Tenable Vulnerability Management-User Guide

Uploaded by

Harsha Vardhan

Tenable Vulnerability Management User Guide

Last Revised: June 20, 2024

Copyright © 2024 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents

Welcome to Tenable Vulnerability Management
Get Started with Tenable Vulnerability Management
Tenable Vulnerability Management Licenses
System Requirements
Sensor Connection Requirements
Log in to Tenable Vulnerability Management
CVSS vs. VPR
CVSS
CVSS-Based Severity
CVSS-Based Risk Factor
Vulnerability Priority Rating
VPR Key Drivers
Vulnerability Severity Indicators
Vulnerability Mitigation
Vulnerability States
Log Out of Tenable Vulnerability Management
Navigate Tenable Vulnerability Management
Navigate Breadcrumbs
Navigate Planes
Tenable Vulnerability Management Tables
Tenable Vulnerability Management Workbench Tables
Filter a Table
Get Started with Tenable Lumin
Error Messages
Dashboards
Vulnerability Management Dashboard
Vulnerability Management Overview (Explore)
Tenable Web App Scanning Dashboard
View the Dashboards Page
Tenable-Provided Dashboards
Export a Full Dashboard Landing Page
Export an Individual Dashboard Widget
View an Individual Dashboard
View the Dashboard Template Library
Create a Dashboard
Preview a Dashboard
Enable Explore Dashboards
Manage Dashboards
Dashboard Groups
Add a Dashboard Group
Share a Dashboard Group
Edit a Dashboard Group
Delete a Dashboard Group
Automatically Update Widgets on a Dashboard
Edit a Dashboard
Set a Default Dashboard
Rename a Dashboard
Duplicate a Dashboard
Filter a Dashboard
Filter a Dashboard by Time
Share a Dashboard
Manage Dashboard Exports
Export a Dashboard
Download a Dashboard Export
View Dashboard Export History
Delete a Dashboard Export Download
Delete a Dashboard Export Configuration
Delete a Dashboard
Manage Widgets
View the Widget Library
Delete a Widget from the Widget Library
Create a Custom Widget
Create a Custom Widget for Explore Dashboards
Edit a Custom Widget
Add a Widget to a Dashboard
Configure a Widget
Duplicate a Widget
Rename a Widget
Delete a Widget from a Dashboard
Welcome to Tenable Lumin
Tenable Lumin Metrics
Improve Your Tenable Lumin Metrics
Edit an ACR Manually
Tenable Lumin Data Timing
View the Tenable Lumin Dashboard
Export the Tenable Lumin Dashboard Landing Page
Export a Widget from the Tenable Lumin Dashboard
Update the Tenable Lumin Industry Benchmark
Tenable Lumin Dashboard Widgets
View the CES Details Panel
View Assessment Maturity Details
View Remediation Maturity Details
View Business Context/Tag Asset Details
View Mitigations Details in Tenable Lumin
Plugins for Mitigation Detection
Export Mitigations
Mitigations Export File Contents
View and Download Exported Mitigations
View Recommended Actions
Export Recommended Actions
Recommended Actions Export File Contents
Scans
Manage Scans
Scans Overview
Create a Scan
View Scans
View Scan Details
View Scan Vulnerability Details
Scan Filters
Launch a Scan
Launch a Scan
Launch a Rollover Scan
Launch a Remediation Scan
Stop a Running Scan
Pause or Resume a Scan
Change Scan Ownership
Change the Scan Read Status
Edit a Scan Configuration
Configure vSphere Scanning
Copy a Scan Configuration
Export Scan Results
Import a Scan
Organize Scans by Folder
Move a Scan to the Trash Folder
Delete a Scan
Discovery Scans vs. Assessment Scans
Identify Assets That Have Not Been Assessed
Scan Failovers
Scan Status
Scan Templates
Tenable-Provided Tenable Nessus Scanner Templates
Tenable-Provided Tenable Nessus Agent Templates
Tenable-Provided Tenable Web App Scanning Templates
User-Defined Templates
Scan Settings
Tenable Vulnerability Management Scan Settings
Basic Settings in Tenable Vulnerability Management Scans
Basic Settings in User-Defined Templates
Triggered Agent Scans
Triggered vs. Window Scans
Find Triggered Scan Details
Scan Targets
Target Groups
Info-level Reporting
Description
Configuration
Limitations and Considerations
Discovery Settings in Tenable Vulnerability Management Scans
Preconfigured Discovery Settings
Assessment Settings in Tenable Vulnerability Management Scans
Preconfigured Assessment Settings
Report Settings in Tenable Vulnerability Management Scans
Advanced Settings in Tenable Vulnerability Management Scans
Preconfigured Advanced Settings
Credentials in Tenable Vulnerability Management Scans
Add a Credential to a Scan
Edit a Credential in a Scan
Add a Credential to a User-defined Template
Edit a Credential in a User-defined Template
Convert a Scan-specific Credential to a Managed Credential
Cloud Services
Database Credentials
DB2
MySQL
Oracle
PostgreSQL
SQL Server
Sybase ASE
Cassandra
MongoDB
Database Credentials Authentication Types
Client Certificate
Password
Import
BeyondTrust
CyberArk
CyberArk (Legacy)
Delinea
HashiCorp Vault
Lieberman
QiAnXin
Senhasegura
Host
Privilege Escalation
Miscellaneous
Mobile
Patch Management
Plaintext Authentication
Compliance in Tenable Vulnerability Management Scans
SCAP Settings in Tenable Vulnerability Management Scans
Configure Plugins in Tenable Vulnerability Management Scans
Tenable Web App Scanning Scan Settings
Basic Settings in Tenable Web App Scanning Scans
Scope Settings in Tenable Web App Scanning Scans
Assessment Settings in Tenable Web App Scanning Scans
Report Settings in Tenable Web App Scanning Scans
Advanced Settings in Tenable Web App Scanning Scans
Credentials in Tenable Web App Scanning Scans
Tenable Web App Scanning Selenium Commands
HTTP Server Authentication Settings in Tenable Web App Scanning Scans
Web Application Authentication
Client Certificate Authentication
Plugin Settings in Tenable Web App Scanning Scans
Scan Distribution
Scanner Capacity
Job Queues
Dispatching Tasks
Configure Scan Routing
Scan Best Practices
Introduction
General Best Practices
Role-Based Access Control (RBAC)
Credentialed Scanning
Proper Inventory of Assets
Deleting Assets
Agent Scanning
Scan Hygiene
API Scan Creation Best Practices
Duplication Challenges and Remedies
Server with Multiple NICs
Firewall and Layer 3 Switches
Agents and Non-Credentialed Scans
Ephemeral Assets
Scan Limitations
Vulnerability Intelligence
Search Known Vulnerabilities
View Vulnerability Profiles
Vulnerability Information
How Does This Affect Me
Sources
Vulnerability Metrics
Identify Your Exposure
Work with the Query Builder
Query Builder Filters
Use Saved Searches in Vulnerability Intelligence
Export from Vulnerability Intelligence
CVEs
My Findings
My Affected Assets
Plugins
Tag Affected Assets
Vulnerability Categories
Explore
Explore Overview
Findings
View the Findings Workbench
Vulnerabilities
Cloud Misconfigurations
Host Audits
Web Application Findings
View Finding Details
Vulnerability Details
Cloud Misconfiguration Details
Host Audit Details
Web Application Findings Details
Findings Filters
Group Your Findings
Add Recast or Accept Rules in Findings
Generate a Findings Report
Assets
View the Assets Workbench
Host Assets
Cloud Resources
Web Applications
Domain Inventory
View Asset Details
Host Asset Details
Cloud Resource Details
Web Application Details
Domain Inventory Preview
Asset Filters
Open Ports and the Assets workbench
Working with Ports
Supported Plugins
View Asset Visualizations
Edit the ACR for Host Assets
Move Assets to Another Network
Remove and Prevent Duplicate Assets
Download Inventory Debug Data
Delete Assets
Filter Findings or Assets
Use Filters
Use the Context Menu
Customize Explore Tables
Export Findings or Assets
Saved Filters for Findings or Assets
Create a Saved Filter
Use a Saved Filter
Edit a Saved Filter
Rename a Saved Filter
Share a Saved Filter
Delete a Saved Filter
Explore vs. Legacy Workbenches
Vulnerabilities
View Vulnerabilities by Plugin
View Vulnerabilities by Asset
View Vulnerabilities by Application in Tenable Web App Scanning
View Vulnerability Details
Create an Accept Rule from Vulnerability Details
Create a Recast Rule from Vulnerability Details
View Plugin Output
Copy Plugin Output
View Plugin Attachments
Export Vulnerability Data
CSV Vulnerability Export Fields
Vulnerability Filters
Application Filters in Tenable Web App Scanning
Assets
View Assets
Asset View
Discover and Assess
View Asset Details
View Asset Activity
Manage Asset Tags
Search Assets by Tag from the Assets Page
Remove a Tag from an Asset via the Asset View
Export Asset Data
CSV Asset Export Fields
Download an Asset's Inventory Debug Data (Assets View section)
Export Vulnerability Data for an Asset
Delete Assets
View Deleted Assets
Asset Filters
Act
Reports
Report Templates
Report Settings
Create a Report
Generate a Report
View Report Details
Share Report Templates
Edit an Existing Report
Filter Reports
Schedule a Report
Email Report Results
Edit a Report Schedule
Delete a Report
Remediation
View Remediations
Remediation Filters
Remediation Projects
Create a New Remediation Project
Create a New Remediation Project From Findings
View Remediation Project Details
Remediation Project Details
Edit a Remediation Project
Activate a Remediation Project
Suspend a Remediation Project
Close a Remediation Project
Export Remediation Projects
Delete a Remediation Project
Remediation Goals
Fixed-Scope and Ongoing Remediation Goals
Create a New Remediation Goal
View Remediation Goal Details
Edit a Remediation Goal
Activate a Remediation Goal
Suspend a Remediation Goal
Close a Remediation Goal
Export Remediation Goals
Delete a Remediation Goal
Solutions
View Solutions
Solutions Filters
Export Solutions
View Solution Details
Tenable Container Security Dashboard
Tenable Container Security Scanner Scanning Overview
Log in to Tenable Container Security via the Docker CLI
Push a Container Image to Tenable Container Security
Push from Bamboo to Tenable Container Security
Push from CircleCI to Tenable Container Security
Push from Codeship to Tenable Container Security
Push from Distelli to Tenable Container Security
Push from Drone.io to Tenable Container Security
Push from Jenkins to Tenable Container Security
Push from Shippable to Tenable Container Security
Push from Solano Labs to Tenable Container Security
Push from Travis CI to Tenable Container Security
Push from Wercker to Tenable Container Security
Tenable Container Security Scanner with Kubernetes
Tenable Container Security Scanner System Requirements for Kubernetes
Prepare Kubernetes Objects to Configure and Run the Tenable Container Security Scanner
Configure and Run the Tenable Container Security Scanner in Kubernetes
Tenable Container Security Scanner
Tenable Container Security Scanner System Requirements
Download the Tenable Container Security Scanner
Tenable Container Security Scanner Environment Variables
Configure and Run the Tenable Container Security Scanner
Scan an Image via the Tenable Container Security Scanner
Scan a Registry via the Tenable Container Security Scanner
Prepare your Registry
Glossary of Tenable Container Security Terms
Configure Tenable Container Security Connectors to Import and Scan Images
Configure an AWS ECR Connector to Import Images in Tenable Container Security
Configure a Local Connector to Import Images in Tenable Container Security
View Container Details
View Scan Results for Container Images
Manage Tenable Container Security Image Repositories
Delete an Image in Tenable Container Security
Manage Tenable Container Security Policies
Add a Tenable Container Security Policy
Edit a Tenable Container Security Policy
Delete a Tenable Container Security Policy
Tenable Container Security Policy Condition Settings
Risk Metrics in Tenable Container Security
View Tenable Container Security Data Usage
Tenable PCI ASV
Settings
General Settings
My Account
View Your Account Details
Update Your Account
Change Your Password
Configure Two-Factor Authentication
Generate API Keys
Unlock Your Account
SAML
View SAML Configurations
Add a SAML Configuration
Edit a SAML Configuration
Disable a SAML Configuration
Enable a SAML Configuration
Enable Automatic Account Provisioning
Disable Automatic Account Provisioning
Delete a SAML Configuration
License Information
Access Control
Users
Create a User Account
Edit a User Account
View Your List of Users
Tenable Vulnerability Management Password Requirements
Change Another User's Password
Assist a User with Their Account
Generate Another User's API Keys
Unlock a User Account
Disable a User Account
Enable a User Account
Manage User Access Authorizations
Audit User Activity
Export Users
Delete a User Account
User Groups
Create a User Group
Edit a User Group
Export Groups
Delete a Group
Permissions
Create and Add a Permission Configuration
Add a Permission Configuration to a User or Group
Edit a Permission Configuration
Export Permission Configurations
Remove a Permission Configuration from a User or Group
Delete a Permission Configuration
Roles
Tenable-Provided Roles and Privileges
Custom Roles
Create a Custom Role
Duplicate a Role
Edit a Custom Role
Delete a Custom Role
Export Roles
API Access Security
Activity Logs
Export Activity Logs
Access Groups
Transition to Permission Configurations
Convert an Access Group to a Permission Configuration
Access Group Types
Restrict Users for All Assets Group
Create an Access Group
Configure User Permissions for an Access Group
Edit an Access Group
View Assets Not Assigned to an Access Group
View Your Assigned Access Groups
Delete an Access Group
Access Group Rule Filters
Scan Permissions Migration
Language
Exports
Scheduled Exports
View Your Scheduled Exports
Disable a Scheduled Export
Enable a Disabled Scheduled Export
Delete a Scheduled Export
Export Activity
Filter your Exports
Export Filters
Renew an Export Expiration Date
Stop an Export
Download Export Activity
Export your Export Activity
Delete an Export
Recast/Accept Rules
View Recast/Accept Rules
Create a Recast Rule
Create an Accept Rule for a Plugin
Edit a Recast or Accept Rule
Export Recast Rules
Delete a Recast or Accept Rule
Tags
Examples: Asset Tagging
Tag Format and Application
Create a Manual or Automatic Tag
Considerations for Tags with Rules
Tag Rules
Create a Tag Rule
Edit a Tag Rule
Delete A Tag Rule
Tag Rules Filters
Create a Tag via Asset Filters
Edit a Tag or Tag Category
Edit a Tag via Asset Filters
Add a Tag to an Asset
Remove a Tag from an Asset
Export Tags
Delete a Tag Category
Delete a Tag
Search for Assets by Tag from the Tags Table
Sensors
Agents
Retrieve the Tenable Nessus Agent Linking Key
Download Linked Agent Logs
Restart an Agent
Unlink an Agent
Rename an Agent
Agent Settings
Modify Remote Agent Settings
Modify Global Agent Settings
Agent Profiles
Add or Remove Agents from Agent Profiles
Agent Status
Export Agents
Export Linked Agents
Export Linked Agent Details
Filter Agents
Agent Filters
Agent Groups
Create an Agent Group
Add an Agent to an Agent Group
Edit an Agent Group
Delete an Agent Group
Remove an Agent from an Agent Group
View Agents in an Agent Group
Agent Group Filters
Freeze Windows
Create a Freeze Window
Edit a Freeze Window
Enable or Disable a Freeze Window
Export Freeze Windows
Delete a Freeze Window
Plugin Updates
Connection Disruptions
Networks
Create a Network
View or Edit a Network
Add a Scanner to a Network
Remove a Scanner from a Network
Add an Agent to a Network
Remove an Agent from a Network
Move Assets to a Network via Settings
Delete Assets in a Network
Delete Assets Manually
Delete Assets Automatically
Export Networks
Delete a Network
Linked Scanners
View Linked Scanners
Rename a Linked Scanner
Download Linked Scanner Logs
Export Linked Scanners
Export Linked Scanner Details
Differential Plugin Updates
Scanner Groups
Create a Scanner Group
Modify a Scanner Group
Configure User Permissions for a Scanner Group
Delete a Scanner Group
Add a Sensor to a Scanner Group
Remove a Sensor from a Scanner Group
View Sensors in a Scanner Group
View All Running Scans for a Sensor
OT Connectors
Cloud Sensors
Tenable FedRAMP Moderate Cloud Sensors
Sensor Security
Link a Sensor
Regenerate a Linking Key
View Sensors and Sensor Groups
View Sensor Details
Edit Sensor Settings
Edit Sensor Permissions
Enable or Disable a Sensor
Remove a Sensor
Credentials
Create a Managed Credential
Edit a Managed Credential
Configure User Permissions for a Managed Credential
Export Credentials
Delete a Managed Credential
Exclusions
Create an Exclusion
Edit an Exclusion
Import an Exclusion
Exclusion Import File
Export an Exclusion
Delete an Exclusion
Exclusion Settings
Connectors
Amazon Web Services Connector
Frictionless Assessment for AWS
Operating System Coverage
Licensing Considerations
Supported Regions
Limitations
Get Started
Configure AWS for Frictionless Assessment
Create an AWS Connector for Frictionless Assessment
Edit an AWS Frictionless Assessment Connector
Manually Delete Connector Artifacts in AWS
Update AWS Frictionless Assessment Connectors to Detect Log4j
AWS Cloud Connector (Discovery Only)
AWS Connector with Keyless Authentication (Discovery Only)
Configure AWS for Keyless Authentication (Discovery Only)
Create an AWS Connector with Keyless Authentication (Discovery Only)
AWS Connector with Key-based Authentication
Configure AWS for Key-based Authentication
Configure Linked AWS Accounts for Key-based Authentication
Create an AWS Connector with Key-based Authentication
Microsoft Azure Connector
Frictionless Assessment for Azure
Create an Azure Connector for Frictionless Assessment
Manually Delete Connector Artifacts from Azure Frictionless Assessment
Azure Runbook Information
Configure Microsoft Azure (Discovery Only)
Create Azure Application
Obtain Azure Tenant ID (Directory ID)
Obtain Azure Subscription ID
Grant the Azure Application Reader Role Permissions
Link Azure Subscriptions
Create a Microsoft Azure Connector
Google Cloud Platform Connector
Configure Google Cloud Platform (GCP)
Create a Google Cloud Platform Connector (Discovery Only)
Manage Existing Connectors
Launch a Connector Import Manually
View Connectors Details
View Connector Event History
Edit a Connector
Delete a Connector
Remove Frictionless Assessment
Remove AWS Frictionless Assessment
Remove Azure Frictionless Assessment

Welcome to Tenable Vulnerability Management
Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams
to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor
scanners, scan schedules, scan policies, and scan results among an unlimited set of users or
groups.

Note: Tenable Vulnerability Management can be purchased alone or as part of the Tenable One package.
For more information, see Tenable One.

Tip: The Tenable Vulnerability Management User Guide is available in English and Japanese. The Tenable
Vulnerability Management user interface is available in English, Japanese, and French. To switch the user
interface language, see Language.

For additional information on Tenable Vulnerability Management, review the following customer
education materials:

• Tenable Vulnerability Management Self Help Guide

• Tenable Vulnerability Management Introduction (Tenable University)

Tenable One Exposure Management Platform


Tenable One is an Exposure Management Platform to help organizations gain visibility across the
modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber
risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources,
containers, web apps, and identity systems, builds on the speed and breadth of vulnerability
coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and
communicate cyber risk. Tenable One allows organizations to:

• Gain comprehensive visibility across the modern attack surface

• Anticipate threats and prioritize efforts to prevent attacks

• Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of
the Tenable One Exposure Management platform.

Tip: For additional information on getting started with Tenable One products, check out the Tenable One
Deployment Guide.

Tenable Vulnerability Management


Video: Introduction to Tenable Vulnerability Management

Get Started with Tenable Vulnerability Management

By making different resources available for sharing among users and groups, Tenable Vulnerability
Management provides endless possibilities for creating customized workflows for vulnerability
management programs, regardless of any of the numerous regulatory or compliance drivers that
demand keeping your business secure.

Tenable Vulnerability Management can schedule scans, push policies, view scan findings, and
control multiple Tenable Nessus scanners from the cloud. This enables the deployment of Tenable
Nessus scanners throughout networks to both public and private clouds as well as multiple physical
locations.

Tenable Lumin
Get Started with Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Lumin features augment Tenable Vulnerability Management data. Use Tenable Lumin to
quickly and accurately assess your exposure risk and compare your health and remediation
performance to other Tenable customers in your Salesforce industry and the larger population.

Tenable Lumin correlates raw vulnerability data with asset business criticality and threat context
data to support faster, more targeted analysis workflows than traditional vulnerability management
tools.

Tenable Web App Scanning


Tenable Web App Scanning offers significant improvements over the existing Web Application
Tests policy template provided by the Tenable Nessus scanner, which is incompatible with modern
web applications that rely on JavaScript and are built on HTML5. That incompatibility leaves you
with an incomplete understanding of your web application security posture.

Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web
applications. Tenable Web App Scanning's accurate vulnerability coverage minimizes false positives
and false negatives, ensuring that security teams understand the true security risks in their web
applications. The product offers safe external scanning that ensures production web applications
are not disrupted or delayed, including those built using HTML5 and AJAX frameworks.

Tenable Container Security


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Video: Introducing Tenable Container Security

Tenable Container Security stores and scans container images as the images are built, before
production. It provides vulnerability and malware detection, along with continuous monitoring of
container images. By integrating with the continuous integration and continuous deployment
(CI/CD) systems that build container images, Tenable Container Security ensures every container
reaching production is secure and compliant with enterprise policy.

Tenable Vulnerability Management API


See the API

The Tenable Vulnerability Management API can be leveraged to develop your own applications using
various features of the Tenable Vulnerability Management platform, including scanning, creating
policies, and user management.

Get Started with Tenable Vulnerability Management


Use the following getting started sequence to configure and mature your Tenable Vulnerability
Management deployment.

1. Prepare a Deployment Plan

2. Install and Link Scanners

3. Configure Scans

4. Additional Tenable Vulnerability Management Configurations

5. Review and Analyze

6. Expand

Tip: For additional information on Tenable Vulnerability Management, review the following customer
education materials:

• Tenable Vulnerability Management Self Help Guide

• Tenable Vulnerability Management Introduction (Tenable University)

Prepare a Deployment Plan


To establish a deployment plan and analysis workflow:

1. Review principles of the TCP/IP internet protocol suite. Tenable Vulnerability Management
documentation assumes you know basic networking concepts and principles.

2. Get your Tenable Vulnerability Management access information and starter account
credentials from your Tenable representative.

3. If necessary, access Tenable Support and training resources for Tenable Vulnerability
Management, including the Professional Services Scan Strategy guide.

4. Design a deployment plan by identifying your organization's objectives and analyzing your
network topology. Consider Tenable-recommended best practices for your environment.

For more information about environment requirements, see the guidelines provided for your
scanner in the General Requirements Guide. For more information about supported browsers
for Tenable Vulnerability Management, see System Requirements.

5. Design an internal scanning and external scanning plan. Identify the scans you intend to run
and ensure that you have sufficient network coverage.

6. Design an analysis workflow. Identify key stakeholders in your management and operational
groups, considering the data you intend to share with each stakeholder.

Install and Link Scanners

To install your scanners and link them to Tenable Vulnerability Management:

1. Log in to the Tenable Vulnerability Management user interface.

2. Set up your linked scanners:

• If your deployment plan includes Tenable Nessus scanners, install Tenable Nessus as
described in Install Tenable Nessus in the Tenable Nessus User Guide.

• If your deployment plan includes Tenable Nessus Agents, install agents as described in
Install Tenable Nessus Agents in the Tenable Nessus Agent Deployment and User Guide.

• If your deployment plan includes Tenable Nessus Network Monitor, install Tenable
Nessus Network Monitor as described in Install NNM in the Tenable Nessus Network
Monitor User Guide.
  ◦ Then, configure Tenable Nessus Network Monitor to communicate with Tenable
  Vulnerability Management, as described in Configure NNM in the Tenable Nessus
  Network Monitor User Guide.

• If your deployment plan includes Tenable Web App Scanning, install web applications as
described in Deploy or Install Tenable Core + Tenable Web App Scanning in the Tenable
Core User Guide.

Then, link your first scanners to Tenable Vulnerability Management, as described in Link a
Sensor.

Configure Scans
Configure and run basic scans to begin evaluating the effectiveness of your deployment
plan and analysis workflow:

Note: For information on how to configure scans based on your environment and business needs, see the
Tenable Vulnerability Management Scan Tuning Guide.

1. Configure your first active scan using the Basic Network Scan template:

a. Create a scanner group, as described in Create a Scanner Group.

b. Create a scan using the Basic Network Scan template, as described in Create a Scan.

2. Configure your first agent scan using the Basic Agent Scan template:

a. Create an agent group, as described in Create an Agent Group.

b. Create an agent scan using the Basic Agent Scan template, as described in Create a
Scan.

3. Launch your first Tenable Nessus scan and agent scan, as described in Launch a Scan.

4. Confirm your Tenable Nessus scan and agent scan completed, accessing all targeted areas of
your network. Review your discovered assets to assess your knowledge of your network.

Additional Tenable Vulnerability Management Configurations


Configure other features, if necessary, and refine your existing configurations:

1. Create user accounts and create user groups within your Tenable Vulnerability Management
container.

2. Create access groups to manage view and scan permissions for assets and targets.

3. Configure tags to organize, group, and control access to assets.

4. Set up asset discovery with connectors, Professional Services integrations, or integrated
products. For more information, see Connectors, the Custom Integration Services page, or
the Integration Guides section of the Tenable Vulnerability Management Documentation page.

5. Configure managed credentials, scan-specific credentials, or policy-specific credentials for a
Tenable Nessus scan, as described in Credentials. For more information about configuring
and troubleshooting credentialed scans, see Tenable Nessus Credentialed Checks.

a. Launch your credentialed Tenable Nessus scan and credentialed agent scan, as
described in Launch a Scan.

b. Confirm your credentialed scan completed, accessing all targeted areas of your
network.

6. If you want to assess your exposure, obtain a Tenable Lumin license.

7. If you want to perform web application scanning, obtain a Tenable Web App Scanning license.

8. If you want to evaluate risk on your containers, obtain a Tenable Container Security license.

9. Configure user Access Control to control what objects users can and cannot view and interact
with within Tenable Vulnerability Management.

Review and Analyze


Tip: Tenable recommends frequently reviewing your scan results and scan coverage. You may need to
modify your scan configurations to suit your organization's objectives and reach all areas of your network.

To review and analyze your data further, you can:

1. View your scans and individual scan details.

2. View and analyze your vulnerability and asset findings via the Findings and Assets pages.

3. Create a dashboard to gain immediate insight and quickly analyze vulnerabilities in your
network. Use interactive widgets and customizable tables to explore your data.

4. Filter your dashboards, assets, and findings to drill into data and investigate your progress.

5. Create recast or accept rules to recast or accept vulnerabilities discovered by scans.

6. Create a report to share scan and vulnerability information with others in your organization.

Expand
Tenable recommends the following as best practices to keep up to date with your
deployment plan and analysis workflow:
• Conduct weekly meetings to review your organization's responses to identified vulnerabilities.

• Conduct weekly management meetings to oversee your teams executing the analysis
workflow.

• Review your scan results and scan coverage. You may need to modify your scan
configurations to suit your organization's objectives and reach all areas of your network.

• Consider API integrations, as described in the Tenable Vulnerability Management API
Documentation.

Tenable Vulnerability Management Licenses


This topic breaks down the licensing process for Tenable Vulnerability Management as a standalone
product. It also explains how assets are counted, lists add-on components you can purchase,
explains how licenses are reclaimed, and notes plugins whose output is excluded from your license
count.

Licensing Tenable Vulnerability Management


To use Tenable Vulnerability Management, you purchase licenses based on your organizational
needs and environmental details. Tenable Vulnerability Management then assigns those licenses to
your assets: assessed resources from the past 90 days, either identified on scans or imported with
vulnerabilities (for example, servers, storage devices, network devices, virtual machines, or
containers).

When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click
and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more,
contact your Tenable representative.

How Assets Are Counted


When Tenable Vulnerability Management scans an asset, it compares it to previously discovered
assets. In general, if the new asset does not match a previously discovered asset and has been
assessed for vulnerabilities, it counts towards your license.

Tenable Vulnerability Management uses a complex algorithm to identify new assets without creating
duplicates. The algorithm looks at the asset’s BIOS UUID, MAC address, NetBIOS name, fully
qualified domain name (FQDN), and more. Authenticated scanners or agents also assign a Tenable
UUID to each asset to mark it as unique. For more information, see the Tenable Vulnerability
Management FAQ.

The following table describes when assets count towards your license.

Counted Towards Your License:

• An asset identified by an active scan.
• An asset identified by an agent scan.
• An asset import containing vulnerabilities (for example, a scan result from Tenable Nessus Professional).
• Host and Tenable Web App Scanning asset types, if the last licensed scan was within the past 90 days.
• An asset identified by a scan with plugin debugging enabled. To prevent such assets from counting against your license, delete them.

Not Counted Towards Your License:

• A scan configured with the Host Discovery template or configured to use only the discovery plugins.
• An asset import containing no vulnerabilities (for example, ServiceNow data).
• A linked instance of Tenable Nessus Network Monitor running in discovery mode.
• A discovery-only connector, until and unless the asset is scanned for vulnerabilities.
• Scanned Mobile Device Management assets.
• Some plugin output, as described in Excluded Plugin Output.

Tenable Vulnerability Management Components


You can customize Tenable Vulnerability Management for your use case by adding components.
Some components are add-ons that you purchase.

Included with Purchase:

• Unlimited Tenable Nessus scanners.
• Unlimited Tenable Nessus Agents.
• Unlimited Tenable Nessus Network Monitors with vulnerability detection.
• Access to the Tenable Vulnerability Management API.

Add-on Component:

• Tenable PCI ASV.
• Tenable Attack Surface Management.

Reclaiming Licenses
When you purchase licenses, your total license count is static for the length of your contract unless
you purchase more licenses. However, Tenable Vulnerability Management reclaims licenses under
some conditions—and then reassigns them to new assets so that you do not run out of licenses.

The following table explains how Tenable Vulnerability Management reclaims licenses.

Asset Type | License Reclamation Process

Deleted assets | Tenable Vulnerability Management removes deleted assets from the Assets workbench and reclaims their licenses within 24 hours.

Aged out assets | In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable Vulnerability Management reclaims assets after they have not been scanned for a period you specify.

Assets from connectors | Tenable Vulnerability Management reclaims assets from connectors the day after they are terminated. You can observe this event in each connector.

All other assets | Tenable Vulnerability Management reclaims all other assets—such as those imported from other products or assets with no age-out setting—after they have not been scanned for 90 days.

Exceeding the License Limit


To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated
threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed,
Tenable clearly communicates the overage and then reduces functionality in three stages.

Scenario | Result

You scan more assets than are licensed for three consecutive days. | A message appears in Tenable Vulnerability Management.

You scan more assets than are licensed for 15+ days. | A message and warning about reduced functionality appears in Tenable Vulnerability Management.

You scan more assets than are licensed for 45+ days. | A message appears in Tenable Vulnerability Management; scan and export features are disabled.

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated
asset counts. To learn more, see Scan Best Practices.

Expired Licenses
The Tenable Vulnerability Management licenses you purchase are valid for the length of your
contract. 30 days before your license expires, a warning appears in the user interface. During this
renewal period, work with your Tenable representative to add or remove products or change your
license count.

After your license expires, you can no longer sign in to the Tenable platform.

Excluded Plugin Output


The plugins listed in this section do not count towards your license limit.

Note: Plugin IDs are static, but Tenable products may sometimes update plugin names. For the latest
information on plugins, see Tenable Plugins.

Tenable Nessus Plugins in Discovery Settings


Configure the following Tenable Nessus plugins in Discovery Settings. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

10180 Ping the remote host

10335 Nessus TCP scanner

11219 Nessus SYN scanner

14274 Nessus SNMP Scanner

14272 Netstat Portscanner (SSH)

34220 Netstat Portscanner (WMI)

34277 Nessus UDP Scanner

Tenable Nessus Plugins on the Plugins Page


Configure the following Tenable Nessus plugins on the Plugins page. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

45590 Common Platform Enumeration (CPE)

54615 Device Type

12053 Host Fully Qualified Domain Name (FQDN)

11936 OS Identification

10287 Traceroute Information

22964 Service Detection

11933 Do not scan printers

87413 Host Tagging

19506 Nessus Scan Information

33812 Port scanners settings

33813 Port scanner dependency

Tenable Nessus Network Monitor Plugins


The following Tenable Nessus Network Monitor plugins do not count towards your license.

Tenable Nessus Network Monitor Plugin ID Plugin Name

0 Open Ports

12 Host TTL discovered

18 Generic Protocol Detection

19 VLAN ID Detection

20 Generic IPv6 Tunnel Traffic Detection

113 VXLAN ID Detection

132 Host Attribute Enumeration

System Requirements

Display Settings
Minimum screen resolution: 1440 x 1024

Supported Browsers
Tenable Vulnerability Management supports the latest versions of the following browsers.

Note: Before reporting issues with Tenable Vulnerability Management, ensure your browser is up to date.

• Google Chrome

• Apple Safari

• Mozilla Firefox

• Microsoft Edge

Note: Tenable Vulnerability Management is not supported on mobile browsers.

Sensor Connection Requirements


Tenable Vulnerability Management requires access to specific addresses and ports for inbound and
outbound traffic with scanners and agents:

• 162.159.129.83/32

• 162.159.130.83/32

• 162.159.140.26/32

• 172.66.0.26/32

• 2606:4700:7::1a

• 2a06:98c1:58::1a

• 2606:4700:7::a29f:8153

• 2606:4700:7::a29f:8253

• *.cloud.tenable.com with the wildcard character (*) to allow cloud.tenable.com and all
subdomains, such as sensor.cloud.tenable.com

Tip: For information about the port requirements for Tenable Security Center, Tenable Nessus
scanners, and Tenable Nessus Agents, see the following topics:
• Tenable Security Center Port Requirements
• Tenable Nessus Port Requirements
• Tenable Nessus Agent Port Requirements
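
One way to check firewall or proxy logs against the address list above, as an added Python example (not Tenable code): the matcher accepts the documented addresses and cloud.tenable.com with its subdomains on a label boundary, so look-alike hostnames do not pass. The log format, the sample lines, and the function names are constructed for the example.

```python
import ipaddress

# Addresses and the wildcard domain are copied from the list above.
# This section of the page lists no port numbers, so ports are not checked.
REQUIRED_NETS = [ipaddress.ip_network(n) for n in (
    "162.159.129.83/32", "162.159.130.83/32", "162.159.140.26/32",
    "172.66.0.26/32", "2606:4700:7::1a", "2a06:98c1:58::1a",
    "2606:4700:7::a29f:8153", "2606:4700:7::a29f:8253",
)]
REQUIRED_DOMAIN = "cloud.tenable.com"   # from "*.cloud.tenable.com"


def is_sensor_destination(dest):
    """Return True if dest (IP literal or hostname) is on the documented list."""
    try:
        addr = ipaddress.ip_address(dest.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        # Parsed addresses compare by value, so expanded IPv6 forms match too.
        return any(addr in net for net in REQUIRED_NETS)
    # Hostname: normalise case and a trailing root dot, then match on a label
    # boundary. A bare suffix test would accept "notcloud.tenable.com".
    host = dest.lower().rstrip(".")
    return host == REQUIRED_DOMAIN or host.endswith("." + REQUIRED_DOMAIN)


def audit_egress(log_lines, sensor_ips):
    """Return (required destinations that were denied, allowed unlisted ones).

    Each line is "<source> <destination> <ALLOW|DENY>" (constructed format).
    The second list is for review only: it shows what else the rule set lets
    sensor hosts reach on this egress path.
    """
    blocked_required, allowed_unlisted = [], []
    for line in log_lines:
        src, dst, action = line.split()
        if src not in sensor_ips:
            continue
        listed = is_sensor_destination(dst)
        if listed and action == "DENY":
            blocked_required.append(dst)
        elif not listed and action == "ALLOW":
            allowed_unlisted.append(dst)
    return blocked_required, allowed_unlisted


# Constructed sample: 10.1.1.10 is a hypothetical scanner host.
SAMPLE_LOG = [
    "10.1.1.10 sensor.cloud.tenable.com ALLOW",
    "10.1.1.10 162.159.140.26 DENY",
    "10.1.1.10 2606:4700:7:0:0:0:a29f:8153 ALLOW",
    "10.1.1.10 cloud.tenable.com.example.net ALLOW",
    "10.1.1.10 notcloud.tenable.com ALLOW",
    "10.9.9.9 198.51.100.7 ALLOW",
]
```

Calling `audit_egress(SAMPLE_LOG, {"10.1.1.10"})` reports the denied required address first and the two look-alike hostnames second.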

Log in to Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: If you bookmark a Tenable Vulnerability Management page within your browser, you must still log in
before accessing the bookmarked page.
In some cases, you may also need to navigate through the Workspace page and navigate to the Tenable
Vulnerability Management application before accessing the bookmarked page.

Before you begin:


• Obtain credentials for your Tenable Vulnerability Management user account.

Note: If you are an administrator logging in to your Tenable Vulnerability Management instance for
the first time, Tenable provides your first-time credentials during setup. After you log in for the first
time, you can set your new password. If you are logging in to Tenable Vulnerability Management after
initial setup, your username is the email address you used to register for your Tenable Vulnerability
Management account.

• Review the System Requirements in the General Requirements User Guide and confirm that
your computer and browser meet the requirements.

Note: If your account is configured to use SAML, you can log in to Tenable Vulnerability Management
directly through your SAML provider. For more information, see SAML.

To log in to Tenable Vulnerability Management:

1. In a supported browser, navigate to https://cloud.tenable.com.

The Tenable Vulnerability Management login page appears.

2. In the username box, type your Tenable Vulnerability Management username.

3. In the password box, type the Tenable Vulnerability Management password you created during
registration.

4. (Optional) To retain your username for later sessions, select the Remember Me check box.

5. Click Sign In.

The Tenable Vulnerability Management Workspace page appears.

Note: Tenable Vulnerability Management logs you out after a period of inactivity (typically, 30
minutes).

CVSS vs. VPR


Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the
Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated
for a vulnerability associated with the plugin.
For Tenable Lumin-specific information about VPR and the other Tenable Lumin metrics, see
Tenable Lumin Metrics.

CVSS

Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved
from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS
scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the
CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors, Tenable
independently calculates the Risk Factor.

Tenable Vulnerability Management imports a CVSS score every time a scan sees a vulnerability.

CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

Tenable Vulnerability Management analysis pages provide summary information about
vulnerabilities using the following CVSS categories. For more information about the icons used for
each severity, see Vulnerability Severity Indicators.

Severity | CVSSv2 Range | CVSSv3 Range | CVSSv4 Range

Critical | The plugin's highest vulnerability CVSSv2 score is 10.0. | The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0. | The plugin's highest vulnerability CVSSv4 score is between 9.0 and 10.0.

High | The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. | The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9. | The plugin's highest vulnerability CVSSv4 score is between 7.0 and 8.9.

Medium | The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. | The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9. | The plugin's highest vulnerability CVSSv4 score is between 4.0 and 6.9.

Low | The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9. | The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9. | The plugin's highest vulnerability CVSSv4 score is between 0.1 and 3.9.

Info | The plugin's highest vulnerability CVSSv2 score is 0. - or - The plugin does not search for vulnerabilities. | The plugin's highest vulnerability CVSSv3 score is 0. - or - The plugin does not search for vulnerabilities. | The plugin's highest vulnerability CVSSv3 score is 0. - or - The plugin does not search for vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin
and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability
Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS
scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a
custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Video: Vulnerability Priority Rating in Tenable Vulnerability Management

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many
vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these
vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:

• The Tenable-provided Vulnerability Management Overview dashboard

• The Vulnerabilities by Plugin plane

• The Vulnerabilities by Plugin (Classic) page

VPR Key Drivers

You can view the following key drivers to explain a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver | Description

Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability.

CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.

Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Threat Recency | The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

• An exploit of the vulnerability

• A posting of the vulnerability exploit code in a public repository

• A discussion of the vulnerability in mainstream media

• Security research about the vulnerability

• A discussion of the vulnerability on social media channels

• A discussion of the vulnerability on the dark web and underground

• A discussion of the vulnerability on hacker forums

Vulnerability Severity Indicators


Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

The Tenable Vulnerability Management interface uses different icons for each severity category and
accepted or recasted status.

Icon Category And

Critical You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Critical.

High You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to High.

Medium You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Medium.

Low You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Low.

Info You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Info.

Vulnerability Mitigation
Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed.
When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability
remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the
Fixed category.

Active Vulnerabilities

Active vulnerabilities are any vulnerabilities in the New, Active, or Resurfaced states. For more
information, see Vulnerability States.

Fixed Vulnerabilities
The Fixed category contains vulnerabilities that Tenable Vulnerability Management determines are
not vulnerable, based on the scan definition, the results of the scan, and authentication
information. To be considered for mitigation, a vulnerability must be active and successfully
authenticated.

A vulnerability is mitigated when:

• The vulnerability's IP address or another combination of identifying attributes (IAs) is on the
scan's target list. For more information on IAs, see the Tenable Community.

• The vulnerability's plugin ID is listed in the scan policy.

• The vulnerability's port is on the list of scanned ports.

• A vulnerability with that combination of IP address, port, protocol, and plugin ID is not listed in
the scan results.

Mitigation Exceptions
Note the following exceptions for vulnerability mitigation:

• Vulnerabilities identified during a thorough scan by a plugin with the thorough_tests attribute
can only be mitigated by another thorough scan.

• Vulnerabilities identified during a paranoid scan by a plugin with the requires_paranoid_scanning
attribute can only be mitigated by another paranoid scan.

• Vulnerabilities discovered by a local or combined plugin reported on port 0 or 445 via a
credential scan can only be mitigated by another credential scan.

• The list of scanned ports can be expanded to “all” ports when one of the following plugins
triggered the host: 14272 (SSH netstat), 34220 (WMI netstat), 14274 (SNMP).

• Agent scans cannot mitigate vulnerabilities discovered by a combined type plugin reported on
a remote port (not 0/445).

Vulnerability States

Tenable assigns a state to vulnerabilities detected on your network. You can track and filter by
vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.
To filter for vulnerabilities by their state, use the Findings workbench.

Vulnerability State | Description

New | Indicates that Tenable Vulnerability Management detected the vulnerability once.

Active | Indicates that Tenable Vulnerability Management detected the vulnerability more than once. Note: When you filter for Active vulnerabilities, Tenable Vulnerability Management also returns New vulnerabilities. For filtering purposes, New is a subcategory of Active.

Fixed | Indicates that Tenable Vulnerability Management detected the vulnerability on a host, but no longer detects it. Note: To view Fixed vulnerabilities by date range, use the Last Fixed filter.

Resurfaced | Indicates that Tenable Vulnerability Management previously marked the vulnerability as Fixed, but has detected it again. When a vulnerability is Resurfaced, it remains in this state until a scan identifies the vulnerability as remediated. Then, the vulnerability returns to Fixed.

Note: The API uses different terms for vulnerability states than the user interface. In the API, the new and
active states are both labeled as open. The resurfaced state is labeled as reopened. The fixed state is the
same.
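
The mitigation conditions and exceptions under Vulnerability Mitigation and the state transitions in the table above can be replayed over a scan history to see why a finding did or did not move to Fixed. This is an added Python example, not Tenable's implementation; the Finding and Scan classes, their field names, plugin ID 900001, and the sample addresses are assumptions made for the example, and the "successfully authenticated" precondition is not modelled.

```python
from dataclasses import dataclass

# Port-enumeration plugins named on the page: SSH netstat, WMI netstat, SNMP.
NETSTAT_PLUGINS = {14272, 34220, 14274}
# UI state -> API term, from the note under the Vulnerability States table.
API_STATE = {"New": "open", "Active": "open",
             "Resurfaced": "reopened", "Fixed": "fixed"}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    protocol: str
    plugin_id: int
    plugin_type: str = "remote"     # "remote", "local" or "combined"
    needs_thorough: bool = False    # thorough_tests plugin, thorough scan
    needs_paranoid: bool = False    # requires_paranoid_scanning plugin
    via_credentials: bool = False   # reported via a credential scan

    @property
    def key(self):
        return (self.ip, self.port, self.protocol, self.plugin_id)


@dataclass
class Scan:
    targets: set
    policy_plugins: set
    scanned_ports: set
    results: set                    # {(ip, port, protocol, plugin_id)}
    thorough: bool = False
    paranoid: bool = False
    credentialed: bool = False
    agent: bool = False


def can_mitigate(f, scan):
    """True when this scan's silence about f counts as evidence of a fix."""
    # The port list widens to "all" if a port enumerator fired on the host.
    all_ports = any(ip == f.ip and pid in NETSTAT_PLUGINS
                    for ip, _port, _proto, pid in scan.results)
    covered = (f.ip in scan.targets
               and f.plugin_id in scan.policy_plugins
               and (all_ports or f.port in scan.scanned_ports)
               and f.key not in scan.results)
    if not covered:
        return False
    # Exceptions: the follow-up scan must match how the finding was made.
    if f.needs_thorough and not scan.thorough:
        return False
    if f.needs_paranoid and not scan.paranoid:
        return False
    local_port = f.port in (0, 445)
    if (f.plugin_type in ("local", "combined") and local_port
            and f.via_credentials and not scan.credentialed):
        return False
    if scan.agent and f.plugin_type == "combined" and not local_port:
        return False
    return True


def next_state(state, f, scan):
    """Advance the UI state after one scan (None means never detected)."""
    if f.key in scan.results:
        if state is None:
            return "New"
        return "Resurfaced" if state in ("Fixed", "Resurfaced") else "Active"
    # Only an active finding that the scan could have seen moves to Fixed.
    if state in ("New", "Active", "Resurfaced") and can_mitigate(f, scan):
        return "Fixed"
    return state


def replay(f, scans):
    states, state = [], None
    for scan in scans:
        state = next_state(state, f, scan)
        states.append(state)
    return states


def sample_history():
    """Constructed data: plugin ID 900001 and the addresses are placeholders."""
    f = Finding("10.0.0.5", 445, "tcp", 900001, "combined", via_credentials=True)
    base = dict(targets={"10.0.0.5"}, policy_plugins={900001}, scanned_ports={445})
    other_host = {**base, "targets": {"10.0.0.9"}}
    hit, miss = {f.key}, set()
    return f, [
        Scan(results=hit, credentialed=True, **base),    # first detection
        Scan(results=hit, credentialed=True, **base),    # detected again
        Scan(results=miss, **base),                      # no credentials
        Scan(results=miss, credentialed=True, **base),   # absent, comparable
        Scan(results=hit, credentialed=True, **base),    # detected after Fixed
        Scan(results=miss, credentialed=True, **other_host),  # not targeted
        Scan(results=miss, credentialed=True, **base),   # absent again
    ]
```

Calling `replay(*sample_history())` shows the finding staying Active after the uncredentialed scan and staying Resurfaced after the scan that did not target the host.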

Log Out of Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To log out of Tenable Vulnerability Management:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Click Sign Out.

Navigate Tenable Vulnerability Management


Tenable Vulnerability Management includes several helpful shortcuts and tools that highlight
important information and help you to navigate the user interface more efficiently:

Quick Actions Menu

The quick actions menu displays a list of the most commonly performed actions.

To access the quick actions menu:

1. In the upper-right corner, click the Quick Actions button.

The quick actions menu appears.

2. Click a link to begin one of the listed actions.

Resource Center

The Resource Center displays a list of informational resources including product announcements,
Tenable blog posts, and user guide documentation.

To access the Resource Center:

1. In the upper-right corner, click the button.

The Resource Center menu appears.

2. Click a resource link to navigate to that resource.

Notifications

In Tenable Vulnerability Management, the Notifications panel displays a list of system notifications.
The button shows the current number of unseen notifications. When you open the Notifications
panel, Tenable Vulnerability Management marks those notifications as seen. Once you have seen a
notification, you can clear it to remove it from the Notifications panel.

Note: Tenable Vulnerability Management groups similar notifications together.

To view notifications:

• In the upper-right corner, click the button.

The Notifications panel appears and displays a list of system notifications.

In the Notifications panel, you can do the following:

  ◦ To clear one notification, next to the notification, click the button.
  ◦ To expand a group of notifications, at the bottom of the grouped notification, click More
    Notifications.
  ◦ To collapse an expanded group of notifications, at the top of the expanded notifications,
    click Show Less.
  ◦ To clear an expanded group of notifications, at the top of the expanded notifications,
    click Clear Group.
  ◦ To clear all notifications, at the bottom of the panel, click Clear All.

Settings Icon

Click the button to navigate directly to the Settings page, where you can configure your system
settings.

Workspace

When you log in to Tenable, the Workspace page appears by default. On the Workspace page, you
can switch between your Tenable applications or set a default application to skip the Workspace
page in the future. You can also switch between your applications from the Workspace menu,
which appears in the top navigation bar.

Important: Tenable disables application tiles for expired applications. Tenable removes expired application
tiles from the Workspace page and menu 30 days after expiration.

Open the Workspace Menu

To open the Workspace menu:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. Click an application tile to open it.

View the Workspace Page


To view the Workspace page:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. In the Workspace menu, click Workspace.

The Workspace page appears.

Set a Default Application


When you log in to Tenable, the Workspace page appears by default. However, you can set a default
application to skip the Workspace page in the future.

By default, users with the Administrator, Scan Manager, Scan Operator, Standard, and Basic roles can set
a default application. If you have another role, contact your administrator and request the Manage
permission under My Account. For more information, see Custom Roles.

To set a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to choose, click the button.

A menu appears.

3. In the menu, click Make Default Login Page.

This application now appears when you log in.

Remove a Default Application


To remove a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to remove, click the button.

A menu appears.

3. Click Remove Default Login Page.

The Workspace page now appears when you log in.

User Account Menu

The user account menu provides several quick actions for your user account.

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Do one of the following:

• Click My Profile to configure your own user account. You navigate directly to the My
Account settings page. See My Account for more information.

• Click Sign out to sign out of Tenable Vulnerability Management.

• Click What's new to navigate directly to the Tenable Vulnerability Management Release
Notes.

• Click View Documentation to navigate directly to the Tenable Vulnerability Management
User Guide documentation.

For additional information about navigating the Tenable Vulnerability Management interface, see
the following topics:

Navigate Breadcrumbs

Navigate Planes

Tenable Vulnerability Management Tables

Navigate Breadcrumbs
In the Tenable Vulnerability Management interface, certain pages display breadcrumbs in the top
navigation bar. From left to right, the breadcrumbs show the path of pages you visited to reach your
current page:

To navigate breadcrumbs:
• In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Navigate Planes
Tenable Vulnerability Management combines fixed pages with overlapping planes.

To navigate planes in the new interface:

1. Access a plane using one of the following methods:

• Click a widget on a dashboard.

• Use the left navigation plane as follows:
  a. In the upper-left corner, click the button.

     The left navigation plane appears.

  b. In the left navigation plane, click a menu option.

With the exception of the left navigation plane, planes open from the right side of the screen.

2. Manipulate a plane using the following buttons at the left edge of the plane:

Button Short Name Action

expand Expand a plane. Some planes can expand to full screen.

retract Retract an expanded plane to its default size.

close Close a plane.

expand preview Expand a preview plane.

retract preview Retract an expanded plane to the preview plane.

3. Return to a previous plane or page (and close a new plane or planes) by clicking the previous
plane.

Tenable Vulnerability Management Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management Workbench Tables


Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section. These tables feature search and navigational
capabilities. They also include the ability to drag and drop columns in any order, change column
width, and sort the data in multiple columns at one time. For more information, see Tenable
Vulnerability Management Workbench Tables.

Explore Tables
Explore tables are any tables within the Explore section in the Tenable Vulnerability Management
user interface. They include many of the features of Tenable Vulnerability Management Workbench
tables, but include additional customization and filtering capabilities. For more information, see
Filter Findings or Assets.

Tenable Vulnerability Management Workbench Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: Customizable tables also include the ability to access the actions buttons by right-clicking a table
row. To access your browser menu, press the Ctrl key and right-click.

Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section.

To interact with a Tenable Vulnerability Management workbench table:

1. View a workbench table.

2. Do any of the following:

   • Navigate the table:

      ◦ To adjust the sort order, click a column title.

        Tenable Vulnerability Management sorts all pages of the table by the data in the column you selected.

      ◦ In Tenable Vulnerability Management, to increase or decrease the number of rows displayed per page, click Results per page and select a number.

        Tenable Vulnerability Management refreshes the table.

      ◦ To view all action buttons available in a table row, click the button.

        This button appears instead of individual action buttons if 5 or more actions are possible for the row.

      ◦ To navigate to another page of the table, click the arrows:

Button Action

Navigate to the first page of the table.

Navigate to the previous or next page of the table.

Navigate to the last page of the table.

Note: Due to limitations, the total number of findings is not always known past the 1000
limit. In this case, the table may display a modified interface, changes in pagination
labeling, and a disabled last page navigation button.

   • Search the table:

     In the new interface, a search box appears above individual tables in various pages and planes. In some cases, the search box appears next to the Filters box.

      a. In the Search box, type your search criteria.

         Your search criteria depend on the type of data in the table you want to search.

      b. Click the button.

         Tenable Vulnerability Management filters the table by your search criteria.

   • To change the column order, drag and drop a column header to another position in the table.

   • Remove or add columns:

      a. Roll over any column.

         The button appears in the header.

      b. Click the button.

         A column selection box appears.

      c. Select or clear the check box for any column you want to show or hide in the table.

         Tip: Use the search box to quickly find a column name.

         The table updates based on your selection.

   • Adjust column width:

      a. Roll over the header between two columns until the resize cursor appears.

      b. Click and drag the column width to the desired width.

         Tip: To automatically resize a column to the width of its content, double-click the right side of the column header.

   • To sort data in the table, click a column header.

     Tenable Vulnerability Management sorts all pages of the table by the data in the column you selected.

   • To sort data in the table by multiple columns, press Shift and click one or more column headers.

     Note: Not all tables or columns support sorting by multiple columns.

     Tenable Vulnerability Management sorts all pages of the table in the order in which you selected the columns.

Filter a Table

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, a Filters box appears above individual tables in various pages
and planes.

To filter a table:

1. Next to Filters, click the button.

The filter settings appear.

2. (Optional) In Tenable Vulnerability Management, to quick-select filters, click Select Filters.

A drop-down list appears.

a. In the drop-down list, search for the filter you want to apply.

The list updates based on your search criteria.

b. Select the check box next to the filter or filters you want to apply.

The selected filters appear in the filter section.

3. In the Select Category drop-down box, select an attribute.

For example, you might select Severity if filtering findings or Asset ID if filtering assets.

4. In the Select Operator drop-down box, select an operator.

Note: When using the contains or does not contain operators, use the following best practices:

   • For the most accurate and complete search results, use full words in your search value.
   • Do not use periods in your search value.
   • Remember that when filtering assets, the search values are case sensitive.
   • Where applicable, Tenable recommends using the contains or does not contain instead of the is equal to or is not equal to operators.

5. In the Select Value box, do one of the following, depending on the value type:

   • Text: Type the value on which you want to filter.

     An example of the expected input is present in the box until you start typing. If what you type is invalid for the attribute, a red outline appears around the text box.

   • Single valid value: If a default value is associated with the attribute, Tenable Vulnerability Management selects the default value automatically.

     To change the default value, or if there is not an associated default value present:

      a. Click the box to display the drop-down list.

      b. Search for and select one of the listed values.

   • Multiple valid values: To select one or more values:

      a. Click the box to display the drop-down list.

      b. Search for and select a value.

         The selected value appears in the box.

      c. Repeat until you have selected all appropriate values.

      d. Click outside the drop-down list to close it.

     To deselect values:

      a. Roll over the value you want to remove.

         The button appears over the value.

      b. Click the button.

         The value disappears from the box.

6. (Optional) In the lower-left corner of the filter section:

   • To add another filter, click the Add button.

   • To clear all filters, click the Reset Filters button.

7. Click Apply.

Tenable Vulnerability Management applies your filter or filters to the table.

8. (Optional) Save your filter or filters for later use.

9. (Optional) Clear the filters you applied:

a. In the table header, click Clear All Filters.

Tenable Vulnerability Management clears all filters from the table, including saved
searches.

Note: Clearing filters does not change the date range selected in the upper-right corner of the
page. For more information, see Tenable Vulnerability Management Tables.

Get Started with Tenable Lumin


You can use Tenable Lumin to quickly and accurately assess your risk and compare your health and
remediation performance to other Tenable customers in your Salesforce industry and the larger
population. Tenable Lumin correlates raw vulnerability data with asset business criticality and
threat context data to support faster, more targeted analysis workflows than traditional
vulnerability management tools.

Tenable recommends the following to get started with Tenable Lumin data and functionality.

License and Enable


Acquire a Tenable Lumin license and enable Tenable Lumin in Tenable Vulnerability Management.

1. To add Tenable Lumin to your Tenable Vulnerability Management license, contact your
Tenable representative.

2. In your browser, disable features that may prevent you from enabling Tenable Lumin:

   • Ad blocker extensions

   • Do Not Track (Mozilla Firefox, Google Chrome, Apple Safari, or Microsoft Internet Explorer)

   • Protected Mode (Microsoft Internet Explorer)

Tip: You can re-enable these features after you fully enable Tenable Lumin.

3. Log in to Tenable Vulnerability Management, as described in Log In to Tenable Lumin.

The Tenable Lumin welcome window appears.

4. Follow the wizard to enable Tenable Lumin.

The Lumin dashboard appears.

Prepare
Generate data and learn about Tenable Lumin terminology.

Tenable Vulnerability Management Only

1. Run an authenticated assessment scan in Tenable Vulnerability Management to generate vulnerability data.

   Note: You must run scans to start seeing data in Tenable Lumin views; Tenable Lumin shows scan result data generated after you licensed Tenable Lumin. For more information, see Tenable Lumin Data Timing.

   Note: Tenable Lumin does not support third-party integration data.

2. Create tags in Tenable Vulnerability Management to add business context to your assets.

3. Review the metrics terminology to understand Vulnerability Priority Rating (VPR) and Asset Criticality Rating (ACR) values and how they impact your Asset Exposure Score (AES), Assessment Maturity grade, and Cyber Exposure Score (CES).

4. Allow sufficient time for your metrics to calculate. For more information, see Tenable Lumin Data Timing.

Tenable Security Center + Tenable Vulnerability Management Tenable Lumin

1. Sync repositories to Tenable Lumin from Tenable Security Center. All vulnerability data is synced immediately.

   Note: Tenable Lumin does not support third-party integration data.

2. Create assets in Tenable Security Center to add business context to your assets.

3. Configure Tenable Security Center to Tenable Lumin synchronization.

   Allow sufficient time for the synchronization to complete. For more information, see Tenable Lumin Data Timing.

4. View your assets as business context tags in Tenable Vulnerability Management. For more information, see Manage Asset Tags.

5. Review the metrics terminology to understand Vulnerability Priority Rating (VPR) and Asset Criticality Rating (ACR) values and how they impact your Asset Exposure Score (AES), Assessment Maturity grade, and Cyber Exposure Score (CES).

6. Allow sufficient time for your metrics to calculate. For more information, see Tenable Lumin Data Timing.

Assess Your Exposure


Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Review your CES and perform vulnerability management analysis.

1. Use the Tenable Lumin dashboard to understand your CES and access details pages.

   • Cyber Exposure Score widget — How does your overall risk compare to other Tenable customers in your Salesforce industry and the larger population?

   • Cyber Exposure Score Trend widget — How has the overall risk for your entire organization changed over time?

   • Assessment Maturity widget — How frequently and thoroughly are you scanning your assets?

   • Remediation Maturity widget — How quickly and thoroughly are you remediating vulnerabilities on your assets?

   • Reduce Cyber Exposure Score widget — What would the impact be if you addressed all of your top 20 recommended actions?

   • Asset Criticality Rating Breakdown widget — How critical are your assets?

   • Asset Scan Distribution widget — What types of scans have run on your assets?

   • Mitigations widget — What endpoint protection agents are running on your assets?

   • Cyber Exposure Score by Business Context/Tag widget — How do assets with different tags (unique business context) compare?

2. To browse the most critical vulnerabilities on your network, sort your vulnerabilities by VPR.

3. To browse the most critical assets on your network, sort your assets by ACR.

Customize Your ACR Values


Review the Tenable-provided ACR values and customize them to reflect the unique infrastructure or
concerns of your organization.

1. Use the Assets page to review the Tenable-provided ACR values for your assets.

   • Do any of your assets have ACR values that seem too high for the relative criticality of that asset?

   • Do any of your assets have ACR values that seem too low for the relative criticality of that asset?

2. If necessary, manually customize your asset ACR values.

Lower Your CES and AES


You must address vulnerabilities on your network to lower your CES and AES.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see
Findings.

1. View lists of Tenable-recommended action items:

   • Top recommended actions for all assets on your network.

     Export your top recommended actions, as necessary.

   • All solutions on your network.

     Export your solutions, as necessary.

2. Follow the recommendations and take steps to address the vulnerabilities on your network.

Mature
Mature your vulnerability management strategy.

• Continue monitoring and addressing vulnerabilities to lower your CES and AES.

• Continue exporting and sharing recommended actions (solutions) data with others in your organization to refine your vulnerability management strategy.

Error Messages
For Tenable Vulnerability Management API status codes, see the Tenable Developer Portal.

Scanning
The following table describes the scanning error messages that may appear in Tenable Vulnerability
Management.

Some scanning errors occur when you exceed the following Tenable Vulnerability Management
scanning limitations:

Scan Limitations

The following table describes scanning limitations in Tenable Vulnerability Management:

| Limitation | Description |
|---|---|
| Targeted IP addresses or hostnames per assessment scan | Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with a single assessment scan (for more information, see Discovery Scans vs. Assessment Scans). The host target limit is 10 times your organization's licensed asset count. For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability Management does not allow you to target more than 10,000 hostnames or IP addresses in a single assessment scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan. |
| Targeted IP addresses or hostnames per discovery scan | Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with a single discovery scan (for more information, see Discovery Scans vs. Assessment Scans). The host target limit is 1,000 times your organization's licensed asset count. For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability Management does not allow you to target more than 1,000,000 hostnames or IP addresses in a single discovery scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan. |
| Host scan results per scan | Tenable Vulnerability Management limits the number of live hosts for which a single scan can generate scan results. The live host scan results limit is 1.1 times your organization's licensed asset count. For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability Management does not allow you to generate scan results for more than 1,100 live hosts from a single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan. Tenable Vulnerability Management does not apply the live host scan result limit to discovery scans. Tenable Vulnerability Management also limits the number of dead hosts for which a single scan can generate scan results. The dead host scan results limit is 100 times your organization's licensed asset count. For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability Management does not allow you to generate scan results for more than 100,000 dead hosts from a single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan. |
| Targeted IP addresses or ranges per scan | You cannot specify more than 300,000 comma-separated IP addresses or ranges when configuring a scan’s targets. |
| Active scans | You cannot have more than 25 scans running in your container simultaneously. |
| Scan chunks | Tenable Vulnerability Management limits scan chunks to 10,000 hosts or 150,000 findings. If a scan chunk exceeds either value, Tenable Vulnerability Management does not process the scan and eventually aborts it. Note: This limits items like MDM assessments, importing Nessus files, and very large Auto Discovery scenarios like VMware to individual scans with fewer than 10,000 assessed targets. |
| Scan configurations | Tenable Vulnerability Management limits the number of scan configurations you can create to 10,000 scans. Tenable recommends re-using scheduled scans instead of creating new scans. This approach helps to avoid latency issues in the user interface. |

For more information about creating, modifying, and launching scans, see Manage Scans. For more
information about scan status values, see Scan Status.
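
The target-count limits above can be checked before a scan is launched, which avoids an aborted scan. The following Python sketch is an added example, not Tenable code; the names `preflight` and `count_hosts` are hypothetical, and the accepted target syntax (single IP, CIDR block, "start-end" range, hostname) is an assumption rather than something this page specifies.

```python
"""Pre-flight check of a scan target list against the Scan Limitations table."""
import ipaddress
from dataclasses import dataclass, field

# Multipliers and caps as stated in the Scan Limitations table on this page.
TARGET_MULTIPLIER = {"assessment": 10, "discovery": 1000}  # x licensed asset count
MAX_TARGET_ENTRIES = 300_000  # comma-separated IP addresses or ranges per scan


@dataclass
class Preflight:
    entries: int = 0  # comma-separated items in the target string
    hosts: int = 0    # addresses and hostnames those items expand to
    errors: list = field(default_factory=list)    # would be rejected or aborted
    warnings: list = field(default_factory=list)  # depends on how many hosts respond


def count_hosts(entry: str) -> int:
    """Return how many hosts one target entry covers.

    Assumed syntax (not specified on this page): single IP, CIDR block,
    "start-end" IP range, or hostname. A CIDR count includes the network and
    broadcast addresses, so the total is a conservative upper bound.
    """
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    start, dash, end = entry.partition("-")
    try:
        low = ipaddress.ip_address(start.strip())
    except ValueError:
        return 1  # not an IP address: count as one hostname (e.g. web-01.example.com)
    if not dash:
        return 1
    high = ipaddress.ip_address(end.strip())  # raises ValueError on a malformed end
    if low.version != high.version or int(high) < int(low):
        raise ValueError("range end precedes range start or mixes IP versions")
    return int(high) - int(low) + 1


def preflight(targets: str, licensed_assets: int, scan_type: str = "assessment") -> Preflight:
    """Compare a comma-separated target string with the documented limits."""
    result = Preflight()
    for raw in targets.split(","):
        entry = raw.strip()
        if not entry:
            continue
        result.entries += 1
        try:
            result.hosts += count_hosts(entry)
        except ValueError as exc:
            result.errors.append(f"invalid target {entry!r}: {exc}")

    if result.entries == 0:
        result.errors.append("no targets configured")
    if result.entries > MAX_TARGET_ENTRIES:
        result.errors.append(
            f"{result.entries} target entries exceed the cap of {MAX_TARGET_ENTRIES}")

    host_limit = TARGET_MULTIPLIER[scan_type] * licensed_assets
    if result.hosts > host_limit:
        result.errors.append(
            f"{result.hosts} targeted hosts exceed the {scan_type} limit of {host_limit}")

    # Live host results are capped at 1.1 x licensed assets; the page states this
    # cap does not apply to discovery scans. Integer math avoids float rounding.
    live_limit = licensed_assets * 11 // 10
    if scan_type == "assessment" and result.hosts > live_limit:
        result.warnings.append(
            f"scan aborts if more than {live_limit} of {result.hosts} targets are live")
    return result


if __name__ == "__main__":
    # Constructed sample: documentation address ranges and a made-up hostname.
    sample = "10.0.0.0/19, 192.0.2.1-192.0.2.200, web-01.example.com"
    for kind in ("assessment", "discovery"):
        report = preflight(sample, licensed_assets=1000, scan_type=kind)
        print(kind, report)
```

The entry cap counts comma-separated items while the license-based limits count the hosts those items expand to, so a single large CIDR block can pass the first check and fail the second.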

| Warning | Message | Recommended Action |
|---|---|---|
| Account Target Limit | The target count exceeds the limit for this account. Please contact customer support to upgrade your license. | You reached the maximum scan target limit. To increase your scan target limit by upgrading your license, contact Tenable Support. |
| Agent Group Error | Unexpected error retrieving the agent groups. | |
| Agent Group Permissions | The owner does not have access to all of the configured agent groups. | You do not have access to all the agent groups selected for this scan. Select the correct groups. For more information, see Agent Groups. |
| Agent Scan Indexing Error | Tenable Vulnerability Management aborted a scan task after an unexpected error during indexing. You may need to re-scan the agent: [agent name]. | Re-scan the affected agent. |
| All Inactive Scanners | All targets were routed to scanner groups with no active scanners. | |
| All Scans Aborted | All active scans were aborted. | Tenable Vulnerability Management aborted the scan due to a system abort request. Re-run the scan. |
| Auto Routed Custom Targets | Custom scan targets are not currently supported for auto routed scans. | Select a specific scanner to run scans on custom targets. |
| Auto Routing Disabled | The scan is configured for auto routing, but that feature is not enabled. | |
| Concurrent Scan Limit | Concurrent scan limit reached for this account. Please contact customer support to upgrade your license. | You reached the maximum concurrent scan limit. Re-run the scan later. |
| Concurrent Scan Limit Reached | Scan could not be completed: concurrent scan limit reached for this account. Please contact customer support to upgrade your license. | You reached the maximum concurrent scan limit. Re-run the scan later. |
| Conflict | Transition for indexing to pausing not supported. | The scan is completed and is now in the process of indexing. Wait for the indexing to complete. |
| Empty Scanner Group | The scan is configured to use a scanner group with no assigned scanners. | Confirm the scanner group contains functioning scanners, then re-run the scan. For more information, see Scanner Groups. |
| Empty Targets | No targets are configured for the scan. | Confirm the scan configuration contains one or more valid targets, then re-run the scan. |
| Inactive Scanners | The scan is configured to use a scanner group with no active scanners. | Confirm the scanner group contains functioning scanners, then re-run the scan. For more information, see Scanner Groups. |
| Indexing Error | Unexpected error during task processing. Targets may need to be rescanned : [scan targets] | Re-run the scan for unscanned targets or targets that need to be re-scanned. |
| Initialization Error | Unexpected error during initialization. | Tenable Vulnerability Management aborted the scan. Re-run the scan. |
| Invalid AWS Targets | No valid AWS targets are configured for the scan. | Confirm the scan contains valid AWS scan targets and re-run the scan. For more information, see Targets. |
| Invalid PCI Scanner | The PCI scan can only be launched using Tenable Cloud Scanners | Use a Tenable cloud sensor to run a Tenable PCI ASV scan. For more information, see Cloud Sensors. |
| Invalid Tag Target | Failed to resolve a target FQDN or IP from an asset in the configured tags. | One or more assets in a tag configured for the scan requires an associated scan target. Confirm the tag configuration, then re-run the scan. For more information, see Tags. |
| Invalid Tag Rule As Target | Tags with the "Match All" filter can only have one rule for scans with the "Targets defined by tags" option enabled. Tag category: [tag category], Tag value: [tag value]. | Adjust your tag rules, then re-run the scan. |
| Invalid Target | Can't resolve target. | Confirm your scan includes valid scan targets, then re-run the scan. For more information, see Targets. |
| Invalid Target Range | An invalid target range is configured for the scan: [scan targets] | Correct or remove the invalid scan target range, then re-run the scan. For more information, see Targets. |
| Invalid Targets | No valid targets are configured for the scan. | Confirm the scan targets meet the following criteria: • IP addresses use a valid format • Use commas to separate lists of IP addresses • IP addresses in target groups use a valid format. For more information, see Targets and Target Groups. For more troubleshooting assistance, see the knowledge base article. |
| Job Initialization Error | Unexpected error during initialization. Please check the scan targets and settings for irregularities and contact support if the problem persists. | Re-run the scan. |
| Log4j DNS Failed Request | Unable to resolve DNS [scan target] to check Log4j Vulnerability. | Re-run the scan for unscanned targets or targets that need to be re-scanned. |
| Max Findings Error | The maximum number of findings was reached. | Review the Tenable Vulnerability Management scan limitations and adjust the scan configuration to produce an allowed number of findings. |
| Max Hosts Reached Error | Scan has exceeded the maximum number of allowed hosts. | Review the Tenable Vulnerability Management scan limitations and adjust the scan configuration to scan an allowed number of hosts. |
| Network Congestion Detected | Some network congestion was detected during the scan. This may indicate that one or more of the remote hosts are connected through a connection that does not have enough bandwidth to handle the network traffic generated while scanning. | To reduce the risk of congestion: • Reduce max hosts to a lower value • Increase the network read timeout in your policy |
| No Available Scanner | Unable to find a scanner that is able to run the scan. | Confirm you selected the correct scanner, then re-run the scan. |
| No Configured Agent Groups | The scan has no configured Agent Groups. | Add at least one Agent Group to the scan. |
| No Scan Policy | The scan must be configured with a scan policy. | The scan requires a scan policy. Configure a scan policy, then re-run the scan. |
| No Tag Targets | No valid targets were found from the configured tags. | |
| Notification Error | Notifications for this scan may not have been sent. | The scan completed, but failed to send a notification. |
| Owner Disabled | The owner of the scan is disabled. | Enable the owner of the scan or transfer ownership to an enabled user. For more information, see Permissions. |
| Paused Scan Timeout | Paused scan exceeded timeout of [maximum allowed pause] days. Some tasks were aborted. Targets may need to be rescanned. | The paused scan exceeded the maximum pause duration. Re-run the scan for all incomplete scan targets. |
| Pending Scan Timeout | The scan was unable to transition to running within the expected timeout. | Confirm the selected scanner group has sufficient capacity, then re-run the scan. For more information, see Scanner Groups. |
| Policy Permissions | The owner of the scan does not have access to the configured policy. | You do not have access to the scan policy for this scan. Re-run the scan with correct permissions. For more information, see Permissions. |
| Portscanner Max Ports Exceeded | Portscanners have found more than [number] ports open for target [target name], and the number of reported ports has been truncated to [number] (threshold controlled by scanner preference portscanner.max_ports). Usually this is due to intervening network equipment intercepting and responding to connection requests as a countermeasure against portscanning or other potentially malicious activity. | Since this negatively impacts both scan accuracy and performance, you may want to adjust your network security configuration to disable this behavior for vulnerability scans. |
| Processing Error | Unexpected error in processing. | Tenable Vulnerability Management aborted the scan. Re-run the scan. |
| Routed To Inactive Scanners | The following targets were routed to a scanner group with no active scanners: [scan targets] | Confirm the scanner group contains functioning scanners, then re-run the scan. For more information, see Scanner Groups. |
| Running Scan Timeout | The scan exceeded the maximum allowed runtime. | The scan may be taking too long to scan some scan targets. Re-run the scan. |
| Scan Aborted | Scan aborted because it stalled in initializing. | Tenable Vulnerability Management aborted the scan. Re-run the scan. |
| Scan Aborted | An error occurred while initializing the scan. | Tenable Vulnerability Management failed to initialize the scan. Re-run the scan. |
| Scan Aborted | Failed to obtain plugin set information from Tenable Nessus. | Tenable Vulnerability Management failed to download the plugin set. Re-run the scan. |
| Scan Aborted | The assigned scanner was not found. | Tenable Vulnerability Management could not find the selected scanner. Select a different scanner and re-run the scan. |
| Scan Extraction Error | An error occurred during the scan extraction. | |
| Scan Extraction Timeout Error | The scan extraction timed out. | |
| Scan Forbidden | Rejected attempt to scan [scan target], as it violates user-defined rules. | The scan target is excluded from scans. If you want to scan this target, remove it from the exclusion and re-run the scan. For more information, see Exclusions. Alternatively, you may not have the correct user permissions to run the scan. Check your user permissions and re-run the scan. For more information, see Permissions. |
| Scan Job Initialization Error | The scan could not be initialized. Please check the scan targets setting for irregularities and contact support if the problem persists. | Tenable Vulnerability Management failed to launch the scan. Re-run the scan with the correct scan target. For more information, see Targets. |
| Scanner Disabled | The assigned scanner is disabled. | A user disabled the selected scanner. Select a different scanner and re-run the scan. |
| Scanner Error | Unexpected error retrieving the assigned scanner. | |
| Scanner Group Error | Unable to load scanner group for scanner [scanner ID]. | Confirm the scan configuration contains one or more valid targets, then re-run the scan. |
| Scanner Interruptions | Due to detection of scanner interruptions during the scan, this scan might have run longer than expected. Scanner name: [scanner name] | This error occurs when a Tenable Nessus scanner is unable to complete a scan task, and Tenable Vulnerability Management reassigns the scan task to another scanner. This usually happens when the original scanner goes offline intentionally (for example, a user stops, powers off, or unlinks the scanner) or experiences an unexpected failure while completing the scan task (for example, power or network loss). Adjust the Tenable Nessus scanner as needed to prevent interruptions. |
| Scanner Not Found | The assigned scanner was not found. | Tenable Vulnerability Management could not find the selected scanner. Select a valid scanner and re-run the scan. |
| Scanner Permissions | The owner of the scan does not have access to the assigned scanner. | You do not have access to the selected scanner. Select a different scanner and re-run the scan. For more information, see Permissions. |
| Stalled Task | A task was automatically aborted after stalling on scanner. Targets may need to be rescanned: [scan targets] | Confirm the scanners are functioning properly and have enough capacity for your scans, then re-run the scan for unscanned targets or targets that need to be re-scanned. |
| Tag Not Found | Tenable Vulnerability Management could not process the tag. The tag either did not exist at the time of scanning or the user does not have access to the tag. Tag UUID: [tag uuid]. | Open the scan configuration in Tenable Vulnerability Management to automatically remove any tags that no longer exist. Save the scan configuration and re-run the scan. |
| Tag Targets Error | Failed to obtain tag targets associated with scan. | Tenable Vulnerability Management could not obtain the scan targets. Verify the targets and re-run the scan. For more information, see Targets. |
| Target Access Error | The owner of the scan does not have access to any configured targets. | You do not have the correct user permissions to run the scan. Check your user permissions and re-run the scan. For more information, see Permissions. |
| Target Group Permissions | The owner of the scan does not have access to all of the configured target groups. | Confirm the scan owner's permissions, then re-run the scan. For more information, see Target Groups. |
| Target Limit | The target count exceeds the maximum allowed for Tenable Vulnerability Management. | The scan target range is too large. Confirm the scan configuration includes a valid target range, then re-run the scan. For more information, see Targets. |
| Target Range Limit | A target range exceeds the maximum allowed targets: [scan targets] | Confirm or reduce the configured scan target range and re-run the scan. For more information, see Targets. |
| Targets Unable To Complete | The following targets are not able to complete scanning in the allowed scan time and will need to be rescanned: [scan targets] | Re-run the scan for unscanned targets or targets that need to be scanned again. |
| Task Initialization Error | Unexpected error during initialization. Targets may need to be rescanned: [scan targets] | Re-run the scan for unscanned targets or targets that need to be re-scanned. |
| Task Processing Error | Unexpected error in processing. Targets may need to be rescanned: [scan targets] | Re-run the scan for unscanned targets or targets that need to be re-scanned. |
| Transition Timeout | Some tasks stalled when being [resumed, paused, or stopped] and were aborted. Targets may need to be rescanned. | Failed to complete scan on some scan targets. Re-run the scan for all unscanned scan targets. |
| Unable To Route Targets | Unable to find a matching scanner route for the following targets: [scan targets] | Tenable Vulnerability Management could not find one or more scan targets specified in the scan configuration. Do the following, then re-run the scan: • Confirm the scan configuration specifies the correct network. • Confirm the scan routing configuration of the scanner groups in that network. |
| | The total number of scan configurations cannot exceed 10,000 | Review and remove any scan configurations that your organization no longer uses. |

Dashboards
Dashboards are interactive, graphical interfaces that often provide at-a-glance views of key
performance indicators (KPIs) relevant to a particular objective or business process.

The Dashboards page contains tiles that represent:

• Tenable-provided dashboards. For a complete index of Tenable-provided dashboard templates, see Tenable Vulnerability Management Dashboards.

  Note: Depending on your license, more dashboards are included. For example, the Tenable Lumin dashboard.

• Dashboards you have created. To create a template-based or custom dashboard with Tenable-provided or custom widgets, see Create a Dashboard.

• Dashboards that other users have shared with you. Click the Shared with Me tab to view dashboards that others have shared with you.

Vulnerability Management Dashboard


This Tenable-provided dashboard visualizes actionable insights for your vulnerability management
program. Tenable Vulnerability Management updates dashboard data every time you run a scan.

Note: There may be a delay between when a scan completes and when the dashboard data updates while
Tenable Vulnerability Management indexes the data.

To access the Vulnerability Management Overview dashboard:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Management.

The Vulnerability Management Overview dashboard appears.

You can roll over individual items to reveal additional information or click on items to drill down into
details behind the data.

Tip: All charts on the Vulnerability Management Overview show New, Active, and Resurfaced vulnerability
data. However, the counts or data displayed on each chart may differ for other reasons. For example, the
Vulnerability Priority Rating (VPR) widget organizes vulnerabilities by VPR category, but the Vulnerability
Trending widget graphs vulnerabilities by CVSS-based severity category. For more information about how
severity and VPR metrics compare, see CVSS vs. VPR.

In the Vulnerability Management Overview, you can interact with the following widgets:

Widget Action

Cyber Exposure News Feed
This widget highlights the most recent Tenable blog posts related to exposure incidents.
• Click on a tile to navigate to the Tenable blog post.
• Click the or button to collapse or expand the feed.
• Click the or button to scroll through the tiles.

Statistics
This widget summarizes the highest severity vulnerabilities on your network during the last 30 days.
• View a count of your total vulnerabilities and counts for the highest severity vulnerabilities (Critical and High) during the past 30 days.
• To view a list of vulnerabilities, click one of the counts.
  The Vulnerabilities page appears, filtered by a severity if you selected the Critical or High count. For more information, see View Vulnerabilities by Plugin.
• View a count of your total licensed assets, your assets discovered during the last 7 days, and your assets discovered during the last 30 days.
  If necessary, onboard your newly discovered assets.
• To view a list of assets, click one of the counts.
  The Assets page appears, filtered by a time range if you selected the 7 days or 30 days count. For more information, see View Asset Details.
• View a count of your scans run during the last 90 days and the percentage that succeeded and failed.
  To investigate your failed scans, review your scans with the status Aborted or Canceled. For more information, see View Scans.
• To export the data in the widget, click the button and select a format.

CISA Alerts AA22-011A and AA22-047A
This widget provides a vulnerability count of risks associated with the CISA Alerts AA22-011A and AA22-047A vulnerabilities that have been identified or mitigated.
• To view a list of related vulnerabilities by plugin, in the Vulnerabilities column, click one of the tiles.
  The Vulnerabilities page appears with results filtered by vulnerability state. For more information, see View Vulnerabilities by Plugin.
• To view a list of related vulnerabilities by asset, in the Assets column, click one of the tiles.
  The Vulnerabilities page appears, filtered by vulnerability state. For more information, see View Vulnerabilities by Asset.
• To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)
This widget summarizes the number of vulnerabilities on your network, organized by VPR. For more information, see CVSS vs. VPR.
• To view a list of vulnerabilities filtered by a VPR range, click one of the tiles.
  The Vulnerabilities page appears, filtered by the range you selected. For more information, see View Vulnerabilities by Plugin.
• To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age
This widget visualizes vulnerability counts by severity and by compliance with your Service Level Agreements (SLAs). To modify how Tenable Vulnerability Management calculates SLA severity, see General Settings.
• To view a list of vulnerabilities, click one of the tiles.
  The Vulnerabilities page appears, filtered by severity. For more information, see View Vulnerabilities by Plugin.
• To export the data in the widget, click the button and select a format.

Vulnerability Trending
This widget shows the cumulative number of Critical, High, Medium, and Low severity vulnerabilities on your network over time. For more information, see CVSS vs. VPR.
• To show or hide data for a severity, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.
• To view historical vulnerability count and severity data, roll over a point on the graph.
• To view a list of current vulnerabilities, click a point on the graph.
  The Vulnerabilities page appears, filtered by the severity you selected and by New, Active, or Resurfaced state. For more information, see View Vulnerabilities by Plugin.
• To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities
This widget summarizes the number of Critical and High severity vulnerabilities on your network, organized by exploitability characteristic category. A single vulnerability may have multiple exploitability characteristics and count towards multiple categories.
• To view the counts of your vulnerabilities by decreasing priority, view the categories and counts from left to right.
• To view a list of vulnerabilities, click one of the bars on the graph.
  The Vulnerabilities page appears, filtered by Critical and High severity and the exploitability characteristic you selected. For more information, see View Vulnerabilities by Plugin.
• To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities
This widget summarizes the vulnerabilities that are not yet exploitable, determined by their Exploit Code Maturity and Vulnerability Publication Date.
• To view the counts of your vulnerabilities by decreasing priority, view the categories and counts from upper left to lower right. Tenable recommends addressing vulnerabilities with proof-of-concept before those with no known exploit.
• To export the data in the widget, click the button and select a format.

Vulnerability Age
This widget summarizes the age of your vulnerabilities (by Vulnerability First Seen date), organized by severity, to help you manage your SLAs. For more information about severity, see CVSS vs. VPR.
• To view a list of vulnerabilities, click one of the vulnerability counts.
  The Vulnerabilities page appears, filtered by the Vulnerability First Seen date and severity you selected. For more information, see View Vulnerabilities by Plugin.
• To export the data in the widget, click the button and select a format.

Vulnerability Management Overview (Explore)


The Vulnerability Management Overview (Explore) dashboard provides executive management with a
summary of risk information at a glance, while enabling security analysts to drill down into technical
details by clicking on the widgets. Tenable Vulnerability Management updates the dashboard data
each time you run a scan.

Note: There may be a delay between the time when a scan completes and when the dashboard data
updates while Tenable Vulnerability Management indexes the data.

Hovering over individual items reveals a data summary that you can click to drill down for further
details.

In the Vulnerability Management Overview (Explore), you can interact with the following widgets:

Widget Action

Cyber Exposure News Feed
This widget highlights the most recent Tenable blog posts related to exposure incidents.
• Click on a tile to navigate to the Tenable blog post.
• Click the or button to collapse or expand the feed.
• Click the or button to scroll through the tiles.

Severity Statistics by Source
The widget provides a count of vulnerabilities collected through multiple sources: Tenable Nessus scan, Tenable Nessus Agents, and Frictionless Assessment. The numbers displayed in this widget use severity to determine the precedence of vulnerabilities to mitigate.
• To view the list of assets for a specific category, click on the summary information in the relevant category.
  The Findings page appears with details about the assets detected for the category.
• To export the data in the widget, click the button and select a format.

Tenable Research Advisory
This widget provides two indicators for current major threats discovered by Tenable Research. The red indicator signifies the presence of the relevant vulnerabilities, while the green indicator is enabled when these vulnerabilities are patched.
• Click on the tiles to display a Findings page with details about the assets detected for Missing Patches and Applied Patches.
• To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)
This widget displays vulnerabilities grouped by Vulnerability Priority Rating (VPR). VPR is the output of Tenable's predictive prioritization process, which is continually updated to accommodate the evolving threat landscape.

Following the initial scan of an asset on the network, Tenable computes an initial VPR using a machine-learning algorithm that analyzes more than 150 different aspects of each vulnerability to determine the level of risk. Vulnerabilities listed on the left have the highest VPR, while those on the right have the lowest. For more information, see CVSS vs. VPR.
• To view the asset details detected in a specific range, click on a VPR range.
  The Findings page appears with details about the assets detected in the selected range.
• To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age
This widget helps organizations manage Service Level Agreements (SLAs) by providing a vulnerability view organized by Vulnerability Priority Rating (VPR) Score and Vulnerability Age.

Tenable calculates the vulnerabilities that do not meet SLAs using a date filter for within the last X days. The vulnerabilities that meet SLAs use a date filter for older than X days.

When you apply default SLA settings:
• Critical: row uses VPR greater than 9.0.
• High: row uses VPR between 7.0-8.9.
• Medium: row uses VPR between 4.0-6.9.
• Low: row uses VPR between 0-3.9.

To know how Tenable Vulnerability Management calculates SLA severity, see General Settings.
• To view the list of assets detected for a specific category, click on the summary information under the SLA categories.
  The Findings page appears with details about the assets.
• To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities
This widget focuses on the most severe current threats, Critical and High exploitable vulnerabilities, to help prioritize remediation. Each bar represents vulnerabilities grouped by an exploitability characteristic.
• Exploited by Malware: Vulnerabilities that can be exploited by malicious software, such as viruses, worms, spyware, adware, and ransomware.
• Remotely Exploitable (Low Complexity): Vulnerabilities that can easily be exploited remotely and require little skill or information gathering to exploit.
• Locally Exploitable (Low Complexity): Vulnerabilities that can easily be exploited with local access and require little skill or information gathering to exploit.
• Exploited by Framework (Metasploit): Vulnerabilities that have publicly available exploit code imported into various exploit frameworks, such as Metasploit, pose risks. These common exploit frameworks are easily accessible and are used by both security researchers and malicious attackers.
• Remotely Exploitable (High Complexity): Vulnerabilities that can be exploited remotely, but require a high degree of skill and information gathering to exploit.

Note: These groupings are not mutually exclusive, as a single vulnerability can fall into multiple exploitability categories. Tenable recommends prioritizing remediation starting with vulnerabilities in the left-most column, Exploited by Malware.
• To view details about assets for a specific category, click one of the bars on the graph.
  The Findings page appears with details about assets detected for the category.
• To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities
This widget provides a view of vulnerabilities based on exploit code maturity and vulnerability publication date. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the exploit code maturity, where Proof of Concept is more serious than Unproven Exploit.
• To view the list of assets for a specific category, click on the counts under the Published categories.
  The Findings page appears with details about the assets detected for the category.

  Tip: Tenable recommends addressing vulnerabilities with proof-of-concept before those with no known exploit.
• To export the data in the widget, click the button and select a format.

Scan Health
This widget provides a summary of scan health in relation to authentication success and failures. The five columns display asset counts related to:
• Authentication Success - Scans authenticate successfully with full administrator/root privileges. Scan results are the most comprehensive.
• Success but Insufficient Access - Scans authenticate successfully, but do not have privileged access. Scan results are limited to the scope of a local non-privileged user.
• Success but Intermittent Failure - Scan credentials intermittently fail, which results from session rate limits, session concurrency limits, or other issues preventing consistent authentication success.
• Authentication Failure (Credentials) - Incorrect credentials provided.

• To view the list of assets that falls in a specific category, click the required category.
  The Findings page appears with details about assets detected for the category.
• To export the data in the widget, click the button and select a format.

Vulnerability Age: Managing SLAs
This widget provides a view of vulnerabilities based on severity and age. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the severity level of the vulnerability.
• To view asset details for a specific category, click the vulnerability count in the required category.
  The Findings page appears with details about assets detected for the category.
• To export the data in the widget, click the button and select a format.

Tenable Web App Scanning Dashboard


The default Web Applications Scanning dashboard displays data Tenable Web App Scanning
collects.

The tables below describe the sections and widgets displayed in the Web Applications Scanning
dashboard. You can view details about the data in a widget by clicking the widget.

Tenable Web App Scanning Statistics


The table below describes the widgets displayed in the Statistics section of the Web Applications
Scanning dashboard. You can view details about the data in a widget by clicking the widget.

Widget | Description
Findings | Number of findings Tenable Web App Scanning has discovered. The findings are categorized by severity (Critical and High). For information about vulnerability ratings and the severity metrics Tenable uses to analyze risk, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.
Web Assets Scanned | Number of assets scanned over time.
Incomplete Scans | Number of incomplete scans in the past 90 days.
Non Authenticated Scans | Number of non-authenticated scans in the past 90 days.

OWASP Top 10
This chart displays the vulnerabilities discovered by Tenable Web App Scanning that appear in the
latest Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application
Security Risks document.

View the Dashboards Page


Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management updates dashboard data based on date filters you add when you
Create a Custom Widget for the dashboard.

To view the Dashboards page:

1. Access the Dashboards page in one of the following ways:

   • On any Tenable-provided dashboard page, click the Dashboards button.
   • On any other page, do the following:
     a. In the upper-left corner, click the button.
        The left navigation plane appears.
     b. In the left navigation plane, click Dashboards.

   The Dashboards page appears. The page contains tiles that represent:

   • Tenable-provided dashboards
   • Dashboards you have created
   • Dashboards that other users have shared with you

2. Do any of the following:

   • In the upper-left corner, use the Search bar to search for specific dashboards.
   • In the upper-left corner, use the drop-down to change the order in which dashboards appear on the Dashboards page.
   • In the Groups section, do any of the following:
     ◦ Use the Search Groups bar to search for specific dashboard groups.
     ◦ Click the Shared with Me tab to view dashboards that have been shared with you.
     ◦ Click the Updates Available tab to view dashboards that are eligible for auto-update.
   • Roll over individual dashboard tiles to reveal additional information.
   • Toggle between the grid and list view.
   • Set a default dashboard.
   • Edit a dashboard.
   • Share a dashboard.
   • Export a dashboard.
   • Duplicate a dashboard.
   • Delete a dashboard.
   • Click a dashboard tile to view the individual dashboard.

Tenable-Provided Dashboards
On the Dashboards page, Tenable Vulnerability Management shows dashboards in the following
order:

1. Tenable-provided dashboards. For a complete index of Tenable-provided dashboard templates, see Tenable Vulnerability Management Dashboards.

2. Dashboards you create and dashboards that have been shared with you.

Note: You can change the order in which dashboards appear by using the drop-down in the upper-right
corner of the Dashboards page.

The Tenable-provided dashboards you see depend on the licenses you have, but can include the
following:

Dashboard | License
Vulnerability Management Overview | Tenable Vulnerability Management
Lumin | Tenable Lumin
Container Security | Tenable Container Security
Web Application Scanning | Tenable Web App Scanning

Note: You can export the Vulnerability Management Overview and Asset View dashboard landing pages,
or export individual widgets on those dashboards. For more information, see Export a Full Dashboard and
Export an Individual Dashboard Widget.

Note: If your dashboard fails to show data, you may be filtering the dashboard by a target group with too many
targets. Tenable recommends limiting the number of targets in any individual target group.

Export a Full Dashboard Landing Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export the following dashboard landing pages:

• Vulnerability Management Overview
• Asset View
• Tenable Lumin
• Tenable Web App Scanning

To export a full dashboard landing page:

1. View the dashboard page you want to export.

2. In the upper-right corner, click Export.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   • Click PDF to export the dashboard in PDF format.
   • Click PNG to export the dashboard in PNG format.
   • Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Export an Individual Dashboard Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export individual widgets from the following
dashboard landing pages:

• Vulnerability Management Overview
• Asset View
• Tenable Lumin
• Tenable Web App Scanning

To export an individual dashboard widget:

1. View the dashboard page that contains the widget you want to export.

2. In the header of the widget you want to export, click the button.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

   • Click PDF to export the dashboard in PDF format.
   • Click PNG to export the dashboard in PNG format.
   • Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

View an Individual Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management updates dashboard data every time you run a scan.

To view an individual dashboard:

1. View the Dashboards page.

2. Do one of the following:

   • In grid view, roll over the tile for the dashboard you want to view.
     Dashboard information and options overlay the dashboard tile.
   • In list view, roll over the thumbnail dashboard image for the dashboard you want to view.
     Dashboard options overlay the thumbnail dashboard image.

3. Click View.

   The page for that dashboard appears.

4. Do one of the following:

   • Change the dashboard you are viewing:
     a. In the upper-right corner, click Jump to Dashboard.
        A drop-down box appears.
     b. Select the dashboard you want to view.

     Tip: Use this option to view legacy versions of Explore dashboards. For more information, see Enable Explore Dashboards.
   • Roll over individual widgets to reveal additional information.
   • Click on widget elements to drill down into details behind the data.
   • Share the dashboard.
   • Export the dashboard.
   • Edit the dashboard.
   • Set the dashboard as default.
   • Duplicate the dashboard.
   • Create a new dashboard.
   • Delete the dashboard.

View the Dashboard Template Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Template Library provides a selection of Tenable-provided dashboards.

To view the dashboard template library:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

On the Template Library page, you can:

• Sort the Template Library page:
  a. In the upper-right corner of the page, click the button in the drop-down box.
  b. Select the criteria by which you want to sort the page.
• In the upper-left corner, use the Search bar to search for specific dashboards.
• Click the New and Updated tab to view dashboards that are eligible for auto-update.
• Toggle between the grid and list view.
• Preview a dashboard.
• Create a dashboard.

Create a Dashboard
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can create a custom dashboard or use the Template Library to create a copy from the available
templates. Dashboards let you drill down to view the details of each widget.

Important: The Template Library in Tenable Vulnerability Management includes Explore dashboard
templates. The Explore dashboard templates are marked with Explore at the end of the template name.
For example: Vulnerability Management (Explore). From the dashboards that you create using these
templates, you can drill down to the Findings or Assets pages. To add an Explore dashboard, see Enable
Explore Dashboards.

To create a dashboard:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Do one of the following:

To create a dashboard from a template:

a. Click Template Library.

   The Template Library page appears.

b. In the Groups panel on the left, click the group name to view the templates for the category.

   The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Category | Description
Center for Internet Security (CIS) | CIS Benchmarks are best practices for the secure configuration of a target system. Be sure to use the proper audit file for scans.
Defense Information Systems Agency (DISA) | The Defense Information Systems Agency (DISA) is a United States Department of Defense combat support agency composed of military, federal civilians, and contractors. Security Technical Implementation Guides (STIG) is a configuration standard that consists of cybersecurity requirements for a specific product. Be sure to use the proper audit file for scans.
Compliance Framework | Tenable allows you to audit configuration compliance with a variety of standards including GDPR, ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. These reports provide summary and detailed information for all the supported frameworks. Be sure to use the proper audit file for scans.
Host Audit Plugin Type | Organizations such as CIS, DISA, and some vendors create golden configuration standards, known as benchmarks. Tenable creates audit files that perform a detailed configuration review. Scanning the assets with the Host Audit Compliance Check plugins allows you to do detailed configuration checks. These reports provide summary and detailed information for all the Host Audit Compliance Check plugins.
Tenable Best Practice Audits | Allows you to implement best practice audits for new technologies. Be sure to use the proper audit file for scans.
Vendor Based Audits | Allows you to implement vendor-specific guidance for new technologies. Vendors include: Vendor, IBM, Juniper, Microsoft, NetApp, VMware, and others. Be sure to use the proper audit file for scans.
Vulnerability Management | Tenable Vulnerability Management provides the most comprehensive vulnerability coverage with real-time continuous assessment of the organization. These built-in reports allow organizations to communicate risk based on prioritization, threat intelligence and real-time insights to prioritize remediation actions. These reports provide summary and detailed information on data collected using Tenable Vulnerability Management applications such as Tenable Nessus.
Web App Scanning | Web application security provides the ability to detect and mitigate threats and vulnerabilities that may compromise the confidentiality, integrity, and availability of web applications. These reports leverage data from Tenable Web App Scanning, a comprehensive and automated vulnerability scanning tool for modern web applications.

c. In the library, locate the template you want to use.

d. Hover over the template.

   An overlay of template information and options appears.

e. (Optional) To preview the dashboard template, click Preview. For more information, see Preview a Dashboard.

f. Click Add.

   An Added dashboard to Dashboards confirmation message appears.

   The new dashboard appears on the Dashboards page with the name Copy of selected dashboard.

To create a custom dashboard:

a. Click Custom Dashboard.

   The Edit Dashboard page appears.

b. Name the dashboard:
   a. Click the name of the dashboard.
      The name becomes an editable text box.
   b. Type a name for the dashboard.
   c. Click the button to confirm the name change.
      Tenable Vulnerability Management saves the updated name.

c. Add a dashboard description:
   a. Click the dashboard description.
      The description becomes an editable text box.
   b. Type a description for the dashboard.

d. Add widgets to the dashboard:
   a. In the upper-right corner of the page, click Add Widgets.
      A menu appears.
   b. Do one of the following:
      • To add a widget from a template, click Template Widget.
        The Widgets page appears.
        ◦ Select the widget as described in Add a Widget to a Dashboard.
      • To add a custom widget, click Custom Widget.
        The Create Widget page appears.
        ◦ Configure the custom widget as described in Create a Custom Widget.

e. Add dashboard filters:
   a. In the upper-right corner of the page, click Edit Filter.
      The Filter plane appears.

      Note: The Edit Filter option does not appear if there are no widgets added to the dashboard.
   b. Configure your dashboard filters as described in Filter a Dashboard.

f. (Optional) Reorder widgets on the dashboard:
   a. Hover over the widget you want to move.
   b. Press and hold the mouse button to highlight the widget.
      The edges of the widget become defined and exhibit a raised appearance.
   c. Using the mouse, drag the widget to the new location.
   d. Release the mouse button to drop the widget in the new location.

g. (Optional) Delete the dashboard:
   ◦ In the lower-left corner of the page, click Delete Dashboard.
     Tenable Vulnerability Management discards the newly created dashboard.

What to do next:
• Manage Dashboards

Preview a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When creating a new dashboard from a template, you can preview the dashboard before adding it to
the Dashboards page.

To preview a dashboard:

1. Create a dashboard.

2. In the Template Library, roll over the template you want to preview.

An overlay of template information and options appears.

3. Click Preview.

A preview of the dashboard appears.

4. To exit the preview, in the top navigation bar, click a link in the breadcrumb trail to return to
the Template Library or the Dashboards page.

5. To add the template to the Dashboards page, click Add to Dashboards.

An Added dashboard to Dashboards confirmation message appears, and the new dashboard
appears on the Dashboards page with the name Copy of selected dashboard.

Enable Explore Dashboards


Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To use Explore dashboards within Tenable Vulnerability Management, you must first add them to
your interface via the Template Library.

Note: The numerical data that appears on your Explore dashboards may not match the data on your legacy
Tenable Web App Scanning or VM dashboards.

Note: The data on your Explore Tenable Web App Scanning and VM dashboards reflects your complete
scanning history. This differs from the Tenable Web App Scanning and VM dashboards, which display data
for only the last 30 calendar days.

To enable Explore dashboards:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

4. In the upper-left corner, in the Search bar, type "(Explore)".

All available Explore dashboards appear.

If Explore dashboards do not appear, your container may not have enabled them. Please contact
your Customer Success Manager.

5. For each Explore dashboard you want to add to your interface, do the following:

a. Roll over the Explore dashboard template.

An overlay of template information and options appears.

b. Click Add.

An Added dashboard to Dashboards confirmation message appears, and the Explore
dashboard appears on the Dashboards page.

Note: To reenable your Tenable Web App Scanning or VM dashboards, enable the corresponding
workbench.

Manage Dashboards
This section contains the following topics to help you manage your Tenable Vulnerability
Management dashboards:

Dashboard Groups

In Tenable Vulnerability Management, you can organize dashboards into groups via the dashboard
Groups panel. This allows you to track different types of dashboards, and dashboards that others
have shared with you. You can also share a dashboard group with one or more users or user groups.

The Groups panel automatically expands when you view the Dashboards page. The panel is
separated by Tenable-provided dashboard groups and user-created dashboard groups.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Add a Dashboard Group


You can add a dashboard group via the Groups panel on the Dashboards page.

To add a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click Add.

The Edit Group pane appears.

3. In the Group Name box, type a name for your dashboard group.

4. In the Dashboards to Include section, select the check box next to any dashboards you want
to add to the dashboard group.

5. Click Save.

Tenable Vulnerability Management adds the dashboard group to the user-created dashboard
list in the Groups panel.

Share a Dashboard Group


In Tenable Vulnerability Management, you can share a user-created dashboard group with other users
or user groups via the Groups panel.

Note: Dashboard groups are not automatically re-shared with a user after they have been updated. For
example: User A shares a dashboard group with User B. User A then makes a change to the dashboard
group. To see the update, User A must re-share the dashboard group with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to share.

The group and its included dashboards appear.

3. Click Share Group.

The Share Group pane appears.

4. Do one of the following:

• To share the dashboard group with all users, select the All Users check box.

• To share the dashboard group with specific users or user groups, from the drop-down
box, select the users or user groups with which you want to share the dashboard group.

Tip: You can share with multiple users or user groups.

5. Click Share.

A Group shared successfully message appears. Tenable Vulnerability Management shares the
dashboard group with the designated users or user groups and sends an email indicating that
you shared a dashboard with them.

Edit a Dashboard Group


In Tenable Vulnerability Management, you can edit user-created dashboard groups via the Groups
panel.

To edit a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to edit.

The group and its included dashboards appear.

3. Click Edit Group.

The Edit Group pane appears.

4. (Optional) In the Group Name box, edit the name of the dashboard group.

5. (Optional) In the Dashboards to Include section, select or deselect the dashboards that
appear in the dashboard group.

6. Click Save.

Tenable Vulnerability Management saves your changes to the dashboard group.

Delete a Dashboard Group


In Tenable Vulnerability Management, you can delete user-created dashboard groups via the Groups
panel.

To delete a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to delete.

The group and its included dashboards appear.

3. Click Delete Group.

A confirmation message appears.

4. Click Delete.

Tenable Vulnerability Management deletes the dashboard group.

Note: Deleting dashboard groups does not delete the dashboards within the group.

Automatically Update Widgets on a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To provide the most up-to-date vulnerability information, Tenable updates or adds new dashboard
widgets when, for example, a new vulnerability is exposed or when Tenable Vulnerability
Management adds a new vulnerability filter. When Tenable updates these widgets, you can view and
automatically update them in one of the following ways:

• Dashboards page — On the Dashboards page, you can update all updated widgets on a
dashboard at one time.

• Dashboard Template Library — When creating a custom dashboard via the Template Library,
you can view new or updated widgets and add them to the custom dashboard.

Note: On predefined dashboard templates, Tenable Vulnerability Management always includes the
most recent version of widgets.

• Widget Library — In the Widget Library, you can view new or updated widgets and add them
to up to ten individual dashboards.

To update widgets automatically via the Dashboards page:


1. View the Dashboards page.

2. In the Groups section, click the Updates Available tab.

A list of dashboards with updated widgets appears.

Note: You can also see dashboards with new and updated widgets on the All tab. These dashboards
appear with a pulsing blue dot next to the dashboard name.

3. Roll over the dashboard for which you want to update widgets.

An overlay of options appears.

4. Click Apply.

An Update Available message appears that describes the updates to the widgets on the
dashboard.

5. Click Update.

An Update Applied Successfully message appears and Tenable Vulnerability Management
updates the widgets on the dashboard.

To update widgets automatically via the dashboard Template Library:


1. View the dashboard Template Library.

2. Click the New and Updated tab.

A list of dashboard templates with new and updated widgets appears.

3. Roll over the dashboard template you want to add.

An overlay of options appears.

4. Click Add.

An Added Dashboard Template to Dashboards message appears, and the dashboard
template with the new or updated widget appears on the Dashboards page.

To update widgets automatically via the Widget Library:


1. View the Widget Library.

2. Click the New and Updated tab.

A list of new and updated widgets appears.

3. Roll over any widget you want to add to a dashboard.

4. Click Add to Dashboards.

The Add to Dashboards plane appears.

5. In the Dashboards drop-down, select the dashboard or dashboards to which you want to add
the new or updated widget.

6. Click Save.

A Successfully Added to Selected Dashboards message appears and Tenable Vulnerability
Management adds the new or updated widget to the selected dashboards.

Edit a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To edit a dashboard:

1. Do one of the following:

• Access the Edit Dashboard page via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Edit.

• Access the Edit Dashboard page via an individual dashboard:

a. View the dashboard you want to edit.

b. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

c. Click Edit dashboard.

The Edit Dashboard page appears.

2. On the Edit Dashboard page, do any of the following:

• Rename the dashboard:

a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a new name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the name.

• Edit the dashboard description:

a. Click the dashboard description.

The description becomes an editable text box.

b. Type a new description for the dashboard.

• Edit the dashboard filters:

a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

b. Configure your dashboard filters as described in Filter a Dashboard.

• Add widgets to the dashboard:

a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

• To add a widget from a template, click Template Widget.

The Widgets page appears.

◦ Select the widget as described in Add a Widget to a Dashboard.

• To add a custom widget, click Custom Widget.

The Create Widget page appears.

◦ Configure the custom widget as described in Create a Custom Widget.

• Reorder widgets on the dashboard:

a. Roll over the top of the widget until the move cursor appears.

b. Click and drag the widget to the desired location.

• Resize the widgets on the dashboard:

a. Roll over the lower-right corner of the widget until the resize cursor appears.

b. Click and drag the widget to the desired size.

The widgets shift to accommodate the new widget size.

• Delete the dashboard:

◦ In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management removes the dashboard from the Dashboards page.

3. Click Done Editing.

You return to the selected dashboard and Tenable Vulnerability Management applies your
changes.

Set a Default Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can set any dashboard as the default dashboard to make it your landing page. If you do not set
a default dashboard, Tenable Vulnerability Management uses the Tenable-provided Vulnerability
Management Overview dashboard as the default.

When you set a dashboard as default, on the Dashboards page, the Default label appears in the
header of the dashboard tile.

Note: If you delete a dashboard set as default, the product's Tenable-provided dashboard becomes the
default.

To set a default dashboard:

1. Do one of the following:

• Set a default dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

• Set a default dashboard via an individual dashboard:

a. View the dashboard you want to make the default.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Select Make Default.

A Successfully set as default dashboard confirmation message appears, and Tenable
Vulnerability Management sets the dashboard as the default.

Note: You may have to log out and log back in to see the updated default dashboard.

Rename a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To rename a dashboard:

1. View the dashboard you want to rename.

2. On the dashboard page, roll over the dashboard name.

The name becomes highlighted and shows a button.

3. Click the button or double-click the name.

The name field becomes a text box.

4. Enter a new name for the dashboard.

5. Click the button to confirm the name change.

A confirmation appears at the top of the page.

The new name appears.

Duplicate a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a dashboard:

1. Do one of the following:

• To duplicate a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

• To duplicate a dashboard via an individual dashboard:

a. View the dashboard you want to duplicate.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Duplicate.

A Successfully copied the dashboard confirmation message appears, and Tenable
Vulnerability Management copies the dashboard on the Dashboards page.

Filter a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can apply filters at the dashboard level to all widgets within that dashboard.

Note: You can apply configurations to individual widgets. The widget-level configuration takes precedence
over dashboard-level configuration.

To filter a dashboard in the new interface:

1. View the dashboard you want to filter.

2. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

3. Click Filter.

The Filter plane appears.

4. In the Select Filter Type drop-down, select the assets you want the dashboard to analyze. See
the following table for options and requirements.

Option: All Assets (Default)
Description: This option includes all the assets in the dashboard.
Requirement: This is the default option and includes all assets in the dashboard. There is no
requirement for this option.

Option: Target Group
Description: This option only includes assets in a specific target group.
Requirement: An extra field for Select Target Groups appears when you select this option. Select the
desired target group from the drop-down list.

Option: Custom
Description: This option only includes assets with a specific hostname, IP address, FQDN, or CIDR.
Requirement: A text box appears when you select this option. Enter one or more of the custom option
formats (hostname, IP address, FQDN, or CIDR). Separate multiple items with commas.

Important: Make sure that the number of IP addresses in your search filter is less than or equal to
25.

Important: Make sure that the number of Hostnames in your search filter is less than or equal to 300.

5. Click Apply.

The icon appears in the header of all the dashboard widgets.

6. In the widgets section, roll over the icon to view the added filter.

Note: The following are the filtering limitations for Explore widgets:

• Explore widgets do not support Target Groups.
• Cloud Misconfigurations widgets do not support filtering by IP or hostname.
• Cloud Misconfigurations and Web Application Findings widgets do not support tags.

Note: You can filter only with the tags you can access. You cannot apply tags that you do not have access
to.
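
The Custom filter limits described above (comma-separated entries, at most 25 IP addresses and 300 hostnames) can be checked before a long list is pasted into the filter box. The following Python is an added example, not part of the Tenable guide or product; the function names are hypothetical, and it assumes that FQDNs count toward the hostname limit and that CIDR entries are counted separately from single IP addresses, which the guide does not specify.

```python
import ipaddress
import re

# Limits stated in the guide's Custom filter requirements.
MAX_IP_ADDRESSES = 25
MAX_HOSTNAMES = 300

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(item):
    """Return 'ip', 'cidr', 'hostname' or 'invalid' for one filter entry."""
    try:
        ipaddress.ip_address(item)
        return "ip"
    except ValueError:
        pass
    if "/" in item:
        try:
            # strict=False accepts host bits set, e.g. 198.51.100.7/24
            ipaddress.ip_network(item, strict=False)
            return "cidr"
        except ValueError:
            return "invalid"
    name = item.rstrip(".")
    if not name or len(name) > 253:
        return "invalid"
    labels = name.split(".")
    # An all-numeric last label means a malformed IP (e.g. 10.0.0.300),
    # not a hostname or FQDN.
    if all(LABEL_RE.match(label) for label in labels) and not labels[-1].isdigit():
        return "hostname"
    return "invalid"


def check_custom_filter(text):
    """Split a comma-separated filter string, count entry kinds, list problems.

    Assumption (not stated in the guide): FQDNs count as hostnames and CIDR
    entries are tallied separately from single IP addresses.
    """
    counts = {"ip": 0, "cidr": 0, "hostname": 0}
    problems = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            problems.append("empty entry (stray comma)")
            continue
        kind = classify(item)
        if kind == "invalid":
            problems.append(f"unrecognized entry: {item!r}")
        else:
            counts[kind] += 1
    if counts["ip"] > MAX_IP_ADDRESSES:
        problems.append(
            f"{counts['ip']} IP addresses exceeds the limit of {MAX_IP_ADDRESSES}"
        )
    if counts["hostname"] > MAX_HOSTNAMES:
        problems.append(
            f"{counts['hostname']} hostnames exceeds the limit of {MAX_HOSTNAMES}"
        )
    return counts, problems


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges, made-up names).
    sample = "web01, 192.0.2.10, app.example.com, 198.51.100.0/24, 10.0.0.300"
    counts, problems = check_custom_filter(sample)
    print(counts)
    for problem in problems:
        print("problem:", problem)
```
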

Filter a Dashboard by Time

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can filter a dashboard to show only vulnerabilities within a specific timeframe — in hours, days,
months, or years. Filters are available only for custom dashboards or dashboards created using the
template library.

Note: The filter by time option is available only for Explore dashboards and Explore widgets.

To filter a dashboard by a specific timeframe:

1. View the dashboard you want to filter.

2. To filter your dashboard data for a specific timeframe, do one of the following:

• In the All drop-down box, select the required timeframe: All, 7 days ago, 14 days ago, 30
days ago, 60 days ago, 90 days ago.

• For a custom timeframe, in the Last Seen box, type the value to view the data within the
last number of days, hours, years, or months.

Tenable Vulnerability Management displays the vulnerabilities for the selected timeframe on
the dashboard.

Share a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management users can share a dashboard with one or more users, or one or
more user groups. Shared dashboards appear automatically for the users or groups with which they
are shared.

Note: You cannot edit dashboards that are shared with you. You can, however, duplicate or delete a
dashboard that is shared with you.

Note: Dashboards are not automatically re-shared with a user after they have been updated. For example:
User A shares a dashboard with User B. User A then makes a change to the dashboard. To see the update,
User A must re-share the dashboard with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard:

1. Do one of the following:

• To share a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

A drop-down list appears.

c. Click Share.

• To share a dashboard via an individual dashboard:

a. View the dashboard you want to share.

b. In the upper-right corner, click Share.

The Share panel appears.

2. Do one of the following:

• To share the dashboard with all users, select the All Users check box.

• To share the dashboard with specific users or user groups, from the drop-down box,
select the users or user groups with which you want to share the dashboard.

Tip: You can share with multiple users or user groups.

3. Click Share.

A Dashboard shared successfully message appears. Tenable Vulnerability Management
shares the dashboard with the designated users or user groups and sends an email indicating
that a dashboard has been shared with them.

Manage Dashboard Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

With the export feature, you can export dashboard data in CSV, PDF, and detailed PDF formats. You
can create dashboard exports on demand or schedule automated exports to specified recipients.

You can also manage your dashboard exports. You can download them, view your export history,
delete your exports, or delete their configuration.

Note: While you cannot export the Vulnerability Management Overview and Asset View dashboards, you
can export their associated landing pages, or export individual widgets on those dashboards. For more
information, see Export a Full Dashboard Landing Page and Export an Individual Dashboard Widget.

Export a Dashboard

To export a dashboard in CSV format:
1. Do one of the following:

• Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to CSV.

• Export the dashboard while viewing the individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click CSV.

An Export in Progress confirmation message appears.

The export request and status appear in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To export a dashboard in PDF format:


You can use the Export PDF feature to share customized dashboards externally. The exported
PDF is a generated report of the selected dashboard.

To export a PDF:

1. Do one of the following:

• Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to PDF or, where available, Export to PDF - Detailed.

Note: By default, the following dashboards support PDF-Detailed exports:

• Executive Summary
• Exploitable by Malware
• Exploitable Framework Analysis
• Measuring Vulnerability Management
• Mitigation Summary
• Outstanding Remediation Tracking
• Prioritize Assets
• Vulnerabilities by Common Ports
• Vulnerability Management
• Web Services

• Export the dashboard via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information that is included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

An Export in Progress confirmation message appears.

The export request and status appear in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To schedule a dashboard export:


The Schedule Export option allows you to export a dashboard at specified times.

To schedule an export:

1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Schedule Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. Do one of the following:

• If you have never exported and/or scheduled an export for the dashboard, the Schedule
options automatically appear.

• If you have already exported the dashboard, in the Schedule section, click Add New.

The Schedule options appear.

• If you have already scheduled an export for the dashboard, you cannot create another
one. You must first cancel the scheduled dashboard export.

3. Select CSV, PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

4. In the Schedule section, set the following parameters:

Option: Name
Description: A name for the scheduled export.

Option: Start Date and Time
Description: The date and time that you want the export to begin.

Option: Repeat
Description: The frequency that you want Tenable Vulnerability Management to send the export:

• Daily — The export occurs daily at the time specified.

• Weekly — The export occurs every week on the same day at the time specified (for example,
Weekly on Tuesday).

• Monthly — The export occurs once a month on the day of the week and time specified (for
example, Monthly on Last Tuesday).

• Custom — The export occurs at a custom interval. If you select Custom, more options appear:

a. In the Repeat Every section, in the drop-down, select how often you want the export to
repeat. For example, if you want the export to repeat every 2 days, then in the first
drop-down box, select 2 and in the second drop-down box, select Days.

• Does not Repeat — The export does not repeat.

Option: Password Protection
Description: Specifies the export as encrypted or unencrypted.

If you toggle this option on, an Encryption Password box appears. Type the password you want to
use to encrypt the export file.

Note: Once you save the scheduled export, you cannot edit the Encryption Password. Instead, you
must create a copy of the dashboard, create a scheduled export, and then select the desired
password.

Option: Add Recipients
Description: (Optional) The email address for the person that receives the report. You can specify
multiple email addresses as a comma-separated list.

5. Click Schedule.

The scheduled export appears in the Schedule Export plane.

Download a Dashboard Export

To download a dashboard export:

1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard with the export you want to download.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, next to the export download you want to download, click the
button.

Tenable Vulnerability Management downloads the export file to your computer.

View Dashboard Export History

To view dashboard export history:


1. View the dashboard for which you want to view export history.

2. In the upper-right corner, click Export.

A drop-down list appears.

3. In the drop-down list, click History.

The Export History plane appears.


On the Export History plane, you can view:

• The schedule for the dashboard export.

• Available downloads of previous dashboard exports.

You cannot access the Export History plane if the dashboard has not yet been exported.

Delete a Dashboard Export Download

To delete a dashboard export download:


1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete an export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, roll over the export download you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Delete.

A Download deleted successfully message appears and Tenable Vulnerability Management
removes the export download from the Schedule Export plane.

Delete a Dashboard Export Configuration

To delete a dashboard export configuration:
1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete a scheduled export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Schedule section, roll over the scheduled export configuration you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Confirm.

A Successfully deleted export configuration message appears and Tenable Vulnerability
Management removes the export configuration from the Schedule section of the Schedule
Export plane.

Delete a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: In Tenable Vulnerability Management, you can only delete custom dashboards. You cannot delete
Tenable-Provided Dashboards.

To delete a dashboard:

1. Do one of the following:

• Delete a dashboard from the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

• Delete a dashboard from the individual dashboard:

a. View the dashboard page you want to delete.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Delete.

A Confirm Deletion confirmation message appears.

3. Click Delete.

A Successfully deleted the dashboard confirmation message appears and Tenable
Vulnerability Management removes the dashboard from the Dashboards page.

Manage Widgets
You can use the widget library to create and edit widgets to use across your dashboards.

To manage widgets in the widget library:


• View the Widget Library

• Create a Custom Widget

• Edit a Custom Widget

• Add a Widget to a Dashboard

On your dashboards, you can further configure widgets to modify your dashboards.

To manage widgets on a dashboard:

• Configure a Widget

• Duplicate a Widget

• Rename a Widget

• Delete a Widget from a Dashboard

View the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The widget library provides a selection of Tenable-provided widgets to add to your template-based
or custom dashboard.

Note: The Tenable-provided Vulnerability Trending widget is not available in the widget library. All other
Tenable-provided widgets appear in the widget library.

To view the widget library:

1. View the Dashboards page.

2. In the upper-right corner of the page, click the Widget Library button.

The Widgets page appears.

3. (Optional) In the upper-left corner of the page, click the tab for the dashboard widgets you
want to view. For example, if you want to view only widgets associated with Tenable Vulnerability
Management, click the Vulnerability Management tab.

Note: The tabs that appear on the Widgets page depend on the licenses (for example, Tenable
Lumin, Tenable Web App Scanning) you have enabled in Tenable Vulnerability Management.

On the Widgets page you can:

• Sort the Widgets page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the widgets page.

• In the upper-left corner, use the Search bar to search for specific widgets.

• Click the New and Updated tab to view dashboard widgets that are eligible for auto-update.

• Add the widget to a dashboard.

• Delete a widget from the widget library.

Delete a Widget from the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You can only delete custom widgets. You cannot delete pre-configured Tenable Vulnerability
Management widgets.

To delete a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the header of the widget you want to delete, click the button.

A drop-down menu appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Vulnerability Management removes the widget from the widget plane, and a message
confirming the deletion appears at the top of the plane.

Create a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined dashboards.

To create a custom widget:

1. Do one of the following:

• Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the Custom Widget button.

The Create Custom Widget page appears.

• Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the upper-right corner of the page, click Add Widgets.

A menu appears.

3. Click Custom Widget.

The Widgets page appears.

4. In the charts section, select the chart type for your custom widget:

• Table

• Ring chart (Vulnerabilities dataset only)

• Bar chart (Vulnerabilities dataset only)

5. In the dataset drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

• Vulnerabilities

• Assets

Note: If you selected ring chart or bar chart in the charts section, selecting the Assets
dataset resets the chart selection to a table.

The chart type, Data Grouping, and Display Fields options update based on your selection.

6. In the Data Grouping drop-down box, select how you want to group the data:

l By Plugin (Vulnerabilities dataset only)

l By Asset (Vulnerabilities dataset only)

l By CVE (Vulnerabilities dataset only)

l Asset List (Assets dataset only)

7. (Optional) To filter the widget data using filters:

a. Click the button to expand the filter options.

b. In the drop-down box, select category, operator, and value types.

c. (Optional) Click the Add button to specify more filters.

Note: If you previously created a tag, it appears in the custom widget's list of filters.

Note: If you exceed the current asset query limitation of 5,000, a message appears in your interface.
Refine the query to a smaller set of asset tags.

Note: Tenable Vulnerability Management does not currently support tag filters in exports.

8. (Optional) To filter the widget data using an existing saved search, in the Saved Searches
drop-down box, select the saved search you want to use to filter your widget data.

Note: If you do not have any saved searches, this option does not appear. To create a new saved
search, see Saved Search.

9. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

10. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the description hover text updates
automatically.

11. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

12. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Create a Custom Widget for Explore Dashboards

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined Explore dashboards. You can create custom widgets with vulnerabilities and
assets data. Vulnerabilities can include host vulnerabilities, Tenable Web App Scanning
vulnerabilities, and vulnerabilities from Legacy Tenable Cloud Security. Adding a mix of these
custom widgets to your dashboard provides you with a holistic view of the vulnerability
environment.

You can drill down from the custom widgets to the Findings and Assets pages.

To create a custom widget:

1. Do one of the following:

l Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the New Custom Widget button.

The Create Custom Widget page appears.

l Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the Chart Type section, select the chart type for your custom widget:

l Chart types for vulnerabilities:

l Bar

l Column

l Doughnut

l Matrix

l Multi-series Bar

l Multi-series Column

l Stacked Bar

l Stacked Column

l Table

l Chart types for assets:

l Column

l Bar

l Doughnut

l Table

3. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

4. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the contextual description updates
automatically.

5. In the Data Set drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

l Findings

l Assets

The Chart Type, Group By, and Sort Fields options update based on your selection.

If you selected... | Options

Findings | Provide the following details:

a. In the Entity drop-down box, select the type of vulnerability for which you want to create a
widget. You can select from the following:

l Vulnerabilities — Includes the list of findings.

l Web Application Findings — Includes vulnerabilities from Tenable Web App Scanning.

l Cloud Misconfigurations — Includes vulnerabilities from Legacy Tenable Cloud Security.

b. In the Limit drop-down box, select the number of records you want to show on the widget. The
default value is 5 and maximum value is 20.

c. In the Group By drop-down box, select how you want to group the data. The values in the
Group By drop-down change based on the Entity you select.

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to group
vulnerabilities. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and Stacked
Column chart types, you must select two options for grouping vulnerabilities.

For more information about all filters, see Findings Filters.

d. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart type,
you can select from multiple options.

e. In the Sort Fields drop-down box, select how you want to sort the data on the widget. You can
sort by one of these options:

l Count

l Value in Group By

f. In the Sort Order drop-down box, select whether you want the sort in ascending or descending
order.

Assets | Provide the following details:

a. In the Limit drop-down box, select the number of records you want to show on the widget. The
default value is 5 and maximum value is 20.

b. In the Group By drop-down box, select how you want to group the data:

l System Type

l Name

l Operating System

l SSH Fingerprint

l Fully Qualified Domain

l Mac Addresses

l Asset Types

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to group
assets. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and Stacked Column chart
types, you must select two options for grouping assets.

c. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart type,
you can select from multiple options.
6. For each filter you want to use, do the following:

Note: Tenable recommends that you use simple instead of complex queries or one level of nested
filters when creating your custom widgets. Widgets can only have a maximum of one level of nested
filters, provided no additional context filters are applied when the widgets are added to the
dashboards. An example of a query with one level of nesting:
(CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9) AND State is
not equal to Fixed

a. Click Select Filters.

The Select Filters drop-down box appears.

b. Click the filter you want to apply.

The filter appears in the box.

c. In the filter, click the ˅ button.

A list of filter value and operator options appears.

d. In the first drop-down box, select the operator you want to apply to the filter.

e. In the second drop-down box, select one or more values to apply to the filter.

f. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
sets the filter to Match All.

7. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

8. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.
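
The one-level nesting limit described in the filter note of step 6, worked through on the page's own sample query. This is an added illustration, not Tenable code or the Tenable API: the Cond and Group classes, the field names (cvss3_base_score, vpr, state), and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cond:
    field: str    # constructed field name, not a Tenable API identifier
    op: str       # "gt" (is greater than) or "neq" (is not equal to)
    value: object


@dataclass(frozen=True)
class Group:
    match: str    # "all" = AND, "any" = OR
    items: tuple


def nesting_levels(node):
    """Count groups inside groups; a flat list of filters has zero levels."""
    if isinstance(node, Cond):
        return 0
    return max((1 + nesting_levels(i) for i in node.items
                if isinstance(i, Group)), default=0)


def validate(node, max_levels=1):
    """Reject a query that nests deeper than the widget limit of one level."""
    levels = nesting_levels(node)
    if levels > max_levels:
        raise ValueError(f"{levels} levels of nesting; at most {max_levels} allowed")
    return node


def matches(node, finding):
    if isinstance(node, Group):
        results = (matches(i, finding) for i in node.items)
        return all(results) if node.match == "all" else any(results)
    actual = finding.get(node.field)
    if node.op == "gt":
        # A finding with no score (for example, no VPR) never satisfies "greater than".
        return actual is not None and actual > node.value
    if node.op == "neq":
        return actual != node.value
    raise ValueError(f"unsupported operator: {node.op}")


def select(query, findings):
    validate(query)
    return [f["id"] for f in findings if matches(query, f)]


# (CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9)
#   AND State is not equal to Fixed
PAGE_QUERY = Group("all", (
    Group("any", (Cond("cvss3_base_score", "gt", 8.9), Cond("vpr", "gt", 8.9))),
    Cond("state", "neq", "Fixed"),
))

# Same conditions with one more group inside the OR group: two levels, rejected.
TOO_DEEP = Group("all", (
    Group("any", (
        Group("all", (Cond("cvss3_base_score", "gt", 8.9),
                      Cond("state", "neq", "Fixed"))),
        Cond("vpr", "gt", 8.9),
    )),
    Cond("state", "neq", "Fixed"),
))

# Constructed findings, including boundary values and a finding without a VPR.
FINDINGS = [
    {"id": "F1", "cvss3_base_score": 9.8, "vpr": 7.4, "state": "Active"},
    {"id": "F2", "cvss3_base_score": 7.5, "vpr": 9.2, "state": "Resurfaced"},
    {"id": "F3", "cvss3_base_score": 9.1, "vpr": 9.5, "state": "Fixed"},
    {"id": "F4", "cvss3_base_score": 8.9, "vpr": None, "state": "Active"},
    {"id": "F5", "cvss3_base_score": 5.0, "vpr": 8.9, "state": "New"},
]

if __name__ == "__main__":
    print(nesting_levels(PAGE_QUERY), select(PAGE_QUERY, FINDINGS))
```

F4 and F5 sit exactly on the 8.9 boundary and are excluded because the operator is "greater than", not "greater than or equal to".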

Edit a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You cannot edit Tenable-provided widgets.

To edit a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the upper-right corner of the widget you want to edit, click the button.

A menu appears.

4. Click Edit.

The widget options appear.

5. Edit the widget options.

6. Click Save and Exit.

A confirmation appears.

Note: A custom widget that was previously included in dashboards before you edited the widget does not
update to reflect your edits. To include the edited widget, you must add the widget again as described in
Add a Widget to a Dashboard.

Add a Widget to a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Use the following steps to add a widget to your template-based and custom dashboards.

You can add custom widgets, widgets from Tenable-provided dashboards, and other general
purpose Tenable-provided widgets.

To add a widget to a dashboard:

Note: These steps describe how to add a template widget to a dashboard. See custom widgets for
information on how to create custom widgets and add them to your dashboard.

1. View the widget library.

2. For each widget you want to add:

a. Do one of the following:

l Scroll through the list of widgets.

l Use the Search box to find a specific widget.

Tip: You can hover over a widget tile for brief descriptions of each widget. For detailed
descriptions about widgets originating from Tenable-provided dashboards, see Tenable-
Provided Dashboards.

b. Roll over the widget you want to add.

The Add to Dashboards button appears.

c. Click Add to Dashboards.

The Add to Dashboards plane appears.

d. In the Dashboards drop-down box, select the dashboard or dashboards to which you
want to add the widget.

e. Click Save.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard or dashboards.

f. Click Add.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard.

3. Click Done.

You return to the Dashboards page.

Configure a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To configure a widget:

1. View the dashboard page that contains the widget you want to configure.

2. In the upper-right corner of the widget you want to change, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. On the widget summary plane, do any of the following:

l Rename the widget:

a. Do one of the following:

l Click the name of the widget.

l In the widget summary plane, roll over the widget name and click the button.

The name field becomes an editable text box.

b. Type a new name for the widget.

c. Click the button to confirm the name change.

A confirmation message appears at the top of the page, and the new name appears in the widget
header.

l Edit the widget description:

a. Do one of the following:

l Click the widget description.

l In the widget summary plane, roll over the widget description and click the button.

The description field becomes an editable text box.

b. Type a new description for the widget.

c. Click the button to confirm the change.

A confirmation message appears at the top of the page, and the new description appears in the
widget header.

l Duplicate the widget:

o In the Actions row, click the button.

A confirmation message appears and Tenable Vulnerability Management adds the duplicated widget
to the dashboard.

l Delete the widget from the dashboard:

a. In the Actions row, click the button.

A Confirm Deletion message appears.

b. Click Delete.

A confirmation message appears and Tenable Vulnerability Management removes the dashboard from
the Dashboards page.

l Apply filters to the widget:

Option | Description | Requirement

All Assets (Default) | This option includes all the assets in the dashboard. | This is the default option and includes all assets in the dashboard. There is not a requirement for this option.

Custom | This option only includes assets with a specific hostname, IP address, FQDN, or CIDR. | When you select this option, a text box appears. Enter one or more of the custom option formats (hostname, IP address, FQDN, or CIDR). You must separate multiple items with a comma.

Tags | This option uses tags to filter asset results or vulnerability results. Note: Because the ACR Widget uses Tenable Lumin data, this widget does not support filtering by tag. | When you select this option, a drop-down box appears. Select or type the tag name by which you want to filter results. Tenable Vulnerability Management filters the results by the selected tags. Note: Tenable Vulnerability Management supports a maximum of 100 filters.

Note: Once you apply a filter to a widget, a icon appears in the widget header. Roll over the
icon to view the applied filter.

5. Click Apply.

A confirmation message appears and Tenable Vulnerability Management applies your changes
to the widget.

Duplicate a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a widget:

1. View the dashboard page that contains the widget you want to duplicate.

2. In the upper-right corner of the widget you want to duplicate, click the button.

A menu appears.

3. Click Duplicate.

The duplicated widget appears at the bottom of the page.

4. (Optional) Change the name of the widget.

5. (Optional) Reorder the widget sections.

Rename a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To rename a widget:

1. View the dashboard page that contains the widget you want to change.

2. In the upper-right corner of the widget you want to rename, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. In the widget summary plane, roll over the widget name.

The button appears next to the name.

5. Click the button or double-click the name.

The name field becomes an editable text box.

6. Type a new name for the widget.

7. Click the button to confirm the name change.

A confirmation message appears at the top of the page.

The new name appears in the widget header.

Delete a Widget from a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To remove a widget from a dashboard:

1. View the dashboard page that contains the widget you want to remove.

2. In the upper-right corner of the widget you want to remove, click the button.

A menu appears.

3. Click Delete.

Tenable Vulnerability Management prompts you to confirm the removal.

4. Click Delete.

A confirmation message appears at the top of the page.

Tenable Vulnerability Management removes the widget from the dashboard. Remaining
widgets adjust to fill the new space.

Welcome to Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can use Tenable Lumin to quickly and accurately assess your risk and compare your health and
remediation performance to other Tenable customers in your Salesforce industry and the larger
population. Tenable Lumin correlates raw vulnerability data with asset business criticality and
threat context data to support faster, more targeted analysis workflows than traditional
vulnerability management tools.

Tenable-provided metrics help you quantify your risk to make informed remediation and strategic
security decisions. For more information about the metrics used in Tenable Lumin analysis, see
Tenable Lumin Metrics.

For information on how to prepare, install, and configure Tenable Lumin, see Get Started with
Tenable Lumin.

Important! Tenable One customers can access Tenable Lumin directly from the Workspace page.

Tenable Lumin Metrics


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Lumin uses several metrics to help you assess your risk.

l Cyber Exposure Score (CES)

l Vulnerability Priority Rating (VPR)

l Asset Criticality Rating (ACR)

l Asset Exposure Score (AES)

l Assessment Maturity Grade

l Remediation Maturity Grade

For information about improving the accuracy of your Tenable Lumin metrics and increasing your
overall vulnerability management health, see Improve Your Tenable Lumin Metrics.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see
Findings.

Cyber Exposure Score (CES)


Tenable calculates a dynamic CES that represents exposure risk as an integer between 0 and 1000,
based on the Asset Exposure Score (AES) values for assets scanned in the last 90 days. Higher CES
values indicate higher risk.

You can view CES for different groups of assets, including:

l the overall CES for your entire organization (for example, the CES displayed in the Cyber
Exposure Score widget)

l the tag-level CES for assets in a specific business context (for example, the CES displayed in
the Cyber Exposure Score by Business Context/Tag widget).

CES Category CES Range

High 650 to 1000

Medium 350 to 649

Low 0 to 349

To view the CES for your entire organization or for a group of assets, view the widgets on the View
the Tenable Lumin Dashboard.

For more information about how long Tenable Vulnerability Management takes to calculate or
recalculate your CES, see Tenable Lumin Data Timing.

Vulnerability Priority Rating (VPR)


Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many
vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these
vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends prioritizing vulnerabilities with the highest VPRs that are present on your
assets with the highest ACRs.

To view the VPR for a specific vulnerability, view vulnerabilities as described in View Vulnerabilities
by Plugin.

VPR Key Drivers


Tenable uses the following key drivers to calculate a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver | Description

Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability.

CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.

Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Threat Recency | The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

l An exploit of the vulnerability

l A posting of the vulnerability exploit code in a public repository

l A discussion of the vulnerability in mainstream media

l Security research about the vulnerability

l A discussion of the vulnerability on social media channels

l A discussion of the vulnerability on the dark web and underground

l A discussion of the vulnerability on hacker forums

Asset Criticality Rating (ACR)

Tenable assigns an ACR to each asset on your network to represent the asset's relative criticality as
an integer from 1 to 10. A higher ACR indicates higher criticality.

ACR Category ACR Range

Critical 9 to 10

High 7 to 8

Medium 4 to 6

Low 1 to 3

Because Tenable Vulnerability Management calculates ACR values every 24 hours, you may need to
wait up to 24 hours to view the ACR after scanning the asset on your network.

Note: Tenable recommends reviewing your Tenable-provided ACR values and overriding them, if
necessary. You can customize ACR values to reflect the unique infrastructure or needs of your
organization, as described in Edit an ACR.

If an asset receives multiple ACR values, Tenable Vulnerability Management prioritizes the values in
the following order:

1. If set, the manually overridden ACR value.

2. The Tenable-provided ACR value.

To view the ACR for a specific asset, view the asset details as described in View Asset Details.
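
The VPR and ACR guidance above (category ranges, the override-first ACR precedence, and the CVSS-based fallback for vulnerabilities without a VPR) combined into one triage ordering. This is an added example, not Tenable code: the field names, the sample assets and findings, and the exact sort order (VPR category first, then ACR, then VPR value) are assumptions made for illustration.

```python
# Lower bounds taken from the VPR and ACR category tables on this page.
VPR_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))
ACR_BANDS = ((9, "Critical"), (7, "High"), (4, "Medium"), (1, "Low"))
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info")


def band(value, bands):
    """Return the category whose lower bound the value meets."""
    for floor, name in bands:
        if value >= floor:
            return name
    raise ValueError(f"{value} is below the lowest category")


def effective_acr(asset):
    """A manually overridden ACR, if set, wins over the Tenable-provided value."""
    override = asset.get("acr_override")
    return override if override is not None else asset["acr_tenable"]


# Constructed sample data; field names are assumptions, not Tenable API names.
ASSETS = {
    "db01": {"acr_tenable": 6, "acr_override": 10},
    "web02": {"acr_tenable": 8, "acr_override": None},
    "prn03": {"acr_tenable": 3, "acr_override": None},
}
FINDINGS = [
    {"id": "V1", "asset": "prn03", "vpr": 9.6, "severity": "Critical"},
    {"id": "V2", "asset": "db01", "vpr": 9.1, "severity": "High"},
    {"id": "V3", "asset": "web02", "vpr": 8.4, "severity": "High"},
    {"id": "V4", "asset": "db01", "vpr": 7.2, "severity": "Medium"},
    {"id": "V5", "asset": "web02", "vpr": None, "severity": "Info"},
    {"id": "V6", "asset": "db01", "vpr": None, "severity": "Medium"},
]


def triage(findings, assets):
    """Split findings into VPR-rated and unrated queues, each in work order."""
    rated, unrated = [], []
    for f in findings:
        acr = effective_acr(assets[f["asset"]])
        row = {"id": f["id"], "acr": acr, "acr_band": band(acr, ACR_BANDS)}
        if f["vpr"] is None:
            # No VPR: fall back to the CVSS-based severity, as the note recommends.
            row["severity"] = f["severity"]
            unrated.append(row)
        else:
            row["vpr"] = f["vpr"]
            row["vpr_band"] = band(f["vpr"], VPR_BANDS)
            rated.append(row)
    vpr_rank = {name: i for i, (_, name) in enumerate(VPR_BANDS)}
    # Assumed ordering: VPR category, then highest ACR, then highest VPR value.
    rated.sort(key=lambda r: (vpr_rank[r["vpr_band"]], -r["acr"], -r["vpr"]))
    unrated.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), -r["acr"]))
    return rated, unrated


if __name__ == "__main__":
    for queue in triage(FINDINGS, ASSETS):
        print([r["id"] for r in queue])
```

V2 moves ahead of V1 even though its VPR is lower, because the override raises db01 to ACR 10 while the printer stays at 3.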

ACR Key Drivers


Tenable uses the following key drivers to calculate an asset's Tenable-provided ACR.

Note: Tenable does not customize these values for your organization; ACR key drivers reflect the global
threat landscape associated with the asset's characteristics.

Note: Running unauthenticated scans may result in limited or incomplete ACR key drivers.

Key Driver Types:

Key Driver | Description

device_type | The device type. For example:

l hypervisor — The device is a Type-1 hypervisor that hosts a virtual machine (e.g., Microsoft
Hyper-V, VMware ESX/ESXi, or Xen).

l printer — The device is a networked printer or a printing server.

device_capability | The device's business purpose. For example:

l file_server — The device is a server that provides file sharing services (e.g., an FTP, SMB,
NFS, or NAS server).

l mail_server — The device is a server designated for sending and receiving emails.

internet_exposure | The device's location on your network and proximity to the internet. For
example:

l internal — The device is located within your local area network (LAN), possibly behind a
firewall.

l external — The device is located outside your LAN and not behind a firewall.

ACR Device Capabilities:


Part of ACR device capabilities are defined by which software is installed on the target host.

Capability | Description | Software or Services

accounting_system | An accounting solution is installed on the target asset. | Intuit Quickbooks

backup_agent | A backup solution agent is installed on the target asset. | Amanda backup (agent)

analytics_system | A software solution for data analytics and reporting is installed on the target host. | QlikView; TIBCO Spotfire; IBM SPSS; SharePoint 2013; SOLR; Elasticsearch; Enterprise Search; Google Search Appliance; Lucene; SQL Server Reporting Services; Oracle BI publisher; SAP Business Object

backup_server | An enterprise backup solution is installed or running on the target host. | Acronis Backup; Quest NetVault; Unitrends Enterprise Backup; Veritas Backup Exec; Spectrum Protect (formerly Tivoli Storage Manager)

crm_system | A Customer Relation Management (CRM) solution is installed or running on the target host. | SugarCRM; Bitrix24 CRM; Siebel CRM

database_server | A database system is installed on the target host or a database server is running on the target host. | PostgreSQL; Microsoft SQL Server; MongoDB; Oracle Database; Db2 Hosted; Percona XtraDB Cluster; IBM Informix; PostgreSQL; Percona Server; MariaDB Cluster; MySQL; Microsoft SQL Server; SAP Adaptive Server Enterprise (ASE); MariaDB Server; SQLite; Apache Derby Network Server; SAP DB; Cogent Datahub Server

directory_server | The target asset is an authentication server. | McAfee Stonegate Authentication Server; Kerberos Ticketing Server; LDAP protocol; IBM Tivoli; Stonegate Auth Server

dns_server | A DNS server is running on the target asset. | DNS Service on Port 53

erp_system | An Enterprise Resource Planning Suite server is running or is installed on the target asset. | Microsoft Dynamics AX; Oracle E-Business Suite; SAP ERP; Microsoft Dynamics GP; SAP DB; SAPControl; SAP RMI-P4 Protocol Service; SAP Host Control; Apache OFBiz

erp_system_client | The target asset has installed a client software for accessing ERP systems. | SAP GUI

file_server | The target asset is used for file sharing purposes. The file sharing here is a narrow sense. SMB server is not considered as a file server in this classification. | WebCenter; ownCloud; Sharepoint; Oracle WebCenter Content; Sharepoint; FTP service; Apple File Protocol (AFP) service; Network File System (NFS) Server Detection

helpdesk_system | A help desk ticketing server is installed or running on the target asset. | SugarCRM; Track-It!; ServiceDesk Plus; OTRS; ManageEngine Service Desk

it_management_system | The target asset performs some types of IT management function. It can be IT infrastructure management, including managing a single or a group of devices or services, or IT service management such as software provisioning, device, or software repository management. | Application Insight; Solarwinds Server & Application Monitor; ManageEngine Application Performance Monitoring; System Center Operations Manager; Applications Manager-ManageEngine; ManageEngine Desktop Central; Ghost Solution Suite; ZENworks - Configuration Management; IBM BigFix; System Center Configuration Manager; CA Unified Infrastructure Management; Centreon; VMware vRealize Operations; OpManager; Nagios XI; SCOM; PRTG Network Monitor; Zabbix; SolarWinds Storage Resource Monitor; GroundWork Monitor; Pandora FMS; Tivoli Monitoring; OP5 Monitor; NetFlow Traffic Analyzer; PRTG Network Monitor; Cisco Prime Infrastructure; H3C Intelligent Management Center; ZENworks Asset Management; ManageEngine Desktop Central; Unified Endpoint Manager; Google Analytics; Cisco Prime Infrastructure; H3C Intelligent Management Center; HP 3PAR Management Server; Ghost Solution Suite; Fortigate Firewall Management Console; Barracuda Spam & Virus Firewall Management Web Console

mail_server | The target asset is a mail server. | IBM Domino; IMAP Service Detection; CCProxy SMTP Server Detection; SMTP Service Detection; POP Service Detection

pci | The target asset has PCI sensitive information. | PCI Plugin Fired

pci-target | The target asset is a PCI scan target. | "pci" Keyword Found in Scan Name

proxy_server | The target asset is a proxy server. | Oracle iPlanet Web Proxy Server; HTTP proxy Detected in Service Banner; McAfee Email Gateway

reverse_proxy_server | The target asset is a reverse proxy that directs external client requests to internal servers. A reverse proxy can be an ADC or a load-balancer. | NetApp SANtricity Web Services Proxy; Foreman Smart-Proxy TFTP

rnd_software | The target asset is for development purposes because product development software is installed on it. | Red Hat Mobile Application Platform; Application Testing Suite; Windows Visual Studio; AutoCAD; MAC OS Xcode IDE; Autodesk DWG TrueView Detection

scada | Software systems used for managing industrial processes are installed or running on the target asset. | AVEVA InduSoft Web Studio / InTouch Edge HMI TCP/IP Server; Trihedral VTScada Detection

upnp | The target asset supports UPnP. It is likely to be an appliance. | UPnP service detection

web_application_server | There is a web application server running or installed on the target asset. Having a web application server running on the target asset does not necessarily indicate its criticality. But it can hint criticality when used together with some properties, e.g. web application server + external + server device type = high criticality. | Geronimo; Resin; Tuxedo; Tomcat; Jetty; Red Hat OpenShift; Microsoft .NET Platform; Red Hat Jboss EAP; WebLogic Server; Magento; WebSphere Commerce; Cobalt; DNN Platform; Umbraco; Oracle WebCenter Sites; Glassfish; nginx; Microsoft IIS

Asset Exposure Score (AES)

Tenable calculates a dynamic AES for each asset on your network to represent the asset's relative
exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current ACR (Tenable-provided or custom) and the VPRs
associated with the asset.

AES Category AES Range

High 650 to 1000

Medium 350 to 649

Low 0 to 349

To view the AES for a specific asset, see View Assets.

Assessment Maturity Grade


Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

Assessment Maturity provides a high-level summary of how effectively you are scanning for
vulnerabilities on your licensed assets. Tenable calculates a dynamic Assessment Maturity grade
that represents your assessment scanning health as a letter grade between A and F. An A grade
indicates you are assessing your assets frequently and thoroughly.

Tenable provides an Assessment Maturity grade the first time you scan. Then, Tenable Vulnerability
Management automatically provides an updated Assessment Maturity grade daily.

Assessment Maturity Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

How is my Assessment Maturity calculated?

l For asset scores:
o Scan Frequency score — How often the asset was scanned within the last 90 days
o Scan Depth score — Whether or not the asset was in an authenticated scan within the last 90 days
o Assessment Maturity score — A calculation of (Scan Frequency score + Scan Depth score) / 2

l For a container/business context score:
o Scan Frequency score — the average of the asset Scan Frequency scores
o Scan Depth score — the average of the asset Scan Depth scores
o Assessment Maturity score — the average of the asset Assessment Maturity scores

Scan Depth Score

A high depth grade indicates you are running authenticated scans on these assets.

Depth Grade Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

Scan Frequency Score

Tenable calculates your frequency grade based on how often you scan assets on your network. A
high frequency grade indicates you are scanning your assets often.

Frequency Grade Letter Grade Numerical Range

A 75 to 100

B 55 to 74

C 30 to 54

D 15 to 29

F 0 to 14

To view your Assessment Maturity grade, depth grade, and frequency grade, see View Assessment
Maturity Details.

For more information about how long Tenable Vulnerability Management takes to calculate or
recalculate your Assessment Maturity grade, see Tenable Lumin Data Timing.
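
The asset-level and container-level Assessment Maturity calculation above, carried through to letter grades for two business-context tags. This is an added example, not Tenable code: the page does not say how the per-asset Scan Frequency and Scan Depth scores are derived, so they are taken as given inputs, and the asset names, tags, and scores are constructed. Treating each range's lower bound as the threshold for fractional scores is also an assumption.

```python
# Lower bounds from the letter-grade tables on this page (A 75, B 55, C 30, D 15, F 0).
GRADE_FLOORS = ((75, "A"), (55, "B"), (30, "C"), (15, "D"), (0, "F"))


def letter_grade(score):
    """Map a 0-100 score to a letter; fractional scores fall to the lower band."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, letter in GRADE_FLOORS:
        if score >= floor:
            return letter


def asset_maturity(frequency, depth):
    """Asset score: (Scan Frequency score + Scan Depth score) / 2."""
    return (frequency + depth) / 2


def average(values):
    values = list(values)
    return sum(values) / len(values)


def container_report(assets, tag):
    """Container score: averages of the member assets' three scores."""
    members = [a for a in assets if tag in a["tags"]]
    if not members:
        raise ValueError(f"no assets carry tag {tag!r}")
    frequency = average(a["frequency"] for a in members)
    depth = average(a["depth"] for a in members)
    maturity = average(asset_maturity(a["frequency"], a["depth"]) for a in members)
    return {
        "assets": len(members),
        "frequency": frequency,
        "frequency_grade": letter_grade(frequency),
        "depth": depth,
        "depth_grade": letter_grade(depth),
        "maturity": maturity,
        "grade": letter_grade(maturity),
        # Which component to improve first to raise the overall grade.
        "weakest": "depth" if depth < frequency else "frequency",
    }


# Constructed per-asset scores; names, tags, and values are illustrative only.
ASSETS = [
    {"name": "db01", "tags": {"Finance"}, "frequency": 90, "depth": 100},
    {"name": "web02", "tags": {"Finance", "DMZ"}, "frequency": 60, "depth": 0},
    {"name": "prn03", "tags": {"DMZ"}, "frequency": 20, "depth": 100},
    {"name": "hv04", "tags": {"DMZ"}, "frequency": 49, "depth": 100},
]

if __name__ == "__main__":
    for tag in ("Finance", "DMZ"):
        print(tag, container_report(ASSETS, tag))
```

The DMZ container averages about 54.83, just under the B threshold, so it grades C; its frequency score is what holds it back, while the Finance container is held back by web02 never having been in an authenticated scan.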

Remediation Maturity Grade


Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

Remediation Maturity provides a high-level summary of how effectively you are remediating
vulnerabilities on your licensed assets. Tenable calculates a dynamic Remediation Maturity grade
that represents your remediation health as a letter grade between A and F. An A grade indicates
you are remediating the vulnerabilities on your assets quickly and thoroughly.

Remediation Maturity Letter Grade    Numerical Range
A                                    75 to 100
B                                    55 to 74
C                                    30 to 54
D                                    15 to 29
F                                    0 to 14

Your Remediation Maturity grade is the combination of your remediation responsiveness grade and
your remediation coverage grade.

Tenable provides a Remediation Maturity grade the first time you remediate a vulnerability. Then,
Tenable Lumin automatically provides an updated Remediation Maturity grade daily.

Remediation Responsiveness Grade

Tenable calculates your remediation responsiveness grade based on how long it takes you to
remediate a vulnerability after it is first discovered (the First Seen date).

A high remediation responsiveness grade indicates you are quickly remediating the vulnerabilities
on your assets.

Remediation Responsiveness Letter Grade    Numerical Range
A                                          75 to 100
B                                          55 to 74
C                                          30 to 54
D                                          15 to 29
F                                          0 to 14

Remediation Coverage Grade

Tenable calculates your remediation coverage grade based on the percentage of remediated
vulnerabilities on your assets.

A high remediation coverage grade indicates you are remediating a high percentage of the
vulnerabilities on your assets.

Remediation Coverage Letter Grade    Numerical Range
A                                    75 to 100
B                                    55 to 74
C                                    30 to 54
D                                    15 to 29
F                                    0 to 14

To view your Remediation Maturity grade, remediation responsiveness grade, and remediation
coverage grade, see View Remediation Maturity Details.

For more information about how long Tenable Lumin takes to calculate or recalculate your
Remediation Maturity grade, see Tenable Lumin Data Timing.

Improve Your Tenable Lumin Metrics

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

If you want to improve the accuracy of your Tenable Lumin metrics and increase your overall
vulnerability management health, evaluate your Tenable-provided values and your scanning
strategy.

Important: Private findings are excluded from all scores in Tenable Lumin. For more information see
Findings.

To improve the accuracy of your Tenable Lumin metrics:

1. On the Assessment Maturity Details page, review your Assessment Maturity grade to evaluate
your overall scanning health.

Do any of the following, depending on what your data shows:

l Perform any actions described in the Recommended Actions widget.

l View details about your Assessment Maturity depth grade in the Depth Grade widget. If
necessary, improve your depth grade by increasing the number of plugins enabled in
your user-defined templates or scans, or by increasing the number of authenticated or
agent scans. For more information, see Configure Plugins in Tenable Vulnerability
Management Scans, Credentials in Tenable Vulnerability Management Scans, or Scan
Templates.

Better overall scanning health results in a higher Assessment Maturity score.

If you improve your Assessment Maturity score, you improve the accuracy of your Tenable-
provided ACR and VPR values. Then, more accurate ACR and VPR values improve the accuracy
of your AES and CES values.

2. In the Assets table, review your Tenable-provided ACR values to evaluate the
characterizations of the assets on your network. If the ACR values do not reflect the unique
infrastructure or needs of your organization, you can override them. For more information,
see Edit an ACR Manually.

More accurate ACR values improve the accuracy of your AES and CES values.

3. On the Remediation Maturity Details page, review your Remediation Maturity grade to evaluate
your overall vulnerability remediation health.

Do any of the following, depending on what your data shows:

l Perform any actions described in the Recommended Actions widget.

l View details about your Remediation Maturity remediation responsiveness grade in the
Remediation Responsiveness Grade widget. If necessary, improve your remediation
responsiveness grade by quickly remediating your most critical (highest VPR)
vulnerabilities. For more information, see View Recommended Actions.

l View details about your Remediation Maturity remediation coverage grade in the
Remediation Coverage Grade widget. If necessary, improve your remediation coverage
grade by increasing the number of vulnerabilities you remediate. For more information
on the assets with the most critical vulnerabilities, see the Vulnerability Priority Rating
(VPR) widget described in Vulnerability Management Dashboard.

Better overall remediation health results in a higher Remediation Maturity score.

Edit an ACR Manually

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required User Role: Administrator

You can customize an asset's Asset Criticality Rating (ACR) value to reflect the unique infrastructure
or needs of your organization. You can edit the ACR for a single asset independently or multiple
assets simultaneously.

Tip: Changes to an ACR value (and recalculations for your AES and CES values) take effect within 24 hours.

Tip: For information about how Tenable Vulnerability Management prioritizes manually overridden ACR
values, see Asset Criticality Rating (ACR).

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

To edit the ACR for a single asset:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. Do one of the following:

Location: Asset Details page
Action:
a. In the left navigation plane, in the Asset View section, click Assets.
   The Assets page appears.
b. Click an asset row.
   The Asset Details page appears.
c. In the Asset Criticality Rating section, click the button.
   The Tenable Lumin Edit Asset Criticality Rating plane appears.

Location: Assets page
Action:
a. In the left navigation plane, in the Asset View section, click Assets.
   The Assets page appears.
b. In the assets table, roll over the asset you want to edit.
c. Click the button.
d. Click the Edit ACR button.
   The Edit Asset Criticality Rating plane appears.

3. Do one of the following:

l To modify the ACR value, click or drag the Asset Criticality Rating slider to increase or
decrease the ACR.

l To reset an existing ACR value to the Tenable-provided ACR value, click Reset to
Tenable ACR.

4. (Optional) If you want to include a justification for your ACR change, in the Overwrite
Reasoning section, select one or more reasons.

For example, if an asset in your development lab environment received a Tenable-assigned
ACR appropriate for a more public asset, you could select Dev Only as the overwrite
reasoning.

5. (Optional) If you want to include a note about your ACR change, in the Notes section, type a
note.

6. Click Save.

Tenable Vulnerability Management saves the custom ACR.

To edit the ACR for multiple assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Cyber Exposure Score by Business Context/Tag widget, click the tag for which you
want to view asset details.

The Tenable Lumin Business Context/Tag Asset Details page appears, filtered by the tag you
selected.

4. Access the Assets page through the Asset Criticality Rating Breakdown widget, the Asset
Scan Distribution widget, or the Asset Scan Frequency widget, as described in View Business
Context/Tag Asset Details.

The Assets page appears, filtered by your widget selection.

5. In the table, select the check boxes next to the assets that you want to edit.

The action bar appears at the bottom of the page.

6. In the action bar, click the button.

The Tenable Lumin Edit Asset Criticality Rating plane appears.

7. Click and drag the Asset Criticality Rating slider to set the ACR.

8. (Optional) If you want to include a justification for your ACR change, in the Overwrite
Reasoning section, select one or more reasons.

9. (Optional) If you want to include a note about your ACR change, in the Notes section, type a
note.

10. Click Save.

Tenable Vulnerability Management saves the custom ACR for all selected assets.

Tenable Lumin Data Timing


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Run scans to generate vulnerability data for use in Tenable Lumin views.

• Time to Show Tenable Vulnerability Management Scan Result Data
• Time to Synchronize Data from Tenable Security Center
• Time to Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade

Time to Show Tenable Vulnerability Management Scan Result Data


Vulnerability data generated by Tenable Vulnerability Management scans appears in Tenable Lumin
views immediately upon scan completion.

Newly generated data does not immediately impact your Tenable Lumin metrics (for example, your
CES). Tenable requires more time to recalculate your metrics. For more information, see Time to
Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade.

Time to Synchronize Data from Tenable Security Center
Vulnerability and asset data synchronize differently to Tenable Vulnerability Management.

Data: Vulnerability data
Synchronization Method:
• Manual initial synchronization.
• Automatic subsequent synchronizations when new scan result data imports to your
  synchronized repositories.
Timing: After you initiate a synchronization, Tenable Security Center immediately begins
transferring data to Tenable Vulnerability Management. After 10-15 minutes, data begins
appearing in Tenable Vulnerability Management.
Newly transferred data does not immediately impact your Tenable Lumin metrics (for
example, your CES). Tenable requires up to 48 hours to recalculate your metrics.

Data: Asset data (tags in Tenable Vulnerability Management)
Synchronization Method: Manual (on-demand) synchronizations only.
Timing: All data and recalculated Tenable Lumin metrics appear in Tenable Vulnerability
Management within 48 hours.

For more information about Tenable Security Center synchronization, see Tenable One
Synchronization in the Tenable Security Center User Guide.

Time to Calculate or Recalculate Your CES, Assessment Maturity, or Remediation Maturity Grade
Tenable Lumin can take up to 24 hours to calculate or recalculate your metrics after any of the
following events:

l You run your first Tenable Vulnerability Management-configured scans after licensing Tenable
Lumin.

l You initiate your first Tenable Security Center synchronization after licensing Tenable Lumin.

l Tenable Vulnerability Management runs a scan.

l Tenable Security Center runs a scan that imports new data to a synchronized repository.

Tip: Tenable Vulnerability Management calculates Tenable Lumin metrics based on your licensed assets seen
in the last 90 days. If you change your scanning configuration (for example, you perform a recommended
action to increase your Assessment Maturity grade), your changes influence the next scheduled
recalculation, but take more time over the next 90 days to impact significantly and overhaul your metrics.

View the Tenable Lumin Dashboard


The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Tenable-provided Tenable Lumin dashboard visualizes exposure data for your organization. You
cannot customize the widgets on this Tenable-provided dashboard.

Important! Tenable One customers can access Tenable Lumin directly from the Workspace page.

To view summary data in the Tenable Lumin dashboard:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

Export the Tenable Lumin Dashboard Landing Page

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export the Tenable Lumin dashboard landing page.

To export the Tenable Lumin dashboard landing page:

1. View the Tenable Lumin dashboard.

2. In the upper-right corner, click Export.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Export a Widget from the Tenable Lumin Dashboard

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export individual widgets from the Tenable Lumin
dashboard.

Note: You cannot export the Cyber Exposure Score by Business Context widget.

To export a widget from the Tenable Lumin dashboard:

1. View the Tenable Lumin dashboard.

2. In the header of the widget you want to export, click the button.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Update the Tenable Lumin Industry Benchmark

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Larger organizations may have business units that span multiple industries, or that don't fit neatly
into one industry categorization. By selecting the most applicable industry benchmark in Tenable
Lumin, users can maximize the relevancy of their data and more accurately track how their Tenable
Lumin metrics compare with others across similar industries.

To update the Tenable Lumin industry benchmark:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the upper-right corner, click Configure.

The Configure plane appears.

4. In the Benchmark section, from the Industry drop-down, select the industry benchmark you
want to use across the Tenable Lumin dashboard.

5. Click Save.

An Industry Updated confirmation message appears, and Tenable Vulnerability Management
applies the new industry across the Tenable Lumin dashboard.

(Optional) To reset the Tenable Lumin industry benchmark:

1. On the Configure Industry plane, click Reset to Default.

A confirmation message appears.

2. Click Confirm.

An Industry Updated confirmation message appears, and Tenable Vulnerability Management
resets the industry back to the industry selected upon account creation.

Tenable Lumin Dashboard Widgets

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

The Tenable Lumin dashboard consists of the following widgets:

l Cyber Exposure Score

l Cyber Exposure Score Trend

l Actions to Reduce CES

l Assessment Maturity

l Remediation Maturity

l Cyber Exposure Alerts

l Mitigations

l Cyber Exposure Score by Business Context/Tag

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Cyber Exposure Score


How does your overall risk compare to other Tenable customers in your Salesforce industry and the
larger population?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the CES for your entire organization compared to Tenable customers in
your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

l View a visual representation of your CES compared to the average CES for Tenable customers
in your Salesforce industry and the larger population.

l View a summary statement about whether your CES recently increased or decreased.

l To view details about your CES, click your CES value.

The Tenable Lumin Cyber Exposure Score details panel appears. For more information, see
CES Details.

l Export the dashboard widget.

Cyber Exposure Score Trend


How has the overall risk for your entire organization changed over time?

Time Frame: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets for your entire organization

This widget graphs the increases and decreases to your CES and to the average CES for Tenable
customers in your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

l To view details about an industry or population CES value on a specific date, hover over a
point on the graph.

The hover text provides historical data about the CES.

l To view details about your CES value on a specific date, click a point on the You line.

The Tenable Lumin Cyber Exposure Score details plane appears. For more information, see
CES Details.

l To show or hide data for your organization, the industry, or the population, click the boxes in
the graph legend.

The system updates the widget to show or hide the data you selected.

l Export the dashboard widget.

Actions to Reduce CES


What would the impact be if you addressed all of your top 20 recommended actions?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the impact of your top 20 recommended actions.

In this widget, you can perform the following actions:

l View the expected CES reduction if you address all top 20 recommended actions.

l View the number of vulnerability instances you would eliminate if you addressed all top 20
recommended actions.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified
uniquely by plugin ID, port, and protocol.

l View the number of assets affected by your top 20 recommended actions.

l To view details about your top 20 recommended actions, click See Top Recommended
Actions.

The Tenable Lumin Recommended Actions page appears. For more information, see View
Recommended Actions.

l Export the dashboard widget.

Assessment Maturity

How frequently and thoroughly are you scanning your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the Assessment Maturity grade for your entire organization compared to
Tenable customers in your Salesforce industry and the larger population.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

In this widget, you can perform the following actions:

l View your Assessment Maturity grade compared to the average Assessment Maturity grade
for Tenable customers in your Salesforce industry and the larger population.

l View a summary statement about whether your Assessment Maturity grade recently increased
or decreased.

l To view historical details about your Assessment Maturity grade, hover over a point on the
graph.

The hover text provides historical data about the Assessment Maturity grade.

l To view more details about your Assessment Maturity grade, click More Details.

The Tenable Lumin Assessment Maturity page appears. For more information, see View
Assessment Maturity Details.

l Export the dashboard widget.

Remediation Maturity
How quickly and thoroughly are you remediating vulnerabilities on your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

This widget summarizes the Remediation Maturity grade for your entire organization compared to
Tenable customers in your Salesforce industry and the larger population.

In this widget, you can perform the following actions:

l View your Remediation Maturity grade compared to the average Remediation Maturity grade
for Tenable customers in your Salesforce industry and the larger population.

l View a summary statement about whether your Remediation Maturity grade recently
increased or decreased.

l To view historical details about your Remediation Maturity grade, hover over a point on the
graph.

The hover text provides historical data about the Remediation Maturity grade.

l To view more details about your Remediation Maturity grade, click More Details.

The Tenable Lumin Remediation Maturity page appears. For more information, see View
Remediation Maturity Details.

l Export the dashboard widget.

Cyber Exposure Alerts


What Tenable Research cyber security alerts should you be aware of?

Time Frame: 6 most recent alerts
Assets: Licensed assets for your entire organization

This widget shows the 6 most recent cyber security alerts provided by the Tenable research team.
Tenable Lumin provides further details about how many assets are potentially impacted and a link
to the Tenable blog post for the alert, where you can view further information and any required
responses.

Note: To maintain an accurate CVE count, Tenable Lumin does not include entries from Patch Tuesdays,
Oracle CPU, etc. as alerts within the Cyber Exposure Alerts widget.

To reduce noise within the Cyber Exposure Alerts widget, Tenable Lumin does not target specific
CVEs (i.e., from Patch Tuesday/Oracle CPU).

In this widget, you can perform the following actions:

l View cyber exposure alerts with one of the following severities:


o Information (Low) — The alert contains information that may be of interest, but does not
require an immediate response.
o Advisory (Medium) — The alert contains warning information and may require a
response.
o Response (Critical) — The alert requires an immediate response.

l To view the severity of the alert, a brief description, and the date on which the alert was
published, roll over one of the alerts in the widget.

l To view the percentage of your assets affected by the alert (assets where one of the CVEs
associated with the alert is present as a vulnerability on the asset), roll over one of the rows in
the Assets Affected column.

If an alert has a CVE but no assets are affected, or you have not yet scanned your assets for
the vulnerability, then the Assets Affected column shows a value of 0%. If no CVE is currently
assigned to the alert, then the Assets Affected column shows a value of Pending. Once
Tenable Vulnerability Management calculates the CVE for the alert, Tenable Lumin updates
the column with the appropriate value.

l To view your vulnerabilities by asset automatically filtered by the CVE associated with the
alert, click one of the percentages in the widget.

l To view the Tenable blog post about the exposure alert, click one of the alerts in the widget.

l To view the Trending Threats page for an alert, click one of the alerts in the widget.

l Export the dashboard widget.

Mitigations
How are endpoint protection agents distributed on your assets?

Time Frame: Past 90 days
Assets: Licensed assets for your entire organization

This widget summarizes the distribution of endpoint protection agents on your assets.

If you run an authenticated scan based on the Basic Network Scan template or Advanced Network
Scan template or an agent scan based on the Basic Agent Scan or Advanced Agent Scan template,
Tenable automatically enables the plugins required to detect mitigations present on your assets.
Tenable Lumin defines mitigations as endpoint protection agents, which include antivirus software,
Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

In this widget, you can perform the following actions:

l To view a list of assets in a Mitigations category, click one of the percentages in the widget.

The Assets page appears, filtered by licensed assets, the mitigations category you selected,
and the past 90 days. For more information, see View Assets.

Note: When accessing the Assets page from the Mitigations widget, you may see an asset count
notification at the top of the page. This notification indicates the number of assets you have
permission to view based on the access group to which you belong.

l To view details about the endpoint protection agents detected on your assets, click More
Details.

The Tenable Lumin Mitigations page appears. For more information, see View Mitigations
Details in Tenable Lumin.

l Export the dashboard widget.

Cyber Exposure Score by Business Context/Tag


How do assets with different tags (unique business context) compare?

Time Frame: Past 90 days
Assets: All licensed assets to which the selected tags apply

This widget summarizes data about the CES calculated for your entire organization and for assets
with specific business context tags.

In this widget, you can perform the following actions:

l View data for the assets with each tag.

l CES — The average CES for assets with the tag. A value of N/A indicates Tenable is
calculating your CES.

l CES Trend — A visual representation of your CES change over the past 180 days. A value
of N/A indicates Tenable is processing your CES data or that there are 0 assets with
this tag.

l 14 Day Trend — A summary of how the CES increased ( ) or decreased ( ) in the past 14
days. A value of N/A indicates Tenable is processing your CES data or that there are 0
assets with this tag.

l Assessment Maturity — The Assessment Maturity grade for assets with the tag. A value
of N/A indicates there are 0 licensed assets with the tag.

To view details about your Assessment Maturity grade for assets with a specific tag, in
the Assessment Maturity column, click the grade.

The Tenable Lumin Assessment Maturity page appears, filtered by the tag you selected.

l Remediation Maturity — The Remediation Maturity grade for assets with the tag.

To view details about your Remediation Maturity grade for assets with a specific tag, in
the Remediation Maturity column, click the grade.

The Tenable Lumin Remediation Maturity page appears, filtered by the tag you selected.
For more information, see View Remediation Maturity Details.

l Licensed Assets — The number of licensed assets with the tag.

l # Assets with High AES — The number of assets with the tag and a high AES.

l Reduce Tag CES — Your expected tag-level CES reduction if you resolve all the solutions
for assets with this specific tag. A value of N/A indicates your expected reduction is 5
or fewer. Typically, you cannot significantly reduce your CES if many assets were
scanned without authentication or if your assets are healthy and your risk is already low.

To view the recommended actions for assets with a specific tag, in the Reduce Tag CES
column, click See Actions.

The Tenable Lumin Recommended Actions page appears, filtered by licensed assets
and the tag you selected.

l To view details about the assets with a specific tag, click a row of the table.

The Tenable Lumin Business Context/Tag Asset Details page appears. For more information,
see View Business Context/Tag Asset Details.

l To modify the tags that appear in the widget:

1. Click the button.

2. Click the Configure button.

The widget editor plane appears.

3. Do one of the following:

l To reorder the tags in the widget:

a. Click and hold the button next to the tag you want to move.

b. Drag the tag to the new location.

c. Release the mouse button to drop the tag in the new location.

l To delete a tag from the widget, click the button.

l To add a tag to the widget, click the Add Tag button and specify the tag you
want to add.

This widget can show data for up to 25 tags.

4. Click Save.

Tenable Vulnerability Management refreshes the widget.

l To sort the table, see Tenable Vulnerability Management Tables.

View the CES Details Panel

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Use this page to browse CES details for your organization, or for assets with a specific business
context tag.

To view CES details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. Do one of the following:

l To view CES details for your entire organization:

a. Do one of the following:

l To view current CES details, in the Cyber Exposure Score widget, click the
CES value.

l To view historical CES details, in the Cyber Exposure Score Trend widget,

click a past point on the graph.

l To view CES details for assets with a specific business context tag:

a. In the Cyber Exposure Score by Business Context/Tag widget, click the tag for
which you want to view asset details.

The Tenable Lumin Business Context/Tag Asset Details page appears, filtered by
the tag you selected.

b. In the Cyber Exposure Score Trend widget, click a CES value.

The Tenable Lumin Cyber Exposure Score details plane appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

Section Timeframe Assets Action

- 191 -
Score Past 90 days Licensed l View the CES for your
assets entire organization and
the average CES for
other Tenable customers
in your Salesforce
industry and the larger
population.

l View the amount by


which the score for your
entire organization
increased ( ) or
decreased ( ) in the past
14 days.

Section: Change Factors for the Past 14 Days
Timeframe: Past 14 days
Assets: Licensed assets
Action:
• View the major events that contributed to your score change. Tenable Vulnerability Management groups the factors by the change type:
  ◦ CES Algorithm — Any changes related to the CES Algorithm Update. For more information, see the Lumin FAQ.
    Note: This section only appears if the algorithm update affected your CES score.
  ◦ Asset Composition Change — Asset license changes, assets depth changes, etc.
  ◦ Vulnerability Composition Change — Remediation of vulnerabilities, the discovery of new vulnerabilities, etc.
  ◦ Asset Exposure and ACR Change — Any changes to your AES or ACR.
• To view specific details about what changed, under any change factor group, click More Details.
  Tenable Lumin shows the amount by which specific drivers increased or decreased in the past 14 days.

Section: Assets (#)
  (Visible only when viewing current CES details)
Timeframe: All time
Assets: Licensed and unlicensed assets
Action:
• View the total number of assets.
• For each ACR category, view the following information:
  ◦ The percentage of assets with critical, high, medium, and low ACR values.
    Tip: The percentages do not total to 100% if any of your assets are unscored.
  ◦ The total number of assets with critical, high, medium, and low ACR values.
  ◦ If the number of assets with critical, high, medium, and low ACR values has increased or decreased in the past 14 days, the amount by which the percentage of assets and the total number of assets increased or decreased during that time.
• To view a list of assets in an ACR category, click a percentage.
  The Assets page appears, filtered by licensed assets and the ACR category you selected. For more information, see View Assets.

Section: Vulnerabilities (#)
  (Visible only when viewing current CES details)
Timeframe: All time
Assets: Licensed and unlicensed assets
Action:
• View the total number of vulnerabilities present on the assets.
• For each VPR category, view the following information:
  ◦ The percentage of vulnerabilities with critical, high, medium, and low VPR values.
    Tip: The percentages do not total to 100% if any of your assets are unscored.
  ◦ The total number of vulnerabilities with critical, high, medium, and low VPR values.
  ◦ If the number of vulnerabilities with critical, high, medium, and low VPR values increased or decreased in the past 14 days, the amount by which the percentage of vulnerabilities and the total number of vulnerabilities has increased or decreased during that time.
• To view a list of vulnerabilities in a VPR category, click a percentage.
  The Vulnerabilities page appears, filtered by licensed assets and the VPR category you selected. For more information, see View Vulnerabilities by Plugin.

View Assessment Maturity Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable calculates a dynamic Assessment Maturity grade that represents your overall scanning
depth and frequency. For more information, see Assessment Maturity.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

To view Assessment Maturity details for all assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Assessment Maturity.

The Assessment Maturity page appears and, by default, shows details for your entire
organization.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget Timeframe Assets Action

Section or Widget: Summary
Timeframe: Past 90 days
Assets: Licensed assets
Action: This section summarizes your Assessment Maturity grade, compared to Tenable customers in your Salesforce industry and the larger population.
• View a visual representation of your Assessment Maturity compared to the average Assessment Maturity for Tenable customers in your Salesforce industry and the larger population.
• To view a list of your licensed assets impacting your Assessment Maturity, click <count> Licensed Assets.
  The Assets page appears, filtered by licensed assets and the past 90 days. For more information, see View Assets.
• To view a list of your unlicensed assets that do not impact your Assessment Maturity, click <count> Not Licensed.
  The Assets page appears, filtered by unlicensed assets and the past 90 days. For more information, see View Assets.

Section or Widget: Maturity Score Trend
  How is your Assessment Maturity grade changing over time?
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets
Action: This widget graphs the increases and decreases to your Assessment Maturity grade and to the average Assessment Maturity grade for Tenable customers in your Salesforce industry and the larger population.
• To view details about an Assessment Maturity grade on a specific date, hover over a point on the graph.
  The hover text provides historical data about the Assessment Maturity grade.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Recommended Actions
  What general actions can you take to improve your scanning health?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget provides Tenable-recommended best practices to improve your scanning health.
• Review your recommended best practices.
• To take action, click the link next to the description.

Section or Widget: Depth Grade
  Are you scanning your assets thoroughly enough?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Assessment Maturity depth grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
• View a visual representation of your depth grade compared to the average depth grade for Tenable customers in your Salesforce industry and the larger population.
• View a summary statement about whether your depth grade recently increased or decreased.

Section or Widget: Authentication Coverage
  How often are you performing authenticated scans?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs your percentage of assets scanned with authentication and without authentication, compared to Tenable customers in your Salesforce industry and the larger population. You can optimize your authentication coverage by ensuring you scan with successful authentication so that all plugins run on your assets.
• View a visual representation of your authentication coverage compared to the average depth grade for Tenable customers in your Salesforce industry and the larger population.
• To view details, hover over a scan type cluster on the graph.
  The hover text provides data about the scan type.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Frequency Grade
  Are you scanning your assets frequently enough?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Assessment Maturity frequency grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
Tip: Tenable calculates your frequency grade based on how often you scan assets on your network.
• View a visual representation of your frequency grade compared to the average frequency grade for Tenable customers in your Salesforce industry and the larger population.
• View a summary statement about whether your frequency grade recently increased or decreased.

Section or Widget: Scan Cycle
  How much time passes between your scans?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes your average scan frequency, in days, compared to Tenable customers in your Salesforce industry and the larger population. Your scan cycle is the average number of days between scans for your assets.

Section or Widget: Asset Scan Frequency
  How often are you scanning your assets?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the percentage of your assets that Tenable Vulnerability Management scans daily, weekly, monthly, and quarterly, compared to Tenable customers in your Salesforce industry and the larger population.
• To view details about a scan frequency for a specific date range, hover over a point on the graph.
  The hover text provides data about the scan frequency.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

View Remediation Maturity Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable calculates a dynamic Remediation Maturity grade that represents your overall vulnerability
remediation responsiveness and coverage. For more information, see Remediation Maturity.

Important: Your Assessment Maturity and Remediation Maturity scores may have recently changed due to
data migration and algorithm changes within Tenable Lumin. This is expected behavior. For more
information, contact your Tenable representative.

To view Remediation Maturity details for all assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Remediation Maturity.

The Remediation Maturity page appears.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget Timeframe Assets Action

Section or Widget: Summary
Timeframe: Past 90 days
Assets: Licensed assets
Action: This section summarizes your Remediation Maturity grade, compared to Tenable customers in your Salesforce industry and the larger population.
• View a visual representation of your Remediation Maturity compared to the average Remediation Maturity for Tenable customers in your Salesforce industry and the larger population.
• To view a list of your licensed assets impacting your Remediation Maturity grade, click <count> Licensed Assets.
  The Assets page appears, filtered by licensed assets and the past 90 days. For more information, see View Assets.
• To view a list of your unlicensed assets that do not impact your Remediation Maturity grade, click <count> Not Licensed.
  The Assets page appears, filtered by unlicensed assets and the past 90 days. For more information, see View Assets.

Section or Widget: Maturity Score Trend
  How is your Remediation Maturity grade changing over time?
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets
Action: This widget graphs the increases and decreases to your Remediation Maturity grade and to the average Remediation Maturity grade for Tenable customers in your Salesforce industry and the larger population.
• To view details about a Remediation Maturity grade on a specific date, hover over a point on the graph.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Recommended Actions
  What general actions can you take to improve your remediation health?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget provides Tenable-recommended best practices to improve your remediation health.
• Review your recommended best practices.
• To take action, click the link in the description.

Section or Widget: Remediation Responsiveness Grade
  How quickly are you remediating vulnerabilities?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Remediation Maturity remediation responsiveness grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
• View a visual representation of your remediation responsiveness grade compared to the average remediation responsiveness grade for Tenable customers in your Salesforce industry and the larger population.
• View a summary statement about whether your remediation responsiveness grade recently increased or decreased.

Section or Widget: Average Remediation Time Since Discovery
  How long does it take you to remediate a vulnerability after it is first discovered (the First Seen date)?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average time, in days, you took to remediate vulnerabilities in each VPR category after the vulnerability was first discovered, compared to Tenable customers in your Salesforce industry and the larger population.
• To view details about the average time for a specific VPR category, hover over a point on the graph.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Average Remediation Time Since Publication
  How long does it take you to remediate a vulnerability after a plugin is first made available (the Plugin Publication date)?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average time, in days, you took to remediate vulnerabilities in each VPR category after a plugin was first made available, compared to Tenable customers in your Salesforce industry and the larger population.
• To view details about the average time for a specific VPR category, hover over a point on the graph.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Remediation Coverage Grade
  How thoroughly are you remediating vulnerabilities?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget summarizes the Remediation Maturity remediation coverage grade for your entire organization, compared to Tenable customers in your Salesforce industry and the larger population.
• View a visual representation of your remediation coverage grade compared to the average remediation coverage grade for Tenable customers in your Salesforce industry and the larger population.
• View a summary statement about whether your remediation coverage grade recently increased or decreased.

Section or Widget: Remediation Coverage
  What percentage of your vulnerabilities are remediated?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the percentage of your vulnerabilities that are remediated (fixed) in each VPR category, compared to Tenable customers in your Salesforce industry and the larger population.
• To view details about the percentage for a specific VPR category, hover over a point on the graph.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Average Vulnerabilities Per Asset
  How many vulnerabilities, on average, are present on an asset?
Timeframe: Past 90 days
Assets: Licensed assets
Action: This widget graphs the average number of vulnerabilities (active, fixed, or resurfaced) in each VPR category present on your assets, compared to Tenable customers in your Salesforce industry and the larger population.
• To view details about the count for a specific VPR category, hover over a point on the graph.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

View Business Context/Tag Asset Details

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use this page to view details about assets with a specific business context tag.

Before you begin:

• Add tags to assets, as described in Add a Tag to an Asset.

To view business context tag asset details:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Business Context.

The Business Context/Tag Asset Details page appears.

3. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section or Widget Timeframe Assets Action

Section or Widget: Tag summary
Timeframe: All time
Assets: Licensed and unlicensed assets with the tag applied
Action:
• View the name of the tag.
• View the CES calculated for assets with the tag.

Section or Widget: Cyber Exposure Score Trend
  How has the overall risk for this business context changed over time?
Timeframe: Past 90 days at each point on the graph, recalculated daily
Assets: Licensed assets with the tag applied
Action: This widget graphs the increases and decreases to your tag-specific CES compared to the average organization-wide CES for Tenable customers in your Salesforce industry and the larger population.
Note: Newly added tags may take up to 14 days before displaying CES trending information.
• To view details about an organization-wide industry or population CES value on a specific date, hover over a point on the graph.
  The hover text provides historical data about the CES.
• To view details about your tag-specific CES value on a specific date, click a point on the You line.
  The Tenable Lumin Cyber Exposure Score details plane appears. For more information, see CES Details.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.

Section or Widget: Asset Distribution by Asset Exposure Score (AES)
  How exposed are my assets?
Timeframe: Past 90 days
Assets: Licensed assets with the tag applied and shared with your user account via access groups
Action: This widget summarizes the number of vulnerabilities in each AES category.
• To view the recommended solutions for an AES category, click one of the <Category> AES Solutions links.
  The Solutions page appears, filtered by the tag, licensed assets, and the AES category you selected. For more information, see View Solutions.
• To view the recommended solutions for all assets, click the All Solutions link.
  The Solutions page appears, filtered by the tag and licensed assets. For more information, see View Solutions.

Section or Widget: Asset Criticality Rating Breakdown
  How critical are my assets?
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget visualizes the percentage of your assets in each ACR category.
• View the total number of scanned assets on your network.
• View the percentage of assets in each category: Critical, High, Medium, Low, and Unclassified.
• To view a list of assets, click a category on the graph.
  The Assets page appears, filtered by the tag, licensed assets seen in the past 90 days, and the ACR category you selected. For more information, see View Assets.

Section or Widget: Asset Scan Distribution
  What percentage of your assets are scanned with different methods?
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget summarizes your asset scan distribution during the past 90 days.
Authenticated Scans are run by a non-agent scanner with credentialed scanning configured. Agent Scans are run by agent scanners. All other scans are Unauthenticated Scans.
• View the total number of assets scanned on your network in the past 90 days.
• View the percentage of assets where the system performed authenticated, unauthenticated, or agent scans in the past 90 days.
• View the percentage of assets the system has not scanned in the past 90 days.
• To filter the data displayed in the widget, roll over the widget and click the button. Click the desired filter.
  Tenable Vulnerability Management refreshes the widget.
• To view the assets list, click a scan category.
  The Assets page appears, filtered by the tag, licensed assets seen in the past 90 days, the scan type you selected, and the ACR category filter applied to the widget. For more information, see View Assets.

Section or Widget: Asset Scan Frequency
  How often are you scanning your assets?
Timeframe: Past 90 days
Assets: Licensed and unlicensed assets with the tag applied
Action: This widget visualizes the percentage of assets scanned on your network during periods in the past 90 days, compared to others in your Salesforce industry and the population.
• View the percentage of assets scanned on your network at Daily, Weekly, Monthly, or Quarterly intervals.
• To show or hide data for your organization, the industry, or the population, click the boxes in the graph legend.
  The system updates the widget to show or hide the data you selected.
• To filter the data displayed in the widget, roll over the widget and click the button. Click the desired filter.
  Tenable Vulnerability Management refreshes the widget.
• To view the assets list, click a bar on the graph.
  The Assets page appears, filtered by the tag, licensed assets, the time period you selected, and the ACR category filter applied to the widget. For more information, see View Assets.

View Mitigations Details in Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

If you run an authenticated scan based on the Basic Network Scan template or Advanced Network
Scan template or an agent scan based on the Basic Agent Scan or Advanced Agent Scan template,
Tenable automatically enables the plugins required to detect mitigations present on your assets.
Tenable Lumin defines mitigations as endpoint protection agents, which include antivirus software,
Endpoint Protection Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

Then, you can use Tenable Lumin Mitigations data to assess whether your assets are covered
properly with the endpoint protection agent software.

You must enable certain plugins in your authenticated and agent scans to detect endpoint
protection agents on your assets. For more information, see Plugins for Mitigation Detection.

Before you begin:


• Enable the required plugins in your scans.

• Run your scans before checking the Mitigations page.

To view a list of endpoint protection agents on your assets:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Mitigations widget, click More Details.

The Tenable Lumin Mitigations page appears.

Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability Management
instance.

Section Action

Section: Exports button
Action: Download previously generated export files.

Section: Date range selector
Action: Change the date range for the mitigations table. For more information, see Tenable Vulnerability Management Tables.

Section: Filters box
Action: Filter the data displayed in the mitigations table.

Section: Search box
Action: Search the mitigations table by product name. For more information, see Tenable Vulnerability Management Tables.

Section: Mitigations table
Action: In this table, you can:
• View information about each endpoint protection agent.
  ◦ Product Name — The name of the endpoint protection agent.
  ◦ Vendor Name — The name of the vendor that maintains the endpoint protection agent.
  ◦ All Assets — The total number of assets with the endpoint protection agent present.
  ◦ Critical Assets — The total number of Critical ACR assets with the endpoint protection agent present.
  ◦ High Assets — The total number of High ACR assets with the endpoint protection agent present.
  ◦ Version — The version of the endpoint protection agent.
  ◦ Last Detected — The date that a scan last detected the endpoint protection agent on an asset.
• Sort, increase or decrease the number of rows per page, or navigate to another page of the table. For more information, see Tenable Vulnerability Management Tables.
• Export mitigations.
• To view a list of assets with a specific endpoint protection agent present, click the asset count in the appropriate column:
  ◦ All Assets to view all assets regardless of the asset ACR
  ◦ Critical Assets to view Critical ACR assets
  ◦ High Assets to view High ACR assets
  The Assets page appears, filtered by licensed assets, ACR severity, the mitigation product name, the mitigation vendor name, the mitigation version, and the past 90 days. For more information, see View Assets.

Plugins for Mitigation Detection

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

To detect mitigations, you must enable the following plugins in your scan.

Tip: Tenable Vulnerability Management enables these plugins automatically in the following Tenable-
provided scan templates: Advanced Network Scan, Basic Network Scan, Advanced Agent Scan, Basic
Agent Scan.

ID Name

12107 McAfee Antivirus Detection and Status

16192 Trend Micro Antivirus Detection and Status

20283 Panda Antivirus Detection and Status

20284 Kaspersky Anti-Virus Detection and Status

21162 Spybot Search & Destroy Detection

21608 NOD32 Antivirus Detection and Status

21725 Symantec Antivirus Software Detection and Status

21726 Webroot SpySweeper Enterprise Detection

24232 BitDefender Antivirus Detection and Status

52668 F-Secure Anti-Virus Detection and Status

54845 Sophos Anti-Virus for Mac OS X Detection

54846 Sophos Anti-Virus Detection and Status (Mac OS X)

56567 Mac OS X XProtect Detection

56568 Mac OS X XProtect Installed

58580 Trend Micro ServerProtect Detection and Status (credentialed check)

67119 McAfee ePolicy Orchestrator Installed (credentialed check)

68997 Check Point ZoneAlarm Detection and Status

74038 McAfee VirusScan Enterprise for Linux Detection and Status

84432 AVG Internet Security Detection

87777 Avast Antivirus Detection and Status

87923 McAfee Application Control / Change Control Installed

87955 McAfee Agent Detection

87989 McAfee Agent Detection (Linux/MacOS)

88598 Symantec Endpoint Protection Installed (Unix Credentialed Check)

95470 McAfee Host Intrusion Prevention Installed

100131 McAfee Security Scan Plus Detection

106757 CylancePROTECT Detection

106758 CylancePROTECT Detection (Mac OS X)

112279 Windows Defender Advanced Threat Protection Installed (Windows)

124366 McAfee Endpoint Security and Module Detection

131023 Windows Defender Installed

131725 Sophos Anti-Virus Installed (Windows)

133843 VMware Carbon Black Cloud Endpoint Standard Installed (Windows)

133962 Sophos Anti-Virus Installed (Linux)

134216 VMware Carbon Black Cloud Endpoint Standard Installed (macOS)

134871 Trend Micro Apex One Server Installed (Windows)

135408 Trend Micro Deep Security Agent Installed (Linux)

135409 Trend Micro Deep Security Agent Installed (Windows)

136760 BitDefender Endpoint Security Tools Status (Windows)

136761 BitDefender Endpoint Security Tools Detection (Windows)

138209 Symantec Critical System Protection/Data Center Security Agent (Windows)

138853 F-Secure PSB Computer Protection (Windows)

139913 Check Point Endpoint Security SandBlast Agent Installed (Windows)

139918 ClamAV Installed (Linux)

140633 CrowdStrike Falcon Sensor Installed (Windows)

152356 Cybereason Endpoint Agent Installed (Windows)

Export Mitigations

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can export a list of mitigations and affected assets, if needed, to share the data with others in
your organization.

To export mitigations and affected assets:

1. View mitigation details for your organization.

2. In the mitigations table, select the check boxes next to the mitigation or mitigations that you
want to include in the export file.

The action bar appears at the top of the table.

3. In the action bar, click Export.

The Tenable Lumin mitigations Export plane appears.

4. In the Type section, click the type of export you want to perform.

   • CSV - Mitigations — A single .csv file that includes the mitigations you selected.

   • CSV - Mitigations & Assets Affected — Two .csv files that include the mitigations you selected and the assets affected where those mitigations are present.

The export begins and Tenable Vulnerability Management downloads the export as a tar.gz
package. For more information about the data in the export files, see Mitigations Export File
Contents.

What to do next:
• To download previously exported mitigation data, see View and Download Exported Mitigations.

Mitigations Export File Contents

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can export mitigations from the Mitigations page. Your export files contain the following data.

Export Field Description

mitigations_summary.csv — the Mitigations file

product_name The name of the endpoint protection agent.

vendor_name The name of the vendor that maintains the endpoint protection agent.

all_assets The total number of assets with the endpoint protection agent
present.

critical_assets The total number of Critical ACR assets with the endpoint protection
agent present.

high_assets The total number of High ACR assets with the endpoint protection
agent present.

version The version of the endpoint protection agent.

last_detected The date that a scan last detected the endpoint protection agent on an
asset.

mitigations_detail.csv — the Affected Assets file

product_name The name of the endpoint protection agent.

vendor_name The name of the vendor that maintains the endpoint protection agent.

version The version of the endpoint protection agent.

last_detected The date that a scan last detected the endpoint protection agent on an
asset.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

acr_score The asset's ACR.

acr_severity The ACR category of the ACR calculated for the asset.

aes_score The AES for the asset.

aes_severity The AES category of the AES calculated for the asset.
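
The Affected Assets file described above supports a quick coverage review. The following Python script is an added example, not part of the Tenable guide or Tenable's own code: it reads mitigations_detail.csv from the tar.gz export, lists Critical and High ACR assets whose most recent agent detection is older than a threshold, and counts assets per agent version. It assumes the CSV header row uses the field names in the table, that last_detected is an ISO 8601 date, and that acr_severity holds the category name; the sample rows are constructed.

```python
import csv
import io
import tarfile
from collections import defaultdict
from datetime import date, datetime, timedelta

DETAIL_NAME = "mitigations_detail.csv"  # Affected Assets file name from the guide


def read_detail_rows(tar_bytes):
    """Return mitigations_detail.csv rows from a tar.gz export held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Match on the base name and read in memory; nothing is extracted to disk.
            if member.isfile() and member.name.rsplit("/", 1)[-1] == DETAIL_NAME:
                text = tar.extractfile(member).read().decode("utf-8-sig")
                return list(csv.DictReader(io.StringIO(text)))
    raise FileNotFoundError(DETAIL_NAME + " not found in export")


def parse_day(value):
    """Assumption: last_detected is an ISO 8601 date or date-time."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00")).date()


def stale_agents(rows, today, max_age_days=30, severities=("critical", "high")):
    """Assets in the given ACR categories whose newest detection is older than max_age_days."""
    newest = {}
    for row in rows:
        if row["acr_severity"].strip().lower() not in severities:
            continue
        seen = parse_day(row["last_detected"])
        current = newest.get(row["asset_uuid"])
        # Keep only the most recent detection per asset, across all agents.
        if current is None or seen > current[0]:
            newest[row["asset_uuid"]] = (seen, row["hostname"], row["product_name"])
    cutoff = today - timedelta(days=max_age_days)
    return sorted((host, product, seen.isoformat())
                  for seen, host, product in newest.values() if seen < cutoff)


def version_spread(rows):
    """Map (vendor_name, product_name) to {version: number of distinct assets}."""
    assets = defaultdict(lambda: defaultdict(set))
    for row in rows:
        key = (row["vendor_name"], row["product_name"])
        assets[key][row["version"]].add(row["asset_uuid"])
    return {key: {ver: len(ids) for ver, ids in versions.items()}
            for key, versions in assets.items()}


def build_sample_export():
    """Constructed sample rows, packaged as a tar.gz like the export the guide describes."""
    lines = [
        "product_name,vendor_name,version,last_detected,asset_uuid,hostname,"
        "ipv4,operating_system,acr_score,acr_severity,aes_score,aes_severity",
        "Example EDR,Example Vendor,7.1,2024-06-18,uuid-0001,db01,192.0.2.10,Linux,9,Critical,810,High",
        "Example EDR,Example Vendor,7.1,2024-04-02,uuid-0002,web01,192.0.2.11,Linux,8,High,640,Medium",
        "Example EDR,Example Vendor,6.9,2024-03-15,uuid-0003,hr-laptop,192.0.2.12,Windows,4,Medium,300,Low",
        "Example AV,Other Vendor,12.0,2024-02-01,uuid-0001,db01,192.0.2.10,Linux,9,Critical,810,High",
        "Example AV,Other Vendor,12.0,2024-05-01,uuid-0004,dc01,192.0.2.13,Windows,10,Critical,900,High",
    ]
    data = ("\n".join(lines) + "\n").encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(DETAIL_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    rows = read_detail_rows(build_sample_export())
    for host, product, seen in stale_agents(rows, today=date(2024, 6, 20)):
        print(f"{host}: newest agent detection {seen} ({product})")
    for (vendor, product), versions in version_spread(rows).items():
        print(f"{vendor} / {product}: {versions}")
```

The export lists only assets where an endpoint protection agent was detected, so assets with no agent at all must be found by comparing these asset_uuid values against your full asset list.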

View and Download Exported Mitigations

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

After you export mitigation or affected assets files, you can view and download them. You cannot
view or download export files generated by other users.

Before you begin:


• Export a mitigation or affected assets file.

To view and download mitigation and affected asset export files:

1. View mitigation details for your organization.

2. In the upper-right corner of the page, click Export.

The Tenable Lumin mitigations Export plane appears.

3. In the exports table, click the row for the export you want to download.

Tenable Vulnerability Management downloads the export file as a tar.gz package. For
information about the data in the export files, see Mitigations Export File Contents.

View Recommended Actions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable provides a list of top recommended actions (solutions) for assets on your network,
regardless of your access group permissions. You can identify solutions, then drill into the solution
details to understand the steps to address the vulnerability on your network.

To generate the top recommended actions, Tenable Lumin looks for the plugins that, if remediated
for all licensed assets, have the biggest effect on your CES. If plugins are related, remediating one
may affect other plugins.

Addressing vulnerabilities on your network lowers your CES and AES metrics.

To view the top recommended solutions for all assets on your network:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Lumin.

The Lumin dashboard appears.

3. In the Actions to Reduce CES widget, click See Top Recommended Actions.

The Tenable Lumin Recommended Actions page appears. The table sorts your top solutions
(up to 20) by VPR category (Critical to Low) and then by decreasing Assets Affected.

4. (Optional) To change the tag filter applied to the page, in the upper left corner, select a tag
from the drop-down list.

Tenable Lumin filters the page by the tag you selected.

Section Action

Summary bar
View summary statistics about the expected impact if you address all the
solutions in the Recommended Actions table.

• Expected CES reduction if you resolve all the top solutions.

• Number of vulnerability instances eliminated by the top solutions.

  Tip: A vulnerability instance is a single instance of a vulnerability
  appearing on an asset, identified uniquely by plugin ID, port, and
  protocol.

• Number of assets affected by the top solutions.

Recommended Actions table
• View information about each solution.

  • Solution — A description for the solution.

  • Licensed Assets — The total number of assets affected by
    the vulnerabilities addressed by the solution.

  • CVEs — The number of individual Common Vulnerabilities and
    Exposures (CVEs) addressed by the solution.

  • CVE Instances — The total number of Common Vulnerabilities
    and Exposures (CVEs), including duplicates, addressed by the
    solution.

  • Exploit Code Maturity — The key driver value for the highest
    VPR for the vulnerabilities addressed by the solution.

  • VPR — The highest VPR for the vulnerabilities addressed by
    the solution.

  • CVSS — The highest CVSSv2 score (or CVSSv3 score, when
    available) for the vulnerabilities addressed by the solution.

• To view details for a solution, click a solution row.

  The Solution Details page appears. For more information, see View
  Solution Details.

• To export solution data, see Export Recommended Actions.

Export Recommended Actions

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can export a list of recommended actions (solutions) and affected assets, if needed, to share
the data with others in your organization.

To export recommended actions and affected assets:

1. Navigate to the Tenable Lumin Recommended Actions page, as described in View
Recommended Actions.

The Tenable Lumin Recommended Actions page appears.

2. In the table, select the check boxes next to the recommended actions that you want to
include in the export file.

The action bar appears at the top of the table.

3. In the action bar, click Export.

The Exports plane appears.

4. In the CSV section, select the check box for the recommended action data you want to
export:

• Solutions — A .csv file that includes the recommended actions you selected. This check
  box is selected by default.

• Details — A .csv file that includes the recommended actions you selected as well as
  additional details about those solutions.

The export begins and Tenable Vulnerability Management downloads the export as a tar.gz
package. For information about the data in the export files, see Recommended Actions Export
File Contents.

Recommended Actions Export File Contents

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

You can export recommended actions (solutions) from two recommended action pages. The export
contents from each page are unique to that page.

Recommended Actions Export for a Group of Assets
If you export recommended actions and assets affected files from the Recommended Actions page
for a group of assets, your export files contain the following data.

Export Field Description

detail.csv — the Assets Affected file

solution_id The solution's UUID.

solution_title A description for the solution.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

cve_count The number of vulnerabilities on this asset addressed by the solution.

cve_instance_count The total number of vulnerability instances on this asset addressed by the
solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an
asset, identified uniquely by plugin ID, port, and protocol.

solution.csv — the Selected Actions file

solution_id The solution's UUID.

solution_title A description for the solution.

assets_affected The total number of assets affected by the vulnerabilities addressed by the
solution.

cve_count The total number of vulnerabilities addressed by the solution.

vpr The highest VPR for the vulnerabilities addressed by the solution.

cvss The highest CVSSv2 score (or CVSSv3 score, when available) for the
vulnerabilities addressed by the solution.

Recommended Actions Export for All Assets


If you export recommended actions and assets affected files from the Recommended Actions page
for all assets, your export files contain the following data.

Export Field Description

detail.csv — the Assets Affected file

solution_id The solution's UUID.

solution_title A description for the solution.

asset_uuid The asset's UUID.

hostname The asset's hostname.

ipv4 The asset's IPv4 address.

operating_system The asset's operating system.

acr_score The asset's ACR.

acr_severity The ACR category of the ACR calculated for the asset.

aes_score The AES for the asset.

aes_severity The AES category of the AES calculated for the asset.

vuln_count The number of vulnerabilities on this asset addressed by the solution.

vuln_instance_count The total number of vulnerability instances on this asset addressed by the
solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on
an asset, identified uniquely by plugin ID, port, and protocol.

summary.csv — the Selected Actions file

solution The solution's UUID.

summary A description for the solution.

assets_affected The total number of assets affected by the vulnerabilities addressed by
the solution.

vulnerabilities The total number of vulnerabilities addressed by the solution.

exploit_code_maturity The key driver value for the highest VPR for the vulnerabilities addressed
by the solution.

vpr The highest VPR for the vulnerabilities addressed by the solution.

cvss The highest CVSSv2 score (or CVSSv3 score, when available) for the
vulnerabilities addressed by the solution.
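
The following Python example is added here for illustration and is not part of the Tenable guide or Tenable's own tooling. It reads the summary.csv and detail.csv files described above directly from a downloaded tar.gz package without unpacking it to disk, joins them on the solution UUID (named solution in one file and solution_id in the other), and orders the result by VPR category and then by decreasing assets affected, as the Recommended Actions table does. Assumptions: the CSV header row uses the documented field names, the VPR category floors are as coded, the files may sit in a subdirectory of the package, and every sample row is constructed.

```python
import csv
import io
import tarfile

# Assumption: VPR category floors (Critical 9.0+, High 7.0+, Medium 4.0+, else Low).
VPR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]

# Constructed sample rows in the documented column layout; not real export output.
SUMMARY_CSV = (
    "solution,summary,assets_affected,vulnerabilities,exploit_code_maturity,vpr,cvss\n"
    "00000000-0000-0000-0000-00000000000a,Upgrade example-httpd,2,5,High,9.4,9.8\n"
    "00000000-0000-0000-0000-00000000000b,Apply example OS rollup,3,12,PoC,7.1,7.5\n"
    "00000000-0000-0000-0000-00000000000c,Upgrade example-db,1,2,Unproven,9.8,10.0\n"
)
DETAIL_CSV = (
    "solution_id,solution_title,asset_uuid,hostname,ipv4,operating_system,"
    "acr_score,acr_severity,aes_score,aes_severity,vuln_count,vuln_instance_count\n"
    "00000000-0000-0000-0000-00000000000a,Upgrade example-httpd,asset-1,web01,192.0.2.10,Linux,7,High,710,High,3,4\n"
    "00000000-0000-0000-0000-00000000000a,Upgrade example-httpd,asset-2,db01,192.0.2.20,Linux,9,Critical,840,Critical,2,2\n"
    "00000000-0000-0000-0000-00000000000b,Apply example OS rollup,asset-1,web01,192.0.2.10,Linux,7,High,710,High,6,6\n"
    "00000000-0000-0000-0000-00000000000b,Apply example OS rollup,asset-3,app01,192.0.2.30,Linux,5,Medium,455,Medium,6,8\n"
    "00000000-0000-0000-0000-00000000000c,Upgrade example-db,asset-2,db01,192.0.2.20,Linux,9,Critical,840,Critical,2,3\n"
)


def vpr_category(score):
    """Map a numeric VPR to its category using the assumed floors above."""
    for floor, name in VPR_BANDS:
        if score >= floor:
            return name
    return "Low"


def read_export(fileobj, wanted=("summary.csv", "detail.csv")):
    """Parse the wanted CSV members in memory; nothing is written to disk."""
    tables = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or name not in wanted:
                continue  # ignore links, directories and unexpected members
            text = tar.extractfile(member).read().decode("utf-8-sig")
            tables[name] = list(csv.DictReader(io.StringIO(text)))
    missing = [n for n in wanted if n not in tables]
    if missing:
        raise ValueError(f"export package is missing {missing}")
    return tables


def rank_solutions(tables):
    """Join summary.csv to detail.csv and order by VPR category, then assets affected."""
    order = {name: i for i, (_, name) in enumerate(VPR_BANDS)}
    assets = {}
    for row in tables["detail.csv"]:
        assets.setdefault(row["solution_id"], []).append(row)
    ranked = []
    for row in tables["summary.csv"]:
        # summary.csv names the UUID column "solution"; detail.csv names it "solution_id".
        listed = sorted(assets.get(row["solution"], []),
                        key=lambda a: -float(a["aes_score"] or 0))
        declared = int(row["assets_affected"])
        ranked.append({
            "summary": row["summary"],
            "vpr_category": vpr_category(float(row["vpr"])),
            "assets_affected": declared,
            # False when detail.csv lists fewer or more assets than summary.csv declares.
            "rows_match": declared == len(listed),
            "top_assets": [a["hostname"] for a in listed[:3]],  # highest AES first
        })
    ranked.sort(key=lambda s: (order[s["vpr_category"]], -s["assets_affected"]))
    return ranked


def build_sample_package():
    """Build a constructed tar.gz in memory that stands in for a downloaded export."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in (("export/summary.csv", SUMMARY_CSV),
                           ("export/detail.csv", DETAIL_CSV)):
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for item in rank_solutions(read_export(build_sample_package())):
        print(item)
```

To use it on a real download, pass `open(path, "rb")` to `read_export` in place of the constructed package.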

Scans
You can create, configure, and manage scans in Tenable Vulnerability Management.

Section Description

Manage Scans
Create, import, and launch scans. View and manage scans and scan
results.

Scans (Unified Configuration) Overview
Create, launch, and manage Tenable Vulnerability Management and
Tenable Web App Scanning scans in the Tenable Vulnerability
Management unified user interface.

Scan Templates and Settings
Use a Tenable-provided scanner template, agent template or a
user-defined template to configure scan settings.

Sensors
Link your sensors, such as Tenable Nessus scanners, Tenable Nessus
Agents, and Tenable Nessus Network Monitors, to Tenable Vulnerability
Management.

Note: For information about scanning in Tenable Web App Scanning, see the Tenable Web App Scanning
Getting Started Guide.

Note: For information about scanning in Tenable Container Security, see Tenable Container Security
Scanner Scanning Overview.

Manage Scans
To manage your Tenable Vulnerability Management and Tenable Web App Scanning scans in the
unified Scans user interface, see Scans Overview.

To manage your Tenable Web App Scanning scans in Tenable Web App Scanning, see the Tenable
Web App Scanning Getting Started Guide.

Scans Overview
The Scans page allows you to create, launch, and configure Tenable Vulnerability Management
scans and Tenable Web App Scanning scans.

Many of the Scans workflows and procedures are similar to the legacy Vulnerability Management >
Scans and Web App Scanning > Scans pages, but we have provided updated help topics that match
the new Scans user interface:

Create a Scan
In Tenable Vulnerability Management, you can create scans using scan templates. For general
information about templates and settings, see Scan Templates and Settings.

When you create a scan, Tenable Vulnerability Management assigns you owner permissions for the
scan.

Tip: To quickly target specific vulnerabilities that previous scans have identified on your assets, create a
Tenable Vulnerability Management remediation scan.

Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards,
reports, and workbenches intentionally. This is due to the scan's paranoid nature, which may lead to false
positives that Tenable Vulnerability Management would otherwise not detect. For more information, see
Tenable PCI ASV Scans.

Before you begin:

• (Optional) View Tenable Vulnerability Management scan limitations.

• If you want to create a scan from a user-defined template, create a user-defined template as
  described in Create a User-Defined Template.

• Create an access group for any targets you want to use in the scan and assign Can Scan
  permissions to the appropriate users.

To create a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

This also determines whether you are creating a Tenable Vulnerability Management or Tenable
Web App Scanning scan.

4. In the upper-right corner of the page, click the Create a Scan button.

The Select a Scan Template page appears.

5. Do one of the following:

• If you are creating a Tenable Vulnerability Management scan, use the following
  procedure:

a. Click the Nessus Scanner, Nessus Agent, or User Defined tab to view available
templates for your scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings
Configure the settings available in the scan template.

• Basic Settings — Specifies the organizational and security-related
  aspects of a scan template. This includes specifying the name of
  the scan, its targets, whether you want to schedule the scan, and
  who has permissions for the scan.

• Discovery Settings — Specifies how a scan performs discovery and
  port scanning.

• Assessment Settings — Specifies how a scan identifies
  vulnerabilities, as well as what vulnerabilities are identified.
  This includes identifying malware, assessing the vulnerability of
  a system to brute force attacks, and the susceptibility of web
  applications.

• Report Settings — Specifies whether the scan generates a report.

• Advanced Settings — Specifies advanced controls for scan
  efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use
to perform a credentialed scan.

Compliance/SCAP
Specify the platforms you want to audit. Tenable, Inc. provides best
practice audits for each platform. Additionally, you can upload a
custom audit file.

Plugins
Select security checks by plugin family or individual plugin.

d. Do one of the following:

• If you want to save without launching the scan, click Save.

  Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

  Note: If you scheduled the scan to run at a later time, the Save & Launch option
  is not available.

  Tenable Vulnerability Management saves and launches the scan.

• If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Click the Web Application or User Defined tab to view available templates for your
scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings
Configure the settings available in the scan template. For more
information, see Basic Settings in Tenable Web App Scanning Scans.

Scope
Specify the URLs and file types that you want to include in or
exclude from your scan. For more information, see Scope Settings in
Tenable Web App Scanning Scans.

Assessment
Specify how a scan identifies vulnerabilities and what
vulnerabilities the scan identifies. This includes identifying
malware, assessing the vulnerability of a system to brute force
attacks, and the susceptibility of web applications. For more
information, see Assessment Settings in Tenable Web App Scanning
Scans.

Advanced
Specify advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use
to perform a credentialed scan.

Plugins
Select security checks by plugin family or individual plugin.

d. Do one of the following:

• If you want to save without launching the scan, click Save.

  Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

  Note: If you scheduled the scan to run at a later time, the Save & Launch option
  is not available.

  Tenable Vulnerability Management saves and launches the scan.

View Scans

Required Scan Permissions: Can View

Tenable Vulnerability Management defines Archived as any individual scan results that are older
than 35 days. For scan results that are younger than 35 days, you can view and export the results in
Tenable Vulnerability Management. For archived scan results, you can export the results, but cannot
view them in Tenable Vulnerability Management. This limitation applies to both imported scan
results and scan results that Tenable Vulnerability Management collects directly from scanners.
After 15 months, Tenable Vulnerability Management removes the scan data entirely.

You can view configured and imported scans. If you have appropriate permissions, you can also
perform actions to manage the scans.

Before you begin:

• Create or import one or more scans.

To view scans in the Scans section:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. Do any of the following:

Section Action

Search box
Search the table by scan name or status. For more information, see
Tenable Vulnerability Management Tables.

Filter
Filter the table with Tenable-provided scan filters.

Create Scan button
In the upper-right corner, click the Create Scan button to create a new
scan.

Tools button
In the upper-right corner, click the Tools button. A menu appears with
the following options:

• Import Scan (Tenable Vulnerability Management scans only)

• Manage Sensors

• Manage Credentials

• Manage Exclusions

Scans table
• View summary information about each scan:

  • Name — The scan name.

    If you have assigned permissions for the scan to other users,
    the label Shared appears next to the scan name.

  • Schedule — The scan schedule.

  • Last Modified — (Tenable Web App Scanning scans only) The
    date and time the scan was last modified.

  • Last Run — The date and time the scan was last run.

  • Status — The status of the scan.

• Sort, increase or decrease the number of rows per page, or navigate
  to another page of the table. For more information, see Tenable
  Vulnerability Management Tables.

• View details for a scan.

• Launch a scan.

• Change the read status for a scan.

• Export scan results.

• Move a scan to the trash.

• Delete a scan permanently.

• Move a scan to a different folder.

View Scan Details

Required Scan Permissions: Can View

You can view scan results for scans you own and scans that were shared with you.

Consider the following when viewing scan results:

• You can view details for an individual scan based on the permissions configured for the scan.
  However, when you view aggregated scan results in dashboards and other analysis views (for
  example, the Vulnerabilities or Assets tables), your access is based on the access groups you
  belong to.

• Tenable Vulnerability Management defines Archived as any individual scan results that are
  older than 35 days. For scan results that are younger than 35 days, you can view and export
  the results in Tenable Vulnerability Management. For archived scan results, you can export the
  results, but cannot view them in Tenable Vulnerability Management. This limitation applies to
  both imported scan results and scan results that Tenable Vulnerability Management collects
  directly from scanners. After 15 months, Tenable Vulnerability Management removes the scan
  data entirely.

• When you view results from the latest run of the scan, Tenable Vulnerability Management
  categorizes the scan as Read. The Read status is specific to your user account only. You can
  also manually change the read status.

• Tenable Vulnerability Management retains scan data for 15 months. If you want to store scan
  data for longer than 15 months, you can export the scan data for storage outside of Tenable
  Vulnerability Management.

• You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

To view scan details for an individual scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scan table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

6. Do any of the following:

Section Action

Scan Actions menu
• Launch a scan.

• Edit a scan configuration.

• Export scan results.

• Move a scan to a different folder.

• Change the read status for a scan.

• Delete a scan permanently.

• Copy a scan.

• Move a scan to the trash.

See All Details button
Click the See All Details button to open the Scan
Details page and view the scan's vulnerabilities and
affected assets, target information, and scan history.
You can also use the Scan Details page to export the
scan, edit the scan configuration, move the scan to the
trash folder, and submit the scan for PCI validation.

The scan details page includes the following features
and information:

Table header
• (Rollover scans only) Download a list of a rollover
  scan's remaining targets.

• Export the currently visible scan results.

• Edit the scan configuration.

• Move a scan to the trash folder.

Severity summaries
The number of vulnerabilities with a Critical, High,
Medium, and Low severity in the scan results.

Scan Details section
View details about the scan run:

• Status — The status of the scan.

• Start Time — The start date and time for the scan.

• Template — The Tenable-provided template on
  which the scan configuration is based.

• Scanner — The scanner that performed the scan.

• Scanner Groups — The scanner group or groups
  to which Tenable Vulnerability Management
  assigned the scan. This detail appears only if
  scan routing is enabled for the scan.

• Targets — The targets that the scan evaluated.

Vulns by Plugin tab
View the vulnerabilities in the scan results, organized
by plugin.

Note: This tab does not appear for scan results older
than 35 days.

• View information about each vulnerability:

  • Severity icon — The severity of the vulnerability.

  • Name — The name of the plugin that
    identified the vulnerability.

  • Family — The family of the plugin that
    identified the vulnerability.

  • Instances — The number of vulnerability instances.

    Tip: A vulnerability instance is a single
    instance of a vulnerability appearing on an
    asset, identified uniquely by plugin ID, port,
    and protocol.

• To filter the data displayed in the table, see Filter
  a Table.

• To sort, increase or decrease the number of rows
  per page, or navigate to another page of the
  table, see Tenable Vulnerability Management
  Tables.

• To view details for a vulnerability, click a row of
  the table.

  The Vulnerability Details page appears. For more
  information, see Vulnerability Details.

Audit tab
View compliance audit check results. This tab only
appears if the scan results include data from
compliance audit checks.

Tip: This tab does not appear for scan results older than
35 days.

On this tab, you can view:

• View tiles representing the number of audit
  checks identified the last time the scan was
  completed organized by severity level.

• View a table of audits detected during the scan.
  Each row represents a specific audit, and
  includes the following information:

  o Status — The status of the audit, for
    example Passed, Warning, or Failed.

  o Name — The name of the compliance
    check.

  o Family — The compliance check family to
    which the audit belongs.

  o Count — The number of times the audit was
    identified.

• To view additional information about a specific
  audit check, click a row in the audits table.

  The Audit Details page appears.

  • Overview — Information about the audit
    check, including a description of the check
    and the audit file used for the check.

  • Assets — A list of assets where the scan
    performed the audit check.

Summary tab
(Rule-based scans only) Shows the scan's description,
triggers, an explanation of rule-based scanning, and a
link to the vulnerabilities workbench.

Vulns by Asset tab
View the vulnerabilities in the scan results, organized
by asset. By default, assets in the table are sorted by
decreasing number of vulnerabilities, then by
decreasing severity.

Tip: This tab does not appear for scan results older than
35 days.

• View information about each vulnerability:

  • Assets — The asset identifier. Tenable
    Vulnerability Management assigns this
    identifier based on the presence of certain
    asset attributes in the following order:

    o Agent Name (if agent-scanned)
    o NetBIOS Name
    o FQDN
    o IPv4 address

    For example, if scans identify a NetBIOS
    name and an IPv4 address for an asset, the
    NetBIOS name appears as the Asset Name.

  • Vulnerabilities — A visual summary of the
    vulnerabilities on the asset, organized by
    severity.

  • Vuln Count — The total number of
    vulnerabilities on the asset.

  • Critical — The total number of
    vulnerabilities on the asset with a critical
    severity.

  • High — The total number of vulnerabilities
    on the asset with a high severity.

  • Audits — A visual summary of the audits on
    the vulnerability, organized by severity.

  • Audit Count — The total number of audits
    on the asset.

• To filter the data displayed in the table, see Filter
  a Table.

• To sort, increase or decrease the number of rows
  per page, or navigate to another page of the
  table, see Tenable Vulnerability Management
  Tables.

• To view details for an asset, click a row of the
  table.

  The Asset Details page appears. For more
  information, see View Asset Details.

Warnings tab
View warnings about problems Tenable Vulnerability
Management or the scanner encountered while running
the scan. This tab only appears if Tenable Vulnerability
Management or the scanner encountered an issue
while running the scan.

Review the warnings to determine how to resolve the
scan problem. For example, if an Invalid Target note is
present, check the target parameters in the scan
configuration.

Tip: This tab does not appear for scan results older than
35 days.

Remediations tab
View remediation details.

Note: The Remediation tab only appears if there are
known remediations for the scan.

This tab contains a table listing each remediation
action. On this tab, you can view:

• Vulnerabilities — The number of vulnerabilities
  resolved by the recommended remediation.

• Assets — The number of assets scanned.

History tab
View the scan history.

This tab contains a table listing each time the scan has
run. For the scan run currently displaying in the Scan
Details page, Tenable Vulnerability Management adds
the label Current to the run. By default, the latest scan
run is labeled Current.

Note: Scan history is unavailable for imported scans,
configured scans that have not yet run, and triggered
scans.

Note: For triggered scan histories, Tenable Vulnerability
Management shows a scan history entry for each 12-hour
window of the past 7 days. Tenable Vulnerability
Management only retains up to 15 triggered scan
histories at a time for each scan.

On this tab, you can:

• View summary information about each time the
  scan was run:

  • Start Time — The start date and time for
    the scan.

  • End Time — The end date and time for the
    scan.

  • Duration — The duration of the scan.

  • Status — The status of the scan.

• Filter the data displayed in the table.

• Sort, increase or decrease the number of rows
  per page, or navigate to another page of the
  table. For more information, see Tenable
  Vulnerability Management Tables.

• View details for a historical scan by clicking a row
  in the table.

  Tenable Vulnerability Management marks the run
  you selected as Current and updates the Scan
  Details section to show data for the selected run.

  If the historical scan results are younger than 35
  days, Tenable Vulnerability Management also
  updates the tabs on the Scan Details page.

  If the historical scan results are older than 35
  days, the additional tabs are absent from the
  Scan Details page. Use export instead to obtain
  the results.

Activity section
A history of the scan's activity.

In this section, you can view the date and time when
the scan Started, Completed, and when it was
Modified, Canceled, or manually Aborted.

Vulnerabilities by Severity/VPR Breakdown section
The number of vulnerabilities with a Critical, High,
Medium, and Low severity in the scan results.

Scan Duration section
The amount of time elapsed between the start and end
of the scan.

Targets section
The number of targets scanned.

Type section
The scan type.

Template section
The scan template used.

Schedule section
The scan schedule.

View Scan Vulnerability Details

You can view a scan's vulnerability details by plugin or by asset (Tenable Vulnerability Management
scans only) from the Scans section.

To view a scan's vulnerability details from the Scans section:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scans table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

6. In the scan details plane, click the See All Details button.

The Scan Details page appears. The Vulns by Plugin tab shows by default.

7. If you would rather view vulnerabilities by the affected asset, click the Vulns by Asset tab.

The vulnerabilities by asset table appears.

Note: You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

8. From either the Vulns by Plugin tab or the Vulns by Asset tab, do one of the following:

• Filter the plugins table by vulnerability attributes.

• Search the plugins table.

• View the number of plugin results, next to the Search box.

• On the Vulns by Plugin tab, click a vulnerability to view its details. For more information,
  see View Vulnerability Details.

• On the Vulns by Asset tab, click an asset row to view its vulnerability details. For more
  information, see View Asset Details.

Scan Filters

On the Scans page, you can filter scans using Tenable-provided filters. The Tenable Vulnerability
Management scan view allows you to filter by scan status, and the Tenable Web App Scanning scan
view allows you to filter by multiple values.

Filter Description

Status
The status of the scan. For more information about
scan statuses, see Scan Status.

Created Date (Tenable Web App Scanning scans only)
The date the scan configuration was created.

Description (Tenable Web App Scanning scans only)
The description of the scan configuration.

Finalized Date (Tenable Web App Scanning scans only)
The date on which the scan last completed.

Last Modified Date (Tenable Web App Scanning scans only)
The date on which the scan configuration was last
modified.

Last Scanned Date (Tenable Web App Scanning scans only)
The date on which the scan was last run.

Name (Tenable Web App Scanning scans only)
The name of the scan configuration.

Schedule (Tenable Web App Scanning scans only)
Whether a scan schedule is enabled or on demand.

Target (Tenable Web App Scanning scans only)
The target URL used to launch the scan.

Template (Tenable Web App Scanning scans only)
The Tenable-provided scan template the scan
configuration was based on.

User Template (Tenable Web App Scanning scans only)
The user-defined scan template the scan
configuration was based on.

Launch a Scan

In addition to configuring a scan's Schedule settings to launch the scan at scheduled times, you can
launch a scan manually. You can only launch a new scan when the previous scan has the Completed,
Aborted, or Canceled status (for more information, see Scan Status).

To launch a standard scan manually, see Launch a Scan.

Alternatively, you can launch a rollover scan to scan the remaining targets of a previous scan that
ended prematurely (for more information, see Launch a Rollover Scan). You can also launch a
remediation scan to run a follow-up scan against existing scan results (for more information, see
Launch a Remediation Scan).

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

Launch a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

Use the following steps to launch a scan manually. You can launch the scan using the targets as
configured in the scan, or you can launch the scan with custom targets that override the configured
targets.

To launch a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. In the scans table, roll over the scan you want to launch.

The action buttons appear in the row.

6. Do one of the following:

• To launch the scan using the targets as configured in the scan, click the button in the
row.

• If you have previously launched the scan and want to use custom targets that override
the configured targets:

a. In the row, click the button.

The Custom Launch Scan plane opens.

b. In the Targets box, type a comma-separated string of targets.

c. Click Launch.

Tenable Vulnerability Management launches the scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Rollover Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

When you launch a rollover scan, the scan runs only against targets and hosts that Tenable
Vulnerability Management did not scan previously. This happens when a scan ends before scanning
all the assigned targets, which can occur when:

• A user manually stops the scan

• The scan times out due to the Scan Window setting

• The scanner aborts scan tasks or does not initialize properly

In some cases, you may see Completed scans that you can perform rollover scans for. This
indicates that even though all the assigned targets were scanned, some individual scan tasks may
have failed.

Rollover scans allow you to achieve complete scan coverage for all your assets, and you can use the
rollover feature to split up large, network-impacting scans. You can launch a rollover scan from
the Scans page. In the scans table, Tenable Vulnerability Management marks scans that are eligible
for a rollover scan with the Rollover tag in the Name column.

To view the remaining targets that the rollover scan will run against, see Download Rollover Targets.
If you want to restart the scan and rescan all the targets, see Launch a Scan.

Note: You cannot launch rollover Web Application scans.

To launch a rollover scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

5. In the scans table, roll over the scan you want to launch.

6. In the row, click the button.

A menu appears.

7. Click the Launch Rollover option.

Tenable Vulnerability Management launches the rollover scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Remediation Scan

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

You can create a remediation scan to run a follow-up scan against existing scan results. A
remediation scan evaluates a specific plugin against a specific scan target or targets where a
vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan
targets have been successful. If a remediation scan cannot identify a vulnerability on targets where
the vulnerability was previously identified, the system changes the status of the vulnerability to
Fixed.

You can perform remediation scans for scan results from certain sensors only:

| Sensor Type | Supported? |
|---|---|
| Tenable Vulnerability Management Cloud Sensor | yes |
| On-premises Tenable Nessus | yes |
| Tenable Nessus scanner for Amazon Web Services (AWS) | yes |
| Tenable Web App Scanning | no |
| Tenable Nessus Network Monitor | no |
| Tenable Nessus Agent | no |

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

1. Set the scope for the remediation scan:

Remediation Scan Scope: All vulnerabilities on all affected assets
Action: This scope is not supported.

Remediation Scan Scope: All vulnerabilities on an individual asset
Action: To set this scope:
a. View asset details.
b. On the Asset Details page, click the Vulnerabilities tab.
The Vulnerabilities tab appears.
c. In the upper-right corner, click the Actions button.
The actions menu appears.
d. In the actions menu, click Launch Remediation Scan.

Remediation Scan Scope: All vulnerabilities on multiple assets
Action: This scope is not supported.

Remediation Scan Scope: An individual vulnerability on the top 500 affected assets
Action: To set this scope:
a. View vulnerability details.
b. Click the Assets Affected tab.
The assets table appears.
c. In the upper-right corner, click the Actions button.
The actions menu appears.
d. Click Launch Remediation Scan.

Remediation Scan Scope: An individual vulnerability on an individual asset
Action: To set this scope:
a. View vulnerability details.
b. Click the Assets Affected tab.
The assets table appears.
c. In the assets table, select the checkbox for the asset you want to select.
The action bar appears at the bottom of the page.
d. In the action bar, click Launch Remediation Scan.

Remediation Scan Scope: An individual vulnerability on multiple assets
Action: To set this scope:
a. View vulnerability details.
b. Click the Assets Affected tab.
The assets table appears.
c. In the assets table, select the checkbox next to each asset you want to select.
The action bar appears at the bottom of the page.
d. In the action bar, click Launch Remediation Scan.

Remediation Scan Scope: Multiple vulnerabilities on all affected assets
Action: This scope is not supported.

Remediation Scan Scope: Multiple vulnerabilities on an individual asset
Action: To set this scope:
a. View asset details.
b. On the Asset Details page, click the Vulnerabilities tab.
The Vulnerabilities tab appears.
c. In the vulnerabilities table, select the checkbox next to each vulnerability you want to select.
The action bar appears at the bottom of the page.
d. In the action bar, click Launch Remediation Scan.

Remediation Scan Scope: Multiple vulnerabilities on multiple assets
Action: This scope is not supported.

Remediation Scan Scope: An individual finding
Action: To set this scope:
a. View findings details for a host vulnerability finding or web application vulnerability finding.
b. On the Findings Details page, in the upper-right corner, click the Actions button.
The actions menu appears.
c. In the actions menu, click Launch Remediation Scan.

The Create a Scan - Remediation Scan page appears.

Tenable Vulnerability Management automatically creates the remediation scan from the
Tenable-provided Advanced Network Scan template and populates certain settings based on
the assets and vulnerabilities you selected.

2. On the Create a Scan page:

a. Verify the settings that Tenable Vulnerability Management populated based on the
vulnerabilities and assets you selected.

b. Configure additional settings for the scan.

The number of manual changes you must make depends on the plugins involved in the
remediation scan.

The following table defines the inherited and default values for settings in the remediation
scan.

| Setting Category | Setting | Remediation Scan Value |
|---|---|---|
| Basic | Name | Specifies an editable scan name in the format "Remediation scan of plugin # number" where number is the number of the plugin that identified the vulnerability. |
| Basic | Folder | Cannot be configured. Remediation scans appear in the Remediation Scans folder only. |
| Basic | Scanner | Specifies the scanner that performs the scan. The scanner you select depends on the location of the targets included in the remediation scan. For example: • By default, this value is the cloud scanner for your geographical region (for example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP addresses. If the scan targets include non-routable IP addresses, select a linked scanner instead. • Select a scanner group if you want to: ◦ Improve scan speed by balancing the scan load among multiple scanners. ◦ Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations. |
| Basic | Network | (Required if the scanner is set to Auto-Select) Do one of the following: • If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing. • If your scans do not involve separate environments with overlapping IP ranges, retain the Default network. |
| Basic | Targets | Specifies the scan targets based on the assets you selected for the remediation scan. |
| Basic | User Permissions | Specifies default settings for the Advanced Network Scan template. By default, only you have access to the individual scan results for the remediation scan. The Default user permissions are set to No Access. If you want to share the remediation scan with other users, configure the user permissions. |
| Basic | Schedule | Cannot be configured. If you do not launch a remediation scan when you create it, you can launch the scan manually later. |
| Basic | all other settings | Specifies default settings for the Advanced Network Scan template. |
| Discovery | all | Specifies default settings for the Advanced Network Scan template. Note: The default Port Scan Range scans common ports only. If the plugins used in the remediation scan require specific ports, configure this setting for a range that includes those ports. |
| Assessment | all | Specifies default settings for the Advanced Network Scan template. |
| Report | all | Specifies default settings for the Advanced Network Scan template. |
| Advanced | all | Specifies default settings for the Advanced Network Scan template. |
| Credentials | all | By default, there are no credentials configured. If the plugins in the remediation scan require credentials, configure them in the remediation scan. Note: Remediation scans work best for un-credentialed network scan results. Use caution when running a remediation scan for a plugin that requires scan credentials. If you neglect to add scan credentials when required for a specific plugin, or if you type the credentials incorrectly, the system may identify the related vulnerabilities as fixed. In fact, the vulnerabilities do not appear in the scan results because the system could not complete the credentialed scan. |
| Compliance | all | By default, no compliance audits are configured. If the plugins in the remediation scan require compliance audit settings, configure the appropriate settings. |
| Plugins | limited | Specifies plugins limited to the following: • the plugins you selected for remediation scanning • any plugins on which the selected plugins are dependent |

3. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

What to do next:
• In the Remediation Scans folder on the Scans page:
◦ View the scan status to determine when the scan completes.
◦ Edit the scan configuration.
◦ Change the read status of the scan results.
◦ Launch the scan.

• Once the scan completes:

a. On the Vulnerabilities page, search on the plugin.

b. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the
remediation scan targeted.

Stop a Running Scan

Required Scan Permissions: Can Control

When you stop a scan, Tenable Vulnerability Management terminates all tasks for the scan and
categorizes the scan as canceled. The scan results associated with the scan reflect only the
completed tasks. You cannot stop individual tasks, only the scan as a whole.

To stop a running scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the scans table, roll over the scan you want to stop.

4. In the row, click the button.

A menu appears.

5. Click Stop.

A confirmation window appears.

6. In the confirmation window, click Stop.

Tenable Vulnerability Management stops the scan. The Status column updates to reflect the
status of the scan.

Pause or Resume a Scan

Required Scan Permissions: Can Control

You can pause scans that you want to stop temporarily. When you pause a scan, Tenable
Vulnerability Management pauses all active tasks for that scan and concludes the scanner's local
scan task. Paused scans do not consume scanner resources, and other scans can run while there is
a paused scan. Tenable Vulnerability Management does not dispatch new tasks from a paused scan
job. If the scan remains in a paused state for more than 14 days, the scan times out. Tenable
Vulnerability Management terminates the related tasks on the scanner and categorizes the scan as
aborted.

You can resume scans that you previously paused. When you resume a scan, Tenable Vulnerability
Management instructs the scanner to start the tasks from the point at which the scan was paused.

If Tenable Vulnerability Management encounters problems when resuming the scan, the scan fails,
and Tenable Vulnerability Management categorizes the scan as aborted.

Note: You can only pause and resume Tenable Vulnerability Management scans.

To pause or resume a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the scans table, roll over the scan.

4. Do one of the following:

• To pause the scan, click the button in the row.

• To resume the scan, click the button in the row.

A confirmation window appears.

5. In the confirmation window, click Pause or Resume as appropriate.

Tenable Vulnerability Management pauses or resumes the scan.

Change Scan Ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Scan Permissions: Owner

Before you begin:

• If the scan is based on a user-defined template, assign the new owner at least Can View
permissions for that template. Otherwise, the new owner cannot view the scan configuration.

Note: Only the scan owner can change scan ownership. Therefore, if an administrator needs to change the
ownership of another user's scan, they must first assist the user with their account and then assign
ownership to the appropriate user.

To change the ownership of a scan in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

6. In the scans table, click the scan you want to edit.

The scan details appear.

7. Click the button next to the scan name.

The Edit a Scan page appears.

8. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

9. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

10. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

11. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

12. (Optional) Edit the Tenable Vulnerability Management permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

13. Click Save.

Tenable Vulnerability Management assigns ownership to the selected user and assigns your
user account the permissions you selected. If you removed all permissions for your user
account from the scan, the scan no longer appears in any of your scan folders.

Change the Scan Read Status

Required Scan Permissions: Can View

On the Scans page, a scan appears in bold in the scans table if you have not yet viewed (read) the
results of the latest run of the scan.

If you view the scan results, Tenable Vulnerability Management categorizes the scan as "read" and
removes the bold formatting from the scan in the scans table.

You can also manually change the scan read status.

To change the scan read status:

1. View your scans.

2. In the scans table, roll over the scan you want to change.

3. Click the button.

A menu appears.

4. Do one of the following:

• If you have already read the scan, click Mark Unread.

• If you have not read the scan, click Mark Read.

Tenable Vulnerability Management changes the read status for the scan.

Edit a Scan Configuration

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a scan configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

6. In the scans table, click the scan you want to edit.

The scan details appear.

7. Click the button next to the scan name.

The Edit a Scan page appears.

8. Change the scan configuration. For more information about scan configuration settings, see
Scan Settings.

9. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Configure vSphere Scanning

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can configure a scan to scan the following virtual environments:

• ESXi/vSphere that vCenter manages

• ESXi/vSphere that vCenter does not manage

• Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter


To configure an ESXi/vSphere scan that vCenter does not manage:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP address or addresses of the ESXi host or hosts.

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware ESX SOAP API.

7. In the Username box, type the username associated with the local ESXi account.

8. In the Password box, type the password associated with the local ESXi account.

9. If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do
not verify SSL Certificate toggle. Otherwise, leave the toggle enabled.

10. Click Save.

11. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan Information plugin
always shows Credentialed Checks: No in the vCenter scan results. To verify that the authentication
was successful, check that the Nessus Scan Information plugin shows Credentialed Checks:
Yes in the scan results of the ESXis.
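The note above and the credentials note in the remediation scan settings table depend on the same check: what the Nessus Scan Information plugin reports for each host. The following is an added example (not part of the Tenable guide and not Tenable code) that reads a .nessus export and separates hosts where a plugin is absent after an authenticated scan from hosts where it is absent without confirmed authentication. The sample XML, host addresses, plugin number 900001, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus XML layout. Host addresses, plugin 900001
# and all plugin output are invented for this example.
SAMPLE_NESSUS = """
<NessusClientData_v2>
  <Report name="Remediation scan of plugin # 900001">
    <ReportHost name="192.0.2.10">
      <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0" severity="0">
        <plugin_output>Credentialed checks : yes, as 'scanuser' via ssh</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0" severity="0">
        <plugin_output>Credentialed checks : no</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.12">
      <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0" severity="0">
        <plugin_output>Credentialed checks : yes, as 'scanuser' via ssh</plugin_output>
      </ReportItem>
      <ReportItem pluginID="900001" pluginName="Constructed credentialed check" port="0" severity="3">
        <plugin_output>Installed version is still affected.</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Tolerates both "Credentialed checks : yes" and "Credentialed Checks: Yes".
CRED_RE = re.compile(r"credentialed[ _]checks\s*:\s*(yes|no)", re.IGNORECASE)


def credential_status(nessus_xml):
    """Map each ReportHost name to 'yes', 'no' or 'unknown'."""
    # xml.etree is adequate for exports from your own tenant; for files from
    # an untrusted source, use a hardened XML parser instead.
    root = ET.fromstring(nessus_xml.strip())
    status = {}
    for host in root.iter("ReportHost"):
        name = host.get("name", "")
        status[name] = "unknown"
        for item in host.iter("ReportItem"):
            if item.get("pluginName") != "Nessus Scan Information":
                continue
            match = CRED_RE.search(item.findtext("plugin_output") or "")
            if match:
                status[name] = match.group(1).lower()
    return status


def triage_remediation(nessus_xml, plugin_id, targets):
    """Classify each remediation target for one plugin.

    still-vulnerable : the plugin reported on the host again
    fixed-verified   : plugin absent and credentialed checks succeeded
    fixed-unverified : plugin absent but authentication is not confirmed,
                       so a Fixed status should not be trusted yet
    not-scanned      : the host does not appear in the export at all
    """
    root = ET.fromstring(nessus_xml.strip())
    creds = credential_status(nessus_xml)
    reporting = {
        host.get("name", "")
        for host in root.iter("ReportHost")
        for item in host.iter("ReportItem")
        if item.get("pluginID") == str(plugin_id)
    }
    verdicts = {}
    for target in targets:
        if target not in creds:
            verdicts[target] = "not-scanned"
        elif target in reporting:
            verdicts[target] = "still-vulnerable"
        elif creds[target] == "yes":
            verdicts[target] = "fixed-verified"
        else:
            verdicts[target] = "fixed-unverified"
    return verdicts


if __name__ == "__main__":
    hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for host, verdict in triage_remediation(SAMPLE_NESSUS, 900001, hosts).items():
        print(f"{host}: {verdict}")
```

The fixed-unverified result only matters for plugins that need credentials; for a vCenter host scanned with API credentials, the note above says a No value is expected, so check the ESXi hosts instead.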

Scenario 2: Scanning vCenter-Managed ESXi/vSpheres

Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API
requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle Manager
account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP addresses of:

• the vCenter host

• the ESXi host or hosts

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware vCenter SOAP API.

7. In the vCenter Host box, type the IP address of the vCenter host.

8. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.

9. In the Username box, type the username associated with the vCenter account.

10. In the Password box, type the password associated with the vCenter account.

11. If the vCenter host is SSL enabled, enable the HTTPS toggle.

12. If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the
Verify SSL Certificate toggle. Otherwise, leave the toggle disabled.

13. Click Save.

14. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Section 3: Scanning Virtual Machines


You can scan virtual machines just like any other host on the network. Be sure to include the IP
address or addresses of your virtual machines in the Targets text box. For more information, see
Create a Scan.

Copy a Scan Configuration

Required Scan Permissions: Owner

When you copy a scan configuration, Tenable Vulnerability Management assigns you owner
permissions for the copy and assigns the copy scan permissions from the original scan.

Note: You cannot copy a scan from the Remediation Scans folder.

To copy a scan configuration:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. In the scans table, roll over the scan you want to copy.

6. In the row, click the button.

A menu appears.

7. Click Copy.

The Copy to Folder plane appears, which contains a list of your scan folders.

8. Click the folder where you want to save the copy.

9. Click Copy.

Tenable Vulnerability Management creates a copy of the scan with Copy of prepended to the
name and assigns you owner permissions for the copy. The copy appears in the scans table of
the folder you selected.

Export Scan Results

Required Scan Permissions: Can View

You can export both imported scan results and results that Tenable Vulnerability Management
collects directly from scanners.

Tenable Vulnerability Management retains individual scan results until the results are 15 months old.

Notes:
• Filters are not applicable for Tenable Web App Scanning exports. All results are
exported.
• For archived scan results (that is, results older than 45 days), Tenable Vulnerability
Management limits export types to .nessus and .csv files.
• When a scan is actively running, the Export button does not appear in the Tenable
Vulnerability Management interface. Wait until the scan completes, then export the scan
results.

To export results for an individual scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

5. Do one of the following:

Location: Scans table
Scope of Export:
a. In the scans table, roll over the scan you want to export.
b. Click the button.
A menu appears.
c. Click Export.
The Export plane appears.
Note: You cannot export scan results from the Scans table if the scan has
multiple targets. For scans with multiple targets, you can export scan results
for each target from the Scan Details page.

Location: Scan Details
Scope of Export:
a. In the scans table, click the scan you want to export.
The scan details plane appears below the scan table.
b. Click the Scan Actions button.
A menu appears.
c. Click Export.
The Export plane appears.

6. Select an export format:

Tenable Vulnerability Management Scans

| Format | Description | Supported for Archived Scan Results |
|---|---|---|
| PDF - Custom | An Adobe .pdf file. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | No |
| PDF - Executive Summary | An Adobe .pdf file. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | No |
| HTML - Custom | A web-based .html file. | No |
| HTML - Executive Summary | A web-based .html file. | No |
| Nessus | A .nessus file in XML format that contains the list of targets, scan settings defined by the user, and scan results. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the XML. If you import a .nessus file as a user-defined scan template, you must re-apply your passwords to any credentials. Unlike other export formats, the .nessus file includes individual open port findings. This ensures that you can still view open port findings in Tenable Security Center if your organization integrates Tenable Vulnerability Management with Tenable Security Center. | Yes |
| CSV | A .csv text file with only scan results. Note: When exporting scan results as a .csv file, the severities always show CVSSv2 scores regardless of your configured severity metric. When exporting compliance scan results as a .csv file, the Risk column results are replaced with the following values: • PASSED results show as None • WARNING results show as Medium • FAILED results show as High | Yes |

Tenable Web App Scanning Scans

| Format | Description | Supported for Archived Scan Results |
|---|---|---|
| HTML | A web-based .html file that contains the list of targets, scan results, and scan notes. | n/a |
| PDF | An Adobe .pdf file that contains the list of targets, scan results, and scan notes. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | n/a |
| Nessus | A .nessus file in XML format that contains the list of targets, scan settings defined by the user, and scan results. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the XML. | n/a |
| CSV | A .csv text file with only scan results. | n/a |
| JSON | A .json file that contains the list of targets, scan settings defined by the user, scan results, and scan notes. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the JSON file. | n/a |

7. For Tenable Vulnerability Management scans, if you select the PDF - Custom or HTML -
Custom formats:

• Retain the default Data setting (Vulnerabilities selected).

• Select either Assets or Plugin from the Group By list, depending on how you want to
group the scan results in the export file.

8. Click Export.

Tenable Vulnerability Management generates the export file. Depending on your browser
settings, your browser may automatically download the export file to your computer, or may
prompt you to confirm the download before continuing.

Import a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can import scan results into Tenable Vulnerability Management. You cannot import results from
scans run more than 15 months ago.

Imported scans always belong to the default network. For more information, see Networks.

Note: You can only import Tenable Vulnerability Management scans.

Note: Tenable Vulnerability Management supports scan imports up to 4GB in size.

To import a scan in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Click Import Scan.

Your file directory appears.

5. Browse to and select the scan file you want to import.

If the scan file is a .nessus or .db file, the Import plane appears.

Note: To learn more about the .nessus file format, see Nessus File Format.

If the scan file is any other file type, the Scan Import window appears.

6. Do one of the following:

• If the scan file is a .nessus or .db file:

a. In the Password box, type the password to allow Tenable Vulnerability
Management to view the scan.

b. (Optional) To show the scan results in dashboards, select the Show in Dashboard?
check box.

c. Click Import.

• If the scan file is any other file type, specify if you want the scan results to appear in
dashboards:
◦ Click Yes to show the scan results in dashboards.
◦ Click No to prevent the scan results from appearing in dashboards.

Note: Clicking Cancel cancels the import.

The Scans page appears, and the imported scan appears in the scans table.

Tenable Vulnerability Management begins processing the imported scan results. Once this
process is complete, the imported data appears in the individual scan details and aggregated
data views (such as dashboards). This process can take up to 30 minutes, depending on the
size of the import file.

Tip: If the imported data does not appear in the individual scan results or aggregated data views
after a reasonable processing time, verify that you are assigned adequate permissions for the
imported targets in access groups.
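
A pre-import check for the two limits stated in this section (results no older than 15 months, files no larger than 4GB), added here as an example; it is not part of the Tenable guide or Tenable's code. It handles .nessus (v2 XML) files only and assumes the HOST_END/HOST_START host properties with ctime-style timestamps, reads 4GB as 4 GiB, and takes the latest host timestamp as the scan's run time; the function names are hypothetical.

```python
import calendar
import io
import os
import xml.etree.ElementTree as ET
from datetime import datetime

MAX_IMPORT_BYTES = 4 * 1024**3  # "4GB" from the guide; reading it as 4 GiB is an assumption
MAX_AGE_MONTHS = 15             # the guide's cutoff for imported scan results
HOST_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # assumed layout, e.g. "Mon Jun  3 09:31:45 2024"

# Constructed sample in .nessus v2 layout (documentation addresses, invented times).
SAMPLE = b"""<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="192.0.2.10"><HostProperties>
<tag name="HOST_START">Mon Jun  3 09:00:00 2024</tag>
<tag name="HOST_END">Mon Jun  3 09:31:45 2024</tag>
</HostProperties></ReportHost>
<ReportHost name="192.0.2.11"><HostProperties>
<tag name="HOST_START">Mon Jun  3 09:05:00 2024</tag>
</HostProperties></ReportHost>
</Report>
</NessusClientData_v2>"""


def months_before(moment, months):
    """Shift a datetime back by whole calendar months, clamping the day of month."""
    year, month0 = divmod(moment.year * 12 + moment.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return moment.replace(year=year, month=month0 + 1, day=min(moment.day, last_day))


def host_times(source):
    """Stream ReportHost elements; yield HOST_END (else HOST_START) or None per host."""
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "ReportHost":
            continue
        props = {t.get("name"): (t.text or "").strip()
                 for t in elem.iterfind("HostProperties/tag")}
        stamp = props.get("HOST_END") or props.get("HOST_START")
        try:
            yield datetime.strptime(stamp, HOST_TIME_FORMAT) if stamp else None
        except ValueError:
            yield None  # timestamp present but not in the assumed format
        elem.clear()    # drop the host's findings so large exports stay cheap to scan


def check_import(source, size_bytes, now):
    """Return a list of problems; an empty list means both limits are met."""
    problems = []
    if size_bytes > MAX_IMPORT_BYTES:
        problems.append(f"size {size_bytes} bytes exceeds the 4GB import limit")
    try:
        stamps = list(host_times(source))
    except ET.ParseError as exc:
        return problems + [f"not well-formed .nessus XML: {exc}"]
    dated = [s for s in stamps if s is not None]
    if not dated:
        return problems + ["no HOST_END/HOST_START timestamps; scan age unknown"]
    newest = max(dated)
    # Host timestamps carry no time zone, so compare against a naive `now`.
    if newest < months_before(now, MAX_AGE_MONTHS):
        problems.append(f"latest host finished {newest:%Y-%m-%d}, more than 15 months ago")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # path to a real export
        src, size = sys.argv[1], os.path.getsize(sys.argv[1])
    else:                   # fall back to the constructed sample
        src, size = io.BytesIO(SAMPLE), len(SAMPLE)
    print(check_import(src, size, datetime.now()) or "no problems found")
```

Run it with the path of an export as the only argument; with no argument it checks the constructed sample.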

Organize Scans by Folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, the Scans page contains a Folders section that automatically
groups your configured and imported scans into default folders. To organize your scans further, you
can create custom folders.

To organize your scans by folder:

1. View scans in default folders.

Note: You cannot rename or delete the default folders.

By default, Tenable Vulnerability Management provides the following folders:

Folder
    Description

My Scans
    Contains scans that you have created or imported.

    This folder appears by default when you access the Scans page.

All Scans
    • (Administrators) Contains scans created by any user.

    • (All other users) Contains:
        ◦ Scans that you have created
        ◦ Any shared scans for which you have Can View permissions or higher

Remediation Scans
    Contains any remediation scans you own or that another user has shared with you.

Trash
    Contains scans that you have moved to the trash. If you have Can Configure permissions
    for a scan in this folder, you can permanently delete the scan for all users.

    If you delete a custom folder that contains scans, Tenable Vulnerability Management
    automatically moves any scans in the deleted folder to the Trash folder.

2. (Optional) Manage custom folders using the following procedures:

Manage scan folders


Use the following procedures to manage your custom scan folders:

Create a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The custom scan folders you create appear only to you and cannot be shared with other users. You
are the only user who can view, rename, or delete the scan folders you create.

Note: The custom folders you create appear only to you and cannot be shared with other users.

To create a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. Next to Folders, click the button.

The New Folder box appears at the bottom of the folder list.

4. In the New Folder box, type a name for the folder.

5. Click the button.

A Folder added successfully message appears and the new folder appears in the Folders
section.

Move a scan to a scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can View

You can move a scan from a default folder to either the My Scans default folder or a custom scan
folder. You can also move a scan from a custom folder to the My Scans default folder or a different
custom folder.

If you move a scan from the All Scans default folder, the scan appears in both the folder you select
and the All Scans folder.

If you move a scan from the My Scans default folder, the scan appears in the custom folder only.

For information about moving a scan to the trash, see Move a Scan to the Trash Folder.

Note: You cannot move scans to or from the Remediation Scans folder.

To move a scan to a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scan table, roll over the scan you want to move.

The action buttons appear in the row.

5. Do one of the following:

• Tenable Vulnerability Management scans:

a. In the row, click the button.

A menu appears.

b. In the menu, click Move.

The Move to Folder plane appears. This plane contains a list of your scan folders.

• Tenable Web App Scanning scans:

a. In the row, click the button.

The Move to Folder plane appears. This plane contains a list of your scan folders.

6. Search for a folder:

a. In the search box, type the folder name.

b. Click the button.

Tenable Vulnerability Management limits the list to folders that match your search.

7. In the folder list, click the folder where you want to move the scan.

8. Click Move.

Tenable Vulnerability Management moves the scan to the selected folder.

Rename a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can rename custom scan folders only. You cannot rename the default scan folders.

Renaming a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

To rename a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, roll over the folder you want to rename.

The action buttons appear in the row.

4. In the row, click the button.

An editable box replaces the folder name.

5. In the box, type a new name for the folder.

6. Click the button.

Tenable Vulnerability Management updates the folder name and a Folder updated
successfully message appears.

Delete a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can delete custom scan folders only. You cannot delete the default scan folders that Tenable
Vulnerability Management provides (All Scans, My Scans, and Trash).

Deleting a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

If you delete a scan folder that contains inactive scans, Tenable Vulnerability Management moves
the folder's scans to the Trash folder. If you delete a scan folder that contains at least one active
(Pending or Running) scan, Tenable Vulnerability Management moves the folder's scans to the My
Scans folder.

To delete a scan folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, roll over the folder you want to delete.

The action buttons appear in the row.

4. In the row, click the button.

A confirmation window appears.

5. Click Delete to confirm the action.

A Folder deleted successfully message appears, and Tenable Vulnerability Management
deletes the folder.

Move a Scan to the Trash Folder

Required Scan Permissions: Can View

When you move a shared scan to the Trash folder, Tenable Vulnerability Management moves the
scan for your account only. The scan remains in the original folder for all other users who have Can
View permissions or higher for the scan.

Scans moved to the Trash folder also appear in the All Scans folder, marked with the label, Trash.

Note: After you move a scan to the Trash folder, the scan remains in the Trash folder until a user with Can
Edit permissions permanently deletes the scan.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.
• For more information about Tenable Vulnerability Management scan schedules, see
Schedule.
• For more information about Tenable Web App Scanning scan schedules, see Schedule.

Note: You cannot move scans from the Remediation Scans folder to the Trash folder. Instead, delete
remediation scans directly in the folder.

To move a scan or scans to the Trash folder:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click the folder that contains the scan you want to move.

The scans table lists scans in the selected folder.

5. Do one of the following:

• Select a single scan:

a. In the scans table, roll over the scan you want to move.

b. Click the button.

A menu appears.

c. Click Trash.

• Select multiple scans:

a. In the scans table, select the check box next to each scan you want to move.

The action bar appears at the top of the table.

b. In the action bar, click Trash.

Tenable Vulnerability Management moves the scan or scans you selected to the Trash
folder.

Delete a Scan

Required Scan Permissions: Can Configure

When you permanently delete a scan, you delete the scan configuration and scan results for all
users the scan is shared with.

The workflow for deleting a remediation scan differs from the workflow described in this procedure.
For more information, see the Delete a remediation scan steps at the end of this topic.

Caution: After you delete a scan, you cannot recover the scan or any scan data associated with the scan.
Delete only scans you are certain you no longer need to view or run.

Before you begin:

• Move the scan to the Trash folder.

To delete a scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the Folders section, click the Trash folder.

The scan table updates to show the scans in the trash folder.

5. Do one of the following:

• Select a single scan:

a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:

a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Delete a remediation scan

Required Scan Permissions: Can Configure

When you delete a remediation scan, you delete the scan configuration and scan results for all
users the scan is shared with.

Note: Tenable Vulnerability Management deletes scan results older than 90 days.

To delete a remediation scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the Folders section, click the Remediation Scans folder.

Note: The Remediation Scans folder only shows for Tenable Vulnerability Management scans.

The scan table updates to show remediation scans that you own or that other users have
shared with you. By default, the rows are sorted by Created Date.

4. Do one of the following:

• Select a single scan:

a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:

a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Note: Tenable Vulnerability Management keeps up to 10,000 of the most recent remediation scan
results. Once you have more than 10,000 remediation scan results, Tenable Vulnerability
Management deletes the scan results, starting with the oldest result.

Discovery Scans vs. Assessment Scans


You can perform two types of scans using Tenable products: discovery scans and assessment
scans. Tenable recommends performing discovery scans to get an accurate picture of the assets on
your network and assessment scans to understand the vulnerabilities on your assets.

For information about how discovered and assessed assets are counted towards your license, see
Tenable Vulnerability Management Licenses.

Type: Discovery scans

Description: Find assets on your network.

For example:

• a scan configured with the Host Discovery template.

• a scan configured to use only discovery plugins.

• a scan configured to use Tenable Nessus Network Monitor in discovery mode.

Licensing: Assets identified by discovery scans do not count toward your license.

Type: Assessment scans

Description: Find vulnerabilities on your assets.

For example, run an authenticated or unauthenticated scan using a Tenable Nessus scanner or
Tenable Nessus Agent.

Authenticated Scans

Configure authenticated scans, also known as credentialed scans, by adding access credentials
to your assessment scan configuration.

Credentialed scans can perform a wider variety of checks than non-credentialed scans, which
can result in more accurate scan results. This facilitates scanning of a very large network to
determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of
scanning depends on the privileges granted to the user account. The more privileges the
scanner has via the login account (e.g., root or administrator access), the more thorough the
scan results.

For more information, see Credentials in Tenable Vulnerability Management Scans.

Unauthenticated Scans

If you do not add access credentials to your assessment scan configuration, Tenable
Vulnerability Management performs a limited number of checks when scanning your assets.

Licensing: In general, assets assessed by assessment scans count toward your license.

Identify Assets That Have Not Been Assessed


Tenable Vulnerability Management can discover, or see, assets without assessing the assets for
vulnerabilities (for example, via a host discovery scan, Tenable Nessus Network Monitor running in
discovery mode, or connectors). Assets that have been seen but not assessed do not count towards
your asset license limit. For a list of conditions that cause an asset to be assessed, see How Assets
are Counted. However, once assessed, the asset is always categorized as assessed, even if it ages
out of the license count.

This licensing exception allows you to discover assets on your network without the large number of
assets counting towards your license limit. After you discover your assets, you can then identify
which assets have not yet been assessed for vulnerabilities, and choose which of those assets you
want to scan and manage going forward.

To identify assets that have not been assessed:

1. Discover assets using any of the following methods:

• Create and launch a host discovery scan in Tenable Vulnerability Management.

• Configure Tenable Nessus Network Monitor with discovery mode enabled, linked to
Tenable Vulnerability Management.

• Configure a connector.

Assets discovered by these methods do not count towards your asset license limit until they
have been assessed for vulnerabilities.

2. Filter for assets that have not been assessed.

a. In the assets table, create a filter with the following settings:

• In the Category box, select Asset Assessed.

• In the Operator box, select is equal to.

• In the Value box, select false.

b. Click Apply.

Tenable Vulnerability Management filters for assets that have not yet been assessed for
vulnerabilities.

Note: Unassessed assets (where Asset Assessed is equal to false) can differ from unlicensed
assets (where Is Licensed (VM) is equal to false). Once you scan an asset for vulnerabilities,
Tenable Vulnerability Management categorizes the asset as assessed from that point on, but
the licensing status of an asset can change over time as assets are deleted or age out of your
organization's license count.

c. (Optional) Save the search for later use.

3. (Optional) Tag assets to identify assets that have not been assessed.

a. Create tags to identify assets that have not been assessed.

For example, Assets:NotYetAssessed.

b. Manually apply the tag to assets, or create tag rules that automatically filter for assets
that have not been assessed.

For example, to create a dynamic tag for assets that have not yet been assessed, set
the tag rules to filter for Asset Assessed is equal to false.

4. (Optional) Create a scan to target assets using the tag you created.

Scan Failovers
If Tenable Vulnerability Management assigns a scan job to a scanner, and the scanner goes offline
while scanning, the following happens:

1. The scan job times out if the assigned scanner does not respond to Tenable Vulnerability
Management after two hours.

2. Tenable Vulnerability Management removes the scan job from the scanner and attempts the
scan job on another scanner in the same scanner group, or on the same scanner if it comes
back online.

3. Tenable Vulnerability Management attempts steps 1 and 2 three times. If the scan job is not
completed after three attempts, Tenable Vulnerability Management aborts the scan job.

Scan Status
Tenable Vulnerability Management provides a scan status for each of your configured scans.

If the scan is in progress, Tenable Vulnerability Management shows the number of scan tasks
completed as a percentage.

For example, if you scan fewer than 120 IP addresses in a single scan, Tenable Vulnerability
Management creates a single scan task and the progress percentage changes from 0% to 100%
when it completes.

However, if you target more than 120 IP addresses, Tenable Vulnerability Management creates
multiple scan tasks. After each task completes, the percentage changes to reflect the number of
completed tasks. For example, a scan that targets 300 IP addresses is split into three scan tasks,
and as each task completes, the progress bar updates the percentage to reflect the completed
tasks.

Note: Pausing a scan causes Tenable Vulnerability Management to move any completed results to
processing. When you resume the scan, Tenable Vulnerability Management creates a new scan task or
tasks for incomplete results. Therefore, pausing a scan can cause the progress percentage to update.

Tip: For Tenable Vulnerability Management scans, you can hover over the scan status to view more status
information in a pop-up window, such as the number of targets scanned and the elapsed or final scan time.
The window shows different information based on the scan's current status.

Tenable Vulnerability Management scans can have the following status values:

Status
    Description

Tenable Vulnerability Management Scans

Tip: The typical Tenable Vulnerability Management scan status flow is as follows: Initializing, Running,
Publishing Results, Completed.

Aborted
    Either the latest run of the scan is incomplete because Tenable Vulnerability Management
    or the scanner encountered problems during the run, or the scan remained queued without
    running for four or more hours. For more information about the problems encountered
    during the run, view the scan warnings.

Canceled
    At user request, Tenable Vulnerability Management successfully stopped the latest run of
    the scan.

Completed
    The latest run of the scan is complete.

Empty
    The scan is either empty (the scan is new or has yet to run) or pending (Tenable
    Vulnerability Management is processing a request to run the scan).

Imported
    A user imported the scan. You cannot run imported scans. Scan history is unavailable for
    imported scans.

Pausing
    A user paused the scan, and Tenable Vulnerability Management is processing the action.

Paused
    At user request, Tenable Vulnerability Management successfully paused active tasks
    related to the scan. The paused tasks continue to fill the task capacity of the scanner
    that the tasks were assigned to. Tenable Vulnerability Management does not dispatch new
    tasks from a paused scan job. If the scan remains in a paused state for more than 14 days,
    the scan times out. Tenable Vulnerability Management then aborts the related tasks on the
    scanner and categorizes the scan as aborted.

Pending
    Tenable Vulnerability Management has the scan queued to launch and is assigning scan
    tasks to the assigned sensors.

    Note: Tenable Vulnerability Management aborts scans that remain in Pending status for
    more than four hours. If Tenable Vulnerability Management aborts your scan, modify your
    scan schedule to reduce the number of overlapping scans. If you still have issues, contact
    Tenable Support.

Publishing Results
    Tenable Vulnerability Management processes and stores the scan results data for you to
    view and use in the Tenable Vulnerability Management user interface. The Publishing
    Results status begins once the Running status reaches 100%.

Resuming
    Tenable Vulnerability Management is in the process of restarting tasks after the user
    resumed the scan. Tenable Vulnerability Management instructs the scanner to start the
    tasks from the point at which the scan was paused. If Tenable Vulnerability Management or
    the scanner encounters problems when resuming the scan, the scan fails, and Tenable
    Vulnerability Management updates the scan status to aborted.

Running
    The scan is currently running. While this status is shown, the scan's sensors complete
    their assigned scan tasks, and Tenable Vulnerability Management processes the scan
    results. The progress bar shows next to the status when a scan is running. The progress
    bar shows the percentage of the completed tasks.

Stopping
    A user stopped the scan, the scan timed out, or Tenable Vulnerability Management is
    stopping the scan after all associated scan tasks are complete.

Scan Templates

Scan templates contain granular configuration settings for your scans. You can use Tenable's scan
templates to create custom scan configurations for your organization. Then, you can run scans
based on Tenable's scan templates or your custom configurations' settings.

When you create a scan configuration, the Select a Scan Template page appears. Tenable
Vulnerability Management provides separate templates for Tenable Vulnerability Management and
Tenable Web App Scanning. Within Tenable Vulnerability Management scanning, Tenable
Vulnerability Management provides separate templates for scanners and agents, depending on
which sensor you want to use for scanning:

If you have custom configurations, they appear in the User Defined tab. For more information about
user-defined templates, see User-Defined Templates.

When you configure a Tenable-provided scan template, you can modify only the settings included
for the scan template type. When you create a user-defined scan template, you can modify a
custom set of settings for your scan.

For descriptions of all scan template settings, see Scan Settings.

Tip: For information and tips on optimizing your Tenable Vulnerability Management scan configurations,
see the Tenable Vulnerability Management Scan Tuning Guide.

Tenable-Provided Tenable Nessus Scanner Templates


There are three scanner template categories in Tenable Vulnerability Management:

• Vulnerability Scans (Common) — Tenable recommends using vulnerability scan templates for
most of your organization's standard, day-to-day scanning needs.

• Configuration Scans — Tenable recommends using configuration scan templates to check
whether host configurations are compliant with various industry standards. Configuration
scans are sometimes referred to as compliance scans. For more information about the checks
that compliance scans can perform, see Compliance in Tenable Vulnerability Management
Scans and SCAP Settings in Tenable Vulnerability Management Scans.

• Tactical Scans — Tenable recommends using the tactical scan templates to scan your network
for a specific vulnerability or group of vulnerabilities. Tactical scans are lightweight, timely
scan templates that you can use to scan your assets for a particular vulnerability. Tenable
frequently updates the Tenable Vulnerability Management Tactical Scans library with
templates that detect the latest vulnerabilities of public interest, such as Log4Shell.

The following table describes the available Tenable Nessus Scanner templates:

Template
    Description

Vulnerability Scans (Common)

Advanced Network Scan
    The most configurable scan type. You can configure this scan template to match any
    policy. This template has the same default settings as the basic scan template, but it
    allows for additional configuration options.

    Note: Advanced scan templates allow Tenable Vulnerability Management experts to scan
    more deeply using custom configuration, such as faster or slower checks, but
    misconfigurations can cause asset outages or network saturation. Use the advanced
    templates with caution.

Basic Network Scan
    Performs a full system scan that is suitable for any host. Use this template to scan an
    asset or assets with all of Nessus's plugins enabled. For example, you can perform an
    internal vulnerability scan on your organization's systems.

Credentialed Patch Audit
    Authenticates hosts and enumerates missing updates.

    Use this template with credentials to give Tenable Vulnerability Management direct
    access to the host, scan the target hosts, and enumerate missing patch updates.

Host Discovery
    Performs a simple scan to discover live hosts and open ports.

    Launch this scan to see what hosts are on your network and associated information such
    as IP address, FQDN, operating systems, and open ports, if available. After you have a
    list of hosts, you can choose what hosts you want to target in a specific vulnerability
    scan.

    Tenable recommends that organizations that do not have a passive network monitor, such
    as Tenable Nessus Network Monitor, run this scan weekly to discover new assets on their
    network.

    Note: Assets identified by discovery scans do not count toward your license.

Internal PCI Network Scan
    Performs an internal PCI DSS (11.2.1) vulnerability scan.

    This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1)
    scanning requirements for ongoing vulnerability management programs that satisfy PCI
    compliance requirements. You can use these scans for ongoing vulnerability management
    and to perform rescans until passing or clean results are achieved. You can provide
    credentials to enumerate missing patches and client-side vulnerabilities.

    Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on
    at least a quarterly basis, you must also perform scans after any significant changes to
    your network (PCI DSS 11.2.3).

Legacy Web App Scan
    Uses a Tenable Nessus scanner to scan your web applications.

    Note: Unlike the Tenable Web App Scanning scanner, the Tenable Nessus scanner does not
    use a browser to scan your web applications. Therefore, a Legacy Web App Scan is not as
    comprehensive as Tenable Web App Scanning.

Mobile Device Scan
    Assesses mobile devices via Microsoft Exchange or an MDM.

PCI Quarterly External Scan
    Performs quarterly external scans as required by PCI.

    Note: Because the nature of a PCI ASV scan is more paranoid and may lead to false
    positives, the scan data is not included in the aggregate Tenable Vulnerability
    Management data. This is by design.

Configuration Scans

Audit Cloud Infrastructure
    Audits the configuration of third-party cloud services.

    You can use this template to scan the configuration of Amazon Web Services (AWS), Google
    Cloud Platform, Microsoft Azure, Rackspace, Salesforce.com, and Zoom, given that you
    provide credentials for the service you want to audit.

MDM Config Audit
    Audits the configuration of mobile device managers.

    The MDM Config Audit template reports on a variety of MDM vulnerabilities, such as
    password requirements, remote wipe settings, and the use of insecure features, such as
    tethering and Bluetooth.

Offline Config Audit
    Audits the configuration of network devices.

    Offline configuration audits allow Tenable Vulnerability Management to scan hosts
    without the need to scan over the network or use credentials. Organizational policies
    may not allow you to scan devices or know credentials for devices on the network for
    security reasons. Offline configuration audits use host configuration files from hosts
    to scan instead. Through scanning these files, you can ensure that devices' settings
    comply with audits without the need to scan the host directly.

    Tenable recommends using offline configuration audits to scan devices that do not
    support secure remote access and devices that scanners cannot access.

Policy Compliance Auditing
    Audits system configurations against a known baseline.

    Note: The maximum number of audit files you can include in a single Policy Compliance
    Auditing scan is limited by the total runtime and memory that the audit files require.
    Exceeding this limit may lead to incomplete or failed scan results. To limit the
    possible impact, Tenable recommends that audit selection in your scan policies be
    targeted and specific for the scan's scope and compliance requirements.

    The compliance checks can audit against custom security policies, such as password
    complexity, system settings, or registry values on Windows operating systems. For
    Windows systems, the compliance audits can test for a large percentage of anything that
    can be described in a Windows policy file. For Unix systems, the compliance audits test
    for running processes, user security policy, and content of files.

SCAP and OVAL Auditing
    Audits systems using SCAP and OVAL definitions.

    The National Institute of Standards and Technology (NIST) Security Content Automation
    Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance
    in government agencies. It relies on multiple open standards and policies, including
    OVAL, CVE, CVSS, CPE, and FDCC policies.

    • SCAP compliance auditing requires sending an executable to the remote host.

    • Systems running security software (for example, McAfee Host Intrusion Prevention) may
      block or quarantine the executable required for auditing. For those systems, you must
      make an exception for either the host or the executable sent.

    • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows
      SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication
      800-126.

Tactical Scans

2022 Threat Landscape Retrospective (TLR)
    Detects vulnerabilities featured in Tenable's 2022 Threat Landscape Retrospective
    report.

Active Directory Identity
    Use a Domain User account to query AD identity information. This policy enumerates
    Active Directory identity information via LDAPS. It requires Domain User credentials,
    LDAPS configuration, and an Active Directory Domain Controller as the scan target.

Active Directory Starter Scan
    Scans for misconfigurations in Active Directory.

    Use this template to check Active Directory for Kerberoasting, Weak Kerberos encryption,
    Kerberos pre-authentication validation, non-expiring account passwords, unconstrained
    delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group
    ID integrity, and blank passwords.

CISA Alerts AA22-011A and AA22-047A
    Performs remote and local checks for vulnerabilities from recent CISA alerts.

ContiLeaks
    Performs remote and local checks for ContiLeaks vulnerabilities.

GHOST (glibc) Detection
    Performs remote and local checks for CVE-2015-0235.

Intel AMT Security Bypass
    Performs remote and local checks for CVE-2017-5689.

Log4Shell
    Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Log4Shell Remote Checks
    Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via remote checks.

Log4Shell Vulnerability Ecosystem
    Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local and
    remote checks. This template is dynamic and is regularly updated with new plugins as
    third-party vendors patch their software.

Malware Scan
    Scans for malware on Windows and Unix systems.

PrintNightmare
    Performs local checks for CVE-2021-34527, the PrintNightmare Windows Print Spooler
    vulnerability.

ProxyLogon: MS Exchange
    Performs remote and local checks to detect Microsoft Exchange Server vulnerabilities
    related to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Ransomware Ecosystem
    Performs local and remote checks for common ransomware vulnerabilities.

Ripple20 Remote Scan
    Detects hosts running the Treck stack in the network, which may be affected by Ripple20
    vulnerabilities.

Solarigate
    Detects SolarWinds Solorigate vulnerabilities using remote and local checks.

Spectre and Meltdown
    Performs remote and local checks for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

WannaCry Ransomware
    Scans for the WannaCry ransomware (MS17-010).

Zerologon Remote Scan
    Detects Microsoft Netlogon elevation of privilege vulnerability (Zerologon).

Tenable-Provided Tenable Nessus Agent Templates


There are two agent template categories in Tenable Vulnerability Management:

• Vulnerability Scans — Tenable recommends using vulnerability scan templates for most of
your organization's standard, day-to-day scanning needs.

• Inventory Collection — Unlike standard Tenable Nessus Agent vulnerability scans, the Collect
Inventory template uses Tenable's Frictionless Assessment technology to provide faster scan
results and reduce the scan's system footprint. Agent-based inventory scans gather basic
information from a host and upload it to Tenable Vulnerability Management. Then, Tenable
Vulnerability Management analyzes the information against missing patches and
vulnerabilities as Tenable releases coverage. This reduces the performance impact on the
target host while also reducing the time it takes for an analyst to see the impact of a recent
patch.

Note: If a plugin requires authentication or settings to communicate with another system, the
plugin is not available on agents. This includes, but is not limited to:
• Patch management
• Mobile device management
• Cloud infrastructure audit
• Database checks that require authentication

The following table describes the available Tenable Nessus Agent templates:

Template Description

Vulnerability Scans

Advanced Agent Scan: An agent scan without any recommendations, so that you can fully
customize the scan settings. In Tenable Vulnerability Management, the
Advanced Agent Scan template allows for two scanning methods:

• Scan Window - Specify the timeframe during which the agent must
report to be included and visible in vulnerability reports.

• Triggered Scans - Provide the agent with specific criteria that
indicate when to launch a scan. The agent launches the scan when
one (or more) of the criteria are met. For more information, see Basic
Settings in the Tenable Vulnerability Management User Guide.

Note: When you create an agent scan using the Advanced Agent Scan template,
you must also select the plugins you want to use for the scan.

Agent Log4Shell: Agent detection of Apache Log4j CVE-2021-44228.

Basic Agent Scan: Scans systems connected via Tenable Nessus Agents.

Malware Scan: Scans for malware on systems connected via Tenable Nessus Agents.

Tenable Nessus Agent detects malware using a combined allow list and
block list approach to monitor known good processes, alert on known bad
processes, and identify coverage gaps between the two by flagging unknown
processes for further inspection.

Policy Compliance Auditing: Audits system configurations against a known baseline for systems
connected via Tenable Nessus Agents.

The compliance checks can audit against custom security policies, such as
password complexity, system settings, or registry values on Windows
operating systems. For Windows systems, the compliance audits can test
for a large percentage of anything that can be described in a Windows policy
file. For Unix systems, the compliance audits test for running processes,
user security policy, and content of files.

SCAP and OVAL Agent Auditing: Audits systems using SCAP and OVAL definitions for systems connected via
Tenable Nessus Agents.

The National Institute of Standards and Technology (NIST) Security Content
Automation Protocol (SCAP) is a set of policies for managing vulnerabilities
and policy compliance in government agencies. It relies on multiple open
standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

• SCAP compliance auditing requires sending an executable to the
remote host.

• Systems running security software (for example, McAfee Host
Intrusion Prevention) may block or quarantine the executable required
for auditing. For those systems, you must make an exception for either
the host or the executable sent.

• When using the SCAP and OVAL Auditing template, you can perform
Linux and Windows SCAP CHECKS to test compliance standards as
specified in NIST’s Special Publication 800-126.

Inventory Collection

Collect Inventory: Scans a compiled inventory via Frictionless Assessment Tenable Nessus
Agents.

The Collect Inventory agent scan template uses Frictionless Assessment to
provide faster scan results and a reduced system footprint. It does so by
performing vulnerability checks via Frictionless Assessment, while the agent
only performs checks that collect asset information (for example, installed
software and IP addresses). This scanning method is sometimes referred to
as inventory scanning in the Tenable Vulnerability Management user
interface and documentation.

Collect Inventory scans provide coverage for:

• RedHat local security checks

• CentOS local security checks

• Amazon Linux local security checks

• Debian local security checks

• Fedora local security checks

• SUSE local security checks

• Ubuntu local security checks

• Windows/Microsoft bulletin checks (All Windows roll-up checks since
2017)

Collect Inventory scans do not currently provide coverage for:

• Malware and compliance checks

• Third-party Linux application detection (for example, Apache HTTP or
Postgres) for instances not installed via dpkg or rpm

• Third-party Windows applications (for example, Google Chrome or
Mozilla Firefox)

• Microsoft product Patch Tuesday updates (for example, Exchange or
Sharepoint)

Tenable-Provided Tenable Web App Scanning Templates


The following table describes the available Tenable Web App Scanning scan templates:

Template Description

API: A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs
described via an OpenAPI (Swagger) specification file. File attachment size is
limited to 1 MB.

Tip: If the API you want to scan requires keys or a token for authentication, you
can add the expected custom headers in the Advanced settings in the HTTP
Settings section.

Note: The API scan template is available as a public beta. Its functionality is
subject to change as ongoing improvements are made throughout the beta period.

Note: API scans support only one target at a time.

Config Audit: A high-level scan that analyzes HTTP security headers and other externally
facing configurations on a web application to determine if the application is
compliant with common security industry standards.

If you create a scan using the Config Audit scan template, Tenable Web App
Scanning analyzes your web application only for plugins related to security
industry standards compliance.

Log4Shell: Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local
checks.

Overview: A high-level preliminary scan that determines which URLs in a web application
Tenable Web App Scanning scans by default.

The Overview scan template does not analyze the web application for active
vulnerabilities. Therefore, this scan template does not offer as many plugin
family options as the Scan template.

PCI: A scan that assesses web applications for compliance with Payment Card
Industry Data Security Standards (PCI DSS) for Tenable PCI ASV.

Quick Scan: A high-level scan similar to the Config Audit scan template that analyzes
HTTP security headers and other externally facing configurations on a web
application to determine if the application is compliant with common security
industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan template, Tenable Vulnerability
Management analyzes your web application only for plugins related to security
industry standards compliance.

Scan: A comprehensive scan that assesses web applications for a wide range of
vulnerabilities.

The Scan template provides plugin family options for all active web
application plugins.

If you create a scan using the Scan template, Tenable Web App Scanning
analyzes your web application for all plugins that the scanner checks for when
you create a scan using the Config Audit, Overview, or SSL TLS templates, as
well as additional plugins to detect specific vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a
web application and takes longer to complete than other Tenable Web App
Scanning scans.

SSL TLS: A scan to determine if a web application uses SSL/TLS public-key encryption
and, if so, how the encryption is configured.

When you create a scan using the SSL TLS template, Tenable Web App
Scanning analyzes your web application only for plugins related to SSL/TLS
implementation. The scanner does not crawl URLs or assess individual pages
for vulnerabilities.

User-Defined Templates

Required Template Permissions: Owner

Tenable provides a variety of scan templates for specific scanning purposes. If you want to
customize a Tenable-provided scan template and share it with other users, you can create a user-
defined scan template.

For information about any scan settings, see Scan Settings.

You can create, edit, copy, export, or delete user-defined Tenable Vulnerability Management and
Tenable Web App Scanning Scan templates from the Scans page. You can also import and export
Tenable Vulnerability Management scan templates.

To manage your user-defined scan templates:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. Below Scan Templates, choose to view Vulnerability Management Scan Templates or Web
Application Scan Templates.

The scan template table updates based on your selection.

Click a template to view or edit its settings and parameters, or use the following procedures to
further manage your user-defined templates:

Create a user-defined template

You can create user-defined scan templates to save and share custom scan settings with other
Tenable Vulnerability Management users.

When you define a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

To create a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Create Template button.

The Select a Template page appears.

5. Click the tile for the template you want to use as the base for your user-defined scan
template.

The Create a Template page appears.

6. Do one of the following:

• If you are creating a Tenable Vulnerability Management scan template, use the following
procedure:

a. Configure the scan template:

Tab Action

Settings: Configure the settings available in the scan template.

  • Basic Settings — Specifies the organizational and security-related aspects of a scan
  template. This includes specifying the name of the scan, its targets, whether you want to
  schedule the scan, and who has permissions for the scan.

  • Discovery Settings — Specifies how a scan performs discovery and port scanning.

  • Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what
  vulnerabilities are identified. This includes identifying malware, assessing the
  vulnerability of a system to brute force attacks, and the susceptibility of web
  applications.

  • Report Settings — Specifies whether the scan generates a report.

  • Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials: Specify credentials you want Tenable Vulnerability Management to use to
perform a credentialed scan.

Compliance/SCAP: Specify the platforms you want to audit. Tenable, Inc. provides best
practice audits for each platform. Additionally, you can upload a custom audit file.

Plugins: Select security checks by plugin family or individual plugin.

• If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Configure the scan:

Tab Action

Settings: Configure the settings available in the scan template. For more information, see
Basic Settings in Tenable Web App Scanning Scans.

Scope: Specify the URLs and file types that you want to include in or exclude from your scan.
For more information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment: Specify how a scan identifies vulnerabilities and what vulnerabilities the scan
identifies. This includes identifying malware, assessing the vulnerability of a system to brute
force attacks, and the susceptibility of web applications. For more information, see
Assessment Settings in Tenable Web App Scanning Scans.

Advanced: Specify advanced controls for scan efficiency.

Credentials: Specify credentials you want Tenable Vulnerability Management to use to
perform a credentialed scan.

Plugins: Select security checks by plugin family or individual plugin.

7. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of scan templates on the Scan Templates page.

Edit a user-defined template

Required Template Permissions: Can Configure

To edit a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scan templates table, click the scan template you want to edit.

The Edit a Scan Template page appears.

7. Do one of the following:

• If you are editing a Tenable Vulnerability Management scan template, use the following
procedure:

a. Configure the scan template options:

Tab Action

Settings: Configure the settings available in the scan template.

  • Basic Settings — Specifies the organizational and security-related aspects of a scan
  template. This includes specifying the name of the scan, its targets, whether you want to
  schedule the scan, and who has permissions for the scan.

  • Discovery Settings — Specifies how a scan performs discovery and port scanning.

  • Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what
  vulnerabilities are identified. This includes identifying malware, assessing the
  vulnerability of a system to brute force attacks, and the susceptibility of web
  applications.

  • Report Settings — Specifies whether the scan generates a report.

  • Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials: Specify credentials you want Tenable Vulnerability Management to use to
perform a credentialed scan.

Compliance/SCAP: Specify the platforms you want to audit. Tenable, Inc. provides best
practice audits for each platform. Additionally, you can upload a custom audit file.

Plugins: Select security checks by plugin family or individual plugin.

• If you are editing a Tenable Web App Scanning scan template, use the following
procedure:

a. Configure the scan template options:

Tab Action

Settings: Configure the settings available in the scan template. For more information, see
Basic Settings in Tenable Web App Scanning Scans.

Scope: Specify the URLs and file types that you want to include in or exclude from your scan.
For more information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment: Specify how a scan identifies vulnerabilities and what vulnerabilities the scan
identifies. This includes identifying malware, assessing the vulnerability of a system to brute
force attacks, and the susceptibility of web applications. For more information, see
Assessment Settings in Tenable Web App Scanning Scans.

Advanced: Specify advanced controls for scan efficiency.

Credentials: Specify credentials you want Tenable Vulnerability Management to use to
perform a credentialed scan.

Plugins: Select security checks by plugin family or individual plugin.

8. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of templates on the Scan Templates page.

Copy a user-defined template

When you copy a user-defined scan template, Tenable Vulnerability Management assigns you owner
permissions for the copy. You can share the copy by assigning template permissions to other users,
but only you can delete the copied scan template.

To copy a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scans table, roll over the scan you want to launch.

7. In the row, click the button.

A menu appears.

8. In the menu, click the button.

A Template copied message appears. Tenable Vulnerability Management creates a copy of
the scan template with Copy of prepended to the name and assigns you owner permissions for
the copy. The copy appears in the scan templates table.

Export a user-defined template (Tenable Vulnerability Management only)

You can export a user-defined scan template for later import.

Note: Tenable Vulnerability Management does not export passwords, credentials, and file-based settings
(for example, .audit files and the SSH known_hosts file) in user-defined scan templates.

To export a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the scans table, roll over the scan template you want to export.

7. In the row, click the button.

A menu appears.

8. In the row, click the button.

Tenable Vulnerability Management exports the user-defined scan template as a .nessus file.

Note: To learn more about the .nessus file format, see Nessus File Format.

Import a user-defined template (Tenable Vulnerability Management only)

When you import a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

Tenable Vulnerability Management does not include passwords or compliance audit files in exported
user-defined scan templates. You must add these settings in manually after importing the scan
template.

To import a user-defined scan template:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. In the upper-right corner of the page, click the Import button.

Your file manager appears.

7. Select the scan template you want to import.

8. Click Open.

A Template uploaded message appears, and the scan template appears on the Scan
Templates page.

What to do next:

• As needed, add passwords and compliance audit files to the imported template.
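
A pre-import check for the export and import notes above, as an added example that is not part of the Tenable guide: it lists the password and file-based settings that must be re-entered after import and flags any that still carry a value before the file is shared. The element names (item, pluginName, preferenceName, preferenceType, selectedValue) assume the Nessus v2 export layout, and the sample file and its setting names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed Nessus v2 layout; not from a real tenant.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Policy>
    <policyName>Linux credentialed baseline</policyName>
    <Preferences>
      <PluginsPreferences>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH user name</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>svc_scan</selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH password</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue></selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH known_hosts file</preferenceName>
          <preferenceType>file</preferenceType>
          <selectedValue></selectedValue>
        </item>
        <item>
          <pluginName>Database settings</pluginName>
          <preferenceName>Database password</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue>Constructed-Secret-1</selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>
"""

# Preference types the export is expected to leave empty (assumed type names).
SENSITIVE_TYPES = {"password", "file"}


def review_export(xml_text):
    """Return the sensitive settings in an exported template, split into
    're_enter' (empty, must be added after import) and 'leaked' (still
    carry a value). Only setting names are returned, never the values."""
    # Template files get passed around; refuse DTDs and entity definitions
    # instead of letting the parser expand them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found; refusing to parse")

    root = ET.fromstring(xml_text)
    re_enter, leaked = [], []
    for item in root.iter("item"):
        ptype = (item.findtext("preferenceType") or "").strip().lower()
        if ptype not in SENSITIVE_TYPES:
            continue
        plugin = (item.findtext("pluginName") or "?").strip()
        name = (item.findtext("preferenceName") or "?").strip()
        value = (item.findtext("selectedValue") or "").strip()
        label = "{} / {}".format(plugin, name)
        if value:
            leaked.append(label)
        else:
            re_enter.append(label)
    return {"re_enter": re_enter, "leaked": leaked}


if __name__ == "__main__":
    report = review_export(SAMPLE_EXPORT)
    for label in report["re_enter"]:
        print("re-enter after import:", label)
    for label in report["leaked"]:
        print("STILL HOLDS A VALUE  :", label)
```
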

Delete a user-defined template

If you delete a user-defined scan template, Tenable Vulnerability Management deletes it from all
user accounts.

Before you begin:

• Delete any scans that use the template you want to delete. You cannot delete a scan template
if a scan is using the template.

To delete a user-defined scan template or templates:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

4. In the upper-right corner of the page, click the Tools button.

A menu appears.

5. Select Manage Scan Templates.

The Scan Templates page appears.

6. Select the scan template or templates you want to delete:

• Select a single scan template:

a. In the scans table, roll over the scan you want to launch.

b. In the row, click the button.

A menu appears.

c. In the menu, click the button.

A confirmation window appears.

• Select multiple scan templates:

a. In the scan templates table, select the check box for each scan template you want
to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

7. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the user-defined scan template or templates you
selected.

Change user-defined template ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Template Permissions: Owner

To change the ownership of a user-defined scan template in the new interface:

1. Edit a user-defined template.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

4. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

5. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

6. (Optional) Edit permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

7. Click Save.

Tenable assigns ownership to the selected user and assigns your user account the
permissions you selected. If you removed all permissions for your user account from the
template, the template no longer appears in the templates table.

Scan Settings
Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Scan settings are organized into the following categories:

Tenable Vulnerability Management Scans

• Basic Settings in User-Defined Templates
• Basic Settings in Tenable Vulnerability Management Scans
• Discovery Settings in Tenable Vulnerability Management Scans
• Assessment Settings in Tenable Vulnerability Management Scans
• Report Settings in Tenable Vulnerability Management Scans
• Advanced Settings in Tenable Vulnerability Management Scans
• Credentials in Tenable Vulnerability Management Scans
• Compliance in Tenable Vulnerability Management Scans
• SCAP Settings in Tenable Vulnerability Management Scans
• Configure Plugins in Tenable Vulnerability Management Scans

Tenable Web App Scanning Scans

• Basic Settings in User-Defined Templates
• Basic Settings in Tenable Web App Scanning Scans
• Scope Settings in Tenable Web App Scanning Scans
• Report Settings in Tenable Web App Scanning Scans
• Assessment Settings in Tenable Web App Scanning Scans
• Advanced Settings in Tenable Web App Scanning Scans
• Credentials in Tenable Web App Scanning Scans
• Plugin Settings in Tenable Web App Scanning Scans

Settings in User-Defined Templates


When configuring settings for user-defined templates, note the following:

• If you configure a setting in a user-defined template, that setting applies to any scans you
create based on that user-defined template.

• You base a user-defined template on a Tenable-provided template. Most of the settings are
identical to the settings you can configure in an individual scan that uses the same
Tenable-provided template.

However, certain Basic settings are unique to creating a user-defined template, and do not
appear when configuring an individual scan. For more information, see Basic Settings in
User-Defined Templates.

• You can configure certain settings in a user-defined template, but cannot modify those
settings in an individual scan based on a user-defined template. These settings include
Discovery, Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to
modify these settings for individual scans, create individual scans based on a
Tenable-provided template instead.

• If you configure Credentials in a user-defined template, other users can override these
settings by adding scan-specific or managed credentials to scans based on the template.

Tenable Vulnerability Management Scan Settings


Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Tenable Vulnerability Management scan settings are organized into the following categories:

• Basic Settings in User-Defined Templates

• Basic Settings in Tenable Vulnerability Management Scans

• Discovery Settings in Tenable Vulnerability Management Scans

• Assessment Settings in Tenable Vulnerability Management Scans

• Report Settings in Tenable Vulnerability Management Scans

• Advanced Settings in Tenable Vulnerability Management Scans

• Credentials in Tenable Vulnerability Management Scans

• Compliance in Tenable Vulnerability Management Scans

• SCAP Settings in Tenable Vulnerability Management Scans

• Configure Plugins in Tenable Vulnerability Management Scans

Settings in User-Defined Templates


When configuring settings for user-defined templates, note the following:

• If you configure a setting in a user-defined template, that setting applies to any scans you
create based on that user-defined template.

• You base a user-defined template on a Tenable-provided template. Most of the settings are
identical to the settings you can configure in an individual scan that uses the same
Tenable-provided template.

However, certain Basic settings are unique to creating a user-defined template, and do not
appear when configuring an individual scan. For more information, see Basic Settings in
User-Defined Templates.

• You can configure certain settings in a user-defined template, but cannot modify those
settings in an individual scan based on a user-defined template. These settings include
Discovery, Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to
modify these settings for individual scans, create individual scans based on a
Tenable-provided template instead.

• If you configure Credentials in a user-defined template, other users can override these
settings by adding scan-specific or managed credentials to scans based on the template.

Basic Settings in Tenable Vulnerability Management Scans

Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-
defined templates, see Basic Settings in User-Defined Templates.

You can use Basic settings to specify organizational and security-related aspects of a scan
configuration. This includes specifying the name of the scan, its targets, whether the scan is
scheduled, and who has access to the scan.

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

The Basic settings include the following sections:

• General

• Schedule

• Notifications

• User Permissions

General
The general settings for a scan.

Setting Default Value Description

Name None Specifies the name of the scan.

Description None (Optional) Specifies a description of the scan.

Scan Results Show in Specifies whether the results of the scan should
dashboard appear in workbenches, dashboards, and reports, or
be kept private.

When set to Keep private, the scan results Last Seen


dates do not update and you must access the scan
directly to view the results.

Private scan results do not show new Active findings


in the workbenches, dashboards, and reports, and
they do not transition the vulnerability states of
previously discovered findings to Fixed or

- 320 -
Resurfaced.

Note: Show in dashboard is always enabled for


triggered scans.

Folder My Scans Specifies the folder where the scan appears after
being saved.

You cannot specify a folder when you launch a


remediation scan. All remediation scans appear in the
Remediation Scans folder only.

Agent Groups None (Tenable Nessus Agent templates only) Specifies the
agent group or groups you want the scan to target. In
the drop-down box, select an existing agent group, or
create a new agent group.

Scanner Type Internal Scanner Specifies whether a local, internal scanner or a cloud-
managed scanner performs the scan, and determines
whether the Scanner field lists local or cloud-
managed scanners to choose from.

Scanner Auto-Select Specifies the scanner that performs the scan.

Select a scanner based on the location of the targets
you want to scan. For example:

l Select a linked scanner to scan non-routable
IP addresses.

Note: Auto-select is not available for cloud
scanners.

l Select a scanner group if you want to:

o Improve scan speed by balancing the scan
load among multiple scanners.
o Rebuild scanners and link new scanners in
the future without having to update
scanner designations in scan
configurations.

l Select Auto-Select to enable scan routing for
the targets.

Tags None Select one or more tags to scan all assets that have
any of the specified tags applied. To see a list of
assets identified by the specified tags, click View
Assets.

IP Selection Internal (Required) Select whether to run a tag-based scan on
Internal or External IP addresses.

l Internal — RFC 1918 (private) IP addresses.

l External — Non-RFC 1918 (public) IP addresses.

Note: You can use your organization's non-cloud
scanners to scan both Internal and External targets.
Cloud scanners can only be used to scan External
targets.

Tip: If you need to scan both External and Internal
targets with the same tag or tags, create two different
scan configurations; one scan that targets External IPs,
and one scan that targets Internal IPs.

Tenable Vulnerability Management evaluates the
identifiers to determine a single target in the following
order:

1. Last scan target

2. Most recent IPv4

3. Most recent IPv6

4. Most recent FQDN added

Note: Scan routing is available for linked scanners only.

Use Tag Rules as Targets Existing tagged assets only (Required) Specifies whether Tenable Vulnerability
Management scans tagged assets only, or any assets
to which the selected tags' rules apply.

l Existing tagged assets only — Tenable
Vulnerability Management scans all existing
assets that have any of the specified tags
applied.

l Targets defined by tags — Tenable Vulnerability
Management scans all assets whose IP address
or DNS matches the rules of the specified tag.
The Targets defined by tags option only works
for the following tag rules: IPv4, IPv6, and DNS.

Note: If you select the Match All filter, you
can have only one tag rule. Otherwise, the
tag resolves to empty targets.
If you select the Match Any filter, you are
allowed to have more than one tag rule. All
tag rules resolve as targets as long as the
rules are for IPv4, IPv6, and DNS.

For example, you create a scan policy that scans for a
tag with a tag rule that specifies a certain IPv4 range.
The example tag name is My IPv4s.

l If you choose Existing tagged assets only,
Tenable Vulnerability Management only scans
assets that are already tagged with the My IPv4s
tag.

l If you choose Targets defined by tags, Tenable
Vulnerability Management scans any assets
whose IPv4 addresses are within the range
specified in the My IPv4s tag rule.

For more information about tags and tag rules, see
Tags and Tag Rules.

Scan Window Disabled (Tenable Nessus Scanner templates only) Specifies
the timeframe after which the scan automatically
stops. Use the drop-down box to select an interval of
time, or click to type a custom scan window.

Note: The scan window timeframe only applies to the
scan job. After the scan job completes within the
timeframe, or once the scan job stops due to the scan
window ending, Tenable Vulnerability Management may
still need to index the scan job. This can cause the scan
not to show as Completed after the scan window is
complete. Once Tenable Vulnerability Management
indexes the scan, it shows as Completed.

Scan Type Scan Window (Tenable Nessus Agent templates only) (Required)
Specifies whether the agent scans occur based on a
scan window or triggers:

l Scan Window — Specifies the timeframe during
which agents must report in order to be included
and visible in vulnerability reports. Use the drop-
down box to select an interval of time, or click
to type a custom scan window.

Window scans must be explicitly launched or
scheduled to launch at a particular time.

l Triggered Scan — Specifies the triggers that
cause agents to report in. Use the drop-down
boxes to select from the following trigger types:

l Interval — The time interval (hours)
between each scan (for example, every 12
hours).

l File Name — The file name that triggers
the agent scan. The scan triggers when the
file name is detected in the trigger
directory.

Tip: You can set multiple triggers for a single
scan, and the scan searches for the triggers in
their listed order (in other words, if the first
trigger does not trigger the scan, it searches for
the second trigger).

To learn more about triggered agent scanning,
see Triggered Agent Scans.

Info-level Reporting Triggered agent scans — After 10 scans
Scan Window agent scans — After 10 days

Note: Tenable highly recommends using the default values.
Only lower the value if doing so is necessary for your
organization.

(Tenable Nessus Agent vulnerability templates only)
(Required) Specifies how often the agent scan should
report unchanged Info-severity vulnerability findings.
To learn more about this setting, see Info-level
Reporting.

You can configure the agent scan to report all severity
findings by launching a new baseline scan after one of
the following intervals:

l After number of scans — The agent scan
reports all findings every x number of scans. You
choose from the following increments: 7, 10, 15,
or 20 scans.

l After number of days — The agent scan reports
all findings after a set number of days after the
previous day on which the agent scan last
reported all findings. You choose from the
following increments: 7, 10, 20, 30, 60, or 90
days.

You can only set triggered agent scans to After
number of scans. You can set Scan Window
scans to either After number of scans or After
number of days.

Target Groups None You can select or add a new target group to which the
scan applies. Assets in the target group are used as
scan targets.

Note: Tenable plans to deprecate target groups in the
near future. Currently, you can still create and manage
target groups. However, Tenable recommends that you
instead use tags to group and scan assets on your
Tenable Vulnerability Management instance.

Targets None Specifies one or more targets to be scanned. If you
select a target group or upload a target file, you are
not required to specify additional targets.

Targets can be specified using a number of different
formats.

The targets you specify must be appropriate to the
scanner you select for the scan. For example, cloud
scanners cannot scan non-routable IP addresses.
Select an internal scanner instead.

Tip: You can force Tenable Vulnerability Management to
use a given hostname for a server during a scan by using
the hostname[ip] syntax (for example,
www.example.com[192.168.1.1]). However, you
cannot use this approach if you enable scan routing for
the scan.

Note: You cannot apply more than 300,000 IP address
targets to a scan. To learn more about scan limitations
in Tenable Vulnerability Management, see Scan
Limitations.

Note: See Permissions for more information on how
permissions affect targets.

Upload Targets None Uploads a text file that specifies the targets.

The targets file must be formatted in the following
manner:

l ASCII file format

l Only one target per line

l No extra spaces at the end of a line

l No extra lines following the last target

Note: Unicode/UTF-8 encoding is not supported.

Policy None This setting appears only when the scan owner edits
an existing scan that is based on a user-defined scan
template.

Note: After scan creation, you cannot change the
Tenable-provided scan template on which a scan is
based.

In the drop-down box, select a user-defined scan
template on which to base the scan. You can select
user-defined scan templates for which you have Can
View or higher permissions.

In most cases, you set the user-defined scan template
at scan creation, then keep the same template each
time you run the scan. However, you may want to
change the user-defined scan template when
troubleshooting or debugging a scan. For example,
changing the template makes it easy to enable or
disable different plugin families, change performance
settings, or apply dedicated debugging templates with
more verbose logging.

When you change the user-defined scan template for
a scan, the scan history retains the results of scans
run under the previously assigned template.
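
The four format rules listed under Upload Targets can be checked locally before the file is uploaded. The following is an added example, not Tenable code: a linter for those rules. The function name, the sample files, and the treatment of a single final newline and of CRLF line endings are assumptions.

```python
"""Lint a targets upload file against the stated format rules (added example)."""


def lint_targets_file(data):
    """Return a list of (line_number, problem); line 0 means the file as a whole."""
    problems = []
    # Rule: ASCII file format; Unicode/UTF-8 encoding is not supported.
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append((0, "UTF-8 byte order mark: the file is not plain ASCII"))
        data = data[3:]
    if not data.strip():
        problems.append((0, "file contains no targets"))
        return problems

    # Assumption: one final newline ends the last target and is not an "extra line".
    body = data[:-1] if data.endswith(b"\n") else data
    # Assumption: CRLF endings are tolerated, so one trailing CR is dropped per line.
    lines = [ln[:-1] if ln.endswith(b"\r") else ln for ln in body.split(b"\n")]

    # Index of the last line that actually holds a target.
    last_target = len(lines)
    while last_target and not lines[last_target - 1].strip():
        last_target -= 1

    for number, raw in enumerate(lines, start=1):
        if number > last_target:
            # Rule: no extra lines following the last target.
            problems.append((number, "extra line after the last target"))
            continue
        if not raw.strip():
            problems.append((number, "empty line: no target"))
            continue
        if any(byte > 0x7F for byte in raw):
            problems.append((number, "non-ASCII byte: Unicode/UTF-8 is not supported"))
        if raw != raw.rstrip(b" \t"):
            # Rule: no extra spaces at the end of a line.
            problems.append((number, "trailing whitespace"))
        if b"," in raw:
            # Rule: only one target per line (commas separate targets in the UI field).
            problems.append((number, "more than one target on the line"))
    return problems


# Constructed sample files (not from the original guide).
GOOD = b"192.168.0.1\n192.168.0.0/24\nwww.example.com[192.168.1.1]\n"
BAD = b"192.168.0.1 \n10.0.0.1, 10.0.0.2\nb\xc3\xbccher.example\n10.0.0.9\n\n\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name)
        for number, problem in lint_targets_file(sample) or [(0, "no problems")]:
            print(f"  line {number}: {problem}")
```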

Schedule
The scan schedule settings.

By default, scans are not scheduled. When you first access the Schedule section, the Enable
Schedule setting appears, set to Off. To modify the settings listed on the following table, click the
Off button. The rest of the settings appear.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.

Setting Default Value Description

Frequency Once Specifies how often the scan is launched.

l Once: Schedule the scan at a specific time.

l Daily: Schedule the scan to occur every 1-20
days, at a specific time.

l Weekly: Schedule the scan to occur every 1-20
weeks, by time and day or days of the
week.

l Monthly: Schedule the scan to occur every 1-20
months, by:

l Day of Month: The scan repeats monthly
on a specific day of the month at the
selected time. For example, if you select
a start date of October 3, the scan
repeats on the 3rd of each subsequent
month at the selected time.

l Week of Month: The scan repeats
monthly on a specific day of the week.
For example, if you select a start date of
the first Monday of the month, the scan
runs on the first Monday of each
subsequent month at the selected time.

Note: If you schedule your scan to recur
monthly and by time and day of the month,
Tenable recommends setting a start date no
later than the 28th day. If you select a start
date that does not exist in some months (for
example, the 29th), Tenable Vulnerability
Management cannot run the scan on those
days.

l Yearly: Schedule the scan to occur every 1-20
years, by time and date.

Starts Varies Specifies the exact date and time when a scan
launches.

The starting date defaults to the date when you are
creating the scan. The starting time is the nearest
half-hour interval. For example, if you create your
scan on 09/08/2023 at 9:16 AM, the default starting
date and time is set to 09/08/2023 and 09:30.

Timezone Zulu Specifies the timezone of the value set for Starts.

Repeat Every Varies Specifies the interval at which a scan is relaunched.
The default value of this item varies based on the
frequency you choose.

Repeat On Varies Specifies what day of the week a scan repeats. This
item appears only if you specify Weekly for
Frequency.

The value for Repeat On defaults to the day of the
week on which you create the scan.

Repeat By Day of the Month Specifies when a monthly scan is relaunched. This
item appears only if you specify Monthly for
Frequency.

Summary N/A Provides a summary of the schedule for your scan
based on the values you have specified for the
available settings.

Notifications
The notification settings for a scan.

Setting Default Value Description

Email Recipient(s) None Specifies zero or more email addresses (separated by commas)
that are alerted when a scan completes and the results are
available.

Result Filters None Defines the type of information to be emailed.

User Permissions
You can share the scan with other users by setting permissions for users or groups. When you
assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

Can View Groups and users with this permission can view the results of the scan,
export the scan results, and move the scan to the Trash folder. They cannot
view the scan configuration or permanently delete the scan.

Can Execute In addition to the tasks allowed by Can View, groups and users with this
permission can launch, pause, and stop a scan. They cannot view the scan
configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Can Edit In addition to the tasks allowed by Can Execute, groups and users with this
permission can view the scan configuration and modify any setting for the
scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

l A basic user cannot run a scan or configure a scan, regardless of
the permissions assigned to that user in the individual scan.
l An administrator always has the equivalent of Can Edit permissions,
regardless of the permissions set for the administrator account in
the individual scan. This does not apply to user-defined scan
templates.

Basic Settings in User-Defined Templates

Note: This topic describes Basic settings you can set in user-defined templates. For Basic settings in
individual scans, see Basic Settings in Tenable Vulnerability Management Scans.

You can use Basic settings to specify basic aspects of a user-defined template, including who has
access to the user-defined template.

The Basic settings include the following sections:

l General

l Permissions

General
The general settings for a user-defined template.

Setting Default Value Description

Name None Specifies the name of the user-defined template.

Description None (Optional) Specifies a description of the user-defined
template.

Permissions
You can share the user-defined template with other users by setting permissions for users or
groups. When you assign a permission to a group, that permission applies to all users within the
group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

Can View Groups and users with this permission can view the results of the scan,
export the scan results, and move the scan to the Trash folder. They cannot
view the scan configuration or permanently delete the scan.

Can Execute In addition to the tasks allowed by Can View, groups and users with this
permission can launch, pause, and stop a scan. They cannot view the scan
configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Can Edit In addition to the tasks allowed by Can Execute, groups and users with this
permission can view the scan configuration and modify any setting for the
scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

l A basic user cannot run a scan or configure a scan, regardless of
the permissions assigned to that user in the individual scan.
l An administrator always has the equivalent of Can Edit permissions,
regardless of the permissions set for the administrator account in
the individual scan. This does not apply to user-defined scan
templates.

Authentication
In user-defined templates, you can use Authentication settings to configure the authentication
Tenable Vulnerability Management performs for credentialed scanning.

Tip: The Authentication settings are equivalent to the Scan-wide Credential Type Settings in Tenable-
provided scan templates.

Setting Default Value Description

SNMPv1/v2c

equivalent to Scans > Credentials > Plaintext Authentication > SNMPv1/v2c

UDP Port 161 Ports where Tenable Vulnerability Management
attempts to authenticate on the host device.

Additional UDP port #1 161

Additional UDP port #2 161

Additional UDP port #3 161

HTTP

equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Login method POST Specify if the login action is performed via a GET or
POST request.

Re-authenticate delay (seconds) 0 The time delay between authentication attempts.
Setting a time delay is useful to avoid triggering brute
force lockout mechanisms.

Follow 30x redirections (# of levels) 0 If a 30x redirect code is received from a web server,
this setting directs Tenable Vulnerability Management
to follow the link provided or not.

Invert authenticated regex Disabled A regex pattern to look for on the login page, that if
found, tells Tenable Vulnerability Management that
authentication was not successful (e.g., Authentication
failed!).

Use authenticated regex on HTTP headers Disabled Rather than search the body of a response, Tenable
Vulnerability Management can search the HTTP
response headers for a given regex pattern to better
determine authentication state.

Case insensitive authenticated regex Disabled The regex searches are case sensitive by default. This
instructs Tenable Vulnerability Management to ignore
case.

telnet/rsh/rexec

equivalent to Scans > Credentials > Plaintext Authentication > telnet/ssh/rexec

Perform patch audits over telnet Disabled Tenable Vulnerability Management uses telnet to
connect to the host device for patch audits.

Perform patch audits over rsh Disabled Tenable Vulnerability Management uses rsh to connect
to the host device for patch audits.

Perform patch audits over rexec Disabled Tenable Vulnerability Management uses rexec to
connect to the host device for patch audits.

Windows

equivalent to Scans > Credentials > Host > Windows

Never send credentials in the clear Enabled By default, for security reasons, this option is enabled.

Do not use NTLMv1 authentication Enabled If the Do not use NTLMv1 authentication option is
disabled, then it is theoretically possible to trick
Tenable Vulnerability Management into attempting to
log into a Windows server with domain credentials via
the NTLM version 1 protocol. This provides the remote
attacker with the ability to use a hash obtained from
Tenable Vulnerability Management. This hash can be
potentially cracked to reveal a username or password.
It may also be used to directly log into other servers.
Force Tenable Vulnerability Management to use
NTLMv2 by enabling the Only use NTLMv2 setting at
scan time. This prevents a hostile Windows server from
using NTLM and receiving a hash. Because NTLMv1 is
an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan Disabled This option tells Tenable Vulnerability Management to
start the Remote Registry service on computers being
scanned if it is not running. This service must be
running in order for Tenable Vulnerability Management
to execute some Windows local check plugins.

Note: This option is disabled by default to improve
default scan performance. Additionally, enabling this
option can have implications depending on your network
security implementation. For example, certain access
control configurations for your network firewall might
blacklist your scanner for attempting to negotiate Server
Message Block Protocol (SMB protocol) connections.

Enable administrative shares during the scan Disabled This option allows Tenable Vulnerability Management to
access certain registry entries that can be read with
administrator privileges.

Note: This option is disabled by default to improve
default scan performance. Additionally, enabling this
option can have implications depending on your network
security implementation. For example, certain access
control configurations for your network firewall might
blacklist your scanner for attempting to negotiate Server
Message Block Protocol (SMB protocol) connections.

SSH

equivalent to Scans > Credentials > Host > SSH

known_hosts file None If you upload an SSH known_hosts file, Tenable
Vulnerability Management only attempts to log in to
hosts in this file. This can ensure that the same
username and password you are using to audit your
known SSH servers is not used to attempt to log in to a
system that may not be under your control.

Preferred port 22 The port on which SSH is running on the target system.

Client version OpenSSH_5.0 The type of SSH client Tenable Vulnerability
Management impersonates while scanning.

Attempt least privilege Cleared Enables or disables dynamic privilege escalation. When
enabled, Tenable Vulnerability Management attempts to
run the scan with an account with lesser privileges,
even if the Elevate privileges with option is enabled. If
a command fails, Tenable Vulnerability Management
escalates privileges. Plugins 101975 and 101976 report
which plugins ran with or without escalated privileges.

Note: Enabling this option may increase scan run time by
up to 30%.

Amazon AWS

equivalent to Scans > Credentials > Cloud Services > Amazon AWS

Regions to access Rest of the World In order for Tenable Vulnerability Management to audit
an Amazon AWS account, you must define the regions
you want to scan. Per Amazon policy, you need
different credentials to audit account configuration for
the China region than you do for the rest of the world.

Possible regions include:

l GovCloud — If you select this region, you
automatically select the government cloud (e.g.,
us-gov-west-1).

l Rest of the World — If you select this region, the
following additional options appear:

l us-east-1

l us-east-2

l us-west-1

l us-west-2

l ca-central-1

l eu-west-1

l eu-west-2

l eu-central-1

l ap-northeast-1

l ap-northeast-2

l ap-southeast-1

l ap-southeast-2

l sa-east-1

l China — If you select this region, the following
additional options appear:

l cn-north-1

l cn-northwest-1

HTTPS Enabled Whether Tenable Vulnerability Management
authenticates over an encrypted (HTTPS) or an
unencrypted (HTTP) connection.

Verify SSL Certificate Enabled Whether Tenable Vulnerability Management verifies the
validity of the SSL digital certificate.

Rackspace

equivalent to Scans > Credentials > Cloud Services > Rackspace

Location – Location of the Rackspace Cloud instance. Possible
locations include:

l Dallas-Fort Worth (DFW)

l Chicago (ORD)

l Northern Virginia (IAD)

l London (LON)

l Sydney (SYD)

l Hong Kong (HKG)

Microsoft Azure

equivalent to Scans > Credentials > Cloud Services > Amazon AWS

Subscription IDs – List subscription IDs to scan, separated by a comma. If
this field is blank, all subscriptions are audited.

Triggered Agent Scans

When you configure a Tenable Nessus Agent scan in Tenable Vulnerability Management, Tenable
Vulnerability Management offers two agent scan types: Scan Window and Triggered Scan.

For window scans, Tenable Vulnerability Management creates a timeframe (for example, the default
is three hours) in which an agent group must report in order to be included in the scan results. You
must schedule Tenable Vulnerability Management to launch a window scan at a scheduled time, or
you must manually launch the scan from the Tenable Vulnerability Management user interface (for
example, if you schedule a three-hour agent window scan for every Monday, Tenable Vulnerability
Management pulls data updates from the agent group for three hours every Monday).

Triggered scans differ from window agent scans in that the agent or agent group launches the scan
without any Tenable Vulnerability Management or user intervention. Agents can launch triggered
scans using three different methods:

l Interval trigger — Configure agents to scan at a certain time interval (for example, every 12
hours or every 24 hours).

l File Name trigger — Configure agents to scan whenever a file with a specific file name is
added to the agent trigger directory. The trigger file disappears after the scan begins. The
agent trigger directory location varies by operating system:

Operating System Location

Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers

macOS /Library/NessusAgent/run/var/nessus/triggers

Linux /opt/nessus_agent/var/nessus/triggers

l Nessuscli trigger — Launch an existing triggered scan manually by running the following
command in the Tenable Nessus Agent nessuscli utility:

# nessuscli scan-triggers --start --UUID=<scan-uuid>

You can also set multiple triggers for a single scan, and the scan searches for the triggers in their
listed order (in other words, if the first trigger does not trigger the scan, it searches for the second
trigger).

Triggered vs. Window Scans

Tenable recommends using triggered agent scans over window agent scans in many cases. Due to
the scanning independence from Tenable Vulnerability Management or user intervention and the
multiple trigger options, triggered scanning offers more flexibility to meet the needs of your
workflow, especially if you have a mobile workforce in multiple time zones.

Triggered scans can provide more consistent coverage than window scans and help overcome
connectivity issues between Tenable Vulnerability Management and linked agents. While window
scans can create gaps in data coverage due to unresponsive or offline agents, triggered scans allow
agents to scan and send data to Tenable Vulnerability Management whenever the triggers occur;
Tenable Vulnerability Management accepts and processes data from triggered scans at any time.

Tenable recommends using scan windows if you need to export individual scan results, as you can
only export triggered scan data by using the bulk vulnerability export API.

Find Triggered Scan Details

To view triggered scan results, see View Tenable Vulnerability Management Scan Details.

Note: For triggered scan histories, Tenable Vulnerability Management shows a scan history entry for each
12-hour window of the past 7 days. Tenable Vulnerability Management only retains up to 15 triggered scan
histories at a time for each scan.

In addition to managing triggered scans from Tenable Vulnerability Management, you can view
triggered scan details by running the following command in the Tenable Nessus Agent nessuscli
utility:

# nessuscli scan-triggers --list

The --list command returns the agent's triggered scan details. These details include:

l Scan name

l Status (for example, uploaded)

l Time of last activity (shown next to the status)

l Scan description

l Time of last policy modification

l Time of last run

l Scan trigger description

l Scan configuration template

For more information about the Tenable Nessus Agent nessuscli utility, see Nessuscli Agent
in the Tenable Nessus User Guide.

You can also view your agent trigger information in the agent trigger directory:

Operating System Location

Windows C:\ProgramData\Tenable\Nessus Agent\nessus\triggers

macOS /Library/NessusAgent/run/var/nessus/triggers

Linux /opt/nessus_agent/var/nessus/triggers

Scan Targets

In Tenable Vulnerability Management, you can use a number of different formats when specifying
targets for a scan. The following tables contain target formats, examples, and a short explanation of
what occurs when Tenable Vulnerability Management scans that target type.

Note: Tenable limits the number of targets that you can scan in a single scan. For more information, see
Scan Limitations.

Note: For previously scanned assets, you can configure scan targets based on host attributes like
operating system or installed software, instead of host identifiers like IP address.

Tip: If a hostname target looks like either a link6 target (starts with the text "link6") or one of the two IPv6
range forms, put single quotes around the target to ensure that Tenable Vulnerability Management
processes it as a hostname.

Target Description Example Explanation

A single IPv4 address 192.168.0.1 Scans the single IPv4 address.

A single IPv6 address 2001:db8::2120:17ff:fe56:333b Scans the single IPv6 address.

A single link local IPv6 address with a scope identifier fe80:0:0:0:216:cbff:fe92:88d0%eth0 Scans the single IPv6 address.
Note that you must use interface indexes, not interface
names, for the scope identifier on Windows platforms.

A list of IPv4 addresses 192.168.0.1, 192.168.0.32, 192.168.0.200, 192.168.0.255 Scans a list of different IPv4
addresses.

An IPv4 range with a start and end address 192.168.0.1-192.168.0.255 Scans all IPv4 addresses
between the start address and end address, including both
addresses.

An IPv4 address with the last octet range replaced with numeric ranges 192.168.0-1.3-5 Scans all combinations of the
values given in the octet ranges. In this example, scans:
192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.1.3,
192.168.1.4 and 192.168.1.5

An IPv4 subnet with CIDR notation 192.168.0.0/24 Scans all addresses within the
specified subnet. The address given is not the start address.
Specifying any address within the subnet with the same CIDR
scans the same set of hosts.

An IPv4 subnet with netmask notation 192.168.0.0/255.255.255.128 Scans all addresses within the
specified subnet. The address is not a start address.
Specifying any address within the subnet with the same
netmask scans the same hosts.

A host resolvable to either an IPv4 or an IPv6 address www.yourdomain.com Scans the single host.

If Tenable Vulnerability Management can resolve the
hostname to multiple addresses, Tenable Vulnerability
Management scans the first resolved IPv4 address or, if
Tenable Vulnerability Management cannot resolve an
IPv4 address, the first resolved IPv6 address.

A host resolvable to an IPv4 address with CIDR notation www.yourdomain.com/24 Resolves the hostname to an
IPv4 address, then scans all addresses within the specified
subnet.

Tenable Vulnerability Management treats this format
like any other IPv4 address with CIDR notation.

A host resolvable to an IPv4 address with netmask notation www.yourdomain.com/255.255.252.0 Resolves the hostname to an
IPv4 address, then scans all addresses within the specified
subnet.

Tenable Vulnerability Management treats this format
like any other IPv4 address with netmask notation.

The text 'link6' optionally followed by an IPv6 scope identifier link6 or link6%16 Scans all hosts that respond to
multicast ICMPv6 echo requests sent out on the interface
specified by the scope identifier to the ff02::1 address. If no IPv6
scope identifier is given, the requests are sent out on all
interfaces. Note that you must use interface indexes, not
interface names, for the scope identifier on Windows
platforms.

Some text with either a single IPv4 or IPv6 address within square brackets Test Host 1[10.0.1.1] or Test Host 2[2001:db8::abcd] Scans the IPv4 or IPv6 address
within the brackets, like a normal single target.
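
The target formats in the table above, together with the 300,000 IP address limit noted for the Targets setting, can be checked offline before a scan is saved. The following is an added example, not Tenable code: it classifies each target without DNS lookups and estimates the address count. The function names and sample input are assumptions, and Tenable's own counting (for example of hostnames or overlapping ranges) may differ.

```python
"""Estimate how many addresses a Targets field expands to (added example, no DNS)."""
import ipaddress
import itertools
import math
import re

IP_TARGET_LIMIT = 300_000   # limit stated in the Note on the Targets setting
_OCTET = r"\d{1,3}(?:-\d{1,3})?"
_OCTET_RANGES = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")
_LABEL_IP = re.compile(r".*\[([^\]]+)\]")


def _ip(text):
    """Parse an IP literal, ignoring any %scope identifier; None if it is not one."""
    try:
        return ipaddress.ip_address(text.split("%", 1)[0])
    except ValueError:
        return None


def _octet_choices(target):
    choices = []
    for part in target.split("."):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet range {part!r} in {target!r}")
        choices.append(range(low, high + 1))
    return choices


def expand_octet_ranges(target):
    """'192.168.0-1.3-5' -> every combination of the per-octet ranges, in order."""
    return [".".join(map(str, c)) for c in itertools.product(*_octet_choices(target))]


def subnet_of(target):
    """Network covered by an IP/CIDR or IP/netmask target; the IP need not be the start."""
    return ipaddress.ip_network(target.strip(), strict=False)


def classify(target):
    """Return (kind, address_count) for one target string."""
    t = target.strip()
    if len(t) > 1 and t[0] == t[-1] == "'":
        return "hostname", 1                  # single quotes force hostname handling
    if t.startswith("link6"):
        return "link6", 0                     # hosts are only discovered at scan time
    label = _LABEL_IP.fullmatch(t)
    if label:
        if _ip(label.group(1)) is None:
            raise ValueError(f"no IP address inside the brackets: {t!r}")
        return "label[ip]", 1
    if "/" in t:
        base, _, mask = t.partition("/")
        if _ip(base) is not None:
            return "subnet", subnet_of(t).num_addresses
        # Hostname base: the address needs DNS, but the size depends only on the mask.
        return "hostname subnet", subnet_of(f"0.0.0.0/{mask}").num_addresses
    if _ip(t) is not None:
        return "address", 1
    start, dash, end = t.partition("-")
    if dash:
        first, last = _ip(start), _ip(end)
        if first is not None and last is not None:
            if first.version != last.version or last < first:
                raise ValueError(f"bad range {t!r}")
            return "range", int(last) - int(first) + 1   # both ends included
    if _OCTET_RANGES.fullmatch(t):
        return "octet ranges", math.prod(len(r) for r in _octet_choices(t))
    return "hostname", 1


def estimate(field):
    """Classify each comma-separated target; return (rows, total, within_limit)."""
    rows = [(t.strip(), *classify(t)) for t in field.split(",") if t.strip()]
    total = sum(count for _, _, count in rows)
    return rows, total, total <= IP_TARGET_LIMIT


# Constructed sample built from the example values in the table above.
SAMPLE = ("192.168.0.1, 192.168.0.1-192.168.0.255, 192.168.0-1.3-5, "
          "192.168.0.0/255.255.255.128, www.yourdomain.com/24, "
          "Test Host 2[2001:db8::abcd], link6%16")

if __name__ == "__main__":
    rows, total, ok = estimate(SAMPLE)
    for target, kind, count in rows:
        print(f"{count:>7}  {kind:<16} {target}")
    print(f"{total:>7}  total, within limit: {ok}")
```

The estimate is an upper bound for subnets, because it counts every address in the network, and it counts each hostname as one address.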

Target Groups

You can still use target groups to manage your scan targets. However, Tenable recommends that you
instead use tags to group and scan your assets when possible. In the future, when tagging features and
options match those currently available in target groups, Tenable will convert your target groups into tags
and retire your existing target groups. No action is required on your part, and Tenable will provide you with
60 calendar days' notice before converting and retiring your target groups. For more information, contact
your Tenable representative.

A target group allows you to construct a list of scan targets by FQDN, CIDR notation, or IP address
range. You can then specify which users in your organization can use the target group in scan
configurations or filtering dashboards (including workbenches).

Note: Tenable recommends limiting the number of targets in any single target group. When filtering a
dashboard by a target group with too many targets, Tenable Vulnerability Management may fail to show
data.

Note: Scan targets listed by CIDR notation must be in one of the following formats:

• xx.xx.0.0/16
• xx.xx.xx.0/24

If you grant a user permissions in a target group, the user can use the target group in the Target
Groups option for scan configuration. However, you must also grant the user Can Scan permissions
in an access group for the targets, or Tenable Vulnerability Management excludes the targets from
the scan results. For more information, see Permissions.

To manage target groups, use the following procedures:

Create a target group

System target groups:

Required User Role: Administrator

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To create a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to edit a user target group, click User. Otherwise, stay on the System target
groups tab.

5. In the upper-right corner of the page, click the Create Target Group button.

The Create a Target Group page appears.

6. Configure the General settings:

Setting          Description

Name             A name for the target group.

Targets          A comma-separated list of FQDNs, CIDR notation, or IP address ranges
                 that you want to scan.

                 Note: Scan targets listed by CIDR notation must be in one of the following
                 formats:
                 • xx.xx.0.0/16
                 • xx.xx.xx.0/24

                 Note: For the IP address range format (example: 192.168.0.1-192.168.0.255),
                 Tenable Vulnerability Management supports a maximum count of "-" to 1023.

Upload Targets   A text file containing a comma-separated list of FQDNs or IP address
                 ranges that you want to scan.

                 The system adds the uploaded targets to the Targets box after you save
                 the target group.

7. Configure the user permissions for the group.

Note: If you grant a user permissions in a target group, the user can use the target group in the
Target Groups option for scan configurations. However, you must also grant the user Can Scan
permissions in an access group for the targets, or Tenable Vulnerability Management excludes the
targets from the scan results. For more information, see Access Groups.

8. Click Save.

One of the following occurs:

• If you configured user permissions for the target group, Tenable Vulnerability
  Management creates the target group and adds it to the table on the Target Groups
  page.

• If you retained the default No Access permissions for the target group, a confirmation
  window appears.

  In response, do one of the following:

  ◦ If the default configuration is appropriate for the target group, click Continue to
    confirm your action.

  ◦ If the default configuration is not appropriate for the target group, click Cancel to
    return to user permissions configuration for the target group.
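A Targets list can be checked against the formats this section names before it is pasted or uploaded. The following Python example is added here and is not Tenable code: `check_target`, `review_targets` and `rejected` are hypothetical helpers, the sample list is constructed, and accepting a bare IPv4 address is an assumption, since the page lists only FQDNs, CIDR notation and IP address ranges.

```python
import ipaddress
import re

ALLOWED_PREFIXES = ("16", "24")  # the only CIDR forms the page lists
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample of a comma-separated Targets value.
SAMPLE_TARGETS = (
    "www.example.com, 10.20.0.0/16, 10.20.30.0/24, 10.20.30.0/25, "
    "10.20.30.5/24, 192.168.0.1-192.168.0.255, "
    "192.168.0.9-192.168.0.1, my-scanner.example.com"
)


def _ipv4(text):
    """Return an IPv4Address, or None when text is not a dotted-quad address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def check_target(entry):
    """Return (kind, problem); problem is None when the entry passes."""
    if "/" in entry:
        _, _, suffix = entry.partition("/")
        if suffix not in ALLOWED_PREFIXES:
            return "cidr", "prefix must be /16 or /24"
        try:
            # strict=True rejects host bits, which enforces the
            # xx.xx.0.0/16 and xx.xx.xx.0/24 shapes.
            ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            return "cidr", "network must be xx.xx.0.0/16 or xx.xx.xx.0/24"
        return "cidr", None

    start_text, dash, end_text = entry.partition("-")
    start = _ipv4(start_text)
    if dash and start is not None:
        end = _ipv4(end_text)
        if end is None:
            return "range", "range end is not an IPv4 address"
        if end < start:
            return "range", "range end precedes range start"
        return "range", None

    if _ipv4(entry) is not None:
        return "ip", None  # assumption: a single address is acceptable
    if re.fullmatch(r"[0-9.]+", entry):
        return "ip", "malformed IPv4 address"

    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and len(entry) <= 253 and all(_LABEL.fullmatch(l) for l in labels):
        return "fqdn", None
    return "unknown", "not an FQDN, CIDR block, or IPv4 range"


def review_targets(targets):
    """Check each entry of a comma-separated list; returns (entry, kind, problem)."""
    results = []
    for raw in targets.split(","):
        entry = raw.strip()
        if entry:
            results.append((entry, *check_target(entry)))
    return results


def rejected(targets):
    """Return only the entries that fail, with the reason."""
    return [(entry, problem) for entry, _, problem in review_targets(targets) if problem]


if __name__ == "__main__":
    for entry, problem in rejected(SAMPLE_TARGETS):
        print(f"{entry}: {problem}")
```

The example does not enforce the IP address range limit mentioned in the Targets note.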

Configure user permissions for a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: For auditing cloud infrastructure, Tenable Vulnerability Management requires a target group with
Can Scan permissions to be present on 127.0.0.1.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must
also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable
Vulnerability Management excludes the targets from the scan results. For more information, see Access
Groups.

To configure permissions for a target group:

1. Create or edit a target group.

2. In the User Permissions section, do one of the following:

• Change the permissions for the Default user

  Note: The Default user represents any users that have not been specifically added to the
  target group.

  a. Next to the permission drop-down for the Default user, click the button.

  b. Select a permissions level.

  c. Click Save.

• Add permissions

  a. Next to User Permissions, click the button.

     The Add User Permission plane appears.

  b. In the Add users or groups box, type the name of a user or group.

     As you type, a filtered list of users and groups appears.

  c. Select a user or group from the search results.

     The selected user or group appears in the list of users and groups.

     By default, Tenable Vulnerability Management assigns Can Use permissions to the
     new user or group.

  d. Next to the permission drop-down for the user or group, click the button.

  e. Select a permissions level.

  f. Click Save.

• Edit permissions

  a. Next to the permission drop-down for the user or group, click the button.

  b. Select a permissions level.

  c. Click Save.

• Delete permissions

  a. In the list of users, roll over the user or group you want to delete.

  b. Click the button next to the user or user group.

     The user or group disappears from the permissions list.

  c. Click Save.

Edit a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: System target groups and related functionality asset isolation are deprecated. To control
scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in scan
configurations and dashboard filters. However, Tenable recommends using user target groups
instead.

To edit a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to edit a user target group, click User. Otherwise, stay on the System target
groups tab.

5. In the target groups table, click the target group you want to edit.

The Update a Target Group page appears.

6. Edit the General settings for the target group:

Setting          Description

Name             A name for the target group.

Targets          A comma-separated list of FQDNs, CIDR notation, or IP address ranges
                 that you want to scan.

Upload Targets   A text file containing a comma-separated list of FQDNs or IP address
                 ranges that you want to scan.

                 The system adds the uploaded targets to the Targets box after you save
                 the target group.

7. Configure user permissions for the target group.

8. Click Save.

A confirmation window appears.

9. In the confirmation window, click Continue.

Tenable Vulnerability Management saves the changes to the target group.

Import a target group

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can import a target group as a .csv file.

Tip: To create or modify the .csv file, Tenable recommends using a robust editor such as Microsoft Excel.

Before you begin:


• Create a .csv file in the specified format.

To import a target group:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to import a user target group, click User. Otherwise, stay on the System target
groups page.

Note: System target groups and related functionality asset isolation are deprecated. To
control scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in
scan configurations and dashboard filters. However, Tenable recommends using user
target groups instead.

5. In the upper-right corner of the page, click the Import button.

Your operating system's file manager appears.

6. Select a .csv file to import.

Tenable Vulnerability Management imports the file and adds the target groups to the target
groups box.

Target Group Import File Format


Each line of the target group import file must have the following fields:

Field Name               Description

id                       Numeric field used to identify the target group.

name                     Field used to identify the name of the target group. You can use any
                         combination of alphanumeric characters or symbols in the name field.

members                  Field used to identify the host address or addresses to include in the
                         target group.

creation_date            Numeric field in UNIX timestamp format.

last_modification_date   Numeric field in UNIX timestamp format.

Export a target group

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Target Group Permissions: Can Use

You can export a target group as a .csv file. Depending on your browser, the target group may
download automatically.

To export a target group or groups in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to export a user target group, click User. Otherwise, stay on the System target
groups tab.

Note: System target groups and related functionality asset isolation are deprecated. To
control scan permissions, use access groups instead.

You can still create and edit system target groups, as well as use system target groups in
scan configurations and dashboard filters. However, Tenable recommends using user
target groups instead.

5. Select the target group or groups you want to export.

• Select a single target group.

  a. In the target groups table, roll over the target group you want to export.

     The action buttons appear in the row.

  b. In the row, click the button.

     Tenable Vulnerability Management automatically exports the target group or
     groups you selected as a single .csv file.

• Select multiple target groups.

  a. In the target groups table, select the check boxes for each target group you want
     to export.

     The action bar appears at the bottom of the page.

  b. Next to Target Groups, click the button.

Target Group Export File Header Fields


The following table describes the headers that appear in the exclusion export file.

Field Name               Description

id                       Numeric identifier for the target group.

name                     Alphanumeric name of the target group.

members                  Host address(es) to be included in the target group.

creation_date            Date (in UNIX timestamp format) when the target group was created.

last_modification_date   Date (in UNIX timestamp format) when the target group was last
                         modified.

Delete a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

To delete a target group in the new interface:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

4. If you want to delete a user target group, click User. Otherwise, stay on the System target
groups tab.

5. Select the target group or groups you want to delete:

• Select a single target group.

  a. In the target groups table, roll over the target group you want to delete.

     The action buttons appear in the row.

  b. In the row, click the button.

     A confirmation window appears.

• Select multiple target groups.

  a. In the target groups table, select the check box for each target group you want to
     delete.

     The action bar appears at the bottom of the page.

  b. In the action bar, click the button.

     A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the target group or groups you selected.

Target group permissions

The following table describes user permissions for both system and user target groups.

Permission    Description

System Target Group

No Access     (Default user only) Users assigned this permission cannot use the system
              target group to filter dashboards.

Can Use       Note: System target groups are deprecated; Tenable recommends using user
              target groups instead.

              Users assigned this permission can use hosts in the user target groups to
              filter dashboards and configure scans.

              Note: To enable the user to use a target group in the Target Groups option for
              scan configurations, you must also grant the user Can Scan permissions in an
              access group for the targets. If you do not, Tenable Vulnerability Management
              excludes the targets from the scan results. For more information, see Access
              Groups.

User Target Group

No Access     (Default user only) Users assigned this permission cannot configure scans for
              hosts in the user target group or use hosts in the user target group to filter
              dashboards.

Can Use       Users assigned this permission can use hosts in the user target groups to
              filter dashboards and configure scans.

              Note: To enable the user to use a target group in the Target Groups option for
              scan configurations, you must also grant the user Can Scan permissions in an
              access group for the targets. If you do not, Tenable Vulnerability Management
              excludes the targets from the scan results. For more information, see Access
              Groups.

Can Change    In addition to using hosts in this user target group when configuring scans
              and filtering dashboards, users assigned this permission can modify any
              setting for the target group except permissions.

Info-level Reporting

Info-level Reporting is a scan setting available for Nessus Agent vulnerability scan templates. The
setting specifies how often the agent scan should report unchanged Info-severity vulnerability
findings.

Description

Info-severity findings can account for up to 90% of agent scan findings. Most Info-level findings do
not change from scan to scan and have minimal impact on your overall network exposure.
Configuring Info-level Reporting can help minimize your scan processing times by decreasing the
number of unchanged Info-severity findings that Tenable Vulnerability Management processes after
every agent scan.

After you configure an agent scan, the first execution of that scan always reports all detected
findings regardless of severity level. This is known as a baseline scan. Subsequent scans return all
vulnerability findings with a severity of Low or higher, and any new or changed Info-level findings.
Agents do not re-report existing, unchanged Info-level findings to Tenable Vulnerability
Management until a new baseline scan is performed.

When you view agent vulnerability scan results in the Tenable Vulnerability Management user
interface, baseline scans are indicated with the baseline icon ( ). For example:

Note: The baseline icon does not appear for triggered scans, regardless of whether or not the
scan was a baseline scan.
The baseline icon always appears for scans whose scan configurations do not have the Info-
level Reporting setting. This is because every execution of that scan includes all findings and is,
therefore, a baseline scan.
The baseline icon does not appear for scans whose configurations have the Info-level Reporting
setting, but were run before the Info-level Reporting feature was released.

Configuration

You can configure the agent scan to report all severity findings by launching a new baseline scan
after one of the following intervals:

• After number of scans — The agent scan reports all findings every x number of scans. You
  choose from the following increments: 7, 10, 15, or 20 scans.

  For example, if you set the value to the default of 10, the agent scan reports all findings in its
  next scan and then reports all findings again during every 10th scan. All interim scans only
  return findings with a severity of Low or higher, as well as any new or changed Info-level
  findings.

• After number of days — The agent scan reports all findings after a set number of days after
  the previous day on which the agent scan last reported all findings. You choose from the
  following increments: 7, 10, 20, 30, 60, or 90 days.

  For example, if you set the value to the default of 10, the agent scan reports all findings in its
  next scan. For 10 days, all interim scans return all findings with a severity of Low or higher and
  any new or changed Info-level findings. After the 10-day period passes, the agent scan reports
  all findings again in its next scan.

You can only set triggered agent scans to After number of scans. You can set Scan Window
scans to either After number of scans or After number of days.

The default value for triggered agent scans is After 10 scans, and the default value for Scan
Window agent scans is After 10 days. Tenable recommends using the default values. Only
lower the value if doing so is necessary for your organization.

In addition to Info-level Reporting, you can enable Force refresh of all Info-severity vulnerabilities
on next scan to force the agent scan to report all findings in the next scan. After the next scan
completes and reports all findings, the Info-level Reporting setting determines how often the scan
reports Info-severity findings.

Note: All vulnerability findings with a severity of Low or higher and new or changed Info-severity
vulnerabilities are always reported after every scan.

Limitations and Considerations

• Only agents version 10.5.0 and later can use the Info-level Reporting setting. Any agents on
  earlier versions always perform baseline scans.

• The Info-level Reporting setting is not supported when Tenable Vulnerability Management is
  connected to Tenable Security Center.

• Agent scans with configured Compliance settings do not support the Info-level Reporting
  setting. All agent scans with Compliance settings configured are baseline scans.

• If you recast an Info-level plugin to a higher severity level (for example, Low or Medium), the
  plugin is still affected by Info-level Reporting and excluded from non-baseline scans if the
  plugin output has not changed.

• Each individual agent calculates the After number of scans value separately. Therefore,
  triggered scans can return a combination of baseline and non-baseline results.

• Plugins 19506 (Nessus Scan Information) and 42980 (SSL Certificate Expiry) are always
  reported in full with every scan.

Discovery Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Discovery settings in the scan.
You can only modify these settings in the related user-defined template.

The Discovery settings relate to discovery and port scanning, including port ranges and methods.

Certain Tenable-provided scanner templates include preconfigured discovery settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured discovery settings, you can manually configure Discovery settings
in the following categories:

• Host Discovery

• Port Scanning

• Service Discovery

• Identity

Host Discovery
By default, some settings in the Host Discovery section are enabled. When you first access the
Host Discovery section, the Ping the remote host option appears and is set to On.

Setting: Ping the Remote Host
Default Value: On
Description: If set to On, the scanner pings remote hosts on multiple ports to determine if
they are alive. Additional options General Settings and Ping Methods appear.

If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.

Note: To scan VMware guest systems, Ping the remote host must be set to Off.

Setting: Scan Unresponsive Hosts
Default Value: Disabled
Description: Specifies whether the Nessus scanner scans hosts that do not respond to any ping
methods. This option is only available for scans using the PCI Quarterly External Scan
template.

General Settings

Setting: Use Fast Network Discovery
Default Value: Disabled
Description: When disabled, if a host responds to ping, Tenable Vulnerability Management
attempts to avoid false positives, performing additional tests to verify the response did not
come from a proxy or load balancer. These checks can take some time, especially if the
remote host is firewalled.

When enabled, Tenable Vulnerability Management does not perform these checks.

Ping Methods

Setting: ARP
Default Value: Enabled
Description: Ping a host using its hardware address via Address Resolution Protocol (ARP).
This only works on a local network.

Setting: TCP
Default Value: Enabled
Description: Ping a host using TCP.

Setting: Destination Ports (TCP)
Default Value: Built-In
Description: Destination ports can be configured to use specific ports for TCP ping. This
specifies the list of ports that are checked via TCP ping.

Type one of the following: built-in, a single port, or a comma-separated list of ports.

For more information about which ports built-in specifies, see the knowledge base article.

Setting: ICMP
Default Value: Enabled
Description: Ping a host using the Internet Control Message Protocol (ICMP).

Setting: Assume ICMP Unreachable From the Gateway Means the Host is Down
Default Value: Disabled
Description: Assume ICMP unreachable from the gateway means the host is down. When a ping is
sent to a host that is down, its gateway may return an ICMP unreachable message. When this
option is enabled, when the scanner receives an ICMP Unreachable message, it considers the
targeted host dead. This approach helps speed up discovery on some networks.

Note: Some firewalls and packet filters use this same behavior for hosts that are up, but
connected to a port or protocol that is filtered. With this option enabled, this leads to the
scan considering the host is down when it is indeed up.

Setting: UDP
Default Value: Disabled
Description: Ping a host using the User Datagram Protocol (UDP). UDP is a stateless protocol,
meaning that communication is not performed with handshake dialogues. UDP-based
communication is not always reliable, and because of the nature of UDP services and
screening devices, they are not always remotely detectable.

Setting: Maximum Number of Retries
Default Value: 2
Description: Specifies the number of attempts to retry pinging the remote host.

Fragile Devices

Setting: Scan Network Printers
Default Value: Disabled
Description: When enabled, the scanner scans network printers.

Setting: Scan Novell Netware Hosts
Default Value: Disabled
Description: When enabled, the scanner scans Novell NetWare hosts.

Setting: Scan Operational Technology Devices
Default Value: Disabled
Description: When enabled, the scanner performs a full scan of Operational Technology (OT)
devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that
monitor environmental factors and the activity and state of machinery.

When disabled, the scanner uses ICS/SCADA Smart Scanning to cautiously identify OT devices
and stops scanning them once they are discovered.

Wake-on-LAN

Setting: List of MAC Addresses
Default Value: None
Description: The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to
before performing a scan.

Hosts that you want to start prior to scanning are provided by uploading a text file that
lists one MAC address per line.

For example:

33:24:4C:03:CC:C7
FF:5C:2C:71:57:79

Setting: Boot Time Wait (In Minutes)
Default Value: 5 minutes
Description: The amount of time to wait for hosts to start before performing the scan.

Port Scanning
The Port Scanning section includes settings that define how the port scanner behaves and which
ports to scan.

Ports

Setting: Consider Unscanned Ports as Closed
Default Value: Disabled
Description: When enabled, if a port is not scanned with a selected port scanner (for example,
the port falls outside of the specified range), the scanner considers it closed.

Setting: Port Scan Range
Default Value: Default
Description: Specifies the range of ports to be scanned.

Supported keyword values are:

• default instructs the scanner to scan approximately 4,790 commonly used ports.

• all instructs the scanner to scan all 65,536 ports, including port 0.

Additionally, you can indicate a custom list of ports by using a comma-separated list of ports
or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200. If you wanted to
scan all ports excluding port 0, you would type 1-65535.

The custom range specified for a port scan is applied to the protocols you have selected in the
Network Port Scanners group of settings.

If scanning both TCP and UDP, you can specify a split range specific to each protocol. For
example, if you want to scan a different range of ports for TCP and UDP in the same policy,
you would type T:1-1024,U:300-500.

You can also specify a set of ports to scan for both protocols, as well as individual ranges for
each separate protocol. For example, 1-1024,T:1024-65535,U:1025.

Local Port Enumerators

Setting: SSH (netstat)
Default Value: Enabled
Description: When enabled, the scanner uses netstat to check for open ports from the local
machine. It relies on the netstat command being available via an SSH connection to the
target. This scan is intended for Linux-based systems and requires authentication credentials.

Setting: WMI (netstat)
Default Value: Enabled
Description: When enabled, the scanner uses netstat to determine open ports while performing a
WMI-based scan.

In addition, the scanner:

• Ignores any custom range specified in the Port Scan Range setting.

• Continues to treat unscanned ports as closed if the Consider unscanned ports as closed
  setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

Setting: SNMP
Default Value: Enabled
Description: When enabled, if the appropriate credentials are provided by the user, the scanner
can better test the remote host and produce more detailed audit results. For example, there
are many Cisco router checks that determine the vulnerabilities present by examining the
version of the returned SNMP string. This information is necessary for these audits.

Setting: Only Run Network Port Scanners if Local Port Enumeration Failed
Default Value: Enabled
Description: If a local port enumerator runs, all network port scanners will be disabled for
that asset.

Setting: Verify Open TCP Ports Found By Local Port Enumerators
Default Value: Disabled
Description: When enabled, if a local port enumerator (for example, WMI or netstat) finds a
port, the scanner also verifies that the port is open remotely. This approach helps determine
if some form of access control is being used (for example, TCP wrappers or a firewall).

Network Port Scanners

Setting: TCP
Default Value: Disabled
Description: Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the
targets, using a full TCP three-way handshake. If you enable this option, you can also set the
Override Automatic Firewall Detection option.

Setting: SYN
Default Value: Enabled
Description: Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the
target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a
SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a
response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

Setting: Override Automatic Firewall Detection
Default Value: Disabled
Description: This setting can be enabled if you enable either the TCP or SYN option.

When enabled, this setting overrides automatic firewall detection.

This setting has three options:

• Use aggressive detection attempts to run plugins even if the port appears to be closed. It is
  recommended that this option not be used on a production network.

• Use soft detection disables the ability to monitor how often resets are set and to determine
  if there is a limitation configured by a downstream network device.

• Disable detection disables the firewall detection feature.

Setting: UDP
Default Value: Disabled
Description: This option engages the built-in Tenable Nessus UDP scanner to identify open UDP
ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the
difference between open and filtered UDP ports. Enabling the UDP port scanner may
dramatically increase the scan time and produce unreliable results. Consider using the netstat
or SNMP port enumeration options instead if possible.
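The Port Scan Range syntax described in the table above can be expanded offline to confirm that a custom value covers the services a scan is meant to reach. The following Python example is added here and is not Tenable code: `parse_port_scan_range` and `coverage_gaps` are hypothetical helpers, and the list of required services is constructed. It assumes an unprefixed entry applies to both protocols, and it rejects an unprefixed entry that follows a T: or U: entry because the page does not define that case.

```python
import re

MAX_PORT = 65535
_ENTRY = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?", re.ASCII)


class PortRangeError(ValueError):
    """Raised when a Port Scan Range value does not match a documented form."""


def _expand(entry):
    """Turn '80' or '9000-9200' into an inclusive range of port numbers."""
    match = _ENTRY.fullmatch(entry)
    if not match:
        raise PortRangeError(f"not a port or port range: {entry!r}")
    start = int(match.group(1))
    end = int(match.group(2)) if match.group(2) else start
    if start > end or end > MAX_PORT:
        raise PortRangeError(f"range out of order or above {MAX_PORT}: {entry!r}")
    return range(start, end + 1)


def parse_port_scan_range(value):
    """Return {'tcp': set, 'udp': set}, or None for the keyword 'default'.

    'default' is the scanner's own list of roughly 4,790 ports, which the
    page does not enumerate, so it cannot be expanded here.
    """
    value = value.strip()
    if value.lower() == "default":
        return None
    if value.lower() == "all":
        every_port = set(range(0, MAX_PORT + 1))  # 65,536 ports, including port 0
        return {"tcp": every_port, "udp": set(every_port)}

    ports = {"tcp": set(), "udp": set()}
    prefixed_seen = False
    for raw in value.split(","):
        entry = raw.strip()
        prefix = entry[:2].upper()
        if prefix in ("T:", "U:"):
            prefixed_seen = True
            protocols = ("tcp",) if prefix == "T:" else ("udp",)
            entry = entry[2:]
        elif prefixed_seen:
            # Assumption of this example: the page does not say whether a bare
            # entry after a T:/U: entry inherits the prefix, so flag it.
            raise PortRangeError(f"unprefixed entry after T:/U: entry: {entry!r}")
        else:
            protocols = ("tcp", "udp")
        for protocol in protocols:
            ports[protocol].update(_expand(entry))
    return ports


def coverage_gaps(value, required):
    """List the (protocol, port) pairs in `required` that the range leaves out."""
    ports = parse_port_scan_range(value)
    if ports is None:
        raise PortRangeError("'default' cannot be checked; its port list is built in")
    return [(proto, port) for proto, port in required if port not in ports[proto]]


if __name__ == "__main__":
    # Constructed list of services that must fall inside the scan.
    must_scan = [("tcp", 443), ("tcp", 3389), ("udp", 161)]
    for spec in ("1-1024,8080,9000-9200", "T:1-1024,U:300-500",
                 "1-1024,T:1024-65535,U:1025"):
        parsed = parse_port_scan_range(spec)
        print(spec, len(parsed["tcp"]), len(parsed["udp"]),
              coverage_gaps(spec, must_scan))
```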

Service Discovery
The Service Discovery section includes settings that attempt to map each open port with the
service that is running on that port.

General Settings

Setting: Probe All Ports to Find Services
Default Value: Enabled
Description: When enabled, the scanner attempts to map each open port with the service that is
running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side
effects.

Setting: Search for SSL/TLS Based Services
Default Value: On
Description: Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS/DTLS Services (enabled)

Setting: Search for SSL/TLS On
Default Value: Known SSL/TLS ports
Description: Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has two options:

• Known SSL/TLS ports

• All TCP ports

Setting: Search for DTLS On
Default Value: None
Description: Specifies which ports on target hosts the scanner searches for DTLS services.

This setting has the following options:

• None

• Known SSL/TLS ports

• All TCP ports

Setting: Identify Certificates Expiring Within x Days
Default Value: 60
Description: When enabled, the scanner identifies SSL and TLS certificates that are within the
specified number of days of expiring.

Setting: Enumerate All SSL/TLS Ciphers
Default Value: True
Description: When enabled, the scanner ignores the list of ciphers advertised by SSL/TLS
services and enumerates them by attempting to establish connections using all possible
ciphers.

Setting: Enable CRL Checking (Connects to the Internet)
Default Value: False
Description: When enabled, the scanner checks that none of the identified certificates have
been revoked.

Identity
The Identity section allows you to enable or disable the collection of Active Directory data.

Note: This section is only applicable in Tenable One Enterprise environments.

General Settings

Setting: Collect Identity Data from Active Directory
Default Value: Disabled
Description: Enable this setting to allow Tenable Vulnerability Management to gather user,
computer, and group objects from Active Directory.

This setting requires that you specify an Active Directory user account for the scan. You also
need to enable LDAPS on the Domain Controller that the scan is targeting.

Preconfigured Discovery Settings

Certain Tenable-provided scanner templates include preconfigured discovery settings, described in
the following table. The preconfigured discovery settings are determined by both the template and
the Scan Type that you select.

Template Scan Type Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network – All defaults


Scan

Basic Network Scan Port scan (common ports) l General Settings:


(default) o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan common ports
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

- 368 -
l Ping hosts using:
o TCP
o ARP
o ICMP (2 retries)

Port scan (all ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan all ports (1-65535)
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Credentialed Patch Port scan (common ports) l General Settings:


Audit (default) o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:

o Scan common ports
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Port scan (all ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan all ports (1-65535)
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Host Discovery Host enumeration (default) l General Settings:

o Always test the local
Nessus host
o Use fast network
discovery

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

OS Identification l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Ping hosts using:


o TCP
o ARP
o ICMP

Port scan (common ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan common ports
o Use netstat if
credentials are provided

o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Port scan (all ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan all ports (1-65535)
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Internal PCI Network Port scan (common ports) l General Settings:


Scan (default) o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan common ports
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Port scan (all ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan all ports (1-65535)
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Legacy Web App Scan Port scan (common ports) l General Settings:
(default) o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan common ports
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Port Scan (all ports) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Port Scanner Settings:


o Scan all ports (1-65535)
o Use netstat if
credentials are provided
o Use SYN scanner if
necessary

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Mobile Device Scan – –

PCI Quarterly External – Scan unresponsive hosts default


Scan

Configuration Scans

Audit Cloud – –
Infrastructure

MDM Config Audit – –

Offline Config Audit – –

Policy Compliance Default (default) l General Settings:


Auditing o Ping the remote host
o Always test the local
Tenable Nessus host

l Scan all devices, including:


o Printers
o Novell Netware hosts

Custom All defaults

SCAP and OVAL Host enumeration (default) l General Settings:


Auditing o Always test the local
Nessus host

o Use fast network
discovery

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Custom All defaults

Tactical Scans

Badlock Detection Quick l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan TCP ports 23, 25,
80, and 443
o Detect SSL/TLS on ports
where it is commonly
used

Normal (default) l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

Custom All defaults

Bash Shellshock Quick l General Settings:


Detection o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan TCP ports 23, 25,
80, and 443
o Detect SSL/TLS on ports
where it is commonly
used

l Scan all devices, including:


o Printers
o Novell Netware hosts

Normal (default) l General Settings:


o Ping the remote host

o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

l Scan all devices, including:


o Printers
o Novell Netware hosts

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

l Scan all devices, including:


o Printers
o Novell Netware hosts

Custom All defaults

DROWN Detection Quick l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan TCP ports 23, 25,
80, and 443
o Detect SSL/TLS on ports
where it is commonly
used

Normal (default) l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

Custom All defaults

Intel AMT Security Quick l General Settings:
Bypass o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan TCP ports 16992,
16993, 623, 80, and 443
o Detect SSL/TLS on ports
where it is commonly
used

Normal (default) l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports

o Detect SSL on all open
ports

Custom All defaults

Malware Scan Host enumeration (default) l General Settings:


o Always test the local
Nessus host
o Use fast network
discovery

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

Host enumeration (include l General Settings:


fragile hosts) o Always test the local
Nessus host
o Use fast network
discovery

l Ping hosts using:


o TCP
o ARP
o ICMP (2 retries)

l Scan all devices, including:


o Printers
o Novell Netware hosts

Custom All defaults

Shadow Brokers Scan Normal (default) l General Settings:
o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

l Scan all devices, including:


o Printers
o Novell Netware hosts

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

l Scan all devices, including:


o Printers
o Novell Netware hosts

Custom All defaults

Spectre and Meltdown Normal (default) l General Settings:

Detection o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

Custom All defaults

WannaCry Quick l General Settings:


Ransomware o Ping the remote host
Detection
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan TCP ports 139 and
445
o Detect SSL/TLS on ports
where it is commonly
used

Normal (default) l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan the default Nessus
port range
o Detect SSL/TLS on ports
where it is commonly
used

Thorough l General Settings:


o Ping the remote host
o Always test the local
Nessus host

l Service Discovery Settings:


o Scan all TCP ports
o Detect SSL on all open
ports

Custom All defaults

Assessment Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Assessment settings in the
scan. You can only modify these settings in the related user-defined template.

You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a
system to brute force attacks, and the susceptibility of web applications.

Certain Tenable-provided scanner templates include preconfigured assessment settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured assessment settings, you can manually configure Assessment
settings in the following categories:

• General

• Brute Force

• SCADA

• Web Applications

• Windows

• Malware

• Databases

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

General
The General section includes the following groups of settings:

• Accuracy

• Antivirus

• SMTP

Accuracy

Override Normal Accuracy
Default value: Disabled
Description: In some cases, Tenable Vulnerability Management cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Vulnerability Management to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.

Perform thorough tests (may disrupt your network or impact scan speed)
Default value: Disabled
Description: Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days)
Default value: 0
Description: Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Tenable Vulnerability Management to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Tenable Vulnerability Management considers signatures out of date regardless of how long ago an update became available (e.g., a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date.

SMTP

Third party domain
Description: Tenable Vulnerability Management attempts to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address
Description: The test messages sent to the SMTP server(s) appear as if the messages originated from the address specified in this field.

To address
Description: Tenable Vulnerability Management attempts to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force
The Brute Force section includes the following groups of settings:

• General Settings

• Oracle Database

General Settings

Only use credentials provided by the user
Default value: Enabled
Description: In some cases, Tenable Vulnerability Management can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Vulnerability Management from performing these tests.

Oracle Database

Test default accounts (slow)
Default value: Disabled
Description: Test for known default accounts in Oracle software.

SCADA
ICCP/COTP TSAP Addressing Weakness
Description: The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

Web Applications
The Web Applications section includes the following groups of settings:

• General Settings

• Web Crawler

• Application Test Settings

Scan web applications
Default value: Disabled
Description: By default, Tenable Vulnerability Management does not scan web applications. To edit the following settings, enable this setting.

Use a custom User-Agent
Default value: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Description: Specifies which type of web browser Tenable Vulnerability Management impersonates while scanning.

Web Crawler

Start crawling from
Default value: /
Description: The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex)
Default value: /server_privileges\.php|logout
Description: Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual)|(\.pl(\?.*)?$).

Tenable Vulnerability Management supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl
Default value: 1000
Description: The maximum number of pages to crawl.

Maximum depth to crawl
Default value: 6
Description: Limit the number of links Tenable Vulnerability Management follows for each start page.

Follow dynamically generated pages
Default value: Disabled
Description: If selected, Tenable Vulnerability Management follows dynamic links and may exceed the parameters set above.

Application Test Settings

Enable generic web application tests
Default value: Disabled
Description: Enables the following settings.

Abort web application tests if HTTP login fails
Default value: Disabled
Description: If Tenable Vulnerability Management cannot log in to the target via HTTP, then do not run any web application tests.

Try all HTTP methods
Default value: Disabled
Description: This option instructs Tenable Vulnerability Management to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless you enable this option. Generally, more complex applications use the POST method when a user submits data to the application. When enabled, Tenable Vulnerability Management tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution
Default value: Disabled
Description: When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Test embedded web servers
Default value: Disabled
Description: Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form
Default value: Disabled
Description: This setting manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Vulnerability Management would attempt /test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This setting has four options:

• Test random pairs of parameters: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.

• Test all pairs of parameters (slow): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable and then uses the first value for all other variables. For example, Tenable Vulnerability Management would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Tenable Vulnerability Management would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.

• Test random combinations of three or more parameters (slower): This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the amount of combinations by three or more increases the web application test time.

• Test all combinations of parameters (slowest): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after first flaw is found per web page
Default value: Stop after one flaw is found per web server (fastest)
Description: This setting determines when a new flaw is targeted. This applies at the script level. Finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified, there is at most one report for each type on a given port. Note that several flaws of the same type (for example, XSS or SQLi) may be reported if they were caught by the same attack.

If this option is disabled, as soon as a flaw is found on a web page, the scan moves on to the next web page.

If you enable this option, select one of the following options:

• Stop after one flaw is found per web server (fastest) — (Default) As soon as a flaw is found on a web server by a script, Tenable Vulnerability Management stops and switches to another web server on a different port.

• Stop after one flaw is found per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (for example, XSS), Tenable Vulnerability Management switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.

• Look for all flaws (slowest) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion
Default value: http://rfi.nessus.org/rfi.txt
Description: During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Tenable Vulnerability Management uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, you can use an internally hosted file for more accurate RFI testing.

Maximum run time (min)
Default value: 5
Description: This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour; however, web sites with large applications may require a higher value.
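As an added example (not Tenable's code), the sketch below previews which paths an Excluded pages (regex) value would keep out of a crawl and splits a colon-delimited Start crawling from value. It assumes the pattern is searched unanchored against the path and query string, writes the /manual example with the | alternation, and uses constructed paths; all function names are hypothetical.

```python
import re

# Patterns taken from the Web Crawler settings described above.
DEFAULT_EXCLUDE = r"/server_privileges\.php|logout"
MANUAL_AND_PERL_EXCLUDE = r"(^/manual)|(\.pl(\?.*)?$)"

# Constructed sample paths; none come from a real site.
SAMPLE_PATHS = [
    "/",
    "/manual/index.html",
    "/cgi-bin/report.pl?id=7",
    "/cgi-bin/report.pl.bak",
    "/admin/logout",
    "/docs/logout-help.html",
    "/server_privileges.php",
    "/account/delete?id=1",
]


def parse_start_pages(value):
    """Split a colon-delimited 'Start crawling from' value into paths."""
    pages = [page for page in value.split(":") if page]
    for page in pages:
        if not page.startswith("/"):
            raise ValueError(f"start page {page!r} is not an absolute path")
    return pages


def split_by_exclusion(pattern, paths):
    """Return (crawled, excluded) for the given paths.

    Assumption: the pattern is searched, unanchored, against the path plus
    query string, which is how the documented examples read.
    """
    regex = re.compile(pattern)
    crawled, excluded = [], []
    for path in paths:
        (excluded if regex.search(path) else crawled).append(path)
    return crawled, excluded


def review_exclusions(pattern, must_skip, must_crawl):
    """List paths whose treatment differs from what the scan owner intends.

    must_skip: paths the scan must never request (logout, destructive actions).
    must_crawl: in-scope paths that must not be dropped by an over-broad pattern.
    """
    regex = re.compile(pattern)
    findings = []
    for path in must_skip:
        if not regex.search(path):
            findings.append((path, "would be crawled"))
    for path in must_crawl:
        if regex.search(path):
            findings.append((path, "would be excluded"))
    return findings


if __name__ == "__main__":
    print("start pages:", parse_start_pages("/:/php4:/base"))
    for name, pattern in (("default", DEFAULT_EXCLUDE),
                          ("manual+perl", MANUAL_AND_PERL_EXCLUDE)):
        crawled, excluded = split_by_exclusion(pattern, SAMPLE_PATHS)
        print(name, "excludes:", excluded)
    # The unanchored 'logout' alternative also drops a help page, and the
    # default pattern does nothing for a destructive endpoint.
    for path, problem in review_exclusions(
            DEFAULT_EXCLUDE,
            must_skip=["/admin/logout", "/account/delete?id=1"],
            must_crawl=["/docs/logout-help.html"]):
        print("review:", path, problem)
```

Running the review before a scan shows where an exclusion needs anchoring or an extra alternative for state-changing pages.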

Windows
The Windows section contains the following groups of settings:

• General Settings

• User Enumeration Methods

General Settings

Request information about the SMB Domain
Default value: Enabled
Description: If enabled, domain users are queried instead of local users.

User Enumeration Methods

You can enable as many of the user enumeration methods as appropriate for user discovery.

SAM Registry
Default value: Enabled
Description: Tenable Vulnerability Management enumerates users via the Security Account Manager (SAM) registry.

ADSI Query
Default value: Enabled
Description: Tenable Vulnerability Management enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI.

WMI Query
Default value: Enabled
Description: Tenable Vulnerability Management enumerates users via Windows Management Interface (WMI).

RID Brute Forcing
Default value: Enabled
Description: Tenable Vulnerability Management enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings.

Enumerate Domain Users (available with RID Brute Forcing enabled)

Start UID
Default value: 1000
Description: The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

End UID
Default value: 1200
Description: The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

Enumerate Local User (available with RID Brute Forcing enabled)

Start UID
Default value: 1000
Description: The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

End UID
Default value: 1200
Description: The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

Malware
The Malware section contains the following groups of settings:

• General Settings

• Hash and Whitelist Files

• Yara Rules

• File System Scanning

Hash and Allow List Files

Custom Netstat IP Threat List
Default value: None
Description: A text file that contains a list of known bad IP addresses that you want to detect.

Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Note: Tenable does not detect private IP ranges in the text file.

Provide your own list of known bad MD5 hashes
Default value: None
Description: A text file with one MD5 hash per line that specifies additional known bad MD5 hashes.

Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.

Provide your own list of known good MD5 hashes
Default value: None
Description: A text file with one MD5 hash per line that specifies additional known good MD5 hashes.

Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.

Hosts file allow list
Default value: None
Description: Tenable Vulnerability Management checks system hosts files for signs of a compromise (for example, Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable Vulnerability Management to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Yara Rules

Yara Rules
Default value: None
Description: A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

File System Scanning

Scan file system
Default value: Disabled
Description: If enabled, Tenable Vulnerability Management can scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Windows Directories (available if Scan file system is enabled)

Scan %Systemroot%
Default value: Disabled
Description: Enables file system scanning to scan %Systemroot%.

Scan %ProgramFiles%
Default value: Disabled
Description: Enables file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles(x86)%
Default value: Disabled
Description: Enables file system scanning to scan %ProgramFiles(x86)%.

Scan %ProgramData%
Default value: Disabled
Description: Enables file system scanning to scan %ProgramData%.

Scan User Profiles
Default value: Disabled
Description: Enables file system scanning to scan user profiles.

Custom Filescan Directories
Default value: None
Description: A custom file that lists directories to be scanned by malware file scanning. List each directory on one line.

Linux Directories

Scan $PATH
Default value: Disabled
Description: Enables file system scanning to scan $PATH.

Scan /home
Default value: Disabled
Description: Enables file system scanning to scan /home.

MacOS Directories

Scan $PATH
Default value: Disabled
Description: Enables file system scanning to scan $PATH.

Scan /Users
Default value: Disabled
Description: Enables file system scanning to scan /Users.

Scan /Applications
Default value: Disabled
Description: Enables file system scanning to scan /Applications.

Scan /Library
Default value: Disabled
Description: Enables file system scanning to scan /Library.
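As an added example (not Tenable's code), this linter checks a Custom Netstat IP Threat List and the known bad and known good MD5 files against the format rules in the Malware settings before upload. It assumes that "private IP ranges" means the RFC 1918 blocks and that a description starts at the first comma or #; function names and sample entries are constructed.

```python
import hashlib
import ipaddress
import re

# Assumption: "private IP ranges" refers to the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def split_entry(line):
    """Split 'value,description' or 'value # description' into two parts."""
    # Assumption: the description starts at the first ',' or '#'.
    match = re.search(r"[,#]", line)
    if match is None:
        return line.strip(), ""
    return line[:match.start()].strip(), line[match.end():].strip()


def lint_ip_threat_list(text):
    """Return (entries, problems) for a Custom Netstat IP Threat List."""
    entries, problems = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no entry
        value, description = split_entry(raw)
        try:
            address = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            problems.append((number, "error",
                             "line does not begin with an IPv4 address"))
            continue
        if any(address in network for network in RFC1918):
            problems.append((number, "warning",
                             "private address, not detected by the scan"))
            continue
        entries.append((str(address), description))
    return entries, problems


def lint_md5_list(text):
    """Return (entries, problems) for a known bad or known good MD5 file."""
    entries, problems, seen = [], [], {}
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        value, description = split_entry(raw)
        if not MD5_RE.match(value):
            problems.append((number, "error",
                             "not a 32-character hexadecimal MD5 hash"))
            continue
        digest = value.lower()
        if digest in seen:
            problems.append((number, "warning",
                             f"duplicate of line {seen[digest]}"))
            continue
        seen[digest] = number
        entries.append((digest, description))
    return entries, problems


def conflicting_hashes(bad_entries, good_entries):
    """Hashes listed as both known bad and known good."""
    bad = {digest for digest, _ in bad_entries}
    good = {digest for digest, _ in good_entries}
    return sorted(bad & good)


# Constructed sample inputs (documentation addresses, hashes of dummy bytes).
SAMPLE_IP_LIST = """\
203.0.113.7,constructed C2 address
198.51.100.23 # constructed scanner source
10.20.30.40,internal jump host
evil.example,hostname instead of an address
"""
BAD = hashlib.md5(b"constructed bad sample").hexdigest()
GOOD = hashlib.md5(b"constructed good sample").hexdigest()
SAMPLE_BAD = f"{BAD},constructed dropper\n{BAD.upper()} # same hash again\nnot-a-hash,typo\n"
SAMPLE_GOOD = f"{GOOD},constructed installer\n{BAD},listed as good by mistake\n"

if __name__ == "__main__":
    ip_entries, ip_problems = lint_ip_threat_list(SAMPLE_IP_LIST)
    bad_entries, bad_problems = lint_md5_list(SAMPLE_BAD)
    good_entries, good_problems = lint_md5_list(SAMPLE_GOOD)
    print("usable IP entries:", ip_entries)
    print("IP problems:", ip_problems)
    print("bad-list problems:", bad_problems)
    print("listed as both bad and good:",
          conflicting_hashes(bad_entries, good_entries))
```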

Databases
Oracle Database

Use detected SIDs
Default value: Disabled
Description: When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.

If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.

Preconfigured Assessment Settings

Certain Tenable-provided Tenable Nessus templates include preconfigured assessment settings,
described in the following table. The preconfigured assessment settings are determined by both the
template and the Mode that you select.

Template Mode Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network – All defaults


Scan

Basic Network Default l General Settings:


Scan o Avoid false alarms
o Disable CGI scanning

l Web Applications:
o Disable web application
scanning

Scan for known web l General Settings:


vulnerabilities o Avoid potential false alarms
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Generic web application
tests disabled

Scan for all web l General Settings:
vulnerabilities (quick) o Avoid potential false alarms
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 5 minutes (max)

Scan for all web l General Settings:


vulnerabilities (complex) o Avoid potential false alarms
o Enable CGI scanning
o Perform thorough tests

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 10 minutes
(max)
o Try all HTTP methods
o Attempt HTTP Parameter
Pollution

Custom All defaults

Credentialed Patch – All defaults


Audit

Host Discovery – –

Internal PCI Default l General Settings:


Network Scan o Avoid false alarms
o Disable CGI scanning

l Web Applications:
o Disable web application
scanning

Scan for known web l General Settings:


vulnerabilities o Avoid potential false alarms
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications

o Generic web application
tests disabled

Scan for all web l General Settings:


vulnerabilities (quick) o Avoid potential false alarms
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 5 minutes (max)

Scan for all web l General Settings:


vulnerabilities (complex) o Avoid potential false alarms
o Enable CGI scanning
o Perform thorough tests

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 10 minutes
(max)
o Try all HTTP methods
o Attempt HTTP Parameter
Pollution

Custom All defaults

Legacy Web App Scan for known web l General Settings:


Scan vulnerabilities o Avoid potential false alarms
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Generic web application
tests disabled

Scan for all web l General Settings:


vulnerabilities (quick) o Avoid potential false alarms
(Default)
o Enable CGI scanning

l Web Applications:
o Start crawling from "/"

o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 5 minutes (max)

Scan for all web l General Settings:


vulnerabilities (complex) o Avoid potential false alarms
o Enable CGI scanning
o Perform thorough tests

l Web Applications:
o Start crawling from "/"
o Crawl 1000 pages (max)
o Traverse 6 directories (max)

o Test for known


vulnerabilities in commonly
used web applications
o Perform each generic web
app test for 10 minutes
(max)
o Try all HTTP methods
o Attempt HTTP Parameter
Pollution

Custom All defaults

Mobile Device Scan – –

PCI Quarterly – –
External Scan

Configuration Scans

Audit Cloud – –
Infrastructure

MDM Config Audit – –

Offline Config Audit – –

Policy Compliance – –
Auditing

SCAP and OVAL – –


Auditing

Tactical Scans

Badlock Detection – Web Crawler defaults

Bash Shellshock – Web Crawler defaults


Detection

DROWN Detection – –

Intel AMT Security – –


Bypass

Malware Scan – Malware defaults

Shadow Brokers – –
Scan

Spectre and Meltdown Detection – –

WannaCry – –
Ransomware
Detection

Report Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Report settings in the scan. You
can only modify these settings in the related user-defined template.

The Report settings include the following groups of settings:

• Processing

• Output

Processing

Override normal verbosity
Default value: Disabled
Description: When disabled, provides the standard level of plugin activity in the report. The output does not include the informational plugins 56310, 64582, and 58651.

When enabled, this setting has two options:

• I have limited disk space. Report as little information as possible — Provides less information about plugin activity in the report to minimize impact on disk space.

• Report as much information as possible — Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.

Show missing patches that have been superseded
Default value: Enabled
Description: When enabled, includes superseded patch information in the scan report.

Hide results from plugins initiated as a dependency
Default value: Enabled
Description: When enabled, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, disable this setting.

Output

Designate hosts by their DNS name
Default value: Disabled
Description: Uses the host name rather than IP address for report output.

Display hosts that respond to ping
Default value: Disabled
Description: Reports hosts that successfully respond to a ping.

Display unreachable hosts
Default value: Disabled
Description: When enabled, hosts that did not reply to the ping request are included in the security report as dead hosts. Do not enable this option for large IP blocks.

Caution: Enabling this setting causes the scan to create a finding for every target in the scan, whether responsive or not. This may cause the scan to abort if the number of hosts returned exceeds your license limit. For more information, see Scan Limitations.

Display Unicode characters
Default value: Disabled
Description: When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.

Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Advanced Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Advanced settings in the scan.
You can only modify these settings in the related user-defined template.

The Advanced settings provide increased control over scan efficiency and the operations of a scan,
as well as the ability to enable plugin debugging.

Certain Tenable-provided scanner templates include preconfigured advanced settings.

If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner
template that does not include preconfigured advanced settings, you can manually configure
Advanced settings in the following categories:

• General Settings

• Performance Options

• Unix Find Command Options

• Windows File Search Options

• Debug Settings

• Stagger Scan Start (Agent scans only)

• Compliance Output Settings

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

Setting | Default Value | Description

General Settings

Enable Safe Checks | Enabled | When enabled, disables all plugins that may have an adverse effect on the remote host.

Scan for unpatched vulnerabilities (no patches or mitigations available) | Disabled | Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as "Will Not Fix" by the related vendor.

Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin.

Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Vulnerability Management remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan.

Stop scanning hosts that become unresponsive during the scan | Disabled | When enabled, Tenable Vulnerability Management stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delays the scan.

Scan IP addresses in a random order | Disabled | By default, Tenable Vulnerability Management scans a list of IP addresses in sequential order. When this option is enabled, Tenable Vulnerability Management scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans.

Automatically accept detected SSH disclaimer prompts | Disabled | When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

The scan initially sends a bad SSH request to the target in order to retrieve the supported authorization methods. This allows you to determine how to connect to the target, which is helpful when you configure a custom SSH banner and then try to determine how to connect to the host.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Scan targets with multiple domain names in parallel | Disabled | When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

Create unique identifier on hosts scanned using credentials | Enabled | When enabled, the scanner creates a unique identifier (Tenable UUID). Tenable Vulnerability Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with historical results for the asset and ensure that license counts are accurately reflected.

For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans.

Trusted CAs | None | Specifies CA certificates that the scan considers as trusted. This allows you to use self-signed certificates for SSL authentication without triggering plugin 51192 as a vulnerability in your Tenable Vulnerability Management environment.

Note: In addition to this setting, you can configure trusted CAs at the individual scanner level (for more information, see Trust a Custom CA in the Tenable Nessus User Guide). There is no precedence or hierarchy between trusted CAs configured in the Tenable Vulnerability Management scan configuration and trusted CAs configured on the Tenable Nessus scanner. Tenable Vulnerability Management uses the correct certificate needed to complete the scan and ignores irrelevant certificates, regardless of which product you configure them in.

Performance Options

Slow down the scan when network congestion is detected | Disabled | When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, Tenable throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again.

Use Linux kernel congestion detection | Disabled | When enabled, Tenable Vulnerability Management uses the Linux kernel to detect when it sends too many packets and the network pipe approaches capacity. If detected, Tenable Vulnerability Management throttles the scan to accommodate and alleviate the congestion. Once the congestion subsides, Tenable Vulnerability Management automatically attempts to use the available space within the network pipe again.

Network timeout (in seconds) | 5 | Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Max simultaneous checks per host | 5 | Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time.

Max simultaneous hosts per scan | Depends on the Tenable-provided template used for the scan | Specifies the maximum number of hosts that Tenable Vulnerability Management submits for scanning at the same time in an individual scan task.

To further refine scan performance using host limits, Tenable recommends adjusting Advanced settings for your individual scanners (for example, max_hosts, global.max_hosts, and global.max_scans). For more information, see Advanced Settings in the Tenable Nessus User Guide.

If you set Max simultaneous hosts per scan to more than the scanner's max_hosts setting, Tenable Vulnerability Management caps Max simultaneous hosts per scan at the max_hosts value. For example, if you set the Max simultaneous hosts per scan to 150 and the scanner's max_hosts is set to 100, with more than 100 targets, Tenable Vulnerability Management scans 100 hosts simultaneously.

Note: You can only adjust individual scanner settings for your organization's managed scanners. You cannot modify the settings of Tenable-hosted scanners.

Max number of concurrent TCP sessions per host | None | Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Max number of concurrent TCP sessions per scan | None | Specifies the maximum number of established TCP sessions for each scan task, regardless of the number of hosts being scanned.

For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results.

Unix Find Command Options

Exclude Filepath | None | A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Exclude Filesystem | None | A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

Include Filepath | None | A plain text file containing a list of filepaths to include for all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.

Windows File Search Options

Windows Exclude Filepath | None | A plain text file containing a list of filepaths to exclude from any search on Windows systems.

In the file, enter one filepath per line. This setting overrides and removes default exclusions.

Note: Windows file exclusions do not apply to any plugins that are managed by the operating system.

Windows Include Filepath | None | A plain text file containing a list of filepaths to include in any use of Recursive search on Windows systems.

In the file, enter one filepath per line. This setting replaces any defaults entirely.

Debug Settings

Enable plugin debugging | Disabled | Attaches available debug logs from plugins to the vulnerability output of this scan.

Audit Trail Verbosity | Default | Controls verbosity of the plugin audit trail.

Options include:

• No audit trail — (Default) Tenable Vulnerability Management does not generate a plugin audit trail.

• All audit trail data — The audit trail includes the reason why plugins were not included in the scan.

• Only scan errors — The audit trail includes only errors encountered during the scan.

Stagger Scan Start

Maximum delay (minutes) | 0 | (Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Compliance Output Settings

Maximum Compliance Output Length in KB | 128,000 KB | Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value is greater than this setting's value, Tenable Vulnerability Management truncates the result.

Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed.

Generate gold image .audit | Disabled | Determines whether Tenable Vulnerability Management attaches a compliance gold image .audit file to the scan results. You can download the gold image audit from the vulnerabilities tab labeled Compliance Export Gold Image Audit.

For more information, see Compliance Export Gold Image.

Generate XCCDF result file | Disabled | Determines whether Tenable Vulnerability Management attaches XCCDF results files to the scan results. You can download the generated XCCDF result files from the vulnerabilities tab labeled Export compliance results to XCCDF.

For more information, see Compliance Export XCCDF Results.

Generate JSON result file | Disabled | Determines whether Tenable Vulnerability Management attaches a .audit JSON file to the scan results. You can download the JSON files from the vulnerabilities tab labeled Export compliance results to JSON.

For more information, see Compliance Export JSON Results.
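The Exclude Filepath and Include Filepath settings under Unix Find Command Options above take one find -path pattern per line. The following shell example is added here and is not Tenable code: it assumes exclusions are applied by pruning every path that matches a pattern, and the function names (find_with_exclusions, lint_exclude_file, make_demo_tree) and the sample tree are constructed for illustration. It shows that -path patterns must match the whole path, and that a start point which is also excluded returns nothing, which is consistent with the Include/Exclude conflict described in the Tip.

```shell
#!/bin/sh
# Added example (not Tenable code): behaviour of one-pattern-per-line
# exclusion files when their entries are used as find -path patterns.
# Assumption: exclusions are applied as  find START ( -path P ... ) -prune

cr=$(printf '\r')   # stripped from entries saved with Windows line endings

# List regular files under START, pruning every path that matches a pattern
# in EXCLUDE_FILE (one -path pattern per line; blank lines are ignored).
find_with_exclusions() {
    start=$1
    exclude_file=$2
    set --                               # rebuild "$@" as the -path expression
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        pattern=${pattern%"$cr"}
        if [ -z "$pattern" ]; then continue; fi
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -path "$pattern"
    done < "$exclude_file"
    if [ $# -eq 0 ]; then
        find "$start" -type f -print | LC_ALL=C sort
    else
        find "$start" \( "$@" \) -prune -o -type f -print | LC_ALL=C sort
    fi
}

# Report entries that cannot match when the search starts at an absolute path:
# -path compares the pattern with the whole path, so an entry must begin with
# "/" or a wildcard, and find reports directories without a trailing slash.
lint_exclude_file() {
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        pattern=${pattern%"$cr"}
        case $pattern in
            ''|/)            ;;
            */)              printf 'trailing-slash: %s\n' "$pattern" ;;
            /*|\**|\?*|\[*)  ;;
            *)               printf 'unanchored: %s\n' "$pattern" ;;
        esac
    done < "$1"
}

# Constructed sample tree standing in for a scan target's filesystem.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/opt/app/bin" "$d/opt/app/logs" \
             "$d/home/alice/.cache" "$d/srv/backup/2024"
    : > "$d/opt/app/bin/server.jar"
    : > "$d/opt/app/logs/app.log"
    : > "$d/home/alice/.cache/blob"
    : > "$d/home/alice/notes.txt"
    : > "$d/srv/backup/2024/dump.tar"
    printf '%s\n' "$d"
}

demo() {
    tree=$(make_demo_tree)
    list=$(mktemp)
    # Constructed exclusion file: two working patterns and one common mistake
    # ("srv/backup" has no leading "/" or wildcard, so it excludes nothing).
    printf '%s\n' '*/logs' '*/home/*/.cache' 'srv/backup' > "$list"
    echo "Entries that can never match:"
    lint_exclude_file "$list"
    echo "Files still searched:"
    find_with_exclusions "$tree" "$list"
    rm -rf "$tree" "$list"
}

demo
```

Running lint_exclude_file on an exclusion list before attaching it to a scan catches entries that would silently exclude nothing.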

Preconfigured Advanced Settings

Certain Tenable-provided Nessus Scanner templates include preconfigured advanced settings, described in the following table. The preconfigured advanced settings are determined by both the template and the Mode that you select.

Template | Scan Type | Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan | – | All defaults

Basic Network Scan | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Basic Network Scan | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Basic Network Scan | Custom | All defaults

Credentialed Patch Audit | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Custom | All defaults

Host Discovery | – | –

Internal PCI Network Scan | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Custom | All defaults

Legacy Web App Scan | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Custom | All defaults

Mobile Device Scan | – | Debug Settings defaults

PCI Quarterly External Scan | Default (default)
• Performance options:
  ◦ 20 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected

PCI Quarterly External Scan | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

PCI Quarterly External Scan | Custom
• Performance Options (default options)
• Unix Find Command Exclusions (default options)

Configuration Scans

Audit Cloud Infrastructure | – | Debug Settings defaults

MDM Config Audit | – | –

Offline Config Audit | – | Debug Settings defaults

Policy Compliance Auditing | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Custom | All defaults

SCAP and OVAL Auditing | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Custom | All defaults

Tactical Scans

Badlock Detection | – | All defaults

Bash Shellshock Detection | – | All defaults

DROWN Detection | – | All defaults

Intel AMT Security Bypass | – | All defaults

Malware Scan | Default (default)
• Performance options:
  ◦ 30 simultaneous hosts (max)
  ◦ 4 simultaneous checks per host (max)
  ◦ 5 second network read timeout
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Malware Scan | Scan low bandwidth links
• Performance options:
  ◦ 2 simultaneous hosts (max)
  ◦ 2 simultaneous checks per host (max)
  ◦ 15 second network read timeout
  ◦ Slow down the scan when network congestion is detected
• Asset identification options:
  ◦ Create unique identifier on hosts scanned using credentials

Malware Scan | Custom | All defaults

Shadow Brokers Scan | – | All defaults

Spectre and Meltdown Detection | – | All defaults

WannaCry Ransomware Detection | – | All defaults

Credentials in Tenable Vulnerability Management Scans


You can use credentials to grant a Tenable Vulnerability Management scanner local access to scan a
target system without requiring an agent. Credentialed scans can perform a wider variety of checks
than non-credentialed scans, which can result in more accurate scan results. This approach
facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning
depends on the privileges granted to the user account. The more privileges the scanner has via the
login account (for example, root or administrator access), the more thorough the scan results.

In Tenable Vulnerability Management, you can create credentials for use in scans in the following
ways:

Category | Description | Permissions

Scan-specific
Description:
• You configure and store these credentials in an individual scan.
• If you delete the scan, you also delete the credentials.
• If you want to use the credentials in a different scan, you must either convert the scan-specific credential to a managed credential or recreate the scan-specific credential settings in the other scan.
Permissions: User Permissions in Basic settings in the scan

Template-specific
Description:
• You configure and store these credentials in a user-defined template. You can then use the template to create individual scans.
• If you add credentials to a user-defined template, other users can override those credentials by adding scan-specific or managed credentials to scans created from the template. Tenable recommends adding managed credentials to scans, instead of adding credentials to user-defined templates.
• If you delete the template, you also delete the template-specific credentials. However, Tenable Vulnerability Management retains the credentials in any scans you used the template to create before deletion.
• If you want to use the credentials in a different template, you must recreate the template-specific credentials in the other template.
Permissions: User Permissions in Basic settings in the template

Managed
Description:
• Tenable Vulnerability Management stores managed credentials centrally in the credential manager. You can configure managed credentials directly in the credential manager or during scan configuration. You can also convert a scan-specific credential to a managed credential during scan configuration.
• You can use managed credentials in multiple scans. You can also grant other users permissions to use managed credentials in scans.
• You cannot use managed credentials in templates.
Permissions: Configure User Permissions for a Credential

The settings you configure for a credential vary based on the credential type. Credential types
include:

• Cloud Services

• Database

• Host

• Miscellaneous

• Mobile Device Management

• Patch Management

• Plaintext authentication

For more information, see:

• Add a Credential to a Scan

• Edit a Credential in a Scan

• Convert a Scan-specific Credential to a Managed Credential

• Add a Credential to a User-defined Template

• Edit a Credential in a User-defined Template

Note: Tenable Vulnerability Management opens several concurrent authenticated connections. Ensure that
the host being audited does not have a strict account lockout policy based on concurrent sessions.

Note: By default, when creating credentialed scans or user-defined templates, hosts are
identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is
written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.
This option is enabled (by default) or disabled in the Advanced -> General Settings of a scan
configuration or template: Create unique identifier on hosts scanned using credentials.

Add a Credential to a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

In the event that a scan contains multiple instances of a single type of credential (SSH logins, SMB
logins, etc.), Tenable Vulnerability Management attempts to use them on a valid target in the order
that they were added to the scan configuration.

Note: The first credential that allows successful login is used to perform credentialed checks on the
target. After a credential provides successful login, Tenable Vulnerability Management does not try any of
the other credentials in the list, even if one of the latter credentials has a greater degree of access or
privileges.

To add a credential to a scan:

1. Create or edit a scan.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. Do one of the following:

Add an existing managed credential.


The Managed Credentials section of the Select Credential Type plane contains any
credentials where you have Can Use or Can Edit permissions.

a. (Optional) Search for a managed credential in the list by typing your search criteria in the
text box and clicking the button.

b. In the Managed Credentials section, click the button to display all managed
credentials.

c. Click each managed credential you want to add.

The Select Credential Type plane remains open.

d. To close the Select Credential Type plane, click the button in the upper-right corner
of the plane.

Add a scan-specific credential.


a. In the Select Credential Type plane, in any section except Managed Credentials, click
the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the individual credential configuration.

Add a new managed credential.
a. In any section of the Select Credential Type plane except the Managed Credentials
section, click the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the new managed credential.

d. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

e. In the first text box, type a name for the managed credential.

f. (Optional) In the second text box, type a brief description of the managed credential.

g. Configure user permissions for the managed credential.

5. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

Note: Upon saving, Tenable Vulnerability Management automatically orders the credentials by
ascending ID and groups the credentials by type.

6. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

Edit a Credential in a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a credential in a scan:

1. Edit a scan.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Do one of the following:

• For scan-specific credentials, configure the settings for the credential.

• For managed credentials:

a. Edit the name or description.

b. Configure the credential settings.

c. Configure user permissions for the managed credential.

Note: You can only view or edit settings for managed credentials where you have Can Edit
permissions.

5. Click Save to save your changes to the credential.

If you edited a managed credential, Tenable Vulnerability Management determines whether any other scans use the managed credential and prompts you to confirm the changes.

6. (Managed credentials only) Click Yes to save the changes to the managed credential.

7. Click Save to save your scan changes.

Add a Credential to a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Template Permissions: Can Configure

Before you add credentials to a user-defined template, consider the following:

• Other users can override template-specific credentials by adding scan-specific or managed credentials to scans created from the template. Tenable recommends adding managed credentials to scans, instead of adding credentials to user-defined templates.

• You cannot use managed credentials in user-defined templates. To use a single set of credentials for multiple scans, add managed credentials to scans, instead of adding credentials to user-defined templates.

Note: In scan configurations, the Scan-wide Credential Type settings are located in individual credentials.
In user-defined templates, these settings are located in the Authentication section of the Basic settings
for the template.

To add a template-specific credential:

1. Create or edit a template.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
template.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. In the Select Credential Type plane, click a credential type.

The settings plane for that credential type appears.

5. Configure the settings for the individual credential configuration.

6. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the template.

7. Click Save to save your template changes.

Tenable Vulnerability Management adds the credential to the credentials table for the
template.

Edit a Credential in a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Template Permissions: Can Configure

To edit a credential in a user-defined template:

1. Edit a user-defined template.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the template appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Configure the settings for the credential.

5. Click Save to save your changes to the credential.

6. Click Save to save your changes to the template.

Convert a Scan-specific Credential to a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Owner

A scan-specific credential can only be used in a single scan. To reuse a scan-specific credential in
multiple scans, convert it to a managed credential.

To convert a scan-specific credential:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, in the Vulnerability Management section, click Scans.

The Scans page appears.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, click the scan you want to edit.

The Scan Details page appears.

5. Next to the scan name, click the button.

The Update a Scan page appears.

6. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

7. In the credentials table, click the scan-specific credential you want to convert.

The credential settings plane appears.

8. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

9. In the first text box, type a name for the managed credential.

10. (Optional) In the second text box, type a brief description of the managed credential.

11. Configure user permissions for the managed credential.

12. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

13. Click Save to save your scan changes.

Cloud Services

Tenable Vulnerability Management can authenticate a scan using accounts in the cloud services
listed below.

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

AWS

| Option | Default Value | Description | Required |
|---|---|---|---|
| AWS Access Key IDS | – | The AWS access key ID string. | yes |
| AWS Secret Key | – | AWS secret key that provides the authentication for AWS Access Key ID. | yes |
| Scan-wide Credential Type Settings | | | |
| Regions to access | Rest of the World | In order for Tenable Vulnerability Management to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you need different credentials to audit account configuration for the China region than you do for the rest of the world. Possible regions include: GovCloud — If you select this region, you automatically select the government cloud (e.g., us-gov-west-1). Rest of the World — If you select this region, the following additional options appear: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-west-2, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1. China — If you select this region, the following additional options appear: cn-north-1, cn-northwest-1. | yes |
| HTTPS | Enabled | Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection. | no |
| Verify SSL Certificate | Enabled | Whether Tenable Vulnerability Management verifies the validity of the SSL digital certificate. | no |

Microsoft Azure

| Option | Default Value | Description | Required |
|---|---|---|---|
| Username | – | Username required to log in to Microsoft Azure. | yes |
| Password | – | Password associated with the username. | yes |
| Client Id | – | The application ID (also known as client ID) for your registered application. | yes |
| Scan-wide Credential Type Settings | | | |
| Subscription IDs | – | List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited. | no |

Rackspace

| Option | Default Value | Description | Required |
|---|---|---|---|
| Username | – | Username to log in. | yes |
| Password or API Key | – | Password or API key associated with the username. | yes |
| Authentication Method | API-Key | Select Password or API-Key from the drop-down box. | yes |
| Scan-wide Credential Type Settings | all locations selected | Location of the Rackspace Cloud instance. Possible locations include: | no |

• Dallas-Fort Worth (