assets from Cloud Resource data sources. This
privilege is specific to Lumin Exposure View and Tenable Inventory.

l Computing Resource — Allows the user to access assets from Computing Resource data
sources. This privilege is specific to Lumin Exposure View and Tenable Inventory.

l Identity — Allows the user to access assets from Identity data sources. This privilege is
specific to Lumin Exposure View and Tenable Inventory.

l Web Application — Allows the user to access assets from Web Application data sources. This
privilege is specific to Lumin Exposure View and Tenable Inventory.

The following table describes the privilege options available for custom roles in different sections
of Tenable Vulnerability Management.

Note: When you create a custom role, you must include Read privileges for the General Settings, License,
and My Account sections. If you do not include Read privileges for these sections, users assigned to the
role cannot log in to Tenable Vulnerability Management.

Section                           Privilege Options

Platform Settings

  Asset                           Read

  Findings                        Read

  My Account                      Read, Manage

  Access Control                  Read, Manage

    Caution: Adding the Manage privilege in Access Control allows any user with
    that custom role to create an Administrator user, log in as that user, and
    change the privileges or permissions for any user on your Tenable
    Vulnerability Management instance, including their own. If you want to
    create a user account with the ability to manage your Access Control
    configurations, Tenable recommends that you assign that user the
    Administrator role. For more information, see Tenable-Provided Roles and
    Privileges.

  Activity Log                    Read

  General Setting                 Read, Manage

  License Information             Read

Vulnerability Management

  Dashboard                       Manage, Share

    Note: Custom role privileges in the Dashboards section do not include the
    ability to export a dashboard. Assign a Tenable-provided role to a user if you
    want the user to be able to export dashboards.

    Note: All users can view the dashboards they create or that others share with
    them regardless of the privileges you assign to them.

  Export                          Manage All, Manage Own

  Recast/Accept Rule              Read, Manage

Asset Inventory

  Access to Asset Type            Cloud Resource, Computing Resource, Identity, Web Application

  Inventory                       Read

  Export                          Manage Own

  Tag                             Create, Edit

Attack Path Analysis

  Export                          Manage Own

  Finding                         Read, Manage

  Query                           Save, Search

Lumin Exposure View

  Access to Asset Type            Cloud Resource, Computing Resource, Identity, Web Application

  Export                          Manage Own

  Exposure Card                   Read, Create, Share

  Settings                        Read, Manage

Scan

  Nessus/Agent Scan               Read, Manage, Submit PCI

  Scan Exclusion                  Read, Manage

  Tenable-Provided Scan Template  Use

  User-Defined Scan Template      Read, Manage

  Managed Credential              Read, Manage

  Target Group                    Read, Manage
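The two constraints above that bite in practice are easy to miss in a role with dozens of checkboxes: a role without Read on General Settings, License Information and My Account cannot log in at all, and a role with Manage on Access Control can promote itself to Administrator. The following script, an added example that is not Tenable code, lints a list of custom roles for both conditions. The guide only says the JSON export is a "nested list of roles" and does not document its field names, so the role structure used here (name, then privileges nested by area and section) is an assumption; adapt the loader to the real export.

```python
"""Lint custom-role definitions for the two configuration problems the
Custom Roles section calls out: roles that cannot log in because they lack
Read on the three mandatory Platform Settings sections, and roles that hold
Manage on Access Control (an escalation path to Administrator).

The role dict layout below is an assumption for illustration; the guide does
not document the field names of the roles export.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "role severity message")

# Sections whose Read privilege is required for login (stated in the guide).
LOGIN_REQUIRED_READ = ("General Setting", "License Information", "My Account")

# (area, section) whose Manage privilege lets a role create an Administrator user.
ESCALATION_SECTION = ("Platform Settings", "Access Control")


def lint_role(role):
    """Return a list of Finding for one role dict.

    Assumed (hypothetical) shape:
        {"name": str,
         "privileges": {"Platform Settings": {"Access Control": ["Read", "Manage"], ...},
                        "Scan": {...}, ...}}
    """
    findings = []
    name = role.get("name", "<unnamed>")
    privileges = role.get("privileges", {})
    platform = privileges.get("Platform Settings", {})

    # Rule 1: every section in LOGIN_REQUIRED_READ must carry Read.
    missing = [s for s in LOGIN_REQUIRED_READ if "Read" not in platform.get(s, [])]
    if missing:
        findings.append(Finding(name, "error",
                                "cannot log in: missing Read on " + ", ".join(missing)))

    # Rule 2: Manage on Access Control is effectively Administrator.
    area, section = ESCALATION_SECTION
    if "Manage" in privileges.get(area, {}).get(section, []):
        findings.append(Finding(name, "high",
                                "Manage on Access Control lets this role create an Administrator "
                                "user and change any user's privileges; assign the Administrator "
                                "role instead"))
    return findings


def lint_roles(roles):
    """Lint every role in order and return all findings."""
    out = []
    for role in roles:
        out.extend(lint_role(role))
    return out


# Constructed sample: two custom roles in the assumed export layout.
SAMPLE_ROLES = [
    {"name": "scan-operator",
     "privileges": {
         "Platform Settings": {"General Setting": ["Read"],
                               "License Information": ["Read"],
                               "My Account": ["Read", "Manage"],
                               "Asset": ["Read"]},
         "Scan": {"Nessus/Agent Scan": ["Read", "Manage"],
                  "Tenable-Provided Scan Template": ["Use"]}}},
    {"name": "helpdesk-admin",
     "privileges": {
         "Platform Settings": {"Access Control": ["Read", "Manage"],
                               "My Account": ["Read"]},
         "Vulnerability Management": {"Export": ["Manage All"]}}},
]

if __name__ == "__main__":
    for f in lint_roles(SAMPLE_ROLES):
        print(f"[{f.severity}] {f.role}: {f.message}")
```

Run it against the roles you actually export; the first sample role passes cleanly, while the second is flagged twice, once because it cannot log in and once because it can escalate.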

Create a Custom Role

Required User Role: Administrator

Note: Tenable applications do not currently support managing scans and sensors via Custom Roles.

To create a custom role:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the user roles available on
your Tenable Vulnerability Management instance.

5. Do one of the following:

l Duplicate and modify an existing role.

l Add a new role:

a. At the top of the table, click Add Role.

The Add Role page appears.

b. In the Name box, type a name for your custom role.

c. (Optional) In the Description box, type a description for your custom role.

d. Determine the applications to which the custom role has access:

i. In the left panel, click the application name.

An Enable toggle appears.

ii. Click the Enable toggle to enable or disable access to this application for the
custom role you're creating.

For some applications, privileges associated with the application appear.

iii. Select the checkbox for each privilege you want to add to your custom role.
For more information about available privileges, see Custom Roles.

e. Click Save.

Tenable Vulnerability Management saves the role and adds it to the roles table.

Duplicate a Role

Required User Role: Administrator

You can create a custom role by duplicating any existing custom role and then modifying
the new role configurations as desired.

Note: You cannot duplicate Tenable-provided roles.

To create a custom role via duplication:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the user roles available on
your Tenable Vulnerability Management instance.

5. In the roles table, select the check box next to the role you want to duplicate.

The action bar appears at the top of the table.

6. In the action bar, click More.

A menu appears.

7. Click Duplicate.

A copy of the role appears in the table, with the prefix Copy of [role name].

8. Click the duplicated role.

The Roles Details page appears. The name, description, and selected privileges for the
duplicate role are copied from the original role.

9. Update one or more of the following configurations:

l Name — In the Name box, type a new name for the role.

l Description — In the Description box, type a description for the role.

l Privileges — Under each Tenable Vulnerability Management area, select or deselect the
check box next to each privilege you want to add to or remove from the role.

10. Click Save.

Tenable Vulnerability Management saves your changes to the duplicate role.

Edit a Custom Role

Required User Role: Administrator

Note: Tenable applications do not currently support managing scans and sensors via Custom Roles.

To edit a custom role:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the user roles available on
your Tenable Vulnerability Management instance.

5. In the roles table, click the role you want to edit.

The Roles Details page appears.

6. Update one or more of the following configurations:

l Name — In the Name box, type a new name for the role.

l Description — In the Description box, type a description for the role.

l Privileges — Under each Tenable Vulnerability Management area, select or deselect the
check box next to each privilege you want to add to or remove from the role.

7. Click Save.

Tenable Vulnerability Management saves your changes.

Delete a Custom Role

Required User Role: Administrator

Note: You can delete only custom roles. You cannot delete Tenable-Provided Roles and Privileges.

To delete a custom role:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the user roles available on
your Tenable Vulnerability Management instance.

5. In the table, in the Actions column, click the button next to the role you want to delete.

6. Click the Delete button.

Tenable Vulnerability Management deletes the role and removes it from the roles table.

Export Roles

Required User Role: Administrator

On the Roles page, you can export one or more roles in CSV or JSON format.

To export your user roles:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the Roles tab.

The Roles page appears. This page contains a table that lists all the Tenable-provided and
custom roles on your Tenable Vulnerability Management instance.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Do one of the following:

To export a single role:


a. In the roles table, right-click the row for the role you want to export.

The action options appear next to your cursor.

-or-

In the roles table, in the Actions column, click the button in the row for the role you
want to export.

The action buttons appear in the row.

b. Click Export.

To export multiple roles:
a. In the roles table, select the check box for each role you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: You can individually select and export up to 200 roles. If you want to export more than
200 roles, you must select all the roles on your Tenable Vulnerability Management instance by
selecting the check box at the top of the roles table and then click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of roles.

         Note: If your .csv export file includes a cell that begins with any of the following
         characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
         single quote (') at the beginning of the cell. For more information, see the
         related knowledge base article.

JSON     A JSON file that contains a nested list of roles. Empty fields are not included in
         the JSON file.

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

API Access Security


Tenable Vulnerability Management allows you to restrict access to the Tenable Vulnerability
Management API by specifying which IPv4 and/or IPv6 addresses can access the API. For more
information about using the API, see the Tenable Vulnerability Management API Explorer
documentation.

Caution: Unless your network assignments are restricted to only IPv4 addresses or only IPv6 addresses,
you must specify allowed ranges for both IPv4 and IPv6 in order to avoid blocking some API traffic. It is not
always predictable whether a given client will connect via IPv4 or IPv6.

To restrict Tenable Vulnerability Management API Access:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Control tile.

The Access Control page appears. On this page, you can control user and group access to
resources in your Tenable Vulnerability Management account.

4. Click the API Access Security tab.

The API Access Security options appear.

5. In the text box, type the IPv4 and/or IPv6 addresses to which you want to grant Tenable
Vulnerability Management API access.

Tip: The list can include discrete IP addresses, IP address ranges, and IP subnets. For example,
192.0.2.0, 198.51.100.4-198.51.100.10, 203.0.113.0/24 or
2001:db8:2e92:75f2:d40a:e290:10b3:c0f, 2001:db8:1e1f:46a1:e3cb:2110:22c6:0000-
2001:db8:1e1f:46a1:e3cb:2110:22c6:ffff, 2001:0DB8::/32.

6. Click Save.

Tenable Vulnerability Management allows only clients connecting from the specified IPv4 and IPv6
addresses to access the Tenable Vulnerability Management API. Before you save, confirm that the
list covers the egress addresses of every integration that calls the API, since requests from
any other address are no longer accepted.

Activity Logs

Required User Role: Administrator

On the Activity Logs page, you can view a list of events for all users in your organization's Tenable
Vulnerability Management account. You can see when each activity took place, the action, the
actor, and other relevant information about the activity.

Important: Tenable currently retains activity log data for 3 years, after which it is deleted from the Tenable
database.

To view your activity logs:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Activity Logs tile.

The Activity Logs page appears. This page shows a list of activities associated with your
organization's Tenable Vulnerability Management account.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Tables.

5. (Optional) Apply a filter to the table:

Filter      Description

Actor ID    The ID of the account performing the action.

Target ID   The ID of the account affected by the action, if any.

Action      The type of action.

Date        The date the action was performed.

6. (Optional) To refresh the activity logs table, in the upper-right corner, click the Refresh
button.

7. (Optional) Filter the table by a specific time period:

l Last 7 Days

l Last 14 Days

l Last 30 Days

l Last 90 Days

l All

What to do next:
l (Optional) Export one or more activity logs.

Export Activity Logs

Required User Role: Administrator

On the Activity Logs page, you can export one or more activity logs in CSV or JSON format.

To export your activity logs:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Activity Logs tile.

The Activity Logs page appears. This page shows a list of activities associated with your
organization's Tenable Vulnerability Management account.

4. (Optional) Refine the table data. For more information, see Filter a Table.

5. Select the activity logs that you want to export:

To export selected activity logs:

a. In the activity logs table, select the checkbox for each activity log
you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you
want to export more than 200 activity logs, select all the activity logs in
the list and then click Export.

To export a single activity log:

a. In the activity logs table, right-click the row for the activity log you
want to export.

The action options appear next to your cursor.

-or-

In the activity logs table, in the Actions column, click the button
in the row for the activity log you want to export.

The action buttons appear in the row.

b. Click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export ages out.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of activity logs.

         Note: If your .csv export file includes a cell that begins with any of the following
         characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
         single quote (') at the beginning of the cell. For more information, see the
         related knowledge base article.

JSON     A JSON file that contains a nested list of activity logs. Empty fields are not
         included in the JSON file.
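The single-quote prefix mentioned in the CSV note here (and in the identical note for role exports above) is a guard against CSV formula injection: a spreadsheet application evaluates a cell beginning with =, +, - or @ as a formula, so an attacker-chosen value such as a user name of the form =HYPERLINK(...) could execute when an administrator opens the export. The script below, an added example that is not Tenable code, shows the same guard applied on the writing side and, more usefully for anyone post-processing these exports, stripped again on the reading side so downstream tooling sees the original values. The sample activity-log rows are constructed and do not reflect real export fields.

```python
"""CSV formula-injection handling for exported roles and activity logs.

A cell starting with =, +, - or @ is treated as a formula by spreadsheet
applications, so untrusted strings in an export (actor names, descriptions)
can execute when the file is opened. This added example mirrors the guard the
guide describes (prefix such cells with a single quote) when writing CSV and
removes it again when reading, so scripts consuming an export get the
original value back. The sample rows are constructed, not a real export.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Prefix a cell with ' if a spreadsheet would interpret it as a formula."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def restore_cell(value):
    """Undo neutralize_cell when ingesting an export produced with that guard."""
    if (isinstance(value, str) and len(value) > 1
            and value[0] == "'" and value[1] in FORMULA_TRIGGERS):
        return value[1:]
    return value


def write_safe_csv(rows, fieldnames):
    """Serialise dict rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def read_safe_csv(text):
    """Parse CSV text and restore neutralized cells to their original values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: restore_cell(v) for k, v in row.items()} for row in reader]


# Constructed activity-log rows; the second actor ID carries a formula payload
# and the target ID starts with '-', which spreadsheets also treat as a formula.
SAMPLE_ROWS = [
    {"date": "2024-06-20T10:15:00Z", "actor_id": "alice@example.com",
     "action": "user.login", "target_id": ""},
    {"date": "2024-06-20T10:16:30Z",
     "actor_id": '=HYPERLINK("http://203.0.113.9/x","open")',
     "action": "user.create", "target_id": "-bob"},
]
FIELDS = ["date", "actor_id", "action", "target_id"]

if __name__ == "__main__":
    text = write_safe_csv(SAMPLE_ROWS, FIELDS)
    print(text)
    print("round trip intact:", read_safe_csv(text) == SAMPLE_ROWS)
```

Two caveats when reading exports this way: a value that legitimately began with a quote followed by one of the trigger characters is indistinguishable from a neutralized one, and negative numbers stored as text are prefixed too, so parse them after restoring. Some spreadsheet applications also honour a leading tab or carriage return as a formula trigger; the guide only lists the four characters above, so extend FORMULA_TRIGGERS if your consumers need that.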

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file ages out.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file from the Exports page.

Access Groups

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Note: System target group permissions that controlled viewing scan results and scanning specified targets
have been migrated to access groups. For more information, see Scan Permissions Migration.

With access groups, you can control which users or groups in your organization can:

l View specific assets and related vulnerabilities in aggregated scan result views.

l Run scans against specific targets and view individual scan results for the targets.

An access group contains assets or targets as defined by the rules you set. Access group rules
specify identifying attributes that Tenable Vulnerability Management uses to associate assets or
targets with the group (for example, an AWS Account ID, FQDN, or IP address). By assigning
permissions in the access group to users or user groups, you grant the users view or scan
permissions for assets or targets associated with the access group.

Note: When you create or edit an access group, Tenable Vulnerability Management may take
some time to assign assets to the access group, depending on the system load, the number of
matching assets, and the number of vulnerabilities.
You can view the status of this assignment process in the Status column of the access groups
table on the Access Groups page.

Only administrators can view, create, and edit access groups. As a user assigned any other role, you
can see the access groups to which you belong and the related rules, but not the other users that
are in the access group.

Note: The Access Group tile appears only if you have one or more assigned access groups or if you are an
administrator and users on your Tenable Vulnerability Management are assigned to access groups. Once
you convert all your access groups to permission configurations, the Access Group tile will no longer
appear on your account.

By default, all users have No Access to all assets on your Tenable Vulnerability Management
instance. Therefore, if you want to assign permissions for assets, you must create an access group
and configure user permissions for the group.

Note: Tenable Vulnerability Management applies dynamic tags to any assets, regardless of access group
scoping. As a result, it may apply tags you create to assets outside of the access groups to which you
belong.

Your organization can create up to 5,000 access groups.

Transition to Permission Configurations

Required User Role: Administrator

Tenable is converting all access groups into permission configurations. As this conversion runs, you may
notice your existing access groups undergoing changes. Moving forward, Tenable recommends that you
use permissions to manage user and group access to resources on your Tenable Vulnerability Management
instance. For more information, see Transition to Permission Configurations.

Tenable Vulnerability Management has consolidated and moved user and group management to the
Access Control page to make access management more intuitive and efficient.

As part of this effort, Tenable Vulnerability Management is replacing Access Groups with
Permissions, a feature that allows you to create permission configurations. These permission
configurations use tags to determine which users and groups on your Tenable Vulnerability
Management instance can perform specific tasks with your organization's resources.

Previously, you had to create access groups to customize access settings for users on your
instance. When you create a permission configuration, you can view and manage access settings
for users and groups on the Access Control page, where you manage users and groups.

Tenable Vulnerability Management plans to retire access groups once all existing access groups are
converted into permission configurations. Tenable Vulnerability Management encourages you to
use permission configurations to manage user access to your resources.

What to Expect
As Tenable Vulnerability Management converts your access group data into permission
configurations, you may notice the following changes:

l Tenable Vulnerability Management has split up your access groups that have more than one
access group type and recreated them as separate groups based on type. For more
information about access group types, see Access Group Types.

l Tenable Vulnerability Management has converted all your Scan Target type access groups into
Manage Assets type access groups.

l Tenable Vulnerability Management has updated access group rule filters to match tag rule
filters and operators.

l For each access group on your instance that is based on rules instead of tags, Tenable
Vulnerability Management has created tags based on the access group rules and updated the
groups to reference the new tags. For more information about tag rules, see Tag Rules.

l For each access group on your instance, Tenable Vulnerability Management has created
permission configurations based on the rules and user permissions defined in that access
group.

Task Parity
The following table lists common tasks you may perform on the Access Groups page and their
equivalent tasks on the Permissions page.

Access Groups                                      Permissions

Create an Access Group                             Create and Add a Permission Configuration

View Your Assigned Access Groups                   View Your Account Details

Edit an Access Group                               Edit a Permission Configuration

Configure User Permissions for an Access Group     l Add a Permission Configuration to a User or Groups
                                                   l Remove a Permission Configuration from a User or Group

Delete an Access Group                             Delete a Permission Configuration

Convert an Access Group to a Permission Configuration

Required User Role: Administrator

Tenable is converting all access groups into permission configurations. As this conversion runs, you may
notice your existing access groups undergoing changes. Moving forward, Tenable recommends that you
use permissions to manage user and group access to resources on your Tenable Vulnerability Management
instance. For more information, see Transition to Permission Configurations.

On the Access Groups page, you can convert your existing access groups into permission
configurations.

Note: Once you convert an access group into a permission configuration, you cannot revert the converted
permission configuration into an access group.

Note: The Access Group tile appears only if you have one or more assigned access groups or if you are an
administrator and users on your Tenable Vulnerability Management are assigned to access groups. Once
you convert all your access groups to permission configurations, the Access Group tile will no longer
appear on your account.

To convert an access group into a permission configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. In the access groups table, select the check box for the access group you want to convert.

The action bar appears at the top of the table.

5. Click Migrate To Permissions.

A confirmation message appears.

6. In the confirmation window, click Migrate To Permissions.

Tenable Vulnerability Management begins converting your access group into a permission
configuration.

Tenable Vulnerability Management updates the Status column for the access group to reflect
the current migration status.

Access Group Types

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

You can create the following types of access groups. Select an access group type based on the
identifiers for the targets you want to scan.

Type            Description

Manage Assets   Users can view the asset records created during previous scans and scan the
                associated targets for those assets.

                Use this type of access group if the targets you want to view and scan have
                been scanned before and can be best identified using tags based on asset
                attributes (for example, operating system or AWS Account ID).

Scan Targets    Users can scan targets associated with the access group and view the results of
                those scans.

                Use this type of access group if the targets you want to view and scan have
                never been scanned before and can only be identified using certain asset
                identifiers (specifically, FQDN, IPv4 address, or IPv6 address).

Note: The access group type names do not represent a limitation on the user actions that each group
controls in relation to the specified targets. For both Manage Assets and Scan Targets groups, you can
grant user permissions to view analytical results for the specified targets in dashboards, to scan the
specified targets, or to both view and scan. For more information on user permissions, see Configure User
Permissions for an Access Group.

Tip: You can add a user to both access group types if you want to allow the user to scan both types of scan
targets.

Restrict Users for All Assets Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

The All Assets group is the default, system-generated access group to which all assets belong.

By default, the following conditions are true:

• The All Users user group, which contains all users in your organization, is assigned to the All
Assets access group.

• The permissions for the All Users group are set to Can View and Can Scan.

If you do not want all users to scan all assets and view the individual and aggregated results, you
must set the permissions for the All Users group to No Access. Optionally, you can then add
specific users or user groups to give those individuals access to all assets.

Note: When you create or edit an access group, Tenable Vulnerability Management may take
some time to assign assets to the access group, depending on the system load, the number of
matching assets, and the number of vulnerabilities.
You can view the status of this assignment process in the Status column of the access groups
table on the Access Groups page.

To restrict user permissions for the All Assets group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. In the access groups table, click the All Assets group.

The Edit All Assets Access Group page appears.

5. In the Users & Groups section, locate the listing for the All Users group.

6. Remove both the Can Edit and Can Scan labels from the All Users group listing:

a. Roll over the label.

The button appears on the label.

b. Click the button.

Tenable Vulnerability Management removes the label.

Note: When configuring permissions for the All Users user group, Tenable recommends
keeping the following in mind:

• If you retain the permissions for All Assets as Can View, all users can view scan results for all
assets or targets for your organization.

• If you set the permissions for All Assets to Can Scan, all users can scan all assets or targets
for your organization and view the related scan results.

7. (Optional) Configure user permissions for each user or group you want to add to the All Assets
group.

8. Click Save.

The Access Groups page appears. Access to the All Assets group is restricted to the user(s)
or group(s) you added.

Create an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

You can create an access group to group assets based on rules, using information such as an AWS
Account ID, FQDN, IP address, and other identifying attributes. You can then assign permissions for
users or user groups to view or scan the assets in the access group.

To create an access group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. In the upper-right corner of the page, click the Create Access Group button.

The Create Access Group page appears.

5. In the General section, in the Name box, type a name for the access group.

Note: The name must be unique within your organization.

6. In the Type section, select the appropriate access group type based on the type of targets
you want to scan.

If you create an access group of one type, then change the type during configuration, Tenable
Vulnerability Management prompts you to confirm the action. If you confirm, Tenable
Vulnerability Management clears any previously added rule filters.

7. In the Rules section, add rules for the access group.

Access group rules specify the conditions Tenable Vulnerability Management evaluates when
determining whether to include assets or targets in the access group.

Note: You can add up to 1,000 rules per access group.

a. In the Category drop-down box, select an attribute to filter assets or targets.

b. In the Operator drop-down box, select an operator.

Possible operators include:

• is equal to: Tenable Vulnerability Management matches the rule to assets or targets
based on an exact match of the specified term.

Note: Tenable Vulnerability Management interprets the operator as 'equals' for rules that
specify a single IPv4 address, but interprets the operator as 'contains' for rules that specify an
IPv4 range or CIDR range.

• contains: Tenable Vulnerability Management matches the rule to assets or targets
based on a partial match of the specified term.

• starts with: Tenable Vulnerability Management matches the rule to assets or targets
that start with the specified term.

• ends with: Tenable Vulnerability Management matches the rule to assets or targets
that end with the specified term.

c. In the text box, type a valid value for the selected category.

Tip: You can enter multiple values separated by commas. For IPv4 Address, you can use CIDR
notation (e.g., 192.168.0.0/24), a range (e.g., 192.168.0.1-192.168.0.255), or a comma-separated
list (e.g., 192.168.0.0, 192.168.0.1).

d. (Optional) To add another rule, click the Add button.

Note: If you configure multiple rules for an access group, the access group includes assets or
targets that match any of the rules. For example, if you configure two rules -- one that
matches on the Network Name attribute and one that matches on IPv4 Address, the access
group includes any assets in the specified network, plus any asset with the specified IPv4
address, regardless of whether that asset belongs to the specified network.

8. In the Users & Groups section, configure user permissions for the access group.

9. Click Save.

Tenable Vulnerability Management creates the access group. The Access Groups page
appears.

Note: When you create or edit an access group, Tenable Vulnerability Management may
take some time to assign assets to the access group, depending on the system load, the
number of matching assets, and the number of vulnerabilities.

You can view the status of this assignment process in the Status column of the access
groups table on the Access Groups page.

Configure User Permissions for an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

You can configure access group permissions for individual users or a user group. If you configure
access group permissions for a group, you assign all users in that group the same permissions. For
more information, see User Groups.

You can assign the following access group permissions to a user or user group:

• No Access — (All Users user group only) No users (except for users or groups you specifically
assign permissions) can scan the assets or targets specified in the access group. Also, no
users can view related individual or aggregated scan results for the specified assets or
targets.

• Can View — The user's view in aggregated scan results (workbenches/dashboards) includes
data from scans of the assets or targets specified in the access group. If you assign this
permission to the All Users group for the access group, all users can view aggregated scan
results for the assets or targets in the access group.

• Can Scan — Users can scan assets or targets specified in the access group and view individual
scan results for the assets or targets. If you do not have this permission, Tenable Vulnerability
Management does not prevent you from configuring a scan using assets or targets specified
in the access group; however, the scanner does not scan the assets or targets. If you assign
this permission to the All Users group for the access group, all users can scan the assets or
targets in the access group and view the related individual scan results.

User permissions in an access group are cumulative, rather than hierarchical. To allow a user to
scan an asset or target and view results for that asset or target in aggregated results, you must set
the user's permissions in the access group to both Can View and Can Scan.

Tip: To run scans auditing cloud infrastructure, configure a Scan Target access group that includes the
target 127.0.0.1, and set user permissions to Can Scan.
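
The following Python block is an added example, not Tenable's code, that models the cumulative
permission rule described above so you can reason about a user's effective access in a group before
you save it: the union of the user's own entry, every user group the user belongs to, and the All Users
entry, with an empty All Users entry standing for No Access. The principal and user names are
constructed for the example, and dropping a principal whose last label is removed assumes the
administrator accepts the removal prompt the guide mentions.

```python
# Added example, not Tenable's code: a model of how access group permissions
# combine. Principal names and sample data are constructed for the example.
CAN_VIEW = "Can View"
CAN_SCAN = "Can Scan"
ALL_USERS = "All Users"


def effective_permissions(user: str, memberships: dict, entries: dict) -> frozenset:
    """Permissions a user holds in one access group.

    entries maps each principal (a user, a user group, or All Users) to the set
    of labels granted to it; an empty set for All Users is the guide's No Access.
    Permissions are cumulative, not hierarchical, so the result is the union of
    the user's own entry, each group the user belongs to, and All Users.
    Can Scan never implies Can View.
    """
    perms = set(entries.get(ALL_USERS, ()))
    perms |= set(entries.get(user, ()))
    for group in memberships.get(user, ()):
        perms |= set(entries.get(group, ()))
    return frozenset(perms)


def remove_permission(entries: dict, principal: str, label: str) -> dict:
    """Return a copy of entries with one label removed. Removing the last label
    from All Users leaves it at No Access (empty set); for any other principal
    the guide prompts to remove them from the group, modelled here as dropping
    the entry (assumption: the administrator accepts the prompt)."""
    new = {p: set(labels) for p, labels in entries.items()}
    new.setdefault(principal, set()).discard(label)
    if principal != ALL_USERS and not new[principal]:
        del new[principal]
    return {p: frozenset(labels) for p, labels in new.items()}


def scan_without_view(users, memberships: dict, entries: dict) -> list:
    """Audit helper: users who can scan the group's assets but hold no Can View,
    so their scans run while workbenches and dashboards stay empty for them."""
    return sorted(u for u in users
                  if CAN_SCAN in effective_permissions(u, memberships, entries)
                  and CAN_VIEW not in effective_permissions(u, memberships, entries))


def restrict_all_assets(entries: dict) -> dict:
    """The guide's recommended first step: strip both default labels from All
    Users on the All Assets group so only listed principals keep access."""
    entries = remove_permission(entries, ALL_USERS, CAN_VIEW)
    return remove_permission(entries, ALL_USERS, CAN_SCAN)


# Constructed sample: the system-generated All Assets group as shipped, then
# restricted and populated with one user group and one individual user.
DEFAULT_ALL_ASSETS = {ALL_USERS: frozenset({CAN_VIEW, CAN_SCAN})}
MEMBERSHIPS = {"bob": {"soc-team"}}   # bob belongs to the soc-team user group
USERS = ["alice", "bob", "carol"]


def build_sample_group() -> dict:
    entries = restrict_all_assets(DEFAULT_ALL_ASSETS)
    entries = dict(entries, **{"soc-team": frozenset({CAN_VIEW, CAN_SCAN}),
                               "alice": frozenset({CAN_SCAN})})
    return entries


if __name__ == "__main__":
    group = build_sample_group()
    for user in USERS:
        print(user, sorted(effective_permissions(user, MEMBERSHIPS, group)))
    print("can scan but cannot view:", scan_without_view(USERS, MEMBERSHIPS, group))
```

Running the block shows carol (no entry, All Users at No Access) with nothing, bob with both labels
through soc-team, and alice flagged by the audit because Can Scan alone leaves her unable to see the
aggregated results.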

To configure user permissions for an access group:

1. Create or edit an access group.

2. In the Users & Groups section, do any of the following:

• Edit permissions for the All Users user group.

The default values for the All Users user group depend on the access group:

• For the All Assets access group, Tenable Vulnerability Management assigns Can
View and Can Scan permissions to the All Users group by default. Tenable
recommends you restrict these permissions during initial configuration.

• For all other access groups, Tenable Vulnerability Management assigns No Access
permissions to the All Users group by default. For these access groups, set
permissions for the All Users group as follows:

a. Next to the permission drop-down for the All Users group, click the
button.

b. Click Can View.

c. Next to the permission drop-down, click the button again.

d. Click Can Scan.

e. Click Save.

Tenable Vulnerability Management allows any user to view or scan the assets
or targets in the group.

• Add a user to the access group.

a. In the search box, type the name of a user or group.

As you type, a filtered list of users and groups appears.

b. Select a user or group from the search results.

Tenable Vulnerability Management adds the user to the access group with the
default Can View permissions and adds the related label to the user listing.

c. (Optional) Add Can Scan permissions for the user.

i. Next to the permission drop-down for the user or group, click the button.

ii. Click Can Scan.

Tenable Vulnerability Management adds a Can Scan label to the user listing.

d. Click Save.

Tenable Vulnerability Management adds the user to the access group.

• Add permissions for an existing user.

a. Locate the user or group you want to edit.

b. Next to the permission drop-down for the user or group, click the button.

c. Click Can View or Can Scan as appropriate.

Tenable Vulnerability Management adds a label representing the new permission to
the user listing.

d. Click Save.

Tenable Vulnerability Management saves your changes to the access group.

• Remove permissions from an existing user.

a. Locate the user or group you want to edit.

b. In the label representing the permission you want to remove, click the button.

Tenable Vulnerability Management removes the permission label from the user
listing.

If you remove the last permission for the All Users group, Tenable Vulnerability
Management sets the group permissions to No Access.

If you remove the last permission for an individual user or group, Tenable
Vulnerability Management prompts you to remove the user from the access group.

• Remove a user from the access group.

a. Click the button next to the user or user group you want to delete.

The user or group disappears from the Users & Groups list.

b. Click Save.

Tenable Vulnerability Management saves your changes to the access group.

Edit an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

You can edit rules for an existing access group, as well as add or remove users and user groups
assigned to the access group.

Note: You cannot edit the name or rules for the system-generated All Assets access group.

To edit an access group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. In the access groups table, click the access group you want to edit.

The Edit Access Group page appears.

5. In the General section, in the Name box, type a new name for the access group.

6. In the Type section, edit the access group type.

a. Select the access group type to which you want to change.

Tenable Vulnerability Management prompts you to confirm the action.

b. Click Confirm.

Tenable Vulnerability Management clears any previously added rule filters.

7. In the Rules section, edit the access group rules.

Access group rules specify the conditions Tenable Vulnerability Management evaluates when
determining whether to include assets or targets in the access group.

• To edit an existing rule, modify the category, operator, and/or value as needed.

• To delete an existing rule, click the button next to the rule.

• To add a new rule, click Add and create a new rule.

8. In the Users & Groups section, configure user permissions for the access group.

9. Click Save.

Tenable Vulnerability Management updates the access group with your changes. The Access
Groups page appears.

Note: When you create or edit an access group, Tenable Vulnerability Management may
take some time to assign assets to the access group, depending on the system load, the
number of matching assets, and the number of vulnerabilities.
You can view the status of this assignment process in the Status column of the access
groups table on the Access Groups page.

View Assets Not Assigned to an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

If an asset does not match any access group rules, Tenable Vulnerability Management does not
assign the asset to any access group. These unassigned assets are only visible to users in the All
Assets group. If your organization limits membership in the All Assets group, users who are not
members of the All Assets group are unable to see these unassigned assets, but this limited
visibility may not be immediately obvious to them. If you are a member of the All Assets group, you
can use a filter to identify these unassigned assets.

To view assets that are not assigned to an access group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Asset View section, click Assets.

The Assets page appears.

3. Create a filter with the following settings:

• Category: Belongs to Access Group

• Operator: is equal to

• Value: false

4. Click Apply.

The assets table updates to display all assets that are not assigned to an access group.

View Your Assigned Access Groups

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

As an administrator, you can view the rules and assigned users and user groups for any access
group. You can also edit access group parameters.

As a user in any other role, you can view your assigned access groups. This view includes the rules
associated with each access group, but excludes the other users or user groups assigned to the
access group. You cannot edit any access group settings.

Note: The Access Group tile appears only if you have one or more assigned access groups or if you are an
administrator and users on your Tenable Vulnerability Management are assigned to access groups. Once
you convert all your access groups to permission configurations, the Access Group tile will no longer
appear on your account.

To view your assigned access groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. The Access Groups page contains a table that includes the following information:

• Name — The access group name.

• Owner — The access group owner.

• Permission Type — The access group type.

• Last Modified — The date on which a user in your organization last changed the access
group configuration.

• Last Modified By — The user in your organization who last changed the access group
configuration.

• Status — The status of the Tenable Vulnerability Management process matching assets
to the access group. Possible values are Processing or Completed. To view the
percentage complete for an ongoing process, roll over the Processing status.

5. (Optional) Click an access group to view more details.

The Edit Access Group page appears.

For administrators, this page contains both rules and assigned users and user groups, and you
can edit all access group parameters.

For users in any other role, this page contains rules only, and you cannot edit the rules.

Delete an Access Group

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

Required User Role: Administrator

Note: You cannot delete the system-generated All Assets group.

To delete one or more access groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Access Groups tile.

The Access Groups page appears. This page contains a table that lists the access groups to
which you have access.

4. Select the access groups you want to delete:

• Select a single access group:

a. In the access groups table, roll over the access group you want to delete.

The action buttons appear in the row.

b. Click the button.

A confirmation window appears.

• Select multiple access groups:

a. In the access groups table, select the check boxes next to the access groups you
want to delete.
want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

5. In the confirmation window, click the Delete button.

Tenable Vulnerability Management deletes the selected access group or groups and updates
the access group table.

Access Group Rule Filters

Tenable is retiring access groups. Moving forward, Tenable recommends that you use permissions to
manage user and group access to resources on your Tenable Vulnerability Management instance and that
you convert your existing access groups into permission configurations. For more information, see
Transition to Permission Configurations.

You can use the filters described in the following sections to create rules for access groups. For
more information, see:

• Tenable-provided Filters

• Guidelines for Tenable-provided Filters

• Tag Filters

Tenable-provided Filters

For each filter below, the values in parentheses indicate whether you can use the filter with the
Manage Assets or Scan Targets group type.

AWS Account ID (Manage Assets: yes; Scan Targets: no)
The canonical user identifier for the Amazon Web Services (AWS) account associated with the asset.
For more information, see "AWS Account Identifiers" in the AWS documentation.

AWS Availability Zone (Manage Assets: yes; Scan Targets: no)
The name of the Availability Zone where AWS hosts the virtual machine instance. For more
information, see "Regions and Availability Zones" in the AWS documentation.

AWS EC2 AMI ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the Linux AMI image in Amazon Elastic Compute Cloud (Amazon EC2). For
more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the Linux instance in Amazon EC2. For more information, see the Amazon
Elastic Compute Cloud Documentation.

AWS EC2 Name (Manage Assets: yes; Scan Targets: no)
The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code (Manage Assets: yes; Scan Targets: no)
The product code associated with the AMI used to launch the virtual machine instance in Amazon EC2.

AWS Region (Manage Assets: yes; Scan Targets: no)
The region where AWS hosts the virtual machine instance, for example, 'us-east-1'. For more
information, see "Regions and Availability Zones" in the AWS documentation.

AWS Security Group (Manage Assets: yes; Scan Targets: no)
The security group to which you have assigned the virtual machine instance in Amazon EC2. For more
information, see Security Groups in the Amazon Virtual Private Cloud User Guide.

AWS Subnet ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the AWS subnet where the virtual machine instance was running at the time
of the scan.

AWS VPC ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the public cloud that hosts the AWS virtual machine instance. For more
information, see the Amazon Virtual Private Cloud User Guide.

Azure Resource ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the resource in the Azure Resource Manager. For more information, see the
Azure Resource Manager Documentation.

Azure VM ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the Microsoft Azure virtual machine instance. For more information, see
"Accessing and Using Azure VM Unique ID" in the Microsoft Azure documentation.

FQDN/Hostname (Manage Assets: yes; Scan Targets: yes)
One of the following:

• The fully-qualified domain name of the asset.

• The hostname of the asset.

Google Cloud Instance ID (Manage Assets: yes; Scan Targets: no)
The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Google Cloud Project ID (Manage Assets: yes; Scan Targets: no)
The customized name of the project to which the virtual machine instance belongs in GCP. For more
information, see "Creating and Managing Projects" in the GCP documentation.

Google Cloud Zone (Manage Assets: yes; Scan Targets: no)
The zone where the virtual machine instance runs in GCP. For more information, see "Regions and
Zones" in the GCP documentation.

IPv4 Address (Manage Assets: yes; Scan Targets: yes)
An IPv4 address for the asset. For this filter, you can use CIDR notation (e.g., 192.168.0.0/24), a
range (e.g., 192.168.0.1-192.168.0.255), or a comma-separated list (e.g., 192.168.0.0, 192.168.0.1).

IPv6 Address (Manage Assets: no; Scan Targets: yes)
An IPv6 address for the asset.

MAC Address (Manage Assets: yes; Scan Targets: no)
The MAC address of the asset.

NetBIOS Name (Manage Assets: yes; Scan Targets: no)
The NetBIOS name for the asset.

Network Name (Manage Assets: yes; Scan Targets: no)
The name of the network to which the asset belongs.

Operating System (Manage Assets: yes; Scan Targets: no)
The operating system installed on the asset.

Qualys Asset ID (Manage Assets: yes; Scan Targets: no)
The Asset ID of the asset in Qualys. For more information, see the Qualys documentation.

Qualys Host ID (Manage Assets: yes; Scan Targets: no)
The Host ID of the asset in Qualys. For more information, see the Qualys documentation.

ServiceNow Sys ID (Manage Assets: yes; Scan Targets: no)
The unique record identifier of the asset in ServiceNow. For more information, see the ServiceNow
documentation.

Guidelines for Tenable-provided Filters

• When configuring rules for Scan Targets access groups, the asset attribute type must match
the target format used in the related scan. For example, if a Scan Targets access group rule
filters on the FQDN/Hostname attribute, the related scan succeeds if the scan target is
specified in FQDN or hostname format, but fails if the scan target is specified in IPv4 address
format.

Tag Filters

In Tenable Vulnerability Management, tags allow you to add descriptive metadata to assets that
helps you group assets by business context. For more information, see Tags.

You can use the tags you create to assign assets to Manage Assets access groups.

To add a tag filter to a rule:

1. In the Category drop-down box, select Tags.

2. In the Operator drop-down box, select contains.

3. In the text box, type the tag category and value you want to search for in the following format:

Category Name:Value Name

4. Continue creating rules and/or save the access group as described in Create an Access Group.

Note: Tag categories with 100,000 or more associated values cannot be applied as a rule to access groups.
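
The following Python block is an added example, not Tenable's code and not a description of how
Tenable Vulnerability Management evaluates rules internally. It models the rule semantics this
reference describes against a constructed asset inventory: the four operators; "is equal to" on an
IPv4 Address rule meaning an exact match for a single address but membership for a CIDR block or a
range; comma-separated values; the any-rule-matches inclusion from Create an Access Group; and the
Category Name:Value Name tag format above. It also reports assets that match no group, the set that
View Assets Not Assigned to an Access Group says only All Assets members can see. The asset attribute
names, the sample assets and rules, and the case-insensitive string comparison are assumptions made
for the example.

```python
# Added example, not Tenable's code: a model of access group rule matching as the
# guide describes it. Attribute names, sample data and case folding are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    category: str   # attribute the rule filters on, e.g. "IPv4 Address" or "Tags"
    operator: str   # "is equal to", "contains", "starts with" or "ends with"
    value: str      # one term, or several separated by commas


def _ipv4_term_matches(term: str, addr: str) -> bool:
    """One term of an IPv4 Address rule under 'is equal to'. The guide states the
    operator means an exact match for a single address but 'contains' for a CIDR
    block or a dash range, so all three spellings are accepted here."""
    try:
        ip = ipaddress.IPv4Address(addr)
        if "/" in term:
            return ip in ipaddress.IPv4Network(term, strict=False)
        if "-" in term:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in term.split("-", 1))
            return lo <= ip <= hi
        return ip == ipaddress.IPv4Address(term)
    except ValueError:  # not a parseable IPv4 value: the rule simply does not match
        return False


_STRING_OPS = {
    "is equal to": lambda actual, term: actual == term,
    "contains": lambda actual, term: term in actual,
    "starts with": lambda actual, term: actual.startswith(term),
    "ends with": lambda actual, term: actual.endswith(term),
}


def rule_matches(rule: Rule, asset: dict) -> bool:
    """True if the asset satisfies the rule. Multi-valued attributes (Tags) and
    comma-separated rule values match if any element/term matches (assumption)."""
    if rule.operator not in _STRING_OPS:
        raise ValueError(f"unknown operator: {rule.operator!r}")
    raw = asset.get(rule.category)
    if raw is None:
        return False
    actuals = list(raw) if isinstance(raw, (list, tuple)) else [raw]
    terms = [t.strip() for t in rule.value.split(",") if t.strip()]
    if rule.category == "IPv4 Address" and rule.operator == "is equal to":
        return any(_ipv4_term_matches(t, a) for t in terms for a in actuals)
    op = _STRING_OPS[rule.operator]
    # Assumption: hostnames, names and tags compare case-insensitively.
    return any(op(a.lower(), t.lower()) for t in terms for a in actuals)


def asset_in_access_group(asset: dict, rules: list) -> bool:
    """With several rules, the group includes assets matching ANY rule (guide note)."""
    return any(rule_matches(r, asset) for r in rules)


def group_members(assets: dict, rules: list) -> list:
    return sorted(name for name, attrs in assets.items()
                  if asset_in_access_group(attrs, rules))


def unassigned_assets(assets: dict, groups: dict) -> list:
    """Assets that match no group's rules. The guide says these stay visible only
    to All Assets members, which is what its 'Belongs to Access Group is equal to
    false' filter surfaces."""
    return sorted(name for name, attrs in assets.items()
                  if not any(asset_in_access_group(attrs, r) for r in groups.values()))


# Constructed sample rules: a Manage Assets group built from a network name, an
# IPv4 block plus one address, a hostname suffix and a tag in Category:Value form.
SAMPLE_RULES = [
    Rule("Network Name", "is equal to", "Default"),
    Rule("IPv4 Address", "is equal to", "192.168.0.0/24, 10.0.0.5"),
    Rule("FQDN/Hostname", "ends with", ".corp.example"),
    Rule("Tags", "contains", "Environment:Production"),
]

# Constructed sample inventory (attribute names follow the guide's filter names).
SAMPLE_ASSETS = {
    "web01": {"Network Name": "Default", "IPv4 Address": "172.16.4.2"},
    "db01": {"Network Name": "Lab", "IPv4 Address": "192.168.0.77"},
    "jump": {"Network Name": "Lab", "IPv4 Address": "10.0.0.5"},
    "vpn": {"Network Name": "Lab", "IPv4 Address": "10.0.0.6",
            "FQDN/Hostname": "VPN.corp.example"},
    "kiosk": {"Network Name": "Lab", "IPv4 Address": "10.9.9.9",
              "Tags": ["Environment:Production", "Owner:IT"]},
    "orphan": {"Network Name": "Lab", "IPv4 Address": "10.9.9.10"},
}

if __name__ == "__main__":
    print("members:", group_members(SAMPLE_ASSETS, SAMPLE_RULES))
    print("unassigned:", unassigned_assets(SAMPLE_ASSETS, {"prod": SAMPLE_RULES}))
```

Each of the five member assets is pulled in by a different rule, which is the point of the guide's
note that rules are combined with OR rather than AND; the orphan host is the kind of asset that the
Belongs to Access Group filter exists to find.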

Scan Permissions Migration

System target group permissions that controlled whether users can scan specified targets have
been migrated to access groups.

Note: Tenable plans to deprecate access groups in the near future. Currently, you can still create and
manage access groups. However, Tenable recommends that you instead use permissions to manage user
and group access to resources on your Tenable Vulnerability Management instance.

This migration affects your existing Tenable Vulnerability Management configuration as follows:

Existing access group: Tenable Vulnerability Management:

• Updates any existing access group to an access group of the Manage Assets type.

• Replaces the All Users toggle with a default All Users group.

• Assigns Can View permissions to any existing users or user groups that currently have view
access.

Existing system target groups: For each existing system target group, Tenable Vulnerability
Management:

• Creates a new access group with a type of Scan Targets. This access group specifies the same
scan targets as the existing system target group. Tenable Vulnerability Management lists
migration as the owner of the migrated access groups.

• Moves any user with Can Scan permissions in the system target group to the new access group,
and assigns the user Can Scan permissions for that access group. To ensure users can view
results for the targets, configure Can View permissions for users in the access group.

Note: This migration does not delete existing system target groups. The migration removes only
the Can Scan permissions from the system target groups.

Note: If, at the time of migration, an existing target group includes scan permissions, a Scan
label may appear for the group in the Permissions column of the target groups table in the new
Tenable Vulnerability Management user interface. This label indicates historical scan permissions
only; access groups specify the current scan permissions.

Existing scan configurations, dashboard filters, and saved searches: Existing scan configurations
retain the system target group as a target setting. Existing dashboard filters and saved searches
retain the system target group as a filter setting. If you have Can Use permissions for a system
target group, you can continue to use the system target group to specify a group of targets in a
scan configuration and to use the system target group in filters for dashboards and searches.
However, to specify which users can view scan results for the targets, configure Can View
permissions in the appropriate access group.

Language

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Language page, you can change the user interface language in your Tenable Vulnerability
Management container to English, French, or Japanese. This setting only affects your own user
account.

To change the user interface language:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Language tile.

The Language page appears.

4. Under User Interface Language, select the language you want to switch to.

Tenable Vulnerability Management updates the user interface language for your account.

Exports

From the Exports page, you can view and configure your Scheduled Exports and Export Activity.

Export information on this page comes from the following sources:

• Assets — Information about all assets included on your Tenable Vulnerability Management
license. For more information, see Export Findings or Assets.

• Assets Host — Information about assets Tenable Vulnerability Management identified on your
host during a scan. For more information, see Host Assets and Export Findings or Assets.

• Findings - Vulnerabilities - Host — Information about the vulnerability findings Tenable
Vulnerability Management identified on your host during a scan. For more information, see
Export Findings or Assets.

• Users — Information about the users assigned to your account. For more information, see
Export Users.

For more information, see the following topics:

Scheduled Exports

The Scheduled Export page displays details about the exports on your account that include a
schedule.

Note: You can retain up to 1000 export schedules on your Tenable Vulnerability Management instance.

Export information on this page comes from the following sources:

• Assets — Information about all assets included on your Tenable Vulnerability Management
license. For more information, see Export Findings or Assets.

• Assets Host — Information about assets Tenable Vulnerability Management identified on your
host during a scan. For more information, see Host Assets and Export Findings or Assets.

• Findings - Vulnerabilities - Host — Information about the vulnerability findings Tenable
Vulnerability Management identified on your host during a scan. For more information, see
Export Findings or Assets.

• Users — Information about the users assigned to your account. For more information, see
Export Users.

On the Scheduled Exports page, you can do the following:

• View Your Scheduled Exports

• Disable a Scheduled Export

• Enable a Disabled Scheduled Export

• Delete a Scheduled Export

Note: Export expiration is set via the Settings section. For more information, see General Settings.

View Your Scheduled Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Exports page, you can view all the scheduled exports on your account.

Note: You can retain up to 1000 export schedules on your Tenable Vulnerability Management instance.

To view your scheduled exports:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

Schedules Table

The Schedules table contains the following information about your scheduled exports:

Name: The name of the scheduled export file.

Source: The data source for the scheduled export in Tenable Vulnerability Management. Possible
sources include:

• Assets — Information about all assets included on your Tenable Vulnerability Management
license.

• Assets Host — Information about assets Tenable Vulnerability Management identified on your
host during a scan.

• Findings - Vulnerabilities - Host — Information about the vulnerability findings Tenable
Vulnerability Management identified on your host during a scan.

• Users — Information about the users assigned to your account.

Format: The format of the export file, either CSV or JSON.

Schedule: The date, time, and frequency on which your export runs.

Next Run: The date and time when the export is scheduled to run next.

Last Run Start Date: The date and time when Tenable Vulnerability Management last began the
export.

Status: The status of the most recent scheduled export.

Actions: The actions you can perform with the scheduled export, including the following:

• Disable one or more scheduled exports.

• Enable one or more disabled scheduled exports.

• Delete one or more scheduled exports.

Disable a Scheduled Export

Required User Role: Administrator

Disabling a scheduled export prevents Tenable Vulnerability Management from automatically
creating exports based on the export schedule. You can enable a disabled scheduled export, as
described in Enable a Disabled Scheduled Export.

Note: Disabling a scheduled export does not remove the scheduled export from the Schedules table or
from the list of exports that count against your 1000 scheduled export limit. To remove a scheduled export
from your account, you must delete the scheduled export.

To disable a scheduled export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Do one of the following:

To disable a single scheduled export:


a. In the Schedules table, in the row for the scheduled export you want to disable, click the
button.

The action buttons appear in the row.

b. In the row, click the Disable button.

To disable multiple scheduled exports:


a. In the Schedules table, select the check box for each scheduled export you want to
disable.

Note: You can disable up to 10 export schedules simultaneously.

The action bar appears at the top of the table.

b. In the action bar, click the Disable button.

A success message appears.

Tenable Vulnerability Management disables the selected scheduled export or exports.

In the Schedules table, disabled scheduled exports appear in gray.

Enable a Disabled Scheduled Export

Required User Role: Administrator

When you disable a scheduled export, you can enable the scheduled export again to resume the
export cadence specified in the schedule.

To enable a disabled scheduled export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Do one of the following:

To enable a single scheduled export:


a. In the Schedules table, in the row for the scheduled export you want to enable, click the
button.

The action buttons appear in the row.

b. In the row, click the Enable button.

To enable multiple scheduled exports:


a. In the Schedules table, select the check box for each disabled scheduled export that
you want to enable.

Note: You can enable up to 10 export schedules simultaneously.

The action bar appears at the top of the table.

b. In the action bar, click the Enable button.

A success message appears.

Tenable Vulnerability Management enables the selected scheduled export or exports.

In the Schedules table, enabled scheduled exports appear in black.

Delete a Scheduled Export

Required User Role: Administrator

On the Exports page, you can delete one or more scheduled exports from your Tenable Vulnerability
Management instance.

Note: Deleting a scheduled export removes the schedule from your Tenable Vulnerability Management
instance entirely. If you want to instead suspend a scheduled export, you can disable the schedule.

To delete a scheduled export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Do one of the following:

To delete a single scheduled export:


a. In the Schedules table, in the row for the scheduled export you want to delete, click the
button.

A menu appears.

b. Click the Delete button.

To delete multiple scheduled exports:


a. In the Schedules table, select the check box for each scheduled export you want to
delete.

Note: You can delete up to 10 export schedules simultaneously.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

Tenable Vulnerability Management deletes the selected scheduled export or exports. Deleted
scheduled exports no longer appear in the Schedules table.

Export Activity

On the Export Activity tab, you can view all the exports created on your account. You can see the
source, type, format, status, size, creation date, and author for each export.

Note: Export expiration is set via the Settings section. For more information, see General Settings.

Note: By default, Tenable Vulnerability Management allows you to store up to 500 MB of export data at a
time. Once you reach this limit, you cannot create new exports until you delete some of your existing export
data. To increase your export storage limit, contact your Tenable representative.

To view your export activity:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

Activity Table

The Activity table contains the following information about your exports:

Name: The name of the export file.

Source: The data source for the export in Tenable Vulnerability Management. The possible sources are:

l Assets — Information about all the assets on your Tenable Vulnerability Management license.

l Assets Host — Information about assets Tenable Vulnerability Management identified on your host during a scan.

l Findings - Vulnerabilities - Host — Information about the vulnerability findings Tenable Vulnerability Management identified on your host during a scan.

l Users — Information about the users assigned to your account.

Type: The type of export, either manual or scheduled.

Format: The format of the export file, either CSV or JSON.

Status: The status of the export. The possible statuses are:

l Pending — Tenable Vulnerability Management is initiating the export process.

l Running — Tenable Vulnerability Management is preparing the requested file.

l Completed — Tenable Vulnerability Management has successfully completed the export process. The export file is now available to download.

l Canceled — Tenable Vulnerability Management canceled the export process. A Canceled status appears when a user stops a pending or running export.

l Failed — The export process failed.

Reason: The reason the export attempt failed. By default, the Reason column is hidden. For information about how to add the column to the table, see Interact with a Customizable Table. A reason value appears only if the export status is Failed.

Size: The size of the export file. A size value appears only if the export status is Completed.

Creation Date: The date and time a user initiated the export.

Completion Date: The date and time when the export process completed.

File Name: The name of the CSV or JSON export file.

Expires On: The date and time the export expires.

Note: Export expiration is set via the Settings section. For more information, see General Settings.

Author: The user who initiated the export.

Actions: The actions you can perform with the export, including the following:

l Download an export file.

l Renew the expiration date for one or more exports.

l Delete one or more export files.

l Export your export activity.

On the Export Activity page, you can perform the following actions:

l Filter your Exports

l Renew an Export Expiration Date

l Stop an Export

l Download Export Activity

l Export your Export Activity

l Delete an Export

Note: Export expiration is set via the Settings section. For more information, see General Settings.

Filter your Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Exports page, you can filter the export data for your Tenable Vulnerability Management
instance.

To filter your exports:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. (Optional) To filter your export activity data, click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. In the upper-left corner, click the button.

The filters plane expands. The plane displays a list of default filter options.

6. Click Edit Filters.

A drop-down box appears listing all the filter options.

7. Select or deselect the filters you want to add or remove. For a detailed list of available filters,
see Export Filters.

8. Click outside the filter drop-down box.

The drop-down box closes.

9. For each selected filter, in the first text box, select an operator.

10. In the second text box, select or type a value for the filter.

Note: You can select up to five different values for each filter to apply to your exports.

Note: If a filter you select has generic options, those options appear below the filter. If the filter
requires a specific, unique value, you must type the value.

Tip: When you type a value for your filter, you can use a wild card character (*) to stand in for a
section of text anywhere in the value. For example, if you want the filter to include all values that
end in 1, type *1. If you want the filter to include all values that begin with 1, type 1*. If you want the
filter to include all values with a 1 somewhere between the first and last characters, type *1*.

11. (Optional) To clear the value of a filter:

a. Hover over the filter you want to clear.

An interactive window appears over the filter.

b. In the window, click Clear to remove the value provided in the filter box.

Tenable Vulnerability Management clears the filter value.

12. (Optional) To remove a filter:

a. Hover over the filter you want to remove.

An interactive window appears over the filter.

b. In the window, click Remove to remove the filter.

Tenable Vulnerability Management removes the filter.

13. Click Apply.

Tenable Vulnerability Management filters your export data.

Export Filters

On the Exports page, you can filter your export data using the following filters:

Note: The available filters vary based on the type of data you want to export.

Each entry lists the filter, the export data type it applies to (in parentheses), and a description.

Name (scheduled exports, export activity): The name you assigned to the export in Tenable Vulnerability Management. This filter is selected by default.

Size (export activity): The size of the export file in bytes. This filter is selected by default.

Source (scheduled exports, export activity): The area of Tenable Vulnerability Management to which the export applies. This filter is selected by default.

Status (scheduled exports, export activity): The current status of the export. Possible options are:

l Pending

l Running

l Canceled

l Failed

l Completed

This filter is selected by default.

Author (export activity): The user who created the export.

Completion Date (export activity): The date on which Tenable Vulnerability Management completed the export. This filter applies only to exports with a Completed status.

Creation Date (scheduled exports, export activity): The date on which a user on your instance created the export.

Expires On (export activity): Indicates when the export file expires. The filter value can be a date, date range, or number of days until the export file expires.

File Name (export activity): The name of the export file.

Format (scheduled exports, export activity): The export file type. Possible options are:

l CSV

l JSON

Reason (export activity): The reason the export failed. This filter applies only to exports with a Failed status.

Next Run (scheduled exports): The date and time on which the next export is scheduled.

Last Run Start Date (scheduled exports): The date and time on which Tenable Vulnerability Management last initiated the export.

Last Run Completion Date (scheduled exports): The date and time on which Tenable Vulnerability Management last completed the export.

Created By (scheduled exports): The user who created the export.

Updated Date (scheduled exports): The date and time on which a user last updated the export.

Updated By (scheduled exports): The user who last updated the export.

Renew an Export Expiration Date

Required User Role: Administrator

On the Exports page, you can reset the expiration date for any export on your Tenable Vulnerability
Management instance.

Note: You can reset the expiration date for only one export at a time.

Tip: You can also configure your default export expiration settings on the General Settings page.

To reset the expiration date for an export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Do one of the following:

l In the exports table, right-click the row for the export for which you want to reset the
expiration date.

The action options appear next to your cursor.

l In the exports table, in the Actions column, click the button in the row for the export
for which you want to reset the expiration date.

The action buttons appear in the row.

7. Click Renew.

Tenable Vulnerability Management resets the export expiration date for 30 days from today's
date.

Stop an Export

Required User Role: Administrator

On the Exports page, you can stop one or more pending or running exports on your Tenable
Vulnerability Management instance.

Note: You cannot stop an export that has already been completed, canceled, or failed.

To stop a pending or running export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the exports that you want to stop:

Selected exports: To stop selected exports:

Tip: You can stop up to 10 exports simultaneously.

a. In the exports table, select the check box for each export you want to stop.

The action bar appears at the top of the table.

b. In the action bar, click Stop.

A single export: To stop a single export:

a. In the exports table, right-click the row for the export you want to stop.

-or-

In the exports table, in the Actions column, click the button in the row for the export you want to stop.

The action buttons appear in the row.

b. Click Stop.

Download Export Activity

Required User Role: Administrator

On the Exports page, you can download an export file on your Tenable Vulnerability Management
instance.

Note: You can download only one export file at a time.

Note: You can download the export file only if the export's status is Completed.

To download an export file:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Do one of the following:

l In the exports table, right-click the row for the export file you want to download.

The action options appear next to your cursor.

l In the exports table, in the Actions column, click the button in the row for the export
file you want to download.

The action buttons appear in the row.

7. Click Download.

Tenable Vulnerability Management downloads the export file to your computer.

Export your Export Activity

Required User Role: Administrator

On the Exports page, you can export data for the export activity on your Tenable Vulnerability
Management instance.

To export your export activity data:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the exports that you want to export:

Selected exports: To export selected exports:

a. In the exports table, select the check box for each export you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than 200 exports, select all the exports in the list and then click Export.

A single export: To export a single export:

a. In the exports table, right-click the row for the export you want to export.

The action options appear next to your cursor.

-or-

In the exports table, in the Actions column, click the button in the row for the export you want to export.

The action buttons appear in the row.

b. Click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of exports.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of exports.

Empty fields are not included in the JSON file.

9. In the Configurations section, select the fields you want to include in the export file by
selecting the check box next to any field. Use the text box to search for a field.

To view only the selected fields, click View Selected.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.
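The CSV note in step 8 describes a single quote placed in front of cells that begin with =, +, - or @, which keeps a spreadsheet application from treating an export cell as a formula. The following added Python example (not Tenable's code) applies that same rule to constructed export-activity rows and checks a received CSV for cells that were not neutralized; the function names and the sample data are assumptions.

```python
# Added example, not Tenable's code: applies the guide's CSV rule (a single quote in front of
# cells that begin with =, +, - or @) to constructed export rows, and checks a received CSV for
# cells that were left un-neutralized. Function names and sample data are assumptions.
import csv
import io

# Leading characters that spreadsheet applications read as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value: str) -> str:
    """Prefix a formula-looking cell with a single quote so a spreadsheet treats it as text.
    Side effect worth knowing: a negative number such as "-5" is quoted too, because the rule
    looks only at the first character."""
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def write_safe_csv(rows, fieldnames) -> str:
    """Serialize rows (dicts) to CSV text with every cell passed through neutralize_cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(str(row.get(name, ""))) for name in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Return (row_number, column, value) for each cell that still begins with a formula prefix.
    Row 1 is the header, so data rows start at 2. Run this on a CSV from any source before
    opening it in a spreadsheet application."""
    hits = []
    for row_number, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, value in row.items():
            if value is not None and value.startswith(FORMULA_PREFIXES):
                hits.append((row_number, column, value))
    return hits


# Constructed sample: export-activity rows where the user-chosen export name is the field
# most likely to start with a formula character.
SAMPLE_FIELDS = ["Name", "Author", "Size"]
SAMPLE_ROWS = [
    {"Name": "weekly-assets", "Author": "alice", "Size": "2048"},
    {"Name": "=SUM(1,2)", "Author": "bob", "Size": "512"},
    {"Name": "@audit-export", "Author": "carol", "Size": "64"},
    {"Name": "-draft", "Author": "dave", "Size": "128"},
]
# The same rows written without the rule, as they might arrive from another tool (constructed).
UNSAFE_CSV = (
    "Name,Author,Size\n"
    "weekly-assets,alice,2048\n"
    "\"=SUM(1,2)\",bob,512\n"
    "@audit-export,carol,64\n"
    "-draft,dave,128\n"
)
```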

Delete an Export

Required User Role: Administrator

On the Exports page, you can delete one or more exports from your Tenable Vulnerability
Management instance.

Note: You can delete an export file only if the export's status is Completed, Canceled, or Failed.

To delete an export:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exports tile.

The Exports page appears. By default, the Schedules tab is active.

4. Click the Activity tab.

The Activity page appears. This page displays a table with all the exports on your Tenable
Vulnerability Management account.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the exports that you want to delete:

Selected exports: To delete selected exports:

Tip: You can delete up to 10 exports simultaneously.

a. In the exports table, select the check box for each export you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click Delete.

A single export: To delete a single export:

a. In the exports table, right-click the row for the export you want to delete.

-or-

In the exports table, in the Actions column, click the button in the row for the export you want to delete.

The action buttons appear in the row.

b. Click Delete.

Tenable Vulnerability Management removes the export from your account.

Recast/Accept Rules

Note: If a rule is targeted by IP address, that rule applies to the specified IP in each network in which it is
found. For more information, see networks.

Recast Rules
You can use recast rules to modify the severity of vulnerabilities. Vulnerabilities that you recast are
identified as such on the Findings Details page. If you specify an expiration date for a recast rule,
upon expiration Tenable Vulnerability Management reverts existing dashboards back to their original
severity. Historical scan results, however, remain unchanged.

For Tenable Vulnerability Management standalone customers, recast severities do not affect
scores such as VPR, CES, or AES. Tenable One and Tenable Lumin customers, however, may notice
updated scores if a recast severity is included in their score calculations.

Note: When recasting custom scan targets, Tenable Vulnerability Management supports only the following
asset values:

l IPv4
l IPv6
l Hostname
l FQDN

For example, you may have a set of internal servers that you scan regularly. These internal servers
use self-signed certificates for SSL connections. Since the certificates are self-signed, your scans
have been reporting vulnerabilities from plugin 51192, SSL Certificate Cannot Be Trusted, which has
a Medium severity. Since you are aware that the servers use self-signed certificates, you create a
recast rule to change the severity level of plugin 51192 from Medium to Info, and set the target to
those internal servers.

The dashboards reflect the effect of a recast rule. A tag appears to indicate when vulnerabilities
have been recast. The rule applies to all assets or a specific asset based on the rule's parameters.
As long as the rule remains in effect, the rule applies to the corresponding data and scan results.

Note: When you recast Tenable Nessus Network Monitor plugins, the original severity is unknown.

Important:

l Because Tenable PCI ASV scans using the PCI Quarterly External Scan template have their own
set of rules, any recast rules do not apply to the scan results.
l Frictionless Assessment connectors do not support recast rules.

Accept Rules
You can use accept rules to accept the risk of a vulnerability without modifying the severity level of
the plugin. Vulnerabilities that have been accepted are still identified by a scan, but hidden in the
results of the scan. To view accepted vulnerabilities, you can use the Recast & Accept filter. If you
specify an expiration date for an accept rule, upon expiration Tenable Vulnerability Management no
longer accepts the risk of the vulnerability. Historical scan results, however, remain unchanged.
Accepted severities do not affect scores such as VPR, AES, or CES.

Consider the previous example. Rather than recasting the severity level from Medium to Info, you
acknowledge that there is a risk associated with using self-signed certificates, but you do not want
to see the vulnerability appearing for those servers any longer. You create an accept rule to accept
the risk of plugin 51192, which hides that vulnerability for the targets you specified. If the same
vulnerability is identified on other assets during the scan, those still appear in the scan results.

Tenable Vulnerability Management reflects the effect of an accept rule. Accepted vulnerabilities are
hidden, and can be viewed using the Recast & Accept filter.

False Positives
Additionally, you can use an accept rule to report false positives. Tenable reviews reported false
positives in order to identify potential issues with a plugin.

Consider again the previous example. In this case, you know the servers in question are in fact
using certificates from a proper Certificate Authority. However, plugin 51192 continues to report
vulnerabilities for those servers. To hide the false results and report the issue, you create an accept
rule that accepts the vulnerability as a false positive.

Integrity of Scan History


In the case of both recast and accept rules, the historical results of a scan are not modified. Scan
history is immutable in order to provide an accurate representation of the scan over time, and to
prevent any internal or external auditing issues that might be created by the scan history changing.
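The behaviour described in the Recast Rules, Accept Rules and Integrity of Scan History sections (a recast changes severity and tags the finding, an accept hides it without changing severity, an expired rule stops applying, and historical results are never modified), together with the Target Hosts format from the create-rule procedures below, as an added Python model that is not Tenable's code. The Finding and Rule data classes, the function names, the placeholder plugin ID 99999, the sample assets and the assumption that a rule stays active through its expiry date are all mine.

```python
# Added example, not Tenable's code: a small model of recast and accept rules as this
# section describes them. Data classes, function names and sample data are assumptions.
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional
import ipaddress

MAX_TARGET_ENTRIES = 1000  # cap on comma-separated custom entries stated in the guide

@dataclass(frozen=True)
class Finding:
    plugin_id: int
    asset: str            # IPv4, IPv6, hostname or FQDN (the asset values the guide lists)
    severity: str
    recast: bool = False  # a recast finding is tagged as such on the Findings Details page
    accepted: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                         # "recast" or "accept"
    plugin_id: int
    targets: str = "All"                # "All" or a comma-delimited custom list
    new_severity: Optional[str] = None  # recast rules only
    expires: Optional[date] = None      # None: the rule applies indefinitely

def _parse_entry(entry: str):
    """Return the networks an IP, CIDR or IP-range entry covers, or None for a hostname."""
    try:
        return [ipaddress.ip_network(entry, strict=False)]   # single IP or CIDR block
    except ValueError:
        pass
    try:                                                     # range such as 10.0.0.1-10.0.0.20
        lo, hi = [ipaddress.ip_address(p.strip()) for p in entry.split("-", 1)]
        return list(ipaddress.summarize_address_range(lo, hi))
    except (ValueError, TypeError):
        return None                                          # hostnames may contain "-" too

def parse_targets(spec: str):
    """Split a custom Target Hosts list into (networks, lower-cased hostnames)."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if len(entries) > MAX_TARGET_ENTRIES:
        raise ValueError("more than %d entries; create multiple rules" % MAX_TARGET_ENTRIES)
    nets, hosts = [], set()
    for entry in entries:
        covered = _parse_entry(entry)
        if covered is None:
            hosts.add(entry.lower())
        else:
            nets.extend(covered)
    return nets, hosts

def matches(rule: Rule, finding: Finding) -> bool:
    """A rule applies to a finding of the same plugin whose asset is among the rule's targets."""
    if rule.plugin_id != finding.plugin_id:
        return False
    if rule.targets.strip().lower() == "all":
        return True
    nets, hosts = parse_targets(rule.targets)
    try:
        addr = ipaddress.ip_address(finding.asset)
    except ValueError:                                       # asset is a hostname or FQDN
        return finding.asset.lower() in hosts
    return any(addr in net for net in nets)

def apply_rules(findings, rules, today: date):
    """Return new Finding objects with every active rule applied, in rule order. The input
    findings are never modified (historical scan results stay unchanged, as the guide says).
    Assumption: a rule stays active through its expiry date."""
    active = [r for r in rules if r.expires is None or today <= r.expires]
    result = []
    for finding in findings:
        current = finding
        for rule in active:
            if not matches(rule, current):
                continue
            if rule.action == "recast":
                current = replace(current, severity=rule.new_severity, recast=True)
            elif rule.action == "accept":                    # severity is left untouched
                current = replace(current, accepted=True)
        result.append(current)
    return result

def visible(findings):
    """Workbench view: accepted findings are hidden (the Recast & Accept filter reveals them)."""
    return [f for f in findings if not f.accepted]

# Constructed sample data: 51192 is the SSL Certificate Cannot Be Trusted plugin from the
# guide's example, 99999 is a placeholder plugin ID, and the hosts and addresses are made up.
SAMPLE_FINDINGS = [
    Finding(51192, "10.0.0.5", "Medium"),
    Finding(51192, "intranet-01.example.test", "Medium"),
    Finding(51192, "203.0.113.7", "Medium"),
    Finding(99999, "10.0.0.5", "Medium"),
]
DEMO_TODAY = date(2024, 6, 20)
DEMO_RULES = [
    Rule("recast", 51192, "10.0.0.0/24, intranet-01.example.test", new_severity="Info"),
    Rule("accept", 51192, "203.0.113.1-203.0.113.20"),
    Rule("recast", 51192, "All", new_severity="Critical", expires=date(2024, 1, 1)),  # expired
]
```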

View Recast/Accept Rules

Required User Role: Administrator

The Recast/Accept Rules page displays all configured recast and accept rules in your Tenable
Vulnerability Management instance.

To view the Recast/Accept Rules page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Recast tile.

The Recast/Accept Rules page appears. This page contains a table that lists all your recast
and accept rules.

Create a Recast Rule

Required User Role: Administrator

Important: The time it takes to apply a recast/accept rule depends on the system load and the number of
matching vulnerabilities.

To create a recast rule:

1. View the Recast/Accept Rules page.

2. In the upper-right corner, click the Add Rule button.

The Add Rule plane appears.

Note: You can submit the form only after you change the N/A value in the New Severity
drop-down box to another value.

3. In the Action section, select Recast.

4. In the Vulnerability box, type the ID of the plugin that you want to recast. For example, 51192.

Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator
changes to match the default severity of the vulnerability. The Original Severity indicator does not
change if another type of plugin is used.

5. In the New Severity drop-down box, select the severity level for the vulnerability.

6. In the Targets drop-down box, do one of the following:

l To target all assets, select All. This is the default target.

Note: If the Targets drop-down is set to All, a warning appears indicating that this option may
override existing rules.

l To target a custom set of assets:

a. Select Custom.

A Target Hosts box appears.

b. In the Target Hosts box, type one or more targets for the rule. You can type a
comma-delimited list that includes any combination of IP addresses, IP ranges,
CIDR, and hostnames.

Caution: You can only specify 1000 comma-separated custom entries. If you want to
target a larger number of custom entries, create multiple rules.

7. (Optional) In the Expires box, set an expiration date for the rule. This action is only necessary
if you want the rule to expire. By default, the rule applies indefinitely.

8. (Optional) In the Comments box, type a description of the rule. The text you type in this box is
only visible if the rule is modified and has no functional effect.

9. Click Save.

Tenable Vulnerability Management starts applying the rule to existing vulnerabilities. This
process may take some time, depending on the system load and the number of matching
vulnerabilities. The change is reflected on dashboards, where a label appears to indicate how
many instances of affected vulnerabilities have been recast.

Note: A recast rule does not affect the historical results of a scan.

Create an Accept Rule for a Plugin

Required User Role: Administrator

Important: The time it takes to apply a recast/accept rule depends on the system load and the number of
matching vulnerabilities.

To create an accept rule:

1. View the Recast/Accept Rules page.

2. In the upper-right corner, click the Add Rule button.

The Add Rule plane appears.

3. In the Action section, select Accept.

4. In the Vulnerability box, type the ID of the plugin that you want to accept. For example, 51192.

Note: If the plugin ID corresponds to a Tenable Nessus plugin, the Original Severity indicator
changes to match the default severity of the vulnerability. The Original Severity indicator does not
change if another type of plugin is used.

5. In the Targets drop-down box, do one of the following:

l To target all assets, select All. This is the default target.

l To target a custom set of assets:

a. Select Custom.

A Target Hosts box appears.

b. In the Target Hosts box, type one or more targets for the rule. You can type a
comma-delimited list that includes any combination of IP addresses, IP ranges,
CIDR, and hostnames.

Caution: You can only specify 1000 comma-separated custom entries. If you want to
target a larger number of custom entries, create multiple rules.

6. (Optional) In the Expires box, set an expiration date for the rule. This action is only necessary
if you want the rule to expire. By default, the rule applies indefinitely.

7. (Optional) In the Comments box, type a description of the rule. The text you type in this box is
only visible if the rule is modified and has no functional effect.

8. (Optional) To report the vulnerability as a false positive:

a. Enable the Report as false positive toggle.

A Message To Tenable box appears.

b. In the Message to Tenable box, type a description of the false positive to send to
Tenable.

9. Click Save.

Tenable Vulnerability Management starts applying the rule to existing vulnerabilities. This
process may take some time, depending on the system load and the number of matching
vulnerabilities. The affected vulnerability is hidden on your workbench.

Note: To view vulnerabilities hidden from your workbench, use the Recast & Accept advanced filter.
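The Target Hosts box in both the recast and accept rule procedures above takes a comma-delimited mix of IP addresses, IP ranges, CIDR blocks and hostnames, capped at 1000 entries per rule. The following Python is an added example, not Tenable's code or API: it validates such a list offline and splits it into chunks that each fit one rule, so a larger target set can be created as several rules as the Caution advises. The hostname check (RFC 1123 labels) and the range notation start-end are assumptions; the guide does not define either exactly.

```python
import ipaddress
import re

# From the guide: a Custom target list accepts at most 1000 comma-separated entries per rule.
MAX_ENTRIES_PER_RULE = 1000

# Assumptions (the guide does not define these): hostnames follow RFC 1123 label rules, and
# an IP range is written as start-end with both ends full addresses of the same family.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_RANGE = re.compile(r"^([0-9a-fA-F.:]+)\s*-\s*([0-9a-fA-F.:]+)$")


def classify_target(entry: str) -> str:
    """Return 'ip', 'cidr', 'range' or 'hostname' for one entry, or raise ValueError."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty target entry")
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)  # raises ValueError on a bad CIDR
        return "cidr"
    m = _RANGE.match(entry)
    if m:
        try:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        except ValueError:
            lo = hi = None  # hex-looking hostnames such as "abc-def" fall through
        if lo is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid IP range: {entry}")
            return "range"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(entry) <= 253 and all(_LABEL.match(label) for label in labels):
        return "hostname"
    raise ValueError(f"not an IP, range, CIDR or hostname: {entry}")


def parse_target_hosts(text: str) -> list:
    """Validate a comma-delimited Target Hosts string; drop blanks and duplicates, keep order."""
    seen, out = set(), []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        classify_target(entry)  # raises on the first invalid entry
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def split_into_rules(entries: list, limit: int = MAX_ENTRIES_PER_RULE) -> list:
    """Chunk validated entries so each chunk fits one rule's Target Hosts box."""
    return [", ".join(entries[i:i + limit]) for i in range(0, len(entries), limit)]


if __name__ == "__main__":
    # Constructed sample: 2500 hosts need three rules under the 1000-entry cap.
    hosts = [f"10.1.{i // 256}.{i % 256}" for i in range(2500)]
    for n, chunk in enumerate(split_into_rules(parse_target_hosts(",".join(hosts))), 1):
        print(f"rule {n}: {chunk.count(',') + 1} entries")
```

Run it and paste each printed chunk into the Target Hosts box of its own rule; validating first avoids a rule that silently matches nothing because one entry was mistyped.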

Edit a Recast or Accept Rule

Required User Role: Administrator

To edit a recast or accept rule:

1. View the Recast/Accept Rules page.

2. In the Recast/Accept Rules table, click the row of the rule you want to edit.

The Rule plane appears.

3. Make any desired changes.

For more information about configuration options, see Create a Recast Rule or Create an
Accept Rule for a Plugin.

4. Click Save.

Tenable Vulnerability Management applies your changes to the rule. This process may take
some time, depending on the system load and the number of matching vulnerabilities.

Export Recast Rules

Required User Role: Administrator

On the Accept/Recast Rules page, you can export one or more recast rules in CSV or JSON format.

To export your recast rules:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Recast tile.

The Accept/Recast Rules page appears. This page contains a table that lists all your recast
rules.

4. (Optional) Refine the table data. For more information, see Filter a Table.

5. Select the recast rules that you want to export:

To export selected recast rules:

a. In the recast rules table, select the check box for each recast rule you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than
200 recast rules, select all the recast rules in the list and then click Export.

To export a single recast rule:

a. In the recast rules table, right-click the row for the recast rule you want to export.

The action options appear next to your cursor.

-or-

In the recast rules table, in the Actions column, click the button in the row for the recast
rule you want to export.

The action buttons appear in the row.

b. Click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of recast rules.

         Note: If your .csv export file includes a cell that begins with any of the following
         characters (=, +, -, @), Tenable Vulnerability Management automatically inserts a
         single quote (') at the beginning of the cell. This stops spreadsheet applications
         from evaluating the cell as a formula (CSV injection) when the file is opened. For
         more information, see the related knowledge base article.

JSON     A JSON file that contains a nested list of recast rules. Empty fields are not
         included in the JSON file.
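As an added example (not Tenable's export code), the following Python shows why the single-quote prefix in the CSV note matters. Free-text rule fields such as Comments are written by whoever created the rule, and a cell that begins with =, +, - or @ is executed as a formula when the export is opened in a spreadsheet. The constructed sample rules, the field names and the defang_cell helper are assumptions for illustration; only the triggering characters and the single-quote behaviour come from the guide.

```python
import csv
import io

# From the guide: cells beginning with any of these are prefixed with a single quote on export.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Assumption: tab and carriage return are neutralised as well; some spreadsheet
# applications treat them as a cell start when importing CSV.
_EXTRA_PREFIXES = ("\t", "\r")


def defang_cell(value) -> str:
    """Return the cell text, prefixed with a single quote if a spreadsheet would evaluate it."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES + _EXTRA_PREFIXES):
        return "'" + text
    return text


def rules_to_csv(rules: list, fields: list, defang: bool = True) -> str:
    """Serialise rule dicts to CSV text. defang=False reproduces the unsafe export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for rule in rules:
        row = {f: rule.get(f, "") for f in fields}
        if defang:
            row = {f: defang_cell(v) for f, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def parse_csv(text: str) -> list:
    """Read CSV text back into a list of dicts (the header row becomes the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def csv_has_live_formulas(text: str) -> bool:
    """True if any cell would still be executed as a formula when the file is opened."""
    return any(
        cell.startswith(FORMULA_PREFIXES + _EXTRA_PREFIXES)
        for row in csv.reader(io.StringIO(text))
        for cell in row
    )


# Constructed sample rules (not real export data). The Comments field is free text
# entered by whoever created the rule, so it is the field an attacker can reach.
FIELDS = ["plugin_id", "action", "severity", "targets", "comments"]
SAMPLE_RULES = [
    {"plugin_id": 51192, "action": "recast", "severity": "Low",
     "targets": "10.0.0.0/24", "comments": "Self-signed certificate on lab hosts"},
    {"plugin_id": 51192, "action": "accept", "severity": "",
     "targets": "All", "comments": '=HYPERLINK("http://attacker.example/x","click")'},
]

if __name__ == "__main__":
    print("unsafe export:\n" + rules_to_csv(SAMPLE_RULES, FIELDS, defang=False))
    print("defanged export:\n" + rules_to_csv(SAMPLE_RULES, FIELDS))
```

The trade-off is visible in the output: a legitimate negative number such as -5 is also prefixed, because the check is on the first character only. Strip the leading quote when you consume the file programmatically rather than turning the protection off.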

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Delete a Recast or Accept Rule

Required User Role: Administrator

To delete a recast or accept rule:

1. View the Recast/Accept Rules page.

2. Select a rule or rules to delete:

l Select a single rule.
a. In the Recast/Accept Rules table, roll over the row of the rule you want to delete.

b. On the right side of the row, click the button.

A Delete Recast Rule confirmation message appears.

l Select multiple rules.
a. In the Recast/Accept Rules table, select the check boxes next to the rules you
want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A Delete Recast Rule confirmation message appears.

3. Click Delete.

Tenable Vulnerability Management deletes the selected rule or rules. Tenable Vulnerability
Management may take some time to remove the rule or rules from existing vulnerabilities,
depending on the system load and the number of matching vulnerabilities.

Tags
You can add your own business context to assets by tagging them with descriptive metadata in
Tenable Vulnerability Management. An asset tag is primarily composed of a Category:Value pair. For
example, if you want to group your assets by location, create a Location category with the value
Headquarters. You can then manually apply the tag to individual assets, or you can add rules to the
tag that enable Tenable Vulnerability Management to apply the tag automatically to matching
assets.

For more information about tag structure and related best practices, see:

l Tag Format and Application

l Considerations for Tags with Rules

l Examples: Asset Tagging

Note: If you want to create tags without individual categories, Tenable recommends that you add the
generic category Category, which you can use for all your tags.

Adding your own business context to assets using tags allows you to filter analysis views by tag.

To view your tags:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Do one of the following:

To view the categories to which all the tags in your Tenable Vulnerability
Management instance are assigned:

a. View your tag categories and relevant data about them in the Categories table:

Column         Description

Name           The name of the tag category.

Created By     The username of the user who created the tag category.

Last Used By   The username of the user who most recently created or edited a tag value
               in the category, or the category itself.

Created        The date on which the tag category was created.

# of Values    The number of tag values associated with the tag category.

Actions        The actions you can perform with the tag category.

To view all the tags in your Tenable Vulnerability Management instance:


a. Click the Values tab.

The Values page appears, containing a table of all the tags on your Tenable Vulnerability
Management instance.

b. View your tags and relevant data about them in the Values table:

Column           Description

Name             The name of the tag.

Created By       The username of the user who created the tag.

Updated By       The username of the user who last updated the tag category or value.

Created          The date on which the tag was created.

Applied          Indicates whether the tag is applied Manually or Automatically.

Last Processed   The date and time when Tenable Vulnerability Management last processed
                 scan data and applied the tag to all relevant assets.

Assessment       Indicates whether Tenable Vulnerability Management has finished
                 identifying and applying the tag to all matching assets.

Actions          The actions you can perform with the tag.

Examples: Asset Tagging


See the following configuration examples to tag assets for common use cases. For general
information about tags, see Tags.

l Example: Automatically Tag by Installed Software

l Example: Manually Tag by Priority

Example: Automatically Tag by Installed Software


Your company manages assets that run on two software types: Oracle and Wireshark. Your
company assigns asset ownership to employees based on the software type. Employees must
resolve any vulnerabilities identified on assets with the software type they manage.

As an administrator, you can create an automatic tag for each software type. Then, employees can
search for assets by the Installed Software tag and filter Tenable Vulnerability Management assets
by the software type they manage.

Note: For more precise results, set the tag value to the appropriate NVD Common Platform Enumeration
(CPE), for example, cpe:/a:microsoft:office.

To automatically tag assets by installed software:

1. Create and automatically apply a tag for Oracle assets using the following settings:

Option Value

Category Installed Software

Value Oracle

Rules Enabled, with the following rule specified:

l Match All

l Category: Installed Software

l Operator: is equal to

l Value: Oracle

2. Create and automatically apply a tag for Wireshark assets using the following settings:

Option Value

Category Installed Software

Value Wireshark

Rules Enabled, with the following rule specified:

l Match All

l Category: Installed Software

l Operator: is equal to

l Value: Wireshark

3. Instruct employees to use the new tags to filter assets in the assets table or to search for
assets from the tags table.

Example: Manually Tag by Priority


Your company owns sensitive assets and you want employees to prioritize addressing
vulnerabilities on these assets first, regardless of the asset's other attributes (for example, the
asset's VPR).

To make sure employees view and remediate these sensitive assets first, you can create a High
Priority tag and manually add it to assets that you want employees to prioritize. Then, employees
can search for assets using the High Priority tag to filter by the highest priority assets they
manage.

To manually tag assets by priority:

1. Create a tag for your highest priority assets using the following settings:

Option              Value

Category            Priority

Value               High Priority

Value Description   A custom description about the urgency of remediating the
                    vulnerabilities on assets with this tag.

2. Apply the tag manually to your highest priority assets.

3. Instruct employees to use the new tag to filter assets in the assets table or to search for
assets from the tags table.

Tag Format and Application


An asset tag is primarily composed of a Category:Value pair. For example, if you want to group your
assets by location, create a Location category with the value Headquarters.

Note: If you want to create tags without individual categories, Tenable recommends that you add the
generic category Category, which you can use for all your tags.

Tag membership is reevaluated:

l When you update or create a tag

l When Tenable Vulnerability Management imports data

l Every 12 hours

Manual Tags vs. Automatic Tags

When you create a tag that has rules, Tenable Vulnerability Management automatically applies it to
the assets on your instance that match the tag's rules. These automatically applied tags are
sometimes called dynamic tags. When you create an automatic tag, Tenable Vulnerability Management
applies that tag to all your current assets and to any new assets added to your organization's
account that match the rules. Tenable Vulnerability Management also regularly reviews your assets
for changes to their attributes and adds or removes automatic tags accordingly.

Note: When you create or edit an automatic tag, Tenable Vulnerability Management may take some time to
apply the tag to existing assets, depending on the system load and the number of matching assets.

You can also create a tag without rules and then manually apply the tag to individual assets.
Alternatively, you can manually apply an automatic tag to additional assets that may not meet the
rules criteria for that tag. These manually applied tags are sometimes called static tags.

Manual tags appear with the icon, whereas automatic tags appear with the icon.

See the following examples for clarification:

Scenario                                                                 Tag Type

You create a tag with Location:Headquarters as the Category:Value        Manual
pair, but you do not add any tag rules. Later, you add the tag to
assets located at your headquarters.

You create a tag with Location:Headquarters as the Category:Value        Automatic
pair, and you specify an IP address range in the tag rules. Tenable
Vulnerability Management then automatically applies the tag to all
existing or new assets within that IP address range.

Create a Manual or Automatic Tag

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Note: When you create a tag from the Tagging page, you can select from a list of generic asset filters to
create tag rules. If you want to create a tag based on filters that are specific to certain asset types,
Tenable recommends that you create a tag from the Assets page, where you can select additional filters
that are specific to each asset type.

On the Create Tag page, you can create one of the following types of tags:

l Manual — You can create and save a tag to manually apply to individual assets at any time.
Tenable does not automatically apply manual tags to assets.

l Automatic — You can create a tag and add Tag Rules that Tenable Vulnerability Management
uses to identify and tag matching assets. Tenable Vulnerability Management automatically
applies the tag to assets identified by the rule at specific intervals.

Important: You must add a tag rule to the tag in order for Tenable Vulnerability Management to
identify and tag the appropriate assets.

Tip: If your tags fail to apply, the tag rules you configured likely returned too many assets for
Tenable Vulnerability Management to process. For example, a long list of Fully Qualified Domain
Names (FQDNs) with wildcards would cover a large number of assets. When this happens, Tenable
recommends reducing the number of assets per tag through stricter tag rules. If needed, you can then
create an additional tag that combines the narrower tags.

For more information, see Considerations for Tags with Rules.

Note: You can create up to 100 tag categories, and each category can have up to 100,000 tags.

To create a tag from the Tags page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. In the upper-right corner of the page, click the Create Tag button.

The Create Tag page appears.

5. Click the Category drop-down box.

6. In the Add New Category box, type a category.

As you type, the list filters for matches.

7. From the drop-down box, select an existing category, or if the category is new, click Create
"category name".

Note: You can create a maximum of 100 categories for your Tenable Vulnerability Management
instance.

8. (Optional) In the Category Description box, type a description of the tag category.

9. In the Value box, type a name for the tag.

Note: Tag names cannot include commas or be more than 50 characters in length.

Tip: Tenable recommends that you provide a tag name that directly corresponds with the tag
category. For example, if the category is Location, Headquarters would be an appropriate value.

10. (Optional) In the Value Description box, type a description for the new tag.

11. Do one of the following:

To save the tag as a manual tag:


a. Click Save.

Tenable Vulnerability Management saves the tag to the tags table.

b. (Optional) Manually add the tag to one or more assets.

To save and apply the tag automatically:


a. Create a tag rule.

b. Click Save.

Tenable Vulnerability Management creates the tag, evaluates existing assets, and
automatically applies the tag to assets that match the tag rules.

Note: When you create an automatic tag, Tenable Vulnerability Management may take a few
minutes to apply the tag and update any excluded assets, depending on the system load and
the number of assets.

Considerations for Tags with Rules

Automatic Application
Tenable Vulnerability Management evaluates assets against tag rules in the following situations:

l When you add a new asset (via scan, connector import, or leveraging the Tenable Vulnerability
Management API), Tenable Vulnerability Management evaluates the asset against your tag
rules.

l When you create or update a tag rule, Tenable Vulnerability Management evaluates your
assets against the tag rule.

Note: When you create or edit a tag rule, Tenable Vulnerability Management may take some time to
apply the tag to existing assets, depending on the system load and the number of matching assets.

l When you update an existing asset, Tenable Vulnerability Management re-evaluates the asset
and removes the tag if the asset's attributes no longer match the tag rules.

Manual Application
If you manually apply a tag that has been configured with rules, Tenable Vulnerability Management
excludes that asset from any further evaluation against the rules.

Tag Rules

Tag rules allow Tenable Vulnerability Management to automatically apply tags you create to the
assets on your instance that match the tag's rules. These automatically applied tags are called
dynamic or automatic tags.

Tag rules are composed of one or more filter-value pairs based on asset attributes. When you
create a rule and add it to a tag, Tenable Vulnerability Management applies the tag to all assets on
your instance that match the tag rule.

Note: Tenable Vulnerability Management supports a maximum of 1,000 rules per tag. This limit means that
you can specify a maximum of 1,000 AND or OR conditions for a single tag value. Additionally, Tenable
Vulnerability Management supports a maximum of 1,024 values per individual tag rule.

For more information about automatic tags, see:

l Tag Format and Application

l Considerations for Tags with Rules

In the Tags section, you can complete the following tasks with tag rules:

l Create a Tag Rule

l Edit a Tag Rule

l Delete A Tag Rule

Create a Tag Rule

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

When you create or edit a tag to apply automatically, you must create and apply rules to the tag
using tag rules filters. You can create a tag rule in either Basic or Advanced mode.

Caution: If you create a tag rule in Basic mode and then switch to Advanced mode, the rules you created
appear in the Advanced mode format. However, if you switch from Advanced mode to Basic mode,
Tenable Vulnerability Management removes all rules from the rules section.

Note: When you create a tag from the Tagging page, you can select from a list of generic asset filters to
create tag rules. If you want to create a tag based on filters that are specific to certain asset types,
Tenable recommends that you create a tag from the Assets page, where you can select additional filters
that are specific to each asset type.

For more information about applying tags automatically, see Considerations for Tags with Rules.

Before you begin:


l Create or edit a tag.

To create and add a rule to a tag:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Click the Values tab.

The Values page appears, containing a table of all the tags on your Tenable Vulnerability
Management instance.

5. Click the Rules toggle to enable the rule settings.

The Rules section appears.

6. For each tag rule you want to create, do one of the following:

Note: Basic mode is active by default.

To create a tag rule in Basic mode:

a. In the Rules section, click Select Filters.

A drop-down box appears, listing the tag rule filter options.

Note: Each tag rule filter has different limits on the number of values you can apply to a single
filter. For information about those limits, see Tag Rules Filters.

b. Select a filter.

The filter you select appears in the Rules section.

c. Click outside the drop-down box.

The drop-down box closes.

d. In the filter, click the button.

The filter expands.

e. In the first drop-down box, select the operator you want to apply to the filter.

f. In the second drop-down box, select or type one or more values for the filter.

g. Determine whether you want to Match Any or Match All assets:

In the Rules section, in the Match Any drop-down box, do one of the following:

l To apply the tag to assets that match any one of the defined rules, select Match
Any.

An OR operator appears between each rule.

If an asset matches one or more of the filters defined in the tag rule, Tenable
Vulnerability Management applies the tag to that asset.

l To apply the tag only to assets that match all of the filters defined in the tag rule,
select Match All.

An AND operator appears between each rule.

If an asset matches every individual filter defined within the rule, Tenable
Vulnerability Management applies the tag to that asset.

Important: If you select Match All and separate the values by commas, Tenable
Vulnerability Management processes the string using OR logic, similar to the Match Any
option.

h. (Optional) To create another rule, repeat the steps to create a tag rule in Basic mode.

To create a tag rule in Advanced mode:

a. In the Rules section, click Advanced.

A text box appears.

b. Place your cursor in the text box.

A drop-down box appears, listing the tag rule filter options.

Note: Each tag rule filter has different limits on the number of values you can apply to a single
filter. For information about those limits, see Tag Rules Filters.

Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of
the issue.

c. Select or type the filter you want to apply.

Tip: You can use the arrow keys to navigate filter drop-down boxes, and press the Enter key
to select an option.

The filter appears in the text box.

An operator drop-down box appears to the right of the filter.

d. Select one of the following operators. Available operators depend on the filter you
select:

Note: If you want to filter on a value that starts with (') or ("), or includes (*) or (,), then you
must wrap the value in quotation marks (").

Operator                       Description

exists                         Filters for items for which the selected filter exists.

does not exist                 Filters for items for which the selected filter does not exist.

is equal to                    Filters for items that match the filter value.

is not equal to                Filters for items that do not include the filter value.

is greater than                Filters for items with a value greater than the specified filter
is greater than or equal to    value. If you want to include the value you specify in the
                               filter, then use the is greater than or equal to operator.

is less than                   Filters for items with a value less than the specified filter
is less than or equal to       value. If you want to include the value you specify in the
                               filter, then use the is less than or equal to operator.

within last                    Filters for items with a date within a number of hours, days,
                               months, or years before today. Type a number, then select a
                               unit of time.

after                          Filters for items with a date after the specified filter value.

before                         Filters for items with a date before the specified filter value.

older than                     Filters for items with a date more than a number of hours, days,
                               months, or years before today. Type a number, then select a
                               unit of time.

is on                          Filters for items with a specified date.

between                        Filters for items with a date between two specified dates.

contains                       Filters for items that contain the specified filter value.

does not contain               Filters for items that do not contain the specified filter value.

wildcard                       Filters for items with a wildcard (*) as follows:

                               l Begin or end with – Filters for values that begin or end with
                               text you specify. For example, to find all values that begin
                               with "1", type 1*. To find all values that end in "1", type *1.

                               l Contains – Filters for values that contain text you specify. For
                               example, to find all values with a "1" between the first and last
                               characters, type *1*.

                               l Turn off case sensitivity – Filters for values without case
                               sensitivity. For example, to search for findings with a Plugin
                               Name of "TLS Version 1.2 Protocol Detection" or "tls version 1.2
                               protocol detection", type *tls version 1.2 protocol detection.

e. Where applicable, to the right of the operator, select or type a value for the filter.

Tip: Some text filters support the character (*) as a wildcard to stand in for a section
of text in the filter value. For example, if you want the filter to include all values that
end in 1, type *1. If you want the filter to include all values that begin with 1, type 1*.
You can also use the wildcard operator to filter for values that contains certain text.
For example, if you want the filter to include all values with a 1 somewhere between
the first and last characters, type *1*.

f. Press the Space key.

A CONDITIONS drop-down box appears, with AND and OR as options:

l Select OR to "match any" assets tagged by the rule. If an asset matches one or
more of the filters defined in the tag rule, Tenable Vulnerability Management
applies the tag to that asset.

l Select AND to "match all" assets tagged by the rule. If an asset matches every
individual filter defined within the rule, Tenable Vulnerability Management applies
the tag to that asset.

Important: If you select AND and separate the values by commas, Tenable Vulnerability
Management processes the string using OR logic, similar to the OR option.

g. (Optional) To create more rules for the tag, repeat steps c-f.

7. Click Save.

Tenable Vulnerability Management creates the rule and applies it to the tag.
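The following Python is an added example, not Tenable's tag engine or API. It models what the procedure above configures in the UI: the Installed Software tags from the earlier example, the Match Any / Match All choice, the Important note that a comma-separated value list is processed with OR logic inside one filter even under Match All, the wildcard operator, and the Manual Application consideration that an asset with a manually applied tag is excluded from further rule evaluation. The filter names, the case-insensitive treatment of wildcards, and the asset records are assumptions for illustration; only the operators and matching semantics named in the guide are modelled.

```python
import re


def _wildcard_to_regex(pattern: str):
    """Translate the guide's * wildcard into an anchored regex.
    Assumption: matches are case-insensitive, as the 'Turn off case sensitivity' bullet describes."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def match_filter(asset: dict, attr: str, operator: str, value: str) -> bool:
    """Evaluate one filter against one asset. A comma-separated value list is OR'd
    within the filter regardless of the rule's Match Any / Match All setting."""
    actual = asset.get(attr)
    values = [v.strip() for v in value.split(",") if v.strip()] if value else []
    if operator == "exists":
        return actual not in (None, "", [])
    if operator == "does not exist":
        return actual in (None, "", [])
    # Some attributes (installed software) are lists; normalise to one shape.
    haystack = [h for h in (actual if isinstance(actual, list) else [actual]) if h is not None]
    if operator == "is equal to":
        return any(h == v for h in haystack for v in values)
    if operator == "is not equal to":
        return not any(h == v for h in haystack for v in values)
    if operator == "contains":
        return any(v.lower() in str(h).lower() for h in haystack for v in values)
    if operator == "does not contain":
        return not any(v.lower() in str(h).lower() for h in haystack for v in values)
    if operator == "wildcard":
        return any(_wildcard_to_regex(v).match(str(h)) for h in haystack for v in values)
    raise ValueError(f"unsupported operator: {operator}")


def asset_matches_rule(asset: dict, rule: dict) -> bool:
    """rule = {'match': 'any' | 'all', 'filters': [(attribute, operator, value), ...]}
    Match Any puts OR between filters; Match All puts AND between them."""
    results = [match_filter(asset, *f) for f in rule["filters"]]
    if not results:
        return False  # a tag with no rules is a manual tag and never auto-applies
    return any(results) if rule["match"] == "any" else all(results)


def apply_tag(assets: list, tag: str, rule: dict, manual: set = frozenset()) -> dict:
    """Re-evaluate one automatic tag over all assets and return {asset_id: tags}.
    Assets whose id is in `manual` keep the tag and are not evaluated against the rule."""
    result = {}
    for asset in assets:
        tags = set(asset.get("tags", set()))
        if asset["id"] in manual:
            tags.add(tag)
        elif asset_matches_rule(asset, rule):
            tags.add(tag)
        else:
            tags.discard(tag)  # attributes no longer match: the automatic tag is removed
        result[asset["id"]] = tags
    return result


# Constructed sample assets (not from the guide). a3 carries a stale automatic tag.
ASSETS = [
    {"id": "a1", "hostname": "db-01.corp.example", "installed_software": ["Oracle", "OpenSSH"]},
    {"id": "a2", "hostname": "ws-07.corp.example", "installed_software": ["Wireshark"]},
    {"id": "a3", "hostname": "WEB-03.corp.example", "installed_software": ["nginx"],
     "tags": {"Installed Software:Oracle"}},
]

if __name__ == "__main__":
    oracle = {"match": "all", "filters": [("installed_software", "is equal to", "Oracle")]}
    print(apply_tag(ASSETS, "Installed Software:Oracle", oracle))
    print(apply_tag(ASSETS, "Installed Software:Oracle", oracle, manual={"a3"}))
```

The second call shows the behaviour the Considerations section warns about: once the tag is applied to a3 by hand it stays there although a3 does not match the rule, so a manual application on an automatic tag silently opts that asset out of the rule.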

Edit a Tag Rule

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

Once you create an automatic tag, you can edit the rules that apply to the tag from the Edit Value
page.

Note: When you edit rules from the Tagging page, you can select from a list of generic asset filters to
create tag rules. However, if you want to add filters that are specific to a certain asset type (e.g., web
application assets), Tenable recommends that you edit the tag from the Assets page, where you can select
filters that are specific to each asset type.

Before you begin:


l Create an automatic tag.

To edit a tag rule:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Click the Values tab.

The Values page appears, containing a table of all the tags on your Tenable Vulnerability
Management instance.

5. In the tags table, click the tag for which you want to edit a tag rule.

The Edit Value page appears.

Tip: You can also navigate to the Edit Value page from the Edit Category page by clicking the tag
you want to review in the Values table.

6. Click the Rules toggle to enable the rule settings.

The Rules section appears.

7. In the Rules section, in the rule filter you want to edit, click the button.

A drop-down box appears with the lists of rule values previously selected for that filter.

Note: You can apply up to 10 filters to a tag rule.

8. (Optional) In the first drop-down box, select a new operator.

9. (Optional) In the second box, add or remove a rule value.

Note: If the rule filter has selectable options (e.g., dates ranges), those options appear below the
filter. Otherwise, you must type the value.

10. Click outside the rules drop-down box.

The drop-down box closes.

11. Click Save.

Tenable Vulnerability Management saves your changes, evaluates existing assets, and
automatically applies the tag to assets that match the updated tag rules.

Note: Tenable Vulnerability Management may take some time to apply the tag to assets, depending
on the system load and the number of assets.

Delete A Tag Rule

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

When you delete a rule from an automatic tag, Tenable Vulnerability Management removes the tag
from any assets that match the tag rule. When you delete all rules from an automatic tag, the tag
becomes a manual tag.

To delete a tag rule:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. On the Tags page, click the Values tab.

The Values page appears, containing a table with all the tags on your Tenable Vulnerability
Management instance.

5. In the tags table, click the tag from which you want to delete a tag rule.

The Edit Value page appears.

Tip: You can also navigate to the Edit Value page from the Edit Category page by clicking the tag
you want to review in the Values table.

6. In the Rules section, in the rule you want to delete, click the button.

The rule disappears from the Rules section.

7. Click Save.

Tenable Vulnerability Management saves and applies your changes.

Tag Rules Filters

Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of the issue.

Note: Tenable Vulnerability Management supports a maximum of 1,000 rules per tag. This means that
you can specify at most 1,000 "and" or "or" conditions for a single tag value. Additionally, Tenable
Vulnerability Management supports a maximum of 1,024 values per individual tag rule.

On the Tags page, you can select from the following filters to create rules for an automatic tag:

Account ID
    The unique identifier assigned to the asset resource in the cloud service that hosts the asset.

ACR
    (Requires Tenable Lumin license) The asset's Asset Criticality Rating (ACR).

ACR Severity
    (Requires Tenable Lumin license) The ACR category of the ACR calculated for the asset.

AES
    (Requires Tenable Lumin license) The Asset Exposure Score (AES) calculated for the asset.

AES Severity
    (Requires Tenable Lumin license) The AES category of the AES calculated for the asset.

Agent Name
    The name of the Tenable Nessus Agent that scanned and identified the asset.

ARN
    The Amazon Resource Name (ARN) for the asset.

ASN
    The Autonomous System Number (ASN) for the asset.

Assessed vs. Discovered
    Specifies whether Tenable Vulnerability Management scanned the asset for vulnerabilities or
    only discovered the asset via a discovery scan. Possible values are:
    - Assessed
    - Discovered Only

Asset ID
    The asset's UUID.

AWS Availability Zone
    The name of the Availability Zone where AWS hosts the virtual machine instance. For more
    information, see Regions and Availability Zones in the AWS documentation.

AWS EC2 AMI ID
    The unique identifier of the Amazon Machine Image (AMI) in Amazon Elastic Compute Cloud
    (Amazon EC2). For more information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Instance ID
    The unique identifier of the instance in Amazon EC2. For more information, see the Amazon
    Elastic Compute Cloud Documentation.

AWS EC2 Name
    The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product Code
    The product code associated with the AMI used to launch the virtual machine instance in
    Amazon EC2.

AWS Instance State
    The state of the virtual machine instance in AWS at the time of the scan. For possible values,
    see API Instance State in the Amazon Elastic Compute Cloud Documentation.

AWS Instance Type
    The type of virtual machine instance in Amazon EC2. Amazon EC2 instance types dictate the
    specifications of the instance (for example, how much RAM it has). For a list of possible
    values, see Amazon EC2 Instance Types in the AWS documentation.

AWS Owner ID
    The ID of the AWS account that created the virtual machine instance. For more information,
    see AWS Account Identifiers in the AWS documentation.

    This attribute contains a value for Amazon EC2 instances only. For other asset types, this
    attribute is empty.

AWS Region
    The region where AWS hosts the virtual machine instance, for example, us-east-1. For more
    information, see Regions and Availability Zones in the AWS documentation.

AWS Security Group
    The AWS security group (SG) associated with the Amazon EC2 instance.

AWS Subnet ID
    The unique identifier of the AWS subnet where the virtual machine instance was running at the
    time of the scan.

AWS VPC ID
    The unique identifier of the virtual private cloud (VPC) that hosts the AWS virtual machine
    instance. For more information, see the Amazon Virtual Private Cloud User Guide.

Azure Resource Group
    The name of the resource group in the Azure Resource Manager. For more information, see the
    Azure Resource Manager Documentation.

Azure Resource ID
    The unique identifier of the resource in the Azure Resource Manager. For more information, see
    the Azure Resource Manager Documentation.

Azure Resource Type
    The resource type of the resource in the Azure Resource Manager. For more information, see
    the Azure Resource Manager Documentation.

Azure Subscription ID
    The unique subscription identifier of the resource in the Azure Resource Manager. For more
    information, see the Azure Resource Manager Documentation.

Azure VM ID
    The unique identifier of the Microsoft Azure virtual machine instance. For more information,
    see Accessing and Using Azure VM Unique ID in the Microsoft Azure documentation.

BIOS ID
    The NetBIOS name for the asset.

Cloud Provider
    The name of the cloud provider that hosts the asset.

Created Date
    The time and date when Tenable Vulnerability Management created the asset record.

Custom Attribute
    A filter that searches for custom attributes via a category-value pair. For more information
    about custom attributes, see the Tenable Developer Portal.

Deleted
    Specifies whether the asset has been deleted.

Deleted Date
    The date when a user deleted the asset record, or the number of days since a user deleted the
    asset. When a user deletes an asset record, Tenable Vulnerability Management retains the
    record until the asset ages out of the license count.

DNS (FQDN)
    The fully qualified domain name of the asset host.

    Note: This filter does not apply to Web Application assets; for those, use the Name filter.

Domain
    A domain that was added as a source, or that Attack Surface Management (ASM) discovered as
    belonging to the user.

First Seen
    The date and time when a scan first identified the asset.

Google Cloud Instance ID
    The unique identifier of the virtual machine instance in Google Cloud Platform (GCP).

Google Cloud Project ID
    The customized name of the project to which the virtual machine instance belongs in GCP. For
    more information, see Creating and Managing Projects in the GCP documentation.

Google Cloud Zone
    The zone where the virtual machine instance runs in GCP. For more information, see Regions
    and Zones in the GCP documentation.

Has Plugin Results
    Specifies whether the asset has plugin results associated with it.

Host Name (Domain Inventory)
    The host name for assets found during attack surface management scans; only for use with
    Domain Inventory assets.

Hosting Provider
    The hosting provider for the asset.

IaC Resource Type
    The Infrastructure as Code (IaC) resource type of the asset.

Installed Software
    A list of Common Platform Enumeration (CPE) values that represent software applications a scan
    identified as present on an asset. This field supports the CPE 2.2 format. For more
    information, see the Component Syntax section of the CPE Specification documentation,
    Version 2.2. For assets identified in Tenable scans, this field contains data only if a scan
    using Tenable Nessus Plugin ID 45590 has evaluated the asset.

    Note: If no scan detects an application within 30 days of the scan that originally detected
    the application, Tenable Vulnerability Management considers the detection of that application
    expired. As a result, the next time a scan evaluates the asset, Tenable Vulnerability
    Management removes the expired application from the Installed Software attribute. This
    activity is logged as a remove type of attribute change in the asset activity log.

IPv4 Address
    The IPv4 address associated with the asset record.

    This filter supports multiple asset identifiers as a comma-separated list (for example,
    hostname_example, example.com, 192.168.0.0). For IP addresses, you can specify individual
    addresses, CIDR notation (for example, 192.168.0.0/24), or a range (for example,
    192.168.0.1-192.168.0.255).

    Note: A CIDR mask of /0 is not supported for this parameter, because that value would match
    all IP addresses. If you submit a /0 value for this parameter, Tenable Vulnerability
    Management returns a 400 Bad Request error message.

    Note: Ensure the tag filter value does not end in a period.

IPv6 Address
    An IPv6 address that a scan has associated with the asset record.

    This filter supports multiple asset identifiers as a comma-separated list. The IPv6 address
    must be an exact match (for example, 0:0:0:0:0:ffff:c0a8:0).

    Note: Ensure the tag filter value does not end in a period.

Is Attribute
    Specifies whether the asset is an attribute.

Is Auto Scale
    Specifies whether the asset scales automatically.

Is Unsupported
    Specifies whether the asset is unsupported in Tenable Vulnerability Management.

Last Audited
    The time and date at which the asset was last audited.

Last Authenticated Scan
    The date and time of the last authenticated scan run against the asset. An authenticated scan
    that only uses discovery plugins updates the Last Authenticated Scan field, but not the Last
    Licensed Scan field.

Last Licensed Scan
    The date and time of the last scan in which the asset was considered "licensed" and counted
    towards Tenable's license limit. A licensed scan uses non-discovery plugins and can identify
    vulnerabilities. Unauthenticated scans that run non-discovery plugins update the Last
    Licensed Scan field, but not the Last Authenticated Scan field. For more information on
    licensed assets, see Tenable Vulnerability Management Licenses.

Last Seen
    The date and time of the scan that most recently identified the asset.

Licensed
    Specifies whether the asset is included in the asset count for the Tenable Vulnerability
    Management instance.

MAC Address
    A MAC address that a scan has associated with the asset record.

Mitigation Last Detected
    The date and time of the scan that last identified mitigation software on the asset.

Name
    The asset identifier that Tenable Vulnerability Management assigns based on the presence of
    certain asset attributes, in the following order of precedence:
    1. Agent Name (if agent-scanned)
    2. NetBIOS Name
    3. FQDN
    4. IPv6 address
    5. IPv4 address

    For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS
    name appears as the Asset Name.

NetBIOS Name
    The NetBIOS name for the asset.

Network
    The name of the network object associated with the scanners that identified the asset. The
    default name is Default. For more information, see Networks.

Open Ports
    Open ports on the asset.

Operating System
    The operating system that a scan identified as installed on the asset.

Port
    The port associated with the asset.

Public
    Specifies whether the asset is available on a public network.

Record Type
    The asset type.

Region
    The cloud region where the asset runs.

Repositories
    Any code repositories associated with the asset.

Resource Category
    The name of the category to which the cloud resource type belongs (for example, object
    storage or virtual network).

Resource Tags (By Key)
    Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag key
    (for example, Name).

Resource Tags (By Value)
    Tags synced from a cloud source, such as Amazon Web Services (AWS), matched by the tag value.

Resource Type
    The asset's cloud resource type (for example, network, virtual machine).

ServiceNow Sys ID
    Where applicable, the unique record identifier of the asset in ServiceNow. For more
    information, see the ServiceNow documentation.

Source
    The source of the scan that identified the asset. Possible filter values are:
    - AWS
    - AWS FA
    - Azure
    - AZURE FA
    - Cloud Connector
    - Cloud IAC
    - Cloud Runtime
    - GCP
    - Nessus Agent
    - Nessus Scan
    - NNM
    - ServiceNow
    - WAS

SSL/TLS
    Specifies whether the application on which the asset is hosted uses SSL/TLS public-key
    encryption.

System Type
    The system types as reported by Plugin ID 54615. For more information, see Tenable Plugins.

Tags
    A unique filter that searches tag (category: value) pairs. When you type a tag value, you must
    use the category: value syntax, including the space after the colon (:). You can use commas
    (,) to separate values. If there is a comma in the tag name, insert a backslash (\) before the
    comma. You can add a maximum of 100 tags.

    For more information, see tags.

    Note: If your tag name includes double quotation marks (" "), you must use the UUID instead.

Target Groups
    The target group to which the asset belongs. This attribute is empty if the asset does not
    belong to a target group. For more information, see Target Groups.

Tenable ID
    The UUID of the agent present on the asset.

Terminated
    Specifies whether or not the asset is terminated.

Type
    The system type on which the asset is managed. Possible filter values are:
    - Cloud Resource
    - Container
    - Host
    - Cloud

Updated Date
    The time and date when a user last updated the asset.

VPC
    The unique identifier of the virtual private cloud (VPC) that hosts the AWS virtual machine
    instance. For more information, see the Amazon Virtual Private Cloud User Guide.
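The IPv4 Address and Tags filters above each have value syntax with rejection rules that are easy to get wrong when you build tag rules programmatically (a /0 mask, a trailing period, a missing space after the colon, an unescaped comma). The following is an added example, not Tenable's code or API: it parses both syntaxes offline and enforces the documented limits (1,024 values per rule, 100 tags in the Tags filter). Hostnames, which the IPv4 filter also accepts, are out of scope here and are rejected, and a tag name containing double quotes is rejected rather than resolved to its UUID; both choices are this example's assumptions. The helper names and sample values are constructed for the example.

```python
"""Added example (not Tenable code): parse and evaluate the value syntax of
the IPv4 Address and Tags tag-rule filters, and enforce the documented
per-rule limits."""
import ipaddress
from typing import Callable, List, Tuple

MAX_VALUES_PER_RULE = 1024      # documented limit on values in one tag rule
MAX_TAGS_IN_TAGS_FILTER = 100   # documented limit for the Tags filter

IPv4Matcher = Callable[[ipaddress.IPv4Address], bool]


class FilterValueError(ValueError):
    """A value the documentation says Tenable rejects (for example a /0 CIDR)."""


def _split_unescaped_commas(value: str) -> List[str]:
    """Split on commas, treating a backslash-escaped comma as literal text."""
    items, buf, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ",":
            buf.append(",")
            i += 2
        elif value[i] == ",":
            items.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(value[i])
            i += 1
    items.append("".join(buf))
    return [s.strip() for s in items if s.strip()]


def parse_ipv4_filter(value: str) -> List[IPv4Matcher]:
    """Turn '10.0.0.5, 192.168.0.0/24, 172.16.1.1-172.16.1.50' into matchers.

    Only the three IP forms the documentation lists are handled; hostnames,
    which the real filter also accepts, are rejected here (example assumption).
    """
    if value.rstrip().endswith("."):
        raise FilterValueError("tag filter value must not end in a period")
    tokens = _split_unescaped_commas(value)
    if len(tokens) > MAX_VALUES_PER_RULE:
        raise FilterValueError(f"more than {MAX_VALUES_PER_RULE} values in one rule")
    matchers: List[IPv4Matcher] = []
    for token in tokens:
        try:
            if "/" in token:
                net = ipaddress.IPv4Network(token, strict=False)
                if net.prefixlen == 0:
                    # Tenable answers 400 Bad Request for /0: it would match everything.
                    raise FilterValueError(f"/0 mask not supported: {token}")
                matchers.append(lambda ip, n=net: ip in n)
            elif "-" in token:
                lo_s, hi_s = (p.strip() for p in token.split("-", 1))
                lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
                if lo > hi:
                    raise FilterValueError(f"range start after range end: {token}")
                matchers.append(lambda ip, lo=lo, hi=hi: lo <= ip <= hi)
            else:
                addr = ipaddress.IPv4Address(token)
                matchers.append(lambda ip, a=addr: ip == a)
        except (ipaddress.AddressValueError, ipaddress.NetmaskValueError) as exc:
            raise FilterValueError(f"not an IPv4 form (hostnames not handled): {token}") from exc
    return matchers


def ipv4_rule_matches(value: str, asset_ipv4: str) -> bool:
    """True if the asset address satisfies any term of the filter value."""
    ip = ipaddress.IPv4Address(asset_ipv4)
    return any(m(ip) for m in parse_ipv4_filter(value))


def parse_tags_filter(value: str) -> List[Tuple[str, str]]:
    """Parse 'Location: Headquarters, Owner: Smith\\, Jane' into (category, value) pairs.

    The documented syntax requires a space after the colon, escapes a literal
    comma with a backslash, and allows at most 100 tags. A name containing
    double quotes must be given by UUID instead, so it is rejected here.
    """
    pairs: List[Tuple[str, str]] = []
    for item in _split_unescaped_commas(value):
        if '"' in item:
            raise FilterValueError(f"use the tag UUID for names with double quotes: {item}")
        if ": " not in item:
            raise FilterValueError(f"expected 'category: value' with a space after the colon: {item}")
        category, tag_value = item.split(": ", 1)
        pairs.append((category.strip(), tag_value.strip()))
    if len(pairs) > MAX_TAGS_IN_TAGS_FILTER:
        raise FilterValueError(f"more than {MAX_TAGS_IN_TAGS_FILTER} tags in the Tags filter")
    return pairs


if __name__ == "__main__":
    # Constructed sample values, not data from a real instance.
    rule = "10.0.0.5, 192.168.0.0/24, 172.16.1.1-172.16.1.50"
    for ip in ("192.168.0.77", "172.16.1.51", "10.0.0.5"):
        print(ip, ipv4_rule_matches(rule, ip))
    print(parse_tags_filter("Location: Headquarters, Owner: Smith\\, Jane"))
```

Validating values this way before you save a rule avoids the 400 Bad Request for /0 and the silent mismatch from a missing space after the colon; the matchers also let you preview which assets a rule would pick up before Tenable evaluates it.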

Create a Tag via Asset Filters

Required User Role: Administrator

When you filter your assets, you can use the filters as tag rules to create a new automatic tag.

After you create the tag, Tenable Vulnerability Management automatically applies the tag to any
assets identified through those filters.

You can also create a manual or automatic tag for your assets from the Tagging page.

To create a tag using asset filters:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears.

3. Filter the table, selecting and deselecting filters based on the rules you want to add to or
remove from your tag.

The filters you selected appear in the header above the filter plane.

4. In the header, to the left of the first filter, click Add Tags.

The Add Tags window appears.

5. Under Create/Select Tag, in the first drop-down box, type a category.

As you type, the list filters for matches.

6. In the drop-down box, select an existing category, or if the category is new, click Create
"category".

Tip: You can create a generic tag category and apply it to different tag values to group your tags. For
example, if you create a Location category, you can apply it to multiple values such as Headquarters
or Offshore to create a group of location tags.

7. Under Create/Select Tag, in the second drop-down box, type a value for your new tag.

8. In the drop-down box, click Create "value".

9. Click Save.

Tenable Vulnerability Management saves the tag and applies it to applicable assets on your
account.

Note: It can take up to several minutes for Tenable Vulnerability Management to apply a tag to the
applicable assets.

Edit a Tag or Tag Category

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

In the Tagging section, you can edit one or more components of a tag, including the category to
which the tag belongs as well as the tag's name and description and any rules applied to the tag.

To edit a tag or tag category:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. To edit an individual tag:
a. On the Tags page, click the Values tab.

The Values page appears, containing a table with all the tags on your Tenable
Vulnerability Management instance.

b. In the Values table, click the tag you want to edit.

The Edit Value page appears.

Tip: You can also navigate to the Edit Value page from the Edit Category page by clicking the
tag you want to review in the Values table.

c. (Optional) In the Value box, edit the tag name.

d. (Optional) In the Value Description (Optional) box, edit the tag description.

e. (Optional) Configure the tag rules.

5. To edit the tag category:

Note: When you edit a tag category, Tenable Vulnerability Management changes the category for all
the tags in that category.

a. In the tag categories table, click the category you want to edit.

The Edit Category page appears.

b. (Optional) To edit the name, in the Category box, type a new name.

c. (Optional) To edit the description, in the Category Description box, type a new
description.

6. Click Save.

Tenable Vulnerability Management saves and applies your changes.

Edit a Tag via Asset Filters

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

On the Assets page, you can use asset filters to edit a tag's rules, category, and value.

To edit a tag using asset filters:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears. By default, the Hosts tab is visible.

3. Filter the table, selecting and deselecting filters based on the rules you want to add to or
remove from your tag.

The filters you applied appear in the header above the filter plane.

4. In the header, to the left of the first filter, click the button.

The Tag Matching Assets window appears.

5. Do one of the following:

l To edit a recently used tag:

a. Under Recently Used Tags, click the tag you want to edit.

The tag category appears in the Select or create Category drop-down box.

The tag value appears in the Select or create Value drop-down box.

l To edit any other tag:

a. In the Select or create Category drop-down box, type a category name.

As you type, the list filters for matches.

b. Select the category for the tag you want to edit.

c. In the Select or create Value drop-down box, type a value name.

As you type, the list filters for matches.

d. In the drop-down box, select the value for the tag you want to edit.

6. (Optional) To edit the tag category:

a. In the Select or create Category drop-down box, type a new name for your category.

Create "category" appears in the drop-down box.

b. In the drop-down box, select Create "category".

The new category name appears selected in the drop-down box.

7. (Optional) To edit the tag value:

a. In the Select or create Value drop-down box, type a new value for your tag.

Create "value" appears in the drop-down box.

b. In the drop-down box, select Create "value".

The new value name appears selected in the drop-down box.

8. (Optional) In the Chosen Search Filters for Tag box, click the button inside any filter you want
to remove from the tag.

9. Click Save.

Tenable Vulnerability Management saves your edits.

Add a Tag to an Asset

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Use permission for applicable asset tags.

After you create a tag, you can manually apply it to one or more assets on your Tenable Vulnerability
Management instance.

To add a tag to an asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears. By default, the Hosts tab is visible.

3. View your assets list.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Do one of the following:

To add a tag to a single asset:

a. Select the page where you want to add the tag:

Assets page:

i. In the assets table, right-click the row for the asset to which you want to add a tag.

The action options appear next to your cursor.

-or-

In the assets table, in the Actions column, click the button for the asset to which you want
to add a tag.

The action buttons appear in the row.

ii. Click Add Tags.

Asset Details page preview plane:

i. In the assets table, click the row for the asset to which you want to add a tag.

The preview plane for the asset's Asset Details page appears.

ii. In the left section of the preview plane, next to Tags, click the button.

Asset Details page:

i. View the Asset Details page for the asset to which you want to add the tag.

ii. In the upper-right corner, click the Actions button.

The actions menu appears.

iii. In the actions menu, click Add Tag.

-or-

On the left side of the page, next to Tags, click the button.

The Add Tags window appears.

To add a tag to multiple assets:

a. In the assets table, select the check box for each asset to which you want to add a tag.

The action bar appears at the top of the table.

b. Click Add Tags.

The Add Tags window appears.

6. Do one of the following:

To add a recently used tag:


l Under Recently Used Tags, select the tag you want to add.

The tag appears in the Tags to be Added box.

Tip: To remove a tag from Tags to be Added, roll over the tag and click the button.

To add a new or existing tag:


a. In the Category box, type a category.

As you type, the list filters for matches.

b. From the drop-down box, select an existing category, or if the category is new, click
Create "category name".

Tip: You can create a generic tag category and apply to different tag values to group your
tags. For example, if you create a Location category, you can apply it to multiple values such
as Headquarters or Offshore to create a group of location tags.

c. In the Value box, type a value.

As you type, the list filters for matches.

d. From the drop-down box, select an existing value, or if the value is new, click Create
"value".

Note: The system does not save new tags you create by this method until you add the new tags to
the asset.

The tag appears in the Tags to be Added box.

Tip: To remove a tag from Tags to be Added, roll over the tag and click the button.

7. Click Add.

The assets table appears. A confirmation message also appears. Tenable Vulnerability
Management adds the tags specified in Tags to be Added to the assets.

Remove a Tag from an Asset

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Access Group Permissions: Can View, Can Edit

Whether you added a tag to an asset manually or Tenable Vulnerability Management applied it
automatically based on the tag's rules, you can manually remove the tag from the asset if you want to
exclude the asset from the tag's scope.

To remove a tag from an asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Explore section, click Assets.

The Assets page appears. By default, the Hosts tab is visible.

3. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

4. Do one of the following:

To remove a tag from a single asset:

Select the page where you want to remove the tag from the asset:

Assets page:

a. In the assets table, right-click the row for the asset from which you want to remove a tag.

The action options appear next to your cursor.

-or-

In the assets table, in the Actions column, click the button for the asset from which you
want to remove a tag.

The action buttons appear in the row.

b. Click Remove Tags.

The Remove Tags window appears.

c. Under Current Tags, roll over the tag you want to remove and click the button.

The tag appears in the Tags To Be Removed box.

Tip: To remove a tag from Tags to be Removed, roll over the tag and click the button.

Asset Details page:

a. View the Asset Details page for the asset from which you want to remove the tag.

b. Do one of the following:

- On the left side of the page, in the Tags section, roll over the tag you want to remove and
click the button.

- To remove the tag via the Actions menu:

i. In the upper-right corner, click the Actions button.

The actions menu appears.

ii. In the actions menu, click Remove Tags.

The Remove Tags window appears.

iii. Under Current Tags, roll over the tag you want to remove and click the button.

The tag appears in the Tags To Be Removed box.

Tip: To remove a tag from Tags to be Removed, roll over the tag and click the button.

To remove a tag from multiple assets:


a. Search your assets by the tag you want to remove.

b. Do one of the following:

l To remove the tag from selected assets, in the assets table, select the check box
next to each asset from which you want to remove the tag.

l To remove the tag from all your assets:

i. In the assets table header row, select the check box next to the total number
of assets.

The action bar appears at the top of the table.

All assets on the page are selected.

ii. Click Select all [total number of tagged assets] assets.

Note: If you do not select all the tagged assets, Tenable Vulnerability
Management removes the tag from the assets on only the current page.

c. In the action bar, click the More button.

A menu appears.

d. In the actions menu, click Remove Tags.

The Remove Tags window appears.

e. Under Current Tags, roll over the tag you want to remove and click the button.

The tag appears in the Tags To Be Removed box.

Tip: To remove a tag from Tags to be Removed, roll over the tag and click the button.

5. Click Remove.

Tenable Vulnerability Management removes the selected tag from the assets.

Export Tags

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Tags page, you can export tag categories and values in CSV or JSON format.

To export tag categories or values:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

Note: You cannot filter the tables on the Tags page.

5. Do one of the following:

To export tag categories:

a. Select the tag categories that you want to export:

Selected tag categories:

i. In the categories table, select the check box for each tag category you want to export.

The action bar appears at the top of the table.

ii. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than
200 tag categories, select all the tag categories in the list and then click Export.

A single tag category:

i. In the categories table, right-click the row for the tag category you want to export.

The action options appear next to your cursor.

-or-

In the categories table, in the Actions column, click the button in the row for the tag
category you want to export.

The action buttons appear in the row.

ii. Click Export.

To export tag values:

a. Click the Values tab.

The Values tab appears. This tab consists of a table that contains all your tag values.

b. Select the tag values that you want to export:

Selected tag values:

i. In the values table, select the check box for each tag value you want to export.

The action bar appears at the top of the table.

ii. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than
200 tag values, select all the tag values in the list and then click Export.

A single tag value:

i. In the values table, right-click the row for the tag value you want to export.

The action options appear next to your cursor.

-or-

In the values table, in the Actions column, click the button in the row for the tag value you
want to export.

The action buttons appear in the row.

ii. Click Export.

The Export plane appears. This plane contains:

- A text box to configure the export file name.

- A list of available export formats.

- A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

- A text box to set the number of days before the export expires.

- A toggle to configure the export schedule.

- A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

CSV
    A CSV text file that contains a list of tag categories or values.

    Note: If a cell in the .csv export file begins with any of the characters =, +, - or @, Tenable
    Vulnerability Management automatically prepends a single quote (') to the cell so that a
    spreadsheet application opening the file does not evaluate the cell as a formula. For more
    information, see the related knowledge base article.

JSON
    A JSON file that contains a nested list of tag categories or values. Empty fields are not
    included in the JSON file.

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

- Click the Schedule toggle.

The Schedule section appears.

- In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

- In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

- In the Repeat drop-down box, select how often you want the export to repeat.

- In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

- Click the Email Notification toggle.

The Email Notification section appears.

- In the Add Recipients box, type the email addresses to which you want to send the
export notification.

- (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.
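The CSV behaviour described under the export formats above (a single quote prefixed to any cell that starts with =, +, -, or @) is the standard defence against spreadsheet formula injection in exported data. The following Python is an added illustration, not part of this guide or of Tenable's code: it applies that rule to a constructed set of tag records, and audits an existing CSV export for cells that still begin with one of those characters. The names FORMULA_PREFIXES, neutralize_cell, export_tags_csv and find_unsafe_cells, and the sample records, are chosen here and are not from the product.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. The guide states that the export prefixes a single quote to any
# cell beginning with one of these.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return the cell text with a leading single quote added when the value
    starts with a formula-triggering character; other values are unchanged."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_tags_csv(rows, fieldnames, neutralize=True):
    """Write tag records to CSV text. With neutralize=True every cell passes
    through neutralize_cell first, mirroring the documented export rule."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if neutralize:
            writer.writerow({f: neutralize_cell(row.get(f)) for f in fieldnames})
        else:
            writer.writerow({f: "" if row.get(f) is None else str(row.get(f))
                             for f in fieldnames})
    return buf.getvalue()


def find_unsafe_cells(csv_text):
    """Audit CSV text: return (line_number, column, value) for each cell that
    still begins with a formula-triggering character. Useful for checking an
    export from any other source before opening it in a spreadsheet."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for number, row in enumerate(reader, start=2):  # line 1 is the header
        for column, value in row.items():
            if value is not None and value.startswith(FORMULA_PREFIXES):
                findings.append((number, column, value))
    return findings


# Constructed sample tag records (hypothetical, not real Tenable data). The
# second and third records carry values a spreadsheet would evaluate.
SAMPLE_TAGS = [
    {"category": "Environment", "value": "Production", "description": "Prod hosts"},
    {"category": "Owner", "value": "=SUM(A1:A9)", "description": "-"},
    {"category": "Site", "value": "@hq", "description": "+1 floor"},
]
FIELDS = ["category", "value", "description"]

if __name__ == "__main__":
    raw = export_tags_csv(SAMPLE_TAGS, FIELDS, neutralize=False)
    print("unsafe cells in raw export:", find_unsafe_cells(raw))
    safe = export_tags_csv(SAMPLE_TAGS, FIELDS)
    print("unsafe cells after neutralizing:", find_unsafe_cells(safe))
    print(safe)
```

Running the block shows four flagged cells in the raw export and none after neutralizing; the quoted values survive a round trip through the csv module, so a consumer reading the file back still sees the original text behind the leading quote.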

Delete a Tag Category

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

When you delete a tag category, Tenable Vulnerability Management deletes any tags created under
that category and removes those tags from all assets where they were applied.

Caution: When you delete a tag category, all associated values and assignments are also deleted. If you
want to remove a specific tag, see Delete a Tag .

To delete a tag category:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Click the Categories tab.

The tag categories table appears.

5. To delete one tag category:


a. In the tag categories table, in the Action column, click the button.

A menu appears.

b. Click the Delete button.

A confirmation window appears, asking if you are sure that you want to delete the
category and all associated tags and assignments.

To delete multiple tag categories:


a. In the tag category table, select the check box for each category you want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the Delete button.

A confirmation window appears, asking if you are sure that you want to delete the
category and all associated tags and assignments.

6. Click Delete.

Tenable Vulnerability Management deletes the tag category and any associated tags, and
removes those tags from all assets where you applied them.

Delete a Tag

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags.

When you delete a tag, Tenable Vulnerability Management removes that specific tag from all assets
where you applied the tag.

To delete one or more tags:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Delete one or more tags:

Scope of Deletion: A single tag

Action: To delete a single tag:

a. Click the Values tab.

The Values tab appears, displaying a table with all the tags on your
Tenable Vulnerability Management instance in Category:Value
format.

b. In the tags table, right-click the row for the tag you want to delete.

The action options appear next to your cursor.

-or-

In the tags table, in the Actions column, click the button for the
tag you want to delete.

The action buttons appear in the row.

c. Click Delete.

Scope of Deletion: Multiple tags

Action: To delete multiple tags:

a. Click the Values tab.

The Values tab appears, displaying a table with all the tags on your
Tenable Vulnerability Management instance in Category:Value
format.

b. In the tags table, select the check box for each tag you want to
delete.

The action bar appears at the top of the table.

c. In the action bar, click Delete.

-or-

Delete all tags in a category by deleting the tag category.

5. Click the Values tab.

6. To delete one tag:

a. In the tags table, roll over the tag you want to delete.

The action buttons appear in the row.

b. Click the Delete button.

A confirmation window appears.

To delete multiple tags:


a. In the tags table, select the check box for each tag you want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the Delete button.

A confirmation window appears.

7. Click Confirm.

Tenable Vulnerability Management deletes the tag and removes it from all assets where you
applied the tag.

Search for Assets by Tag from the Tags Table

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can see which assets have a specific tag applied by searching for assets by tag.

To search for assets by tag from the tags table:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Tagging tile.

The Tags page appears. On this page, you can view your asset tag categories and values.

The Categories tab is active.

4. Click the Values tab.

5. In the table, click the button.

The actions menu appears.

6. Click Search by Tag.

The Assets page appears and displays the assets table filtered by the tag you selected.

Sensors
Tenable Vulnerability Management supports the following sensor types:

l Tenable-provided regional cloud sensors. For more information, see Cloud Sensors.

l Manually configured linked sensors (Tenable Nessus scanners, Tenable Nessus Network
Monitor instances, Tenable Web App Scanning sensors, and Tenable Nessus Agents). For
more information, see Linked Sensors.

Tip: For information on other ways to ingest data into Tenable Vulnerability Management, see the Data
Ingestion in Tenable Vulnerability Management quick reference guide.

Agents
Agents increase scan flexibility by making it easy to scan assets without needing ongoing host
credentials or assets that are offline. Agents allow for large-scale concurrent scanning with little
network impact.

After you install a Tenable Nessus Agent on a host and link the agent to Tenable Vulnerability
Management, the agent appears on the Tenable Vulnerability Management Linked Agents page.

Note: If you assign one or more agents to a network and any of those agents are already assigned to
another custom network, a confirmation message appears indicating that, by adding agents to this
network, they are reassigned from their previous networks.

Agents send the following information to Tenable Vulnerability Management:

l Version information (agent version, host architecture)

l Versions of installed Tenable plugins

l OS information (for example, Microsoft Windows Server 2008 R2 Enterprise Service Pack 1)

l Tenable asset IDs (for example, /etc/tenable_tag on Unix, HKEY_LOCAL_MACHINE\SOFTWARE\Tenable\TAG on Windows)

l Network interface information (network interface names, MAC addresses, IPv4 and IPv6
addresses, hostnames and DNS information if available)

l Hostname if update_hostname is set to yes (see Tenable Nessus Agent Advanced Settings
for more information)

l (Agents 10.0.x and later) AWS EC2 instance metadata, if available:

Note: Tenable Nessus Agent connects to 169.254.169.254 to provide AWS metadata to Tenable
Vulnerability Management; traffic between Tenable Nessus Agent and 169.254.169.254 is normal and
expected behavior.

l privateIp

l accountId

l imageId

l region

l instanceType

l availabilityZone

l architecture

l instanceId

l local-hostname

l public-hostname

l public-ipv4

l mac

l iam/security-credentials/

l public-keys/0/openssh-key

l security-groups

Note: For agent versions 8.3.1 and older, agents check in on start and after a restart.

For agent versions 10.0.0 and later, agents check in on start, after a restart, and whenever the
metadata is updated (no more than every 10 minutes).

Tip: For information on other ways to ingest data into Tenable Vulnerability Management, see the Data
Ingestion in Tenable Vulnerability Management quick reference guide.

Retrieve the Tenable Nessus Agent Linking Key

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Before you begin the Tenable Nessus Agents installation process, you must retrieve the agent
linking key from Tenable Vulnerability Management.

To retrieve the agent linking key:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Click Add Nessus Agent.

The Add Agent plane appears.

6. Click the Copy button to copy the Linking Key.

A Linking key copied to clipboard confirmation message appears.

What to do next:
l Install Tenable Nessus Agent

Download Linked Agent Logs

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can request and download a log file containing logs and
system configuration data from any of your linked agents. This information can help you
troubleshoot system problems and easily provide data for Tenable Support.

You can store a maximum of five log files from each agent. Once the limit is reached, you must
remove an old log file to download a new one. After you request an agent log file, Tenable
Vulnerability Management retains the log file for seven days.

To download logs from a linked agent in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the agents table, click the agent for which you want to download logs.

The details page for that agent appears.

6. Click the Logs tab.

A table shows any previously downloaded logs.

7. In the upper-right corner, click Request Logs.

Note: If you have reached the maximum of five log files, the Request Logs button is disabled.
Remove an existing log before downloading a new one.

Tenable Vulnerability Management requests the logs from the agent the next time it checks in,
which may take several minutes. You can view the status of the request in the user interface
until the download is complete.

Once you request agent logs, Tenable Vulnerability Management retains the logs for seven
days.

8. To download the log file, click the button.

The system downloads the log file.

To remove an existing log:

1. In the row of the log you want to remove, click the button.

A confirmation window appears.

2. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the log and removes it from the table.

To cancel a pending or failed log request:

l In the row of the pending or failed log request that you want to cancel, click the button.

Tenable Vulnerability Management cancels the log request and removes it from the table.

Restart an Agent

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can restart linked agents (versions 7.6 and later) on the
Linked Agents tab.

To restart an agent:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. (Optional) Search for a specific agent or filter the agents in the table.

6. Do one of the following:

To restart a single agent:


a. In the agents table, in the row for the agent you want to restart, click the button.

The Restart Agent window appears.

b. Select one of the following Restart Types:

Restart Type   Description

Soft Restart the agent backend without restarting the service.

Hard Restart the agent backend and service.

Idle Restart the agent backend and service when the agent is not running
a scan.

c. Click Save.

Tenable Vulnerability Management saves your settings, and the changes take effect the
next time the agent checks in. For online agents, this can take up to 45 minutes.

To restart multiple agents:


a. Do one of the following:

l In the agents table, select the check box next to each agent you want to restart.

l In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

Tip: In the action bar, select Select All Pages to select all linked agents.

b. In the action bar, click the button.

The Restart Agents window appears.

c. Select one of the following Restart Types:

Restart Type   Description

Soft Restart the agent backend without restarting the service.

Hard Restart the agent backend and service.

Idle Restart the agent backend and service when the agent is not running
a scan.

d. Click Save.

Tenable Vulnerability Management saves your settings, and the changes take effect the
next time the agent checks in. For online agents, this can take up to 45 minutes.

Unlink an Agent

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

When you manually unlink an agent, the agent is removed from the Agents page, but the system
retains related data for the period of time specified in agent settings. When you manually unlink an
agent, the agent does not automatically relink to Tenable Vulnerability Management.

Tip: You can configure agents to automatically unlink if they are inactive for a certain number of days, as
described in agent settings.

To unlink agents in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. (Optional) Search for a specific agent or filter the agents in the table. For filter descriptions,
see Agent Filters.

6. Select the agent you want to unlink:

Scope: Unlink a single agent

Action: To unlink an agent from the Nessus Agents tab:

a. In the agents table, right-click the row for the agent you want
to unlink.

-or-

In the row of the agent you want to unlink, in the Actions
column, click the button.

The action buttons appear in the row.

-or-

Select the check box next to the agent you want to unlink.

In the action bar, Tenable Vulnerability Management enables
More > Unlink Selected.

b. Click Unlink or Unlink Selected, as applicable.

Scope: Unlink multiple agents

Action: To unlink multiple agents from the Nessus Agents tab:

a. Select the check box next to the agents you want to unlink.

In the action bar, Tenable Vulnerability Management enables
More > Unlink Selected.

b. Click Unlink Selected.

Tenable Vulnerability Management unlinks the agents.

Rename an Agent

You can rename your linked agents from the Sensors menu. This can be helpful for making agents
more recognizable to other users.

To rename an agent:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Click the row of the agent you want to rename.

The agent Details page appears.

6. Click the button next to the agent name.

7. Edit the agent name.

8. Click the button next to the agent name.

Tenable Vulnerability Management saves the new agent name and updates any related tables
with the new name.

Agent Settings

On your agent's manager, you can configure global agent settings to specify agent and freeze
window settings for all your linked agents. For more information on creating, modifying, and
deleting freeze windows, see Freeze Windows.

You can also adjust log level, performance level, automatic hostname update, and automatic version
update settings for individual agents. For more information, see Modify Remote Agent Settings.

Modify Remote Agent Settings

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can modify settings for individual agents (versions 7.6 and
later) on the Linked Agents tab. For information on editing similar settings in the command line
interface, see Advanced Settings in the Tenable Nessus Agent User Guide.

Note: In addition to using the following procedure, you can manually update agents through the command
line. For more information, see the Tenable Nessus Agent User Guide.

To modify remote agent settings in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. (Optional) Search for a specific agent or filter the agents in the table, as described in Filter
Agents in the Tenable Nessus Agent Deployment and User Guide.

6. Do one of the following:

To edit a single agent:


a. In the agents table, in the row for the agent you want to edit, click the button.

The Edit Agent window appears.

b. Edit the agent settings:

Setting: Nessus Agent Log Level

Description: The logging level of the backend.log log file, as indicated by a set of log tags
that determine what information to include in the log.

If you manually edited log.json to set a custom set of log tags for backend.log, this
setting overwrites that content.

For more information, see log.json Format in the Tenable Nessus User Guide.

Default: normal

Values:

l normal - Changes the backend.log logging level to normal and sets log tags to "log",
"info", "warn", "error", "trace"

l debug - Changes the backend.log logging level to debug and sets log tags to "log",
"info", "warn", "error", "trace", "debug"

l verbose - Changes the backend.log logging level to verbose and sets log tags to "log",
"info", "warn", "error", "trace", "debug", "verbose"

Setting: Plugin Compilation Performance

Description: Sets plugin compilation performance, which affects CPU usage. Low performance
slows down plugin compilation, but reduces the agent's CPU consumption. Setting the
performance to medium or high means that plugin compilation completes more quickly, but
the agent consumes more CPU. For more information, see Agent CPU Resource Control in the
Tenable Nessus Agent Deployment and User Guide.

Default: high

Values: low, medium, or high

Setting: Scan Performance

Description: Sets scan performance, which affects CPU usage. Low performance slows down
scans, but reduces the agent's CPU consumption. Setting the performance to medium or high
means that scans complete more quickly, but the agent consumes more CPU. For more
information, see Agent CPU Resource Control in the Tenable Nessus Agent Deployment and
User Guide.

Default: high

Values: low, medium, or high

Setting: Nessus Agent Update Plan

Description: Sets the agent's update plan to determine what version the agent automatically
updates to.

Note: If you assign an agent an agent profile, the agent profile version overrides the
Nessus Agent Update Plan. If you assign an agent a freeze window, the freeze window
overrides both the Nessus Agent Update Plan and the agent profile. In this case, the agent
remains on its current version and no software updates occur for that agent as long as the
agent is assigned to the freeze window.

Default: Keep up to date with GA releases

Values: Keep up to date with GA releases, Opt in to Early Access releases, or Delay updates,
staying on the last stable release

Setting: Automatic Hostname Update

Description: When enabled, if the hostname on the endpoint is modified, the new hostname is
updated in the agent's manager. This feature is disabled by default to prevent custom agent
names from being overridden.

Default: no

Values: yes or no

Setting: Offline Agent Scan Trigger Execution Threshold

Description: Specifies the number of days an agent can be offline before rule-based scans
stop executing.

Default: 14

Values: Integers 1-48

Setting: Maximum Scans Per Day

Description: Specifies the maximum number of scans to run on the agent per day.

Default: 10

Values: Integers 1 or more
c. Click Save.

Tenable Vulnerability Management saves your settings, and the changes take effect the
next time the agent checks in. For online agents, this can take up to 45 minutes.

If necessary for the setting changed, the agent restarts the next time it becomes idle.

To edit multiple agents:


a. Do one of the following:

l In the agents table, select the check box next to each agent you want to edit.

l In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

Tip: In the action bar, select Select All Pages to select all linked agents.

b. In the action bar, click the button.

The Edit Agents window appears.

c. Edit the agent settings:

Setting: Nessus Agent Log Level

Description: The logging level of the backend.log log file, as indicated by a set of log tags
that determine what information to include in the log.

If you manually edited log.json to set a custom set of log tags for backend.log, this
setting overwrites that content.

For more information, see log.json Format in the Tenable Nessus User Guide.

Default: normal

Values:

l normal - Sets log tags to "log", "info", "warn", "error", "trace"

l debug - Sets log tags to "log", "info", "warn", "error", "trace", "debug"

l verbose - Sets log tags to "log", "info", "warn", "error", "trace", "debug", "verbose"

Setting: Plugin Compilation Performance

Description: Sets plugin compilation performance, which affects CPU usage. Low performance
slows down plugin compilation, but reduces the agent's CPU consumption. Setting the
performance to medium or high means that plugin compilation completes more quickly, but
the agent consumes more CPU. For more information, see Agent CPU Resource Control in the
Tenable Nessus Agent Deployment and User Guide.

Default: high

Values: low, medium, or high

Setting: Scan Performance

Description: Sets scan performance, which affects CPU usage. Low performance slows down
scans, but reduces the agent's CPU consumption. Setting the performance to medium or high
means that scans complete more quickly, but the agent consumes more CPU. For more
information, see Agent CPU Resource Control in the Tenable Nessus Agent Deployment and
User Guide.

Default: high

Values: low, medium, or high

Setting: Automatic Hostname Update

Description: When enabled, if the hostname on the endpoint is modified, the new hostname is
updated in the agent's manager. This feature is disabled by default to prevent custom agent
names from being overridden.

Default: no

Values: yes or no

Setting: Nessus Agent Update Plan

Description: Sets the agent's update plan to determine what version the agent automatically
updates to.

Note: If you assign an agent an agent profile, the agent profile version overrides the
Nessus Agent Update Plan. If you assign an agent a freeze window, the freeze window
overrides both the Nessus Agent Update Plan and the agent profile. In this case, the agent
remains on its current version and no software updates occur for that agent as long as the
agent is assigned to the freeze window.

Default: Keep up to date with GA releases

Values: Keep up to date with GA releases, Opt in to Early Access releases, or Delay updates,
staying on the last stable release

Setting: Offline Agent Scan Trigger Execution Threshold

Description: Specifies the number of days an agent can be offline before rule-based scans
stop executing.

Default: 14

Values: Integers 1-48

Setting: Maximum Scans Per Day

Description: Specifies the maximum number of scans to run on the agent per day.

Default: 10

Values: Integers 1 or more

d. Click Save.

Tenable Vulnerability Management saves your settings, and the changes take effect the
next time the agent checks in. For online agents, this can take up to 45 minutes.

If necessary for the setting changed, the agents restart the next time they become idle.

Modify Global Agent Settings

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to edit agent settings in Tenable Vulnerability Management.

To modify global agent settings in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Select Settings in the drop-down box.

The Settings page appears.

6. Edit the settings as necessary:

Option   Description

Inactive Agents

Unlink agents that have been inactive for X days
Specifies the number of days an agent can be inactive before the manager unlinks the
agent. After the specified number of days, the agent is unlinked, but the corresponding
agent data is not removed from the manager.

Tenable Vulnerability Management automatically tracks unlinked agents and related data
for the number of days specified in this option. You cannot turn off this tracking.

Note: Inactive agents that were automatically unlinked by Tenable Vulnerability
Management do not automatically relink if they come back online.

Override Freeze Windows

Exclude all agents from software updates
Enable this option to prevent all linked agents from receiving software updates at any
time. This option takes precedence over any existing freeze windows.

Agents continue to receive plugin updates and perform scheduled scans if you enable this
setting.

7. Click Save.

Tenable Vulnerability Management saves your changes.

Agent Profiles

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can use agent profiles to apply a specific version to your linked agents. This can be helpful for
testing; for example, you may want to schedule a testing period on a subset of your agents before
upgrading all your agents to a new version.

An agent profile allows you to apply a newer version to a subset of your agents for a limited time,
and more broadly, allows you to upgrade and downgrade agents to different versions easily. You can
only assign an agent to one profile.

There are two types of agent profile:

l Default — The profile to which an agent or agent group belongs unless you assign it to a
custom profile. You cannot copy, delete, or edit the name and description of the Default
profile.

l Custom profiles — A custom profile that you create. Custom profiles allow you to associate
and configure different agents and agent groups based on your business needs.

Note: You cannot set agent profiles to versions earlier than 10.4.1. Agent profiles do not affect agents on
versions earlier than 10.4.1.

Note: The agent profile version overrides the agent's Nessus Agent update plan setting. If you assign the
agent a freeze window, the freeze window overrides both the Nessus Agent update plan and the agent
profile. In this case, the agent remains on its current version and no software updates occur for that agent
as long as the agent is assigned to the freeze window.

To manage agent profiles:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Above the linked agents table, click Profiles.

The Profiles page appears.

Use the following procedures to manage your agent profiles:

Create an agent profile:

Note: You cannot create an agent profile for an end-of-life (EOL) Tenable Nessus Agent version.

To create an agent profile:

1. On the Profiles page, click Add Agent Profile.

The Create Agent Profile page appears.

2. Enter a Name for the agent profile.

3. (Optional) Enter a Description for the agent profile.

4. Select the agent profile's Sensor Version. This is the version that agents assigned to the
profile are upgraded or downgraded to.

You can set the agent profile to stay on the latest major version release (for example, 10.x) or
the latest minor version release (for example, 10.4.x), or you can set the agent profile to a
specific patch release (for example, 10.4.1).

5. (Optional) Select the Open Agent Port checkbox and enter the open agent port of your
targets. The port must be between 1025 and 65535.

Selecting Open Agent Port allows Tenable scanners to identify scan targets that host the
agents assigned to this profile. These hosts then appear as a single asset regardless of
whether they are the target of a scanner's network scan or are generating agent scans. This
helps minimize asset duplication in your network. To learn more about the Open Agent Port,

see Configure Agent Profiles to Avoid Asset Duplication in Tenable Vulnerability Management
in the Tenable Nessus Agent User Guide.

Note: Configuring the Open Agent Port permits your network scanners to probe each target system
on the port you select.

Note: Only agents version 10.6.0 and later can use the Open Agent Port setting. The setting does not
apply to any agent on an earlier version.

6. Under Assign Agents, select the checkboxes next to the agents you want to assign.

7. Click Create.

View an agent profile ID:

You can link an agent to a profile by running the nessuscli agent link command and specifying
the optional --profile-uuid argument. You can also link an agent to a profile during deployment
by specifying the profile-uuid in the config.json file. Use the following procedure to view a
profile's --profile-uuid.

To view an agent profile ID:

1. On the Profiles page, double-click the agent profile that you want to view the ID of.

The Sensor Profile Details page appears.

2. In the Details tab, view the --profile-uuid under Agent Profile ID. You can click to copy
the ID to your clipboard.

Edit an agent profile:

To edit an agent profile:

1. On the Profiles page, double-click the profile that you want to edit.

The Sensor Profile Details page appears.

2. Edit the agent profile as needed:

l To edit the agent profile name, click next to the agent name.

l In the Details tab, you can edit the profile description and the agent version that the
profile sets linked agents to.

l In the Details tab, you can edit the profile description, the agent version, and the Open
Agent Port of the profile.

l In the Agents tab, you can add or remove linked agents from the agent profile.

3. Click Save.

Tenable Vulnerability Management saves your changes. If you added or removed agents from
the profile, the agents' versions update within 24 hours of your edit.

Copy an agent profile:

Copy an agent profile to create a duplicate of the existing agent profile. You can then use the
duplicate to set up a new agent profile.

To copy an agent profile:

1. On the Profiles page, click in the row of the profile that you want to copy.

A menu appears.

2. Click Copy.

Tenable Vulnerability Management creates a new profile with "Copy of" appended to the profile
name.

Delete an agent profile:

Delete an agent profile if you no longer need the agent profile. You cannot undo an agent profile
deletion.

To delete an agent profile:

1. On the Profiles page, click in the row of the profile that you want to delete.

A menu appears.

2. Click Delete.

The Delete Agent Profile window appears.

3. Click Delete to confirm the deletion.

Tenable Vulnerability Management deletes the agent profile and removes all the linked agents
from the profile.

What to do next:
l Add or Remove Agents from Agent Profiles

Add or Remove Agents from Agent Profiles

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use the following procedures to add an agent to an agent profile or remove an agent from an agent
profile in Tenable Vulnerability Management. You can also add and remove agents from profiles
from the Sensor Profile Details page. For more information, see Edit an agent profile.

In addition to using the Tenable Vulnerability Management user interface, you can link an agent to a
profile by running the nessuscli agent link command and specifying the optional --profile-
uuid argument. You can link an agent to a profile during deployment by specifying the profile-
uuid in the config.json file. To find a profile's profile-uuid, see View an agent profile ID.

Note: The agent profile version overrides the agent's Nessus Agent update plan setting. If you assign the
agent a freeze window, the freeze window overrides both the Nessus Agent update plan and the agent
profile. In this case, the agent remains on its current version and no software updates occur for that agent
as long as the agent is assigned to the freeze window.

Apply an agent profile to an agent

To apply an agent profile to an agent:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Do one of the following:

l To assign a single agent to an agent profile:

a. Click in the row of the agent that you want to assign to the profile.

The action buttons appear in the row.

b. Click Apply Agent Profile.

The Select Agent Profile window appears.

c. In the table, select the checkbox of the agent profile that you want to assign the
agent to.

d. Click Apply.

Tenable Vulnerability Management assigns the agent to the agent profile.

l To assign multiple agents to an agent profile, do one of the following:

l In the agents table, select the check box next to each agent you want to add.

l In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

Tip: In the action bar, select Select All Pages to select all linked agents.

a. In the action bar, click Apply Agent Profile.

The Select Agent Profile window appears.

b. In the table, select the checkbox of the agent profile that you want to assign the
agents to.

c. Click Apply.

Tenable Vulnerability Management assigns the agents to the agent profile. The
agents' versions update within 24 hours of the profile application.

Remove an agent profile from an agent

To remove an agent profile from an agent:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Do one of the following:

l To remove a single agent from an agent profile:

a. Click in the row of the agent that you want to remove from the profile.

The action buttons appear in the row.

b. Click Remove Agent Profile.

The Remove Agent Profile window appears.

c. Click Remove to confirm.

Tenable Vulnerability Management removes the agent from the agent profile.

l To remove multiple agents from an agent profile, do one of the following:

l In the agents table, select the check box next to each agent you want to remove.

l In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

Tip: In the action bar, select Select All Pages to select all linked agents.

a. In the action bar, click Remove Agent Profile.

The Remove Agent Profile window appears.

b. Click Remove to confirm.

Tenable Vulnerability Management removes the agents from the agent profile or
profiles. The agents' versions update within 24 hours of the profile removal.

What to do next:
l Manage agent profiles

Agent Status

Tenable Nessus Agents can be in one of the following statuses:

Status         Description

Online         The host that contains the Tenable Nessus Agent is currently connected and in
               communication with Tenable Vulnerability Management.

Offline        The host that contains the Tenable Nessus Agent is currently powered down or
               not connected to a network.

Initializing   The Tenable Nessus Agent is in the process of checking in with Tenable
               Vulnerability Management.

Export Agents

To export agents data in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Select the agents that you want to export by clicking each agent's checkbox.

6. At the top of the agent table, click the Export button.

The Export plane appears and shows the number of agents that will be exported.

7. In the Formats section, select the CSV format.

Note: If your .csv export file includes a cell that begins with any of the following characters (=, +, -,
@), Tenable Vulnerability Management automatically inputs a single quote (') at the beginning of the
cell. For more information, see the related knowledge base article.

8. To export agents data in .csv format, click Export.

Your browser's download manager appears.

9. Click OK to save the agents.csv file.

The agents.csv file exported from Tenable Vulnerability Management contains the following data:

Field                Description

Agent Name           The name of the agent.

Status               The status of the agent at the time of export. Possible values are
                     unlinked, online, or offline.

IP Address           The IPv4 or IPv6 address of the agent.

Platform             The platform the agent is installed on.

Profile Name         The name of the agent's assigned agent profile.

Profile UUID         The UUID of the agent's assigned agent profile.

Groups               The names of any groups the agent belongs to.

Group IDs            The group IDs of any groups the agent belongs to.

Version              The version of the agent.

Last Plugin Update   The date (in ISO-8601 format) the agent's plugin set was last updated.

Agent ID             The ID of the agent.

Agent UUID           The UUID of the agent.

Linked On            The date (in ISO-8601 format) the agent was linked to Tenable Vulnerability
                     Management.

Last Connect         The date (in ISO-8601 format) of the agent's last check-in.

Last Scanned         The date (in ISO-8601 format) the agent was last scanned.
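The agents.csv layout above, together with the single-quote guard the export applies to cells that begin with =, +, - or @, as an added example that is not Tenable's code: it parses a constructed export with the fields listed, verifies that no cell reached the file with an unguarded formula character, and flags agents that are not online or whose last check-in or plugin update is older than a threshold. The sample rows, the reference time and the seven-day thresholds are constructed; the one hyphenated agent UUID is the page's own example value.

```python
"""Parse a Tenable Vulnerability Management agents.csv export and run two defender checks.

Added example, not Tenable's code. Column names follow the field table above; the rows,
reference time and thresholds below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# A cell beginning with one of these may be evaluated as a formula by a spreadsheet.
# The export neutralises such cells by prefixing a single quote (see the note above).
FORMULA_CHARS = ("=", "+", "-", "@")

# Constructed sample export (not real data). The second agent's name begins with "=",
# so the export has prefixed it with "'", exactly as the note describes.
SAMPLE_AGENTS_CSV = (
    "Agent Name,Status,IP Address,Platform,Profile Name,Profile UUID,Groups,Group IDs,"
    "Version,Last Plugin Update,Agent ID,Agent UUID,Linked On,Last Connect,Last Scanned\n"
    "web-01,online,10.0.0.11,LINUX,prod-profile,11111111-1111-1111-1111-111111111111,Web,101,"
    "10.6.1,2024-06-18T03:10:00+00:00,1001,885c5f3e-aca3-42bf-9355-ace1c71bfe9a,"
    "2024-01-15T10:00:00+00:00,2024-06-19T22:45:00+00:00,2024-06-19T20:00:00+00:00\n"
    "'=1+1,online,10.0.0.12,WINDOWS,,,,,10.6.1,2024-06-18T03:10:00+00:00,1002,"
    "22222222-2222-2222-2222-222222222222,2024-02-01T10:00:00+00:00,"
    "2024-06-19T22:50:00+00:00,2024-06-19T20:00:00+00:00\n"
    "db-07,offline,10.0.0.13,LINUX,prod-profile,11111111-1111-1111-1111-111111111111,DB,103,"
    "10.5.2,2024-05-01T03:10:00+00:00,1003,33333333-3333-3333-3333-333333333333,"
    "2024-01-15T10:00:00+00:00,2024-05-02T01:00:00+00:00,2024-05-01T20:00:00+00:00\n"
)

# Constructed reference time for the staleness checks.
NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)


def parse_agents_csv(text):
    """Return the export rows as dicts keyed by the column names in the field table."""
    return list(csv.DictReader(io.StringIO(text)))


def guard_cell(cell):
    """Apply the export's rule: prefix a single quote to a cell that starts with =, +, - or @."""
    return "'" + cell if cell.startswith(FORMULA_CHARS) else cell


def unguarded_formula_cells(rows):
    """(agent name, column) pairs for cells that still begin with a formula character.

    A guarded cell begins with "'" and so never matches; a non-empty result means the file
    should not be opened in a spreadsheet as-is.
    """
    return [
        (row["Agent Name"], column)
        for row in rows
        for column, cell in row.items()
        if cell and cell.startswith(FORMULA_CHARS)
    ]


def _timestamp(cell):
    """Parse an ISO-8601 cell; an empty cell (no value recorded) yields None."""
    return datetime.fromisoformat(cell) if cell else None


def agent_health(rows, now, max_connect_age=timedelta(days=7), max_plugin_age=timedelta(days=7)):
    """Group agent names by the condition that makes them worth a look.

    An agent with no recorded Last Connect or Last Plugin Update is treated as stale.
    """
    report = {"not_online": [], "stale_connect": [], "stale_plugins": []}
    for row in rows:
        name = row["Agent Name"]
        if row["Status"] != "online":
            report["not_online"].append(name)
        last_connect = _timestamp(row["Last Connect"])
        if last_connect is None or now - last_connect > max_connect_age:
            report["stale_connect"].append(name)
        last_plugins = _timestamp(row["Last Plugin Update"])
        if last_plugins is None or now - last_plugins > max_plugin_age:
            report["stale_plugins"].append(name)
    return report


if __name__ == "__main__":
    agents = parse_agents_csv(SAMPLE_AGENTS_CSV)
    print("unguarded cells:", unguarded_formula_cells(agents))
    print("health:", agent_health(agents, NOW))
```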

Export Linked Agents

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Sensor Management page, you can export one or more linked agents in CSV or JSON format.

To export your linked agents:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

6. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

7. Select the linked agents that you want to export:

Export Scope             Action

A single linked agent    To select and export a single linked agent:

                         a. In the linked agents table, right-click the row for the linked agent
                            you want to export.

                            The action options appear in the row.

                            -or-

                            In the linked agents table, in the Actions column, click the button
                            in the row for the linked agent you want to export.

                            The action options appear in the row.

                            -or-

                            In the linked agents table, select the check box of the agent you
                            want to export.

                            The action bar appears at the top of the table.

                         b. Click Export.

Multiple linked agents   To select and export multiple linked agents:

                         a. In the linked agents table, select the check box for each linked
                            agent you want to export.

                            The action bar appears at the top of the table.

                         b. In the action bar, click Export.

                            Note: The Export link is available for up to 200 selections. If you
                            want to export more than 200 linked agents, select all the linked
                            agents in the list and then click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the email notification.

8. In the Name box, type a name for the export file.

9. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of linked agents.

JSON     A JSON file that contains a nested list of linked agents.

         Empty fields are not included in the JSON file.

10. (Optional) Deselect any fields you do not want to appear in the export file.

11. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Export Linked Agent Details

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Details page for any linked agent, you can export details about your linked agent in CSV or
JSON format.

To export details about a linked agent:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. In the linked agents table, click the linked agent for which you want to export details.

The Details page appears.

7. In the upper-right corner, click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

8. In the Name box, type a name for the export file.

9. Click the export format you want to use:

Format   Description

CSV      A CSV text file that contains a list of your linked agent details, organized by
         fields.

JSON     A JSON file that contains a nested list of your linked agent details, organized by
         fields.

         Empty fields are not included in the JSON file.

10. (Optional) Deselect any fields you do not want to appear in the export file.

11. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Filter Agents

To filter agents in the agents table in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the left navigation menu, click Nessus Agents.

The Linked Agents page appears.

5. Above the agents table, click the Filters button.

The Filters pane appears.

6. Configure the options as necessary. Depending on the parameter you select, different options
appear:

Category            Operator            Value

Distro              contains            In the text box, type the distribution name on which
                    does not contain    you want to filter.

IP Address          is equal to         In the text box, type the IPv4 or IPv6 addresses on
                    is not equal to     which you want to filter.
                    contains
                    does not contain

Last Connection     earlier than        In the text box, type the date on which you want to
Last Plugin Update  later than          filter.
Last Scanned        on
                    not on

Member of Group     is equal to         From the drop-down list, select from your existing
                    is not equal to     agent groups.

Name                is equal to         In the text box, type the agent name on which you
                    is not equal to     want to filter.
                    contains
                    does not contain

Platform            contains            In the text box, type the platform name on which you
                    does not contain    want to filter.

Status              is equal to         In the drop-down list, select an agent status.
                    is not equal to

Version             is equal to         In the text box, type the version you want to filter.
                    is not equal to
                    contains
                    does not contain

7. Click Apply.

The manager filters the list of agents to include only those that match your configured
options.

Agent Filters

Tenable Vulnerability Management supports filtering agents by the following categories:

Category            Operator            Value

Distro              contains            In the text box, type the distribution name on which
                    does not contain    you want to filter.

IP Address          is equal to         In the text box, type the IPv4 or IPv6 addresses on
                    is not equal to     which you want to filter.
                    contains
                    does not contain

Last Connection     earlier than        In the text box, type the date on which you want to
Last Plugin Update  later than          filter.
Last Scanned        on
                    not on

Member of Group     is equal to         From the drop-down list, select from your existing
                    is not equal to     agent groups.

Name                is equal to         In the text box, type the agent name on which you
                    is not equal to     want to filter.
                    contains
                    does not contain

Platform            contains            In the text box, type the platform name on which you
                    does not contain    want to filter.

Status              is equal to         In the drop-down list, select an agent status.
                    is not equal to

UUID                is equal to         In the text box, type the agent UUID that you want to
                    is not equal to     filter.

                                        You can use either of the following agent UUID formats:

                                        l xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (for example,
                                          885c5f3e-aca3-42bf-9355-ace1c71bfe9a)

                                        l xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (for example,
                                          885c5f3eaca342bf9355ace1c71bfe9a)

                                        You can find the agent's UUID by viewing the agent's
                                        details in the Tenable Vulnerability Management user
                                        interface, or by running the # nessuscli agent status
                                        --show-uuid command.

Version             is equal to         In the text box, type the version you want to filter.
                    is not equal to
                    contains
                    does not contain

Agent Groups

You can use agent groups to organize and manage the agents linked to Tenable Vulnerability
Management. You can add an agent to more than one group, and configure scans to use these
groups as targets.

Use the following processes to create and manage agent groups:

l Create an Agent Group

l Add an Agent to an Agent Group

l Edit an Agent Group

l Delete an Agent Group

l Remove an Agent from an Agent Group

l View Agents in an Agent Group

l Agent Group Filters

Create an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can use agent groups to organize and manage the agents linked to your account. You can add
an agent to more than one group and configure scans to use these groups as targets.

Use this procedure to create an agent group in Tenable Vulnerability Management.

To create a new agent group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. Click Add Agent Group.

The agent group settings plane appears.

7. In the Group Name box, type a name for the new agent group.

8. Configure user permissions for the agent group.

9. Click Save.

The new agent group appears in the table.

What to do next:
l Use the agent group in an agent scan configuration.

Add an Agent to an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to add an agent to an agent group in Tenable Vulnerability Management. You can
also add agents to a group when you modify an agent group.

To add an agent to agent groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. (Optional) Search for a specific agent or filter the agents in the table. For filter descriptions,
see Agent Filters.

7. Do one of the following:

l To add a single agent to agent groups:

a. In the agents table, roll over the agent you want to add.

The action buttons appear in the row.

b. Click the button.

The Add to Groups plane appears.

l To add multiple agents to agent groups, do one of the following:

l In the agents table, select the check box next to each agent you want to add.

l In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

Tip: In the action bar, select Select All Pages to select all linked agents.

a. In the action bar, click the button.

The Add to Groups plane appears.

8. Do one of the following:

l If there are existing agent groups, select one:

a. In the search box, search by agent group name.

b. Click the agent group you want to select.

l If there are no existing agent groups, create one:

a. Click add a new group.

The agent group settings plane appears.

b. In the text box, type the name of the new group.

c. In the Users & Groups section, set the user permissions for the new group.

d. Click Save.

The Add to Groups plane reappears. The new group appears in the selection list.

9. Click Save to save your changes.

Tenable Vulnerability Management adds the agent to the selected group or groups.

Edit an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to modify an agent group in Tenable Vulnerability Management

To modify an agent group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. (Optional) Search for a specific agent group or filter the agent groups in the table. For filter
descriptions, see Agent Group Filters.

7. Edit agent group settings:

a. In the agent groups table, do one of the following:

l In the Actions column, click the icon for the agent group you want to edit.

The action options appear in the row.

l Right-click the agent group you want to edit.

The action options appear next to your cursor.

l Select the check box next to the agent group you want to edit.

The action bar appears at the top of the table.

b. Click the Edit button.

The Edit Agent Group plane appears.

c. In the box, type a new name for the agent group.

d. Configure user permissions for the agent group.

e. Click Save to save your changes.

Tenable Vulnerability Management saves your changes.

8. Assign agents to an agent group:

a. Click the row of the agent group where you want to add agents.

The agent group details page appears.

b. In the upper-right corner, click Assign Agents.

The assign agents page appears.

c. (Optional) Search for a specific agent or filter the agents in the table. For filter
descriptions, see Agent Filters.

d. In the agents table, select the check boxes next to the agents you want to add to the
agent group.

e. Click Assign.

Tenable Vulnerability Management adds the agents to the agent group, and the details
page appears.

Delete an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to delete an agent group in Tenable Vulnerability Management.

To delete an agent group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. (Optional) Search for a specific agent group or filter the agent groups in the table. For filter
descriptions, see Agent Group Filters.

7. In the agent groups table, do one of the following:

l In the row for the agent group you want to delete, in the Actions column, click the
button.

The action options appear in the row.

l Right-click the agent group you want to delete.

The action options appear next to your cursor.

l Select the check box for the agent group you want to delete.

The action bar appears at the top.

8. Click Delete.

A confirmation window appears.

9. Click Delete.

Tenable Vulnerability Management deletes the agent group.

Remove an Agent from an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to remove an agent or agents from an agent group in Tenable Vulnerability
Management.

To remove an agent from an agent group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. (Optional) Search for a specific agent group or filter the agent groups in the table. For filter
descriptions, see Agent Group Filters.

7. In the agent groups table, click the agent group you want to modify.

The Group Details page appears.

8. Remove selected agent groups.

To remove               Action

A single agent group    a. Do one of the following:

                           l In the agents table, right-click the agent group you want to
                             remove.

                             The action buttons appear in the row.

                           l In the row of the agent group you want to remove, in the Actions
                             column, click the button.

                             The action buttons appear in the row.

                           l Select the check box next to the agent group you want to remove.

                           Tenable Vulnerability Management enables More > Remove from Group.

                        b. Click Remove from Group.

Multiple agent groups   a. Do one of the following:

                           l In the agents table, select the check box next to each agent you
                             want to remove.

                           l In the table header, select the check box to select the entire
                             page.

                           Tenable Vulnerability Management enables More > Remove Selected from
                           Group.

                        b. Click Remove Selected from Group.

Tenable Vulnerability Management removes the agent or agents from the group.

View Agents in an Agent Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to view agents in an agent group in Tenable Vulnerability Management.

To view agents in an agent group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Agent Groups.

The list of agent groups appears.

6. (Optional) Search for a specific agent or filter the agents in the table. For filter descriptions,
see Agent Filters.

7. In the agent groups table, click the agent group you want to view.

The Group Details page appears. This page contains a table listing the agents assigned to the
group.

Agent Group Filters

You can use the filters listed below to filter agent groups in the Agent Groups tab.

Category         Operator            Value

Name             is equal to         In the text box, type the name of the agent group.
                 is not equal to
                 contains
                 does not contain

Creation Date    earlier than        In the text box, type the date on which the agent group was
                 later than          created.
                 on
                 not on

Last Modified    earlier than        In the text box, type the date on which the agent group was
                 later than          last modified.
                 on
                 not on              Modifications include:

                                     l You modified the agent name or description.

                                     l You added an agent to the group.

                                     l You removed an agent from the group.

Freeze Windows

Freeze windows allow you to schedule times where certain agent activities are suspended for all
linked agents. This activity includes:

l Receiving and applying software updates

Freeze windows do not prevent linked agents from:

l Receiving plugin updates

l Installing or executing agent scans

Note: Freeze windows override both agent profiles and the Nessus Agent update plan. If you assign an agent
to a freeze window and enable the freeze window, any version updates that would normally occur due to an
agent's agent profile or the agent's update plan are blocked.

To create and manage freeze windows:

l Create a Freeze Window

l Modify a Freeze Window

l Enable or Disable a Freeze Window

l Delete a Freeze Window

Create a Freeze Window

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to create freeze windows.

Freeze windows will apply to all linked agents and will prevent the agents from receiving and
applying software updates during scheduled windows. Agents still receive plugin updates and
continue performing scheduled scans during these windows.

To create a freeze window for linked agents:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

6. Click New Freeze Window.

The New Freeze Window plane appears.

7. Configure the options as necessary.

8. Click Save.

The freeze window is saved and appears on the Freeze Windows page.

Edit a Freeze Window

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to manage a freeze window for agent scanning in Tenable Vulnerability
Management.

To edit a freeze window:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

The list of freeze windows appears.

6. In the freeze window table, click the freeze window you want to modify.

The Update a Freeze Window page appears.

7. Edit the options as necessary.

8. Click Save to save your changes.

Tenable Vulnerability Management saves the changes to the freeze window.

Enable or Disable a Freeze Window

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to enable or disable a freeze window for linked agents in Tenable Vulnerability
Management.

To enable or disable a freeze window for linked agents in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

6. Search for the freeze window you want to enable or disable.

7. In the row for the freeze window you want to enable or disable, click the Status toggle.

The freeze window is enabled or disabled and a confirmation window appears.

Export Freeze Windows

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Sensors page, you can export one or more freeze windows in CSV or JSON format.

To export your freeze windows:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

The list of freeze windows appears.

6. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

7. Export selected freeze windows.

Scope: To export a single freeze window

a. In the freeze windows table, do one of the following:

• Right-click the row for the freeze window you want to export.

The action options appear in the row.

• In the Actions column, click the button in the row for the freeze window you want to export.

The action options appear in the row.

• Select the check box for the freeze window you want to export.

The action bar appears at the top of the table.

b. Click Export.

Scope: To export multiple freeze windows

a. In the freeze windows table, select the check box for each freeze window you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: You can individually select and export up to 200 freeze windows. If you want to export
more than 200 freeze windows, you must select all the freeze windows on your Tenable
Vulnerability Management instance by selecting the check box at the top of the freeze windows
table and then click Export.

The Export plane appears. This plane contains:

• A text box to configure the export file name.

• A list of available export formats.

• A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

• A text box to set the number of days before the export expires.

• A toggle to configure the email notification.

8. In the Name box, type a name for the export file.

9. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of freeze windows.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of freeze windows.

Empty fields are not included in the JSON file.

10. (Optional) Deselect any fields you do not want to appear in the export file.

11. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

• Click the Email Notification toggle.

The Email Notification section appears.

• In the Add Recipients box, type the email addresses to which you want to send the
export notification.

• (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients; from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.
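The CSV note in step 9 describes a formula-neutralization rule: any cell that begins with =, +, -, or @ is prefixed with a single quote so a spreadsheet does not evaluate it. The following Python is an added example, not Tenable's code: it applies that rule to constructed sample freeze-window rows and audits a CSV file for cells that would still be read as formulas. The field names and sample values are assumptions.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
# The guide states that Tenable Vulnerability Management prefixes any CSV cell that
# begins with one of these with a single quote.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return the cell text, prefixed with a single quote when it would otherwise be
    parsed as a formula. Legitimate values such as negative numbers or text that
    starts with '-' are prefixed too; that is the documented behaviour."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def rows_to_csv(fieldnames, rows, neutralize=True):
    """Serialise a list of dicts to CSV text. With neutralize=False the cells are
    written exactly as supplied, which is what the note is guarding against."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {name: row.get(name, "") for name in fieldnames}
        if neutralize:
            cells = {name: neutralize_cell(val) for name, val in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def formula_like_cells(csv_text):
    """Audit a CSV file you received: list (row number, column, value) for every cell
    that still begins with a formula prefix. An empty list means nothing in the file
    would be interpreted as a formula when opened in a spreadsheet."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
                findings.append((row_number, column, value))
    return findings


# Constructed sample freeze windows (not real export data). The description is the
# kind of free-text field an operator might fill in with a leading formula character.
FIELDNAMES = ["name", "status", "description"]
SAMPLE_FREEZE_WINDOWS = [
    {"name": "Patch Tuesday", "status": "enabled", "description": "Monthly maintenance"},
    {"name": "Quarter close", "status": "disabled", "description": "=1+1"},
    {"name": "Site B outage", "status": "enabled", "description": "-5 day buffer"},
    {"name": "Audit week", "status": "enabled", "description": "@infra-team, do not patch"},
]


if __name__ == "__main__":
    raw = rows_to_csv(FIELDNAMES, SAMPLE_FREEZE_WINDOWS, neutralize=False)
    safe = rows_to_csv(FIELDNAMES, SAMPLE_FREEZE_WINDOWS)
    print("formula-like cells before neutralizing:", formula_like_cells(raw))
    print("formula-like cells after neutralizing:", formula_like_cells(safe))
    print(safe)
```

Running formula_like_cells over an export you downloaded is a quick check that the neutralization was applied before the file is opened in a spreadsheet.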

Delete a Freeze Window

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Use this procedure to delete a freeze window for agent scanning in Tenable Vulnerability
Management.

To delete a freeze window for agent scanning:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. In the drop-down box, select Freeze Windows.

The list of freeze windows appears.

6. Delete the selected freeze windows:

Scope: Delete a single freeze window

a. In the freeze window table, do one of the following:

• Right-click the window you want to delete.

The action options appear in the row.

• In the Actions column, click the button in the row for the freeze window you want to delete.

The action options appear in the row.

• Select the check box for the freeze window you want to delete.

The action bar appears at the top of the table.

b. Click Delete.

A confirmation window appears.

Scope: Delete multiple freeze windows

a. In the freeze windows table, select the check box next to each window you want to delete.

The action bar appears at the top of the table.

b. Click Delete.

A confirmation window appears.

7. Click Delete to confirm the deletion.

Tenable Vulnerability Management deletes the selected freeze window or windows.

Plugin Updates

The following table describes the behavior of differential plugin updates for agents linked to
Tenable Vulnerability Management:

Linked: Tenable Vulnerability Management

Differential Update: The agent requests differential updates from Tenable Vulnerability
Management once every 24 hours.

Full Update: The agent performs a full plugin update at scan time whenever the agent needs all
plugin sets for certain scan policies. The agent also deletes unused plugin sets after a
configurable amount of time. After the amount of time passes, the agent performs a full update
and deletes the unused plugin sets. For more information, see the days_to_keep_unused_plugins
advanced setting.

Connection Disruptions

In the event of agent connectivity disruption in Tenable Vulnerability Management, the agent tests
connectivity approximately every 30 minutes.

Once connectivity is restored, the agent attempts to upload the scan result. After three failed
upload attempts, the agent stops attempting.

• When using a scan window, once an agent completes a scan, it uploads its scan results. As
long as the window is active, Tenable Vulnerability Management accepts the results. If the
agent fails to upload its scan results during the window, the results are discarded. The agent
re-scans and re-uploads during the next window.

• When using a triggered scan, once an agent completes a scan, it uploads its scan results. If
there are connectivity interruptions during transmission, the agent waits until connectivity is
restored and attempts to upload the scan result. If the agent fails to upload the result three
times, the agent re-scans and re-uploads the results upon the next trigger.

An agent that is offline for an extended time continues to scan if the trigger is met, replaces
the previous scan results, and uploads the results once connectivity is restored.

Tip: You can use the Offline Agent Scan Trigger Execution Threshold agent setting to configure the
number of days an agent can be offline before it stops executing triggered scans. For more
information, see Modify Remote Agent Settings.

Networks

In larger enterprises, you can reduce the time and cost of setting up and maintaining locations by
deploying environments with the same internal IP addresses. To disambiguate between assets that
have the same IP addresses across environments, use networks in Tenable Vulnerability
Management. Networks can also be used to logically separate assets for reporting, Role-Based
Access Control (RBAC), and Tagging purposes.

If you deploy environments with the same internal IP addresses, create a network for each
environment you have, and assign scanners and scanner groups to each network. When a scanner
scans an asset, the associated network is added to the asset's details. You can filter assets by
network or create dynamic tags based on a network. Recast rules and access groups do not support
networks.

A scanner or scanner group can only belong to one network at a time.

There are two types of networks:

• Default network — The network to which a scanner or scanner group belongs unless you
assign it to a custom network.

You can view scanners in the default network, but you cannot add or remove scanners from
the default network. If you remove a scanner or scanner group from a custom network, or if
you delete a custom network, Tenable Vulnerability Management returns the scanner or
scanner group to the default network. Imported scans always belong to the default network.

Note: Assets from AWS pre-authorized scanners can only appear in the Default network.

Note: If you move agents from a custom network to the Default network, you need to move the
agents' associated assets to the Default network manually. Assets do not revert to the Default
network automatically. For more information, see Add an Agent to a Network and Move Assets to a
Network via Settings.

• Custom network — A network that you create. Custom networks allow you to group
and separate different scanners and assets based on your business needs. For example, you
can create networks for different sub-organizations, external versus internal scanning, or
ephemeral versus static scanning.

Caution: Any scanner that scans an asset that is not in the same network as the scanner will create
a duplicate asset record. Therefore, you need to ensure that any new scanner or scanner group is
part of the correct network before you begin scanning.
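The rules in this section (identifiers only match within a network, a scan result takes the network of the scanner that produced it, and moving an asset into a network that already holds a matching record merges the two) can be checked with a small model. The following Python is an added illustration, not Tenable's implementation; the network names, identifiers and scenario are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One asset record. Identifiers are strings such as 'ipv4:10.0.0.5' or
    'fqdn:web01.site-a.example'; network is the one the scanning sensor belongs to."""
    network: str
    identifiers: set = field(default_factory=set)


class Inventory:
    """Illustrative model of the section's matching rules (not Tenable's code)."""

    def __init__(self):
        self.assets = []

    def find(self, network, identifiers, exclude=None):
        """First record in `network` sharing at least one identifier, if any."""
        wanted = set(identifiers)
        for asset in self.assets:
            if asset is exclude:
                continue
            if asset.network == network and asset.identifiers & wanted:
                return asset
        return None

    def record_scan(self, scanner_network, identifiers):
        """Ingest a scan result tagged with the scanner's network. Returns (asset, created)."""
        identifiers = set(identifiers)
        existing = self.find(scanner_network, identifiers)
        if existing is not None:
            existing.identifiers |= identifiers
            return existing, False
        asset = Asset(scanner_network, identifiers)
        self.assets.append(asset)
        return asset, True

    def move_asset(self, asset, destination):
        """Move an asset to another network; merge if a matching record already exists there."""
        target = self.find(destination, asset.identifiers, exclude=asset)
        if target is not None:
            target.identifiers |= asset.identifiers
            self.assets.remove(asset)
            return target
        asset.network = destination
        return asset

    def records_for(self, identifier):
        return [a for a in self.assets if identifier in a.identifiers]


def overlapping_ip_scenario():
    """Walk through the situations this section describes and return the number of
    records for the shared IP after each step."""
    inv = Inventory()
    shared_ip = "ipv4:10.0.0.5"  # constructed: the same address is reused at both sites
    counts = {}

    # Two environments reuse 10.0.0.5; each site's scanner is in its own network, so
    # the two hosts stay separate instead of collapsing into one record.
    inv.record_scan("site-a", {shared_ip, "fqdn:web01.site-a.example"})
    inv.record_scan("site-b", {shared_ip, "fqdn:web01.site-b.example"})
    counts["separate_sites"] = len(inv.records_for(shared_ip))

    # The caution: a scanner left in the Default network scans the site-a host.
    # Identifiers do not match across networks, so a third (duplicate) record appears.
    inv.record_scan("default", {shared_ip, "fqdn:web01.site-a.example"})
    counts["cross_network_scan"] = len(inv.records_for(shared_ip))

    # Moving the site-a asset into Default merges it with the duplicate already there
    # (the merge the "Before you begin" notes warn about).
    inv.move_asset(inv.find("site-a", {shared_ip}), "default")
    counts["after_move"] = len(inv.records_for(shared_ip))

    # Moving into a network with no matching record simply retags the asset.
    inv.move_asset(inv.find("site-b", {shared_ip}), "site-b-dr")
    counts["after_clean_move"] = len(inv.records_for(shared_ip))
    return counts


if __name__ == "__main__":
    for step, n in overlapping_ip_scenario().items():
        print(f"{step}: {n} record(s) for the shared IP")
```

The duplicate created by the cross-network scan is the kind of record that counts against a license until it is merged or deleted, which is why the section advises placing scanners in the correct network before scanning.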

Create a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Create a custom network only if you want to scan targets in separate environments that contain
overlapping IP ranges. If your scans do not involve separate environments with overlapping IP
ranges, keep all scanners in the Default network.

To create a new network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. Click Add Network.

The Settings page appears.

6. Type a name for the network.

7. (Optional) Type a description for the network.

8. (Optional) Configure Asset Age Out:

Note: By default, the Asset Age Out toggle is enabled and the value is set to 180 days. At that point,
Tenable Vulnerability Management deletes all asset records and associated vulnerabilities. These
cannot be recovered, and the deleted assets no longer count towards your license.

• To change the number of days after which Tenable Vulnerability Management deletes
unseen assets, in the Delete Assets Not Seen in the Last text box, type the number of
days.

• To disable the Asset Age Out toggle, click the toggle.

9. In the lower-right corner, click Create.

Tenable Vulnerability Management creates the new network. The Manage Scanners page
appears.

View or Edit a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To view or edit the configuration of an existing network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. In the Networks table, click the network to edit.

The Network Details page appears with the Settings tab active.

6. Make changes to your network details:

a. Edit the network Name or Description. The name can contain any alphanumeric and
special characters except < and >.

b. Turn on Asset Age Out to permanently delete network assets that have not been seen
on a scan for a specific number of days.

c. In the text box that appears, type the number of days. The minimum value is 14 and the
maximum value is 450.

Caution: When you enable and save this option, Tenable Vulnerability Management
immediately deletes assets. All asset records and associated vulnerabilities are deleted and
cannot be recovered. The deleted assets no longer count towards your license.

Note: You cannot age out assets which are older than 15 months (456 days). To delete these
assets, filter for them on the Assets workbench and then delete them manually. For more
information, see Delete Assets.

7. Click Save.

Tenable Vulnerability Management saves your changes.

Add a Scanner to a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

A scanner or scanner group is part of the default network unless you add it to a custom network. A
scanner or scanner group can only be part of one network at a time.

You can only add a scanner group to a custom network if all scanners in that group belong to either
the default network or the same custom network. If you try to add a scanner group that contains a
scanner already assigned to a different custom network, Tenable Vulnerability Management
prevents you from adding the scanner group to the network until you resolve the conflict.

You cannot add an AWS pre-authorized scanner to a network.

Before you begin:

• Create a new network.

Note: Tenable recommends moving scanners to a new network, rather than an existing network, to
prevent unwanted asset merges. If the network where you move a scanner already contains asset
records, and the identifiers for assets from the moved scanner match the identifiers already existing
in the network, Tenable Vulnerability Management automatically merges those assets.

• If you want to move a scanner from one existing network to another existing network:

  • Note the IP addresses of the assets identified by the scanner you want to move.

  • Use the IP addresses to move the assets from the first network to the second network.

  • Add the scanner from the first network to the second network. Use the steps below to
add a scanner.

To add a scanner or scanner group to a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. In the networks table, click the network you want to add a scanner or scanner group to.

The Settings page appears.

6. In the left navigation list, click Manage Scanners.

A list of Available Scanners to Add and Member Scanners in Network appear.

7. In the row of the scanner or scanner group you want to add to the network, click the
button.

Tenable Vulnerability Management determines whether there are any scanner group conflicts:

If no conflicts are present, Tenable Vulnerability Management adds the scanner or scanner
group to the network and moves it to the Member Scanners table.

If any conflicts are present, Tenable Vulnerability Management displays a message. You need
to remove a scanner from the scanner group to resolve the conflict. For more information
about removing scanners from scanner groups, see Edit a Scanner Group.

The scanner or scanner group appears in the Member Scanners in Network.

Remove a Scanner from a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

If you remove a scanner or a scanner group from a custom network, Tenable Vulnerability
Management reassigns it to the default network.

Tip: If you want to delete a scanner group or remove a sensor from a scanner group, see Delete a Scanner
Group and Remove a Sensor from a Scanner Group.

To remove a scanner or scanner group from a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. In the networks table, click the network where you want to remove a scanner or scanner
group.

The Settings page appears.

6. In the left navigation plane, click Manage Scanners.

A list of Available Scanners to Add and Member Scanners in Network appear.

7. In the row of the scanner or scanner group you want to remove from the network, click the
button.

Tenable Vulnerability Management moves the scanner or scanner group to the default
network. The scanner or scanner group appears in the Available Scanners list.

Add an Agent to a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

An agent is part of the Default network unless you add it to a custom network. An agent can only be
part of one network at a time.

Note: If you assign one or more agents to a network and any of those agents are already assigned to
another custom network, a confirmation message appears indicating that, by adding agents to this
network, they are reassigned from their previous networks.

Before you begin:

• Create a new network.

Note: Tenable recommends moving agents to a new network, rather than an existing network, to
prevent unwanted asset merges. If the network where you move an agent already contains asset
records, and the identifiers for assets from the moved agent match the identifiers already existing in
the network, Tenable Vulnerability Management merges those assets automatically.

• If you want to move an agent from one existing network to another existing network:

  • Note the IP addresses of the assets identified by the agent you want to move.

  • Use the IP addresses to move the assets from the first network to the second network.

  • Add the agent from the first network to the second network.
To add an agent to a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Do one of the following:

• To add agents from the Linked Agents tab:

a. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

b. Select an agent or agents in one of the following ways:

• In the agents table, right-click the row for the agent you want to add.

The action buttons appear in the row.

• In the Actions column, click the button in the row for the agent you want to add.

The action buttons appear in the row.

• In the agents table, select the check box next to each agent you want to add.

The action bar appears at the top of the table.

• In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

c. Click Add to network or Add Selected to Network, as applicable.

The Add to Network plane appears.

d. In the drop-down list, select the network to which you want to add the agent or
agents.

e. Click Assign.

Tenable Vulnerability Management adds the agents to the selected network.

• To add agents from the Networks page:
a. Click the Networks tab.

The list of networks appears.

b. In the networks table, click the network you want to add an agent to.

The Settings page appears.

c. In the left navigation list, click Manage Agents.

Lists of both Available Agents to Add and Member Agents in Network appear.

d. In the row of the agent to add to the network, click the button.

Tenable Vulnerability Management determines whether there are any agent group
conflicts. Once you manually resolve the conflict, repeat the steps above.

If there are no group conflicts, Tenable Vulnerability Management adds the agent
to the network.

If you moved the agents from a custom network to the Default network, you need to move the
agents' associated assets to the Default network manually. Assets do not revert back to the
Default network automatically. For more information, see Move Assets to a Network via
Settings.

To add an agent group to a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

5. Filter the agent table to view the agent group you want to add to a network:

a. Click Filters.

b. Select Member of Group from the Category drop-down list.

c. Select the agent group to add in the Value drop-down list.

d. Click Apply.

6. In the agent table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.

7. In the action bar, click the Add selected to network.

The Add to Network plane appears.

8. In the drop-down, select the network to which you want to add the agent or agents.

9. Click Assign.

Tenable Vulnerability Management adds the agents to the selected network.

If you moved the agents from a custom network to the Default network, you need to move the
agents' associated assets to the Default network manually. Assets do not revert back to the
Default network automatically. For more information, see Move Assets to a Network via
Settings.

Remove an Agent from a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Before you begin:

• If you want to move an agent from one existing network to another existing network:

  • Note the IP addresses of the assets identified by the agent you want to move.

  • Use the IP addresses to move the assets from the first network to the second network.

  • Add the agent from the first network to the second network.

To remove an agent from a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Do one of the following:

• To remove agents from the Linked Agents tab:
a. Click the Nessus Agents tab.

The list of agents appears and Linked Agents is selected in the drop-down box.

b. Select an agent or agents in one of the following ways:

• In the agents table, right-click the row for the agent you want to remove.

The action buttons appear in the row.

• In the agents table, select the check box for the agent you want to remove.

Tenable Vulnerability Management enables Remove selected from network in the action bar.

• In the table header, select the check box to select the entire page.

The action bar appears at the bottom of the page.
c. Click Remove from network or Remove selected from network, as applicable.

Tenable Vulnerability Management removes the agents from their networks and
adds them to the Default network.

• To remove agents from the Networks tab:
a. Click the Networks tab.

The list of networks appears.

b. In the networks table, select the network from which you want to remove an agent
or agents.

The Settings page appears.

c. In the left navigation menu, click Manage Agents.

Lists of both Available Agents to Add and Member Agents in Network appear.

d. In the row of the agent to remove from the network, click the button.

Tenable Vulnerability Management removes the agent from the network and adds
it to the Default network.

Move Assets to a Network via Settings

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

When a scanner scans assets, the scanner automatically adds the network to which it belongs to
the scanned assets' identifying details. However, if you want to change the network assets are
assigned to, you can also manually move assets to a network.

Move assets to a new network before you run scans on the new network. If you move assets to a
network where scans have already run, Tenable Vulnerability Management may create duplicate
asset records that count against your license.

Tip: You can also move assets to a network via the Explore > Assets workbench.

Note: If you moved agents or agent groups from a custom network to the Default network, you need to
move the agents' associated assets to the Default network manually. Assets do not revert back to the
Default network automatically.

To move an asset or assets to a network from the Networks page:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. In the networks table, do one of the following:

• Right-click the network you want to move an asset or assets to.

The action buttons appear in the row.

• In the Actions column, click the button in the row for the network you want to move an
asset or assets to.

The action buttons appear in the row.

6. Click Move assets.

The Move Assets page appears.

7. In the Source Network drop-down box, select the network you want to move an asset or
assets from.

8. In the text box, do one of the following:

• To search for a single asset, enter an IP address.

• To search for multiple assets, enter a CIDR range or individual IP addresses separated by
commas.

Tenable Vulnerability Management shows the asset or assets that match your search criteria.

9. Do one of the following:

• Move a single asset:

a. In the assets table, do one of the following:

• Right-click the asset you want to move. The action buttons appear in the
row.

• In the Actions column, click the button in the row for the asset you want
to move. The action buttons appear in the row.

b. Click Move assets.

Tenable Vulnerability Management moves the asset to the selected network.

• Move selected assets:
a. For each asset you want to select, roll over the icon.

The check box for the asset appears.

b. Click the check box.

The action bar appears at the bottom of the page.

c. In the action bar, click the button.

Tenable Vulnerability Management moves the selected asset or assets from the
source network to the destination network.

• Move all assets on the current page:

a. In the assets table header, click the check box.

Tenable Vulnerability Management selects all assets on the current page. The
action bar appears at the bottom of the page.

b. In the action bar, click the button.

Tenable Vulnerability Management moves the selected assets from the source
network to the destination network.

• Move all assets in the source network:
a. Roll over the icon of an asset.

The action bar appears at the bottom of the page.

b. In the action bar, click Select All Assets.

Tenable Vulnerability Management selects all assets in the source network.

c. In the action bar, click the button.

Tenable Vulnerability Management moves all assets from the source network to
the destination network.

To move an asset or multiple assets to a network from the asset table:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation bar, click Assets.

The Assets dashboard appears, and displays the assets table.

3. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Tables.

4. (Optional) Apply a saved search filter.

5. Do one of the following:

• Move a single asset:
a. Roll over the asset you want to move.

The action buttons appear in the row.

b. Click the button.

The Move plane appears.

c. In the Default drop-down box, select the network you want to move the asset to.

d. Click the Move button.

Tenable Vulnerability Management moves the asset to the selected network.

• To move selected assets:
a. For each asset you want to move, click the check box in the asset row.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

The Move plane appears.

c. In the Default drop-down box, select the network you want to move the asset to.

d. Click the Move button.

Tenable Vulnerability Management moves the assets to the selected network.

l To move all assets on the current page:

a. Click the check box in the table header.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

The Move plane appears.

c. In the Default drop-down box, select the network you want to move the asset to.

d. Click the Move button.

Tenable Vulnerability Management moves the assets to the selected network.

l To move all assets:

a. Click the check box in the table header.

The action bar appears at the bottom of the page.

b. In the action bar, click Select All Assets.

Note: If you click Select All Assets, all assets on the current page and any additional
pages are selected.

c. In the action bar, click Move.

The Move plane appears.

d. In the Default drop-down box, select the network you want to move the assets to.

e. Click the Move button.

Tenable Vulnerability Management moves the assets to the selected network.

Note: Depending on the filter applied and the number of assets selected, it may take some time for
Tenable Vulnerability Management to move all assets to the destination network.

Delete Assets in a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Tip: If you want to remove an asset from a network but not delete the asset, see Move Assets to a Network
via Settings.

Delete Assets Manually

If you manually delete an asset, Tenable Vulnerability Management no longer displays the asset in
the default view of the assets table, deletes vulnerability data associated with the asset, and stops
matching scan results to the asset. Manually deleted assets continue to count against your Tenable
Vulnerability Management license until the assets age out after 14 days.

To view manually deleted assets, see View Deleted Assets.

To delete assets manually:

l Delete an individual asset. For more information, see Delete Assets.

l Delete multiple assets using the Tenable Vulnerability Management API. For more information,
see the Tenable Developer Portal.

Delete Assets Automatically

If you automatically delete assets in a network, Tenable Vulnerability Management permanently
deletes the asset and all associated vulnerability data after a specified number of days.
Automatically deleted assets do not count against your Tenable Vulnerability Management license.

To automatically delete assets, enable the Asset Age Out feature when you create or edit the
network.

Export Networks

Required User Role: Administrator

On the Sensors page, you can export one or more networks.

To export a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the networks that you want to export:

Export Scope Action

Selected networks: To export selected networks:

a. Select the check box for each network you want to export.

The action bar appears at the top of the table.

b. Click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than
200 networks, select all the networks in the list and then click Export.

A single network: To export a single network:

a. In the networks table, right-click the row for the network you want to export.

The action options appear next to your cursor.

-or-

In the networks table, in the Actions column, click the button in the row for the network
you want to export.

The action options appear in the row.

-or-

Select the check box for the network you want to export.

The action bar appears at the top of the table.

b. Click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of networks.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of networks.

Empty fields are not included in the JSON file.

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

12. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

13. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

14. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file from the Exports page.

Delete a Network

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

l If you delete a network, assets that were in the deleted network still retain the network
attribute.

l Tenable Vulnerability Management retains any asset records for the deleted network until the
assets age out of your licensed assets count. You can still filter for assets that use the
deleted network.

l You cannot create a new network that has the same name as a deleted network.

Before you begin:

Before you delete a network, consider the following:

l Consider moving assets to a different network before you delete the network. To move assets
from a deleted network to another network, you must use the Tenable Vulnerability
Management API.

l Tenable Vulnerability Management re-assigns any scanners or scanner groups in the deleted
network to the default network. If you want to delete the scanners or scanner groups, see
Remove a Sensor from a Scanner Group and Delete a Scanner Group.

To delete a network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the Networks tab.

The list of networks appears.

5. Delete selected networks.

Delete Scope Action

To delete a single network:

a. In the networks table, right-click the row for the network you want to delete.

The action options appear next to your cursor.

-or-

In the networks table, in the Actions column, click the button in the row for the network
you want to delete.

The action options appear in the row.

-or-

Select the check box for the network you want to delete.

The action bar appears at the top of the table.

b. Click Delete.

To delete multiple networks:

a. In the networks table, select the check box for each network you want to delete.

The action bar appears at the top of the table.

b. Click Delete.

Tenable Vulnerability Management deletes the network.

Linked Scanners

After you install a Tenable Nessus scanner, Tenable Nessus Network Monitor instance, Tenable Web
App Scanning sensor, or Tenable Nessus Agent sensor, you can link it to Tenable Vulnerability
Management.

Before you can use linked scanners in Tenable Vulnerability Management scans, you must:

1. Install the appropriate Tenable product on the sensor or the host you want to scan.

Sensor Type More Information

Tenable Nessus Agent

l Environments

l Install Tenable Nessus Agent in the Tenable Nessus Agent Deployment and User Guide

Tenable Nessus Network Monitor

l Environments

l Install Tenable Nessus Network Monitor in the Tenable Nessus Network Monitor User Guide

l Deploy or Install Tenable Container Security + Tenable Nessus Network Monitor in the
Tenable Core User Guide

Tenable Nessus

l Environments

l Install Tenable Nessus in the Tenable Nessus User Guide

l Deploy or Install Tenable Core + Tenable Nessus in the Tenable Core User Guide

Note: If a Tenable Nessus scanner has multiple NICs/interfaces, you may see multiple
IPv4/IPv6 addresses for the scanner.

Tenable Web App Scanning

l Environments

l Deploy or Install Tenable Core + Tenable Web App Scanning in the Tenable Core User Guide

2. Link the sensor to Tenable Vulnerability Management.

View Linked Scanners

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To view your linked scanners:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. To view a different type of linked scanners, in the top navigation bar, click the type of linked
scanners you want to view.

Tenable Vulnerability Management displays the selected type of linked scanners.

Rename a Linked Scanner

You can rename your linked scanners from the Sensors menu. This can be helpful for making linked
scanners more recognizable to other users.

Note: You cannot rename a cloud scanner. The cloud scanner names are managed by Tenable.

To rename a linked scanner:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the row of the scanner you want to rename.

The scanner Details page appears.

5. Click the button next to the scanner name.

6. Edit the scanner name.

7. Click the button next to the scanner name.

Tenable Vulnerability Management saves the new scanner name and updates any related
tables with the new name.

Download Linked Scanner Logs

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can request and download a log file containing logs and
system configuration data from any of your linked scanners. This information can help you
troubleshoot system problems and easily provide data for Tenable Support.

You can store a maximum of five log files from each scanner. Once the limit is reached, you must
remove an old log file to download a new one.

To download logs from a linked scanner in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the linked scanners table, click the scanner for which you want to download logs.

The details page for that scanner appears.

5. Click the Logs tab.

A table shows any previously downloaded logs.

6. In the upper-right corner, click Request Logs.

Note: If you have reached the maximum of five log files, the Request Logs button is disabled.
Remove an existing log before downloading a new one.

The pending log appears as a row in the logs table. Tenable Vulnerability Management
requests the logs from the scanner the next time it checks in, which may take several
minutes.

7. In the row for an available log file, click the button.

Your system downloads the log file.

To remove an existing log:

1. In the row of the log you want to remove, click the button.

A confirmation window appears.

2. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the log and removes it from the table.

To cancel a pending or failed log request:

l In the row of the pending or failed log request that you want to cancel, click the button.

Tenable Vulnerability Management cancels the log request and removes it from the table.

Export Linked Scanners

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Sensors page, you can export one or more linked scanners in CSV or JSON format.

To export your linked scanners:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Do one of the following:

l To export Tenable Nessus linked scanners, in the drop-down box, select the Linked
Scanners tab.

The Linked Scanners page appears, displaying a table with all your Tenable Nessus
linked scanners.

l To export Tenable Nessus Network Monitor linked scanners, click the Nessus Network
Monitors tab.

A table with all your Tenable Nessus Network Monitor linked scanners appears.

l To export Tenable Web App Scanning linked scanners, click the Web App Scanners tab.

A table with your Tenable Web App Scanning linked scanners appears.

5. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

6. Select the linked scanners that you want to export:

Export Scope Action

A single linked scanner: To export a single linked scanner from the Linked Scanners page:

a. In the linked scanners table, right-click the row for the linked scanner you want to
export.

-or-

In the linked scanners table, in the Actions column, click the button in the row for the
linked scanner you want to export.

The action buttons appear in the row.

-or-

Select the check box for the linked scanner you want to export.

The action bar appears at the top of the table.

b. Click Export.

To export from the Details page:

a. In the linked scanners table, click the row for the linked scanner you
want to export.

The Details page appears.

b. In the upper-right corner, click the Export button.

Multiple linked scanners: To export multiple selected linked scanners:

a. In the scanners table, select the check box for each linked scanner you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than
200 scanners, select all the scanners in the list and then click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of linked scanners.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of linked scanners.

Empty fields are not included in the JSON file.

9. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Export Linked Scanner Details

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

On the Details page for any linked scanner, you can export details about your linked scanner in
CSV or JSON format.

To export details for a linked scanner:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. In the linked scanners table, click the linked scanner for which you want to export details.

The Details page appears.

6. In the upper-right corner, click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

7. In the Name box, type a name for the export file.

8. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of your linked scanner details, organized
by fields.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of your linked scanner details,
organized by fields.

Empty fields are not included in the JSON file.
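The CSV note above (repeated for the network, linked scanner and linked scanner details exports) describes a formula-neutralization rule: any cell that begins with =, +, - or @ gets a leading single quote so a spreadsheet treats it as text rather than a formula. As an added example that is not Tenable's code, the Python below applies that rule when writing a CSV and reverses it when reading an export back into a script; it assumes standard CSV quoting, and the network rows are constructed sample data.

```python
import csv
import io

# Characters a spreadsheet may interpret as the start of a formula. The user
# guide states that Tenable Vulnerability Management prefixes such cells with a
# single quote (') in CSV exports.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value: str) -> str:
    """Apply the guide's rule: prefix a leading formula character with a single
    quote so the cell is treated as text when the file is opened in a spreadsheet."""
    if value and value[0] in FORMULA_PREFIXES:
        return "'" + value
    return value


def restore_cell(value: str) -> str:
    """Undo the neutralization when a script reads an export back.

    Only a quote that precedes a formula character is removed; a value that
    legitimately starts with a quote followed by anything else is left alone.
    Note that negative numbers such as -1 are also prefixed by the rule, so a
    consumer that expects numeric fields must restore them before converting.
    """
    if len(value) >= 2 and value[0] == "'" and value[1] in FORMULA_PREFIXES:
        return value[1:]
    return value


def write_export(rows, fieldnames):
    """Write rows as CSV text, neutralizing every cell the way the guide describes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


def read_export(text):
    """Parse CSV text produced by write_export (or an export using standard CSV
    quoting, which is assumed here) and restore the original cell values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: restore_cell(v) for k, v in row.items()} for row in reader]


# Constructed sample rows (placeholder network names, not real data). The
# description of the first row and the name of the second would be interpreted
# as formulas or functions by a spreadsheet if exported unmodified.
SAMPLE_NETWORKS = [
    {"name": "Corporate LAN", "description": "=SUM(A1:A9)", "asset_age_out": "-1"},
    {"name": "@guest-wifi", "description": "Visitor network", "asset_age_out": "90"},
]
FIELDNAMES = ["name", "description", "asset_age_out"]

if __name__ == "__main__":
    exported = write_export(SAMPLE_NETWORKS, FIELDNAMES)
    print(exported)
    print(read_export(exported))
```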

9. (Optional) Deselect any fields you do not want to appear in the export file.

10. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file in the Export Management
View.

Differential Plugin Updates

The following table describes the behavior of differential plugin updates for Tenable Nessus
scanners linked to Tenable Vulnerability Management.

Linked to: Tenable Vulnerability Management

Differential Update: The scanner requests differential updates from Tenable Vulnerability
Management once every 24 hours.

Full Update: The scanner performs a full plugin update if it does not have plugins (for example,
immediately after you link the scanner to Tenable Vulnerability Management).

Scanner Groups

You can use scanner groups to organize and manage the scanners linked to your Tenable
Vulnerability Management instance. For example, you can add all sensors in a specific
geographical location to a group named "East Coast Scanners."

You can add a scanner to one or more scanner groups.

When you create a scan, you can select the scanner group to use to launch the scan. Alternatively,
you can select Auto-Select to enable scan routing for the scan, which assigns scans to scanners
based on the targets configured in scanner groups.

Tenable Vulnerability Management determines which scanner in a scanner group to use based on
the following criteria:

l The scanner is active and has communicated to Tenable Vulnerability Management within the
last 5 minutes.

l The scanner is running the lowest number of active scans and is scanning the lowest number
of hosts.

Note: If your organization uses scan networks, you can only add scanners to scanner groups that belong to
the same network. For more information, see Networks.

Note: If a remote scanner is part of a Scanner Group and is unlinked during its operations, the scan's
operations complete, but Tenable Vulnerability Management does not include the unlinked scanner for
future use.

Create a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To create a scanner group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

5. Click Add Scanner Group.

The Add Scanner Group plane appears.

6. In the Group Name field, type a name for the group.

7. (Optional) In the Targets for Scan Routing box, type a comma-separated list of scan routing
targets.

Targets in the list must be in the supported formats.

This list specifies the targets that scanners in this scanner group can scan if a scan is
configured to use the Auto-Select scanner. For more information, see Example: Scan
Routing.

Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group.
For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four
scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard
and range formats, instead of individual IP addresses.

8. (Optional) Configure user permissions for a scanner group.

By default, in any new scanner group, Tenable Vulnerability Management assigns the system-
generated All Users group Can Use permissions.

9. Click Save.

If Targets for Scan Routing specifies more than the maximum number of targets, an error
message appears. Condense the scan routing targets by using wildcard and range formats
instead of individual IP addresses, then try again to save the scanner group.

In all other cases, the new group appears in the Scanner Groups list.

Modify a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To modify a scanner group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

5. (Optional) Search the table for the group you want to modify. For more information, see
Tenable Vulnerability Management Tables.

6. In the scanner group table, do one of the following:

l In the Actions column of the scanner group you want to modify, click the button.

The action options appear in the row.

l Right-click the scanner group you want to modify.

The action options appear next to your cursor.

7. Click Edit.

The Edit Scanner Group plane appears.

8. Modify any of the following settings:

Setting Action

Name Type a new name.

User and Group Permissions Configure user permissions for the scanner group.

9. (Optional) In the Targets for Scan Routing box, type a comma-separated list of scan routing
targets.

Targets in the list must be in the supported formats.

This list specifies the targets that scanners in this scanner group can scan if a scan is
configured to use the Auto-Select scanner. For more information, see Example: Scan
Routing.

Note: You can specify up to 10,000 individual scan routing targets for an individual scanner group.
For example, 192.168.0.1, example.com, *.example.net, 192.168.0.0/24 specifies four
scan routing targets. To condense a scan routing target list, Tenable recommends using wildcard
and range formats, instead of individual IP addresses.

10. Click Save.

If Targets for Scan Routing specifies more than the maximum number of targets, an error
message appears. Condense the scan routing targets by using wildcard and range formats
instead of individual IP addresses, then try again to save the scanner group.

In all other cases, Tenable Vulnerability Management updates the scanner group with your
changes.

To assign scanners to a scanner group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. (Optional) For Tenable Web App Scanning, click the Web App Scanners tab.

The Web App Scanners tab appears and Linked Scanners is selected in the drop-down box.

5. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

6. In the scanner groups table, click the row of the scanner group where you want to add
scanners.

The Group Details page appears.

7. Click Assign Scanners.

The Assign Scanner page appears.

8. (Optional) Search the table for the scanner you want to assign. For more information, see
Tenable Vulnerability Management Tables.

9. In the scanners table, select the check boxes next to the scanner or scanners you want to add
to the scanner group.

10. Click Assign.

If the assignment is successful, Tenable Vulnerability Management adds the scanner to the
scanner group, and the Group Details page appears.

If Tenable Vulnerability Management encounters any problems during processing, the Assign
Scanners page remains active, and one of the following messages appears in the Assignment
column of the affected scanner:

Possible Error Messages Action

Possible Error Message: This sensor already exists in the scanner group.
Action: Click Cancel to close the page.

Possible Error Message: An error occurred adding this sensor to the scanner group.
Action: Click Assign again. If the processing still fails, contact Tenable Support.

Configure User Permissions for a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can configure scanner group permissions for individual users or a user group. If you configure
scanner group permissions for a user group, you assign all users in that group the same
permissions. For more information, see User Groups.

You can assign the following scanner group permissions to a user or user group:

l No Access — (All Users user group only) No users (except for users or groups you specifically
assign permissions) can use the scanner group in scan configurations.

l Can Use — The user or user group can use the scanner group in scan configurations. The user
or user group can view but not edit the scanner group configuration.

l Can Manage — The user or user group can use the scanner group in scan configurations. The
user or user group can view and edit the scanner group configuration.

To configure user permissions for a scanner group:

1. Create or edit a scanner group.

2. During scanner group configuration, in the Users & Groups section, do any of the following:

   • Edit permissions for the All Users user group.

     a. Next to the permission drop-down for the All Users group, click the button.

     b. Select a permissions level.

   • Add a user or user group to the scanner group.

     a. In the Users & Groups heading, click the button.

        The Add Users & Group plane appears.

     b. In the Search field, type or click the drop-down to find and add a user or group.

        Tip: Tenable recommends assigning permissions to user groups, rather than individual
        users, to minimize maintenance as individual users leave or join your organization.

        Added users and groups appear below the Search field.

     c. Click the Add button.

        The scanner group plane appears.

        By default, Tenable Vulnerability Management assigns the added user or user
        group Can Use permissions.

   • Edit permissions for an existing user or user group.

     a. Next to the permissions drop-down for the user or user group you want to edit,
        click the button.

     b. Select a permissions level.

   • Remove a user or user group from the scanner group.

     a. Roll over the user or group you want to remove.

     b. Click the button next to the user or user group.

        The user or group disappears from the Users & Groups list.

3. Click Save.

Tenable Vulnerability Management saves your changes to the scanner group.

What to do next:

• Use the scanner group in a scan configuration.

Delete a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To delete one or more scanner groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

5. In the scanner groups table, select one or more scanner groups to delete:

Scope: To delete a single scanner group

   a. In the scanner groups table, do one of the following:

      • Select the check box for the scanner group you want to delete.

        The action bar appears at the top of the table.

      • Right-click the scanner group you want to delete.

        The action options appear next to your cursor.

      • In the Actions column, click the button for the scanner group you want to delete.

        The action options appear in the row.

   b. Click Delete.

      A confirmation window appears.

Scope: To delete multiple scanner groups

   a. In the scanner groups table, select the check boxes next to the scanner groups you
      want to delete.

      The action bar appears at the bottom of the page.

   b. In the action bar, click the Delete button.

      A confirmation window appears.

6. In the confirmation window, click the Delete button.

Tenable Vulnerability Management deletes the group or groups you selected.

Add a Sensor to a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can add the following types of sensors to a scanner group:

Sensor Type                                              Supported?

On-premises Tenable Nessus                               yes
On-premises Tenable Web App Scanning                     yes
Tenable Vulnerability Management cloud                   no
Tenable Nessus sensor for Amazon Web Services (AWS)      no
Tenable Nessus Network Monitor (NNM)                     no
Tenable Nessus Agent                                     no (see Agent Groups)

To add a sensor to one or more scanner groups in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. (Optional) Search for the scanner you want to add to a scanner group.

5. Select the scanners you want to add and the groups you want to add the scanners to:

Scope: Add a single scanner to a group or groups

   a. In the scanner table, do one of the following:

      • Right-click the sensor you want to add to a scanner group.

        The action options appear next to the cursor.

      • In the Actions column, click the button for the sensor you want to add to a
        scanner group.

        The action options appear in the row.

      • Select the check box for the sensor you want to add to a scanner group.

        Tenable Vulnerability Management enables Add selected to Groups in the action bar.

   b. Click Add to Groups.

      The Add to Groups plane appears.

   c. In the search box, type the name of the scanner group where you want to add the
      scanner.

   d. In the drop-down box of matching groups, click a group.

   e. (Optional) Repeat steps c and d to add additional scanner groups.

Scope: Add multiple scanners to a group or groups

   a. In the scanner table, select the check boxes next to the scanners you want to add to
      scanner groups.

      The action bar appears at the bottom of the page.

   b. Click the Add selected to Groups button.

      The Add to Groups plane appears.

   c. In the search box, type the name of the scanner group where you want to add the
      scanner.

   d. In the drop-down list of matching groups, click a group.

   e. (Optional) Repeat steps c and d to add additional scanner groups.

6. Click Save to save your changes.

Tenable Vulnerability Management adds the scanner or scanners to the selected group or
groups and closes the Add to Groups plane.

Remove a Sensor from a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Web App Scanning User Role: Scan Manager or Administrator

To remove a sensor from a scanner group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

5. (Optional) Search the table for the group you want to modify. For more information, see
Tenable Vulnerability Management Tables.

6. In the scanner group table, click the scanner group you want to modify.

The Group Details page appears. This page contains a table listing sensors assigned to this
group.

7. (Optional) Search for the sensor you want to remove. For more information, see Tenable
Vulnerability Management Tables.

8. Select the sensor or sensors you want to remove:

Scope: Remove a single sensor

   a. In the sensors table, do one of the following:

      • Right-click the sensor you want to remove.

        The action options appear next to your cursor.

      • In the Actions column, click the button for the sensor you want to remove.

        The action options appear in the row.

      • Select the check box for the sensor you want to remove.

        The action buttons appear at the top of the table.

   b. Click the Remove from Group button.

      A confirmation window appears.

Scope: Remove multiple sensors

   a. In the sensors table, select the check box for each sensor you want to remove from
      the group.

      The action bar appears at the bottom of the page.

   b. In the action bar, click the Remove from Group button.

      A confirmation window appears.

9. In the confirmation window, click Remove.

Tenable Vulnerability Management removes the sensor or sensors from the scanner group.

View Sensors in a Scanner Group

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To view sensors assigned to a scanner group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. In the drop-down box, select Scanner Groups.

The list of existing scanner groups you have permission to use or manage appears.

5. (Optional) Search the table for the group you want to view. For more information, see Tenable
Vulnerability Management Tables.

6. In the scanner group table, click the scanner group you want to view.

The Group Details page appears. This page contains a table listing sensors assigned to this
group.

View All Running Scans for a Sensor

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Note: You can only view all scans for sensors in Tenable Nessus scanner groups.

To view all running scans for a sensor:

1. View the sensors in the appropriate scanner group.

2. In the sensors table, click the sensor for which you want to view all scans.

The scanner Details page appears.

3. Click the Manage Scans tab.

Tenable Vulnerability Management shows a list of all scans the sensor is currently running.

OT Connectors

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

If your organization has OT Security and Tenable Vulnerability Management, you can allow
OT Security to transmit assets and findings data to Tenable Vulnerability Management by setting up
OT connectors. You can manage OT connectors from the Tenable Vulnerability Management
Sensors page.

To open the OT Connectors menu in Tenable Vulnerability Management:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the OT Connectors tab.

The list of linked OT connectors appears.

5. Use the following procedures to manage OT connectors:

Add an OT connector:

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To add an OT connector:

1. Click Add OT Connector.

The Add OT Connector window appears.

2. Click Generate.

Tenable Vulnerability Management shows the appropriate cloud site to link the OT connector
to and generates an OT linking key.

Note: You can use the linking key to link one OT connector, and you must use the linking key within
two hours of generation. To link additional OT connectors, generate and use a new linking key for
each connector.

3. Use the cloud site and linking key to link the connector to Tenable Vulnerability Management
from the OT Security user interface. For more information, see the OT Security User Guide.

Modify an OT connector name or type:

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To ensure that your OT connectors are recognizable and represent the correct types, you may need
to modify the OT connector names and types in Tenable Vulnerability Management. You can choose
from two types: ICP and EM (Enterprise Manager). For more information about the types, see the
OT Security User Guide.

Note: Updating an OT connector name or type in Tenable Vulnerability Management does not cause any
changes in OT Security.

To modify an OT connector name or type:

1. In the OT Connectors table, double-click the Name or Type cell to edit it.

2. Enter the new name or select the new type (ICP or EM).

3. Click out of the cell.

Tenable Vulnerability Management saves your change.

Enable or disable an OT connector:

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

There may be some cases where you want to disable an OT connector temporarily and enable it at a
later time. For example, you may want to disable an OT connector if OT Security begins sending
data from an unwanted network to Tenable Vulnerability Management. Once the issue is resolved,
you can re-enable the connector.

To enable or disable an OT connector:

1. In the OT Connectors table, click in the row of the connector that you want to enable or
disable.

A drop-down menu appears.

2. If the connector is currently enabled, click Disable. If the connector is currently disabled,
click Enable.

If you enabled the connector, Tenable Vulnerability Management bolds the connector row text
and updates the Enabled column to Yes. If you disabled the connector, Tenable Vulnerability
Management grays the connector row text and updates the Enabled column to No.

Delete an OT connector:

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Delete an OT connector from Tenable Vulnerability Management if you no longer want the OT
connector to send data to Tenable Vulnerability Management. For example, if you need to redeploy
OT Security, you would need to delete any connector associated with the old deployment.

Tenable recommends that whenever you delete an OT connector from Tenable Vulnerability
Management, you also delete the related connector in OT Security to ensure that Tenable
Vulnerability Management and OT Security stay aligned.

Note: You cannot undo an OT connector deletion; if you want to relink the OT connector, you have to
repeat the Add an OT connector process.

To delete an OT connector from Tenable Vulnerability Management:

1. In the OT Connectors table, click in the row of the connector that you want to delete.

A drop-down menu appears.

2. Click Delete.

The Delete OT Connector window appears.

3. Click Delete.

Tenable Vulnerability Management removes the connector from the table.

Cloud Sensors
By default, Tenable provides regional cloud sensors for use in Tenable Vulnerability Management.
You can select these sensors when you create and launch scans.

The following table identifies each regional cloud sensor and, for allow list purposes, its IP address
ranges. These IP address ranges are exclusive to Tenable.

Note: If you use cloud connectors, Tenable recommends allowlisting the IP addresses for the region in which
the site resides.

Note: While these IP addresses are for outbound requests, they are also used for inbound
cloud.tenable.com requests.

Tip: The cloud sensor and IP address information contained in the table below is also provided in JSON
format for users that want to parse the data programmatically.

For Cloud IPs associated with Tenable Attack Surface Management, see Cloud Sensors in the
Tenable Attack Surface Management User Guide.

Sensor Region      IPv4 Range             IPv6 Range

ap-northeast-1     13.115.104.128/25      2406:da14:e76:5b00::/56
                   35.73.219.128/25

ap-southeast-1     13.213.79.0/24         2406:da18:844:7100::/56
                   18.139.204.0/25
                   54.255.254.0/26

ap-southeast-2     13.210.1.64/26         2406:da1c:20f:2f00::/56
                   3.106.118.128/25
                   3.26.100.0/24

ap-south-1         3.108.37.0/24          2406:da1a:5b2:8500::/56

ca-central-1       3.98.92.0/25           2600:1f11:622:3000::/56
                   35.182.14.64/26

eu-west-1          3.251.224.0/24         2a05:d018:f53:4100::/56

eu-west-2          18.168.180.128/25      2a05:d01c:da5:e800::/56
                   18.168.224.128/25
                   3.9.159.128/25
                   35.177.219.0/26

eu-central-1       18.194.95.64/26        2a05:d014:532:b00::/56
                   3.124.123.128/25
                   3.67.7.128/25
                   54.93.254.128/26

me-central-1       51.112.93.0/24         2406:da17:524:dd00::/56

us-east-1          34.201.223.128/25      2600:1f18:614c:8000::/56
                   44.192.244.0/24
                   54.175.125.192/26

us-east-2          13.59.252.0/25         2600:1f16:8ca:e900::/56
                   18.116.198.0/24
                   3.132.217.0/25

us-west-1          13.56.21.128/25        2600:1f1c:13e:9e00::/56
                   3.101.175.0/25
                   54.219.188.128/26

us-west-2          34.223.64.0/25         2600:1f14:141:7b00::/56
                   35.82.51.128/25
                   35.86.126.0/24
                   44.242.181.128/25
                   35.93.174.0/24

sa-east-1          15.228.125.0/24        2600:1f1e:9a:ba00::/56

static             162.159.129.83/32      2606:4700:7::a29f:8153
                   162.159.130.83/32      2606:4700:7::a29f:8253

Note: For troubleshooting Tenable Web App Scanning issues with Tenable Support, you may be asked to
add the following IP range to your allow list:

• 13.59.250.76/32

Regional cloud sensors appear in the following groups:

• US East Cloud Scanners: A group of scanners from the us-east-1 (Virginia) or the us-east-2
  (Ohio) ranges.

• US West Cloud Scanners: A group of scanners from the us-west-1 (California) or the us-west-2
  (Oregon) ranges.

• AP Singapore Cloud Scanners: A group of scanners from the ap-southeast-1 (Singapore) range.

• AP Sydney Cloud Scanners: A group of scanners from the ap-southeast-2 (Sydney) range.

• AP Tokyo Cloud Scanners: A group of scanners from the ap-northeast-1 (Tokyo) range.

• CA Central Cloud Scanners: A group of scanners from the ca-central-1 (Canada) range.

• EU Frankfurt Cloud Scanners: A group of scanners from the eu-central-1 (Frankfurt) range.

• UK Cloud Scanners: A group of scanners from the eu-west-2 (London) range.

• Brazil Cloud Scanners: A group of scanners from the sa-east-1 (São Paulo) range.

• India Cloud Scanners: A group of scanners from the ap-south-1 (Mumbai) range.

• Amazon GOV-CLOUD: A group of scanners available for Federal Risk and Authorization
  Management Program (FedRAMP) environments.

• US Cloud Scanner: A group of scanners from the following AWS ranges:

  ◦ us-east-1 (Virginia)
  ◦ us-east-2 (Ohio)
  ◦ us-west-1 (California)
  ◦ us-west-2 (Oregon)

• APAC Cloud Scanners: A group of scanners from the following AWS ranges:

  ◦ ap-northeast-1 (Tokyo)
  ◦ ap-southeast-1 (Singapore)
  ◦ ap-southeast-2 (Sydney)
  ◦ ap-south-1 (Mumbai)

• EMEA Cloud Scanners: A group of scanners from the following AWS ranges:

  ◦ eu-west-1 (Ireland)
  ◦ eu-west-2 (London)
  ◦ eu-central-1 (Frankfurt)

Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners,
Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM)
located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of
sensor.cloud.tenable.com.

Tenable FedRAMP Moderate Cloud Sensors


• For cloud based network scans, add the following IP ranges to your allow list:

  ◦ 3.32.43.0 - 3.32.43.31 (3.32.43.0/27)
  ◦ 3.31.100.0/24

• For internal scanner or agent communications, add the following IP addresses to your allow list:

  ◦ 52.61.37.84
  ◦ 15.200.117.191
  ◦ 162.159.140.154
  ◦ 172.66.0.152
  ◦ 2606:4700:7::98
  ◦ 2a06:98c1:58::98
  ◦ 162.159.140.155
  ◦ 172.66.0.153
  ◦ 2606:4700:7::99
  ◦ 2a06:98c1:58::99
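The cloud sensor table above exists so that firewall allowlists can be built from it, and Tenable notes it is also published as JSON for programmatic use. The following is an added example (not Tenable code) of what a defender typically does with that data: it loads a subset of the published ranges (copied from the table and the FedRAMP list above), answers which Tenable sensor region an address belongs to, and tags the source of each line in a few constructed firewall log entries, so that inbound scan traffic can be attributed to a specific Tenable region rather than left as an unknown scanner. The `src=`/`dst=`/`dport=` log format and the sample lines are constructed for this example.

```python
"""Classify connection sources against Tenable's published cloud sensor ranges.

Added example, not Tenable code. The ranges below are copied from the Cloud
Sensors table and the FedRAMP list on this page; the firewall log lines are
constructed sample input.
"""
import ipaddress
import re

# Subset of the page's cloud sensor table (region -> published ranges).
# Extend with the remaining rows of the table for a production allowlist.
TENABLE_SENSOR_RANGES = {
    "us-east-1": ["34.201.223.128/25", "44.192.244.0/24", "54.175.125.192/26",
                  "2600:1f18:614c:8000::/56"],
    "us-east-2": ["13.59.252.0/25", "18.116.198.0/24", "3.132.217.0/25",
                  "2600:1f16:8ca:e900::/56"],
    "eu-west-2": ["18.168.180.128/25", "18.168.224.128/25", "3.9.159.128/25",
                  "35.177.219.0/26", "2a05:d01c:da5:e800::/56"],
    "ap-southeast-1": ["13.213.79.0/24", "18.139.204.0/25", "54.255.254.0/26",
                       "2406:da18:844:7100::/56"],
    "static": ["162.159.129.83/32", "162.159.130.83/32",
               "2606:4700:7::a29f:8153/128", "2606:4700:7::a29f:8253/128"],
    # FedRAMP Moderate cloud-based network scan ranges from the list above.
    "fedramp-scan": ["3.32.43.0/27", "3.31.100.0/24"],
}

# Parse once; ip_network() validates each CIDR and rejects malformed entries.
_NETWORKS = [(region, ipaddress.ip_network(cidr))
             for region, cidrs in TENABLE_SENSOR_RANGES.items()
             for cidr in cidrs]


def sensor_region_for(address):
    """Return the Tenable sensor region whose published range contains
    `address`, or None if the address is in no published range."""
    ip = ipaddress.ip_address(address)
    for region, net in _NETWORKS:
        if ip.version == net.version and ip in net:
            return region
    return None


# Minimal parser for the constructed "key=value" firewall log format.
_LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def classify_log(lines):
    """Tag each parsable line's source as a Tenable region or 'unknown'.
    Returns a list of (src, dport, label) tuples; unparsable lines are skipped."""
    result = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        region = sensor_region_for(m["src"])
        result.append((m["src"], int(m["dport"]), region or "unknown"))
    return result


def unknown_sources(lines):
    """Sources that reached us but are not Tenable sensors: the ones worth a
    closer look when a scan window was the only activity you expected."""
    return sorted({src for src, _, label in classify_log(lines) if label == "unknown"})


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-06-20T10:00:01Z ACCEPT src=44.192.244.17 dst=10.0.5.20 dport=443",
    "2024-06-20T10:00:02Z ACCEPT src=18.168.224.200 dst=10.0.5.20 dport=22",
    "2024-06-20T10:00:03Z ACCEPT src=198.51.100.9 dst=10.0.5.20 dport=445",
    "2024-06-20T10:00:04Z ACCEPT src=2600:1f18:614c:8042::1 dst=2001:db8::20 dport=80",
    "garbage line with no fields",
]

if __name__ == "__main__":
    for src, dport, label in classify_log(SAMPLE_LOG):
        print(f"{src:>28}  :{dport:<5}  {label}")
    print("unknown sources:", unknown_sources(SAMPLE_LOG))
```

Because the page states these addresses are used for both outbound and inbound cloud.tenable.com traffic, the same lookup serves two jobs: confirming that a firewall allowlist covers every region your scans are launched from, and explaining the source of scan-like traffic in your logs. Re-copy the table from the current revision of this guide whenever you refresh the allowlist, since the ranges are published by Tenable and may change between revisions.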

Sensor Security
See the following sections to learn more about sensor security and encryption when using the
Tenable Vulnerability Management platform:

• Sensor Overview

• Linking Keys

• Data Encryption

Sensor Overview
Sensors access Tenable Vulnerability Management through sensor.cloud.tenable.com:443. All
sensors (Tenable Nessus scanners, Tenable Nessus Agents, Tenable Nessus Network Monitor) also
need access to cloud.tenable.com:443.

Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners,
Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM)
located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of
sensor.cloud.tenable.com.

Depending on how you deploy and set up Tenable Nessus scanners and Tenable Nessus Network
Monitor, you need to access their respective user interfaces for initial setup:

• Tenable Nessus — <IP>:8834

• Tenable Nessus Network Monitor — <IP>:8835

Note: If you are deploying Tenable Nessus or Tenable Nessus Network Monitor with Tenable Core,
you also need access to the underlying virtual appliance interface: <IP>:8000.

Tenable Vulnerability Management uses a user interface, driven by Tenable's customer-facing APIs,
for all operations. The sensors that connect to Tenable Vulnerability Management play a major role
in your security, collecting vulnerability and asset information. Protecting this data and ensuring the
communication paths are secure is a core function of Tenable Vulnerability Management.

Nessus sensors connect to the Tenable Vulnerability Management platform after securely
authenticating and linking to Tenable Vulnerability Management (see Linking Keys in the following
section to learn more). Once linked, Tenable Vulnerability Management manages all updates to
ensure the sensors are always up to date.

Sensors always initiate the traffic between sensors and Tenable Vulnerability Management, and the
traffic is outbound-only over port 443. Traffic is encrypted in transit using TLS 1.2+ (or version 1.2
when in NIAP mode) with a 4096-bit key. Because no inbound connection to the sensor is required,
this removes the need for inbound firewall changes and lets you control the connections with
outbound firewall rules.

Note: To learn more about NIAP mode, see the following topics in their respective product user
guides:

• Configure Tenable Nessus for NIAP Compliance
• Configure Tenable Nessus Agent for NIAP Compliance
• Configure Tenable Nessus Network Monitor for NIAP Compliance

Linking Keys
Tenable Vulnerability Management uses a linking key as an initial authentication token for sensors.
The linking key allows you to create the initial link between your sensor (a Nessus scanner, Nessus
Agent, or Tenable Nessus Network Monitor) and Tenable Vulnerability Management.

When the Tenable Vulnerability Management platform receives a link request from a sensor, it
validates the presented linking key with valid linking keys. If it finds that it matches a valid linking
key, Tenable Vulnerability Management allows the sensor to link.

Upon linking, Tenable Vulnerability Management randomly generates, saves, and sends a 256-bit
length key to the sensor. This key is unique to the sensor.

Once the link process is complete, the sensor no longer needs or uses the linking key. Any future
authentication is performed in the following ways:

• Sensor-to-platform authentication

  After the initial linking process, the sensor provides the 256-bit key to identify and
  authenticate its requests. These requests include, but are not limited to, requesting jobs,
  scan policies, plugin updates, scanner binary updates, and providing information back to
  Tenable Vulnerability Management, such as scan results or sensor health data.

• Sensor-to-platform job communication

  Sensors check in to Tenable Vulnerability Management every so often (different sensor types
  have different check-in frequencies). When a scan job is launched, Tenable Vulnerability
  Management generates a policy and encrypts it with a randomly generated 128-bit key. The
  sensor requests the policy from the platform. The policy is stored on disk, but the key resides
  only in memory. The controller uses the key to encrypt the policy, which includes the scan
  credentials.
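The Linking Keys section above describes a bootstrap pattern worth seeing end to end: a linking key is presented once, validated against the set of valid keys, and then replaced by a randomly generated 256-bit key that is unique to the sensor and carries all later authentication. The following is an added model of that flow in Python, not Tenable's implementation. The `Platform` class, its in-memory key stores and the `demo` walkthrough are assumptions made for this illustration; the two-hour lifetime and single-use rule are taken from the OT connector note earlier on this page, and applying them to every sensor type here is an assumption of the model.

```python
"""Model of the sensor bootstrap described in the Linking Keys section: a
short-lived linking key is exchanged once for a per-sensor 256-bit
credential, and every later request is authenticated with that credential.

Added illustration, not Tenable's implementation. Lifetime (two hours) and
single use follow the OT connector note on this page; everything else is a
stand-in for whatever the platform really does.
"""
import hmac
import secrets
import time

LINKING_KEY_TTL = 2 * 60 * 60   # seconds; matches the OT connector note


class Platform:
    """Platform side: issues linking keys, links sensors, authenticates requests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._linking_keys = {}   # linking key -> (expiry, already_used)
        self._sensor_keys = {}    # sensor_id -> per-sensor key (hex)

    def generate_linking_key(self):
        # 32 random bytes -> 64 hex characters, like the keys shown on this page.
        key = secrets.token_hex(32)
        self._linking_keys[key] = (self._clock() + LINKING_KEY_TTL, False)
        return key

    def link(self, presented_key, single_use=True):
        """Validate the presented linking key; on success mint a unique
        256-bit sensor key. Returns (sensor_id, sensor_key) or raises."""
        # Compare against every stored key in constant time so a caller cannot
        # learn from timing how many characters of a guess matched.
        match = None
        for stored in self._linking_keys:
            if hmac.compare_digest(stored.encode(), presented_key.encode()):
                match = stored
        if match is None:
            raise PermissionError("unknown linking key")
        expiry, used = self._linking_keys[match]
        if self._clock() > expiry:
            raise PermissionError("linking key expired")
        if single_use and used:
            raise PermissionError("linking key already used")
        self._linking_keys[match] = (expiry, True)

        sensor_id = f"sensor-{len(self._sensor_keys) + 1}"
        sensor_key = secrets.token_hex(32)        # 256 bits, unique per sensor
        self._sensor_keys[sensor_id] = sensor_key
        return sensor_id, sensor_key

    def authenticate(self, sensor_id, presented_sensor_key):
        """Later requests (jobs, plugin updates, result uploads) carry the
        per-sensor key; the linking key is never accepted here."""
        stored = self._sensor_keys.get(sensor_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), presented_sensor_key.encode())


def demo(now=None):
    """Walk the flow once with a controllable clock and report each outcome."""
    clock = [now if now is not None else time.time()]
    p = Platform(clock=lambda: clock[0])
    linking_key = p.generate_linking_key()
    sensor_id, sensor_key = p.link(linking_key)

    outcome = {
        "sensor_key_bits": len(bytes.fromhex(sensor_key)) * 8,
        "sensor_auth_ok": p.authenticate(sensor_id, sensor_key),
        "linking_key_as_sensor_key": p.authenticate(sensor_id, linking_key),
    }
    try:                                  # second use of the same linking key
        p.link(linking_key)
        outcome["reuse_rejected"] = False
    except PermissionError:
        outcome["reuse_rejected"] = True

    fresh = p.generate_linking_key()      # never used, but aged past its TTL
    clock[0] += LINKING_KEY_TTL + 1
    try:
        p.link(fresh)
        outcome["expired_rejected"] = False
    except PermissionError:
        outcome["expired_rejected"] = True
    return outcome


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is containment: the linking key is the value that gets pasted into install commands and CLIs, so it is the one most likely to end up in shell history or a ticket, and bounding its lifetime and use limits what a leaked copy is worth; the per-sensor key never leaves the sensor-to-platform channel and identifies exactly one sensor, which is what makes revoking or replacing a single sensor possible without touching the others.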

Data Encryption
Tenable Vulnerability Management encrypts all data in all states with at least one level, using no less
than AES-256:

• Data at rest — Tenable Vulnerability Management stores data on encrypted media using at
  least one level of AES-256 encryption. Some data classes include a second level of per-file
  encryption.

• Data in transport — Tenable Vulnerability Management uses TLS version 1.2+ with a 4096-bit
  key to encrypt data during transportation (including internal transports).

• Backed up or replicated data — Tenable Vulnerability Management stores volume snapshots
  and data replicas with the same level of encryption as their source: no less than AES-256. All
  replication is done within AWS. Tenable does not back up any data to physical, off-site media
  or physical systems.

• Index data — Tenable Vulnerability Management stores index data on encrypted media using at
  least one level of AES-256 encryption.

Tenable can rotate all the stored, encrypted data to a new key. Alternatively, you can switch to a
new site to use a new key (in other words, Tenable does not reuse keys when provisioning a new
site). Tenable manages the keys with AWS Key Management.

Link a Sensor

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Tenable Web App Scanning User Role: Scan Manager or Administrator

This procedure describes how to link a sensor to Tenable Vulnerability Management.

Linking a sensor to Tenable Vulnerability Management represents a one-time event in managing a
sensor, unless you remove the sensor. After you link the sensor, the sensor connects to Tenable
Vulnerability Management using unique credentials.

Once you copy the linking key in Tenable Vulnerability Management, you must paste the linking key
in the appropriate location of the sensor user interface (for example, the Tenable Nessus Agent CLI
or the Tenable Nessus Network Monitor Cloud Settings section). Expand the following sections for
specific details.

Note: If you use domain allowlists for firewalls, Tenable recommends adding:

• *.cloud.tenable.com (Commercial)
• *.fedcloud.tenable.com (FedRAMP)

(with the wildcard character) to the allowlist. This ensures communication with
sensor.cloud.tenable.com or sensor.fedcloud.tenable.com, which the scanner uses to communicate
with Tenable Vulnerability Management. If you are connecting to Tenable Vulnerability Management
through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or
Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through
sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

Note: Under certain circumstances, you may need to regenerate the linking key. See Regenerate a Linking
Key for more information. To learn more about the sensor security and linking keys, see Sensor Security.

To link a sensor:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Then:

To link a Tenable Nessus Agent sensor, click the Nessus Agents tab.
a. Click Add Agent.

The Add Agent plane appears.

b. Do one of the following:

   • To install and link Tenable Nessus Agent manually:

     a. In the Linking Key section, click Copy.

        A Linking key copied to clipboard confirmation message appears.

     b. Access the Tenable Nessus Agent instance that you want to link to Tenable
        Vulnerability Management.

     c. Use the copied linking key in the Tenable Nessus Agent CLI to link the
        sensor. For more information, see Install Tenable Nessus Agent in the
        Tenable Nessus Agent Deployment and User Guide.

   • (Windows only) To use a single command to install and link Tenable Nessus Agent:

     a. Under the Installing Agent on Windows platforms header, copy the command.

        The command contains the linking key and syntax required to install the
        agent, link the agent to Tenable Vulnerability Management, change the agent
        name, and add the agent to an agent group. For example:

        Invoke-WebRequest -Uri "https://cloud.tenable.com/install/{sensorType}/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1";
        & "./ms-install-script.ps1" -key "{linkingKey}" -type "{sensorType}" -name "<agent name>" -groups "<list of groups>";
        Remove-Item -Path "./ms-install-script.ps1"

Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

b. In the command, replace <agent name> with the agent name.

Tip: If you do not want to set a custom agent name, remove -name
"<agent name>". If you do not set a custom name, Tenable names the
agent using the hostname of the machine on which you installed the
agent.

c. In the command, replace <list of groups> with the agent group name or
names.

Note: The agent group name is case-sensitive and must match exactly. You must
encase the agent group name in quotation marks (for example, --groups="My
Group").

Tip: If you do not want to add the agent to an agent group, remove -
groups "<list of groups>".

     d. As a user with administrative privileges, access the CLI of the Windows
        machine on which you want to install the agent.

     e. Run the command.

        Tenable Nessus Agent installs on your Windows machine, links to your
        instance of Tenable Vulnerability Management, and updates the agent name
        and agent group if necessary.

   • (Linux only) To use a single command to install and link Tenable Nessus Agent:

     a. Under the Installing Agent on Linux platforms header, copy the command.

        The command contains the linking key and syntax required to install the
        agent, link the agent to Tenable Vulnerability Management, change the agent
        name, and add the agent to an agent group. For example:

        curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/agent?name=agent-name&groups=agent-group' | bash

Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

b. In the command, replace agent-name with the agent name.

        Tip: If you do not want to set a custom agent name, remove name=agent-name. If you
        do not set a custom name, Tenable names the agent using the hostname of the machine
        on which you installed the agent.

c. In the command, replace agent-group with the agent group name.

Note: The agent group name is case-sensitive and must match exactly. You must
encase the agent group name in quotation marks (for example, --groups="My
Group").

Tip: If you do not want to add the agent to an agent group, remove
groups=agent-group.

d. As a user with administrative privileges, access the CLI of the Linux machine
on which you want to install the agent.

e. Run the command.

Tenable Nessus Agent installs on your Linux machine, links to your instance
of Tenable Vulnerability Management, and updates the agent name and agent
group if necessary.

To link a Tenable Nessus Network Monitor instance, click the Nessus Network Monitors tab.

a. Click Add Nessus Network Monitor.

   The Add Nessus Network Monitor plane appears.

b. In the Linking Key section, click Copy.

A Linking key copied to clipboard confirmation message appears.

c. Access the Tenable Nessus Network Monitor instance that you want to link to Tenable
Vulnerability Management.

d. Use the copied linking key in the Tenable Nessus Network Monitor user interface to link
the sensor. For more information, see the NNM User Guide.

To link a Tenable Nessus sensor, click the Nessus Scanners tab.

a. Click Add Nessus Scanner.

The Add Nessus plane appears.

b. Do one of the following:

   • To install and link Tenable Nessus manually:

a. In the Linking Key section, click Copy.

A Linking key copied to clipboard confirmation message appears.

b. Access the Tenable Nessus instance that you want to link to Tenable
Vulnerability Management.

c. Use the copied linking key in the Tenable Nessus user interface to link the
sensor. For more information, see the Link to Tenable Vulnerability
Management in the Tenable Nessus User Guide.

   • (Windows only) To use a single command to install and link a Tenable Nessus
     scanner:

     a. Under the One-Line Installation instructions, copy the command.

        The command contains the linking key and syntax required to install the
        scanner, link the scanner to Tenable Vulnerability Management, change the
        scanner name, and add the scanner to a scanner group. For example:

        Invoke-WebRequest -Uri "https://cloud.tenable.com/install/scanner/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1";
        & "./ms-install-script.ps1" -key "51cc161bfa7c62dd7fc90a63561a256306cda982e3edba9d7ebadc05f6a2118c" -type "scanner" -name "<scanner name>" -groups "<list of groups>";
        Remove-Item -Path "./ms-install-script.ps1"

Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

b. In the command, replace <scanner-name> with the scanner name.

Tip: If you do not want to set a custom scanner name, remove -name
"<scanner-name>". If you do not set a custom name, Tenable names
the scanner using the hostname of the machine on which you installed
the scanner.

c. In the command, replace <list of groups> with the scanner group name.

Note: The scanner group name is case-sensitive and must match exactly.

Tip: If you do not want to add the scanner to a scanner group, remove -
groups "<list of groups>".

d. As a user with administrative privileges, access the CLI of the Windows machine on
which you want to install the scanner.

e. Run the command.

Tenable Nessus installs on your Windows machine, links to your instance of Tenable
Vulnerability Management, and updates the scanner name and scanner group if necessary.

l (Linux only) To use a single command to install and link a Tenable Nessus scanner:

a. Under the One-Line Installation instructions, copy the command.

The command contains the linking key and syntax required to install the
scanner, link the scanner to Tenable Vulnerability Management, change the
scanner name, and add the scanner to a scanner group. For example:

curl -H 'X-Key: abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yz5678abcd1234ef' 'https://cloud.tenable.com/install/scanner?name=scanner-name&groups=scanner-group' | bash

Tip: For Tenable FedRAMP Moderate environments, use "fedcloud.tenable.com".

b. In the command, replace scanner-name with the scanner name.

Tip: If you do not want to set a custom scanner name, remove name=scanner-name. If you do
not set a custom name, Tenable names the scanner using the hostname of the machine on
which you installed the scanner.

c. In the command, replace scanner-group with the scanner group name.

Note: The scanner group name is case-sensitive and must match exactly.

Tip: If you do not want to add the scanner to a scanner group, remove
groups=scanner-group.

d. As a user with administrative privileges, access the CLI of the Linux machine
on which you want to install the scanner.

e. Run the command.

Tenable Nessus installs on your Linux machine, links to your instance of Tenable
Vulnerability Management, and updates the scanner name and scanner group if necessary.

To link a Tenable Core + Tenable Web App Scanning instance, in the left
navigation menu, click Web App Scanners.

a. Click Add Web Application Scanner.

The Add Web Application Scanner plane appears.

b. In the Linking Key section, click Copy.

A Linking key copied to clipboard confirmation message appears.

c. Access the Tenable Core + Tenable Web App Scanning instance that you want to link to
Tenable Vulnerability Management.

d. Use the copied linking key in the Tenable Core + Tenable Web App Scanning user
interface to link the sensor. For more information, see the Tenable Core+Tenable Web
App Scanning User Guide.

What to do next:
l Manage the sensor in Tenable Vulnerability Management (including disabling or re-enabling the
sensor link).

l Select the sensor when configuring Tenable Vulnerability Management scans.

Regenerate a Linking Key

Required User Role: Administrator

Under certain circumstances, you may need to regenerate the linking key for your Tenable
Vulnerability Management instance. For example, you may regenerate the key for security reasons if
an employee with knowledge of the linking key leaves your organization.

Regenerating a linking key does not affect sensors that are currently linked to Tenable Vulnerability
Management, because the linking key is only used to establish the initial link. After you link a sensor,
the sensor connects to Tenable Vulnerability Management using unique credentials.

If your organization has hard-coded a linking key into implementation scripts, keep in mind the
following:

l Be sure to replace the original key with the regenerated key to prevent script failure.

l Each Tenable Vulnerability Management instance uses a single linking key for all sensor types.
If you regenerate the linking key while working with one type of sensor (for example, Tenable
Nessus scanners), you also regenerate the linking key for the other sensor types. If you
regenerate the linking key, be sure to update the implementation for scripts involving all types
of sensors.

Note: To learn more about Tenable Vulnerability Management linking keys, see Sensor Security.
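The Linux one-line installer shown earlier and the hard-coded-key caveat in the bullets above both turn on where the linking key lives. As an added example (not Tenable's script, and not part of this guide), the following Python wrapper reads the key from an environment variable or a file, checks its shape, builds the same install URL the guide shows, and downloads the installer to a file before running it instead of piping it straight into bash. The TVM_LINKING_KEY variable, the /etc/tenable/linking_key path, and the 64-hex-character key format (taken from the Windows example key shown earlier) are assumptions of the example.

```python
"""Added example (not Tenable's code): run the Linux one-line Tenable Nessus
scanner installer without hard-coding the linking key in the script.

Assumptions of this example: the key is supplied in the TVM_LINKING_KEY
environment variable or a root-readable file, and a valid key is 64 lowercase
hex characters (the shape of the Windows example key in the guide).
"""
import os
import re
import subprocess
import tempfile
import urllib.parse

DEFAULT_HOST = "cloud.tenable.com"              # FedRAMP Moderate: fedcloud.tenable.com
DEFAULT_KEY_FILE = "/etc/tenable/linking_key"   # assumed location, not a Tenable path
LINKING_KEY_RE = re.compile(r"^[0-9a-f]{64}$")  # assumed key format


def valid_linking_key(key):
    """True if the key has the 64-hex-character shape (an assumption, see above)."""
    return LINKING_KEY_RE.match(key) is not None


def build_install_url(host=DEFAULT_HOST, name=None, groups=None):
    """Build the install URL from the guide. Omit name to keep the machine's
    hostname as the scanner name; omit groups to add the scanner to no group."""
    params = []
    if name:
        params.append(("name", name))
    if groups:
        params.append(("groups", groups))
    url = "https://%s/install/scanner" % host
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def load_linking_key(env=os.environ, key_file=DEFAULT_KEY_FILE):
    """Read the key from the environment or a file, so a regenerated key is
    updated in one place instead of in every deployment script."""
    key = (env.get("TVM_LINKING_KEY") or "").strip()
    if not key and os.path.isfile(key_file):
        with open(key_file) as fh:
            key = fh.read().strip()
    if not valid_linking_key(key):
        raise ValueError(
            "no usable linking key: set TVM_LINKING_KEY or %s "
            "(regenerate the key under Settings > Sensors if it was rotated)" % key_file)
    return key


def install_scanner(name=None, groups=None, host=DEFAULT_HOST,
                    env=os.environ, key_file=DEFAULT_KEY_FILE, execute=True):
    """Fetch the installer to a file, then run it, instead of piping curl to bash.

    Returns the two command lines; with execute=False nothing is executed."""
    key = load_linking_key(env, key_file)
    url = build_install_url(host, name, groups)
    with tempfile.TemporaryDirectory() as tmp:
        header_file = os.path.join(tmp, "x-key.hdr")
        script = os.path.join(tmp, "install-scanner.sh")
        # Put the X-Key header in a mode-0600 file and hand it to curl with the
        # "-H @file" form, so the key never appears in `ps` output or shell history.
        fd = os.open(header_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("X-Key: %s\n" % key)
        fetch = ["curl", "-fsS", "-H", "@" + header_file, url, "-o", script]
        run = ["bash", script]
        if execute:
            subprocess.run(fetch, check=True)   # -f: an HTTP error fails here, not silently
            subprocess.run(run, check=True)
        return fetch, run


if __name__ == "__main__":
    import sys
    scanner_name = sys.argv[1] if len(sys.argv) > 1 else None
    scanner_group = sys.argv[2] if len(sys.argv) > 2 else None
    install_scanner(scanner_name, scanner_group)
```

Run it as `python3 install_scanner.py scanner-name scanner-group` with TVM_LINKING_KEY exported (or the key file in place). After you regenerate the linking key, only the variable or the file changes, which is the point the bullets above make about scripts.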

To regenerate a linking key for your Tenable Vulnerability Management instance:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click any sensor type tab (for example, NNM).

The appropriate sensor page appears.

5. Click the Add [Sensor Type] button (for example, Add NNM).

The appropriate sensor plane appears (for example, Add NNM).

6. In the Add [Sensor Type] plane, click the Regenerate button.

A confirmation window appears.

7. In the confirmation window, click Regenerate.

The Regenerated Linking Key message appears, and the new linking key replaces the original
linking key in the Add [Sensor Type] plane.

What to do next:
l Link a sensor.

View Sensors and Sensor Groups

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Sensors page, you can view your linked sensors: Tenable Vulnerability Management cloud
sensors, your Tenable Nessus Scanners, Tenable Nessus Agents, Tenable Nessus Network Monitors,
and Tenable Web App Scanning Scanners. You can also view your scanner groups and agent groups.

To view sensors and sensor groups:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

Use the left navigation pane to choose what sensors to view:

l Nessus Scanners — Cloud Scanners, Linked Scanners, Scanner Groups

l Nessus Agents — Linked Agents, Agent Groups

l Nessus Network Monitors

l Web Application Scanners — Linked Tenable Web App Scanning Scanners, Tenable Web
App Scanning Scanner Groups

Each sensor page shows a list of your linked sensors or groups, along with the basic information
listed in the following table. Depending on what sensor you are viewing, you may not see all
the columns described.

Column          Description

Name            The name of the sensor.

Created         The date on which the sensor group was created.

IP Address      The IP address of the sensor.

Last Modified   The date on which the sensor was last modified.

Linked On       The date on which the sensor was linked to Tenable Vulnerability Management.

Network         The network associated with the sensor or sensor group.

Platform        The platform associated with the sensor.

Plugin Set      The plugin set of the sensor.

Scan Count      The number of scans that the sensor or sensor group is currently running.

Scanner Count   The number of scanners in the group.

Status          The status of the sensor — Online or Offline.

Updated         The date on which the sensor group was last updated.

Version         The version of the sensor.

Actions         The actions that you can perform for each sensor.

View Sensor Details

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can view details for both cloud sensors and linked sensors.

To view sensor details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the sensor type tab you want to view.

A table of sensors appears.

5. For Nessus Scanners, do one of the following:

l In the drop-down box, select the Cloud Scanners tab to view cloud scanners connected
to Tenable Vulnerability Management. For more information, see Cloud Sensors.

l In the drop-down box, click the Linked Scanners tab to view on-premises scanners
linked to Tenable Vulnerability Management. For more information, see Linked Scanners.

6. In the sensors table, click the sensor where you want to view details.

The Details page appears.

Depending on the sensor type, you can do the following in the Details page:

l Click the Settings tab to modify sensor settings.

l Click the Permissions tab to modify sensor permissions.

Edit Sensor Settings

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can edit certain settings for the following types of linked sensors:

l Tenable Nessus Network Monitor

l Tenable Nessus for Amazon Web Service (AWS)

To edit sensor settings in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the appropriate sensor type tab.

The sensor table appears.

5. If the sensor is a Nessus Scanner, do one of the following:

l In the drop-down box, select the Cloud Scanners tab to view cloud scanners connected
to Tenable Vulnerability Management. For more information, see Cloud Sensors.

l In the drop-down box, select the Linked Scanners tab to view scanners linked to
Tenable Vulnerability Management. For more information, see Linked Scanners

6. In the table of linked sensors, click the sensor for which you want to edit settings.

The sensor details appear. By default, the Overview tab is active.

7. Click the Settings tab.

The sensor settings appear.

8. Edit the sensor settings:

Setting: Report Frequency
Sensor Type: NNM
Description: Specifies the frequency, in minutes, that you want the sensor to report information to
Tenable Vulnerability Management.

Setting: Software Update Type
Sensor Type: NNM (5.6.1 and later only)
Description: Specifies which components, if any, you want Tenable Nessus Network Monitor to
automatically update. All components includes web server, HTML client, plugins, and engine.

Setting: Updates instances every (minutes)
Sensor Type: AWS
Description: Specifies the frequency, in minutes, that you want the AWS sensor to report information
to Tenable Vulnerability Management about the instances it has access to.

9. In the lower-right corner of the page, click Save.

Edit Sensor Permissions

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can set the following Tenable Vulnerability Management user permissions levels in your sensor
configuration:

l No Access — The user or group cannot use the scanner in scan configurations or edit the
scanner configuration.

l Can Use — The user or group can use the scanner in scan configurations, but cannot edit the
scanner configuration.

l Can Manage — The user or group can use the scanner in scan configurations and edit the
scanner configuration.

Note: Cloud scanners always have the Can Use permission regardless of how you configure them.

To modify sensor permissions:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the appropriate sensor type tab.

A sensors table appears.

5. If the sensor is a Nessus Scanner, click the Linked Scanners tab to view on-premises
scanners linked to Tenable Vulnerability Management. For more information, see Linked
Scanners.

6. In the table of linked sensors, click the sensor for which you want to set permissions.

The Details page appears. For all sensors except agents, the Overview tab is active by
default.

7. Click the Permissions tab.

Note: By default, any user in your Tenable Vulnerability Management instance can use the scanner.

8. Do any of the following:

l Select a permissions level from the drop-down box for the Default user.

l To specify permissions for an individual user or user group:

a. In the Add users or user groups text box, type the name of a user or user group.

As you type, Tenable Vulnerability Management searches for matches to existing
users or user groups.

b. In the search results, select a user or user group.

c. In the permissions drop-down, select a permissions level for the user or user
group you added.

9. In the lower-right corner of the page, click Save.

Enable or Disable a Sensor

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To enable or disable a sensor:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the appropriate sensor type tab.

The sensors table appears.

5. (Optional) If the sensor is a Nessus Scanner, select Linked Scanners in the drop-down box to
view on-premises scanners linked to Tenable Vulnerability Management. For more
information, see Linked Scanners.

6. In the table of linked sensors, do one of the following:

l Right-click the sensor you want to enable or disable.

The action options appear next to your cursor.

l In the Actions column, click the button for the sensor you want to enable or disable.

The action options appear in the row.

7. Do one of the following:

l To enable a sensor, click the Enable button.

l To disable a sensor, click the Disable button.

Tenable Vulnerability Management enables or disables the sensor.

Remove a Sensor

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Note: You cannot remove cloud sensors.

To remove a sensor:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Sensors tile.

The Sensors page appears. By default, the Nessus Scanners tab is active and Linked
Scanners is selected in the drop-down box.

4. Click the appropriate sensor type tab.

The sensor table appears.

5. For Nessus Scanners, select Linked Scanners in the drop-down box to view on-premises
scanners linked to Tenable Vulnerability Management. For more information, see Linked
Scanners.

6. In the table of linked sensors, do one of the following:

Scope: Remove a sensor
Action:

a. In the sensors table, do one of the following:

l Right-click the sensor you want to remove.

The action options appear next to the cursor.

l In the Actions column, click the button for the sensor you want to remove.

The action options appear in the row.

l Select the check box next to the sensor you want to remove.

The action bar appears at the top of the table.

b. Click Delete.

A confirmation window appears.

Scope: Remove multiple sensors
Action:

a. In the sensors table, select the check box for the sensors you want to remove.

The action bar appears at the top of the table.

b. Click Delete.

A confirmation window appears.

7. Click Delete to confirm the removal.

Tenable Vulnerability Management removes the sensor from the list.

Credentials

Note: This section describes creating and maintaining managed credentials. For more information about
scan-specific or policy-specific credentials, see Credentials in Tenable Vulnerability Management Scans or
Credentials in Tenable Web App Scanning Scans.

Managed credentials allow you to store credential settings centrally in a credential manager. You
can then add those credential settings to multiple scan configurations instead of configuring
credential settings for each individual scan.

You and users to whom you grant permissions can use managed credentials in scans. Credential
user permissions control which users can use and edit managed credentials.

Create a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

This topic describes creating a managed credential in the Tenable Vulnerability Management
credential manager.

You can also create a managed credential during scan configuration, as well as convert a scan-
specific credential to a managed credential. For more information, see Add a Credential to a Scan
or Configure Credentials Settings in Tenable Web App Scanning.

To create a managed credential:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Credentials tile.

The Credentials page appears. The credentials table lists the managed credentials you have
permission to view.

4. In the upper-right corner of the page, click the Create Credential button.

The Select Credential Type plane appears.

5. Do one of the following:

l Select one of the available credential types.

l Click on a credential type in the category sections.

The credential settings appear.

6. In the Title box, type a name for the credential.

7. (Optional) In the Description box, type a description for the credential.

8. Configure the settings for the credential type you selected.

For more information about credential settings, see Credentials (Tenable Vulnerability
Management) or Credentials (Tenable Web App Scanning).

9. Add user permissions.

10. Click Save.

Tenable Vulnerability Management adds the credential to the credentials table in the
Credentials page.

Edit a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

This topic describes editing a credential in the Tenable Vulnerability Management credential
manager.

You can also edit managed credentials during scan configuration. For more information, see Add a
Credential to a Scan for Tenable Vulnerability Management or Configure Credentials Settings in a
Tenable Web App Scanning Scan for Tenable Web App Scanning.

You can edit any credentials where you have Can Edit permission.

To edit managed credentials:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Credentials tile.

The Credentials page appears. The credentials table lists the managed credentials you have
permission to view.

4. Filter or search the credentials table for the credential you want to edit. For more information,
see Tenable Vulnerability Management Tables.

5. In the credentials table, click the name of the credential you want to edit.

The credential settings plane appears.

6. Do one of the following:

l Edit the credential name or description.

a. Roll over the name or description box.

b. Click the button that appears next to the box.

c. Make your changes.

d. Click the button at the lower right corner of the box to save your changes.

l Edit the settings for the credential type. For more information about these settings, see
Credentials (Tenable Vulnerability Management) or Credentials (Tenable Web App
Scanning).

l Configure user permissions for the credential.

7. Click Save.

Configure User Permissions for a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You configure user permissions for a managed credential separately from the permissions you
configure for the scans where you use the credential.

You can configure credential permissions for individual users or a user group. If you configure
credential permissions for a group, you assign all users in that group the same permissions. You
may want to create the equivalent of a credential manager role by creating a group for the users
you want to manage credentials. For more information, see User Groups.

If you create a managed credential, Tenable Vulnerability Management automatically assigns you
Can Edit permissions.

To configure user permissions for a managed credential:

1. Create or edit a managed credential:

Location                    Action

In the credential manager   Create a Managed Credential or Edit a Managed Credential

In a scan configuration     Add a Credential to a Scan (create a new credential or edit an existing one)

2. Do one of the following:

l Add permissions for a user or user group.

a. In the credential settings plane, click the button next to the User Permissions
title.

The Add User Permission settings appear.

b. In the search box, type the name of a user or group.

As you type, a filtered list of users and groups appears.

c. Select a user or group from the search results.

d. Click the button next to the permission drop-down for the user or group.

e. Select a permission level:

l Can Use — The user can view the credential in the managed credentials table
and use the credential in scans.

l Can Edit — The user can view and edit credential settings, delete the
credential, and use the credential in scans.

f. Click Add.

g. Click Save.

l Edit permissions for a user or user group.

a. In the User Permissions section of the credential settings plane, click the
button next to the permission drop-down for the user or group.

b. Select a permission level:

l Can Use — The user can view the credential in the managed credentials table
and use the credential in scans.

l Can Edit — The user can view and edit credential settings, delete the
credential, and use the credential in scans.

c. Click Save.

l Delete permissions for a user or user group.

a. In the User Permissions section of the credential settings plane, roll over the user
or group you want to delete.

b. Click the button next to the user or user group.

The user or group is removed from the User Permissions list.

c. Click Save.

Export Credentials

Required User Role: Administrator

On the Credentials page, you can export the data for one or more managed credentials.

Note: When you export credential data, authentication details such as usernames, passwords, or keys are
not included in the export.

To export credential data:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Credentials tile.

The Credentials page appears. The credentials table lists the managed credentials you have
permission to view.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Select the credentials that you want to export:

Export Scope: Selected credentials
Action: To export selected credentials:

a. In the credentials table, select the check box for each credential you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than 200
credentials, select all the credentials in the list and then click Export.

Export Scope: A single credential
Action: To export a single credential:

a. In the credentials table, right-click the row for the credential you want to export.

The action options appear next to your cursor.

-or-

In the credentials table, in the Actions column, click the button in the row for the credential
you want to export.

The action buttons appear in the row.

b. Click Export.

The Export plane appears. This plane contains:

l A text box to configure the export file name.

l A list of available export formats.

l A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

l A text box to set the number of days before the export expires.

l A toggle to configure the export schedule.

l A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

Format Description

CSV A CSV text file that contains a list of credentials.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

JSON A JSON file that contains a nested list of credentials.

Empty fields are not included in the JSON file.

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

l Click the Schedule toggle.

The Schedule section appears.

l In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

l In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

l In the Repeat drop-down box, select how often you want the export to repeat.

l In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

l Click the Email Notification toggle.

The Email Notification section appears.

l In the Add Recipients box, type the email addresses to which you want to send the
export notification.

l (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file from the Exports page.

Delete a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can delete any credentials where you have Can Edit permission.

To delete a managed credential:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Credentials tile.

The Credentials page appears. The credentials table lists the managed credentials you have
permission to view.

4. Filter or search the credentials table for the credential you want to delete. For more
information, see Tenable Vulnerability Management Tables.

5. In the table, roll over the credential you want to delete.

The action buttons appear in the row.

6. Click the button.

The Confirm Deletion window appears.

7. Do one of the following:

l If no scans use the credential, click Delete.

l If any scans use the credential:

a. Click View Scans.

The Scans plane appears.

b. Filter or search for scans that use the credential.

c. Do one of the following:

l Click Cancel to cancel the deletion.

l Click Delete to confirm the deletion.

Exclusions

You can use exclusions to restrict the scanning of specific hosts based on a selected schedule.

Note: Exclusions do not apply to Agent scans.

For more information on exclusions, see the following topics:

Create an Exclusion

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Note: Exclusions do not apply to Agent scans.

To create an exclusion:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exclusions tile.

The Exclusions page appears.

4. In the upper-right corner of the page, click the Create Exclusion button.

The Create an Exclusion page appears.

5. Set the exclusion settings.

6. Click Save.

Tenable Vulnerability Management saves the exclusion and applies the exclusion to the
selected scan targets.

Edit an Exclusion

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To edit an exclusion:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exclusions tile.

The Exclusions page appears.

4. In the exclusions table, click the exclusion you want to edit.

The Update an Exclusion page appears.

5. Edit the exclusion settings.

6. Click Save.

Tenable Vulnerability Management saves the exclusion, and the Exclusions page appears.

Import an Exclusion

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can import an exclusion as a .csv file.

Note: When you import an exclusion, Tenable Vulnerability Management automatically assigns it to the
default network. After import, you can move the exclusion to a custom network.

Before you begin:

l Create a .csv file in the specified format.

To import an exclusion:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exclusions tile.

The Exclusions page appears.

4. In the upper-right corner of the page, click the Import button.

Your operating system's file manager appears.

5. Select a .csv file to import.

Tenable Vulnerability Management imports the file and adds the exclusions to the exclusions
table.

Exclusion Import File

You can import one or more exclusions as a .csv file.

Note: Tenable does not recommend opening the .csv file in Microsoft Excel, as Excel can add additional
characters to the file that Tenable Vulnerability Management cannot recognize.

This file is composed of a header and at least one line of data. Each line in the file must be
separated by a new line break.

Header (Optional)

A header line in the file is optional. If included, the header must be the first line in the file and be
formatted as follows:

id,name,description,members,creation_date,last_modification_date

Note: There are no spaces after the commas.

Data (Required)

Each data line in the file represents one exclusion configuration. Data lines must be separated from
each other by a new line break. The file must include at least one data line.

Each data line is a comma-separated string of fields described in the table below.

Note: Optional fields can be blank, but the associated comma separator must be present in the data line.

Field: id (Required: No)
An integer that uniquely identifies the exclusion.

Field: name (Required: Yes)
The name of the exclusion. You can use any combination of alpha-numeric characters or symbols.

Field: description (Required: Yes)
A description for the exclusion.

Field: members (Required: Yes)
The target or targets where you want the scan exclusion to apply.

This value can have the following formats:

• A hostname (example.com)

• An IP address (192.0.2.57)

• An IP range (192.0.2.57-192.0.2.67)

• A comma-separated list of multiple hostnames, IP addresses, or IP ranges, bracketed by
quotation marks ("192.0.2.57,192.0.2.177,192.0.2.8")

Field: creation_date (Required: No)
The Unix timestamp that Tenable Vulnerability Management uses as the creation date for the
imported exclusion.

Field: last_modification_date (Required: No)
The Unix timestamp that Tenable Vulnerability Management uses as the last modification date for
the exclusion.

Example

id,name,description,members,creation_date,last_modification_date
1,Exclusion Rule 1,routers,"192.0.2.57,192.0.2.177,192.0.2.8",1561643735,1561643785
2,Exclusion Rule 2,workstations,192.0.2.57-192.0.2.67,,
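The import format described above, handled by an added example that is not Tenable's own importer: a Python parser that accepts the optional header, enforces the required fields and the rule that blank optional fields keep their comma separators, and validates each member against the four documented formats. SAMPLE_FILE reproduces the page's example; the hostname pattern and the rejection of reversed or mixed-version IP ranges are this example's own choices.

```python
# Added example (not Tenable's importer): parser/validator for the exclusion
# import .csv format. Field names and order come from the page; the hostname
# pattern and the range checks are this example's own validation choices.
import csv
import io
import ipaddress
import re

FIELDS = ["id", "name", "description", "members",
          "creation_date", "last_modification_date"]
REQUIRED = ("name", "description", "members")
INTEGER_FIELDS = ("id", "creation_date", "last_modification_date")

# Hostname labels: letters, digits and inner hyphens, joined by dots (RFC 1123 style).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample file, reproducing the page's example.
SAMPLE_FILE = (
    "id,name,description,members,creation_date,last_modification_date\n"
    '1,Exclusion Rule 1,routers,"192.0.2.57,192.0.2.177,192.0.2.8",1561643735,1561643785\n'
    "2,Exclusion Rule 2,workstations,192.0.2.57-192.0.2.67,,\n"
)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def valid_member(member):
    """One hostname, one IP address, or one IP range written start-end."""
    if _is_ip(member):
        return True
    start, sep, end = member.partition("-")
    if sep and _is_ip(start) and _is_ip(end):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        return lo.version == hi.version and lo <= hi   # reject mixed or reversed ranges
    if re.fullmatch(r"[0-9.]+", member):
        return False   # dotted digits that are not a valid address are not a hostname either
    return bool(HOSTNAME_RE.match(member))


def parse_members(value):
    """Split a members field (plain or quoted comma list) into validated entries."""
    members = [m.strip() for m in value.split(",") if m.strip()]
    if not members:
        raise ValueError("members is required")
    bad = [m for m in members if not valid_member(m)]
    if bad:
        raise ValueError("invalid member(s): " + ", ".join(bad))
    return members


def parse_exclusion_file(text):
    """Return a list of exclusion dicts, or raise ValueError on the first bad line."""
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        raise ValueError("file has no data lines")
    if rows[0] == FIELDS:
        rows = rows[1:]                      # optional header: exact order, no spaces
    elif rows[0][0].strip().lower() == "id":
        raise ValueError("header present but not in the documented order")
    exclusions = []
    for lineno, row in enumerate(rows, start=1):
        if len(row) != len(FIELDS):          # blank optional fields still need their commas
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(FIELDS), len(row)))
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        missing = [f for f in REQUIRED if not rec[f]]
        if missing:
            raise ValueError("line %d: missing required %s" % (lineno, ", ".join(missing)))
        for f in INTEGER_FIELDS:
            rec[f] = int(rec[f]) if rec[f] else None
        rec["members"] = parse_members(rec["members"])
        exclusions.append(rec)
    return exclusions


if __name__ == "__main__":
    for ex in parse_exclusion_file(SAMPLE_FILE):
        print(ex["name"], "->", ex["members"])
```

Running a file through this parser before uploading it catches the two most common import mistakes, a missing trailing comma for a blank timestamp and a typo in an address, without opening the file in a spreadsheet.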

Export an Exclusion

Required User Role: Administrator

On the Exclusions page, you can export one or more scanning exclusions.

To export an exclusion:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exclusions tile.

The Exclusions page appears. This page displays a list of exclusions configured on your
Tenable Vulnerability Management account.

4. (Optional) Refine the table data. For more information, see Tenable Vulnerability Management
Workbench Tables.

5. Select the exclusions that you want to export:

Export scope: selected exclusions

a. In the exclusions table, select the check box for each exclusion you want to export.

The action bar appears at the top of the table.

b. In the action bar, click Export.

Note: The Export link is available for up to 200 selections. If you want to export more than 200
exclusions, select all the exclusions in the list and then click Export.

Export scope: a single exclusion

a. In the exclusions table, right-click the row for the exclusion you want to export.

The action options appear next to your cursor.

-or-

In the exclusions table, in the Actions column, click the button in the row for the exclusion you
want to export.

The action buttons appear in the row.

b. Click Export.

The Export plane appears. This plane contains:

• A text box to configure the export file name.

• A list of available export formats.

• A table of configuration options for fields to include in the exported file.

Note: By default, all fields are selected.

• A text box to set the number of days before the export expires.

• A toggle to configure the export schedule.

• A toggle to configure the email notification.

6. In the Name box, type a name for the export file.

7. Click the export format you want to use:

Format: CSV
A CSV text file that contains a list of exclusions.

Note: If your .csv export file includes a cell that begins with any of the following
characters (=, +, -, @), Tenable Vulnerability Management automatically inputs a
single quote (') at the beginning of the cell. For more information, see the
related knowledge base article.

Format: JSON
A JSON file that contains a nested list of exclusions.

Empty fields are not included in the JSON file.
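The two export rules above, the single-quote prefix for CSV cells that begin with =, +, - or @ and the omission of empty fields from JSON, implemented as an added example that is not Tenable's export code. The sample exclusions are constructed; the second one carries a name and a description that a spreadsheet would otherwise evaluate as formulas, which is the case the prefix exists to defuse.

```python
# Added example (not Tenable's export code): CSV and JSON renderers that follow the
# two documented export rules. The sample records are constructed.
import csv
import io
import json

EXPORT_FIELDS = ["id", "name", "description", "members",
                 "creation_date", "last_modification_date"]
FORMULA_PREFIXES = ("=", "+", "-", "@")

# Constructed records. The second has cells a spreadsheet would treat as formulas.
SAMPLE_EXCLUSIONS = [
    {"id": 1, "name": "Exclusion Rule 1", "description": "routers",
     "members": ["192.0.2.57", "192.0.2.177"],
     "creation_date": 1561643735, "last_modification_date": 1561643785},
    {"id": 2, "name": "-legacy-", "description": "=1+1",
     "members": ["192.0.2.57-192.0.2.67"],
     "creation_date": None, "last_modification_date": None},
]


def is_empty(value):
    return value is None or value == "" or value == []


def sanitize_cell(value):
    """Render one CSV cell; a leading =, +, - or @ gets a single quote in front of it
    so spreadsheet software reads the cell as text rather than as a formula."""
    if is_empty(value):
        return ""
    text = ",".join(value) if isinstance(value, list) else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def export_csv(exclusions, fields=EXPORT_FIELDS):
    """CSV export: a header plus one row per exclusion, limited to the chosen fields."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for ex in exclusions:
        writer.writerow([sanitize_cell(ex.get(f)) for f in fields])
    return buf.getvalue()


def json_records(exclusions, fields=EXPORT_FIELDS):
    """JSON export body: empty fields are dropped from each record."""
    return [{f: ex[f] for f in fields if not is_empty(ex.get(f))} for ex in exclusions]


def export_json(exclusions, fields=EXPORT_FIELDS):
    return json.dumps({"exclusions": json_records(exclusions, fields)}, indent=2)


if __name__ == "__main__":
    print(export_csv(SAMPLE_EXCLUSIONS))
    print(export_json(SAMPLE_EXCLUSIONS))
```

The prefix is applied to the rendered cell, so a members list whose first address happens to start with a hyphen is treated the same way as any other cell; consumers that parse the CSV programmatically should strip a leading single quote before using the value.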

8. (Optional) Deselect any fields you do not want to appear in the export file.

9. In the Expiration box, type the number of days before the export file expires.

Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export
expiration.

10. (Optional) To set a schedule for your export to repeat:

• Click the Schedule toggle.

The Schedule section appears.

• In the Start Date and Time section, select the date and time on which you want the
export schedule to start.

• In the Time Zone drop-down box, select the time zone to which you want the schedule
to adhere.

• In the Repeat drop-down box, select how often you want the export to repeat.

• In the Repeat Ends drop-down, select the date on which you want the schedule to end.

Note: If you select never, the schedule repeats until you modify or delete the export schedule.

11. (Optional) To send email notifications on completion of the export:

Note: You can enable email notifications with or without scheduling exports.

• Click the Email Notification toggle.

The Email Notification section appears.

• In the Add Recipients box, type the email addresses to which you want to send the
export notification.

• (Required) In the Password box, type a password for the export file. You must share this
password with the recipients to allow them to download the file.

Note: Tenable Vulnerability Management sends an email to the recipients and from the link in
the email, the recipients can download the file by providing the correct password.

12. Click Export.

Tenable Vulnerability Management begins processing the export. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
export.

When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

13. Access the export file via your browser's downloads directory. If you close the export plane
before the download finishes, then you can access your export file from the Exports page.

Delete an Exclusion

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

To delete an exclusion:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Exclusions tile.

The Exclusions page appears.

4. Select the exclusion or exclusions you want to delete:

• Select a single exclusion:

a. In the exclusions table, roll over the exclusion you want to delete.

The action buttons appear in the row.

b. In the row, click the button.

A confirmation window appears.

• Select multiple exclusions:

a. In the exclusions table, select the check box for each exclusion you want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the selected exclusion or exclusions.

Exclusion Settings

Note: Exclusions do not apply to Agent scans.

Setting and Description

Settings

Name: Specifies a name for the exclusion.

Description: Specifies a description for the exclusion.

Targets: Specifies targets that you want excluded from scans. Add targets as host
names or IP ranges, separated by commas.

You cannot use the Targets setting if you already specified targets with the
Upload Targets setting.

Tip: The Targets setting supports excluding specific ports per IP address by
typing IP:Port entries.

Network: Specifies the network that the targets belong to: either Default or a custom
network.

Upload Targets: Uploads a text file with host names or IP ranges, separated by commas, that
you want excluded from scans.

You cannot use the Upload Targets setting if you already specified targets
with the Targets setting.

Schedule

Enabled: Enables or disables a schedule for when the exclusion is enabled. When
disabled, the exclusion is set to Always On. When enabled, you can
configure the following settings, which set a frequency and schedule for
when the exclusion is enabled.

Summary: A summary of the selections for the Frequency, Starts, and Ends settings.

Frequency: A drop-down box that contains the following options: Once, Daily, Weekly,
Monthly, and Yearly.

Starts: Two drop-down boxes in which you can select a date and time when the
exclusion begins.

Tip: To select a more granular start time, manually type the desired time in the
box, then click Create.

Note: Tenable Vulnerability Management does not support an exclusion that
starts and ends at 00:00 - 00:00.

Ends: Two drop-down boxes in which you can select a date and time when the
exclusion ends.

Tip: To select a more granular end time, manually type the desired time in the
box, then click Create.

Note: Tenable Vulnerability Management does not support an exclusion that
starts and ends at 00:00 - 00:00.

Time Zone: A drop-down box with a search bar in which you can select a time zone for
the selected dates and times.

Connectors

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Vulnerability Management uses connectors, including third-party data connectors, to
import assets from other platforms. Tenable Vulnerability Management supports connectors for
Tenable Vulnerability Management and Tenable Container Security.

Tenable Vulnerability Management Connectors

Tenable Vulnerability Management includes connectors for AWS, GCP, and Microsoft Azure. To use Tenable
Vulnerability Management connectors to scan your assets, you must first configure the platform the
connector integrates with, then create the connector, as described in the appropriate section for
your platform:

• Amazon Web Service (AWS)

• Google Cloud Platform (GCP)

• Microsoft Azure

After you configure platforms and create connectors, you can manage connectors from the
Settings page in Tenable Vulnerability Management.

Note: When using cloud connectors, Tenable recommends allowlisting the IP addresses for the region in
which the Tenable Vulnerability Management site resides.

The licensing implications are as follows:

• Assets discovered through the connectors do not count against the license until and unless
the asset is scanned for vulnerabilities. Discovery through the connector is free.

• Assets discovered through the connectors that did become licensed fall off the license the
day after the asset was terminated. This event can be observed via the connector.

• When an asset is terminated, Tenable Vulnerability Management stops matching scan results
to the asset. The asset is also deleted from the default view of the assets table.

• When an asset is deleted, Tenable Vulnerability Management purges the asset and any
associated findings in Explore, and releases the asset's license. For more information, see
Delete Assets.

Tip: For information on other ways to ingest data into Tenable Vulnerability Management, see the Data
Ingestion in Tenable Vulnerability Management quick reference guide.

Container Security Connectors

For information about Tenable Container Security connectors, see Configure Tenable Container
Security Connectors to Import and Scan Images.

Supported Plugins

To view the supported plugins for AWS and Azure, see the Tenable Plugins page. Use the filter
Supported Sensors to view the Frictionless Assessment plugins.

Amazon Web Services Connector

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Amazon Web Services (AWS) connector provides real-time visibility and inventory of EC2
instances in your AWS account.

To import and analyze information about EC2 instances in AWS, you must first configure AWS to
support your connector configuration, then create an AWS connector in Tenable Vulnerability
Management.

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability
Management. Assets discovered through the connectors do not count against the license until and
unless the asset is scanned for vulnerabilities.

To assess AWS assets for vulnerabilities, Tenable recommends that you use Frictionless
Assessment to assess for vulnerabilities in the cloud. Alternatively, you can run a Tenable Nessus
scanner or agent scan, which runs plugins locally on the host.

Note: The AWS connector performs two types of imports:

• Full Sync: Occurs when the AWS connector describes all EC2 instances in your account
and imports them to Tenable Vulnerability Management.

• Partial Sync: Occurs when the AWS connector reads all CloudTrail events and imports any
created or terminated EC2 instances since the previous sync.

The AWS connector performs up to 47 partial syncs and one full sync in a 24-hour period. When
you set a new schedule, the AWS connector resets and triggers another full sync.
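The sync cycle in the note above and the licensing rules listed earlier for connector-discovered assets (discovery is free, a scanned asset becomes licensed, a terminated asset drops off the license the day after termination and out of the default assets view), modelled as an added example that is not Tenable's connector code. The instance records and CloudTrail-style events are constructed; RunInstances and TerminateInstances are the real EC2 API event names, while the record layout, the 47-sync budget check, and the rule that an instance absent from a full describe is treated as terminated are this example's own assumptions.

```python
# Added example (not Tenable's connector code): a model of the full/partial sync
# cycle and of the licensing rules for connector-discovered assets. Instance
# records and CloudTrail-style events are constructed; RunInstances and
# TerminateInstances are the real EC2 API event names, the rest is assumed here.
from datetime import date, datetime, timedelta, timezone

PARTIAL_SYNCS_PER_FULL = 47   # documented cadence: 47 partial syncs and 1 full sync per 24 hours


class ConnectorInventory:
    """Tracks the EC2 instances a connector has seen, plus their licence state."""

    def __init__(self):
        self.instances = {}          # InstanceId -> {"state", "terminated_at", "licensed"}
        self.last_sync = None        # partial syncs only apply events newer than this
        self.partials_since_full = 0

    def _record(self, iid):
        return self.instances.setdefault(
            iid, {"state": "running", "terminated_at": None, "licensed": False})

    def _terminate(self, iid, when):
        rec = self._record(iid)
        if rec["terminated_at"] is None:
            rec["state"], rec["terminated_at"] = "terminated", when

    def full_sync(self, described, now):
        """Describe-all pass: the account's current instance list replaces the tracked set."""
        seen = set()
        for inst in described:
            seen.add(inst["InstanceId"])
            if inst["State"] == "terminated":
                self._terminate(inst["InstanceId"], now)
            else:
                self._record(inst["InstanceId"])["state"] = inst["State"]
        for iid in self.instances:
            if iid not in seen:          # assumption: no longer reported means terminated
                self._terminate(iid, now)
        self.last_sync, self.partials_since_full = now, 0

    def partial_sync(self, events, now):
        """Event pass: apply create/terminate events newer than the previous sync, in order."""
        if self.partials_since_full >= PARTIAL_SYNCS_PER_FULL:
            raise RuntimeError("partial-sync budget spent; the next pass must be a full sync")
        for ev in sorted(events, key=lambda e: e["eventTime"]):
            if self.last_sync is not None and ev["eventTime"] <= self.last_sync:
                continue                 # already covered by an earlier sync
            for iid in ev["instanceIds"]:
                if ev["eventName"] == "RunInstances":
                    self._record(iid)["state"] = "running"
                elif ev["eventName"] == "TerminateInstances":
                    self._terminate(iid, ev["eventTime"])
        self.last_sync = now
        self.partials_since_full += 1

    def record_scan(self, iid):
        """Scan results only attach to (and license) a tracked, non-terminated asset."""
        rec = self.instances.get(iid)
        if rec is None or rec["terminated_at"] is not None:
            return False
        rec["licensed"] = True
        return True

    def licensed_on(self, day):
        """Licensed assets on a day: a terminated host falls off the day after termination."""
        return sorted(iid for iid, rec in self.instances.items()
                      if rec["licensed"] and (rec["terminated_at"] is None
                                              or rec["terminated_at"].date() >= day))

    def default_view(self):
        """The assets table's default view omits terminated assets."""
        return sorted(iid for iid, rec in self.instances.items()
                      if rec["terminated_at"] is None)


T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
DESCRIBED = [{"InstanceId": "i-0aaa", "State": "running"},
             {"InstanceId": "i-0bbb", "State": "running"}]
EVENTS = [   # constructed; the last event predates the full sync and must be ignored
    {"eventName": "RunInstances", "eventTime": T0 + timedelta(hours=1), "instanceIds": ["i-0ccc"]},
    {"eventName": "TerminateInstances", "eventTime": T0 + timedelta(hours=2), "instanceIds": ["i-0bbb"]},
    {"eventName": "TerminateInstances", "eventTime": T0 - timedelta(hours=5), "instanceIds": ["i-0aaa"]},
]


def demo():
    inv = ConnectorInventory()
    inv.full_sync(DESCRIBED, T0)
    inv.record_scan("i-0aaa")            # both hosts scanned: now licensed
    inv.record_scan("i-0bbb")
    inv.partial_sync(EVENTS, T0 + timedelta(hours=3))
    return {
        "default_view": inv.default_view(),
        "aaa_state": inv.instances["i-0aaa"]["state"],
        "scan_after_termination": inv.record_scan("i-0bbb"),
        "licensed_termination_day": inv.licensed_on(date(2024, 6, 1)),
        "licensed_next_day": inv.licensed_on(date(2024, 6, 2)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering rule: events are applied in time order and anything at or before the previous sync is discarded, so a late-arriving old event cannot resurrect or re-terminate a host, and the licence count for a day is derived from termination timestamps rather than from the current state alone.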

Goal: Discover AWS assets and assess for vulnerabilities using Frictionless Assessment

The cloud connector discovers AWS assets and collects an inventory of data points on your AWS
EC2 instances, then assesses the hosts for vulnerabilities in the cloud, rather than running
plugins locally on the host.

For more information, see Frictionless Assessment for AWS.

Connector type:
• Keyless authentication with Frictionless Assessment enabled

Goal: Discover AWS assets

The cloud connector discovers AWS assets without assessing them for vulnerabilities. Optionally,
you can scan discovered assets later using a Tenable Nessus scanner or agent scan.

For more information, see AWS Cloud Connector (Discovery Only).

Connector types:
• Keyless authentication (recommended)
• Key-based authentication

To manage existing AWS connectors, see Manage Connectors.

Tip: For descriptions of common connector errors, see Connectors in the Tenable Developer Portal.

Frictionless Assessment for AWS


Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

With Frictionless Assessment, Tenable Vulnerability Management discovers and collects an
inventory of data points on your Amazon Web Services (AWS) EC2 instances. Then, for EC2
instances with an AWS tag that you specify for Frictionless Assessment, Tenable Vulnerability
Management assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally
on the hosts.

Note: Frictionless Assessment reports on Asset information even if it is in a "stopped" state. The AWS
Systems Manager Agent (SSM Agent), which Frictionless Assessment leverages to collect data from a host
and create an inventory of data points on your AWS EC2 instances, also collects data even in "stopped"
state.

Frictionless Assessment uses the AWS Systems Manager Inventory and AWS Systems Manager
Agent (SSM Agent) to collect the required data. For more information on AWS configuration
requirements, see Configure AWS for Frictionless Assessment.

You do not need to configure scanners, Tenable Nessus Agents, scans, or scan schedules to assess
hosts with Frictionless Assessment.

Operating System Coverage

Frictionless Assessment has vulnerability coverage for EC2 instances created from the following
Amazon Machine Images:

• Amazon Linux 1 / 2

• CentOS 6 / 7 / 8

• Red Hat 6 / 7 / 8

• SUSE Linux Enterprise Server (SLES) 11.4-15.2

• SUSE Linux Enterprise Desktop (SLED) 12-15.2

• Ubuntu 16.04 / 18.04 / 20.04

• Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019,
Windows Server 2022

• Windows 7, Windows 8, Windows 10, Windows 11

Licensing Considerations

In general, in Tenable Vulnerability Management, assets count towards your license when they are
assessed for vulnerabilities. Therefore, EC2 hosts that are assessed by Frictionless Assessment
count against your license. For more information, see Tenable Vulnerability Management Licenses.

When you select AWS tags for hosts to be assessed by Frictionless Assessment, note that all hosts
with any of those tags count towards your license. Hosts that are only discovered by the connector,
and not assessed by Frictionless Assessment (for example, hosts that do not have a tag you
selected for Frictionless Assessment), do not count towards your license.

Supported Regions

The following regions are supported for AWS Frictionless Assessment:

• us-east-1, US East (N. Virginia)

• us-east-2, US East (Ohio)

• us-west-1, US West (N. California)

• us-west-2, US West (Oregon)

• ca-central-1, Canada (Central)

• ap-south-1, Asia Pacific (Mumbai)

• ap-northeast-1, Asia Pacific (Tokyo)

• ap-northeast-2, Asia Pacific (Seoul)

• ap-southeast-1, Asia Pacific (Singapore)

• ap-southeast-2, Asia Pacific (Sydney)

• eu-central-1, EU (Frankfurt)

• eu-west-1, EU (Ireland)

• eu-west-2, EU (London)

• eu-west-3, EU (Paris)

• sa-east-1, South America (Sao Paulo)

Limitations

• Frictionless Assessment does not run informational plugins, run remote vulnerability plugins,
or gather compliance data.

• A connector configured with Frictionless Assessment only supports one AWS account. If you
want to assess hosts across multiple AWS accounts, you must configure a separate connector
for each AWS account.

• You must use a single AWS tag key to identify the assets you want Frictionless Assessment to
access.

• Tenable Vulnerability Management creates an AWS Systems Manager inventory association on
your instance to collect inventory for Frictionless Assessment. However, AWS Systems
Manager has a restriction that only one inventory association can be applied to an instance at
a time, as described in the AWS Documentation. If you have an existing inventory association
applied to your instance, remove it before configuring Frictionless Assessment. For more
information, see the AWS Documentation.

• The limit for Frictionless Assessment scans is one per day, whereas existing Frictionless
Assessment connectors created before May 1, 2023 transmit inventory data more frequently.
Frictionless Assessment drops data exceeding the frequency limit and does not scan it.

Note: The limitation does not apply to Tenable Container Security, Agentless Assessment, or
Tenable Nessus Agent-based inventory scans.
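Tag selection, license counting, and the region check, as an added example (not Tenable's code) that ties together the Licensing Considerations, the Supported Regions list, and the single-tag-key limitation above. The instance records are constructed; the tag match is exact and case-sensitive, as the connector setup steps require, and treating a tagged instance in a region outside the list as not assessable is this example's own assumption.

```python
# Added example (not Tenable's code): choose EC2 instances for Frictionless
# Assessment by one AWS tag key, count the licence impact, and flag regions
# outside the documented list. The instance records are constructed.

SUPPORTED_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ca-central-1",
    "ap-south-1", "ap-northeast-1", "ap-northeast-2", "ap-southeast-1",
    "ap-southeast-2", "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3",
    "sa-east-1",
}

# Constructed inventory. Only i-0001 matches the tag Tenable:FA exactly; i-0002 and
# i-0003 differ from it in case, and i-0004 sits in a region the page does not list.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "Region": "us-east-1", "Tags": [{"Key": "Tenable", "Value": "FA"}]},
    {"InstanceId": "i-0002", "Region": "us-east-1", "Tags": [{"Key": "tenable", "Value": "FA"}]},
    {"InstanceId": "i-0003", "Region": "eu-west-1", "Tags": [{"Key": "Tenable", "Value": "fa"}]},
    {"InstanceId": "i-0004", "Region": "ap-east-1", "Tags": [{"Key": "Tenable", "Value": "FA"}]},
    {"InstanceId": "i-0005", "Region": "us-west-2", "Tags": []},
]


def matches_tag(instance, tag_key, tag_value=None):
    """Exact, case-sensitive match on one tag key and, when given, its value."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    if tag_key not in tags:
        return False
    return tag_value is None or tags[tag_key] == tag_value


def plan_assessment(instances, tag_key, tag_value=None):
    """Partition instances into assessed (these count against the license),
    discovered-only (free), and tagged-but-unsupported-region (assumed not assessed)."""
    plan = {"assessed": [], "discovered_only": [], "unsupported_region": []}
    for inst in instances:
        if not matches_tag(inst, tag_key, tag_value):
            plan["discovered_only"].append(inst["InstanceId"])
        elif inst["Region"] not in SUPPORTED_REGIONS:
            plan["unsupported_region"].append(inst["InstanceId"])   # assumption: skipped
        else:
            plan["assessed"].append(inst["InstanceId"])
    plan["license_count"] = len(plan["assessed"])
    return plan


if __name__ == "__main__":
    print(plan_assessment(SAMPLE_INSTANCES, "Tenable", "FA"))
```

Running the plan against a DescribeInstances dump before the connector is created shows exactly which hosts will become licensed, and surfaces tag-case mismatches (i-0002, i-0003) that would otherwise silently leave a host unassessed.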

Get Started

1. Determine who in your organization has the appropriate AWS credentials to access the
AWS console.

2. Depending on who has the AWS credentials, do one of the following:

• If you are setting up the Tenable Vulnerability Management cloud connector and also
have the appropriate AWS credentials for your organization:

a. Ensure your AWS configuration meets the requirements for Frictionless
Assessment, as described in Configure AWS for Frictionless Assessment.

b. Create your AWS connector, as described in Create an AWS Connector for
Frictionless Assessment.

• If you are setting up the Tenable Vulnerability Management cloud connector, but
someone other than you in your organization has the necessary AWS credentials:

a. The person with AWS credentials must ensure the AWS configuration meets the
requirements for Frictionless Assessment, as described in Configure AWS for
Frictionless Assessment.

b. The person with AWS credentials must manually configure AWS roles and policies
for use with Frictionless Assessment.

c. Create your AWS connector, as described in Create an AWS Connector with
Keyless Authentication for Frictionless Assessment.

3. To delete an AWS cloud connector, see Delete a Connector.

4. If you delete a connector, manually delete the CloudFormation stack in AWS, as described in
Manually Delete Connector Artifacts in AWS.

Configure AWS for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Frictionless Assessment leverages the AWS Systems Manager Inventory and AWS Systems Manager
Agent (SSM Agent) to collect data from a host and create an inventory of data points on your AWS
EC2 instances. You do not need to configure scanners, Tenable Nessus Agents, scans, or scan
schedules to assess hosts with Frictionless Assessment.

If you have access to your organization's AWS console, ensure your AWS configuration meets the
following requirements before creating the Tenable Vulnerability Management cloud connector.

If someone other than you has access to your organization's AWS console, ensure they configure
AWS to meet the following requirements before you create the Tenable Vulnerability Management
cloud connector.

To configure your AWS environment for use with Frictionless Assessment:

1. Set up AWS Systems Manager for your account, as described in the AWS Systems
Manager documentation.

2. Ensure that you have access to AWS Systems Manager Inventory. For more information, see
AWS Systems Manager Inventory in the AWS Systems Manager documentation.

3. Ensure your EC2 instances have the SSM Agent installed.

• Most EC2 instance distributions come with SSM Agent preinstalled. For more
information, see About SSM Agent in the AWS Systems Manager documentation.

• If your distribution does not have SSM installed, manually install the SSM Agent as
described in the AWS Systems Manager documentation.

4. Ensure the target EC2 instances you want to assess with Frictionless Assessment are tagged
with a single AWS tag key. For example, you can use the tag key Tenable.

Later, you will select this AWS tag key to identify instances you want to assess with
Frictionless Assessment.

5. Tenable Vulnerability Management creates an AWS Systems Manager inventory association on
your instance to collect inventory for Frictionless Assessment. However, AWS Systems
Manager has a restriction that only one inventory association can be applied to an instance at
a time, as described in the AWS Documentation. If you have an existing inventory association
applied to your instance, remove it before configuring Frictionless Assessment. For more
information, see the AWS Documentation.

What to do next:

• Depending on who has the AWS credentials for your organization, do the following:

  • If you are setting up the Tenable Vulnerability Management cloud connector and also
  have the appropriate AWS credentials for your organization:

    • Create your AWS connector, as described in Create an AWS Connector for
    Frictionless Assessment.

Create an AWS Connector for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

When you configure an Amazon Web Services (AWS) cloud connector with keyless authentication
for Frictionless Assessment, Tenable Vulnerability Management uses a Cloud Formation template
(CFT) to configure the required roles and policies for your AWS account automatically. This
configuration sets up the regular cloud connector and Frictionless Assessment.

To use Frictionless Assessment with your AWS connector, you must enter an AWS tag key to
identify hosts to be assessed by Frictionless Assessment. If you do not enter a tag key, the
connector functions as discovery-only and assets are not assessed for vulnerabilities.

Note: Create a separate cloud connector for each AWS account that owns hosts you want to evaluate for
Frictionless Assessment.

Before you begin:


• Ensure that your AWS configuration meets the requirements for Frictionless Assessment, as
described in Configure AWS for Frictionless Assessment.

• For best results, ensure that this is a new AWS cloud connector setup. If you have existing
AWS cloud connectors configured, delete the existing tenableio-connector IAM role before
creating the new AWS cloud connector.

Note: To use Legacy Tenable Cloud Security Preview or Legacy Tenable Cloud Security, you must
update or create new roles that support Legacy Tenable Cloud Security. Tenable Vulnerability
Management cloud connector roles do not support Agentless Assessment.

• In another window or tab of the same browser with which you are accessing Tenable
Vulnerability Management, log in to the AWS console with the AWS account that you want to
target with Frictionless Assessment.

Create the AWS Frictionless Assessment connector and CFT:

1. Log in to your Tenable Vulnerability Management user interface and go to Settings > Cloud
Connectors.

2. Click Create Cloud Connector.

The Select a Cloud Connector panel appears.

3. In the Cloud Connectors list, select Frictionless Assessment.

The Connector Setup pop-up appears.

4. In the Cloud Provider step, select AWS and enter a Connector Name.

Click Next.

5. In the Enable Features step, ensure the check box to Identify vulnerabilities using
frictionless assessment is selected.

Click Next.

6. In the Configuration step, select the target parameters:

a. Enter the Account ID to target.

b. Select a tag by providing the Tag key and value:

i. In the Tag Key box, type the AWS tag key.

For example, in the AWS tag Tenable:FA, the tag key is Tenable.

ii. In the Tag Value box, do one of the following:

For example, in the AWS tag Tenable:FA, the tag value is FA.

Tip: You can only specify one tag for AWS Frictionless Assessment.

Note: The tag key and value are case sensitive and must match what is in AWS exactly.

Note: To use Frictionless Assessment with your AWS connector, you must enter an AWS tag
key to identify hosts to be assessed by Frictionless Assessment. If you do not enter a tag key,
the connector functions as discovery-only and assets are not assessed for vulnerabilities.

c. Select the Network to target. You can select an existing network or create a new
network using the Network drop-down menu. If you do not specify a network, your
default network is selected.

Click Next.

7. In the Apply Choices step, click Download and Finish.

The CFT downloads in .yml format, and the new connector shows on the Cloud Connectors
page.

Deploy the connector using the CFT:

Deploy the CFT you downloaded in the previous section to your AWS accounts (for more
information, see the AWS documentation).

If you need to deploy to more than one region, Tenable recommends deploying the template as a
stack set (for more information, see the AWS stack set documentation).

What to do next:

• Create an AWS Connector with Keyless Authentication (Discovery Only) for your AWS account
if you do not already have one. Your AWS account needs a keyless connector for Tenable
Vulnerability Management to track asset states and asset terminations.

Note: The keyless connector needs to be set up for the same account that AWS Frictionless
Assessment is set up for.

• Edit the AWS Frictionless Assessment connector's tags when needed. For more information,
see Edit an AWS Frictionless Assessment Connector.

• View Assets to see hosts discovered by the connector. Hosts found by an AWS connector
using Frictionless Assessment appear with the source SSM.

• View vulnerabilities to see vulnerabilities identified by Frictionless Assessment.

Edit an AWS Frictionless Assessment Connector

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can edit the name, tags, and network of an Amazon Web Services (AWS) Frictionless
Assessment connector.

Note: If you edit an AWS Frictionless Assessment connector's tags, you have to redeploy the connector to
your AWS accounts to update the tag information in AWS.

To edit your AWS Frictionless Assessment connector:

1. Log in to your Tenable Vulnerability Management user interface and go to Settings > Cloud
Connectors.

2. From the Cloud Connectors table, click the AWS_FA connector that you want to edit tags for.

The Edit connector page appears.

3. Edit the connector:


l To edit the connector name, click the Connect Name field and enter a new name.

l To edit the connector tags, do the following:

a. In the Tag Key box, type the AWS tag key.

For example, in the AWS tag Tenable:FA, the tag key is Tenable.

b. In the Tag Value box, do one of the following:

For example, in the AWS tag Tenable:FA, the tag value is FA.

Tip: You can only specify one tag for AWS Frictionless Assessment.

Note: The tag key and value are case sensitive and must match what is in AWS exactly.

Note: To use Frictionless Assessment with your AWS connector, you must enter an AWS tag
key to identify hosts to be assessed by Frictionless Assessment. If you do not enter a tag key,
the connector functions as discovery-only and assets are not assessed for vulnerabilities.

l To change the network the connector is linked to, select an existing network or
create a new network using the Network drop-down menu. If you do not specify a
network, Tenable Vulnerability Management selects your default network.

4. Click the Download CFT button.

Note: If you edited the connector tags, the button shows as Download CFT & Save.

The CFT downloads in .yml format and the Cloud Connectors page appears with the updated
connector information.

5. If you edited the connector tags, redeploy the CFT to your AWS accounts (for more
information, see the AWS documentation).

If you need to deploy to more than one region, Tenable recommends deploying the template
as a stack set (for more information, see the AWS stack set documentation).

Manually Delete Connector Artifacts in AWS

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

After you delete your last AWS connector, Tenable Vulnerability Management triggers an automatic
deletion of most AWS artifacts associated with the connector and the Frictionless Assessment
configuration.

However, the CloudFormation stack or stack set is not automatically deleted. You must manually
delete the CloudFormation stack or stack set in the AWS CloudFormation console.

Before you begin:


l Delete the AWS connector, as described in Delete a Connector.

To manually delete artifacts from the AWS connector:


l Delete the Tenable-created CloudFormation stack or stack set, as described in Deleting a
stack on the AWS CloudFormation console in the AWS CloudFormation User Guide. The stack is
a .yml file and has the same name as its associated connector.

Update AWS Frictionless Assessment Connectors to Detect Log4j

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To ensure that your AWS Frictionless Assessment connectors can detect the Log4j vulnerability,
update the TenableInventoryCollection script in each AWS region where the script is installed.

Note: If you have multiple AWS accounts, you need to complete the steps below for all the relevant regions
within each account.

To update the AWS Frictionless Assessment connectors to detect Log4j:

1. Go to the Tenable Frictionless Downloads page and download the
TenableInventoryCollection-document-v2.json file.

2. Log in to the AWS console.

3. Open the Systems Manager.

4. Click Documents > Owned by me.

5. Open the TenableInventoryCollection document.

The TenableInventoryCollection Description page opens.

6. In the upper-right corner, click Actions.

7. Click Create new version.

The new version's Content pane appears.

8. Select the JSON radio button.

9. Delete the contents in the box under JSON.

10. Copy and paste the contents of TenableInventoryCollection-document-v2.json in the
box under JSON.

11. Below the content box, click Create new version.

The Documents > Owned by Amazon page opens.

12. Go to the Documents > Owned by me page.

13. Open the TenableInventoryCollection document.

14. In the upper-right corner, click Actions.

15. Click Set default version.

The Set default version page appears.

16. Set the Version value to 2 using the drop-down list.

17. Click Set default version.

Note: To verify that the AWS region is updated to detect Log4j, open the
TenableInventoryCollection document, go to the Contents tab, and search (Ctrl + F) for "log4j". If the
code contains "log4j", it is updated.

AWS Cloud Connector (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Amazon Web Services (AWS) cloud connector provides real-time visibility and inventory of EC2
assets in AWS accounts.

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability
Management. Assets discovered through the connectors do not count against the license until and
unless the asset is scanned for vulnerabilities.

Tip: To configure an AWS connector with Frictionless Assessment, which allows you to assess EC2
instances for vulnerabilities without configuring agents or scans, see Frictionless Assessment for AWS.

You can create AWS connectors for discovery with either of the following configurations:

l Recommended: AWS Connector with Keyless Authentication (Discovery Only)

l AWS Connector with Key-based Authentication

Supported Regions
The following regions are supported for AWS Discovery Connectors:

l us-east-1, US East (N. Virginia)

l us-east-2, US East (Ohio)

l us-west-1, US West (N. California)

l us-west-2, US West (Oregon)

l ca-central-1, Canada (Central)

l ap-south-1, Asia Pacific (Mumbai)


l ap-northeast-1, Asia Pacific (Tokyo)

l ap-northeast-2, Asia Pacific (Seoul)

l ap-southeast-1, Asia Pacific (Singapore)

l ap-southeast-2, Asia Pacific (Sydney)

l ap-southeast-3, Asia Pacific (Jakarta)

l eu-central-1, EU (Frankfurt)

l eu-west-1, EU (Ireland)

l eu-west-2, EU (London)

l eu-west-3, EU (Paris)

l me-south-1, Middle East (Bahrain)

l ap-east-1, Asia Pacific (Hong Kong)

l af-south-1, Africa (Cape Town)

l eu-south-1, Europe (Milan)

l sa-east-1, South America (São Paulo)

AWS Connector with Keyless Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Amazon Web Services (AWS) Connector provides real-time visibility and inventory of EC2
assets in AWS accounts.

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability
Management. Assets discovered through the connectors do not count against the license until and
unless the asset is scanned for vulnerabilities.

Tip: To configure an AWS connector with Frictionless Assessment, which allows you to assess EC2
instances for vulnerabilities without configuring agents or scans, see Frictionless Assessment for AWS.

Keyless Authentication
Tenable Vulnerability Management AWS connectors support keyless authentication via AWS role
delegation. Keyless authentication via AWS role delegation allows the automatic discovery of your
AWS assets. To use keyless authentication, you must establish a trust relationship between your
AWS accounts and the Tenable AWS account. In this scenario, your AWS accounts communicate
with a trusted Tenable AWS account that communicates with your AWS connector.

Automatic Discovery of AWS Accounts


If you want to allow the Tenable AWS Account to automatically find other AWS accounts in your
organization, use keyless authentication with auto account discovery. You must enable AWS
Organizations and assign a ListAccounts policy, which then discovers other AWS accounts and
establishes trust relationships as shown in the following diagram.

For more information about setting up AWS Organizations, see the AWS documentation.

Manual Linking of AWS Accounts

If you do not want to use auto account discovery or if you are not using AWS Organizations, you can
manually configure linked AWS accounts, as shown in the following diagram.

To configure and create an AWS connector with keyless authentication:

1. Configure AWS for Keyless Authentication (Discovery Only)

2. Create an AWS Connector with Keyless Authentication (Discovery Only)


Configure AWS for Keyless Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you create a discovery-only connector with keyless authentication, you must first configure
AWS. For more information on linking AWS accounts and establishing trust relationships, see AWS
Connector with Keyless Authentication (Discovery Only).

Before you begin:

1. On your AWS account, enable CloudTrail.

2. Create a trail if one does not already exist.

3. In the trail, turn on All or Write Only Management Events, as well as logging.

Note: When an AWS connector is used to import assets, Tenable queries all the CloudTrails for that
connector and determines the set of all regions that those CloudTrails receive events for. That set of
regions is then used when making calls to the EC2 and CloudTrail APIs.

To manually configure AWS for a discovery-only connector with keyless authentication:

1. Obtain your Tenable Vulnerability Management container ID, as described in License
Information.

2. In your AWS account, create a role named tenableio-connector to delegate permissions to an
IAM user:

Tip: For more information, see the Amazon AWS documentation.

a. In the navigation pane of the AWS console, click Roles > Create role.

b. For role type, click Another AWS account.

c. For Account ID, type the ID 012615275169.

Note: 012615275169 is the account ID of the Tenable AWS account that you will be
establishing a trust relationship with to support AWS role delegation.

d. Select the Require external ID check box, and type the Tenable Vulnerability
Management container ID that you obtained in step 1.

e. Click Next: Add Permissions.

f. Create or reuse a policy with the following permissions:

AWS Service          Permission

Amazon EC2           l DescribeInstances

AWS CloudTrail       l DescribeTrails
                     l GetEventSelectors
                     l GetTrailStatus
                     l ListTags
                     l LookupEvents

AWS Organizations    l ListAccounts

Note: The ListAccounts permission is required for Tenable Vulnerability Management to
automatically discover AWS accounts. If you do not use auto account discovery, you do not need
this permission.

Note: Tenable recommends that you set Amazon Resource Name to * (all resources) for each
AWS Service.

a. Click Next: Tags.

b. (Optional) Add any desired tags.

c. Click Create Policy.

g. Click Next: Review.

h. In the Role name box, type tenableio-connector.

Caution: The role must be named tenableio-connector for the connector to work.

i. Review the role, ensuring that the role name is tenableio-connector, and then click
Create role.

j. Viewing the new tenableio-connector role, click the Trust Relationship tab.

k. Click Edit Trust Relationship.

The policy document appears in a text box.

l. At the AWS line of the text box, replace arn:aws:iam::012615275169:root with
arn:aws:iam::012615275169:role/keyless_connector_role.

m. Click Update Trust Policy.
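The role built in the steps above can be checked offline before you save it. The following is an added example, not Tenable code: it generates the trust and permissions documents this procedure describes and reports anything that departs from them (wrong role name, the Tenable account root still trusted instead of keyless_connector_role, a missing or mismatched sts:ExternalId, missing or surplus permissions). The container ID used is a constructed placeholder.

```python
"""Check a tenableio-connector IAM role against the keyless discovery
requirements on this page: the role name, the trusted Tenable principal,
the container ID as sts:ExternalId, and only the listed permissions."""
import json

# Values from this section; the container ID below is a constructed placeholder.
TENABLE_ACCOUNT_ID = "012615275169"
TENABLE_PRINCIPAL = f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:role/keyless_connector_role"
TENABLE_ROOT = f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"
ROLE_NAME = "tenableio-connector"
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags",
    "cloudtrail:LookupEvents",
}
AUTO_DISCOVERY_ACTION = "organizations:ListAccounts"


def build_trust_policy(container_id):
    """Trust policy the role should have after step l: Tenable's
    keyless_connector_role may assume it only with your container ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": TENABLE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": container_id}},
        }],
    }


def build_permissions_policy(auto_account_discovery):
    """Permissions policy from step f (Resource * as the page recommends);
    organizations:ListAccounts only when auto account discovery is used."""
    actions = set(REQUIRED_ACTIONS)
    if auto_account_discovery:
        actions.add(AUTO_DISCOVERY_ACTION)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_role(role_name, trust_policy, permissions_policy, container_id,
               auto_account_discovery):
    """Return findings as strings; an empty list means the role matches this section."""
    findings = []
    if role_name != ROLE_NAME:
        findings.append(f"role must be named {ROLE_NAME}, got {role_name!r}")
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principals == [TENABLE_ROOT]:
            findings.append("trust policy still names the Tenable account root; "
                            "replace it with keyless_connector_role (step l)")
        elif principals != [TENABLE_PRINCIPAL]:
            findings.append(f"unexpected trusted principal(s): {principals}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != container_id:
            findings.append("sts:ExternalId missing or not equal to the container ID (step d)")
    granted = set()
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing permissions: " + ", ".join(sorted(missing)))
    has_list_accounts = AUTO_DISCOVERY_ACTION in granted
    if auto_account_discovery and not has_list_accounts:
        findings.append(f"auto account discovery requires {AUTO_DISCOVERY_ACTION}")
    if not auto_account_discovery and has_list_accounts:
        findings.append(f"{AUTO_DISCOVERY_ACTION} is granted but not needed without auto account discovery")
    extra = granted - REQUIRED_ACTIONS - {AUTO_DISCOVERY_ACTION}
    if extra:
        findings.append("permissions beyond what the connector needs: " + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    container_id = "CONTAINER-ID-PLACEHOLDER"  # constructed; use your own container ID
    # Constructed "before step l" trust policy: the AWS line still names the account root.
    before_step_l = build_trust_policy(container_id)
    before_step_l["Statement"][0]["Principal"]["AWS"] = TENABLE_ROOT
    for finding in check_role(ROLE_NAME, before_step_l, build_permissions_policy(False),
                              container_id, auto_account_discovery=False):
        print("finding:", finding)
    print(json.dumps(build_trust_policy(container_id), indent=2))
```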

What to do next:

l Create an AWS Connector with Keyless Authentication (Discovery Only)

Create an AWS Connector with Keyless Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability
Management. Assets discovered through the connectors do not count against the license until and
unless the asset is scanned for vulnerabilities.

Before you begin:


l Configure AWS for Keyless Authentication (Discovery Only)

Note: To use Legacy Tenable Cloud Security Preview or Legacy Tenable Cloud Security, you must update
or create new roles that support Legacy Tenable Cloud Security. Tenable Vulnerability Management cloud
connector roles do not support Agentless Assessment.

To create an AWS connector with keyless authentication for discovery only:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the upper-right corner of the page, click the Create Cloud Connector button.

The cloud connector selection plane appears.

5. In the Cloud Connectors section, click Amazon Web Services.

The connector creation plane appears.

6. In the Connector Name box, type a name to identify the connector.


7. In the Account ID box, type your primary AWS account ID.

8. (Optional) Click Create Stack to deploy a Cloud Formation Template (CFT) to your
AWS account.

Note: For discovery-only connectors, skip the stack creation steps in the user interface only if you
have manually configured the tenableio-connector role in your AWS account. The stack configures
parameters, policies, and roles required for using the Tenable Vulnerability Management connector.

9. (Optional) To expand more cloud connector settings, click Cloud Connector Advanced
Settings.

a. (Optional) Use the Auto Account Discovery toggle to enable or disable automatic
discovery of linked accounts and CloudTrails.

Note: Make sure that you create a tenableio-connector role either manually or via CFT for each
linked account.

b. (Optional) If you disabled Auto Account Discovery, do any of the following:

l To manually add AWS accounts, next to Accounts for Cloud Assessment, click .

l To manually add AWS CloudTrails, next to AWS CloudTrails for Cloud Assessment,
click .

c. (Optional) In the Select or Create Network drop-down box, select an existing network to
which the connector should be added.

When the connector discovers an asset, the associated network is added to the asset's
details. For more information, see Networks.

d. (Optional) Use the Cloud Connector Schedule toggle to enable or disable scheduled
imports.

By default, Tenable Vulnerability Management requests new and updated asset records
every 1 day.

If enabled:

i. In the text box, type the frequency with which Tenable Vulnerability Management
sends data requests to the AWS server.
ii. In the drop-down box select Minutes, Hours, or Days.

Note: When you schedule a connector configuration to sync every 30 minutes, a
discovery job is placed in a queue every 30 minutes. The results of the discovery job
become available in the Tenable Vulnerability Management interface and logs depending
on the workload for the connector services. So, the results of the discovery job can
take more than 30 minutes depending on the queue.

10. Do one of the following:

l To save the connector, click Save.

l To save the connector and import your assets from AWS, click Save & Import.

Tenable Vulnerability Management imports your assets from AWS. There may be a short delay
before your assets appear.

What to do next:

l View Assets to see assets that were discovered by the connector.

AWS Connector with Key-based Authentication

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Amazon Web Services (AWS) Connector provides real-time visibility and inventory of EC2
assets in AWS accounts.

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability
Management. Assets discovered through the connectors do not count against the license until and
unless the asset is scanned for vulnerabilities.

Key-based Authentication
Tenable Vulnerability Management AWS connectors support key-based authentication that uses an
IAM user with permissions and a secret key and access key. In this scenario, the Tenable
Vulnerability Management AWS connector authenticates with your primary AWS account via a
secret key and an access key. Additionally, you can manually configure secondary linked AWS
accounts with trust relationships to your primary AWS account, as shown in the diagram below.
For more information about other AWS authentication options, see Amazon Web Services
Connector.

Note: AWS connectors configured with key-based authentication do not support the automatic discovery
of AWS accounts. Additionally, key-based authentication is not recommended.

To fully configure AWS key-based authentication with Tenable Vulnerability Management:

1. In AWS, configure your primary AWS account to support key-based authentication for your
connectors, as described in Configure AWS for Key-based Authentication.

2. (Optional) In AWS, manually configure linked AWS accounts, as described in Configure Linked
AWS Accounts (Key-based).

3. In Tenable Vulnerability Management, create your AWS connector, as described in Create an
AWS Connector with Key-based Authentication.

Configure AWS for Key-based Authentication

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you begin:


l Enable CloudTrail and create a trail if one does not already exist.

Note: You must turn on All or Write Only Management Events, as well as logging for the trail.

To configure AWS to support Tenable Vulnerability Management connectors via an IAM
user with permissions (key-based authentication):

1. Use the Policy Generator to create an IAM permission policy for integration with Tenable
Vulnerability Management.

2. Add the following permissions to the policy:

AWS Service          Permission

EC2                  l DescribeInstances

CloudTrail           l DescribeTrails
                     l GetEventSelectors
                     l GetTrailStatus
                     l ListTags
                     l LookupEvents

Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS
Service.

3. Create an IAM user with programmatic access.

4. Assign the policy you created in Step 2 to the IAM user.

5. Obtain Access and Secret keys.


(Optional) To configure linked AWS accounts:

l Configure Linked AWS Accounts for Key-based Authentication

What to do next:

l Create an AWS Connector with Key-based Authentication

Configure Linked AWS Accounts for Key-based Authentication

Required User Role: Administrator

This section assumes that access keys have already been generated for the primary account, and
explains how to configure linked AWS accounts as depicted in the diagram below.

Before you begin:


l Configure the primary AWS account.

l Record the Account ID for the primary AWS account.

To configure linked AWS accounts:

1. Obtain your Tenable Vulnerability Management container ID, as described in License
Information.

2. In your AWS account, create a role named tenableio-connector to delegate permissions to an
IAM user, as described in the Amazon AWS documentation.

a. In the navigation pane of the console, click Roles > Create role.

b. For role type, click Another AWS account.

c. For Account ID, type the AWS account ID of the primary AWS account.

d. Select the Require external ID check box, and type the Tenable container ID that you
obtained in Step 1.

e. Click Next: Permissions.

f. Create or reuse a policy with the following permissions:

AWS Service          Permission

Amazon EC2           l DescribeInstances

AWS CloudTrail       l DescribeTrails
                     l GetEventSelectors
                     l GetTrailStatus
                     l ListTags
                     l LookupEvents

Tenable recommends that you set Amazon Resource Name to * (all resources) for each
AWS Service.

g. Click Next: Tagging.

h. (Optional) Add any desired tags.

i. Click Next: Review.

j. In the Role name box, type tenableio-connector.

Caution: The role must be named tenableio-connector for the connector to work.

k. Review the role, ensuring that the role name is tenableio-connector, and then click
Create role.

l. Record the Role ARN for the created role. You need the Role ARN for the next section of
the configuration.

To configure the primary AWS account:

Note: For more detailed steps, see the Amazon documentation: Accessing and Administering the Member
Accounts in Your Organization.

1. Create a policy that has permission to use the AWS Security Token Service (AWS STS)
AssumeRole API (sts:AssumeRole) action.

a. Navigate to Policies and then click Create Policy.

b. For Service, choose STS.

c. For Actions, type AssumeRole in the Filter box and then select the check box next to it
when it appears.

d. Click You chose actions that require the role resource type.

e. Click Add ARN.

f. In the Specify ARN for role field, paste the ARN recorded for the role created in the
linked account(s).

g. Click Add.

h. Click Review policy.

i. In the Name field, type a unique name for your policy.

j. Click Create Policy.

2. Add the policy created in step 1 to a user or group associated with the access keys used when
you created your connector.

a. Click the Add Permissions button.

b. Select the Attach existing policies directly check box.

c. Find the policy with sts:AssumeRole that was created in step 1.

d. Click Next: Review.

e. Click Add permissions.
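The two documents this section has you create by hand, the linked account's role trust policy (steps b through d) and the primary account's sts:AssumeRole policy (steps 1 and 2), can be generated and checked offline. The following is an added example, not Tenable code; the account IDs and container ID are constructed placeholders. Its check flags a primary-account policy whose AssumeRole resource is * or anything other than the linked accounts' tenableio-connector role ARNs, which is the scope step f asks for.

```python
"""Build and check the IAM documents that link secondary AWS accounts to the
primary account for a key-based connector, as this section describes."""
import json
import re

ROLE_NAME = "tenableio-connector"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/" + re.escape(ROLE_NAME) + "$")


def linked_role_arn(account_id):
    """ARN of the tenableio-connector role in a linked account (the value recorded in step l)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"AWS account IDs are 12 digits, got {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def linked_account_trust_policy(primary_account_id, container_id):
    """Trust policy for the linked account's role (steps b-d): only the primary
    account, presenting the container ID as the external ID, may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": container_id}},
        }],
    }


def primary_assume_role_policy(linked_account_ids):
    """Policy for the primary account's user or group (steps 1-2): sts:AssumeRole
    limited to the recorded role ARNs of the linked accounts."""
    resources = sorted({linked_role_arn(a) for a in linked_account_ids})
    if not resources:
        raise ValueError("at least one linked account is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resources}],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_assume_role_policy(policy, expected_account_ids):
    """Findings for an existing primary-account policy: every AssumeRole grant
    must name a linked account's tenableio-connector role, and each linked
    account must be covered. An empty list means the policy matches."""
    findings = []
    expected = {linked_role_arn(a) for a in expected_account_ids}
    seen = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or not ROLE_ARN_RE.match(resource):
                findings.append(f"sts:AssumeRole is allowed on {resource!r}; "
                                "restrict it to the linked role ARNs (step f)")
            else:
                seen.add(resource)
    for arn in sorted(expected - seen):
        findings.append(f"linked account role not covered: {arn}")
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not real account or container IDs.
    primary, linked = "111111111111", ["222222222222", "333333333333"]
    container_id = "CONTAINER-ID-PLACEHOLDER"
    print(json.dumps(linked_account_trust_policy(primary, container_id), indent=2))
    policy = primary_assume_role_policy(linked)
    print(json.dumps(policy, indent=2))
    print("findings:", check_assume_role_policy(policy, linked))
```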


Create an AWS Connector with Key-based Authentication

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you begin:


l Complete the required AWS configuration steps for key-based authentication.

To create an AWS connector:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the upper-right corner of the page, click the Create Cloud Connector button.

The cloud connector selection plane appears.

5. In the Cloud Connectors section, click AWS - Keyed setup.

The cloud connector creation plane appears.

6. In the Connector Name box, type a name to identify the connector.

7. In the Access Key box, type the access key that you obtained when configuring AWS.

8. In the Secret Key box, type the secret key that corresponds to the access key you used.

9. In the Select or Create Network drop-down box, select an existing network for your
connector or click the button to create a new network.
Note: Networks help to avoid IP address collisions between cloud assets and Nessus-discovered
assets. Tenable recommends creating a network for each connector type in use to prevent asset
records in different cloud environments from overwriting each other. For more information about
the network feature, see Networks.

10. Use the Cloud Connector Schedule toggle to enable or disable scheduled imports.

Note: By default, Tenable Vulnerability Management requests new and updated asset records every 1
hour.

If enabled:

l In the Import text box, type the frequency with which Tenable Vulnerability Management
sends data requests to the AWS server.

l In the drop-down box select Minutes, Hours, or Days.

Note: When you schedule a connector configuration to sync every 30 minutes, a discovery job
is placed in a queue every 30 minutes. The results of the discovery job become available in the
Tenable Vulnerability Management interface and logs depending on the workload for the
connector services. So, the results of the discovery job can take more than 30 minutes
depending on the queue.

11. Do one of the following:

l To save the connector, click Save.

l To save the connector and import your assets from AWS, click Save & Import.

Note: There may be a short delay before your assets appear in Tenable Vulnerability Management.

Microsoft Azure Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Microsoft Azure Connector provides real-time visibility and inventory of assets in Microsoft
Azure accounts.

To import and analyze information about assets in Microsoft Azure, you must configure Azure to
support connectors and then create an Azure connector in Tenable Vulnerability Management.

Note: If your Azure deployment includes Azure instances in the Azure China or Azure Government regions,
Tenable Vulnerability Management cannot connect to those instances.

To assess Azure assets for vulnerabilities, Tenable recommends that you use Frictionless
Assessment to assess for vulnerabilities in the cloud. Alternatively, you can run a Nessus scanner or
agent scan, both of which run plugins locally on the host.

Goal                                                   Connector Type

Discover Microsoft Azure assets and assess for         Frictionless Assessment
vulnerabilities using Frictionless Assessment

The cloud connector discovers Azure assets, then assesses the hosts for
vulnerabilities in the cloud, rather than running plugins locally on the host.

For more information, see Frictionless Assessment for Azure.

Discover Microsoft Azure assets                        Discovery Connector

The cloud connector discovers Azure assets without assessing them for
vulnerabilities. Optionally, you can scan discovered assets later using a
Nessus scanner or agent scan.

To analyze assets via a Microsoft Azure connector:

1. Configure your Azure account to support your connectors, as
described in Configure Microsoft Azure (Discovery Only).

2. Create your Azure connector, as described in Create a Microsoft Azure
Connector.

Note: To manage existing Microsoft Azure connectors, see Manage Connectors in the Tenable Vulnerability
Management User Guide.

Tip: For common connector errors, see Connectors in the Tenable Developer Portal.

Frictionless Assessment for Azure

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

With Frictionless Assessment, Tenable Vulnerability Management discovers and collects an
inventory of data points on your Azure virtual machine (VM) instances and VM scale set instances.
Then, for instances that you specify for Frictionless Assessment, Tenable Vulnerability Management
assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally on the hosts.

Frictionless Assessment uses a custom automation runbook to collect the required data from VMs
and VM scale sets in your selected resource groups. You do not need to configure a Microsoft Azure
discovery connector, scanners, Tenable Nessus Agents, scans, or scan schedules to assess hosts
with Frictionless Assessment.

The Azure Frictionless Assessment runbook collects data from each VM with basic commands to
gather information such as installed packages and the existence of specific files. This information
is then securely sent to Tenable using Azure's Public Blob Resource API. This connection is made
using a customer-specific, regularly rotating shared access signature (SAS) token. For more
information about the data that the runbook collects from VMs, see Azure Runbook Information.

Note: Virtual machines scanned by Azure Frictionless Assessment need outbound network access to push
information to Azure's Public Blob Resource API. This can be accomplished by adding an outbound security
rule using the "Storage" service tag. Without this access, the result of Runbook collection will not be
received by Tenable and no assets or vulnerabilities will be assessed.

Operating System Coverage


Frictionless Assessment has vulnerability coverage for the following:

l Amazon Linux 1 / 2

l CentOS 6 / 7 / 8

l Red Hat 6 / 7 / 8

l SUSE Linux Enterprise Server (SLES) 11.4-15.2

l SUSE Linux Enterprise Desktop (SLED) 12-15.2

l Ubuntu 16.04 / 18.04 / 20.04 / 20.10

l Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019,
Windows Server 2022

l Windows 7, Windows 8, Windows 10, Windows 11

Licensing Considerations
In general in Tenable Vulnerability Management, assets count towards your license when they are
assessed for vulnerabilities. Therefore, hosts that are assessed by Frictionless Assessment count
against your license. For more information, see Tenable Vulnerability Management Licenses.

When you select Azure tags for hosts to be assessed by Frictionless Assessment, note that all hosts
with any of those tags count towards your license. Hosts that are only discovered by the connector,
and not assessed by Frictionless Assessment (for example, hosts that do not have a tag you
selected for Frictionless Assessment), do not count towards your license.

Limitations
l Frictionless Assessment does not run informational plugins, run remote vulnerability plugins,
or gather compliance data.

l Frictionless Assessment in Azure does not support custom encrypted disks.

l A connector configured with Frictionless Assessment only supports one Azure subscription. If
you want to assess hosts across multiple Azure subscriptions, you must configure a separate
connector for each subscription.

l You must have the Microsoft.ContainerInstance resource provider registered for each Azure
subscription you plan to deploy the ARM template to.

l The limit for Frictionless Assessment scans is one per day, whereas existing Frictionless
Assessment connectors created before May 1, 2023 transmit inventory data more frequently.
Frictionless Assessment drops data exceeding the frequency limit and does not scan it.

Note: The limitation does not apply to Tenable Container Security, Agentless Assessment, or
Tenable Nessus Agent-based inventory scans.

Get Started
1. Create an Azure Connector for Frictionless Assessment.

Note: If you delete a Frictionless Assessment Azure connector, manually delete the remaining Azure
artifacts as described in Manually Delete Connector Artifacts from Azure Frictionless Assessment.

2. Verify that the Runbook in the automation account used for Frictionless Assessment Azure
completes successfully. If it does not, contact your Azure administrator or support
representative to resolve the issue.

You can find the Runbook in Microsoft Azure > Automation Accounts > Tenable FA
Automation Account > Process Automation > Runbooks/Job.

Create an Azure Connector for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able
to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on
December 31, 2023, and will no longer receive support or updates. However, existing Frictionless
Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024.
Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning
your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

When you configure an Azure cloud connector for Frictionless Assessment, Tenable Vulnerability
Management uses an Azure Resource Manager (ARM) template. ARM is Azure's method for
organizing, updating, and provisioning resources in an Azure resource group or subscription. It
allows users to define resources, dependencies, and networking for their application or use cases.

Follow the steps below to create a Microsoft Azure Frictionless Assessment connector in Tenable
Vulnerability Management. This process also creates the ARM template that you need to deploy
to each Azure subscription that you want to evaluate with Frictionless Assessment.

Before you begin:

• In another window or tab of the same browser with which you are accessing Tenable
  Vulnerability Management, log in to the Azure console with the Azure account that you want to
  target with Frictionless Assessment.

Note: To use Legacy Tenable Cloud Security Preview or Legacy Tenable Cloud Security, you must update
or create new roles that support Legacy Tenable Cloud Security. Tenable Vulnerability Management cloud
connector roles do not support Agentless Assessment.

Create the Microsoft Azure Frictionless Assessment connector and ARM template:
1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. Click Create Cloud Connector.


The Select a Cloud Connector panel appears.

5. In the Cloud Connectors list, select Microsoft Azure Frictionless Assessment.

The Connector Setup pop-up appears.

6. In the Cloud Provider step, enter a Connector Name.

Click Next.

7. In the Enable Features step, ensure the check box to Identify vulnerabilities using
frictionless assessment is selected.

Click Next.

8. In the Configuration step, either select the Scan all check box, or select specific target
parameters.

Note: To target a more specific subset of resources, you can target your connector on a specific
resource group, a specific tag key, a specific tag value, or a combination of all three.

Note: Use the ANY input from the drop-down as a wild card to target all values for a resource group,
tag key, or tag value.

Note: Multiple targets with specific parameters can be selected.

Click Next.

9. In the Apply Choices step, click Download and Finish.

The new ARM template downloads in .json format, and the new connector shows on the Cloud
Connectors page.

Deploy the connector using the ARM template:


Deploy the ARM template you downloaded in the previous section to your Azure subscription(s).

For deployment guidance, refer to Microsoft Azure documentation.

Note: You must have the Microsoft.ContainerInstance resource provider registered for each Azure
subscription to which you deploy the ARM template.

Note: When deploying Azure Frictionless Assessment through the Azure CLI, use a subscription-level
deployment with the ARM template produced by the steps above.

Example:

az deployment sub create --location eastus --template-file /path/to/arm-template.json

You can add --debug to the command to generate verbose logging during deployment:

az deployment sub create --location eastus --template-file /path/to/arm-template.json --debug
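The two prerequisites above (a subscription-level template and a registered
Microsoft.ContainerInstance provider) can be checked before running az deployment sub create. The
following script is an added example, not Tenable's code or part of the downloaded template. It
parses the template JSON, verifies the $schema is the subscription-level deployment schema,
collects every resource provider namespace used (descending into nested
Microsoft.Resources/deployments resources), and compares them against a provider registration map.
The map is passed in as a dict so the check runs offline; in practice you would fill it from
az provider list (namespace to registrationState). SAMPLE_TEMPLATE is a constructed stand-in for a
downloaded template, and its resource names are placeholders.

```python
"""Pre-deployment check for a downloaded Frictionless Assessment ARM template.

Added example, not Tenable's code. Verifies the template is a subscription-level
deployment and that every resource provider it uses (notably
Microsoft.ContainerInstance) is registered in the target subscription.
"""
import json
import sys

# Azure's schema URI for subscription-level templates ends with this file name.
SUBSCRIPTION_SCHEMA_MARKER = "subscriptionDeploymentTemplate.json"


def load_template(path: str) -> dict:
    """Read the .json template downloaded from the Cloud Connectors page."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resource_providers(template: dict) -> set[str]:
    """Provider namespaces used by all resources, descending into nested
    Microsoft.Resources/deployments resources, which carry their own template."""
    found: set[str] = set()
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        if "/" in rtype:
            found.add(rtype.split("/", 1)[0])
        inner = res.get("properties", {}).get("template")
        if isinstance(inner, dict):
            found |= resource_providers(inner)
    return found


def check_template(template: dict, provider_state: dict[str, str]) -> dict:
    """Report what must be fixed before `az deployment sub create` can succeed.

    provider_state maps a namespace (e.g. "Microsoft.ContainerInstance") to its
    registrationState; a namespace absent from the map counts as not registered.
    """
    providers = sorted(resource_providers(template))
    unregistered = [ns for ns in providers
                    if provider_state.get(ns, "NotRegistered") != "Registered"]
    subscription_level = SUBSCRIPTION_SCHEMA_MARKER in template.get("$schema", "")
    return {
        "subscription_level": subscription_level,
        "providers": providers,
        "unregistered": unregistered,
        "container_instance_used": "Microsoft.ContainerInstance" in providers,
        "ok": subscription_level and not unregistered,
    }


# Constructed sample standing in for a downloaded template; names are placeholders.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Resources/resourceGroups", "apiVersion": "2021-04-01",
         "name": "TenableFA-Connector-PLACEHOLDER", "location": "eastus"},
        {"type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01",
         "name": "fa-resources", "resourceGroup": "TenableFA-Connector-PLACEHOLDER",
         "properties": {"mode": "Incremental", "template": {
             "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
             "contentVersion": "1.0.0.0",
             "resources": [
                 {"type": "Microsoft.Automation/automationAccounts",
                  "name": "Tenable-FA-Automation-Account-PLACEHOLDER"},
                 {"type": "Microsoft.ContainerInstance/containerGroups",
                  "name": "fa-deploy-script-PLACEHOLDER"},
             ]}}},
    ],
}
# Constructed registration state: the container-instance provider was never registered.
SAMPLE_PROVIDER_STATE = {"Microsoft.Resources": "Registered",
                         "Microsoft.Automation": "Registered",
                         "Microsoft.ContainerInstance": "NotRegistered"}

if __name__ == "__main__":
    tpl = load_template(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    print(json.dumps(check_template(tpl, SAMPLE_PROVIDER_STATE), indent=2))
```

Run it with the path to the downloaded template as the first argument; with the constructed
sample it reports Microsoft.ContainerInstance as unregistered and ok as false, which is exactly the
case the note above warns about.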

Manually Delete Connector Artifacts from Azure Frictionless Assessment

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you begin:

• Delete the Azure Frictionless Assessment connector, as described in Delete a Connector.

Delete the following Azure Frictionless Assessment artifacts in the Azure portal:

• The Automation account role assignment related to the custom role definition (e.g.
  Tenable-FA-Automation-Account)

• The custom role definition (e.g. Tenable FA Role (Subscription: [UUID] | Connector: [UUID]))

• The Frictionless Assessment resource group (e.g. TenableFA-Connector-{UUID})

  Note: The resource group can also be deleted from the Azure CLI with the following
  command, given that the Azure client has Contributor permissions or greater:

  az group list --tag Tenable=AzureFa --query "[].name" -o tsv | xargs -ot az group delete --no-wait -n

For more information on the listed Azure artifacts, see the Microsoft Azure documentation.
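The one-line pipeline in the note above deletes every resource group carrying the Tenable=AzureFa
tag, relying on the interactive prompt from xargs -ot as the only safeguard. The following script is
an added example, not Tenable's code; it performs the same cleanup with two extra checks a
practitioner would want: a dry run is the default, and a group is only deleted when it both carries
the tag and has a name starting with one of the connector prefixes this guide documents (the guide
spells the prefix both TenableFA-Connector and Tenable-FA-Connector, so both are accepted). Azure
CLI calls go through a runner callable so the selection logic can be exercised offline with a fake
runner; the default runner shells out to az, which is assumed to be installed and logged in.

```python
"""Plan, and optionally run, deletion of leftover Frictionless Assessment resource groups.

Added example, not Tenable's code. Wraps `az group list --tag Tenable=AzureFa` and
`az group delete --no-wait` with a dry run and a name-prefix check.
"""
import subprocess
import sys
from typing import Callable, Sequence

TAG_FILTER = "Tenable=AzureFa"
# Both spellings appear in the guide; anything else tagged by mistake is left alone.
EXPECTED_PREFIXES = ("TenableFA-Connector", "Tenable-FA-Connector")

Runner = Callable[[Sequence[str]], str]


def az_runner(args: Sequence[str]) -> str:
    """Run the Azure CLI and return its stdout; raises if az exits non-zero."""
    proc = subprocess.run(["az", *args], check=True, capture_output=True, text=True)
    return proc.stdout


def list_tagged_groups(run: Runner) -> list[str]:
    """Names of resource groups carrying the Frictionless Assessment tag (TSV, one per line)."""
    out = run(["group", "list", "--tag", TAG_FILTER, "--query", "[].name", "-o", "tsv"])
    return [line.strip() for line in out.splitlines() if line.strip()]


def plan(names: Sequence[str]) -> tuple[list[str], list[str]]:
    """Split tagged groups into (to_delete, skipped); only expected names are deleted."""
    to_delete = [n for n in names if n.startswith(EXPECTED_PREFIXES)]
    skipped = [n for n in names if n not in to_delete]
    return to_delete, skipped


def cleanup(run: Runner = az_runner, apply: bool = False) -> dict:
    """Dry run by default; with apply=True issue a non-blocking delete per selected group."""
    to_delete, skipped = plan(list_tagged_groups(run))
    if apply:
        for name in to_delete:
            # --yes skips the CLI's own confirmation because the name was already vetted.
            run(["group", "delete", "--no-wait", "--yes", "-n", name])
    return {"deleted" if apply else "would_delete": to_delete, "skipped": skipped}


if __name__ == "__main__":
    # Usage: python cleanup_fa_groups.py [--apply]
    print(cleanup(apply="--apply" in sys.argv))
```

Run it once without arguments to see what would be removed, then again with --apply. Groups that
carry the tag but do not match the documented prefix are listed under skipped for manual review
rather than deleted.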

Azure Runbook Information


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Frictionless Assessment uses a custom automation runbook and collects the following data from
VMs and VM scale sets in your selected resource groups.

Some intermediary resources show up in the first few minutes after you deploy an ARM template.
These resources are deployment scripts that Tenable Vulnerability Management uses to deploy the
following resources. Tenable Vulnerability Management removes the scripts once the deployments
are complete.

• Resource group:
  • Name: Starts with Tenable-FA-Connector
  • Contains Azure Frictionless Assessment resources.

• Automation Account:
  • Name: Starts with Tenable-FA-Automation-Account
  • Runbooks:
    • Name: TenableFATerminatedInstances
      Description: Tenable Frictionless Assessment runbook for terminated instances.
    • Name: TenableFACollector
      Description: The Tenable Frictionless Assessment collection runbook.

• Storage Account:
  • Name: Starts with scripts.
  • Description: Contains shell/PowerShell scripted checks to run against assets.

• Role Definitions:
  • Name: Starts with Tenable FA Role or Tenable-FA-Custom-Role-Def.
  • Description: The role required by the runbook to allow it to scan assets.
  • Actions:

    "Microsoft.ClassicCompute/operatingSystems/read",
    "Microsoft.ClassicCompute/operatingSystemFamilies/read",
    "Microsoft.ClassicCompute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"
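The action list above is the permission set the runbook is documented to need, which makes it a
useful baseline for a periodic least-privilege check of the custom role actually present in the
subscription. The script below is an added example, not Tenable's code. DOCUMENTED_ACTIONS is the
list from this section verbatim; audit_role() takes a role definition in the shape returned by
az role definition list --custom-role-only (a dict with "permissions" and "assignableScopes") and
reports actions granted beyond the documented set, documented actions that are missing or cancelled
by notActions, wildcard actions, and assignable scopes wider than a single subscription. SAMPLE_ROLE
is a constructed role that has drifted from the baseline; its subscription ID is a placeholder.

```python
"""Least-privilege audit of the Frictionless Assessment custom role definition.

Added example, not Tenable's code. Compares a role definition (as exported by
`az role definition list --custom-role-only`) against the action list documented
for the Tenable FA Role.
"""
import fnmatch
import json
import sys

# Verbatim from the guide's "Actions" list for the role definition.
DOCUMENTED_ACTIONS = frozenset({
    "Microsoft.ClassicCompute/operatingSystems/read",
    "Microsoft.ClassicCompute/operatingSystemFamilies/read",
    "Microsoft.ClassicCompute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
})


def covers(granted: str, action: str) -> bool:
    """Azure action strings match case-insensitively, with '*' as a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def audit_role(role: dict) -> dict:
    """Return drift between the role's effective actions and DOCUMENTED_ACTIONS."""
    granted: set[str] = set()
    excluded: set[str] = set()
    for perm in role.get("permissions", []):
        granted.update(perm.get("actions", []))
        excluded.update(perm.get("notActions", []))

    def effective(action: str) -> bool:
        # An action is effective if some granted pattern covers it and no notAction removes it.
        return (any(covers(g, action) for g in granted)
                and not any(covers(n, action) for n in excluded))

    missing = sorted(a for a in DOCUMENTED_ACTIONS if not effective(a))
    # Literal entries outside the baseline, including any wildcard patterns.
    extra = sorted(a for a in granted if a not in DOCUMENTED_ACTIONS)
    wildcards = sorted(a for a in granted if "*" in a)
    # The role should only be assignable within a subscription, never at root or a management group.
    broad_scopes = sorted(s for s in role.get("assignableScopes", [])
                          if not s.startswith("/subscriptions/"))
    return {
        "missing": missing,
        "extra": extra,
        "wildcards": wildcards,
        "broad_scopes": broad_scopes,
        "ok": not (missing or extra or broad_scopes),
    }


# Constructed sample of a drifted role: one documented action removed, two added.
SAMPLE_ROLE = {
    "roleName": "Tenable FA Role (Subscription: PLACEHOLDER | Connector: PLACEHOLDER)",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
        "actions": [
            "Microsoft.ClassicCompute/operatingSystems/read",
            "Microsoft.ClassicCompute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachineScaleSets/read",
            "Microsoft.Compute/virtualMachines/runCommand/action",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Storage/*/read",
        ],
        "notActions": [],
    }],
}

if __name__ == "__main__":
    # Usage: python audit_fa_role.py [role-definition.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            role = json.load(fh)
    else:
        role = SAMPLE_ROLE
    print(json.dumps(audit_role(role), indent=2))
```

Export the role with az role definition list --custom-role-only --name "<role name>" (that command
returns a list, so pass a single element), then run the audit. Any entry under extra or
wildcards means the runbook identity can do more than the documented read and runCommand
operations and should be reviewed.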

Configure Microsoft Azure (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Before you can use Tenable Vulnerability Management Azure connectors, you must perform several
steps in Microsoft Azure.

Note: If your Azure deployment includes Azure instances in the Azure China or Azure Government regions,
Tenable Vulnerability Management cannot connect to those instances.

To configure Microsoft Azure:

1. Create an Azure Application if one does not already exist.

Note: The Azure Application ID and Client Secret are obtained during this step.

2. Obtain the Azure Tenant ID (Directory ID).

3. Obtain the Azure Subscription ID.

4. Grant the Azure Application reader role permissions.

5. (Optional) Link Additional Azure Subscriptions to your Azure Application.

What to do next:

• Create an Azure connector.

Create Azure Application


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To create an Azure Application for an Azure Tenable Vulnerability Management connector:

1. Log in to the Microsoft Azure portal.

2. In the left-hand menu, click Microsoft Entra ID.

3. Click App registrations.


4. To add a new application, click New registration.

5. In the Name box, enter a descriptive name for the application.


6. In the Supported Account types section, choose one of the three options to specify the type
of accounts that can access the API.

7. (Optional) In the Redirect URI section, select either Web or Public client (mobile & desktop)
from the drop-down, and then enter the URI in the text box.

8. Click Register to finalize the settings and create the application.

A success message appears at the top of the page stating that the new application has been
created, and the page is redirected to the Overview page for the application.

9. Copy the Application (client) ID. This information is used to configure a connector with
Tenable Vulnerability Management.

10. In the Manage section for the application, click Certificates & secrets.

11. In the Client Secrets section, click + New client secret.

12. In the Description box, type a description for the client secret.

13. For the Expires option, select an expiration date.

14. Click the Add button.

The new client secret is added.

15. Copy or make a note of the client secret value.


Later, you will need this client secret to configure a connector with Tenable Vulnerability
Management.

What to do next:

• Obtain the Azure Tenant ID (Directory ID).

Obtain Azure Tenant ID (Directory ID)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To obtain your Tenant ID for an Azure Tenable Vulnerability Management connector:

1. Log in to the Microsoft Azure portal.

2. In the left-hand menu, click Microsoft Entra ID.

The Directory Overview page appears.

3. In the Manage section, click Properties.

The Directory properties page appears.


4. Copy the Directory ID.

Note: The Tenant ID and Directory ID are the same.

What to do next:

• Obtain the Azure Subscription ID.

Obtain Azure Subscription ID

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To obtain your Subscription ID for an Azure Tenable Vulnerability Management connector:

1. Log in to the Microsoft Azure portal.

2. In the left-hand menu, click All Services.


3. In the General section, click Subscriptions.

4. Copy the Subscription ID for the applicable subscription.

What to do next:

• Grant the Azure Application reader role permissions.

Grant the Azure Application Reader Role Permissions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To grant an Azure application reader role permissions for an Azure Tenable Vulnerability
Management connector:

Note: For more information, see the Microsoft Azure documentation: Manage access to Azure resources using
RBAC and the Azure portal.

1. Log in to the Microsoft Azure portal.

2. In the left-hand menu, click All Services.


3. In the General section, click Subscriptions.

4. In the subscription table, click the applicable subscription.

The Overview page for the subscription appears.

5. In the menu for the subscription, click Access control (IAM).

The Access control (IAM) page appears.

6. Click the +Add button.

A pop-up menu appears.


7. Click Add role assignment.

8. In the Add role assignment window, in the Role tab, search for and select Reader.

9. In the Members tab, in the Assign access to section, select User, group, or service principal.

10. To select your Azure Application, click + Select Members.

The Select members plane appears.


11. Search for the Azure application and select the required application from the list.

12. In the Review + assign tab, review the selected role and members.

13. Click Review + assign.

The selected application gets added as Reader for the subscription.

What to do next:

Do one of the following:


• (Optional) Link Additional Azure Subscriptions to your Azure Application.

• Create an Azure connector.

Link Azure Subscriptions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Before you begin:

• Record the name of the application you created for your primary Azure subscription.

To configure linked Azure subscriptions:

Grant the secondary subscription reader role permissions for the application you created for your
primary Azure subscription.

1. Log in to the Microsoft Azure portal.

2. In the left-hand menu, click All Services.


3. In the General section, click Subscriptions.

4. In the subscription table, click the applicable subscription.

The Overview page for the subscription appears.

5. In the menu for the subscription, click Access control (IAM).

The Access control (IAM) page appears.

6. Click the +Add button.

A pop-up menu appears.


7. Click Add role assignment.

8. In the Add role assignment window, in the Role tab, search for and select Reader.

9. In the Members tab, in the Assign access to section, select User, group, or service principal.

10. To select your Azure Application, click + Select Members.

The Select members plane appears.


11. Search for the Azure application and select the required application from the list.

12. In the Review + assign tab, review the selected role and members.

13. Click Review + assign.

The selected application gets added as Reader for the subscription.

What to do next:

• Create an Azure connector.

Create a Microsoft Azure Connector


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you begin:

• Complete the required Microsoft Azure configuration steps.

• Update your plugin set to 2018-12-19 or later.

To create a Microsoft Azure connector:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the upper-right corner of the page, click the Create Cloud Connector button.

The Cloud Connectors plane appears.

5. In the Cloud Connectors section, click Microsoft Azure.

The Microsoft Azure settings plane appears.

6. In the Connector Name box, type a name to identify the connector.

7. In the Application ID box, type the Azure application ID that you obtained when configuring
Microsoft Azure.

8. In the Tenant ID box, type the Azure Tenant ID obtained when configuring Microsoft Azure.

9. In the Client Secret box, type the client secret obtained when configuring Microsoft Azure.

10. Use the Auto Account Discovery toggle to enable or disable automatic discovery of Azure
subscription ID(s).

Note: Auto account discovery is enabled by default. The Azure connector automatically discovers
your subscription ID and any linked subscription ID(s).

11. (Optional) If Auto Account Discovery is disabled, manually add one or more subscription IDs:

a. In the Subscription IDs section, click the button next to Subscription IDs.

The Add Subscription IDs plane appears.

b. In the Subscription ID box, type the subscription ID obtained when configuring Microsoft
Azure.

c. (Optional) Click the button next to Add Another Subscription ID to add additional
linked Azure accounts.

d. In the Subscription ID box, type the subscription ID for the Azure account that you want
to link. For information about configuring linked subscriptions, see Link Azure
Subscription.

e. To add the Subscription ID(s), click Add.

Tenable Vulnerability Management displays the Microsoft Azure settings plane, and the
Subscription ID(s) you linked are listed under Subscription IDs.

12. In the Select or Create Network drop-down box, select an existing network for your
connector or click the button to create a new network.

Note: Networks help to avoid IP address collisions between cloud assets and Nessus-discovered
assets. Tenable recommends creating a network for each connector type in use to prevent asset
records in different cloud environments from overwriting each other. For more information about
the network feature, see Networks.

13. Use the Schedule Import toggle to enable or disable scheduled imports.

Note: By default, Tenable Vulnerability Management requests new and updated asset records every
1 day.

When enabled:

• In the Import text box, type the frequency with which Tenable Vulnerability Management
  sends data requests to the Azure server.

• In the drop-down box, select Minutes, Hours, or Days.

Note: When you schedule a connector configuration to sync every 30 minutes, a discovery job
is placed in a queue every 30 minutes. The results of the discovery job become available in the
Tenable Vulnerability Management interface and logs depending on the workload for the
connector services. So, the results of the discovery job can take more than 30 minutes
depending on the queue.

14. Do one of the following:

• To save the connector, click Save.

• To save the connector and import your assets from Azure, click Save & Import.

Note: There may be a short delay before your assets appear in Tenable Vulnerability Management.

Google Cloud Platform Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Google Cloud Platform (GCP) Connector provides real-time visibility and inventory of assets in
Google Cloud Platform. The GCP connector refreshes according to a schedule set by the user.

To import and analyze information about assets in Google Cloud Platform, you must configure GCP
to support connectors and then create a GCP connector in Tenable Vulnerability Management.

To analyze assets via a GCP connector:

1. Configure your GCP account to support your connectors, as described in Configure Google
Cloud Platform (GCP).

2. Create your GCP connector, as described in Create a Google Cloud Platform Connector
(Discovery Only).

Note: To manage existing GCP connectors, see Manage Connectors.

Tip: For common connector errors, see Connectors in the Tenable Developer Portal.

Configure Google Cloud Platform (GCP)


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you can use Tenable Vulnerability Management GCP connectors, you must configure GCP to
support your connectors.

Note: Before configuring, you must enable the compute engine API for each project you want scanned
from within Google Cloud Platform. See the Google API documentation for more information.

To configure GCP to support Tenable Vulnerability Management connectors:

1. Log into Google Cloud Platform.

2. In the left navigation bar, select IAM & admin.

The IAM & admin page appears.

3. In the Select a project drop-down box in the upper-left, select the applicable GCP project.

4. In the left navigation bar, select Service accounts.

The Service accounts page for your GCP project appears.

5. Click + CREATE SERVICE ACCOUNT.

The Create service account page appears.


6. In the Service account name box, type a display name for your service account.

7. In the Service account ID box, type a unique service account ID.

8. In the Service account description box, describe what the service account will do.

9. Click the CREATE button.

The Grant this service account access to project page appears.

10. In the drop-down box on the Service account permissions (optional) page, add the Logging ->
Logs Viewer role.

Note: The service account must have the Logging -> Logs Viewer role for discovery sync
(incremental syncs after the initial full sync).

11. Click + ADD ANOTHER ROLE on the Service account permissions (optional) page.

12. Add the Compute Engine -> Compute Viewer role.


13. Click the Continue button.

The Grant users access to this service account page appears.

14. In the Create key (optional) section, click +CREATE KEY.

The create key (optional) pane appears.

15. Under Key type, select JSON to create a key in JSON format.

16. Click the CREATE button.

17. Your browser downloads the key in JSON format.

(Optional) To configure a GCP service account that can access multiple projects:

You may have dozens of GCP accounts that are added and removed regularly. Instead of adding
each GCP account as a different connector, you can configure the top-level service account to
access multiple projects. The GCP connector automatically discovers all linked projects and pulls
assets from those projects.

Note: The top-level service account must have the Cloud Resource Manager API enabled in order to access
multiple projects.

Caution: The GCP connector pulls assets from any project that is configured with access to the top-level
service account. Only add projects that you want the GCP connector to pull data from.

1. Log into Google Cloud Platform.

2. In the left navigation bar, select IAM & admin.

The IAM & admin page appears.

3. In the drop-down menu in the upper-left corner, select the second GCP project.

4. In the IAM menu bar, click + ADD.

The Add members to project pane appears.

5. In the New Members box, type the name of the top-level service account that you created in
step 6 of the first section.

6. In the Select a role drop-down box, select the Logging > Logs Viewer role.

7. Click the + ADD ANOTHER ROLE button.

8. In the Select a role drop-down box, select the Compute Engine > Compute Viewer role.

9. (Optional) Click the + ADD ANOTHER ROLE button to add additional roles.

10. To add additional projects, repeat steps 3 through 9.

What to do next:

• Create a GCP Connector, as described in Create a Google Cloud Platform Connector (Discovery
  Only).

Create a Google Cloud Platform Connector (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you begin:

• Complete the required GCP configuration steps.

To create a GCP connector:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the upper-right corner of the page, click the Create Connector button.

The Select a Connector pane appears.

5. In the Connectors section, click Google Cloud Platform.

The Google Cloud Platform pane appears.

6. In the Connector Name: box, type a name to identify the connector.

7. In the Service Account Key section, click Add File to upload your service account key that
you obtained when configuring GCP.

8. The Auto Account Discovery toggle is always enabled and cannot be disabled. Any Project ID(s)
associated with the service account you provided are auto-discovered and assets will be
pulled from those projects.

9. In the Select or Create Network drop-down box, select an existing network for your
connector or click the button to create a new network.

Note: Networks help to avoid IP address collisions between cloud assets and Nessus-discovered
assets. Tenable recommends creating a network for each connector type in use to prevent asset
records in different cloud environments from overwriting each other. For more information about
the network feature, see Networks.

10. Use the Schedule Import: toggle to enable or disable scheduled imports.

Note: By default, Tenable Vulnerability Management requests new and updated asset records every 1
day.

If enabled:

• In the Import text box, type the frequency with which Tenable Vulnerability Management
  sends data requests to the GCP server.

• In the drop-down box, select Minutes, Hours, or Days.

Note: When you schedule a connector configuration to sync every 30 minutes, a discovery job
is placed in a queue every 30 minutes. The results of the discovery job become available in the
Tenable Vulnerability Management interface and logs depending on the workload for the
connector services. So, the results of the discovery job can take more than 30 minutes
depending on the queue.

11. Do one of the following:

• To save the connector, click Save.

• To save the connector and import your assets from GCP, click Save & Import.

Note: There may be a short delay before your assets appear in Tenable Vulnerability Management.

Manage Existing Connectors


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Cloud Connectors page displays the Connectors table, which lists all your configured
connectors.

Launch a Connector Import Manually



The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

To launch a manual import for a connector:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the row of the connector from which you want to launch a manual import, in the Actions
column, click > Import.

Tenable Vulnerability Management sends a request for data to the source. During the request
processing, the import button appears as a check mark. You cannot launch another manual
import for that connector until the request process completes.

View Connectors Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

On the Connectors page, you can view details about your connectors and imports.

Note: You can also complete connector management tasks from the Connectors page, including launching
an import manually, editing a connector, and deleting a connector. For more information, see Manage
Existing Connectors.

Before you begin:

• Configure the platform your connector must access and create your connector, as described
  in Connectors.

To view connector and import details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the Connectors table, you can:

a. Search the Connectors table.

b. View details about your connectors and imports.

Column: Name
Action: View the name of the connector.

Column: Type
Action: View the platform or registry type from which your connector pulls assets.

Column: Status
Action: View the status for your most recent asset import.

Note: If your connector is a Tenable Container Security connector, you can hover over the
connector row in the STATUS column to view error details for failed imports.

Column: Date Created
Action:
• View the date your connector was created in MM/DD/YYYY format.
• Click the column header to sort your connectors by creation date.

Column: Last Import
Action: View the date for the most recent asset import.

Note: If your connector is a Tenable Container Security connector, a green icon appears next to
the date after the import starts. You can hover over the icon to view details for each asset the
connector imports. As the import progresses, the details update in real time.

View Connector Event History


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

For Microsoft Azure connectors and AWS connectors configured with keyless authentication, you
can view connector event history to help you troubleshoot issues. You can see events such as when
Tenable Vulnerability Management synced with the connector, imported assets, or checked for
terminated assets.

Before you begin:

l Configure the platform your connector must access and create your connector, as described
in Connectors.

To view connector event history:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the connector table, click the connector for which you want to view event history.

Note: You can view event history for Microsoft Azure connectors and AWS connectors configured
with keyless authentication.

The connector settings plane appears.

5. Click View Event History.

The connector plane expands and displays the Connector Event History table. The table
displays events sent by the connector to Tenable Vulnerability Management, such as when
Tenable Vulnerability Management synced with the connector, imported assets, or checked
for terminated assets. For information on connector errors, see Connectors as documented in
the Tenable Developer Portal.

Edit a Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

From the Settings page, you can edit your connector details, including the asset import schedule.
The steps to edit a connector vary depending on the platform.

Before you begin:


l Configure and create your connector, as described in Connectors.

l Log in to Tenable Vulnerability Management.

To edit a Microsoft Azure connector:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the connector table, click the connector that you want to edit.

The Edit Connector pane appears.

5. Modify any of the following connector settings:

l In the Select or Create Network drop-down box, change the existing network for your
connector or click the button to create a new network.

l In the Connector Name box, change the name of the connector.

l In the Application ID box, change the application ID.

l In the Tenant ID box, change the tenant ID.

l In the Client Secret box, change the client secret.

l Use the Auto Account Discovery toggle to enable or disable automatic discovery of
subscription IDs.

l If Auto Account Discovery is disabled, add or remove subscription IDs.

l In the Schedule Import options, change the frequency of scheduled imports.

6. Click Save.

Tenable Vulnerability Management saves the connector. There may be a short delay before
your assets appear in Tenable Vulnerability Management.

To edit an Amazon Web Services (AWS) connector:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the connector table, click the connector that you want to edit.

The Edit Connector pane appears.

5. Modify the connector.

If using AWS role delegation (keyless authentication):


l In the Select or Create Network drop-down box, change the existing network for your
connector or click the button to create a new network.

l In the Connector Name box, change the name of the connector.

l Use the Auto Account Discovery toggle to enable or disable automatic discovery of
linked accounts and CloudTrails.

l In the Schedule Import options, change the frequency of scheduled imports.

If using key-based authentication:


l In the Select or Create Network drop-down box, change the existing network for your
connector or click the button to create a new network.

l In the Connector Name box, change the name of the connector.


l In the Access Key box, change the access key.

l In the Secret Key box, change the secret key that corresponds to the access key.

l In the Additional Accounts section, add or remove linked accounts.

l In the AWS CloudTrails section, add or remove CloudTrails.

l Click Refresh CloudTrails to query the AWS regions and update the AWS CloudTrails
table.

l In the Schedule Import options, change the frequency of scheduled imports.

6. (Optional) If you selected different trails, click Find Assets.

The number of assets to be imported into Tenable Vulnerability Management appears next to
the Find Assets button. This number may include assets that were previously imported. No
duplicate is created if an asset was previously imported.

7. Click Save.

Tenable Vulnerability Management saves the connector. If you selected different trails, your assets
from AWS are imported. There may be a short delay before your assets appear in Tenable Vulnerability
Management.

To edit a Google Cloud Platform (GCP) connector:


1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the connector table, click the connector that you want to edit.

The Edit Connector pane appears.

5. Modify any of the following connector settings:

l In the Select or Create Network drop-down box, change the existing network for your
connector or click the button to create a new network.

l In the Connector Name box, change the name of the connector.

l Under Service Account Key, click Add File to change your service account key.

l In the Schedule Import options, change the frequency of scheduled imports.

6. Click Save.

Tenable Vulnerability Management saves the connector. There may be a short delay before
your assets appear in Tenable Vulnerability Management.

To edit a Tenable Container Security connector:


1. Log in to Tenable Container Security. For information about how to log in, see Log In to
Tenable Container Security in the Tenable Container Security User Guide.

2. In the Connectors section of the Container Security dashboard, click View Connectors.

The Connectors page appears.

3. In the connector table, click the connector you want to edit.

The Enter Connector Details pane appears.

4. Modify one or more of the following connector details:

l In the URL box, change the URL.

l In the PORT box, change the port.

l In the USER NAME box, change your username.

l In the PASSWORD box, change your password.

5. Click Save.

Tenable Container Security saves the connector. There may be a short delay before your assets appear
in Tenable Vulnerability Management.

Note: For more information about Tenable Container Security connectors, see Configure Connectors to
Import Images in the Tenable Vulnerability Management Container Security User Guide.

Delete a Connector


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

To delete a connector:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Cloud Connectors tile.

The Cloud Connectors page appears and displays the configured connectors table.

4. In the connector table, click the button next to the connector that you want to delete.

A Confirm Deletion window appears.

5. Click Delete.

Tenable Vulnerability Management deletes the connector.

What to do next:

l If you deleted an AWS connector with keyless authentication, see Manually Delete Connector
Artifacts in AWS.

Remove Frictionless Assessment


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

You can remove or offboard your existing AWS and Azure connectors from your Tenable container
when you upgrade to Agentless Assessment.

l Remove AWS Frictionless Assessment

l Remove Azure Frictionless Assessment

Important: Frictionless Assessment connectors do not support Recast/Accept Rules.

Remove AWS Frictionless Assessment

There are two types of connectors:


l AWS Frictionless Assessment connector with keyless authentication

l AWS Frictionless Assessment connector

AWS Frictionless Assessment Connector with Keyless Authentication

Considerations before removing the AWS Frictionless Assessment connector with keyless
authentication:

l This connector includes both discovery and Frictionless Assessment functionality.

l After deletion, you must create another discovery connector to continue the discovery
functionality.

l Check if the connector deployed one of the following CloudFormation templates during the
creation process:

l AWS Keyless Frictionless Assessment single tag CloudFormation template

l AWS Keyless Frictionless Assessment CloudFormation template
To remove the AWS Frictionless Assessment connector with keyless authentication:

1. Delete the AWS connector. For more information, see Delete a Connector.

Tenable removes the following AWS Systems Manager resources from your account:

l TenableInventoryAssociation — AWS Systems Manager association name.

l TenableInventoryCollection — AWS Systems Manager document name.

l tenb-inv-upload-<customerRegionName>-<clusterName>-sync — ResourceDataSync.

2. In AWS, verify that the AWS Systems Manager resources have been removed from your account.

3. In AWS, remove the Stack instance with the name tenableio-connector-aws-keyless-fa-single-tag-cft
or tenableio-connector-aws-keyless-fa-cft.

This removes the permissions that Tenable required to perform the Frictionless Assessment
inventory scanning and discovery.

4. (Optional) Remove the tags for AWS EC2 instances used for Frictionless Assessment.
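One way to carry out step 2 (verify that the AWS Systems Manager resources are gone) and to confirm that the stack instance from step 3 no longer exists, as an added example that is not Tenable's code. It looks for the resource names listed above (TenableInventoryAssociation, TenableInventoryCollection, the tenb-inv-upload-…-sync ResourceDataSync and the tenableio-connector-aws-keyless-fa[-single-tag]-cft stack instance). The live path assumes the AWS CLI is installed and configured with read access to Systems Manager and CloudFormation; the sample API responses embedded in the block are constructed for illustration. Stack instances created from a StackSet carry the set name inside a longer generated stack name, so the stack check matches on substring, and stacks already in DELETE_COMPLETE (which list-stacks keeps reporting for 90 days) are not counted as leftovers.

```python
"""Check an AWS account for Frictionless Assessment leftovers after deleting the
keyless connector. Added example, not Tenable's code. The resource names are the
ones the guide lists; the AWS CLI is assumed to be installed and configured."""
import json
import subprocess
from typing import Dict, List, Optional

ASSOCIATION_NAME = "TenableInventoryAssociation"          # SSM association
DOCUMENT_NAME = "TenableInventoryCollection"              # SSM document
SYNC_PREFIX, SYNC_SUFFIX = "tenb-inv-upload-", "-sync"    # ResourceDataSync name pattern
STACK_MARKERS = (                                         # stack instance names from the guide
    "tenableio-connector-aws-keyless-fa-single-tag-cft",
    "tenableio-connector-aws-keyless-fa-cft",
)


def leftover_tenable_resources(associations: Dict, documents: Dict,
                               data_syncs: Dict, stacks: Dict) -> List[str]:
    """Return identifiers of Tenable Frictionless Assessment resources still present.

    Arguments are the parsed JSON bodies of `aws ssm list-associations`,
    `aws ssm list-documents`, `aws ssm list-resource-data-sync` and
    `aws cloudformation list-stacks`. An empty list means the cleanup is complete.
    """
    found: List[str] = []
    for assoc in associations.get("Associations", []):
        if assoc.get("AssociationName") == ASSOCIATION_NAME:
            found.append(f"ssm:association:{ASSOCIATION_NAME}:{assoc.get('AssociationId', '?')}")
    for doc in documents.get("DocumentIdentifiers", []):
        if doc.get("Name") == DOCUMENT_NAME:
            found.append(f"ssm:document:{DOCUMENT_NAME}")
    for sync in data_syncs.get("ResourceDataSyncItems", []):
        name = sync.get("SyncName", "")
        if name.startswith(SYNC_PREFIX) and name.endswith(SYNC_SUFFIX):
            found.append(f"ssm:resource-data-sync:{name}")
    for stack in stacks.get("StackSummaries", []):
        name, status = stack.get("StackName", ""), stack.get("StackStatus", "")
        if status == "DELETE_COMPLETE":
            continue  # list-stacks reports deleted stacks for 90 days; not a leftover
        # StackSet instances embed the set name in a generated stack name: match by substring.
        if any(marker in name for marker in STACK_MARKERS):
            found.append(f"cloudformation:stack:{name}:{status}")
    return found


def _aws(*args: str) -> Dict:
    """Run one read-only AWS CLI command and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def check_account(region: Optional[str] = None) -> List[str]:
    """Live check of the configured AWS account; SSM resources are regional, so run per region."""
    extra = ["--region", region] if region else []
    return leftover_tenable_resources(
        _aws("ssm", "list-associations", *extra),
        _aws("ssm", "list-documents", "--filters", "Key=Owner,Values=Self", *extra),
        _aws("ssm", "list-resource-data-sync", *extra),
        _aws("cloudformation", "list-stacks", *extra),
    )


# Constructed sample responses (not real account data): the association and the
# ResourceDataSync are still present, the document is gone, the stack is deleted.
SAMPLE_ASSOCIATIONS = {"Associations": [
    {"Name": "TenableInventoryCollection", "AssociationName": "TenableInventoryAssociation",
     "AssociationId": "00000000-0000-0000-0000-000000000001"},
    {"Name": "AWS-UpdateSSMAgent", "AssociationName": "agent-update",
     "AssociationId": "00000000-0000-0000-0000-000000000002"},
]}
SAMPLE_DOCUMENTS = {"DocumentIdentifiers": [{"Name": "Example-Baseline", "Owner": "123456789012"}]}
SAMPLE_SYNCS = {"ResourceDataSyncItems": [
    {"SyncName": "tenb-inv-upload-us-east-1-cluster1-sync", "SyncType": "SyncToDestination"}]}
SAMPLE_STACKS = {"StackSummaries": [
    {"StackName": "StackSet-tenableio-connector-aws-keyless-fa-cft-0000", "StackStatus": "DELETE_COMPLETE"},
    {"StackName": "prod-network", "StackStatus": "CREATE_COMPLETE"},
]}

if __name__ == "__main__":
    leftovers = check_account()
    print("cleanup complete" if not leftovers else "\n".join(leftovers))
```

Run it once per region in which the connector operated, with credentials for the account the connector was attached to; a non-empty result lists exactly which resource still has to be removed before the connector's permissions and inventory upload are truly gone.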

AWS Frictionless Assessment Connector

Considerations before removing the AWS Frictionless Assessment connector:


l This connector includes only the Frictionless Assessment functionality.

l The CloudFormation StackSet deployed the AWS Systems Manager resources for this
connector. Therefore, when you delete the stack instances and the StackSet from your AWS
Account, the AWS Systems Manager resources are removed.

l Check if you have set up a separate discovery connector for the same account as the one for
the Frictionless Assessment connector. This discovery connector detects terminated assets.
There is no need to remove this discovery connector as it continues to discover and import
assets from your AWS account.

To remove the AWS Frictionless Assessment connector:


1. In Tenable Vulnerability Management, delete the AWS Frictionless Assessment connector. For
more information, see Delete a Connector.

Tenable removes the backend configuration for the connector so that the inventory for your
account is no longer processed.

2. In AWS, remove the StackSet that you deployed with this CloudFormation template from your
AWS account.

This removes the AWS Systems Manager association, AWS Systems Manager document, and
ResourceDataSync from your account. When this step is complete, Tenable no longer receives
your inventory for scanning.

3. (Optional) Remove the tags for EC2 instances scanned by Frictionless Assessment.

Remove Azure Frictionless Assessment

The Azure Frictionless Assessment connector is similar to the AWS Frictionless Assessment connector.

To remove the Azure Frictionless Assessment connector:

1. In Tenable Vulnerability Management, delete the Azure Frictionless Assessment connector.
For more information, see Delete a Connector.

2. In the Azure portal, locate and delete the Tenable-FA-Connector-* resource group.

This is the resource group deployed by the ARM template when you created the Azure
Frictionless Assessment connector.

3. (Optional) Remove the tags used for Frictionless Assessment.
