0% found this document useful (0 votes)

192 views1,335 pages

Tenable Vulnerability Management-User Guide

Uploaded by

ELVIN TORRES C

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

192 views1,335 pages

Tenable Vulnerability Management-User Guide

Uploaded by

ELVIN TORRES C

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1335

Tenable Vulnerability Management

User Guide
Last Revised: December 03, 2024

Copyright © 2024 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents

Tenable Vulnerability Management User Guide 1

Welcome to Tenable Vulnerability Management 27

Get Started with Tenable Vulnerability Management 29

Prepare a Deployment Plan 30

Install and Link Scanners 30

Configure Scans 31

Additional Tenable Vulnerability Management Configurations 32

Review and Analyze 33

Expand 33

Expand into Tenable One 33

Tenable Vulnerability Management Licenses 35

System Requirements 41

Sensor Connection Requirements 41

Log in to Tenable Vulnerability Management 42

CVSS vs. VPR 43

CVSS 43

CVSS-Based Severity 44

CVSS-Based Risk Factor 45

Vulnerability Priority Rating 45

VPR Key Drivers 46

Vulnerability Severity Indicators 47

Vulnerability Mitigation 48

Vulnerability States 49

-2-
Log Out of Tenable Vulnerability Management 50

Navigate Tenable Vulnerability Management 51

Navigate Breadcrumbs 57

Navigate Planes 58

Tenable Vulnerability Management Tables 59

Tenable Vulnerability Management Workbench Tables 59

Filter a Table 62

Export Findings or Assets 64

Error Messages 67

Dashboards 80

Vulnerability Management Dashboard 80

Vulnerability Management Overview (Explore) 85

Tenable Web App Scanning Dashboard 90

View the Dashboards Page 91

Tenable-Provided Dashboards 92

Export a Full Dashboard Landing Page 93

Export an Individual Dashboard Widget 94

View an Individual Dashboard 94

View the Dashboard Template Library 96

Create a Dashboard 96

Preview a Dashboard 101

Enable Explore Dashboards 101

Manage Dashboards 103

Dashboard Groups 103

-3-
Add a Dashboard Group 103

Share a Dashboard Group 104

Edit a Dashboard Group 105

Delete a Dashboard Group 105

Automatically Update Widgets on a Dashboard 106

Edit a Dashboard 108

Set a Default Dashboard 110

Rename a Dashboard 111

Duplicate a Dashboard 112

Filter a Dashboard 113

Filter a Dashboard by Time 115

Share a Dashboard 115

Manage Dashboard Exports 117

Export a Dashboard 117

Download a Dashboard Export 122

View Dashboard Export History 123

Delete a Dashboard Export Download 123

Delete a Dashboard Export Configuration 124

Delete a Dashboard 125

Manage Widgets 126

View the Widget Library 126

Delete a Widget from the Widget Library 127

Create a Custom Widget 128

Create a Custom Widget for Explore Dashboards 131

-4-
Edit a Custom Widget 136

Add a Widget to a Dashboard 137

Configure a Widget 138

Duplicate a Widget 141

Rename a Widget 141

Delete a Widget from a Dashboard 142

Vulnerability Intelligence 143

Search Known Vulnerabilities 144

View Vulnerability Profiles 144

Vulnerability Information 145

How Does This Affect Me 149

Sources 150

Vulnerability Metrics 151

Identify Your Exposure 153

Use the Query Builder 154

Vulnerability Management Filters 157

Use Saved Queries 160

Export Results 162

CVEs 163

My Findings 165

My Affected Assets 166

Plugins 167

Tag Affected Assets 167

Vulnerability Categories 169

-5-
Exposure Response 171

Create Initiatives 171

Edit or Delete Initiatives 173

Review Initiatives 174

Findings on Assets 175

How Am I Doing? 176

What's New? 177

My Findings and Affected Assets 178

Export from Exposure Response 179

Tag Affected Assets 180

My Findings 182

My Affected Assets 183

Plugins 184

View the Combination Timeline 185

Manage Combinations 186

Create Combinations 187

Edit or Delete Combinations 188

Copy Shared Combinations 189

Use the Query Builder 189

Query Builder Filters 192

Use Saved Queries 196

Use Report Cards 198

Assets 201

Use the Assets Workbench 202

-6-
Host Assets 203

Cloud Resources 207

Web Applications 209

Domain Inventory 211

View Asset Details 213

Host Asset Details 214

Cloud Resource Details 220

Web Application Details 224

Domain Inventory Preview 227

Asset Filters 228

Open Ports and the Assets workbench 250

Working with Ports 251

Supported Plugins 251

Asset Widgets 252

Edit the ACR for Host Assets 253

Move Assets to Another Network 255

Remove and Prevent Duplicate Assets 256

Download Inventory Data 257

Delete Assets 258

Findings 260

Use the Findings Workbench 261

Vulnerabilities 262

Cloud Misconfigurations 265

Host Audits 267

-7-
Web Application Findings 268

View Finding Details 270

Vulnerability Details 271

Cloud Misconfiguration Details 281

Host Audit Details 286

Web Application Findings Details 290

Findings Filters 296

Group Your Findings 312

Create Recast Rules from Findings 318

Generate a Findings Report 321

Solutions 323

View Solutions 323

Solutions Filters 324

Export Solutions 326

View Solution Details 327

Scans 330

Manage Scans 330

Scans Overview 330

Create a Scan 331

View Scans 335

View Scan Details 337

View Scan Vulnerability Details 346

Scan Filters 347

Launch a Scan 348

-8-
Launch a Scan 349

Launch a Rollover Scan 350

Launch a Remediation Scan 351

Stop a Running Scan 358

Pause or Resume a Scan 359

Change Scan Ownership 360

Change the Scan Read Status 362

Edit a Scan Configuration 362

Configure vSphere Scanning 364

VMware vCenter Support Matrix 367

Copy a Scan Configuration 367

Export Scan Results 368

Import a Scan 372

Organize Scans by Folder 374

Move a Scan to the Trash Folder 378

Delete a Scan 380

Discovery Scans vs. Assessment Scans 382

Identify Assets That Have Not Been Assessed 384

Scan Failovers 386

Scan Status 386

Scan Templates 388

Tenable-Provided Tenable Nessus Scanner Templates 389

Tenable-Provided Tenable Nessus Agent Templates 394

Tenable-Provided Tenable Web App Scanning Templates 397

-9-
User-Defined Templates 399

Scan Settings 410

Tenable Vulnerability Management Scan Settings 412

Basic Settings in Tenable Vulnerability Management Scans 413

Basic Settings in User-Defined Templates 425

Triggered Agent Scans 433

Triggered vs. Window Scans 434

Find Triggered Scan Details 434

Scan Targets 435

Target Groups 439

Info-level Reporting 451

Description 451

Configuration 452

Limitations and Considerations 453

Discovery Settings in Tenable Vulnerability Management Scans 454

Preconfigured Discovery Settings 463

Assessment Settings in Tenable Vulnerability Management Scans 480

Preconfigured Assessment Settings 494

Report Settings in Tenable Vulnerability Management Scans 501

Advanced Settings in Tenable Vulnerability Management Scans 503

Preconfigured Advanced Settings 514

Credentials in Tenable Vulnerability Management Scans 522

Add a Credential to a Scan 524

Edit a Credential in a Scan 527

- 10 -
Add a Credential to a User-defined Template 528

Edit a Credential in a User-defined Template 529

Convert a Scan-specific Credential to a Managed Credential 529

Cloud Services 531

Database Credentials 534

DB2 534

MySQL 535

Oracle 535

PostgreSQL 536

SQL Server 537

Sybase ASE 538

Cassandra 538

MongoDB 539

Database Credentials Authentication Types 540

Client Certificate 540

Password 540

Import 542

BeyondTrust 542

CyberArk 543

CyberArk (Legacy) 545

Delinea 548

HashiCorp Vault 549

Lieberman 552

QiAnXin 555

- 11 -
Senhasegura 556

Host 557

Privilege Escalation 616

Miscellaneous 622

Mobile 629

Patch Management 634

Plaintext Authentication 644

Compliance in Tenable Vulnerability Management Scans 650

SCAP Settings in Tenable Vulnerability Management Scans 653

Configure Plugins in Tenable Vulnerability Management Scans 655

Tenable Web App Scanning Scan Settings 657

Basic Settings in Tenable Web App Scanning Scans 658

Scope Settings in Tenable Web App Scanning Scans 663

Assessment Settings in Tenable Web App Scanning Scans 667

Report Settings in Tenable Web App Scanning Scans 672

Advanced Settings in Tenable Web App Scanning Scans 673

Credentials in Tenable Web App Scanning Scans 679

Tenable Web App Scanning Selenium Commands 680

HTTP Server Authentication Settings in Tenable Web App Scanning Scans 683

Web Application Authentication 684

Client Certificate Authentication 688

Plugin Settings in Tenable Web App Scanning Scans 689

Scan Distribution 691

Scanner Capacity 693

- 12 -
Job Queues 693

Dispatching Tasks 694

Configure Scan Routing 695

Scan Best Practices 699

Introduction 699

General Best Practices 699

Role-Based Access Control (RBAC) 699

Credentialed Scanning 699

Proper Inventory of Assets 699

Deleting Assets 699

Agent Scanning 700

Scan Hygiene 700

API Scan Creation Best Practices 701

Duplication Challenges and Remedies 701

Server with Multiple NICs 701

Firewall and Layer 3 Switches 702

Agents and Non-Credentialed Scans 702

Ephemeral Assets 703

Scan Limitations 703

Agent Continuous Assessment Scanning 705

Reports 709

Report Templates 710

Report Settings 710

Create a Report 711

- 13 -
Generate a Report 713

View Report Details 714

Share Report Templates 716

Edit an Existing Report 717

Filter Reports 719

Schedule a Report 720

Email Report Results 725

Edit a Report Schedule 727

Delete a Report 728

Remediation 730

View Remediations 730

Remediation Filters 732

Remediation Projects 733

Create a New Remediation Project 734

Create a New Remediation Project From Findings 737

View Remediation Project Details 740

Remediation Project Details 741

Edit a Remediation Project 743

Activate a Remediation Project 744

Suspend a Remediation Project 745

Close a Remediation Project 747

Export Remediation Projects 748

Delete a Remediation Project 751

Remediation Goals 753

- 14 -
Fixed-Scope and Ongoing Remediation Goals 754

Create a New Remediation Goal 755

View Remediation Goal Details 758

Edit a Remediation Goal 759

Activate a Remediation Goal 761

Suspend a Remediation Goal 763

Close a Remediation Goal 764

Export Remediation Goals 766

Delete a Remediation Goal 770

Settings 773

General Settings 774

My Account 781

View Your Account Details 783

Update Your Account 786

Change Your Password 787

Configure Two-Factor Authentication 788

Generate API Keys 791

Unlock Your Account 793

SAML 793

View SAML Configurations 795

Add a SAML Configuration 797

Edit a SAML Configuration 801

Disable a SAML Configuration 805

Enable a SAML Configuration 806

- 15 -
Enable Automatic Account Provisioning 807

Disable Automatic Account Provisioning 808

Delete a SAML Configuration 809

License Information 810

Access Control 815

Users 815

Create a User Account 817

Edit a User Account 821

View Your List of Users 823

Tenable Vulnerability Management Password Requirements 825

Change Another User's Password 825

Assist a User with Their Account 826

Generate Another User's API Keys 827

Unlock a User Account 828

Disable a User Account 829

Enable a User Account 830

Manage User Access Authorizations 831

Audit User Activity 832

Export Users 833

Delete a User Account 836

User Groups 839

Create a User Group 840

Edit a User Group 842

Export Groups 844

- 16 -
Delete a Group 848

Permissions 849

Create and Add a Permission Configuration 852

Add a Permission Configuration to a User or Group 855

Edit a Permission Configuration 856

Export Permission Configurations 858

Remove a Permission Configuration from a User or Group 861

Delete a Permission Configuration 864

Roles 865

Tenable-Provided Roles and Privileges 867

Custom Roles 875

Create a Custom Role 880

Duplicate a Role 882

Edit a Custom Role 883

Delete a Custom Role 884

Export Roles 885

API Access Security 888

Activity Logs 890

Export Activity Logs 891

Access Groups 894

Transition to Permission Configurations 896

Convert an Access Group to a Permission Configuration 897

Access Group Types 899

Restrict Users for All Assets Group 899

- 17 -
Create an Access Group 901

Configure User Permissions for an Access Group 903

Edit an Access Group 907

View Assets Not Assigned to an Access Group 908

View Your Assigned Access Groups 909

Delete an Access Group 911

Access Group Rule Filters 912

Scan Permissions Migration 916

Language 917

Exports 918

Scheduled Exports 919

View Your Scheduled Exports 920

Disable a Scheduled Export 922

Enable a Disabled Scheduled Export 923

Edit a Scheduled Export 924

Delete a Scheduled Export 926

Export Activity 927

Filter your Exports 930

Export Filters 932

Renew an Export Expiration Date 934

Stop an Export 935

Download Export Activity 936

Export your Export Activity 937

Delete an Export 941

- 18 -
Recast Rules 942

About Recast and Accept Rules 943

About Change Result and Accept Rules 945

Create Recast Rules from Settings 946

Manage Recast Rules 949

Tags 952

Examples: Asset Tagging 955

Tag Format and Application 957

Create a Manual or Automatic Tag 958

Considerations for Tags with Rules 961

Tag Rules 962

Create a Tag Rule 962

Edit a Tag Rule 968

Delete A Tag Rule 970

Tag Rules Filters 971

Create a Tag via Asset Filters 979

Edit a Tag or Tag Category 980

Edit a Tag via Asset Filters 982

Add a Tag to an Asset 984

Remove a Tag from an Asset 987

Export Tags 990

Delete a Tag Category 995

Delete a Tag 996

Search for Assets by Tag from the Tags Table 998

- 19 -
Sensors 999

Agents 999

Agent Settings 1001

Modify Remote Agent Settings 1001

Modify Global Agent Settings 1011

Agent Groups 1012

Create an Agent Group 1013

Add an Agent to an Agent Group 1013

Edit an Agent Group 1015

Delete an Agent Group 1017

Remove an Agent from an Agent Group 1018

View Agents in an Agent Group 1019

Agent Group Filters 1020

Agent Profiles 1021

Add or Remove Agents from Agent Profiles 1031

Freeze Windows 1034

Create a Freeze Window 1035

Edit a Freeze Window 1035

Enable or Disable a Freeze Window 1036

Export Freeze Windows 1037

Delete a Freeze Window 1040

Retrieve the Tenable Nessus Agent Linking Key 1041

Download Linked Agent Logs 1042

Restart an Agent 1043

- 20 -
Unlink an Agent 1045

Rename an Agent 1046

View Linked Agent Health Events 1047

Health Event Troubleshooting 1051

Export Linked Agents 1053

Export Linked Agent Details 1056

Filter Agents 1059

Agent Filters 1061

Agent Status 1063

Plugin Updates 1063

Connection Disruptions 1064

Networks 1064

Create a Network 1066

View or Edit a Network 1067

Add a Scanner to a Network 1067

Remove a Scanner from a Network 1069

Add an Agent to a Network 1070

Remove an Agent from a Network 1073

Move Assets to a Network via Settings 1075

Delete Assets in a Network 1079

Delete Assets Manually 1079

Delete Assets Automatically 1080

Export Networks 1080

Delete a Network 1083

- 21 -
Linked Scanners 1085

View Linked Scanners 1086

Rename a Linked Scanner 1087

Download Linked Scanner Logs 1088

Export Linked Scanners 1089

Export Linked Scanner Details 1093

Differential Plugin Updates 1095

Scanner Groups 1096

Create a Scanner Group 1097

Modify a Scanner Group 1098

Configure User Permissions for a Scanner Group 1100

Delete a Scanner Group 1102

Add a Sensor to a Scanner Group 1103

Remove a Sensor from a Scanner Group 1105

View Sensors in a Scanner Group 1107

View All Running Scans for a Sensor 1107

OT Connectors 1108

Cloud Sensors 1111

Tenable FedRAMP Moderate Cloud Sensors 1114

Sensor Security 1115

Link a Sensor 1118

Regenerate a Linking Key 1125

View Sensors and Sensor Groups 1127

View Sensor Details 1129

- 22 -
Edit Sensor Settings 1130

Edit Sensor Permissions 1131

Enable or Disable a Sensor 1133

Remove a Sensor 1133

Credentials 1135

Create a Managed Credential 1135

Edit a Managed Credential 1138

Configure User Permissions for a Managed Credential 1139

Export Credentials 1141

Delete a Managed Credential 1144

Exclusions 1146

Create an Exclusion 1146

Edit an Exclusion 1147

Import an Exclusion 1147

Exclusion Import File 1148

Export an Exclusion 1150

Delete an Exclusion 1153

Exclusion Settings 1154

Connectors 1157

Amazon Web Services Connector 1158

Frictionless Assessment for AWS 1159

Operating System Coverage 1160

Licensing Considerations 1161

Supported Regions 1161

- 23 -
Limitations 1162

Get Started 1162

Configure AWS for Frictionless Assessment 1163

Create an AWS Connector for Frictionless Assessment 1165

Edit an AWS Frictionless Assessment Connector 1168

Manually Delete Connector Artifacts in AWS 1169

Update AWS Frictionless Assessment Connectors to Detect Log4j 1170

AWS Cloud Connector (Discovery Only) 1172

AWS Connector with Keyless Authentication (Discovery Only) 1173

Configure AWS for Keyless Authentication (Discovery Only) 1176

Create an AWS Connector with Keyless Authentication (Discovery Only) 1179

AWS Connector with Key-based Authentication 1181

Configure AWS for Key-based Authentication 1183

Configure Linked AWS Accounts for Key-based Authentication 1185

Create an AWS Connector with Key-based Authentication 1188

Microsoft Azure Connector 1189

Frictionless Assessment for Azure 1190

Create an Azure Connector for Frictionless Assessment 1193

Manually Delete Connector Artifacts from Azure Frictionless Assessment 1196

Azure Runbook Information 1197

Configure Microsoft Azure (Discovery Only) 1199

Create Azure Application 1199

Obtain Azure Tenant ID (Directory ID) 1205

Obtain Azure Subscription ID 1206

- 24 -
Grant the Azure Application Reader Role Permissions 1208

Link Azure Subscriptions 1213

Create a Microsoft Azure Connector 1217

Google Cloud Platform Connector 1220

Configure Google Cloud Platform (GCP) 1220

Create a Google Cloud Platform Connector (Discovery Only) 1225

Manage Existing Connectors 1227

Launch a Connector Import Manually 1227

View Connectors Details 1228

View Connector Event History 1230

Edit a Connector 1231

Delete a Connector 1234

Remove Frictionless Assessment 1235

Remove AWS Frictionless Assessment 1236

Remove Azure Frictionless Assessment 1238

Welcome to Tenable Lumin 1239

Get Started with Tenable Lumin 1239

Tenable Lumin Metrics 1243

Improve Your Tenable Lumin Metrics 1265

Edit an ACR Manually 1267

Tenable Lumin Data Timing 1270

View the Tenable Lumin Dashboard 1272

Export the Tenable Lumin Dashboard Landing Page 1274

Export a Widget from the Tenable Lumin Dashboard 1276

- 25 -
Update the Tenable Lumin Industry Benchmark 1278

Tenable Lumin Dashboard Widgets 1280

View the CES Details Panel 1291

View Assessment Maturity Details 1299

View Remediation Maturity Details 1306

View Business Context/Tag Asset Details 1313

View Mitigations Details in Tenable Lumin 1319

Plugins for Mitigation Detection 1323

Export Mitigations 1325

Mitigations Export File Contents 1326

View and Download Exported Mitigations 1327

View Recommended Actions 1328

Export Recommended Actions 1331

l Tenable Vulnerability Management Self Help Guide

l Tenable Vulnerability Management Introduction (Tenable University)

Tenable One Exposure Management Platform

Tenable One is an Exposure Management Platform to help organizations gain visibility across the
modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber
risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources,
containers, web apps, and identity systems, builds on the speed and breadth of vulnerability
coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and
communicate cyber risk. Tenable One allows organizations to:

l Gain comprehensive visibility across the modern attack surface

l Anticipate threats and prioritize efforts to prevent attacks

l Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of

the Tenable One Exposure Management platform.

Tip: For additional information on getting started with Tenable One products, check out the Tenable One
Deployment Guide.

- 27 -
Tenable Vulnerability Management
Video: Introduction to Tenable Vulnerability Management

Get Started with Tenable Vulnerability Management

By making different resources available for sharing among users and groups, Tenable Vulnerability
Management provides endless possibilities for creating customized workflows for vulnerability
management programs, regardless of any of the numerous regulatory or compliance drivers that
demand keeping your business secure.

Tenable Vulnerability Management can schedule scans, push policies, view scan findings, and
control multiple Tenable Nessus scanners from the cloud. This enables the deployment of Tenable
Nessus scanners throughout networks to both public and private clouds as well as multiple physical
locations.

Tenable Lumin
Get Started with Tenable Lumin

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Tenable Lumin features augment Tenable Vulnerability Management data. Use Tenable Lumin to
quickly and accurately assess your exposure risk and compare your health and remediation
performance to other Tenable customers in your Salesforce industry and the larger population.

Tenable Lumin correlates raw vulnerability data with asset business criticality and threat context
data to support faster, more targeted analysis workflows than traditional vulnerability management
tools.

Tenable Web App Scanning

Tenable Web App Scanning offers significant improvements over the existing Web Application
Tests policy template provided by the Tenable Nessus scanner, which is incompatible with modern
web applications that rely on Javascript and are built on HTML5. This leaves you with an incomplete
understanding of your web application security posture.

- 28 -
Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web
applications. Tenable Web App Scanning's accurate vulnerability coverage minimizes false positives
and false negatives, ensuring that security teams understand the true security risks in their web
applications. The product offers safe external scanning that ensures production web applications
are not disrupted or delayed, including those built using HTML5 and AJAX frameworks.

Tenable Container Security

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the
Tenable FedRAMP Moderate Product Offering.

Video: Introducing Tenable Container Security

Tenble Container Security stores and scans container images as the images are built, before
production. It provides vulnerability and malware detection, along with continuous monitoring of
container images. By integrating with the continuous integration and continuous deployment
(CI/CD) systems that build container images, Tenable Container Security ensures every container
reaching production is secure and compliant with enterprise policy.

Tenable Vulnerability Management API

See the API

The Tenable Vulnerability Management API can be leveraged to develop your own applications using
various features of the Tenable Vulnerability Management platform, including scanning, creating
policies, and user management.

Get Started with Tenable Vulnerability Management

Use the following getting started sequence to configure and mature your Tenable
Vulnerability Management deployment.

1. Prepare a Deployment Plan

2. Install and Link Scanners

3. Configure Scans

- 29 -
4. Additional Tenable Vulnerability Management Configurations

5. Review and Analyze

6. Expand

Tip: For additional information on Tenable Vulnerability Management, review the following customer
education materials:

l Tenable Vulnerability Management Self Help Guide

l Tenable Vulnerability Management Introduction (Tenable University)

Prepare a Deployment Plan

To establish a deployment plan and analysis workflow:

1. Review principles of the TCP/IP internet protocol suite. Tenable Vulnerability Management
documentation assumes you know basic networking concepts and principles.

2. Get your Tenable Vulnerability Management access information and starter account
credentials from your Tenable representative.

3. If necessary, access Tenable Support and training resources for Tenable Vulnerability
Management, including the Professional Services Scan Strategy guide.

4. Design a deployment plan by identifying your organization's objectives and analyzing your
network topology. Consider Tenable-recommended best practices for your environment.

For more information about environment requirements, see the guidelines provided for your
scanner in the General Requirements Guide. For more information about supported browsers
for Tenable Vulnerability Management, see System Requirements.

5. Design an internal scanning and external scanning plan. Identify the scans you intend to run
and ensure that you have sufficient network coverage.

6. Design an analysis workflow. Identify key stakeholders in your management and operational
groups, considering the data you intend to share with each stakeholder.

Install and Link Scanners

To install your scanners and link them to Tenable Vulnerability Management:

- 30 -
1. Log in to the Tenable Vulnerability Management user interface.

2. Set up your linked scanners:

l If your deployment plan includes Tenable Nessus scanners, install Tenable Nessus as
described in Install Tenable Nessus in the Tenable Nessus User Guide.

l If your deployment plan includes Tenable Nessus Agents, install agents as described in
Install Tenable Nessus Agents in the Tenable Nessus Agent Deployment and User Guide.

l If your deployment plan includes Tenable Nessus Network Monitor, install Tenable
Nessus Network Monitor as described in Install NNM in the Tenable Nessus Network
Monitor User Guide.
o Then, configure Tenable Nessus Network Monitor to communicate with Tenable
Vulnerability Management, as described in Configure NNM in the Tenable Nessus
Network Monitor User Guide.

l If your deployment plan includes Tenable Web App Scanning, install web applications as
described in Deploy or Install Tenable Core + Tenable Web App Scanning in the Tenable
Core User Guide.

Then, link your first scanners to Tenable Vulnerability Management, as described in Link a
Sensor.

Configure Scans

Configure and run basic scans to begin evaluating the effectiveness of your deployment
plan and analysis workflow:

Note: For information on how to configure scans based on your environment and business needs, see the
Tenable Vulnerability Management Scan Tuning Guide.

1. Configure your first active scan using the Basic Network Scan template:

a. Create a scanner group, as described in Create a Scanner Group.

b. Create a scan using the Basic Network Scan template, as described in Create a Scan.

2. Configure your first agent scan using the Basic Agent Scan template:

- 31 -
a. Create an agent group, as described in Create an Agent Group.

b. Create an agent scan using the Basic Agent Scan template, as described in Create a
Scan.

3. Launch your first Tenable Nessus scan and agent scan, as described in Launch a Scan.

4. Confirm your Tenable Nessus scan and agent scan completed, accessing all targeted areas of
your network. Review your discovered assets to assess your knowledge of your network.

Additional Tenable Vulnerability Management Configurations

Configure other features, if necessary, and refine your existing configurations:

1. Create user accounts and create user groups within your Tenable Vulnerability Management
container.

2. Create access groups to manage view and scan permissions for assets and targets.

3. Configure tags to organize, group, and control access to assets.

4. Set up asset discovery with connectors, Professional Services integrations, or integrated

products. For more information, see Connectors, the Custom Integration Services page, or
the Integration Guides section of the Tenable Vulnerability Management Documentation page.

5. Configure managed credentials, scan-specific credentials, or policy-specific credentials for a

Tenable Nessus scan, as described in Credentials. For more information about configuring
and troubleshooting credentialed scans, see Tenable Nessus Credentialed Checks.

a. Launch your credentialed Tenable Nessus scan and credentialed agent scan, as
described in Launch a Scan.

b. Confirm your credentialed scan completed, accessing all targeted areas of your
network.

6. If you want to assess your exposure, obtain a Tenable Lumin license.

7. If you want to perform web application scanning, obtain a Tenable Web App Scanning license.

8. If you want to evaluate risk on your containers, obtain a Tenable Container Security license.

9. Configure user Access Control to control what objects users can and cannot view and interact
with within Tenable Vulnerability Management.

- 32 -
Review and Analyze

Tip: Tenable recommends frequently reviewing your scan results and scan coverage. You may need to
modify your scan configurations to suit your organization's objectives and reach all areas of your network.

To review and analyze your data further, you can:

1. View your scans and individual scan details.

2. View and analyze your vulnerability and asset findings via the Findings and Assets pages.

3. Create a dashboard to gain immediate insight and quickly analyze vulnerabilities in your
network. Use interactive widgets and customizable tables to explore your data.

4. Filter your dashboards, assets, and findings to drill into data and investigate your progress.

5. Create recast or accept rules to recast or accept vulnerabilities discovered by scans.

6. Create a report to share scan and vulnerability information with others in your organization.

Expand

Tenable recommends the following as best practices to keep up to date with your
deployment plan and analysis workflow:
l Conduct weekly meetings to review your organization's responses to identified vulnerabilities.
Conduct weekly management meetings to oversee your teams executing the analysis
workflow.

l Review your scan results and scan coverage. You may need to modify your scan
configurations to suit your organization's objectives and reach all areas of your network.

l Consider API integrations, as described in the Tenable Vulnerability Management API

Documentation.

Expand into Tenable One

Note: This requires a Tenable One license. For more information about trying Tenable One, see Tenable One.

Integrate Tenable Vulnerability Management with Tenable One and leverage the following features:

- 33 -
l Review and customize your assets' ACR.

l Create new tags either in Tenable Vulnerability Management or within Tenable Inventory to
group your assets by how you want them to be reported on

l In Lumin Exposure View, gain critical business context by getting business-aligned cyber
exposure score for critical business services, processes and functions, and track delivery
against SLAs. Track overall VM risk to understand the risk contribution of assets to your
overall Cyber Exposure Score, including by asset class, vendor, or by tags.
o Review the Global exposure card to understand your holistic score. Click Per Exposure
to understand what factors are driving your score, and by how much.
o Review the Computing Resources exposure card.
o Configure the exposure view settings to set your Remediation SLA and SLA Efficiency
based on your company policy.
o Create a custom exposure card based on business context (for example, Business units,
Operating Systems, Asset Criticality, Physical Location, or Application).

l In Tenable Inventory, enhance asset intelligence by accessing deeper asset insights, including
related attack paths, tags, exposure cards, users, relationships, and more. Improve risk
scoring by gaining a more complete view of asset exposure, with an asset exposure score that
assesses total asset risk and asset criticality.
o Review your Tenable Vulnerability Management assets to understand the strategic
nature of the interface. This should help set your expectations on what features to use
within Tenable Inventory, and when.
o Review the Tenable Queries that you can use, edit, and bookmark.
o Familiarize yourself with the Global Search query builder and its objects and properties.
Bookmark custom queries for later use.

Tip: To get a quick view of what properties are available:

l In the query builder, type has. A list of suggested asset properties appears.
l Customize the list by adding a column. A list of available columns/properties appears.

- 34 -
o Drill down into the asset details page to view asset properties and all associated context
views.
o (Optional) Create a tag that combines different asset classes.

l In Attack Path Analysis, optimize risk prioritization by exposing risky attack paths that
traverse the attack surface, including web apps, IT, OT, IoT, identities, ASM, and prevent
material impact. Streamline mitigation by identifying choke points to disrupt attack paths with
mitigation guidance, and gain deep expertise with AI insights.
o View the Attack Path Analysis Dashboard for a high-level view of your vulnerable assets
such as the number of attack paths leading to these critical assets, the number of open
findings and their severity, a matrix to view paths with different source node exposure
score and ACR target value combinations, and a list of trending attack paths.
n Review the Top Attack Path Matrix and click the Top Attack Paths tile to view
more information about paths leading to your “Crown Jewels”, or assets with an
ACR of 7 or above.

You can adjust these if needed to ensure you’re viewing the most critical attack path
data and findings.
o On the Findings page, view all attack techniques that exist in one or more attack paths
that lead to one or more critical assets by pairing your data with advanced graph
analytics and the MITRE ATT&CK® Framework to create Findings, which allow you to
understand and act on the unknowns that enable and amplify threat impact on your
assets and information.
o On the Discover page, generate attack path queries to view your assets as part of
potential attack paths:
n Generate an Attack Path using a Built-in Query
n Generate an Asset Query using the Asset Query Builder
n Generate an Attack Path Query using the Attack Path Query Builder

Then, you can view and interact with the Attack Path Query and Asset Query data via the
query result list and the interactive graph.

Tenable Vulnerability Management Licenses

- 35 -
This topic breaks down the licensing process for Tenable Vulnerability Management as a standalone
product. It also explains how assets are counted, lists add-on components you can purchase,
explains how licenses are reclaimed, and notes plugins whose output is excluded from your license
count.

Licensing Tenable Vulnerability Management

To use Tenable Vulnerability Management, you purchase licenses based on your organizational
needs and environmental details. Tenable Vulnerability Management then assigns those licenses to
your assets: assessed resources from the past 90 days, either identified on scans or imported with
vulnerabilities (for example, servers, storage devices, network devices, virtual machines, or
containers).

When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click
and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more,
contact your Tenable representative.

How Assets Are Counted

When Tenable Vulnerability Management scans an asset, it compares it to previously discovered
assets. In general, if the new asset does not match a previously discovered asset and has been
assessed for vulnerabilities, it counts towards your license.

Tenable Vulnerability Management uses a complex algorithm to identify new assets without creating
duplicates. The algorithm looks at the asset’s BIOS UUID, MAC address, NetBIOS name, fully
qualified domain name (FQDN), and more. Authenticated scanners or agents also assign a Tenable
UUID to each asset to mark it as unique. For more information, see the Tenable Vulnerability
Management FAQ.

The following table describes when assets count towards your license.

- 36 -
Counted Towards Your License Not Counted Towards Your License

l An asset identified by an active scan. l A scan configured with the Host

Discovery template or configured to
l An asset identified by an agent scan.
use only the discovery plugins.
l An asset import containing
l An asset import containing no
vulnerabilities (for example, a scan result
vulnerabilities (for example,
from Tenable Nessus Professional).
ServiceNow data).
l Host and Tenable Web App Scanning
l A linked instance of Tenable Nessus
asset types, if the last licensed scan was
Network Monitor running in discovery
within the past 90 days.
mode.
l An asset identified by a scan with plugin
l A discovery-only connector, until and
debugging enabled. To prevent such
unless the asset is scanned for
assets from counting against your
vulnerabilities Scanned Mobile Device
license, delete them.
Management assets.

l Some plugin output, as described in

Excluded Plugin Output.

Tenable Vulnerability Management Components

You can customize Tenable Vulnerability Management for your use case by adding components.
Some components are add-ons that you purchase.

Included with Purchase Add-on Component

l Unlimited Tenable Nessus scanners. l Tenable PCI ASV.

l Unlimited Tenable Nessus Agents. l Tenable Attack Surface

Management.
l Unlimited Tenable Nessus Network Monitors with
vulnerability detection.

l Access to the Tenable Vulnerability Management API.

Reclaiming Licenses

- 37 -
When you purchase licenses, your total license count is static for the length of your contract unless
you purchase more licenses. However, Tenable Vulnerability Management reclaims licenses under
some conditions—and then reassigns them to new assets so that you do not run out of licenses.

The following table explains how Tenable Vulnerability Management reclaims licenses.

Asset Type License Reclamation Process

Deleted assets Tenable Vulnerability Management removes deleted assets from the Assets
workbench and reclaims their licenses within 24 hours.

Aged out In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable
assets Vulnerability Management reclaims assets after they have not been scanned
for a period you specify.

Assets from Tenable Vulnerability Management reclaims assets from connectors the day
connectors after they are terminated. You can observe this event in each connector.

All other Tenable Vulnerability Management reclaims all other assets—such as those
assets imported from other products or assets with no age-out setting—after they
have not been scanned for 90 days.

Exceeding the License Limit

To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated
threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed,
Tenable clearly communicates the overage and then reduces functionality in three stages.

Scenario Result

You scan more assets than are A message appears in Tenable Vulnerability
licensed for three consecutive days. Management.

You scan more assets than are A message and warning about reduced functionality
licensed for 15+ days. appears in Tenable Vulnerability Management.

You scan more assets than are A message appears in Tenable Vulnerability
licensed for 45+ days. Management; scan and export features are disabled.

- 38 -
Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated
asset counts. To learn more, see Scan Best Practices.

Expired Licenses
The Tenable Vulnerability Management licenses you purchase are valid for the length of your
contract. 30 days before your license expires, a warning appears in the user interface. During this
renewal period, work with your Tenable representative to add or remove products or change your
license count.

After your license expires, you can no longer sign in to the Tenable platform.

Excluded Plugin Output

The plugins listed in this section do not count towards your license limit.

Note: Plugin IDs are static, but Tenable products may sometimes update plugin names. For the latest
information on plugins, see Tenable Plugins.

Tenable Nessus Plugins in Discovery Settings

Configure the following Tenable Nessus plugins in Discovery Settings. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

10180 Ping the remote host

10335 Nessus TCP scanner

11219 Nessus SYN scanner

14274 Nessus SNMP Scanner

14272 Netstat Portscanner (SSH)

34220 Netstat Portscanner (WMI)

34277 Nessus UDP Scanner

Tenable Nessus Plugins on the Plugins Page

- 39 -
Configure the following Tenable Nessus plugins on the Plugins page. These plugins do not count
towards your license.

Tenable Nessus Plugin ID Plugin Name

45590 Common Platform Enumeration (CPE)

54615 Device Type

12053 Host Fully Qualified Domain Name (FQDN)

11936 OS Identification

10287 Traceroute Information

22964 Service Detection

11933 Do not scan printers

87413 Host Tagging

19506 Nessus Scan Information

33812 Port scanners settings

33813 Port scanner dependency

209654 OS Fingerprints Detected

Tenable Nessus Network Monitor Plugins

The following Tenable Nessus Network Monitor plugins do not count towards your license.

Tenable Nessus Network Monitor Plugin ID Plugin Name

0 Open Ports

12 Host TTL discovered

18 Generic Protocol Detection

19 VLAN ID Detection

20 Generic IPv6 Tunnel Traffic Detection

- 40 -
113 VXLAN ID Detection

132 Host Attribute Enumeration

System Requirements

Display Settings
Minimum screen resolution: 1440 x 1024

Supported Browsers
Tenable Vulnerability Management supports the latest versions of the following browsers.

Note: Before reporting issues with Tenable Vulnerability Management, ensure your browser is up to date.

l Google Chrome

l Apple Safari

l Mozilla Firefox

l Microsoft Edge

Note: Tenable Vulnerability Management is not supported on mobile browsers.

Sensor Connection Requirements

Tenable Vulnerability Management requires access to specific addresses and ports for inbound and
outbound traffic with Tenable Nessus scanners, Tenable Nessus Agents, and Tenable Sensor Proxy:

l [Link]/32

l [Link]

- 41 -
l [Link]

l [Link]

l *.[Link] with the wildcard character (*) to allow [Link] and all
subdomains, such as [Link]

Tip: For information about the port requirements for Tenable Security Center, Tenable Nessus
scanners, and Tenable Nessus Agents, see the following topics:
l Tenable Security Center Port Requirements
l Tenable Nessus Port Requirements
l Tenable Nessus Agent Port Requirements

Log in to Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: If you bookmark a Tenable Vulnerability Management page within your browser, you must still log in
before accessing the bookmarked page.
In some cases, you may also need to navigate through the Workspace page and navigate to the Tenable
Vulnerability Management application before accessing the bookmarked page.

Before you begin:

l Obtain credentials for your Tenable Vulnerability Management user account.

Note: If you are an administrator logging in to your Tenable Vulnerability Management instance for
the first time, Tenable provides your first-time credentials during setup. After you log in for the first
time, you can set your new password. If you are logging in to Tenable Vulnerability Management after
initial setup, your username is the email address you used to register for your Tenable Vulnerability
Management account.

l Review the System Requirements in the General Requirements User Guide and confirm that
your computer and browser meet the requirements.

Note: If your account is configured to use SAML, you can log in to Tenable Vulnerability Management
directly through your SAML provider. For more information, see SAML.

- 42 -
To log in to Tenable Vulnerability Management:

1. In a supported browser, navigate to [Link]

The Tenable Vulnerability Management login page appears.

2. In the username box, type your Tenable Vulnerability Management username.

3. In the password box, type the Tenable Vulnerability Management password you created during
registration.

4. (Optional) To retain your username for later sessions, select the Remember Me check box.

5. Click Sign In.

The Workspace page appears.

Note:Tenable Vulnerability Management logs you out after a period of inactivity (typically, 30
minutes).

CVSS vs. VPR

Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the
Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated
for a vulnerability associated with the plugin.
For Tenable Lumin-specific information about VPR and the other Tenable Lumin metrics, see
Tenable Lumin Metrics.

CVSS
Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved
from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS
scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the
CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors, Tenable
independently calculates the Risk Factor.

Tenable Vulnerability Management imports a CVSS score every time a scan sees a vulnerability.

- 43 -
CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

Tenable Vulnerability Management analysis pages provide summary information about

vulnerabilities using the following CVSS categories. For more information about the icons used for
each severity, see Vulnerability Severity Indicators.

Severity CVSSv2 Range CVSSv3 Range CVSSv4 Range

Critical The plugin's highest The plugin's highest The plugin's highest
vulnerability CVSSv2 vulnerability CVSSv3 vulnerability CVSSv4
score is 10.0. score is between 9.0 score is between 9.0
and 10.0. and 10.0.

High The plugin's highest The plugin's highest The plugin's highest
vulnerability CVSSv2 vulnerability CVSSv3 vulnerability CVSSv4
score is between 7.0 score is between 7.0 score is between 7.0
and 9.9. and 8.9. and 8.9.

Medium The plugin's highest The plugin's highest The plugin's highest
vulnerability CVSSv2 vulnerability CVSSv3 vulnerability CVSSv4
score is between 4.0 score is between 4.0 score is between 4.0
and 6.9. and 6.9. and 6.9.

Low The plugin's highest The plugin's highest The plugin's highest
vulnerability CVSSv2 vulnerability CVSSv3 vulnerability CVSSv4
score is between 0.1 score is between 0.1 score is between 0.1
and 3.9. and 3.9. and 3.9.

Info The plugin's highest The plugin's highest The plugin's highest
vulnerability CVSSv2 vulnerability CVSSv3 vulnerability CVSSv3
score is 0. score is 0. score is 0.

- or - - or - - or -

The plugin does not The plugin does not The plugin does not
search for search for search for

- 44 -
vulnerabilities. vulnerabilities. vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin
and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability
Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS
scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a
custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Video: Vulnerability Priority Rating in Tenable Vulnerability Management

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive
a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

- 45 -
Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:

l The Tenable-provided Vulnerability Management Overview dashboard

l The Vulnerabilities by Plugin plane

l The Vulnerabilities by Plugin (Classic) page

VPR Key Drivers

You can view the following key drivers to explain a vulnerability's VPR.

Note:Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver Description

Age of Vuln The number of days since the National Vulnerability Database (NVD) published
the vulnerability.

CVSSv3 The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did
Impact not provide a score, Tenable Vulnerability Management displays a Tenable-
Score predicted score.

Exploit Code The relative maturity of a possible exploit for the vulnerability based on the
Maturity existence, sophistication, and prevalence of exploit intelligence from internal
and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The
possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit
Code Maturity categories.

Product The relative number of unique products affected by the vulnerability: Low,
Coverage Medium, High, or Very High.

Threat A list of all sources (e.g., social media channels, the dark web, etc.) where
Sources threat events related to this vulnerability occurred. If the system did not
observe a related threat event in the past 28 days, the system displays No

- 46 -
recorded events.

Threat The relative intensity based on the number and frequency of recently observed
Intensity threat events related to this vulnerability: Very Low, Low, Medium, High, or
Very High.

Threat The number of days (0-180) since a threat event occurred for the vulnerability.
Recency

Threat Event Examples

Common threat events include:

l An exploit of the vulnerability

l A posting of the vulnerability exploit code in a public repository

l A discussion of the vulnerability in mainstream media

l Security research about the vulnerability

l A discussion of the vulnerability on social media channels

l A discussion of the vulnerability on the dark web and underground

l A discussion of the vulnerability on hacker forums

Vulnerability Severity Indicators

The Tenable Vulnerability Management interface uses different icons for each severity category and
accepted or recasted status.

Icon Category And

Critical You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Critical.

- 47 -
High You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to High.

Medium You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Medium.

Low You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Low.

Info You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Info.

Vulnerability Mitigation
Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed.
When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability
remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the
Fixed category.

Active Vulnerabilities
Active vulnerabilities are any vulnerabilities in the New, Active, or Resurfaced states. For more
information, see Vulnerability States.

Fixed Vulnerabilities
The Fixed category contains vulnerabilities that Tenable Vulnerability Management determines are
not vulnerable, based on the scan definition, the results of the scan, and authentication

- 48 -
information. To be considered for mitigation, a vulnerability must be active and successfully
authenticated.

A vulnerability is mitigated when:

l The vulnerability's IP address or another combination of identifying attributes (IAs) is on the

scan's target list. For more information on IAs, see the Tenable Community.

l The vulnerability's plugin ID is listed in the scan policy.

l The vulnerability's port is on the list of scanned ports.

l A vulnerability with that combination of IP address, port, protocol, and plugin ID is not listed in
the scan results.

Mitigation Exceptions
Note the following exceptions for vulnerability mitigation:

l Vulnerabilities identified during a thorough scan by a plugin with the thorough_tests attribute
can only be mitigated by another thorough scan.

l Vulnerabilities identified during a paranoid scan by a plugin with the requires_paranoid_

scanning attribute can only be mitigated by another paranoid scan.

l Vulnerabilities discovered by a local or combined plugin reported on port 0 or 445 via a

credential scan can only be mitigated by another credential scan.

l The list of scanned ports can be expanded to “all” ports when one of the following plugins
triggered the host:14272 (SSH netstat), 34220 (WMI netstat), 14274 (SNMP).

l Agent scans cannot mitigate vulnerabilities discovered by a combined type plugin reported on
a remote port (not 0/445).

Vulnerability States
Tenable assigns a state to vulnerabilities detected on your network. You can track and filter by
vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.
To filter for vulnerabilities by their state, use the Findings workbench.

- 49 -
Vulnerability
Description
State

New Indicates that Tenable Vulnerability Management detected the vulnerability

once.

Active Indicates that Tenable Vulnerability Management detected the vulnerability

more than once.

Note: When you filter for Active vulnerabilities, Tenable Vulnerability

Management also returns New vulnerabilities. For filtering purposes, New is a
subcategory of Active.

Fixed Indicates that Tenable Vulnerability Management detected the vulnerability

on a host, but no longer detects it.

Note: To view Fixed vulnerabilities by date range, use the Last Fixed filter.

Resurfaced Indicates that Tenable Vulnerability Management previously marked the

vulnerability as Fixed, but has detected it again. When a vulnerability is
Resurfaced, it remains in this state until a scan identifies the vulnerability
as remediated. Then, the vulnerability returns to Fixed.

Note: The API uses different terms for vulnerability states than the user interface. In the API, the new and
active states are both labeled as open. The resurfaced state is labeled as reopened. The fixed state is the
same.

Log Out of Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To log out of Tenable Vulnerability Management:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

- 50 -
2. Click Sign Out.

Navigate Tenable Vulnerability Management

Tenable Vulnerability Management includes several helpful shortcuts and tools that highlight
important information and help you to navigate the user interface more efficiently:

Quick Actions Menu

The quick actions menu displays a list of the most commonly performed actions.

To access the quick actions menu:

1. In the upper-right corner, click the Quick Actions button.

The quick actions menu appears.

2. Click a link to begin one of the listed actions.

Resource Center

The Resource Center displays a list of informational resources including product announcements,
Tenable blog posts, and user guide documentation.

To access the Resource Center:

- 51 -
1. In the upper-right corner, click the button.

The Resource Center menu appears.

2. Click a resource link to navigate to that resource.

Notifications

In Tenable Vulnerability Management, the Notifications panel displays a list of system notifications.
The button shows the current number of unseen notifications. When you open the Notifications
panel, Tenable Vulnerability Management marks those notifications as seen. Once you have seen a
notification, you can clear it to remove it from the Notifications panel.

- 52 -
Note:Tenable Vulnerability Management groups similar notifications together.

To view notifications:

l In the upper-right corner, click the button.

The Notifications panel appears and displays a list of system notifications.

In the Notifications panel, you can do the following:

o To clear one notification, next to the notification, click the button.

o To expand a group of notifications, at the bottom of the grouped notification, click More
Notifications.
o To collapse an expanded group of notifications, at the top of the expanded notifications,
click Show Less.
o To clear an expanded group of notifications, at the top of the expanded notifications,
click Clear Group.
o To clear all notifications, at the bottom of the panel, click Clear All.

Settings Icon

Click the button to navigate directly to the Settings page, where you can configure your system
settings.

Workspace

When you log in to Tenable, the Workspace page appears by default. On the Workspace page, you
can switch between your Tenable applications or set a default application to skip the Workspace
page in the future. You can also switch between your applications from the Workspace menu,
which appears in the top navigation bar.

Important: Tenable disables application tiles for expired applications. Tenable removes expired application
tiles from the Workspace page and menu 30 days after expiration.

Open the Workspace Menu

- 53 -
To open the Workspace menu:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. Click an application tile to open it.

View the Workspace Page

To view the Workspace page:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. In the Workspace menu, click Workspace.

- 54 -
The Workspace page appears.

Set a Default Application

When you log in to Tenable, the Workspace page appears by default. However, you can set a default
application to skip the Workspace page in the future.

By default, users with the Administrator, Scan Manager, Scan Operator, Standard, and Basic roles can set
a default application. If you have another role, contact your administrator and request the Manage
permission under My Account. For more information, see Custom Roles.

To set a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to choose, click the button.

A menu appears.

- 55 -
3. In the menu, click Make Default Login Page.

This application now appears when you log in.

Remove a Default Application

To remove a default login application:

1. Log in to Tenable.

The Workspace page appears.

2. In the top-right corner of the application to remove, click the button.

A menu appears.

3. Click Remove Default Login Page.

The Workspace page now appears when you log in.

User Account Menu

The user account menu provides several quick actions for your user account.

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

- 56 -
2. Do one of the following:

l Click My Profile to configure your own user account. You navigate directly to the My
Account settings page. See My Account for more information.

l Click Sign out to sign out of Tenable Vulnerability Management.

l Click What's new to navigate directly to the Tenable Vulnerability Management Release
Notes.

l Click View Documentation to navigate directly to the Tenable Vulnerability Management

User Guide documentation.

For additional information about navigating the Tenable Vulnerability Management interface, see
the following topics:

Navigate Breadcrumbs

Navigate Planes

Tenable Vulnerability Management Tables

Export Findings or Assets

Navigate Breadcrumbs

- 57 -
In the Tenable Vulnerability Management interface, certain pages display breadcrumbs in the top
navigation bar. From left to right, the breadcrumbs show the path of pages you visited to reach your
current page:

To navigate breadcrumbs:
l In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Navigate Planes
Tenable Vulnerability Management combines fixed pages with overlapping planes.

To navigate planes in the new interface:

1. Access a plane using one of the following methods:

l Click a widget on a dashboard.

l
Use the left navigation plane as follows:
a. In the upper-left corner, click the button.

The left navigation plane appears.

b. In the left navigation plane, click a menu option.

With the exception of the left navigation plane, planes open from the right side of the screen.

2. Manipulate a plane using the following buttons at the left edge of the plane:

Button Short Name Action

expand Expand a plane. Some planes can expand to full screen.

retract Retract an expanded plane to its default size.

close Close a plane.

expand preview Expand a preview plane.

- 58 -
retract preview Retract an expanded plane to the preview plane.

3. Return to a previous plane or page (and close a new plane or planes) by clicking the previous
plane.

Tenable Vulnerability Management Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management Workbench Tables

Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section. These tables feature search and navigational
capabilities. They also include the ability to drag and drop columns in any order, change column
width, and sort the data in multiple columns at one time. For more information, see Tenable
Vulnerability Management Workbench Tables.

Explore Tables
Explore tables are any tables within the Explore section in the Tenable Vulnerability Management
user interface. They include many of the features of Tenable Vulnerability Management Workbench
tables, but include additional customization and filtering capabilities. For more information, see
Explore Tables.

Tenable Vulnerability Management Workbench Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: Customizable tables also include the ability to access the actions buttons by right-clicking a table
row. To access your browser menu, press the Ctrl key and right-click.

Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section.

To interact with a Tenable Vulnerability Management workbench table:

- 59 -
1. View a workbench table.

2. Do any of the following:

l
Navigate the table:
o To adjust the sort order, click a column title.

Tenable Vulnerability Management sorts all pages of the table by the data in the
column you selected.
o In Tenable Vulnerability Management, to increase or decrease the number of rows
displayed per page, click Results per page and select a number.

Tenable Vulnerability Management refreshes the table.

o To view all action buttons available in a table row, click the button.

This button appears instead of individual action buttons if 5 or more actions are
possible for the row.
o To navigate to another page of the table, click the arrows:

Button Action

Navigate to the first page of the table.

Navigate to the previous or next page of the table.

Navigate to the last page of the table.

Note: Due to limitations, the total number of findings is not always known past the 1000
limit. In this case, the table may display a modified interface, changes in pagination
labeling, and a disabled last page navigation button.

l
Search the table:
In the new interface, a search box appears above individual tables in various pages and
planes. In some cases, the search box appears next to the Filters box.

- 60 -
a. In the Search box, type your search criteria.

Your search criteria depends on the type of data in the table you want to search.

b. Click the button.

Tenable Vulnerability Management filters the table by your search criteria.

l To change the column order, drag and drop a column header to another position in the
table.

l
Remove or add columns:
a. Roll over any column.

The button appears in the header.

b. Click the button.

A column selection box appears.

c. Select or clear the check box for any column you want to show or hide in the table.

Tip: Use the search box to quickly find a column name.

The table updates based on your selection.

l
Adjust column width:
a. Roll over the header between two columns until the resize cursor appears.

Click and drag the column width to the desired width.

Tip: To automatically resize a column to the width of its content, double-click the right
side of the column header.

l To sort data in the table, click a column header.

Tenable Vulnerability Management sorts all pages of the table by the data in the column
you selected.

- 61 -
l To sort data in the table by multiple columns, press Shift and click one or more column
headers.

Note: Not all tables or columns support sorting by multiple columns.

Tenable Vulnerability Management sorts all pages of the table in the order in which you
selected the columns.

Filter a Table

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, a Filters box appears above individual tables in various pages
and planes.

To filter a table:

1. Next to Filters, click the button.

The filter settings appear.

2. (Optional) In Tenable Vulnerability Management, to quick-select filters, click Select Filters.

A drop-down list appears.

a. In the drop-down list, search for the filter you want to apply.

The list updates based on your search criteria.

b. Select the check box next to the filter or filters you want to apply.

The selected filters appear in the filter section.

3. In the Select Category drop-down box, select an attribute.

For example, you might select Severity if filtering findings or Asset ID if filtering assets.

4. In the Select Operator drop-down box, select an operator.

Note: When using the contains or does not contain operators, use the following best
practices:

- 62 -
l For the most accurate and complete search results, use full words in your search
value.
l Do not use periods in your search value.
l Remember that when filtering assets, the search values are case sensitive.
l Where applicable, Tenable recommends using the contains or does not contain
instead of the is equal to or is not equal to operators.

5. In the Select Value box, do one of the following:

Value Type Action

Text Type the value on which you want to filter.

An example of the expected input is present in the box until you start
typing. If what you type is invalid for the attribute, a red outline appears
around the text box.

Single valid If a default value is associated with the attribute, Tenable Vulnerability
value Management selects the default value automatically.

To change the default value, or if there is not an associated default value

present:

a. Click the box to display the drop-down list.

b. Search for and select one of the listed values.

Multiple To select one or more values:

valid values
a. Click the box to display the drop-down list.

b. Search for and select a value.

The selected value appears in the box.

c. Repeat until you have selected all appropriate values

d. Click outside the drop-down list to close it.

To deselect values:

- 63 -
a. Roll over the value you want to remove.

The button appears over the value.

b. Click the button.

The value disappears from the box.

6. (Optional) In the lower-left corner of the filter section:

l To add another filter, click the Add button.

l To clear all filters, click the Reset Filters button.

7. Click Apply.

Tenable Vulnerability Management applies your filter or filters to the table.

8. (Optional) Save your filter or filters for later use.

9. (Optional) Clear the filters you applied:

a. In the table header, click Clear All Filters.

Tenable Vulnerability Management clears all filters from the table, including saved
searches.

Note: Clearing filters does not change the date range selected in the upper-right corner of the
page. For more information, see Tenable Vulnerability Management Tables.

Export Findings or Assets

You can export data from the Findings and Assets workbenches to CSV or JSON. While these
workbenches contain different data, the basic export process is the same.

To export findings or assets:

1. Do one of the following:

l In the left navigation, click Findings.

The Findings workbench appears.

- 64 -
l In the left navigation, click Assets.

The Assets workbench appears.

2. In the left navigation plane, under Explore, do one of the following:

l To export your organization's scanned vulnerability findings, click Findings.

The Findings workbench appears.

l To export your organization's scanned assets, click Assets.

The Assets workbench appears.

3. Refine the displayed data, as described in Use Filters.

Note: On the Findings workbench, when using the Group By filter, you can only export five findings
at a time.

Note: On the Assets workbench, the Asset ID, Last Authenticated Scan, Last Licensed Scan, and
Source fields are required.

4. Select the check boxs next to the findings or assets to export.

Note: You can manually select up to 200 findings or assets. Otherwise, you must select them all.

5. In the action bar, click Export.

The Export plane appears.

Option Description

Name Type a name for the export.

Formats Select an export format:

l CSV – A CSV file that you can open in a spreadsheet

application such as Microsoft Excel.

Note: For findings exports, the system automatically trims cells

longer than 32,000 characters so they appear correctly in

- 65 -
Microsoft Excel. Select Untruncated Data to disable this.

Note: If your export file contains a cell starting with any of the
following characters (=, +, -, @), the system adds a single quote
(') at the beginning of the cell. For more information, see the
Knowledge Base.

l JSON – A JSON file containing a nested list of findings, with

no empty fields.

Configurations Select the fields to include:

l Under Select Field Set, search for or select the fields to add
to your export.

l To view only selected fields, click View Selected.

l In the Expiration box, type the number of days before the

export file ages out.

Note: In asset exports, Asset ID, Last Authenticated Scan, Last

Licensed Scan, and Source are required.

Schedule Turn on the Schedule toggle to schedule your export:

a. In the Start Date and Time section, choose the date and time
for the export.

b. In the Time Zone drop-down, choose a time zone.

c. In the Repeat drop-down, choose the cadence on which you

want the export to repeat (for example, daily).

d. In the Repeat Ends drop-down, choose the date when

exports end. If you select Never, the export repeats until you
modify or delete it.

Email Turn on the Email Notification toggle to send email notifications:

Notifications

- 66 -
a. In the Add Recipients box, type the emails to notify.

b. In the Password box, type a password for the export file.

Share this password with the recipients so they can download
the export file.

6. Click Export.

Depending on size, the export file may take several minutes to process. When processing
completes, the file downloads to your computer.

Tip: If you close the Export plane before the download completes, you can access the completed
export file in Settings > Exports.

Error Messages
For Tenable Vulnerability Management API status codes, see the Tenable Developer Portal.

Scanning
The following table describes the scanning error messages that may appear in Tenable Vulnerability
Management.

Some scanning errors occur when you exceed the following Tenable Vulnerability Management
scanning limitations:

Scan Limitations

The following table describes scanning limitations in Tenable Vulnerability Management:

Limitation Description

Targeted IP Tenable Vulnerability Management limits the number of IP addresses or

addresses or hostnames you target with a single assessment scan (for more
hostnames per information, see Discovery Scans vs. Assessment Scans). The host target
assessment scan limit is 10 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000,

Tenable Vulnerability Management does not allow you to target more than

- 67 -
10,000 hostnames or IP addresses in a single assessment scan. If you
exceed the limit, Tenable Vulnerability Management aborts the scan.

Targeted IP Tenable Vulnerability Management limits the number of IP addresses or

addresses or hostnames you target with a single discovery scan (for more information,
hostnames per see Discovery Scans vs. Assessment Scans). The host target limit is 1,000
discovery scan times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000,

Tenable Vulnerability Management does not allow you to target more than
1,000,000 hostnames or IP addresses in a single discovery scan. If you
exceed the limit, Tenable Vulnerability Management aborts the scan.

Host scan results Tenable Vulnerability Management limits the number of live hosts for
per scan which a single scan can generate scan results for. The live host scan
results limit is 1.1 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000,

Tenable Vulnerability Management does not allow you to generate scan
results for more than 1,100 live hosts from a single scan. If you exceed the
limit, Tenable Vulnerability Management aborts the scan. Tenable
Vulnerability Management does not apply the live host scan result limit to
discovery scans.

Tenable Vulnerability Management also limits the number of dead hosts

for which a single scan can generate scan results for. The dead host scan
results limit is 100 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000,

Tenable Vulnerability Management does not allow you to generate scan
results for more than 100,000 dead hosts from a single scan. If you
exceed the limit, Tenable Vulnerability Management aborts the scan.

Targeted IP You cannot specify more than 300,000 comma-separated IP addresses or

addresses or ranges when configuring a scan’s targets.
ranges per scan

Active scans You cannot have more than 25 scans running in your container

- 68 -
simultaneously.

Scan chunks Tenable Vulnerability Management limits scan chunks to 10,000 hosts,
150,000 findings, or 7 GB in total size. If a scan chunk exceeds any of
these values, Tenable Vulnerability Management does not process the
scan and eventually aborts it.

Note: This limits items like MDM assessments, importing Nessus files, and
very large Auto Discovery scenarios (for example, VMware) to individual scans
with less than 10,000 assessed targets.

Scan Tenable Vulnerability Management limits the number of scan

configurations configurations you can create to 10,000 scans. Tenable recommends re-
using scheduled scans instead of creating new scans. This approach
helps to avoid latency issues in the user interface.

For more information about creating, modifying, and launching scans, see Manage Scans. For more
information about scan status values, see Scan Status.

Warning Message Recommended Action

Account Target The target count exceeds the limit You reached the maximum scan
Limit for this account. Please contact target limit. To increase your scan
customer support to upgrade your target limit by upgrading your
license. license, contact Tenable Support.

Agent Group Unexpected error retrieving the

Error agent groups.

Agent Group The owner does not have access to You do not have access to all the
Permissions all of the configured agent groups. agent groups selected for this scan.
Select the correct groups. For more
information, see Agent Groups.

Agent Scan Tenable Vulnerability Management Re-scan the affected agent.

Indexing Error aborted a scan task after an
unexpected error during indexing.
You may need to re-scan the
agent: [agent name].

- 69 -
Warning Message Recommended Action

All Inactive All targets were routed to scanner

Scanners groups with no active scanners.

All Scans All active scans were aborted. Tenable Vulnerability Management
Aborted aborted the scan due to a system
abort request. Re-run the scan.

Auto Routed Custom scan targets are not Select a specific scanner to run
Custom Targets currently supported for auto routed scans on custom targets.
scans.

Auto Routing The scan is configured for auto

Disabled routing, but that feature is not
enabled.

Concurrent Scan Concurrent scan limit reached for You reached the maximum
Limit this account. Please contact concurrent scan limit. Re-run the
customer support to upgrade your scan later.
license.

Concurrent Scan Scan could not be completed: You reached the maximum
Limit Reached concurrent scan limit reached for concurrent scan limit. Re-run the
this account. Please contact scan later.
customer support to upgrade your
license.

Conflict Transition for indexing to pausing The scan is completed and is now
not supported. in the process of indexing. Wait for
the indexing to complete.

Empty Scanner The scan is configured to use a Confirm the scanner group contains
Group scanner group with no assigned functioning scanners, then re-run
scanners. the scan. For more information, see
Scanner Groups.

Empty Targets No targets are configured for the Confirm the scan configuration
scan. contains one or more valid targets,

- 70 -
Warning Message Recommended Action

then re-run the scan.

Inactive The scan is configured to use a Confirm the scanner group contains
Scanners scanner group with no active functioning scanners, then re-run
scanners. the scan. For more information, see
Scanner Groups.

Indexing Error Unexpected error during task Re-run the scan for unscanned
processing. Targets may need to targets or targets that need to be
be rescanned : [scan targets] re-scanned.

Initialization Unexpected error during Tenable Vulnerability Management

Error initialization. aborted the scan. Re-run the scan.

Invalid AWS No valid AWS targets are Confirm the scan contains valid
Targets configured for the scan. AWS scan targets and re-run the
scan. For more information, see
Targets.

Invalid PCI The PCI scan can only be launched Use a Tenable cloud sensor to run a
Scanner using Tenable Cloud Scanners Tenable PCI ASV scan. For more
information, see Cloud Sensors.

Invalid Tag Failed to resolve a target FQDN or One or more assets in a tag
Target IP from an asset in the configured configured for the scan requires an
tags. associated scan target. Confirm the
tag configuration, then re-run the
scan. For more information, see
Tags.

Invalid Tag Rule Tags with the "Match All" filter can Adjust your tag rules, then re-run
As Target only have one rule for scans with the scan.
the "Targets defined by tags"
option enabled. Tag category: [tag
category], Tag value: [tag value].

Invalid Target Can't resolve target. Confirm your scan includes valid

- 71 -
Warning Message Recommended Action

scan targets, then re-run the scan.

For more information, see Targets.

Invalid Target An invalid target range is Correct or remove the invalid scan
Range configured for the scan: [scan target range, then re-run the scan.
targets] For more information, see Targets.

Invalid Targets No valid targets are configured for Confirm the scan targets meet the
the scan. following criteria:

l IP addresses use a valid

format

l Use commas to separate lists

of IP addresses

l IP addresses in target groups

use a valid format

For more information, see Targets

and Target Groups.

For more troubleshooting

assistance, see the knowledge base
article.

Job Initialization Unexpected error during Re-run the scan.

Error initialization. Please check the
scan targets and settings for
irregularities and contact support if
the problem persists.

Log4j DNS Unable to resolve DNS [scan Re-run the scan for unscanned
Failed Request target] to check Log4j targets or targets that need to be
Vulnerability. re-scanned.

Max Findings The maximum number of findings Review the Tenable Vulnerability
Error was reached. Management scan limitations and

- 72 -
Warning Message Recommended Action

adjust the scan configuration to

produce an allowed number of
findings.

Max Hosts Scan has exceeded the maximum Review the Tenable Vulnerability
Reached Error number of allowed hosts. Management scan limitations and
adjust the scan configuration to
scan an allowed number of hosts.

Network Some network congestion was To reduce the risk of congestion:

Congestion detected during the scan. This may
l Reduce max hosts to a lower
Detected indicate that one or more of the
value
remote hosts are connected
through a connection that does not l Increase the network read
have enough bandwidth to handle timeout in your policy
the network traffic generated while
scanning.

No Available Unable to find a scanner that is Confirm you selected the correct
Scanner able to run the scan. scanner, then re-run the scan.

No Configured The scan has no configured Agent Add at least one Agent Group to the
Agent Groups Groups. scan.

No Scan Policy The scan must be configured with The scan requires a scan policy.
a scan policy. Configure a scan policy, then re-run
the scan.

No Tag Targets No valid targets were found from

the configured tags.

Notification Notifications for this scan may not The scan completed, but failed to
Error have been sent. send a notification.

Owner Disabled The owner of the scan is disabled. Enable the owner of the scan or
transfer ownership to an enabled
user. For more information, see

- 73 -
Warning Message Recommended Action

Permissions.

Paused Scan Paused scan exceeded timeout of The paused scan exceeded the
Timeout [maximum allowed pause] days. maximum pause duration. Re-run
Some tasks were aborted. Targets the scan for all incomplete scan
may need to be rescanned. targets.

Pending Scan The scan was unable to transition Confirm the selected scanner group
Timeout to running within the expected has sufficient capacity, then re-run
timeout. the scan. For more information, see
Scanner Groups.

Policy The owner of the scan does not You do not have access to the scan
Permissions have access to the configured policy for this scan. Re-run the
policy. scan with correct permissions. For
more information, see Permissions.

Portscanner Max Portscanners have found more Since this negatively impacts both
Ports Exceeded than [number] ports open for scan accuracy and performance,
target [target name], and the you may want to adjust your
number of reported ports has been network security configuration to
truncated to [number] (threshold disable this behavior for
controlled by scanner preference vulnerability scans.
portscanner.max_ports). Usually
this is due to intervening network
equipment intercepting and
responding to connection requests
as a countermeasure against
portscanning or other potentially
malicious activity.

Processing Error Unexpected error in processing. Tenable Vulnerability Management

aborted the scan. Re-run the scan.

Routed To The following targets were routed Confirm the scanner group contains
Inactive to a scanner group with no active functioning scanners, then re-run

- 74 -
Warning Message Recommended Action

Scanners scanners: [scan targets] the scan. For more information, see
Scanner Groups.

Running Scan The scan exceeded the maximum The scan may be taking too long to
Timeout allowed runtime. scan some scan targets. Re-run the
scan.

Scan Aborted Scan aborted because it stalled in Tenable Vulnerability Management

initializing. aborted the scan. Re-run the scan.

Scan Aborted An error occurred while initializing Tenable Vulnerability Management

the scan. failed to initialize the scan. Re-run
the scan.

Scan Aborted Failed to obtain plugin set Tenable Vulnerability Management

information from Tenable Nessus. failed to download the plugin set.
Re-run the scan.

Scan Aborted The assigned scanner was not Tenable Vulnerability Management
found. could not find the selected scanner.
Select a different scanner and re-
run the scan.

Scan Extraction An error occurred during the scan

Error extraction.

Scan Extraction The scan extraction timed out.

Timeout Error

Scan Forbidden Rejected attempt to scan [scan The scan target is excluded from
target], as it violates user-defined scans. If you want to scan this
rules. target, remove it from the exclusion
and re-run the scan. For more
information, see Exclusions.

Alternatively, you many not have

the correct user permissions to run

- 75 -
Warning Message Recommended Action

the scan. Check your user

permissions and re-run the scan.
For more information, see
Permissions.

Scan Force The scan was forcefully stopped,

Stopped which cancels all incomplete tasks
and updates scan status to
Aborted.

Scan Job The scan could not be initialized. Tenable Vulnerability Management
Initialization Please check the scan targets failed to launch the scan. Re-run
Error setting for irregularities and the scan with the correct scan
contact support if the problem target. For more information, see
persists. Targets.

Scanner The assigned scanner is disabled. A user disabled the selected

Disabled scanner. Select a different scanner
and re-run the scan.

Scanner Error Unexpected error retrieving the

assigned scanner.

Scanner Group Unable to load scanner group for Confirm the scan configuration
Error scanner [scanner ID]. contains one or more valid targets,
then re-run the scan.

Scanner Due to detection of scanner This error occurs when a Tenable

Interruptions interruptions during the scan, this Nessus scanner is unable to
scan might have run longer than complete a scan task, and Tenable
expected. Scanner name: [scanner Vulnerability Management reassigns
name] the scan task to another scanner.
This usually happens when the
original scanner goes offline
intentionally (for example, a user
stops, powers off, or unlinks the

- 76 -
Warning Message Recommended Action

scanner) or experiences an
unexpected failure while
completing the scan task (for
example, power or network loss).

Adjust the Tenable Nessus scanner

as needed to prevent interruptions.

Scanner Not The assigned scanner was not Tenable Vulnerability Management
Found found. could not find the selected scanner.
Select a valid scanner and re-run
the scan.

Scanner The owner of the scan does not You do not have access to the
Permissions have access to the assigned selected scanner. Select a different
scanner. scanner and re-run the scan. For
more information, see Permissions.

Stalled Task A task was automatically aborted Confirm the scanners are
after stalling on scanner. Targets functioning properly and have
may need to be rescanned: [scan enough capacity for your scans,
targets] then re-run the scan for unscanned
targets or targets that need to be
re-scanned.

Tag Not Found Tenable Vulnerability Management Open the scan configuration in
could not process the tag. The tag Tenable Vulnerability Management
either did not exist at the time of to automatically remove any tags
scanning or the user does not have that no longer existing. Save the
access to the tag. Tag UUID: [tag scan configuration and re-run the
uuid]. scan.

Tag Targets Failed to obtain tag targets Tenable Vulnerability Management

Error associated with scan. could not obtain the scan targets.

- 77 -
Warning Message Recommended Action

Verify the targets and re-run the

scan. For more information, see
Targets.

Target Access The owner of the scan does not You do not have the correct user
Error have access to any configured permissions to run the scan. Check
targets. your user permissions and re-run
the scan. For more information, see
Permissions.

Target Group The owner of the scan does not Confirm the scan owner's
Permissions have access to all of the configured permissions, then re-run the scan.
target groups. For more information, see Target
Groups.

Target Limit The target count exceeds the The scan target range is too large.
maximum allowed for Tenable Confirm the scan configuration
Vulnerability Management. includes a valid target range, then
re-run the scan. For more
information, see Targets.

Target Range A target range exceeds the Confirm or reduce the configured
Limit maximum allowed targets: [scan scan target range and re-run the
targets] scan. For more information, see
Targets.

Targets Unable The following targets are not able Re-run the scan for unscanned
To Complete to complete scanning in the targets or targets that need to be
allowed scan time and will need to scanned again.
be rescanned: [scan targets]

Task Unexpected error during Re-run the scan for unscanned

Initialization initialization. Targets may need to targets or targets that need to be
Error be rescanned: [scan targets] re-scanned.

Task Processing Unexpected error in processing. Re-run the scan for unscanned

- 78 -
Warning Message Recommended Action

Error Targets may need to be rescanned: targets or targets that need to be

[scan targets] re-scanned.

Transition Some tasks stalled when being Failed to complete scan on some
Timeout [resumed, paused, or stopped] and scan targets. Re-run the scan for all
were aborted. Targets may need to unscanned scan targets.
be rescanned.

Unable To Route Unable to find a matching scanner Tenable Vulnerability Management

Targets route for the following targets: could not find one or more scan
[scan targets] targets specified in the scan
configuration. Do the following,
then re-run the scan:

l Confirm the scan

configuration specifies the
correct network.

l Confirm the scan routing

configuration of the scanner
groups in that network.

The total number of scan Review and remove any scan

configurations cannot exceed configurations that your
10,000. organization no longer uses.

The following targets were not Ensure that you are using the
routable: [scan targets] correct scanner to scan the targets
and that there are not any
protective securities between the
scanner and the targets.

- 79 -
Dashboards
Dashboards are interactive, graphical interfaces that often provide at-a-glance views of key
performance indicators (KPIs) relevant to a particular objective or business process.

The Dashboards page contains tiles that represent:

l Tenable-provided dashboards. For a complete index of Tenable-provided dashboard

templates, see Tenable Vulnerability Management Dashboards.

Note: Depending on your license, more dashboards are included. For example, the Tenable Lumin
dashboard.

l Dashboards you have created. To create a template-based or custom dashboard with

Tenable-provided or custom widgets, see Create a Dashboard.

l Dashboards that other users have shared with you. Click the Shared with Me tab to view
dashboards that others have shared with you.

Vulnerability Management Dashboard

This Tenable-provided dashboard visualizes actionable insights for your vulnerability management
program. Tenable Vulnerability Management updates dashboard data every time you run a scan.

Note: There may be a delay between when a scan completes and when the dashboard data updates while
Tenable Vulnerability Management indexes the data.

To access the Vulnerability Management Overview dashboard:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Management.

The Vulnerability Management Overview dashboard appears.

You can roll over individual items to reveal additional information or click on items to drill down into
details behind the data.

- 80 -
Tip: All charts on the Vulnerability Management Overview show New, Active, and Resurfaced vulnerability
data. However, the counts or data displayed on each chart may differ for other reasons. For example, the
Vulnerability Priority Rating (VPR) widget organizes vulnerabilities by VPR category, but the Vulnerability
Trending widget graphs vulnerabilities by CVSS-based severity category. For more information about how
severity and VPR metrics compare, see CVSS vs. VPR.

In the Vulnerability Management Overview, you can interact with the following widgets:

Widget Action

Cyber Exposure News This widget highlights the most recent Tenable blog posts
Feed related to exposure incidents.

l Click on a tile to navigate to the Tenable blog post.

l Click the or button to collapse or expand the feed.

l Click the or button to scroll through the tiles.

Statistics This widget summarizes the highest severity vulnerabilities on

for your network during the last 30 days.

l View a count of your total vulnerabilities and counts for the

highest severity vulnerabilities (Critical and High) during
the past 30 days.

l To view a list of vulnerabilities, click one of the counts.

The Vulnerabilities page appears, filtered by a severity if

you selected the Critical or High count.

l View a count of your total licensed assets, your assets

discovered during the last 7 days, and your assets
discovered during the last and 30 days.

If necessary, onboard your newly discovered assets.

l To view a list of assets, click one of the counts.

The Assets page appears, filtered by a time range if you

selected the 7 days or 30 days count. For more
information, see View Asset Details.

- 81 -
l View a count of your scans run during the last 90 days and
the percentage that succeeded and failed.

To investigate your failed scans, review your scans with

the status Aborted or Canceled. For more information, see
View Scans.

l To export the data in the widget, click the button and

select a format.

CISA Alerts AA22-011A This widget provides a vulnerability count of risks associated
and AA22-047A with the CISA Alerts AA22-011A and AA22-047A vulnerabilities
that have been identified or mitigated.

l To view a list of related vulnerabilities by plugin, in the

Vulnerabilities column, click one of the tiles.

The Vulnerabilities page appears with results filtered by

vulnerability state.

l To view a list of related vulnerabilities by asset, in the

Assets column, click one of the tiles.

The Vulnerabilities page appears, filtered by vulnerability

state.

l To export the data in the widget, click the button and

select a format.

Vulnerability Priority This widget summarizes the number of vulnerabilities on your

Rating (VPR) network, organized by VPR. For more information, see CVSS vs.
VPR.

l To view a list of vulnerabilities filtered by a VPR range,

click one of the tiles.

The Vulnerabilities page appears, filtered by the range you

selected.

l To export the data in the widget, click the button and

- 82 -
select a format.

SLA This widget visualizes vulnerability counts by severity and by

Progress: Vulnerability compliance with your Service Level Agreements (SLAs). To
Age modify how Tenable Vulnerability Management calculates SLA
severity, see General Settings.

l To view a list of vulnerabilities, click one of the tiles.

The Vulnerabilities page appears, filtered by severity.

l To export the data in the widget, click the button and

select a format.

Vulnerability Trending This widget shows the cumulative number of Critical, High,
Medium, and Low severity vulnerabilities on your network over
time. For more information, see CVSS vs. VPR.

l To show or hide data for a severity, click the boxes in the

graph legend.

The system updates the widget to show or hide the data

you selected.

l To view historical vulnerability count and severity data, roll

over a point on the graph.

l To view a list of current vulnerabilities, click a point on the

graph.

The Vulnerabilities page appears, filtered by the severity

you selected and by New, Active, or Resurfaced state.

l To export the data in the widget, click the button and

select a format.

Critical and High This widget summarizes the number of Critical and High severity
Exploitable Vulnerabilities vulnerabilities on your network, organized by exploitability
characteristic category. A single vulnerability may have multiple
exploitability characteristics and count towards multiple

- 83 -
categories.

l To view the counts of your vulnerabilities by decreasing

priority, view the categories and counts from left to right.

l To view a list of vulnerabilities, click one of the bars on the

graph.

The Vulnerabilities page appears, filtered by Critical and

High severity and the exploitability characteristic you
selected.

l To export the data in the widget, click the button and

select a format.

Future Threats: Not Yet This widget summarizes the vulnerabilities that are not yet
Exploitable Vulnerabilities exploitable, determined by their Exploit Code Maturity and
Vulnerability Publication Date.

l To view the counts of your vulnerabilities by decreasing

priority, view the categories and counts from upper left to
lower right. Tenable recommends addressing
vulnerabilities with proof-of-concept before those with no
known exploit.

l To export the data in the widget, click the button and

select a format.

Vulnerability Age This widget summarizes the age of your vulnerabilities (by
Vulnerability First Seen date), organized by severity, to help you
manage your SLAs. For more information about severity, see
CVSS vs. VPR.

l To view a list of vulnerabilities, click one of the

vulnerability counts.

The Vulnerabilities page appears, filtered by the

Vulnerability First Seen date and severity you selected.

l To export the data in the widget, click the button and

- 84 -
select a format.

Vulnerability Management Overview (Explore)

The Vulnerability Management Overview (Explore) dashboard provides executive management with a
summary of risk information at a glance, while enabling security analysts to drill down into technical
details by clicking on the widgets. Tenable Vulnerability Management updates the dashboard data
each time you run a scan.

Note: There may be a delay between the time when a scan completes and when the dashboard data
updates while Tenable Vulnerability Management indexes the data.

Hovering over individual items reveals a data summary that you can click to drill down for further
details.

In the Vulnerability Management Overview (Explore), you can interact with the following widgets:

Widget Action

Cyber Exposure News This widget highlights the most recent Tenable blog posts
Feed related to exposure incidents.

l Click on a tile to navigate to the Tenable blog post.

l Click the or button to collapse or expand the feed.

l Click the or button to scroll through the tiles.

Severity Statistics by The widget provides a count of vulnerabilities collected through

Source multiple sources: Tenable Nessus scan, Tenable Nessus Agents,
and Frictionless Assessment. The numbers displayed in this
widget use severity to determine the precedence of
vulnerabilities to mitigate.

l To view the list of assets for a specific category, click on

the summary information in the relevant category.

The Findings page appears with details about the assets

detected for the category.

- 85 -
l To export the data in the widget, click the button and
select a format.

Tenable Research This widget provides two indicators for current major threats
Advisory discovered by Tenable Research. The red indicator signifies the
presence of the relevant vulnerabilities, while the green
indicator is enabled when these vulnerabilities are patched.

l Click on the tiles to display a Findings page with details

about the assets detected for Missing Patches and
Applied Patches.

l To export the data in the widget, click the button and

select a format.

Vulnerability Priority This widget displays vulnerabilities grouped by Vulnerability

Rating (VPR) Priority Rating (VPR). VPR is the output of Tenable's predictive
prioritization process which it is continually updates to
accommodate the evolving threat landscape.

Following the initial scan of an asset on the network, Tenable

computes an initial VPR using a machine-learning algorithm that
analyzes more than 150 different aspects of each vulnerability to
determine the level of risk. Vulnerabilities listed on the left have
the highest VPR, while those on the right have the lowest. For
more information, see CVSS vs. VPR.

l To view the asset details detected in a specific range, click

on a VPR range.

The Findings page appears with details about the assets

detected in the selected range.

l To export the data in the widget, click the button and

select a format.

SLA This widget helps organizations manage Service Level

Progress: Vulnerability Agreements (SLAs) by providing a vulnerability view organized by
Age Vulnerability Priority Rating (VPR) Score and Vulnerability Age.

- 86 -
Tenable calculates the vulnerabilities that do not meet SLAs
using a date filter for within the last X days. The vulnerabilities
that meet SLAs use a date filter for older than X days.

When you apply default SLA settings:

l Critical: row uses VPR greater than 9.0.

l High: row uses VPR between 7.0-8.9.

l Medium: row uses VPR between 4.0-6.9.

l Low: row uses VPR between 0-3.9.

To know how Tenable Vulnerability Management calculates SLA

severity, see General Settings.

l To view the list of assets detected for a specific category,

click on the summary information under the
SLA categories.

The Findings page appears with details about the assets.

l To export the data in the widget, click the button and

select a format.

Critical and High This widget focuses on the most severe current threats, critical,
Exploitable Vulnerabilities and high exploitable vulnerabilities to help prioritize remediation.
Each bar represents vulnerabilities grouped by an exploitability
characteristic.

l Exploited by Malware: Vulnerabilities that can be exploited

by malicious software, such as viruses, worms, spyware,
adware, and ransomware.

l Remotely Exploitable (Low Complexity): Vulnerabilities

that can easily be exploited remotely and require little skill
or information gathering to exploit.

l Locally Exploitable (Low Complexity): Vulnerabilities that

can easily be exploited with local access and require little

- 87 -
skill or information gathering to exploit.

l Exploited by Framework (Metasploit): Vulnerabilities that

have publicly available exploit code imported into various
exploit frameworks, such as Metasploit, pose risks. These
common exploit frameworks are easily accessible, which
both security researchers and malicious attackers use.

l Remotely Exploitable (High Complexity): Vulnerabilities

that can be exploited remotely, but require a high degree
of skill and information gathering to exploit.

Note: These groupings are not mutually exclusive, as a single

vulnerability can fall into multiple exploitability categories. Tenable
recommends prioritizing remediation starting with vulnerabilities in
the left-most column, Exploited by Malware.

l To view details about assets for a specific category, click

one of the bars on the graph.

The Findings page appears with details about assets

detected for the category.

l To export the data in the widget, click the button and

select a format.

Future Threats: Not Yet This widget provides a view of vulnerabilities based on exploit
Exploitable Vulnerabilities code maturity and vulnerability publication date. The columns
display counts of published vulnerabilities within the specified
time period present in the organization. The rows display the
exploit code maturity, where Proof of Concept is more serious
than Unproven Exploit.

l To view the list of assets for a specific category, click on

the counts under the Published categories.

The Findings page appears with details about the assets

detected for the category.

- 88 -
Tip: Tenable recommends addressing vulnerabilities with proof-of-
concept before those with no known exploit.

l To export the data in the widget, click the button and

select a format.

Scan Health This widget provides a summary of scan health in relation to

authentication success and failures. The five columns display
asset counts related to:

l Authentication Success - Scans authenticate successfully

with full administrator/root privileges. Scan results are the
most comprehensive.

l Success but Insufficient Access - Scans authenticate

successfully, but do not have privileged access. Scan
results are limited to the scope of a local non-privileged
user.

l Success but Intermittent Failure - Scan credentials

intermittently fail, which result from session rate limits,
session concurrency limits, or other issues preventing
consistent authentication success.

l Authentication Failure (Credentials) - Incorrect

credentials provided.

l To view the list of assets that falls in a specific category,

click the required category.

The Findings page appears with details about assets

detected for the category.

l To export the data in the widget, click the button and

select a format.

Vulnerability Age: This widget provides a view of vulnerabilities based on severity

Managing SLAs and age. The columns display counts of published vulnerabilities
within the specified time period present in the organization. The

- 89 -
rows display the severity level of the vulnerability.

l To view asset details for a specific category, click

vulnerability count in the required category.

The Findings page appears with details about assets

detected for the category.

l To export the data in the widget, click the button and

select a format.

Tenable Web App Scanning Dashboard

The default Web Applications Scanning dashboard displays data Tenable Web App Scanning
collects.

The tables below describes the sections and widgets displayed in the Web Applications Scanning
dashboard. You can view details about the data in a widget by clicking the widget.

Tenable Web App Scanning Statistics

The table below describes the widgets displayed in the Statistics section of the Web Applications
Scanning dashboard. You can view details about the data in a widget by clicking the widget.

Widget Description

Findings Number of findings Tenable Web App Scanning has discovered. The
findings are categorized by severity (Critical and High).

For information about vulnerability ratings and the severity metrics

Tenable uses to analyze risk, see Severity vs. VPR in the Tenable
Vulnerability Management User Guide.

Web Assets Number of assets scanned over time.

Scanned

Incomplete Scans Number of incomplete scans in the past 90 days.

Non Number of non-authenticated scans in the past 90 days.

Authenticated
Scans

- 90 -
OWASP Top 10
This chart displays the vulnerabilities discovered by Tenable Web App Scanning that appear in the
latest Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application
Security Risks document.

View the Dashboards Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management updates dashboard data based on date filters you add when you
Create a Custom Widget for the dashboard.

To view the Dashboards page:

1. Access the Dashboards page in one of the following ways:

l On any Tenable-provided dashboard page, click the Dashboards button.

l On any other page, do the following:

a. In the upper-left corner, click the button.

The left navigation plane appears.

b. In the left navigation plane, click Dashboards.

The Dashboards page appears. The page contains tiles that represent:

l Tenable-provided dashboards

l Dashboards you have created

l Dashboards that other users have shared with you

2. Do any of the following:

l In the upper-left corner, use the Search bar to search for specific dashboards.

l In the upper-left corner, use the drop-down to change the order in which dashboards
appear on the Dashboards page.

- 91 -
l In the Groups section, do any of the following:
o Use the Search Groups bar to search for specific dashboard groups.
o Click the Shared with Me tab to view dashboards that have been shared with you.
o Click the Updates Available tab to view dashboards that are eligible for auto-
update.

l Roll over individual dashboard tiles to reveal additional information.

l Toggle between the grid and list view.

l Set a default dashboard.

l Edit a dashboard.

l Share a dashboard.

l Export a dashboard.

l Duplicate a dashboard.

l Delete a dashboard.

l Click a dashboard tile to view the individual dashboard.

Tenable-Provided Dashboards
On the Dashboards page, Tenable Vulnerability Management shows dashboards in the following
order:

1. Tenable-provided dashboards. For a complete index of Tenable-provided dashboard

templates, see Tenable Vulnerability Management Dashboards.

2. Dashboards you create and dashboards that have been shared with you.

Note: You can change the order in which dashboards appear by using the drop-down in the upper-right
corner of the Dashboards page.

The Tenable-provided dashboards you see depend on the licenses you have, but can include the
following:

Dashboard License

- 92 -
Vulnerability Management Overview Tenable Vulnerability Management

Lumin Tenable Lumin

Web Application Scanning Tenable Web App Scanning

Note: You can export the Vulnerability Management Overview and Asset View dashboard landing pages,
or export individual widgets on those dashboards. For more information, see Export a Full Dashboard and
Export an Individual Dashboard Widget.

Note: If your dashboard fails to show data, you may be filtering the dashboard by a target group with too many
targets. Tenable recommends limiting the number of targets in any individual target group.

Export a Full Dashboard Landing Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export the following dashboard landing pages:

l Vulnerability Management Overview

l Tenable Lumin

l Tenable Web App Scanning

To export a full dashboard landing page:

1. View the dashboard page you want to export.

2. In the upper-right corner, click Export.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

- 93 -
Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

Export an Individual Dashboard Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can export individual widgets from the following
dashboard landing pages:

l Vulnerability Management Overview

l Tenable Lumin

l Tenable Web App Scanning

To export an individual dashboard widget:

1. View the dashboard page that contains the widget you want to export.

2. In the header of the widget you want to export, click the button.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser
settings, your browser may notify you that the download is complete.

View an Individual Dashboard

- 94 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management updates dashboard data every time you run a scan.

To view an individual dashboard:

1. View the Dashboards page.

2. Do one of the following:

l In grid view, roll over the tile for the dashboard you want to view.

Dashboard information and options overlay the dashboard tile.

l In list view, roll over the thumbnail dashboard image for the dashboard you want to view.

Dashboard options overlay the thumbnail dashboard image.

3. Click View.

The page for that dashboard appears.

4. Do one of the following:

l Change the dashboard you are viewing:

a. In the upper-right corner, click Jump to Dashboard.

A drop-down box appears.

b. Select the dashboard you want to view.

Tip: Use this option to view legacy versions of Explore dashboards. For more
information, see Enable Explore Dashboards

l Roll over individual widgets to reveal additional information.

l Click on widget elements to drill down into details behind the data.

l Share the dashboard.

l Export the dashboard.

l Edit the dashboard.

- 95 -
l Set the dashboard as default.

l Duplicate the dashboard.

l Create a new dashboard.

l Delete the dashboard.

View the Dashboard Template Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The Template Library provides a selection of Tenable-provided dashboards.

To view the dashboard template library:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

On the Template Library page, you can:

l Sort the Template Library page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the page.

l In the upper-left corner, use the Search bar to search for specific dashboards.

l Click the New and Updated tab to view dashboards that are eligible for auto-update.

l Toggle between the grid and list view.

l Preview a dashboard.

l Create a dashboard.

Create a Dashboard

- 96 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can create a custom dashboard or use the Template Library to create a copy from the available
templates. Dashboards let you drill down to view the details of each widget.

Important: The Template Library in Tenable Vulnerability Management includes Explore dashboard
templates. The Explore dashboard templates are marked with Explore at the end of the template name.
For example: Vulnerability Management (Explore). From the dashboards that you create using these
templates, you can drill down to the Findings or Assets pages. To add an Explore dashboard, see Enable
Explore Dashboards.

To create a dashboard:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Do one of the following:

To create a dashboard from a template:

a. Click Template Library.

The Template Library page appears.

b. In the Groups panel on the left, click the group name to view the templates for the
category.

Category Description

Center for CIS Benchmarks are best practices for the secure configuration
Internet of a target system. Be sure to use the proper audit file for
Security (CIS) scans.

Defense The Defense Information Systems Agency (DISA) is a United

Information States Department of Defense combat support agency
Systems composed of military, federal civilians, and contractors.
Agency (DISA) Security Technical Implementation Guides (STIG) is a

- 97 -
configuration standard that consists of cybersecurity
requirements for a specific product. Be sure to use the proper
audit file for scans.

Compliance Tenable allows you to audit configuration compliance with a

Framework variety of standards including GDPR, ISO 27000, HIPAA, NIST
800-53, PCI DSS, and so on. These reports provide summary
and detailed information for all the supported frameworks. Be
sure to use the proper audit file for scans.

Host Audit Organizations such as CIS, DISA, and some vendors create
Plugin Type golden configurations standards, known as benchmarks.
Tenable creates audit files that perform a detailed
configuration review. Scanning the assets with the Host Audit
Compliance Check plugins allows you to do detailed
configuration checks. These reports provide summary and
detailed information for all the Host Audit Compliance Check
plugins.

Tenable Best Allows you to implement best practice audits for new
Practice Audits technologies. Be sure to use the proper audit file for scans.

Vendor Based Allows you to implement vendor-specific guidance for new

Audits technologies. Vendors include: Vendor, IBM, Juniper, Microsoft,
NetApp, VMware, and others. Be sure to use the proper audit
file for scans.

Vulnerability Tenable Vulnerability Management provides the most

Management comprehensive vulnerability coverage with real-time
continuous assessment of the organization. These built-in
reports allow organizations to communicate risk based on
prioritization, threat intelligence and real-time insights to
prioritize remediation actions. These reports provide summary
and detailed information on data collected using Tenable
Vulnerability Management applications such as Tenable Nessus.

- 98 -
Web App Web application security provides the ability to detect and
Scanning mitigate threats and vulnerabilities that may compromise the
confidentiality, integrity, and availability of web applications.
These reports leverage data from Tenable Web App Scanning, a
comprehensive and automated vulnerability scanning tool for
modern web applications.

c. In the library, locate the template you want to use.

d. Hover over the template.

An overlay of template information and options appears.

e. (Optional) To preview the dashboard template, click Preview. For more information, see
Preview a Dashboard.

f. Click Add.

An Added dashboard to Dashboards confirmation message appears.

The new dashboard appears on the Dashboards page with the name Copy of selected
dashboard.

To create a custom dashboard:

a. Click Custom Dashboard.

The Edit Dashboard page appears.

b. Name the dashboard:

a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the updated name.

c. Add a dashboard description:

- 99 -
a. Click the dashboard description.

The description becomes an editable text box.

b. Type a description for the dashboard.

d. Add widgets to the dashboard:

a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

l To add a widget from a template, click Template Widget.

The Widgets page appears.

o Select the widget as described in Add a Widget to a Dashboard.

l To add a custom widget, click Custom Widget.

The Create Widget page appears.

o Configure the custom widget as described in Create a Custom Widget.

e. Add dashboard filters:

a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

Note: The Edit Filter option does not appear if there are no widgets added to the
dashboard.

b. Configure your dashboard filters as described in Filter a Dashboard.

f. (Optional) Reorder widgets on the dashboard:

a. Hover over the widget you want to move.

b. Press and hold the mouse button to highlight the widget.

The edges of the widget become defined and exhibit a raised appearance.

- 100 -
c. Using the mouse, drag the widget to the new location.

d. Release the mouse button to drop the widget in the new location.

g. (Optional) Delete the dashboard:

o In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management discards the newly created dashboard.

What to do next:
l Manage Dashboards

Preview a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When creating a new dashboard from a template, you can preview the dashboard before adding it to
the Dashboards page.

To preview a dashboard:

1. Create a dashboard.

2. In the Template Library, roll over the template you want to preview.

An overlay of template information and options appears.

3. Click Preview.

A preview of the dashboard appears.

4. To exit the preview, in the top navigation bar, click a link in the breadcrumb trail to return to
the Template Library, or the Dashboards page.

5. To add the template to the Dashboards page, click Add to Dashboards.

An Added dashboard to Dashboards confirmation message appears, and the new dashboard
appears on the Dashboards page with the name Copy of selected dashboard.

Enable Explore Dashboards

- 101 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To use Explore dashboards within Tenable Vulnerability Management, you must first add them to
your interface via the Template Library.

Note: The numerical data that appears on your Explore dashboards may not match the data on your legacy
Tenable Web App Scanning or VM dashboards.

Note: The data on your Explore Tenable Web App Scanning and VM dashboards reflects your complete
scanning history. This differs from the Tenable Web App Scanning and VM dashboards, which display data
for only the last 30 calendar days.

To enable Explore dashboards:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

4. In the upper-left corner, in the Search bar, type "(Explore)".

All available Explore dashboards appear.

If Explore dashboards do not appear, your container may not have enabled them. Please contact
your Customer Success Manager.

5. For each Explore dashboard you want to add to your interface, do the following:

a. Roll over the Explore dashboard template.

An overlay of template information and options appears.

b. Click Add.

An Added dashboard to Dashboards confirmation message appears, and the Explore

dashboard appears on the Dashboards page.

- 102 -
Note: To reenable your Tenable Web App Scanning or VM dashboards, enable the corresponding
workbench.

Manage Dashboards
This section contains the following topics related to help you manage your Tenable Vulnerability
Management dashboards:

Dashboard Groups
In Tenable Vulnerability Management, you can organize dashboards into groups via the dashboard
Groups panel. This allows you to track different types of dashboards, and dashboards that others
have shared with you. You can also share a dashboard group with one or more users or user groups.

The Groups panel automatically expands when you view the Dashboards page. The panel is
separated by Tenable-provided dashboard groups and user-created dashboard groups.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Add a Dashboard Group

You can add a dashboard group via the Groups panel on the Dashboards page.

To add a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click Add.

The Edit Group pane appears.

3. In the Group Name box, type a name for your dashboard group.

4. In the Dashboards to Include section, select the check box next to any dashboards you want
to add to the dashboard group.

5. Click Save.

- 103 -
Tenable Vulnerability Management adds the dashboard group to the user-created dashboard
list in the Groups panel.

Share a Dashboard Group

In Tenable Vulnerability Management, you can share user-created dashboard group with other users
or user groups via the Groups panel.

Note: Dashboard groups are not automatically re-shared with a user after they have been updated. For
example:
User A shares a dashboard group with User B. User A then makes a change to the dashboard group. To see
the update, User A must re-share the dashboard group, with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to share.

The group and its included dashboards appears.

3. Click Share Group.

The Share Group pane appears.

4. Do one of the following:

l To share the dashboard group with all users, select the All Users check box.

l To share the dashboard group with specific users or user groups, from the drop-down
box, select the users or user groups with which you want to share the dashboard group.

Tip: You can share with multiple users or user groups.

5. Click Share.

- 104 -
A Group shared successfully message appears. Tenable Vulnerability Management shares the
dashboard group with the designated users or user groups and sends an email indicating that
you shared a dashboard with them.

Edit a Dashboard Group

In Tenable Vulnerability Management, you can edit user-created dashboard groups via the Groups
panel.

To edit a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to edit.

The group and its included dashboards appears.

3. Click Edit Group.

The Edit Group pane appears.

4. (Optional) In the Group Name box, edit the name of the dashboard group.

5. (Optional) In the Dashboards to Include section, select or deselect the dashboards that
appear in the dashboard group.

6. Click Save.

Tenable Vulnerability Management saves your changes to the dashboard group.

Delete a Dashboard Group

In Tenable Vulnerability Management, you can delete user-created dashboard groups via the Groups
panel.

To delete a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

- 105 -
2. In the Groups panel, click the user-created dashboard group you want to delete.

The group and its included dashboards appear.

3. Click Delete Group.

A confirmation message appears.

4. Click Delete.

Tenable Vulnerability Management deletes the dashboard group.

Note: Deleting dashboard groups does not delete the dashboards within the group.

Automatically Update Widgets on a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To provide the most up-to-date vulnerability information, Tenable updates or adds new dashboard
widgets when, for example, a new vulnerability is exposed or when Tenable Vulnerability
Management adds a new vulnerability filter. When Tenable updates these widgets, you can view and
automatically update them in one of the following ways:

l Dashboards page — On the Dashboards page, you can update all updated widgets on a
dashboard at one time.

l Dashboard Template Library — When creating a custom dashboard via the Template Library,
you can view new or updated widgets and add them to the custom dashboard.

Note: On predefined dashboard templates, Tenable Vulnerability Management always includes the
most recent version of widgets.

l Widget Library — In the Widget Library, you can view new or updated widgets and add them
to up to ten individual dashboards.

To update widgets automatically via the Dashboards page:

- 106 -
1. View the Dashboards page.

2. In the Groups section, click the Updates Available tab.

A list of dashboards with updated widgets appears.

Note: You can also see dashboards with new and updated widgets on the All tab. These dashboards
appear with a pulsing blue dot next to the dashboard name.

3. Roll over the dashboard for which you want to update widgets.

An overlay of options appears.

4. Click Apply.

An Update Available message appears that describes the updates to the widgets on the
dashboard.

5. Click Update.

An Update Applied Successfully message appears and Tenable Vulnerability Management

updates the widgets on the dashboard.

To update widgets automatically via the dashboard Template Library:

1. View the dashboard Template Library.

2. Click the New and Updated tab.

A list of dashboard templates with new and updated widgets appears.

3. Roll over the dashboard template you want to add.

An overlay of options appears.

4. Click Add.

An Added Dashboard Template to Dashboards message appears, and the dashboard

template with the new or updated widget appears on the Dashboards page.

To update widgets automatically via the Widget Library:

- 107 -
1. View the Widget Library.

2. Click the New and Updated tab.

A list of new and updated widgets appears.

3. Roll over any widget you want to add to a dashboard.

4. Click Add to Dashboards.

The Add to Dashboards plane appears.

5. In the Dashboards drop-down, select the dashboard or dashboards to which you want to add
the new or updated widget.

6. Click Save.

A Successfully Added to Selected Dashboards message appears and Tenable Vulnerability

Management adds the new or updated widget to the selected dashboards.

Edit a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To edit a dashboard:

1. Do one of the following:

l Access the Edit Dashboard page via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Edit.

- 108 -
l Access the Edit Dashboard page via an individual dashboard:

a. View the dashboard you want to edit.

b. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

c. Click Edit dashboard.

The Edit Dashboard page appears.

2. On the Edit Dashboard page, do any of the following:

l
Rename the dashboard:
a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a new name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the name.

l
Edit the dashboard description:
a. Click the dashboard description.

The description becomes an editable text box.

b. Type a new description for the dashboard.

l
Edit the dashboard filters:
a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

b. Configure your dashboard filters as described in Filter a Dashboard.

- 109 -
l
Add widgets to the dashboard:
a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

l To add a widget from a template, click Template Widget.

The Widgets page appears.

o Select the widget as described in Add a Widget to a Dashboard.

l To add a custom widget, click Custom Widget.

The Create Widget page appears.

o Configure the custom widget as described in Create a Custom Widget.

l
Reorder widgets on the dashboard:
a. Roll over the top of the widget until the move cursor appears.

b. Click and drag the widget to the desired location.

l
Resize the widgets on the dashboard:
a. Roll over the lower-right corner of the widget until the resize cursor appears.

b. Click and drag the widget to the desired size.

The widgets shift to accommodate the new widget size.

l
Delete the dashboard:
o In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management removes the dashboard from the Dashboards

page.

3. Click Done Editing.

You return to the selected dashboard and Tenable Vulnerability Management applies your
changes.

Set a Default Dashboard

- 110 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can set any dashboard as the default dashboard to make it your landing page. If you do not set
a default dashboard, Tenable Vulnerability Management uses the Tenable-provided Vulnerability
Management Overview dashboard as the default.

When you set a dashboard as default, on the Dashboards page, the Default label appears in the
header of the dashboard tile.

Note: If you delete a dashboard set as default, the product Tenable-provided dashboard becomes the
default.

To set a default dashboard:

1. Do one of the following:

l Set a default dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

l Set a default dashboard via an individual dashboard:

a. View the dashboard you want to make the default.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Select Make Default.

A Successfully set as default dashboard confirmation message appears, and Tenable

Vulnerability Management sets the dashboard as the default.

Note: You may have to log out and log back in to see the updated default dashboard.

Rename a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

- 111 -
To rename a dashboard:

1. View the dashboard you want to rename.

2. On the dashboard page, roll over the dashboard name.

The name becomes highlighted and shows a button.

3. Click the button or double-click the name.

The name field becomes a text box.

4. Enter a new name for the dashboard.

5. Click the button to confirm the name change.

A confirmation appears at the top of the page.

The new name appears.

Duplicate a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a dashboard:

1. Do one of the following:

l To duplicate a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

- 112 -
l To duplicate a dashboard via an individual dashboard:

a. View the dashboard you want to duplicate.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Duplicate.

A Successfully copied the dashboard confirmation message appears, and Tenable

Vulnerability Management copies the dashboard on the Dashboards page.

Filter a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can apply filters at the dashboard level to all widgets within that dashboard.

Note: You can apply configurations to individual widgets. The widget-level configuration takes precedence
over dashboard-level configuration.

To filter a dashboard in the new interface:

1. View the dashboard you want to filter.

2. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

3. Click Filter.

The Filter plane appears.

4. In the Select Filter Type drop-down, select the assets you want the dashboard to analyze. See
the following table for options and requirements.

Option Description Requirement

- 113 -
All Assets (Default) This option includes This is the default option and
all the assets in the includes all assets in the dashboard.
dashboard. There is not a requirement for this
option.

Target Group This option only includes An extra field for Select Target
assets in a specific target Groups appears when you select this
group. option. Select the desired target
group from the drop-down list.

Custom This option only includes A text box appears when you select
assets with a specific this option. Enter one or more of the
hostname, IP address, FQDN, custom option formats (hostname, IP
or CIDR. address, FQDN, or CIDR). Separate
multiple items with commas.

Important: Make sure that the

number of IP addresses in your
search filter is less than or equal to
25.

Important: Make sure that the

number of Hostnames in your search
filter is less than or equal to 300.

5. Click Apply.

The icon appears in the header of all the dashboard widgets.

6. In the widgets section, roll over the icon to view the added filter.

Note: The following are the filtering limitations for Explore widgets:

l Explore widgets do not support Target Groups.

l Cloud Misconfigurations widgets do not support filtering by IP or hostname.
l Cloud Misconfigurations and Web Application Findings widgets do not support tags.

Note: You can filter only with the tags you can access. You cannot apply tags that you do not have access
to.

- 114 -
Filter a Dashboard by Time

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can filter a dashboard to show only vulnerabilities within a specific timeframe — in hours, days,
months, or years. Filters are available only for custom dashboards or dashboards created using the
template library.

Note: Filter by time option is available only for Explore dashboards and Explore widgets.

To filter a dashboard by a specific timeframe:

1. View the dashboard you want to filter.

2. To filter your dashboard data for a specific timeframe, do one of the following:

l In the All drop-down box, select the required timeframe: All, 7 days ago, 14 days ago, 30
days ago, 60 days ago, 90 days ago.

l For a custom timeframe, in the Last Seen box, type the value to view the data within the
last number of days, hours, years, or months.

Tenable Vulnerability Management displays the vulnerabilities for the selected timeframe on
the dashboard.

Share a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management users can share a dashboard with one or more users, or one or
more user groups. Shared dashboards appear automatically for the users or groups with which they
are shared.

Note: You cannot edit dashboards that are shared with you. You can, however, duplicate or delete a
dashboard that is shared with you.

- 115 -
Note: Dashboards are not automatically re-shared with a user after they have been updated. For example:
User A shares a dashboard with User B. User A then makes a change to the dashboard. To see the update,
User A must re-share the dashboard with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard:

1. Do one of the following:

l To share a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

A drop-down list appears.

c. Click Share.

l To share a dashboard via an individual dashboard:

a. View the dashboard you want to share.

b. In the upper-right corner, click Share.

The Share panel appears,

2. Do one of the following:

l To share the dashboard with all users, select the All Users check box.

l To share the dashboard with specific users or user groups, from the drop-down box,
select the users or user groups with which you want to share the dashboard.

Tip: You can share with multiple users or user groups.

3. Click Share.

A Dashboard shared successfully message appears. Tenable Vulnerability Management

shares the dashboard with the designated users or user groups and sends an email indicating
that a dashboard has been shared with them.

- 116 -
Manage Dashboard Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

With the export feature, you can export dashboard data in CSV, PDF, and detailed PDF formats. You
can create dashboard exports on demand or schedule automated exports to specified recipients.

You can also manage your dashboard exports. You can download them, view your export history,
delete your exports, or delete their configuration.

Note: While you cannot export the Vulnerability Management Overview and Asset View dashboards, you
can export their associated landing pages, or export individual widgets on those dashboards. For more
information, see Export a Full Dashboard Landing Page and Export an Individual Dashboard Widget.

Export a Dashboard

To export a dashboard in CSV format:

1. Do one of the following:

l Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to CSV.

l Export the dashboard while viewing the individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click CSV.

An Export in Progress confirmation message appears.

- 117 -
The export request and status appears in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To export a dashboard in PDF format:

You can use the Export PDF feature to share customized dashboards externally. The exported
PDF is a generated report of the selected dashboard.

To export a PDF:

1. Do one of the following:

l Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to PDF or, where available, Export to PDF - Detailed.

Note: By default, the following dashboards support PDF-Detailed exports:

l Executive Summary
l Exploitable by Malware
l Exploitable Framework Analysis
l Measuring Vulnerability Management
l Mitigation Summary
l Outstanding Remediation Tracking
l Prioritize Assets
l Vulnerabilities by Common Ports
l Vulnerability Management
l Web Services

- 118 -
l Export the dashboard via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information that is included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

An Export in Progress confirmation message appears.

The export request and status appears in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To schedule a dashboard export:

The Schedule Export option allows you to export a dashboard at specified times.

To schedule an export:

- 119 -
1. Do one of the following:

l Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Schedule Export.

l Access the Schedule Export plane via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. Do one of the following:

l If you have never exported and/or scheduled an export for the dashboard, the Schedule
options automatically appear.

l If you have already exported the dashboard, in the Schedule section, click Add New.

The Schedule options appear.

l If you have already scheduled an export for the dashboard, you cannot create another
one. You must first cancel the scheduled dashboard export.

3. Select CSV, PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

- 120 -
Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

4. In the Schedule section, set the following parameters:

Option Description

Name A name for the scheduled export.

Start Date and Time The date and time that you want the export to begin.

Repeat The frequency that you want Tenable Vulnerability Management

to send the export:

l Daily — The export occurs daily at the time specified.

l Weekly — The export occurs every week on the same day

at the time specified (for example, Weekly on Tuesday).

l Monthly — The export occurs once a month on the day of

the week and time specified (for example Monthly on Last
Tuesday)

l Custom — The export occurs at a custom interval. If you

select Custom, more options appear:

a. In the Repeat Every section, in the drop-down, select

how often you want the export to repeat. For
example, if you want the export to repeat every 2
days, then in the first drop-down box, select 2 and in
the second drop-down box, select Days.

l Does not Repeat — The export does not repeat.

Password Protection Specifies the export as encrypted or unencrypted.

If you toggle this option on, an Encryption Password box

appears. Type the password you want to use to encrypt the

- 121 -
export file.

Note: Once you save the scheduled export, you cannot edit the
Encryption Password. Instead, you must create a copy of the
dashboard, create a scheduled export, and then select the desired
password.

Add Recipients (Optional) The email address for the person that receives the
report. You can specify multiple email addresses as a comma-
separated list.

5. Click Schedule.

The scheduled export appears in the Schedule Export plane.

Download a Dashboard Export

To download a dashboard export:

1. Do one of the following:

l Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

l Access the Schedule Export plane via an individual dashboard:

a. View the dashboard with the export you want to download.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

- 122 -
2. In the Downloads section, next to the export download you want to download, click the
button.

Tenable Vulnerability Management downloads the export file to your computer.

View Dashboard Export History

To view dashboard export history:

1. View the dashboard for which you want to view export history.

2. In the upper-right corner, click Export.

A drop-down list appears.

3. In the drop-down list, click History.

The Export History plane appears.

On the Export History plane, you can view:

l The schedule for the dashboard export.

l Available downloads of previous dashboard exports.

You cannot access the Export History plane if the dashboard has not yet been exported.

Delete a Dashboard Export Download

To delete a dashboard export download:

1. Do one of the following:

l Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

- 123 -
l Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete an export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, roll over the export download you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Delete.

A Download deleted successfully message appears and Tenable Vulnerability Management

removes the export download from the Schedule Export plane.

Delete a Dashboard Export Configuration

To delete a dashboard export configuration:

1. Do one of the following:

l Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

- 124 -
l Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete a scheduled export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Schedule section, roll over the scheduled export configuration you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Confirm.

A Successfully deleted export configuration message appears and Tenable Vulnerability

Management removes the export configuration from the Schedule section of the Schedule
Export plane.

Delete a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: In Tenable Vulnerability Management, you can only delete custom dashboards. You cannot delete
Tenable-Provided Dashboards.

To delete a dashboard:

1. Do one of the following:

l Delete a dashboard from the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

- 125 -
l Delete a dashboard from the individual dashboard:

a. View the dashboard page you want to delete.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Delete.

A Confirm Deletion confirmation message appears.

3. Click Delete.

A Successfully deleted the dashboard confirmation message appears and Tenable

Vulnerability Management removes the dashboard from the Dashboards page.

Manage Widgets
You can use the widget library to create and edit widgets to use across your dashboards.

To manage widgets in the widget library:

l View the Widget Library

l Create a Custom Widget

l Edit a Custom Widget

l Add a Widget to a Dashboard

On your dashboards, you can further configure widgets to modify your dashboards.

To manage widgets on a dashboard:

l Configure a Widget

l Duplicate a Widget

l Rename a Widget

l Delete a Widget from a Dashboard

View the Widget Library

- 126 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The widget library provides a selection of Tenable-provided widgets to add to your template-based
or custom dashboard.

Note: The Tenable-provided Vulnerability Trending widget is not available in the widget library. All other
Tenable-provided widgets appear in the widget library.

To view the widget library:

1. View the Dashboards page.

2. In the upper-right corner of the page, click the Widget Library button.

The Widgets page appears.

3. (Optional) In the upper-left corner of the page, click the tab for the dashboard widgets you
want to view. For example, if you want to only widgets associated with Tenable Vulnerability
Management, click the Vulnerability Management tab.

Note: The tabs that appear on the Widgets page depend on the licenses (for example, Tenable
Lumin, Tenable Web App Scanning) you have enabled in Tenable Vulnerability Management.

On the Widgets page you can:

l Sort the Widgets page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the widgets page.

l In the upper-left corner, use the Search bar to search for specific widgets.

l Click the New and Updated tab to view dashboard widgets that are eligible for auto-
update.

l Add the widget to a dashboard.

l Delete a widget from the widget library.

Delete a Widget from the Widget Library

- 127 -
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You can only delete custom widgets. You cannot delete pre-configured Tenable Vulnerability
Management widgets.

To delete a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the header of the widget you want to delete, click the button.

A drop-down menu appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Vulnerability Management removes the widget from the widget plane, and a message
confirming the deletion appears at the top of the plane.

Create a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined dashboards.

To create a custom widget:

- 128 -
1. Do one of the following:

l Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the Custom Widget button.

The Create Custom Widget page appears.

l Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the upper-right corner of the page, click Add Widgets.

A menu appears.

3. Click Custom Widget.

The Widgets page appears.

4. In the charts section, select the chart type for your custom widget:

l Table

l Ring chart (Vulnerabilities dataset only)

l Bar chart (Vulnerabilities dataset only)

5. In the dataset drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

- 129 -
l Vulnerabilities

l Assets

Note: If you selected ring chart or bar chart in the charts section, selecting the Assets
dataset resets the chart selection to a table.

The chart type, Data Grouping, and Display Fields options update based on your selection.

6. In the Data Grouping drop-down box, select how you want to group the data:

l By Plugin (Vulnerabilities dataset only)

l By Asset (Vulnerabilities dataset only)

l By CVE (Vulnerabilities dataset only)

l Asset List (Assets dataset only)

7. (Optional) To filter the widget data using filters:

a. Click the button to expand the filter options.

b. In the drop-down box, select category, operator, and value types.

c. (Optional) Click the Add button to specify more filters.

Note: If you previously created a tag, it appears in the custom widget's list of filters.

Note: If you exceed the current asset query limitation of 5,000, a message appears in your interface.
Refine the query to a smaller set of asset tags.

Note: Tenable Vulnerability Management does not currently support tag filters in exports.

8. (Optional) To filter the widget data using an existing saved search, in the Saved Searches
drop-down box, select the saved search you want to use to filter your widget data.

Note: If you do not have any saved searches, this option does not appear. To create a new saved
search, see Saved Search.

9. In the Name box, type a name for the custom widget.

- 130 -
In the Widget Preview, the title updates automatically.

10. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the description hover text updates
automatically.

11. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

12. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Create a Custom Widget for Explore Dashboards

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add
to any user-defined Explore dashboards. You can create custom widgets with vulnerabilities and
assets data. Vulnerabilities can include host vulnerabilities, Tenable Web App Scanning
vulnerabilities, and vulnerabilities from Legacy Tenable Cloud Security. Adding a mix of these
custom widgets to your dashboard provides you with a holistic view of the vulnerability
environment.

You can drill down from the custom widgets to the Findings and Assets pages.

To create a custom widget:

- 131 -
1. Do one of the following:

l Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the New Custom Widget button.

The Create Custom Widget page appears.

l Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the Chart Type section, select the chart type for your custom widget:

l Chart types for vulnerabilities:

l Bar

l Column

l Doughnut

l Matrix

l Multi-series Bar

l Multi-series Column

l Stacked Bar

l Stacked Column

l Table

- 132 -
l Chart types for assets:

l Column

l Bar

l Doughnut

l Table

3. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

4. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the contextual description updates
automatically.

5. In the Data Set drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

l Findings

l Assets

The Chart Type, Group By, and Sort Fields options update based on your selection.

If you
Options
selected...

Findings Provide the following details:

a. In the Entity drop-down box, select the type of vulnerability for

which you want to create a widget. You can select from the
following:

l Vulnerabilities — Includes the list of findings.

l Web Application Findings — Includes vulnerabilities from

Tenable Web App Scanning.

l Cloud Misconfigurations— Includes vulnerabilities from

Legacy Tenable Cloud Security.

- 133 -
b. In the Limit drop-down box, select the number of records you
want to show on the widget. The default value is 5 and maximum
value is 20.

c. In the Group By drop-down box, select how you want to group the
data. The values in the Group By drop-down changes based on the
Entity you select.

Note: For Bar, Column, Doughnut, and Table chart types, you
can select only one option to group vulnerabilities. For Matrix,
Multi-series Bar, Multi-series Column, Stacked Bar, and
Stacked Column chart types, you must select two options for
grouping vulnerabilities.

For more information about all filters, see Findings Filters.

d. In the Stats drop-down box, select the statistics you want to show
on the widget.

For all chart types except Table, count is the default statistic
option. For the Table chart type, you can select from multiple
options.

e. In the Sort Fields drop-down box, select how you want to sort the
data on the widget. You can sort by one of these options:

l Count

l Value in Group By

f. In the Sort Order drop-down box, select whether you want the sort
in ascending or descending order.

Assets Provide the following details:

a. In the Limit drop-down box, select the number of records you

want to show on the widget. The default value is 5 and maximum
value is 20.

- 134 -
b. In the Group By drop-down box, select how you want to group the
data:

l System Type

l Name

l Operating System

l SSH Fingerprint

l Fully Qualified Domain

l Mac Addresses

l Asset Types

Note: For Bar, Column, Doughnut, and Table chart types, you
can select only one option to group assets. For Matrix, Multi-
series Bar, Multi-series Column, Stacked Bar, and Stacked
Column chart types, you must select two options for grouping
assets.

c. In the Stats drop-down box, select the statistics you want to show
on the widget.

For all chart types except Table, count is the default statistic
option. For the Table chart type, you can select from multiple
options.

6. For each filter you want to use, do the following:

Note: Tenable recommends that you use simple instead of complex queries or one level of nested
filters when creating your custom widgets. Widgets can only have a maximum of one level of nested
filters, provided no additional context filters are applied when the widgets are added to the
dashboards. An example of a query with one level of nesting:
(CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9) AND State is
not equal to Fixed

a. Click Select Filters.

The Select Filters drop-down box appears.

- 135 -
b. Click the filter you want to apply.

The filter appears in the box.

c. In the filter, click the ˅ button.

A list of filter value and operator options appears.

d. In the first drop-down box, select the operator you want to apply to the filter.

e. In the second drop-down box, select one or more values to apply to the filter.

f. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
sets the filter to Match All.

7. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

8. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Edit a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Note: You cannot edit Tenable-provided widgets.

To edit a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the upper-right corner of the widget you want to edit, click the button.

A menu appears.

- 136 -
4. Click Edit.

The widget options appear.

5. Edit the widget options.

6. Click Save and Exit.

A confirmation appears.

Note: A custom widget that was previously included in dashboards before you edited the widget does not
update to reflect your edits. To include the edited widget, you must add the widget again as described in
Add a Widget to a Dashboard.

Add a Widget to a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Use the following steps to add a widget to your template-based and custom dashboards.

You can add custom widgets, widgets from Tenable-provided dashboards, and other general
purpose Tenable-provided widgets.

To add a widget to a dashboard:

Note: These steps describe how to add a template widget to a dashboard. See custom widgets for
information on how to create custom widgets and add them to your dashboard.

1. View the widget library.

2. For each widget you want to add:

a. Do one of the following:

l Scroll through the list of widgets.

l Use the Search box to find a specific widget.

Tip: You can hover over a widget tile for brief descriptions of each widget. For detailed
descriptions about widgets originating from Tenable-provided dashboards, see Tenable-
Provided Dashboards.

- 137 -
b. Roll over the widget you want to add.

The Add to Dashboards button appears.

c. Click Add to Dashboards.

The Add to Dashboards plane appears.

d. In the Dashboards drop-down box, select the dashboard or dashboards to which you
want to add the widget.

e. Click Save.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard or dashboards.

f. Click Add.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard.

3. Click Done.

You return to the Dashboards page.

Configure a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To configure a widget:

1. View the dashboard page that contains the widget you want to configure.

2. In the upper-right corner of the widget you want to change, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. On the widget summary plane, do any of the following:

- 138 -
l
Rename the widget:
a. Do one of the following:

l Click the name of the widget.

l In the widget summary plane, roll over the widget name and click the
button.

The name field becomes an editable text box.

b. Type a new name for the widget.

c. Click the button to confirm the name change.

A confirmation message appears at the top of the page, and the new name
appears in the widget header.

l
Edit the widget description:
a. Do one of the following:

l Click the widget description.

l In the widget summary plane, roll over the widget description and click the
button.

The description field becomes an editable text box.

b. Type a new description for the widget.

c. Click the button to confirm the change.

A confirmation message appears at the top of the page, and the new description
appears in the widget header.

l
Duplicate the widget:
o In the Actions row, click the button.

A confirmation message appears and Tenable Vulnerability Management adds the

duplicated widget to the dashboard.

- 139 -
l
Delete the widget from the dashboard:
a. In the Actions row, click the button.

A Confirm Deletion message appears.

b. Click Delete.

A confirmation message appears and Tenable Vulnerability Management removes

the dashboard from the Dashboards page.

l
Apply filters to the widget:

Option Description Requirement

All Assets (Default) This option This is the default option and
includes all the assets in the includes all assets in the
dashboard. dashboard. There is not a
requirement for this option.

Custom This option only includes When you select this option, a
assets with a specific text box appears. Enter one or
hostname, IP address, FQDN, more of the custom option
or CIDR. formats (hostname, IP address,
FQDN, or CIDR). You must
separate multiple items with a
comma.

Tags This option uses tags to When you select this option, a
filter asset results or drop-down box appears. Select or
vulnerability results. type the tag name by which you
want to filter results. Tenable
Note: Because the Vulnerability Management filters
ACR Widget uses Tenable
Lumin data, this widget
the results by the selected tags.
does not support filtering
by tag. Note: Tenable Vulnerability
Management supports a
maximum of 100 filters.

- 140 -
Note: Once you apply a filter to a widget, a icon appears in the widget header. Roll over the
icon to view the applied filter.

5. Click Apply.

A confirmation message appears and Tenable Vulnerability Management applies your changes
to the widget.

Duplicate a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a widget:

1. View the dashboard page that contains the widget you want to duplicate.

2. In the upper-right corner of the widget you want to duplicate, click the button.

A menu appears.

3. Click Duplicate.

The duplicated widget appears at the bottom of the page.

4. (Optional) Change the name of the widget.

5. (Optional) Reorder the widget sections.

Rename a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To rename a widget:

1. View the dashboard page that contains the widget you want to change.

2. In the upper-right corner of the widget you want to rename, click the button.

A menu appears.

- 141 -
3. Click Configure.

The widget summary plane appears.

4. In the widget summary plane, roll over the widget name.

The button appears next to the name.

5. Click the button or double-click the name.

The name field becomes an editable text box.

6. Type a new name for the widget.

7. Click the button to confirm the name change.

A confirmation message appears at the top of the page.

The new name appears in the widget header.

Delete a Widget from a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To remove a widget from a dashboard:

1. View the dashboard page that contains the widget you want to remove.

2. In the upper-right corner of the widget you want to remove, click the button.

A menu appears.

3. Click Delete.

Tenable Vulnerability Management prompts you to confirm the removal.

4. Click Delete.

A confirmation message appears at the top of the page.

Tenable Vulnerability Management removes the widget from the dashboard. Remaining
widgets adjust to fill the new space.

- 142 -
Vulnerability Intelligence
In the Vulnerability Intelligence section, you can review all vulnerabilities known to Tenable without
leaving Tenable Vulnerability Management.

The vulnerabilities come from Tenable’s database, which draws on sources such as internal
expertise, vendor advisories, the GitHub Advisory Database, and the National Vulnerability Database
(NVD).

The Vulnerability Intelligence section also holds curated categories that blend known risk
indicators with insights from the Tenable Research Team to surface the most crucial vulnerabilities.

Once you have chosen which vulnerabilities to focus on, you compare them to your own findings
and build a list to take action on. To do this, use the query builder to refine the results and save your
searches to re-use or share.

The following topics explain how to use the tools in the Vulnerability Intelligence section to: 1)
search Tenable’s vulnerability database, 2) view vulnerability profiles, and 3) identify your exposure
when compared to known vulnerabilities.

l Search Known Vulnerabilities

l View Vulnerability Profiles

- 143 -
l Identify Your Exposure

l Vulnerability Categories

Search Known Vulnerabilities

On the Vulnerability Intelligence Overview page, you can search all vulnerabilities known to Tenable
by Common Vulnerabilities and Exposures (CVE) ID or common name.

To search for a vulnerability:

1. In the left navigation, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

2. In the drop-down, select CVE ID or Common Name.

3. In the search box, type a complete or partial search (for example, CVE-2014-0160, 2014, or
Heartbleed).

4. Press the Enter key.

5. In the list of results, click a vulnerability.

The Vulnerability Profile page appears.

View Vulnerability Profiles

On the Vulnerability Intelligence Overview page, when you click a search result or a row in the
CVEs tab, the Vulnerability Profile page appears.

- 144 -
The Vulnerability Profile page breaks down a single vulnerability in detail and includes an event
timeline, your affected assets and products, the sources, and metrics such as risk profile and
severity.

The Vulnerability Profile page has four sections.

In this Section You Can…

Vulnerability View the Common Vulnerability Scoring System (CvSSv3), Vulnerability

Information Priority Rating (VPR), and Exploit Prediction Scoring System (EPSS) scores.

In tabs, review an event timeline, VPR and EPSS trends, identifying plugins,
all known products affected, and a summary.

How Does This View affected assets and products in your environment and build queries to
Affect Me? refine the results.

Sources View contextual intelligence such as security advisories on the external

websites where they appear.

Vulnerability In a right-hand pane, review metrics broken down by general information,

Metrics risk profile, severity, and plugin coverage.

Vulnerability Information

- 145 -
On the Vulnerability Profile page, the Vulnerability Information section provides a short summary
along the vulnerability's Vulnerability Priority Rating (VPR), Common Vulnerability Scoring System
(CVSSv3), and Exploit Prediction Scoring System (EPSS) scores.

It also contains four tabs, within which you can view an event timeline, VPR and EPSS widgets,
plugin details, known affected products, and a full summary.

Events
The Events tab appears by default and contains a timeline for the vulnerability. Use the horizontal
scroll bar or click an event marker to go to that event. Click event links to open them in your web
browser.

The timeline can contain the following events.

Event Description

Discovery Date Indicates the date Tenable first observed the vulnerability.

NVD Published Indicates the date that the National Vulnerability Database (NVD)
disclosed the vulnerability.

First Tenable Indicates the first time Tenable provided coverage for the vulnerability.
Coverage

First Proof of Indicates the date Tenable first observed a proof of concept for the
Concept vulnerability.

First Functional Indicates the date the first functional exploit for the vulnerability was
Exploit released.

Consec Plugin Appears when a new Container Security Scanner plugin for the
Published vulnerability is released.

LCE Plugin Appears when a new Log Correlation Engine plugin for the vulnerability is
Published released.

Nessus Plugin Appears when a new Tenable Nessus plugin for the vulnerability is
Published released.

NNM Plugin Appears when a new Tenable Nessus Network Monitor plugin for the

- 146 -
Published vulnerability is released.

WAS Plugin Appears when a new Tenable Web App Scanning plugin for the
Published vulnerability is released.

Ransomware Indicates the first time Tenable observed ransomware events for the
vulnerability.

Malware Indicates the first time Tenable observed malware events for the
vulnerability.

Emerging Indicates that Tenable is actively monitoring the vulnerability since it is

Threats being publicly discussed, has a viable proof of concept, and/or is widely
used.

Exploited in the Indicates that the vulnerability has been used in a cyberattack.
Wild

Persistently Appears each time Tenable observes that the vulnerability is being
Exploited persistently exploited.

CISA Known Indicates the date that the Cybersecurity and Infrastructure Security
Exploits Agency (CISA) added the vulnerability to their Known Exploited
Vulnerabilities catalog.

CISA Due-Date Indicates the date by which federal agencies must fix vulnerabilities on
the CISA Known Exploited Vulnerabilities (KEV) list.

Cyber Exposure Appears when Tenable publishes a Cyber Exposure Alert for the
Alert vulnerability.

EPSS Increased Appears when the Exploit Prediction Scoring System (EPSS) increases (for
example, EPSS Increased to 65%).

EPSS Decreased Appears when the EPSS decreases.

EPSS Assigned Appears when an EPSS score is assigned.

VPR Increased Appears when the Vulnerability Priority Rating (VPR) increases (for
example, VPR Increased to 6.1).

- 147 -
VPR Decreased Appears when the VPR decreases.

VPR Assigned Appears when a VPR score is assigned.

Scores
The Scores tab contains ring charts for VPR and EPSS along with trend charts to track how these
scores have changed over time.

In addition, you can review the following VPR Key Drivers.

VPR Driver Description

Age of Indicates the number of days since the vulnerability was discovered.
Vulnerability

CVSSv3 Impact Indicates the NVD-provided CVSSv3 impact score from 0–10. If NVD did not
Score provide a score, Tenable generates one.

Exploit Code The highest level of exploit maturity for the vulnerability: Unproven, PoC,
Maturity Functional, or High. Drawn from Tenable’s research, as well as key external
sources.

Product Indicates the relative number of unique products affected. Values are Low,
Coverage Medium, High, or Very High.

Threat Intensity Indicates the number and frequency of recent threat events. Values are
Very Low, Low, Medium, High, or Very High.

Threat Sources Lists sources where relevant threat events occurred (for example, social
media or the dark web). If no events were observed in the past 28 days, No
recorded events appears.

Threat Recency Indicates the number of days since a threat event occurred, from 0–180.

Plugins
The Plugins tab lists plugins that detected findings for the vulnerability. From the Source drop-
down, choose between Tenable Web App Scanning and Tenable Nessus.

- 148 -
Column Description

Plugin ID Indicates the ID of the Tenable plugin that detected the finding.

Name Indicates the name of the Tenable plugin that detected the finding.

Family Indicates the type of plugin. For example, with a Tenable Nessus plugin,
Backdoors. Or, with a Tenable Web App Scanning plugin, Code Execution. To
learn more, see About Plugin Families on the Tenable website.

Severity Indicates severity for the detected vulnerability as Low, Medium, or High.

Products
In the Products tab, view affected products by vendor. Next to a vendor, click the drop-down > to
view a list of products.

For example, a vulnerability might have the Vendor canonical with the Product linux.

Tip: Tenable curates this data. It represents all known affected products for a vulnerability, not only yours.
To view only your affected products, go to How Does This Affect Me.

Summary
In the Summary tab, read a summary and Copy it to your clipboard.

How Does This Affect Me

On the Vulnerability Profile page, view your affected assets and products that relate to the current
vulnerability in the How Does This Affect Me? section. You can build queries to refine the results.

Affected Assets
The table of results in the Affected Assets tab has the following columns, which you can show or
hide as described in Customize Tables.

Column Description

Asset ID The asset’s Universally Unique Identifier (UUID).

- 149 -
Name The asset identifier, assigned based on the availability of specific
attributes in logical order.

IPv4 Address The IPv4 address for the affected asset.

IPv6 Address The IPv6 address for the affected asset.

Vulnerabilities A heatmap of the asset’s vulnerabilities, color coded by severity. This

column also lists the number of vulnerabilities.

ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined

Asset Criticality Rating (ACR) as an integer from 1 to 10.

AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined

Asset Exposure Score as an integer from 0 to 1000.

Tags Any asset tags applied to the affected asset.

Affected Products
The table of results in the Affected Products tab has the following columns.

Column Description

Product The name of the affected product, using Common Platform Enumeration (CPE).
For example, cpe:/a:apache:httpd. If multiple products are affected, click the
link to view a complete list.

Plugin Name The name of the Tenable plugin that detected a finding.

Findings The number of findings affected by the vulnerability relating to that product.
Click the number to view more information on the Findings workbench grouped
by None.

Assets The number of assets with active findings relating to that product. Click the
Affected number to open that result on the Findings workbench grouped by Asset.

Sources
In the Sources section, search for and review contextual intelligence such as security advisories on
the external websites where they appear.

- 150 -
This section contains a table with the following columns.

Column Description

Source Links to contextual intelligence about a vulnerability.

Authoritative Indicates if the source is authoritative with a label such as Tenable

Research or NVD (for the National Vulnerability Database).

Source Details Provides more information about the source via labels added by the
Tenable Research Team (for example, Third Party Advisory).

Vulnerability Metrics
In the right-hand Vulnerability Metrics pane, review key details in the following sections.

General Information
In the General Information section, review when a vulnerability was first discovered, how
exploitable it is, and other details.

Field Description

Tenable The date Tenable first discovered the vulnerability.

Discovery Date

NVD Published The date that the National Vulnerability Database (NVD) added the
Date vulnerability.

Exploitability How easy it is to exploit the vulnerability (for example, Low Complexity,
Network Exploitability).

Exploit Maturity The highest level of exploit maturity for the vulnerability: Unproven, PoC,
Functional, or High. Drawn from Tenable’s research, as well as key external
sources.

First Proof of The date the first proof of concept for the vulnerability was released.
Concept

First Functional The date the first functional exploit for the vulnerability was released.
Exploit

- 151 -
Risk Profile
In the Risk Profile section, see if the Tenable Research Team is tracking a vulnerability, learn which
categories it belongs to, and find out if it can be exploited from a remote network.

Field Description

Categories The categories the vulnerability belongs to, as described in Vulnerability

Categories. Most vulnerabilities do not have a category.

Tenable Indicates that Tenable is actively monitoring the vulnerability since it is

Research being publicly discussed, has a viable proof of concept, and/or is widely
Watchlist used.

Remotely If the vulnerability can be exploited from a remote network.

Exploitable

Proof of If Tenable has identified a proof of concept for this vulnerability.

Concept
Available

Zero Day If a vulnerability is a zero-day vulnerability—that is, a vulnerability which has

been publicly disclosed or is known to be exploited in the wild before a patch
is available. Possible values are Yes or No.

Severity Metrics
In the Severity Metrics section, view Common Vulnerability Scoring System (CVSS) v3 or CVSSv2
scores, depending on which are available, along with their vector strings.

Field Description

CVSSv3 Indicates the CVSSv3 score. When not available from NVD, Tenable determines
Base Score this score. To learn more, see CVSS vs. VPR.

CVSSv3 Lists a vector string with the values used to calculate the CVSSv3 score, for
Vector example: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. To learn more, see
this CVSSv3 calculator on the FIRST website.

CVSSv2 Indicates the CVSSv2 score. When not available from NVD, Tenable determines

- 152 -
Base Score this score.

CVSSv2 Lists a vector string with the values used to calculate the CVSSv2 score.
Vector

Latest Plugin Coverage

In the Latest Plugin Coverage section, view the most recent Tenable Nessus and Tenable Web App
Scanning plugins to detect the vulnerability. Click the links to view plugin details on Tenable’s
website.

Field Description

Nessus Lists the release date of the newest Tenable Nessus plugin to identify the
vulnerability.

Web App Lists the release date of the newest Tenable Web App Scanning plugin to
Scanning identify the vulnerability.

Identify Your Exposure

On the Vulnerability Intelligence page, you can review all vulnerabilities known to Tenable or only
those in crucial categories such as Recently Actively Exploited. Then, you can compare the list of
vulnerabilities to findings in your environment. This process has two parts: 1) review known
vulnerabilities and, 2) compare them to your findings.

Review Known Vulnerabilities

First, build a list of known vulnerabilities to compare with your own findings.

To review vulnerabilities known to Tenable:

1. In the left navigation, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

2. (Optional) Click a hexagon tile to choose a vulnerability category. Or, to search all
vulnerabilities, click the default category to deselect it.

- 153 -
In the CVEs tab on the lower area of the page, a table of results appears.

Tip: Under How Does This Affect Me? click Findings or Affected Assets to open those tabs and
start reviewing your vulnerabilities.

3. (Optional) Use the Query Builder to refine the results, as described in Use the Query Builder.

4. (Optional) Click a vulnerability row.

The Vulnerability Intelligence Profile page appears.

Compare Known Vulnerabilities to Your Findings

Once you have built a list of known vulnerabilities, compare them with your findings in the My
Findings tab or the My Affected Assets tab as follows.

Click the My Findings tab and do one of the following:

l Refine your results with the Query Builder.

l In a row, click the number in the Affected Assets column.

The Findings workbench appears. It is grouped by Asset and lists findings for that Tenable
plugin.

l Click the dropdown > to display a list of assets with that finding. Then, click an Asset Name.

The Asset Details page appears.

Click the My Affected Assets tab and do one of the following:

l Refine your results with the Query Builder.

In a row, click the number in the Plugin Count column.

l The Findings workbench appears. It is grouped by Plugin and lists findings for that asset.

l Click the dropdown > to display a list of assets with that finding. Then, click an Asset Name.

A list of plugins that identified findings on that asset appears.

Use the Query Builder

- 154 -
In the three tabs on the lower part of the Vulnerability Intelligence page, use the Query Builder to
refine your search results with contextual filters.

How Queries Work

Queries are joined by Conditions (for example, AND). They have three components:

l Filter — The search criteria (for example, for a vulnerability, Common Name).

l Operator — The condition to filter on (for example, is not equal to).

l Value — The value to search (for example, a CVE ID of CVE-2024-3272).

Tip: You can nest queries with parentheses. For example, to search for CISA Known Exploited
vulnerabilities where the VPR is greater than five or the EPSS is greater than 50, use:
Category is equal to CISA Known Exploited AND (VPR is greater than 5 OR EPSS Score is greater
than 50) .

Build a Query
To build a query with the Query Builder:

1. In the left navigation, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

2. Build a list of CVEs, findings, or affected assets, as described in Identify Your Exposure.

3. Click the query box.

The Filters list appears. To review the filters you can use, see Vulnerability Management
Filters.

4. In the Filters list, choose a filter.

The Operators list appears.

5. In the Operators list, choose an operator.

For a filter where the value is text or a number, the Value Hint box appears. Otherwise, the
Value Options list appears.

- 155 -
6. Type a Value or select one from the list.

7. (Optional) Add another query (that is, type a Condition and then add a Filter, an Operator, and a
Value).

8. Click Search or press Enter.

A table of results appears.

Edit a Query
To edit a query, do one of the following.

Action Description

Replace a query In the query box, click the component to replace. A list of options
component appears.

Delete a query On the query component, click the X.

component

Clear a query On the right side of the query box, click Clear.

Keyboard Shortcuts
Use the following keyboard shortcuts in the Query Builder.

Shortcut Description

Up Arrow or Down Navigate lists of open-ended values such as text or numbers.

Arrow

Right Arrow or Left Move the cursor in your query or choose a date in the date picker.
Arrow

Enter Select a query component or date. If no component is selected, apply

the query.

Esc Close a list (for example, the Filters list).

Ctrl-C Copy the highlighted text.

- 156 -
Ctrl-V Paste your clipboard contents into the Query Builder.

Ctrl-Z Undo the last action.

Ctrl-Y Redo the last action.

Vulnerability Management Filters

On the Vulnerability Intelligence page and the Vulnerability Profile page, use the Query Builder to
refine your results. Show only the CVEs, findings, or affected assets you want to take action on.

The following table lists the filters you can use with the Query Builder and the tabs they appear in.

Filter Description

ACR The Tenable-defined Asset Criticality Rating (ACR) as a number from 1 to

10.

AES The Tenable-defined Asset Exposure Score (AES) as a number from 0 to

1000.

Asset Name The asset name, for example the IPv4 address [Link].

Category The category, as described in Vulnerability Categories.

Common Name A vulnerability's common name, for example Log4Shell. Not all
vulnerabilies have a common name.

CVE ID The Common Vulnerabilities and Exposures (CVE) ID, for example CVE-
2002-2024.

CVSSv2 Base The CVSSv2 score for the vulnerability, for example 5.2. When not
Score available from NVD, Tenable determines this score. To learn more, see
CVSS vs. VPR.

CVSSv3 Attack The attack complexity, which defines how difficult it is to use a
Complexity vulnerability in an attack. Choose from High or Low.

CVSSv3 Attack The attack vector, which defines an attack's location. Choose from
Vector Adjacent, Network, Local, or Physical.

CVSSv3 The affected asset's availability. Choose from High, Low, or None. For

- 157 -
Availability example, an affected asset with High is completely unavailable.

CVSSv3 Base The CVSSv3 score for the vulnerability, for example 4.3. When not
Score available from NVD, Tenable determines this score. To learn more, see
CVSS vs. VPR.

CVSSv3 The expected impact of the affected asset's information confidentiality

Confidentiality loss. Choose from High, Low, or None. For example, an affected asset
with High may have a catastrophic adverse effect on your organization or
customers.

CVSSv3 Integrity The expected impact of the affected asset's data integrity loss. Choose
from High, Low, or None.

CVSSv3 Privileges The permission level attackers require to exploit the vulnerability.
Required Choose from High, Low, or None. None means attackers need no
permissions in your environment and can exploit the vulnerability while
unauthorized.

CVSSv3 Scope Whether a vulnerability allows attackers to compromise resources

beyond an affected asset's normal authorization privileges. Choose from
Unchanged or Changed. Changed means the vulnerability increases the
affected asset's privileges.

CVSSv3 User Whether a vulnerability requires other users (such as end users) for
Interaction attackers to be able to use it. Choose from Required or None. None is
more severe since it means that no additional user interaction is
required.

EPSS Score The percentage likelihood that a vulnerability will be exploited, based on
the third-party Exploit Prediction Scoring System (EPSS). Type a number
from 1 to 100 with up to three decimal places, for example, 50.5.

Exploit Maturity The exploit maturity based on sophistication and availability. This
information is drawn from Tenable’s own research as well as key external
sources. Choose from High, Functional, PoC, or Unproven.

First Discovered The date a vulnerability was first identified. Use Operators to get results
based on a date range, a specific date, vulnerabilities older than a date,

- 158 -
and others.

First Functional The date a vulnerability was first known to be exploited. Use Operators to
Exploit get results based on a date range, a specific date, vulnerabilities older
than a date, and others.

First Proof of The date a vulnerability's first proof of concept was found. Use Operators
Concept to get results based on a date range, a specific date, vulnerabilities older
than a date, and others.

IPv4 Address Affected asset IPv4 addresses as a single IP, an IP range, or an IP

Classless Inter-Domain Routing (CIDR) block. For example, type [Link]-
[Link].

IPv6 Address Affected asset IPv6 addresses as a single IP, an IP range, or an IP

Classless Inter-Domain Routing (CIDR) block. For example, type
[Link].

Last Seen The date a finding affected or asset last appeared on a scan. Use
Operators to get results based on a date range, a specific date,
vulnerabilities older than a date, and others.

Plugins Available Filter by whether or not a vulnerability currently has a Tenable plugin that
detects it. Choose from Yes or No.

Plugin ID The ID of the Tenable plugin that detected the vulnerability, for example
157288. To look up plugin IDs, go to the Tenable website.

Plugin Name The name of the Tenable plugin that detected the vulnerability, for
example TLS Version 1.1 Protocol Deprecated.

Tags Tags on your affected assets. To learn more, see Tags.

VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score, as a

number from 1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it.
When plugins are associated with multiple vulnerabilities, the highest VPR
appears.

- 159 -
VPR Threat A vulnerability's Tenable-calculated threat intensity based on the number
Intensity and frequency of threat events. Choose from Very Low, Low, Medium,
High, or Very High.

Weaponization If a vulnerability is judged to be ready for use in a cyberattack. Choose

from Advanced Persistent Threat, Botnet, Malware, Ransomware, or
Rootkit.

Zero Day If a vulnerability is a zero-day vulnerability—that is, a vulnerability which

has been publicly disclosed or is known to be exploited in the wild before
a patch is available. Possible values are Yes or No.

Use Saved Queries

On the Vulnerability Intelligence page, you can use the the Query Builder to refine lists of CVEs,
findings, or affected assets and save the queries you create. In the user interface, this feature is
called Saved Filters.

Save a Query
To save a query:

1. In a query box, use the Query Builder to refine results.

2. To the left of the query box, click Saved Filters.

A drop-down appears.

3. Click Save As New Filter.

4. In New Filter Name, type a name and click the button.

Run a Saved Query

To run a saved query:

- 160 -
1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. In the drop-down, click a query to run it.

Share a Saved Query

To share a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. To the right of the query to share, click the button.

3. Paste the link to share the query.

Note: Any Tenable Vulnerability Management user can run a shared query, but the assets they can view are
based on permissions. To learn more, see Access Control.

Edit a Saved Query

To edit a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. In the drop-down, click the query to edit.

3. Do one of the following:

Rename the query...

a. Click the button.

b. Type a new name and click the button.

Save the query as a new query...

a. In the filter box, update the query.

b. To the left of the query box, click Saved Filters.

- 161 -
c. In the drop-down that appears, click Save as New Filter.

d. Type a new name in the box and click the button.

Delete a Saved Query

To delete a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. Next to the query to delete, click the button.

Export Results
On the Vulnerability Intelligence page, you can export results from both the My Findings and My
Affected Assets tabs in JSON or CSV format. This enables you to to build reports or share data
with your organization.

To export a finding or affected asset:

1. In the left navigation, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

2. Refine the results that appear in the table on the lower area of the page, as described in
Identify Your Exposure.

3. In My Findings or My Affected Assets, select the items to export.

Note: You export different items from the Findings and Affected Assets tabs:
l My Findings — In the main table, export findings. In the drop-downs >, export the
assets that those findings appear on.
l My Affected Assets — In the main table, export assets. In the drop-downs >, export
plugin results for those assets.

Tip: To select all items, in the blue bar above the items to export, click, the check box. Then, if your
results span multiple pages, click Select all.

- 162 -
4. In the blue bar, depending on the items to export, click Export Findings, Export
Affected Assets, or Export Plugins.

The Export dialog appears.

5. In the Export dialog, select JSON or CSV and click Export.

The system processes your request. Once processed, a confirmation message appears and
your browser saves the file to your computer. Tenable Vulnerability Management also logs
your request to the Exports page.

Note: If you request a large export and then leave the Vulnerability Intelligence page before it is
processed, you must manually download the file from the Exports page.

CVEs
On the Vulnerability Intelligence Overview page, the CVEs tab shows vulnerabilities from Tenable's
database. All vulnerabilities appear by default, but you can refine the results with vulnerability
categories and the query builder.

Tip: Select the checkbox to only show CVEs affecting your assets.

The table in the CVEs tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

CVE ID Indicates the Common Vulnerability and Exposure (CVE) identifier for the
vulnerability, as assigned by the CISA-sponsored CVE Program.

Common Indicates the informal name of the vulnerability (for example, Log4Shell). Not
Name all vulnerabilities have a common name.

VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to
10.

CVSSv2 Indicates the CVSSv2 score for the vulnerability. When not available from
NVD, Tenable determines this score. To learn more, see CVSS vs. VPR.

CVSSv3 Indicates the CVSSv3 score for the vulnerability. When not available from
NVD, Tenable determines this score.

- 163 -
Exploit The highest level of exploit maturity for the vulnerability: Unproven, PoC,
Maturity Functional, or High. Drawn from Tenable’s research, as well as key external
sources.

EPSS Indicates the likelihood that the vulnerability will be actively exploited, based
on the third-party Exploit Prediction Scoring System (EPSS).

First Indicates the date the vulnerability was first identified.

Discovered

First Exploited Indicates the date of the vulnerability’s first-known exploitation.

First PoC Indicates the date the vulnerability’s first proof of concept was discovered.

Zero Day If a vulnerability is a zero-day vulnerability—that is, a vulnerability which has

been publicly disclosed or is known to be exploited in the wild before a patch
is available. Possible values are Yes or No.

Plugins Lists the IDs for the Tenable plugins that detected the vulnerability.

Affected Assets
In any row, click the drop-down > to reveal a table of assets on which that CVE appears, with the
following columns.

Column Description

Asset Name The asset identifier, assigned based on the availability of specific attributes in
logical order.

Operating Indicates the operating system run on the asset, for example Linux Kernel 3.13.
System

IPv4 Address Indicates the IPv4 address for the asset.

IPv6 Address Indicates the IPv6 address for the asset.

Plugin Count Indicates the number of plugins that identified the CVE on the asset.

ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10.

- 164 -
AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Exposure Score as an integer from 0 to 1000.

Last Seen Indicates the date when the asset last appeared on a scan.

Source Indicates the scanner or sensor that identified the finding, for example Nessus
network-based assessment.

Tags Lists any asset tags you applied in Tenable Vulnerability Management.

My Findings
On the Vulnerability Intelligence Overview page, the My Findings tab shows all active, new, or
resurfaced findings findings in your environment that are being tracked by Tenable Vulnerability
Management. Refine the results with vulnerability categories and the query builder.

The My Findings tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When
plugins are associated with multiple vulnerabilities, the highest VPR appears.

Plugin Name The name of the Tenable plugin that detected the finding.

Plugin ID The ID of the Tenable plugin that detected the finding.

Affected The number of affected assets. Click the number to open the Asset Details
Assets page.

CVSSv3 The Common Vulnerability Scoring System (CVSS) v3 score for the finding.

Affected Assets
In any findings row, click the dropdown > to reveal a table of assets on which that finding appears,
with the following columns.

- 165 -
Column Description

Asset The asset identifier, assigned based on the availability of specific attributes in
Name logical order.

IPv4 The IPv4 address for the asset.

Address

IPv6 The IPv6 address for the asset.

Address

ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10.

AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Exposure Score as an integer from 0 to 1000.

Last Seen The date when the asset last appeared on a scan.

Tags Any asset tags applied in Tenable Vulnerability Management.

My Affected Assets
On the Vulnerability Intelligence Overview page, the My Affected Assets tab shows all assets in
your environment with a finding that has not yet been fixed. Refine the results with vulnerability
categories and the query builder, or add tags to provide business context.

The My Affected Assets tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

Name The name of the asset.

IPv4 The IPv4 address for the asset.

Address

IPv6 The IPv6 address for the asset.

Address

Plugin The number of Tenable plugins that identified findings on the asset. Click the
Count number to review details on the Findings workbench.

- 166 -
ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10.

AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Exposure Score as an integer from 0 to 1000.

Tags Any asset tags for the asset.

Plugins
In any asset row, click the dropdown > to reveal a table of plugin results for the findings on that
asset, with the following columns.

Column Description

VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When
plugins are associated with multiple vulnerabilities, the highest VPR appears.

Severity The vulnerability's severity based on the Common Vulnerability Scoring System
(CVSS).

Plugin The name of the Tenable plugin that detected the finding.
Name

Plugin ID The ID of the Tenable plugin that detected the finding.

Findings The number of findings detected on the asset.

CVSSv3 The CVSSv3 score for the finding.

Tag Affected Assets

On the Vulnerability Intelligence page in the My Affected Assets tab, the Tags column shows all
asset tags for your assets. You can add or remove these tags using the steps below.

Add Tags to an Asset

To add tags to an asset:

- 167 -
1. In the left navigation, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

2. On the lower part of the page, click My Affected Assets.

3. In My Affected Assets, select the assets to tag.

4. In the blue bar, click Add Tags.

The Add Tags dialog appears.

5. In the Add Tags dialog, do one of the following:

Add new tags...

a. In the two text boxes, type a tag category and value (for example, Location:
Headquarters).

b. After you type the value, in the drop-down that appears, click Create.

The tag appears in the Tags to be Added section.

c. (Optional) Add more tags as needed.

Add recently used tags...

a. In the Recently Used Tags section, click a tag.

The tag appears in the Tags to be Added section.

b. (Optional) Add more tags as needed.

6. Click Add Tags.

The system adds the tag or tags to the assets.

Remove Tags from an Asset

To remove tags from an asset:

- 168 -
1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Intelligence.

The Vulnerability Intelligence Overview page appears.

3. On the lower part of the page, click My Affected Assets.

4. In My Affected Assets, select the assets to remove tags from.

5. In the blue bar, click Remove Tags.

The Remove Tags dialog appears.

6. In the Remove Tags dialog and the Current Tags section, click the tag or tags to remove.

7. Click Remove Tags.

The system removes the tag or tags from the assets.

Vulnerability Categories
The Vulnerability Intelligence page breaks down key vulnerabilities from Tenable's database into
curated categories that you select from hexagon-shaped tiles.

While most vulnerabilities do not belong to categories, the ones that do require quick action when
found in your environment! To learn how to compare your findings to one of these categories, see
Identify Your Exposure.

You can choose from the following categories.

Category Description

Emerging Vulnerabilities being actively monitored by Tenable in three areas:

Threats
l Vulnerabilities Being Monitored — Publicly discussed, but no exploit
or proof of concept has been disclosed.

l Vulnerabilities of Interest — Publicly discussed and have a proof of

- 169 -
concept that could lead to widespread use by attackers.

l Vulnerabilities of Concern — Widely discussed and large-scale abuse

by attackers is being observed.

CISA Known Vulnerabilities that appear in the CISA Known Exploited Vulnerabilities
Exploited Catalog. CISA suggests that you prioritize remediation efforts for these
vulnerabilities since they are known to cause immediate harm.

In the News Vulnerabilities being widely reported in the press with notable coverage
over the past 30 days.

Recently Vulnerabilities with notable coverage in the press over the past 30 days,
Actively and for which Tenable has evidence of active exploitation.
Exploited

Ransomware Vulnerabilities used in current or historical ransomware attacks, as

determined from evidence gathered by the Tenable Research team.

Persistently Vulnerabilities being leveraged by threat actors over an extended period of

Exploited time in targeted attacks, ransomware, or malware campaigns. These
vulnerabilities are manually curated by the Tenable Research team.

Top 50 VPR The top 50 vulnerabilities by Vulnerability Priority Rating (VPR).

- 170 -
Exposure Response
In the Exposure Response section, you create initiatives, which are projects to address
vulnerabilities in your environment.

In initiatives, you track specific findings using combinations and apply asset tags to choose the
assets in scope. Then, you assign initiatives to your team, set SLAs, and measure progress through
remediation scan results.

As a Tenable administrator, you use the Exposure Response section to create, assign, and report
on all initiatives. As a initiative owner, you only see and work with your initiatives.

The following topics explain how to use these tools to create, manage, review, and report on
initiatives.

l Create Initiatives

l Edit or Delete Initiatives

l Review Initiatives

l View the Combination Timeline

l Manage Combinations

l Use Report Cards

Create Initiatives
In the Exposure Response section, your first step is creating an initiative. To do this, add the
initiative, define the scope with asset tags, assign an owner, and choose an SLA. Then, add
combinations to define the vulnerabilities to track.

Note: As a Tenable administrator, you can assign initiatives to other users. As a non-
administrator, you can only create initiatives for yourself. As either type of user, you can create
up to ten initiatives.

Example Initiative
To address recently exploited vulnerabilities on your Headquarters network, you might create an
initiative as follows:

- 171 -
l Name — Recently exploited vulnerabilities at HQ

l Asset Scope — Network: HQ

l Owner — user@[Link]

l Remediate Within — 7 days

l Combinations — Category is equal to Recently Actively Exploited AND VPR is greater than 6

Before You Begin

Before you create an initiative:

l Create asset tags — Initiatives use asset tags to define the assets in scope.

l (Optional) Create custom combinations — If you plan to use custom combinations, create
them.

Create a New Initiative

To create a new initiative:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. In My Initiatives, click New.

The Create New Initiative pane appears.

3. Set the following options.

Option Description

Name Type a name for the initiative.

Description Type a description for the initiative, for example Reduce my external
attack surface.

- 172 -
Owner Select the initiative owner from a list of Tenable Vulnerability
Management users. You cannot reassign initiatives once created.

Note: Only administrators and initiative owners can view initiatives.

Asset Scope Choose up to ten tags to define which assets in your environment are
in scope. Search for and select tags to assign, for example Priority:
High or Software: Oracle.

Remediate Choose an SLA by which all findings must be remediated. For example,
Within to set an SLA of one week, enter 7.

4. Under Assign Combinations, add up to ten combinations from the following tabs.

Tab Description

My Combinations Your personal combinations, which only you can view. You cannot
assign personal combinations to initiatives you do not own.

Shared Organization-wide combinations, which anyone can view or use and

which your administrators and the combination owners can update.
Updates may change the resources in your initiative. Track updates
in the Combination Timeline.

Tenable Predefined combinations from the Tenable Research Team. These

may be updated infrequently, which can change the resources in
your initiatives. Track updates in the Combination Timeline.

Note: Initiatives can contain no more than 17 queries across all combinations. For example, if you
add four combinations to an initiative—and the combinations have five queries each for a total of 20,
a warning appears and you cannot save the initiative.

5. Click Save.

The initiative appears in the My Initiatives panel.

Edit or Delete Initiatives

You can edit initiatives that you own or have assigned. If you are a Tenable administrator, you can
delete initiatives. This topic contains steps to complete both tasks.

- 173 -
Edit an Initiative
To edit an initiative:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. In My Initiatives, click in the upper-right corner of the initiative.

3. In the menu that opens, click Edit.

4. The Edit Initiative panel appears.

Edit the initiative settings, as described in Create Initiatives.

Note: You cannot edit an initiative's owner, since the system calculates initiative metrics based on
the owner's Tenable permissions.

5. Click Save.

6. The system saves the initiative.

Delete an Initiative
To delete an initiative:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. In My Initiatives, click in the upper-right corner of the initiative.

3. In the menu that opens, click Delete.

4. In the box that appears, click Delete again.

The system permanently deletes the initiative.

Review Initiatives
On the Exposure Response page, review initiatives that you own or have assigned in two sections:

- 174 -
l My Initiatives — On the left, view all your initiatives.

Tip: If you have assigned initiatives to others, Click Append from Other Users on the lower area to
follow those initiatives in the My Initiatives panel.

l Initiative Details — Under My Initiatives, click an initiative to view details.

Initiative Details
The initiative details section contains four panels.

In this section You can...

Findings on View a sunburst chart of all findings. In the chart, each segment shows the
Assets percentage of assets with a relevant finding, by asset tag or combination.

How Am I View a dashboard with at-a-glance metrics and a line chart that tracks
Doing? finding and remediation trends.

What's New? View recently identified findings and affected assets.

My Findings View all findings and affected assets in two tabs. Refine the displayed items
and Affected with a query builder and save or share the results.
Assets

Findings on Assets
In the Findings on Assets panel, view a sunburst chart containing findings and assets.

Reading the chart

You can view the the chart in two tabs as follows:

l By Tag — View the chart broken down by the ten asset tags in the initiative with the most
findings.

l By Combination — View the chart broken down by the combinations used in the initiative.

In the chart, each segment shows the percentage of assets containing a tag or a combination. The
segment is colored green, yellow, or red to indicate low, medium, or high. Click a segment to open a
popup with more details.

- 175 -
In the following example, 100% of the initiative’s assets match a combination that checks for
ransomware, as shown in the top left area. Since all assets have ransomware, the segment is red.

How Am I Doing?
In the How Am I Doing? panel, view key metrics and an area chart which tracks initiative trends
over time.

Key Metrics
At the top of the panel, the following metrics appear.

Metric Description

Average Age of View the average age of findings in the initiative. This metric is based on
Vulnerabilities the dates that findings were first seen or when they resurfaced.

Average Time to View the average time to fix findings since they were discovere on a

- 176 -
Remediate scan. A finding is marked Fixed after being Active, New, or Resurfaced.

Percentage of View the percentage of fixed findings in the initiative, including all
Findings historic findings.
Remediated

New Findings vs. Remediations

In the New Findings vs. Remediations graph, view the initiative’s finding and remediation trends,
which change over time as scans run and new assets are found or added.

Do one of the following:

l To change the date range, select 30 Days, 60 Days, 90 Days, or Custom.

l To see more details for a date, in the graph, hover on that date.

l To see details about major events, below the graph, click an event marker to open an event
card.

Event Cards
Below the chart, the following events can appear.

Metric Description

Asset Count Appears when the number of affected assets changes by more than
20%.

Combination Appears when Tenable modifies or removes combinations in the

Changes initiative

Finding Count Appears when the total findings count changes by more than 20%.

Resurfaced Findings Appears when the resurfaced findings count changes by more than
20%.

What's New?

- 177 -
In the What's New panel, view how an initiative has recently changed. This includes new findings,
new affected assets, and new Common Vulnerabilities and Exposures (CVEs) that are now in scope
based on the combinations used (for example, a CVE whose VPR increased).

Top New Plugins

In the Top New Findings table, view recent findings in the following columns.

Column Description

VPR Indicates the Vulnerability Priority Rating (VPR) for the finding.

Plugin Indicates the plugin that identified the finding. Click a plugin name to view all
findings related to that plugin in My Findings.

Last Seen Indicates the date when the finding last appeared on a scan.

Top New Assets

In the Top New Assets table, view recent findings in the following columns.

Column Description

Asset Name Indicates the name of the affected asset. Click an asset name to view all results
for that Asset ID in My Affected Assets.

Findings Indicates the number of findings on the asset.

Last Seen Indicates the date when the asset last appeared on a scan.

Latest Combination Changes

In the Latest Combination Changes section, view CVEs recently found by the combinations in the
initiative. Click a CVE to view it on the Vulnerability Profile page.

My Findings and Affected Assets

In the Findings and Affected Assets panel, view findings and affected assets in two tabs. Filter the
items in each tab with the Query Builder, save queries, and export lists of resources.

- 178 -
To learn more, see the following topics.

Topic Description

Export from Exposure Export lists of findings or affected assets to CSV or JSON.
Response

Tag Affected Assets Tag assets so they appear in initiatives.

My Findings View all active, new, and resurfaced findings in an

initiative.

My Affected Assets View all affected assets in an initiative.

Export from Exposure Response

On the Exposure Response page, you can export results from both the My Findings and My
Affected Assets tabs in CSV or JSON format.

To export a finding or affected asset:

- 179 -
1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. On the lower part of the page, click My Findings or My Affected Assets.

3. Select the items to export.

Note: You export different items from the My Findings and the My Affected Assets tabs:
l My Findings — In the main table, export findings. In the drop-downs >, export the
assets that those findings appear on.
l My Affected Assets — In the main table, export assets. In the drop-downs >, export
plugin results for those assets.

Tip: To select all items, in the blue bar above the items to export, click the checkbox. Then, if your
results span multiple pages, click Select all.

4. In the blue bar, depending on the items to export, click Export Findings or Export
Affected Assets.

The Export dialog appears.

5. In the Export dialog, select JSON or CSV and click Export.

Note: If you request a large export and then leave the page before it is processed, you must
manually download the file from the Exports page.

Tag Affected Assets

On the Exposure Initiatives page in the My Affected Assets tab, the Tags column shows all asset
tags for your assets. You can add or remove these tags using the following steps.

Add Tags to an Asset

To add tags to an asset:

- 180 -
1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. On the lower part of the page, click My Affected Assets.

3. In My Affected Assets, select the assets to tag.

4. In the blue bar, click Add Tags.

The Add Tags dialog appears.

5. In the Add Tags dialog, do one of the following:

Add new tags...

a. In the two text boxes, type a tag category and value (for example, Location:
Headquarters).

b. After you type the value, in the drop-down that appears, click Create.

The tag appears in the Tags to be Added section.

c. (Optional) Add more tags as needed.

Add recently used tags...

a. In the Recently Used Tags section, click a tag.

The tag appears in the Tags to be Added section.

b. (Optional) Add more tags as needed.

6. Click Add Tags.

The system adds the tags to the assets.

Remove Tags from an Asset

To remove tags from an asset:

- 181 -
1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. On the lower part of the page, click My Affected Assets.

3. In My Affected Assets, select the assets to remove tags from.

4. In the blue bar, click Remove Tags.

The Remove Tags dialog appears.

5. In the Remove Tags dialog and the Current Tags section, click the tag or tags to remove.

6. Click Remove Tags.

The system removes the tag or tags from the assets.

My Findings
In the My Findings and Affected Assets section, the My Findings tab shows all active, new, or
resurfaced findings for that initiative. Refine the results with the Query Builder.

The My Findings tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When
plugins are associated with multiple vulnerabilities, the highest VPR appears.

Plugin Name Indicates the name of the Tenable plugin that detected the finding.

Plugin ID Indicates the ID of the Tenable plugin that detected the finding.

Affected Indicates the number of affected assets. Click the number to open the Asset
Assets Details page.

CVEs Indicates the Common Vulnerability and Exposure (CVE) identifier for the

- 182 -
finding, as assigned by the CISA-sponsored CVE Program.

CVSSv2 Indicates the Common Vulnerability Scoring System (CVSS) v2 score for the
finding.

CVSSv3 Indicates the Common Vulnerability Scoring System (CVSS) v3 score for the
finding.

Affected Assets
In any findings row, click the drop-down > to reveal a table of assets on which that finding appears,
with the following columns.

Column Description

Asset Name The asset identifier, assigned based on the availability of specific attributes in
logical order.

Operating Indicates the operating system run on the asset, for example Linux Kernel 3.13.
System

IPv4 Address Indicates the IPv4 address for the asset.

IPv6 Address Indicates the IPv6 address for the asset.

Findings Indicates the number of findings on the asset. Click the number to view
Count details on the Findings workbench.

ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10.

AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Exposure Score as an integer from 0 to 1000.

Last Seen Indicates the date when the asset last appeared on a scan.

Source Indicates the scanner or sensor that identified the finding, for example Nessus
network-based assessment.

Tags Lists any asset tags you applied in Tenable Vulnerability Management.

My Affected Assets

- 183 -
In the My Findings and Affected Assets section, the My Affected Assets tab shows all assets in
the initiative with a finding that has not yet been fixed. Refine the results with the Query Builder or
add tags to provide business context.

The My Affected Assets tab has the following columns, which you can show or hide as described in
Customize Tables.

Column Description

Name Indicates the name of the asset.

Operating Indicates the operating system run on the asset, for example Linux Kernel 3.13.
System

IPv4 Address Indicates the IPv4 address for the asset.

IPv6 Address Indicates the IPv6 address for the asset.

Plugin Count Indicates the number of Tenable plugins that identified findings on the asset.
Click the number to review details on the Findings workbench.

ACR (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Criticality Rating (ACR) as an integer from 1 to 10.

AES (Requires Tenable One or Tenable Lumin license) The Tenable-defined Asset
Exposure Score as an integer from 0 to 1000.

CVEs Indicates the Common Vulnerability and Exposure (CVE) identifier for the
finding on the asset, as assigned by the CISA-sponsored CVE Program.

Source Indicates the scanner or sensor that identified a finding on the asset, for
example Nessus network-based assessment.

Tags Lists any asset tags for the asset.

Plugins

In any asset row, click the drop-down > to reveal a table of plugin results for the findings on that
asset, with the following columns.

Column Description

- 184 -
VPR The Tenable-calculated Vulnerability Priority Rating (VPR) score from 0.1 to 10.

Note: A finding's VPR is based on the VPR of the plugin that identified it. When
plugins are associated with multiple vulnerabilities, the highest VPR appears.

Severity Indicates the vulnerability's severity, based on the Common Vulnerability

Scoring System (CVSS).

Plugin Indicates the name of the Tenable plugin that detected the finding.
Name

Plugin ID Indicates the ID of the Tenable plugin that detected the finding.

Findings Indicates the number of findings detected on the asset.

CVSSv2 Indicates the CVSSv2 score for the finding.

CVSSv3 Indicates the CVSSv3 score for the finding.

View the Combination Timeline

In the Combination Timeline tab, you can view a 30-day timeline of combinations added to or
removed from the initiatives you have access to. You can also view new combinations added by the
Tenable research team.

l To view the Combination Timeline, in the left navigation, click Exposure Response >
Combination Timeline.

- 185 -
On the lower area, in Combinations with Updates, view combinations edited in the past 30 days.
You may want to do this when the data in one of your initiatives changes significantly, since editing
combinations changes initiative data.

In the top-right corner of any combination, click to open a menu where you can edit or delete the
combination.

Note: Unless you are an administrator, you cannot delete a combination when it is the only one in an
initiative. As an administrator, if you delete the only combination, its initiativestops updating.

Manage Combinations
When you create initiatives, you assign combinations to define what resources they track in your
environment. Combinations use queries to search for specific findings. They work together with
asset tags, which define the assets in scope.

You can use the Query Builder to create your own combinations, apply Tenable combinations, or
combine the two. When you create combinations, you can save them as templates to share with
your organization.

The following topics explain how to use combinations.

- 186 -
Topic Description

Create Combinations Create new combinations to add to initiatives.

Edit or Delete Manage your current combinations.

Combinations

Copy Shared Copy combinations created by other users and then customize
Combinations them.

Create Combinations
When you create initiatives, unless you want to use existing combinations, you must first create
new ones in the Manage Combinations tab.

To create new combinations:

1. In the left navigation, click Exposure Response > Manage Combinations.

The Exposure Response page appears with the Manage Combinations tab open.

2. In the left panel, click New.

The Create Combination pane appears. It contains the following options.

Option Description

Name Type a combination name.

Description Type a description, for example High CvSS score.

Query In the query box, use the Query Builder to define what resources the
combination searches for. For example, CVSSv3 Base Score is greater
than 6.

Note: For any combination, the system supports a maximum of six queries
separated by operators.

Add to (Optional) Choose a current initiative in which to add the combination.

Initiatives

- 187 -
Shared (Optional) Enable this toggle to share the combination with your
organization in the Shared tab.

3. Click Save.

The combination appears in the left panel under Personal or Shared.

Edit or Delete Combinations

In the Exposure Response section, you can edit or delete combinations based on your Tenable user
role and the combination status.

Edit a Combination
As an administrator, you can edit non-Tenable combinations. As a non-administrator, you can edit
your combinations.

To edit a combination:

1. In the left navigation, click Exposure Response > Manage Combinations.

The Exposure Response page appears with the Manage Combinations tab open.

2. In the left pane, in the combination to edit, click and select Edit.

3. In the Edit Combination panel that appears, change the options.

Note: To remove a combination from a current initiative, edit the initiative instead.

4. Click Save.

The system saves the combination.

Delete a Combination
As an administrator, you can delete non-Tenable combinations. As a non-administrator, you can
delete your combinations in most cases.

Administrator Non-administrator

You can delete any non-Tenable combination. You can delete unshared combinations

- 188 -
Note: When a combination is the only data source from My Combinations.
for an initiative, deleting it pauses the initiative.
You can delete Shared combinations that
you created if they are not in use.

To delete a combination:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. Click Manage Combinations.

The Manage Combinations tab appears.

3. In the left pane, in the combination to edit, click and select Delete.

4. In the confirmation dialog that appears, click Delete again.

The system deletes the combination.

Copy Shared Combinations

In the Exposure Response section, the Shared tab contains combinations shared by your
organization. When you want to customize a combination that you did not create, you can copy it to
My Combinations and then edit the copy.

To copy and edit a shared combination:

1. In the left navigation, click Exposure Response > Manage Combinations.

The Exposure Response page appears with the Manage Combinations tab open.

2. In the left panel, click Shared.

3. In the left panel, click the template to copy and then, in the right panel, click Copy to my
combinations.

The system copies the shared combination.

Use the Query Builder

- 189 -
In the Exposure Response section, you can use the Query Builder to refine search results in the My
Findings and My Affected Assets tabs or build queries for combinations.

How Queries Work

Queries are joined by Conditions (for example, AND). They have three components:

l Filter — The search criteria (for example, for a finding, Severity).

l Operator — The condition to filter on (for example, is not equal to).

l Value — The value to search (for example, a Severity of High).

Tip: You can nest queries with parentheses. For example, to search for high-severity findings
where the VPR is greater than seven or the CVSSv3 Base Score is greater than six, use:
Severity is equal to High AND (VPR is greater than 7 OR CVSSv3 is greater than 6) .

Build a Query
To build a query with the Query Builder:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. Do one of the following:

l Filter findings or affected assets — On the left, click an initiative. In the pane that
appears, scroll down and click My Findings or My Affected Assets.

l Build a query in a new combination — Click Manage Combinations > New to open the
Create Combination pane.

3. Click the query box.

The Filters list appears. To review the filters you can use, see Query Builder Filters.

4. In the Filters list, choose a filter.

The Operators list appears.

5. In the Operators list, choose an operator.

- 190 -
For a filter where the value is text or a number, the Value Hint box appears. Otherwise, the
Value Options list appears.

6. Type a Value or select one from the list.

7. (Optional) Add another query (that is, type a Condition and then add a Filter, an Operator, and a
Value).

8. Press Enter.

Edit a Query
To edit a query, do one of the following.

Action Description

Replace a query In the query box, click the component to replace. A list of options
component appears.

Delete a query On the query component, click the X.

component

Clear a query On the right side of the query box, click Clear.

Keyboard Shortcuts
Use the following keyboard shortcuts in the Query Builder.

Shortcut Description

Up Arrow or Down Navigate lists of open-ended values such as text or numbers.

Arrow

Right Arrow or Left Move the cursor in your query or choose a date in the date picker.
Arrow

Enter Select a query component or date. If no component is selected, apply

the query.

Esc Close a list (for example, the Filters list).

- 191 -
Ctrl-C Copy the highlighted text.

Ctrl-V Paste your clipboard contents into the Query Builder.

Ctrl-Z Undo the last action.

Ctrl-Y Redo the last action.

Query Builder Filters

In the Exposure Response section, use the Query Builder to view specific findings or affected
assets or to choose which vulnerabilities appear in a combination.

The following table lists the filters you can use and where you can use them.

Filter Description Appears In...

ACR Filter by Tenable-defined Asset Criticality Rating My Findings, My

(ACR) as a number from 1 to 10. Affected Assets

AES Filter by Tenable-defined Asset Exposure Score My Findings, My

(AES) as a number from 0 to 1000. Affected Assets

Asset ID The UUID of the asset. This value is unique to My Findings, My

Tenable Vulnerability Management. Affected Assets

Asset Name Filter by asset name, for example the IPv4 address My Findings, My
[Link]. Affected Assets

Category Filter by category, which the Vulnerability My Findings, My

Intelligence features also use. To learn more, see Affected Assets,
Vulnerability Categories. Manage
Combinations

Common Name Filter by a vulnerability's common name, for Manage

example Log4Shell. Not all vulnerabilies have a Combinations
common name.

CVE ID Filter by Common Vulnerabilities and Exposures My Findings, My

(CVE) ID, for example CVE-2002-2024. Affected Assets,
Manage

- 192 -
Combinations

CVSSv2 Base Filter by the CVSSv2 score for the vulnerability, for My Findings, My
Score example 5.2. When not available from NVD, Tenable Affected Assets,
determines this score. To learn more, see CVSS vs. Manage
VPR. Combinations

CVSSv3 Attack Filter by attack complexity, which defines how Manage

Complexity difficult it is to use a vulnerability in an attack. Combinations
Choose from High or Low.

CVSSv3 Attack Filter by attack vector, which defines an attack's Manage

Vector location. Choose from Adjacent, Network, Local, or Combinations
Physical.

CVSSv3 Filter by the affected asset's availability. Choose Manage

Availability from High, Low, or None. For example, an affected Combinations
asset with High is completely unavailable.

CVSSv3 Base Filter by the CVSSv3 score for the vulnerability, for My Findings, My
Score example 4.3. When not available from NVD, Tenable Affected Assets,
determines this score. To learn more, see CVSS vs. Manage
VPR. Combinations

CVSSv3 Filter by the expected impact of the affected Manage

Confidentiality asset's information confidentiality loss. Choose Combinations
from High, Low, or None. For example, an affected
asset with High may have a catastrophic adverse
effect on your organization or customers.

CVSSv3 Integrity Filter by the expected impact of the affected Manage

asset's data integrity loss. Choose from High, Low, Combinations
or None.

CVSSv3 Privileges Filter by the permission level attackers require to Manage

Required exploit the vulnerability. Choose from High, Low, or Combinations
None. None means attackers need no permissions
in your environment and can exploit the

- 193 -
vulnerability while unauthorized.

CVSSv3 Scope Filter by whether a vulnerability allows attackers to Manage

compromise resources beyond an affected asset's Combinations
normal authorization privileges. Choose from
Unchanged or Changed. Changed means the
vulnerability increases the affected asset's
privileges.

CVSSv3 User Filter by whether a vulnerability requires other Manage

Interaction users (such as end users) for attackers to be able to Combinations
use it. Choose from Required or None. None is
more severe since it means that no additional user
interaction is required.

EPSS Score Filter by the percentage likelihood that a Manage

vulnerability will be exploited, based on the third- Combinations
party Exploit Prediction Scoring System (EPSS).
Type a number from 1 to 100 with up to three
decimal places, for example, 50.5.

Exploit Maturity Filter by exploit maturity based on sophistication Manage

and availability. This information is drawn from Combinations
Tenable’s own research as well as key external
sources. Choose from High, Functional, PoC, or
Unproven.

First Discovered Filter for the date a vulnerability was first Manage
identified. Use Operators to get results based on a Combinations
date range, a specific date, vulnerabilities older
than a date, and others.

First Functional Filter for the date a vulnerability was first known to Manage
Exploit be exploited. Use Operators to get results based on Combinations
a date range, a specific date, vulnerabilities older
than a date, and others.

First Proof of Filter for the date a vulnerability's first proof of Manage

- 194 -
Concept concept was found. Use Operators to get results Combinations
based on a date range, a specific date,
vulnerabilities older than a date, and others.

IPv4 Address Filter for affected asset IPv4 addresses as a single My Findings, My
IP, an IP range, or an IP Classless Inter-Domain Affected Assets
Routing (CIDR) block. For example, type [Link]-
[Link].

IPv6 Address Filter for affected asset IPv6 addresses as a single My Findings, My
IP, an IP range, or an IP Classless Inter-Domain Affected Assets
Routing (CIDR) block. For example, type
[Link].

Last Seen Filter for the date a finding affected or asset last My Findings, My
appeared on a scan. Use Operators to get results Affected Assets
based on a date range, a specific date,
vulnerabilities older than a date, and others.

Plugins Available Filter by whether or not a vulnerability currently has Manage

a Tenable plugin that detects it. Choose from Yes Combinations
or No.

Plugin ID Filter by the ID of the Tenable plugin that detected My Findings, My

the vulnerability, for example 157288. To look up Affected Assets,
plugin IDs, go to the Tenable website. Manage
Combinations

Plugin Name Filter by the name of the Tenable plugin that My Findings, My
detected the vulnerability, for example TLS Version Affected Assets
1.1 Protocol Deprecated.

Severity The vulnerability's CVSS-based severity. For more My Findings, My

information, see CVSS vs. VPR. Affected Assets

Tags Filter by tags on affected assets by choosing them My Findings, My

from a list. To learn more, see Tags. Affected Assets

VPR Filter by the Tenable-calculated Vulnerability My Findings, My

- 195 -
Priority Rating (VPR) score, as a number from 1 to Affected Assets,
10. Manage
Combinations
Note: A finding's VPR is based on the VPR of the
plugin that identified it. When plugins are associated
with multiple vulnerabilities, the highest VPR
appears.

VPR Threat Filter for a vulnerability's Tenable-calculated threat Manage

Intensity intensity based on the number and frequency of Combinations
threat events. Choose from Very Low, Low,
Medium, High, or Very High.

Weaponization Filter by whether a vulnerability is judged to be Manage

ready for use in a cyberattack. Choose from Combinations
Advanced Persistent Threat, Botnet, Malware,
Ransomware, or Rootkit.

Use Saved Queries

In the Exposure Response section, you can use the the Query Builder to refine lists of findings or
affected assets or choose which vulnerabilities appear in a combination. Then, you can save the
queries you create. In the user interface, this feature is called Saved Filters.

Save a Query
To save a query:

1. In a query box, use the Query Builder to refine results.

2. To the left of the query box, click Saved Filters.

A drop-down appears.

3. Click Save As New Filter.

4. In New Filter Name, type a name and click the button.

- 196 -
Run a Saved Query
To run a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. In the drop-down, click a query to run it.

Share a Saved Query

To share a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. To the right of the query to share, click the button.

3. Paste the link to share the query.

Note: Any Tenable Vulnerability Management user can run a shared query, but the assets they can view are
based on permissions. To learn more, see Access Control.

Edit a Saved Query

To edit a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. In the drop-down, click the query to edit.

3. Do one of the following:

Rename the query...

a. Click the button.

b. Type a new name and click the button.

- 197 -
Save the query as a new query...

a. In the filter box, update the query.

b. To the left of the query box, click Saved Filters.

c. In the drop-down that appears, click Save as New Filter.

d. Type a new name in the box and click the button.

Delete a Saved Query

To delete a saved query:

1. To the left of a query box, click Saved Filters.

A drop-down appears.

2. Next to the query to delete, click the button.

Use Report Cards

In the Exposure Response section of Tenable Vulnerability Management, you can view dashboard-
style reports about the initiatives you have access to and export them to PDF.

View Report Cards

To view report cards:

- 198 -
1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. In the left panel, click Create Report Card.

3. The Initiatives Report Card page appears with cards for all the initiatives you can access.

4. (Optional) In the top-right corner, choose a date range.

Read Report Cards

Report cards contain the following sections.

Section Description

Owner Indicates the owner, chosen during initiative creation. You cannot
reassign initiatives to other owners.

New Findings vs. Indicates the findings and remediations as they have trended during
Remediations the selected date range.

Assets in Scope Indicates the assets tracked by the initiative when compared to all
assets in your environment.

Average Time to Indicates the average time in days to fix findings since they were
Remediate identified on a scan and a countdown to the SLA.

CVEs Included in Indicates the total number of vulnerabilities being tracked.

Initiative

Average Age of Indicates the average age of unfixed vulnerabilities and a countdown
Vulnerabilities to the SLA.

Percentage of Indicates the percentage of remediated findings, as indicated by your

Findings Remediated scans.

Total Findings Indicates the total number of active, new, or resurfaced findings in the
initiative.

Export Report Cards

- 199 -
To export all your report cards:

1. In the left navigation, click Exposure Response.

The Exposure Response page appears.

2. In the left pane, click Create Report Card.

The Initiatives Report Card page appears.

3. In the top-right corner, click Export.

The system downloads the report cards to your computer in a single PDF.

- 200 -
Assets
Assets are entities of value on your network that can be exploited. They include laptops, desktops,
servers, routers, mobile phones, virtual machines, software containers, and cloud instances. Use
the Assets workbench to get insight into assets broken down into four categories: host assets,
cloud resources, web applications, and domain inventory.

When scans complete or you import scan results, Tenable Vulnerability Management uses an
algorithm to look at the hosts from the scan or the import. It employs heuristics to match hosts
with existing assets and update any changed properties—or, when no match is found, to create new
assets. When available, Tenable Vulnerability Management also collects information about asset
interfaces (IP and MAC address), DNS name, NetBIOS name, operating system, installed software,
UUIDS (Tenable, ePO, BIOS), and if an Agent is installed.

Note: Tenable Vulnerability Management ages out assets which have not been updated for more than 15
months.

The topics in this section explain how to use the Assets workbench, view asset details, export
assets, use filters, and more.

Use the Assets Workbench

- 201 -
View Asset Details

Asset Filters

Open Ports and the Assets workbench

Asset Widgets

Edit the ACR for Host Assets

Move Assets to Another Network

Remove and Prevent Duplicate Assets

Download Inventory Data

Delete Assets

Use the Assets Workbench

You can view all your assets on the Assets workbench.

To view your assets:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. (Optional) To show or hide asset types, click the following tiles:

l Host Assets

l Cloud Resources

l Web Applications

l Domain Inventory

On the Assets workbench, you can do the following:

l In the Search box, search by Agent Name, NetBios Name, DNS (FQDN), or IP Address. Use (*)
as a wildcard.

l Filter the displayed assets and customize your view, as described in Explore Tables.

- 202 -
Tip: To view definitions for all Asset filters, see Asset Filters.

l Save filters as a custom search, as described in Saved Filters.

l Export assets to CSV or JSON format, as described in Export Findings or Assets.

l Filter the displayed assets by time period with a drop-down in the upper-right corner.

l View details about an asset, as described in View Asset Details.

l View visualizations for the displayed assets, as described in Asset Widgets.

l In any asset tile, select Only Show Unmanaged Assets to view assets which have been
discovered, but not assessed for vulnerabilities.

Host Assets

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your host assets, select the Hosts tile and deselect other
tiles. Common host assets include workstations, servers, virtual machines, printers, network
switches, routers, and wireless access points.

The Hosts tile contains a table with the following columns. To show or hide columns, see Customize
Explore Tables.

Column Description

Asset ID The UUID of the asset. This value is unique to Tenable Vulnerability
Management.

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

AES The Asset Exposure Score of the asset.

ACR The Asset Criticality Rating of the asset.

IPV4 Address The IPv4 address for the affected asset.

IPV6 Address The IPv6 address for the affected asset.

- 203 -
Operating System The operating system that a scan identified as installed on the asset.

Licensed Indicates if the asset is licensed within Tenable Vulnerability

Management. For more information, see Tenable Vulnerability
Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Last Licensed The date and time of the last scan in which the asset was considered
Scan "licensed" and counted towards Tenable's license limit. A licensed scan
uses non-discovery plugins and can identify vulnerabilities.
Unauthenticated scans that run non-discovery plugins update the Last
Licensed Scan field, but not the Last Authenticated Scan field. For more
information on how licenses work, see Tenable Vulnerability Management
Licenses.

Last The date and time of the last authenticated scan run against the asset.
Authenticated An authenticated scan that only uses discovery plugins updates the Last
Scan Authenticated Scan field, but not the Last Licensed Scan field.

Last Scan Target The IP address or fully qualified domain name (FQDN) of the asset
targeted in the last scan.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

System Type The operating system installed on the asset.

NetBIOS Name The asset's NetBIOS name.

DNS (FQDN) The fully qualified domain name of the asset host.

Note: When processing fully qualified domain names (FQDNs) for host assets,
Tenable Vulnerability Management normalizes all FQDNs to lowercase and
then merges any duplicates.

MAC Address A MAC address that a scan has associated with the asset record.

- 204 -
ServiceNow Sys Where applicable, the unique record identifier of the asset in
ID ServiceNow. For more information, see the ServiceNow documentation.

Agent Name The name of the Tenable Nessus agent that scanned and identified the
asset.

Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated
the asset record.

Has Plugin Specifies whether the asset has plugin results associated with it.
Results

Public Specifies whether the asset is available on a public network. A public

asset is within the public IP space and identified by the is_public
attribute in the Tenable Vulnerability Managementquery namespace.

AWS Availability Where applicable, the AWS availability zone of the asset, as described in
Zone the Tenable Vulnerability Management AWS documentation.

AWS EC2 AMI ID Where applicable, the AWS EC2 AMI ID of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

AWS EC2 Where applicable, the AWS EC2 instance ID of the asset, as described in
Instance ID the Tenable Vulnerability Management AWS documentation.

AWS Security Where applicable, the AWS security group of the asset, as described in
Group the Tenable Vulnerability Management AWS documentation.

AWS Instance Where applicable, the AWS instance state of the asset, as described in
State the Tenable Vulnerability Management AWS documentation.

AWS Instance Where applicable, the AWS instance type of the asset, as described in the
Type Tenable Vulnerability Management AWS documentation.

AWS EC2 Name Where applicable, the AWS EC2 name of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

AWS EC2 Product Where applicable, the AWS EC2 product code of the asset, as described

- 205 -
Code in the Tenable Vulnerability Management AWS documentation.

AWS Owner ID Where applicable, the AWS owner ID of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

AWS Region Where applicable, the AWS region of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

AWS Subnet ID Where applicable, the AWS subnet ID of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

AWS VPC ID Where applicable, the AWS VPC ID of the asset, as described in the
Tenable Vulnerability Management AWS documentation.

Azure Resource Where applicable, the Azure resource ID of the asset, as described in the
ID Tenable Vulnerability ManagementMicrosoft Azure documentation.

Azure VM ID Where applicable, the Azure VM ID of the asset, as described in the

Tenable Vulnerability Management Microsoft Azure documentation.

Google Cloud Where applicable, the Google cloud instance ID of the asset, as described
Instance ID in the Tenable Vulnerability Management Google Cloud Platform
documentation.

Google Cloud Where applicable, the Google cloud project ID of the asset, as described
Project ID in the Tenable Vulnerability Management Google Cloud Platform
documentation.

Google Cloud Where applicable, the Google cloud zone of the asset, as described in the
Zone Tenable Vulnerability Management Google Cloud Platform
documentation.

Resource Tags Specifies the tags or labels that have been imported from the cloud
provider. This field appears for assets with source as Cloud Discovery
Connector.

Note: Tenable Vulnerability Management imports tags and labels with the
following considerations:

l For AWS and Azure, the limit is 50 tags per resource.

- 206 -
l For GCP, the limit is 64 labels per resource.
l Tenable Vulnerability Management does not support importing
JSON strings for Azure tags.

Cloud Provider Indicates whether the asset is from AWS, Azure, or GCP.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from

Explore Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears,

click a tag and click Remove.

l Edit ACR – (Tenable Lumin-only). Edit the Asset Criticality Rating, as

described in Edit the ACR for Host Assets.

l Move — Move an asset to another network, as described in Move

Assets to Another Network.

l View All Details — View complete details for an asset, as described

in View Asset Details.

l View All Details in New Tab — View complete details for an asset in
a new browser tab.

l View All Solutions — View available solutions for asset

vulnerabilities, as described in Solutions.

l Delete — Permanently delete an asset, as described in Delete

Assets.

Cloud Resources

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

- 207 -
On the Assets workbench, to view only your cloud resources, select the Cloud Resources tile and
deselect other tiles. A cloud resource can be any compute instance, storage object, networking
device, or object you can create or configure within a cloud platform. Examples of cloud resources
include assets such as virtual servers, buckets, databases, disks, and containers. Other examples of
cloud resources are configurable items such as resource groups, policies, users, and roles.

The Cloud Resources tile contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Column Description

Asset ID The UUID of the asset where a scan detected the finding. This value is unique
to Tenable Vulnerability Management.

Name The asset identifier, assigned based on the availability of specific attributes in
logical order.

Resource The name of the cloud resource type (for example, a resource group or virtual
Type machine).

Resource The name of the category to which your cloud resource type belongs (for
Category example, object storage or virtual network).

Resource Tags synced from a cloud source such as Amazon Web Services (AWS). Only
Tags the first tag is shown. Hover on the displayed tag to view a complete list.

Cloud The name of the cloud provider that hosts the asset.
Provider

Region The cloud region where the asset runs.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For
more information, see Tenable Vulnerability Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Source The source of the scan that identified the asset.

Tags Any Tenable Vulnerability Management tags applied to the asset.

- 208 -
Created Date The date and time when Tenable Vulnerability Management created the asset
record.

Updated The date and time when Tenable Vulnerability Management last updated the
Date asset record.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a Category
and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a
tag and click Remove.

Web Applications

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your web application assets, select the Web Applications
tile and deselect other tiles. A web application is software that runs in a browser. Examples of web
applications are: workplace collaboration apps, ecommerce apps, email apps, and banking apps.

The Web Applications tile contains a table with the following columns. To show or hide columns,
see Customize Explore Tables.

Column Description

Asset ID The UUID of the asset where a scan detected the finding. This value is
unique to Tenable Vulnerability Management.

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

AES The Asset Exposure Score of the asset.

ACR The Asset Criticality Rating of the asset.

- 209 -
Licensed Indicates if the asset is licensed within Tenable Vulnerability
Management. For more information, see Tenable Vulnerability
Management Licenses.

SSL/TLS Specifies whether the application on which the asset is hosted uses
SSL/TLS public-key encryption.

IPV4 Address The IPv4 address for the affected asset.

Operating System The operating system installed on the asset.

First Seen The date and time when a scan first identified the asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Public Specifies whether the asset is available on a public network. A public

asset is within the public IP space and identified by the is_public
attribute in the Tenable Vulnerability Managementquery namespace.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Updated Date The date and time when Tenable Vulnerability Management last updated
the asset record.

- 210 -
Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from

Explore Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears,

click a tag and click Remove.

l View All Details — View complete details for a finding, as described

in View Finding Details.

l Delete — Permanently delete an asset, as described in Delete

Assets.

Domain Inventory

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, to view only your domain inventory assets, select the Domain Inventory
tile and deselect other tiles. A domain inventory is a complete account of every domain owned by
your organization. Domains are associated with a wide range of assets: databases, applications,
directory services, and identity or access management platforms.

The Domain Inventory tile contains a table with the following columns. To show or hide columns,
see Customize Explore Tables.

Column Description

Asset ID The UUID of the asset where a scan detected the finding. This value is unique
to Tenable Vulnerability Management.

Name The asset identifier, assigned based on the availability of specific attributes in
logical order.

Host Name The name of the host of the asset.

- 211 -
Record Type The type of asset.

Record The record value of the asset.

Value

Domain The domain to which the asset belongs.

DNS (FQDN) The fully qualified domain name of the asset host.
(ASM)

IPv4 The IPv4 address for the asset.

Address
(ASM)

IPv4 The IPv6 address for the asset.

Address
(ASM)

Hosting The provider hosting the asset.

Provider

ASN The Autonomous System Number (ASN) of the asset.

Licensed Indicates if the asset is licensed within Tenable Vulnerability Management. For
more information, see Tenable Vulnerability Management Licenses.

First Seen The date and time when a scan first identified the asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Source The source of the scan that identified the asset.

Tags Tags applied to the asset.

Created The date and time when Tenable Vulnerability Management created the asset
Date record.

Updated The date and time when Tenable Vulnerability Management last updated the
Date asset record.

Port The port associated with the asset.

- 212 -
Actions In this column, click the button to view a drop-down where you can:

l Add Tags — Add new tags. In the dialog that appears, choose a Category
and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click a
tag and click Remove.

l Create Advanced Network Scan — Create an advanced network scan, as

described in Create a Scan

l Create Web Application Scan — Create a web application scan, as

described in Create a Scan

l Delete — Permanently delete an asset, as described in Delete Assets.

View Asset Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can View permission for applicable assets.

From the Assets workbench, you can drill down into a single asset to view it on the Asset Details
page. Tenable Vulnerability Management customizes this page by asset type.

Note: Domain Inventory assets do not have an Asset Details page, but you can view them in a preview, as
described in Domain Inventory Preview.

To view asset details:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. (Optional) Click another asset tile to show or hide asset types or or use filters to refine your
results.

3. Click the row for the asset to view.

At the bottom of the page, a preview appears.

- 213 -
4. In the preview, click See All Details.

The Asset Details page appears. Its layout varies by asset type as follows:

l Host Asset Details

l Cloud Resource Details

l Web Application Details

Host Asset Details

When you View Asset Details, the Asset Details page varies by asset type. For host assets, it
includes asset information, a list of associated findings, the AES, and the ACR.

- 214 -
The Asset Details page for host assets contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Header The asset header; based on the presence of certain attributes in the
following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Asset Information about the host asset, including:

- 215 -
Information l Asset ID — The UUID of the asset.

l Licensed — Specifies whether the asset is licensed.

l System Type — The system types as reported by Plugin ID 54615. For

more information, see Tenable Plugins.

l Operating System — The operating system that a scan identified as

installed on the asset.

l IPv4 Address — An IPv4 address for the asset.

l IPv6 Address — An IPv6 address for the asset.

l MAC Address — The MAC address for the asset.

l Network — The name of the network object associated with scanners

that identified the asset. The default network name is Default. For
more information about networks, see Networks.

l Agent Name — The name of the Tenable Nessus Agent that scanned
and identified the asset.

l DNS (FQDN) — The fully qualified domain name of the asset host.

l SSH Fingerprint — The SSH key fingerprints that scans have

associated with the asset record.

l Tenable ID — A UUID created for new assets during credentialed scans

or agent scans. If an asset is found not to be unique, this UUID is not
created and an existing one is reused.

l Public — Specifies whether the asset is available on a public network.

A public asset is within the public IP space and identified by the is_
public attribute in the Tenable Vulnerability Managementquery
namespace.

l BIOS ID — The asset's BIOS UUID.

l ServiceNow Sys ID — Where applicable, the unique record identifier of

the asset in ServiceNow.

- 216 -
l Network Device Serial ID — The unique identifier of the asset as
assigned by the manufacturer. This property is only available for
network devices.

l Custom Attributes — Custom attributes added to the asset. For more

information, see the Tenable Developer Portal.

Findings Click the Findings tab to view all findings associated with the asset:

l In the drop-down, switch between Vulnerability and Host Audit

findings.

l Click the Show All Vulnerabilities toggle to hide Fixed and Accepted
vulnerabilities or host audits.

l Click Open in Findings to view all findings on the Findings workbench.

l In a finding row, click to show a menu where you can view findings
details, export a finding, or launch a remediation scan.

l Show or hide columns, as described in Customize Explore Tables.

Open Ports Click the Open Ports tab to view open ports on the asset:

l Open Ports – Specifies open ports on the asset.

l Protocol – Specifies the protocol with which information is

transported to the open port, for example, TCP or UDP.

l First Detected Open – The date and time the port was first detected
as open.

l Last Detected Open – The date and time the port was last detected as
open.

l Service – The service running on the open port, such as HTTPS, SSH,
or FTP. To learn more about possible services, see Service Name and
Transport Protocol on the Internet Assigned Numbers Authority
website.

Activity Click the Activity tab to view activity for the asset:

- 217 -
l Event – Specifies all asset events logged by Tenable Vulnerability
Management, for example, Asset Discovered.

l Date – Specifies the event date.

l Source – Specifies the event source, for example, Nessus Scan.

Mitigations Click the Mitigations tab to view information about any mitigation software
that a scan identified on the asset.

Asset (Requires Tenable Lumin license) An icon indicating the Asset Exposure
Exposure Score (AES) calculated for the asset.
Score

Asset (Requires Tenable Lumin license) An icon indicating the asset's Asset
Criticality Criticality Rating.
Rating

Cloud Cloud resource information including:

Resource
l AWS Availability Zone — The AWS EC2 AMI ID of the asset. For more
Information
information, see the Tenable Vulnerability Management AWS
documentation.

l AWS EC2 AMI ID — The AWS EC2 instance ID of the asset.

l AWS EC2 Instance ID — The AWS EC2 instance ID of the asset.

l AWS Security Group — The AWS security group of the asset.

l AWS Instance State — The AWS instance state of the asset.

l AWS instance Type — The AWS instance type of the asset.

l AWS EC2 Name —The AWS EC2 name of the asset.

l AWS EC2 Product Code — The AWS EC2 product code of the asset.

l AWS Owner ID — The AWS owner ID of the asset.

l AWS Region — The AWS region of the asset.

l AWS Subnet ID — The AWS subnet ID of the asset.

- 218 -
l AWS VPC ID — The AWS VPC ID of the asset.

l Google Cloud Instance ID — The Google cloud instance ID of the asset.

For more information, see the Tenable Vulnerability
ManagementGoogle Cloud Platform documentation.

l Google Cloud Project ID —The Google cloud project ID of the asset.

l Google Cloud Zone — The Google cloud zone of the asset.

Tags Tags applied to the asset. To add a tag, click the button. To remove a
tag, click the button on the tag label. For more information, see Tags.

Asset Scan Information about the asset's scan history, including:

Information
l First Seen — The time and date when a scan first identified the asset.

l Last Seen — The date and time of the scan that most recently
identified the asset.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated scan that
only uses discovery plugins updates the Last Authenticated Scan
field, but not the Last Licensed Scan field.

l Last Authentication Attempt — The last time that Tenable Nessus

attempted to sign in, either with SSH on Unix-based systems or SMB
on Windows.

l Last Authentication Status — The last authentication attempt by

Tenable Nessus was successful.

l Last Successful Authentication — The last time that Tenable Nessus

authenticated successfully.

l Last Licensed Scan — The date and time of the last scan in which the
asset was considered "licensed" and counted towards Tenable's
license limit. A licensed scan uses non-discovery plugins and can
identify vulnerabilities. Unauthenticated scans that run non-discovery
plugins update the Last Licensed Scan field, but not the Last

- 219 -
Authenticated Scan field. For more information on how licenses work,
see Tenable Vulnerability Management Licenses.

l Source — The source of the scan that identified the asset.

l Last Scan Target — The IP address or fully qualified domain name

(FQDN) of the asset targeted in the last scan.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click
a tag and click Remove.

l Edit ACR – (Tenable Lumin-only). Edit the Asset Criticality Rating, as

described in Edit the ACR for Host Assets.

l Move — Move an asset to another network, as described in Move

Assets to Another Network.

l View All Solutions — View available solutions for asset vulnerabilities,

as described in Solutions.

l Delete — Permanently delete an asset, as described in Delete Assets.

Cloud Resource Details

When you View Asset Details, the Asset Details page varies by asset type. For cloud resource
assets, it includes a summary, a list of associated findings, the AES, and the ACR.

- 220 -
The Asset Details page for cloud resources contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Header The asset header; based on the presence of certain attributes in the
following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Cloud Information about the cloud resource, including:

Resource
l Asset ID — The resource's UUID.
Information
l Licensed — Whether the resource is licensed.

l Resource Name — The name of the resource.

l Resource ID — The unique identifier assigned to the resource in the

- 221 -
cloud service that hosts it.

l Resource Criticality — The criticality rating for the resource according

to Tenable Container Security, based on the most recent scan.

l Region — The cloud region where the resource runs.

l Cloud Provider — The name of the cloud provider that hosts the asset.

l Account ID — The account ID for the Legacy Tenable Cloud Security

account associated with the resource.

l VPC — Virtual Private Cloud; the unique identifier of the public cloud
that hosts the AWS virtual machine instance.

l Resource Type — The asset's cloud resource type (for example,

network, virtual machine).

l Resource Category — The name of the category to which your cloud

resource type belongs (for example, object storage or virtual network).

l Resource Tag - The labels associated with the resource by the cloud
provider.

l IaC Resource Type — The Terraform resource type associated with

the Infrastructure as Code (IaC) cloud resource asset.

l Repositories — The path to the asset's source directory.

l Has Drift — Indicates whether the asset has any drifts. For more
information, see Set up Drift Analysis in the Legacy Tenable Cloud
Security User Guide.

l Is Mapped — Indicates whether the asset is mapped. For more

information, see Cloud Scan Workflow in the Legacy Tenable Cloud
Security User Guide.

l Project — The cloud project associated with the asset.

l Network — The name of the network to which the scanner that scans
the asset belongs. For more information, see Networks.

- 222 -
l Availability Zone — The name of the availability zone where the virtual
machine instance is hosted.

Findings A table that lists all the findings associated with the resource. Click Open in
Findings to view the Vulnerabilities page.

Asset (Requires Tenable Lumin license) An icon indicating the Asset Exposure
Exposure Score calculated for the asset.
Score

Asset (Requires Tenable Lumin license) An icon indicating the asset's Asset
Criticality Criticality Rating.
Rating

Tags Tags applied to the asset. To add a tag, click the button. To remove a
tag, click the button on the tag label. For more information, see Tags.

Asset Scan l First Seen — The time and date when a scan first identified the asset.
Information l Last Seen — The date and time of the scan that most recently
identified the asset.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated scan that
only uses discovery plugins updates the Last Authenticated Scan
field, but not the Last Licensed Scan field.

l Source — The source of the scan that identified the asset.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

- 223 -
l Export — Export to CSV or JSON, as described in Export from Explore
Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click
a tag and click Remove.

l View All Details — View complete details for an asset, as described in

View Asset Details.

l View All Details in New Tab — View complete details for an asset in a
new browser tab.

Web Application Details

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Asset Details, the Asset Details page varies by asset type. For web application
assets, it includes asset information, a list of associated findings, the AES, and the ACR.

The Asset Details page for web application assets contains the following sections.

- 224 -
Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Header The asset header; based on the presence of certain attributes in the
following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

5. IPv4 address

6. IPv6 address

Asset Information about the asset, including:

Information
l Asset ID — The UUID of the asset.

l Licensed — Specifies whether the asset is licensed.

l System Type — The system types as reported by Plugin ID 54615. For

more information, see Tenable Plugins.

l IPv4 Address — The first IPv4 address for the asset. If there is no IPv4
address, then the first IPv6 for the asset.

l Public — Specifies whether the asset is available on a public network.

A public asset is within the public IP space and identified by the is_
public attribute in the Tenable Vulnerability Managementquery
namespace.

l DNS — The fully qualified domain name of the asset host.

l Operating System — The operating system that a scan identified as

installed on the asset.

l Network — The name of the network object associated with scanners

that identified the asset. The default network name is Default. For

- 225 -
more information, see Networks.

l MAC Address — The static Media Access Control (MAC) address for the
asset.

l SSH Fingerprint — The SSH key fingerprints that scans have

associated with the asset record.

l Tenable UUID — The unique identifier for the Tenable account

associated with the asset.

l Custom Attributes — Custom attributes added to the asset. For more

information, see the Tenable Developer Portal.

Findings A table that lists all the findings associated with the asset. In this section,
you can perform the following actions:

l Export selected findings.

l Click Open in Findings to view the Vulnerabilities page for the asset.

Asset (Requires Tenable Lumin license) An icon indicating the Asset Exposure
Exposure Score for the asset.
Score

Asset (Requires Tenable Lumin license) An icon indicating the asset's Asset
Criticality Criticality Rating.
Rating

Screenshot An interactive button that indicates whether a screenshot is available. To

Available view a screenshot, click the button.

Tags Tags applied to the asset. To add a tag, click the button. To remove a
tag, click the button on the tag label. For more information, see Tags.

Scan Information about the asset's scan history, including:

Information
l First Seen — The date and time when a scan first identified the asset.

l Last Seen — The date and time at which the asset was last observed
as part of a scan.

- 226 -
l Source — The source of the scan that identified the asset.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Add Tags — Add new tags. In the dialog that appears, choose a
Category and Value, as described in Tags.

l Remove Tags — Remove existing tags. In the dialog that appears, click
a tag and click Remove.

l View All Details — View complete details for an asset, as described in

View Asset Details.

l View All Details in New Tab — View complete details for an asset in a
new browser tab.

l Delete — Permanently delete an asset, as described in Delete Assets.

Domain Inventory Preview

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, click a domain inventory asset to preview its details.

The preview contains the following sections.

Section Description

Header The asset header; based on the presence of certain attributes in the
following logical order:

1. Agent name

2. NetBIOS name

3. Local hostname

4. Fully Qualified Domain Name (FQDN)

- 227 -
5. IPv4 address

6. IPv6 address

Tags Tags applied to the asset. To add a tag, click the button. To remove a
tag, click the button on the tag label. For more information, see Tags.

Asset Information about the asset, including:

Information
l Asset ID — The UUID of the asset.

l Licensed — Specifies whether the asset is licensed.

l IPV4 Address — The first IPv4 address for the asset.

l IPV6 Address —The first IPv6 address for the asset.

Asset Scan Information about the asset's scan history, including:

Information
l First Seen — The date and time when a scan first identified the asset.

l Last Seen — The date and time at which the asset was last observed
as part of a scan.

l Updated Date — The date and time when the asset record was last
updated.

l Source — The source of the scan that identified the asset.

Related Assets Links to filtered lists of assets, showing the other times Tenable
Vulnerability Management scans identified the asset.

Asset Filters
On the Assets page, you can filter your assets via standard filters that apply to all assets or by
asset-specific filters.

You can save a set of commonly used filters as a saved filter to access later or share with other
members of your team.

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore >
Assets views (including Group By tables) to 35.

- 228 -
Note: You can right-click on values within a table cell to use the Filter By option. For more information,
see Right-Click Filtering.

You can select from the following filter types:

All
The following table describes the filters that apply to all assets:

Filter Description

Account ID The unique identifier assigned to the asset resource in the cloud service
that hosts the asset.

ACR (Requires Tenable Lumin license) The asset's ACR.

ACR Severity (Requires Tenable Lumin license) (Requires Tenable One or Tenable
Lumin license) The ACR category of the ACR calculated for the asset.

AES (Requires Tenable Lumin license)The Asset Exposure Score (AES)

calculated for the asset.

AES Severity (Requires Tenable Lumin license) (Requires Tenable Lumin license) The
AES category of the AES calculated for the asset.

Agent Name The name of the Tenable Nessus agent that scanned and identified the
asset.

ARN The Amazon Resource Name (ARN) for the asset.

ASN The Autonomous System Number (ASN) for the asset.

Assessed vs. Specifies whether Tenable Vulnerability Management scanned the asset
Discovered for vulnerabilities or if Tenable Vulnerability Management only discovered
the asset via a discovery scan. Possible values are:

l Assessed

l Discovered Only

Note: This filter is selected by default.

- 229 -
Asset ID The asset's unique identifier.

AWS Availability The name of the Availability Zone where AWS hosts the virtual machine
Zone instance. For more information, see Regions and Zones in the AWS
documentation.

AWS EC2 AMI ID The unique identifier of the Linux AMI image in Amazon Elastic Compute
Cloud (Amazon EC2). For more information, see the Amazon Elastic
Compute Cloud Documentation.

AWS EC2 The unique identifier of the Linux instance in Amazon EC2. For more
Instance ID information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Name The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product The product code associated with the AMI used to launch the virtual
Code machine instance in Amazon EC2.

AWS Instance The state of the virtual machine instance in AWS at the time of the scan.
State For possible values, see InstanceState in the Amazon Elastic Compute
Cloud Documentation.

AWS Instance The type of virtual machine instance in Amazon EC2. Amazon EC2
Type instance types dictate the specifications of the instance (for example,
how much RAM it has). For a list of possible values, see Amazon EC2
Instance Types in the AWS documentation.

AWS Owner ID A UUID for the Amazon AWS account that created the virtual machine
instance. For more information, see View AWS Account Identifiers in the
AWS documentation.

This attribute contains a value for Amazon EC2 instances only. For other
asset types, this attribute is empty.

AWS Region The region where AWS hosts the virtual machine instance, for example,
us-east-1.

AWS Security The AWS security group (SG) associated with the Amazon EC2 instance.
Group

- 230 -
AWS Subnet ID The unique identifier of the AWS subnet where the virtual machine
instance was running at the time of the scan.

AWS VPC ID The unique identifier of the public cloud that hosts the AWS virtual
machine instance. For more information, see the Amazon Virtual Private
Cloud Documentation.

Azure Location The location of the resource in the Azure Resource Manager. For more
information, see the Azure Resource Manager Documentation.

Azure Resource The name of the resource group in the Azure Resource Manager. For
Group more information, see the Azure Resource Manager Documentation.

Azure Resource The unique identifier of the resource in the Azure Resource Manager. For
ID more information, see the Azure Resource Manager documentation.

Azure Resource The resource type of the resource in the Azure Resource Manager. For
Type more information, see the Azure Resource Manager Documentation.

Azure The unique subscription identifier of the resource in the Azure Resource
Subscription ID Manager. For more information, see the Azure Resource Manager
Documentation.

Azure VM ID The unique identifier of the Microsoft Azure virtual machine instance. For
more information, see the Azure Resource Manager documentation.

BIOS ID The NetBIOS name for the asset.

Cloud Provider The name of the cloud provider that hosts the asset.

Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Custom Attribute A filter that searches for custom attributes via a category-value pair. For
more information about custom attributes, see the Tenable Developer
Portal.

DNS The fully-qualified domain name of the host that the vulnerability was
detected on.

- 231 -
Domain The domain to which the asset belongs.

First Seen The date and time when a scan first identified the asset.

Google Cloud The unique identifier of the virtual machine instance in Google Cloud
Instance Platform (GCP).

Google Cloud The customized name of the project to which the virtual machine
Project ID instance belongs in GCP. For more information, see Creating and
Managing Projects in the GCP documentation.

Google Cloud The zone where the virtual machine instance runs in GCP. For more
Zone information, see Regions and Zones in the GCP documentation.

Has Plugin Specifies whether the asset has plugin results associated with it.
Results

Host Name The host name for assets found during attack surface management
(Domain scans; only for use with Domain Inventory assets.
Inventory)

Hosting Provider The hosting provider for the asset.

IaC Resource The Infrastructure as Code (IAC) resource type of the asset.
Type

Installed A list of Common Platform Enumeration (CPE) values that represent

Software applications identified on an asset from a scan. This field supports the
CPE 2.2 format. For more information, see the Component Syntax section
of the CPE Specification documentation. For assets identified in Tenable
scans, this field only contains data when a scan using Tenable Nessus
Plugin 45590 has evaluated the asset.

IPV4 Address The IPv4 address associated with the asset record.

IPV6 Address The IPv6 address associated with the asset record.

Is Attribute Specifies whether the asset is an attribute.

- 232 -
Is Auto Scale Specifies whether the asset scales automatically.

Is Unsupported Specifies whether the asset is unsupported in Tenable Vulnerability

Management.

Last Audited The time and date at which the asset was last audited.

Port Last Filter for all assets that had detected open ports as of a date or a date
Detected Open range you specify. For the best results, combine with the Ports filter.

Last Scan Time The date when a scan was last run against the asset.

Last Seen The date and time at which the asset was last observed as part of a scan.

Licensed Specifies whether the asset is included in the asset count for the Tenable
Vulnerability Management instance.

MAC Address A MAC address that a scan has associated with the asset record.

Mitigated Specifies whether a scan has identified mitigation software on the asset.

Mitigation Last The date and time of the scan that last identified mitigation software on
Detection the asset.

Mitigation The name of the mitigation software identified on the asset. Tenable
Product Name Lumin defines mitigations as security agent software running on
endpoint assets, which include antivirus software, Endpoint Protection
Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

- 233 -
Mitigation Vendor The name of the vendor for the mitigation that a scan identified on the
Name asset.

Mitigation The version of the mitigation that a scan identified on the asset.
Version

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

Note: This filter is selected by default.

NetBIOS Name The NetBIOS name for the asset.

Network The name of the network object associated with scanners that identified
the asset. The default name is Default. For more information, see
Networks.

Operating System The operating system that a scan identified as installed on the asset.

Note: This filter is selected by default.

Operating System The Tenable Web App Scanning (Tenable Web App Scanning) operating
(WAS) system that a scan identified as installed on the asset.

Port Search your hosts or domain inventory by port values or ranges for assets
with a relationship to that port. For example, assets with port 80. If you
import data from Tenable Attack Surface Management, those ports also
appear.

Public Specifies whether the asset is available on a public network. A public

asset is within the public IP space and identified by the is_public
attribute in the Tenable Vulnerability Management query namespace.

Record Type The asset type.

Region The cloud region where the asset runs.

Repositories Any code repositories associated with the asset.

Resource Type The asset's cloud resource type (for example, network, virtual machine).

- 234 -
Note: This filter is selected by default.

Scan Frequency The number of times the asset was scanned within the past 90 days.

ServiceNow Sys Where applicable, the unique record identifier of the asset in
ID ServiceNow. For more information, see the ServiceNow documentation.

Source The source of the scan that identified the asset. Possible values are:

l AWS

l AWS FA

l Azure

l AZURE FA

l Cloud Connector

l Cloud IAC

l Cloud Runtime

l GCP

l Nessus Agent

l Nessus Scan

l NNM

l ServiceNow

l WAS

Note: This filter is selected by default.

SSL/TLS Specifies whether the application on which the asset is hosted uses
SSL/TLS public-key encryption.

System Type The system types as reported by Plugin ID 54615. For more information,
see Tenable Plugins.

- 235 -
Tags Asset tags, entered in pairs of category and value (for example
Network: Headquarters). This includes the space after the colon (:). If
there is a comma in the tag name, insert a backslash (\) before the
comma. If your tag name includes double quotation marks (" "), use the
UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

Note: This filter is selected by default.

Target Groups The target group to which the asset belongs. This attribute is empty if
the asset does not belong to a target group. For more information, see
Target Groups.

Tenable ID The UUID of the asset in Tenable Vulnerability Management.

Terminated Specifies whether or not the asset is terminated.

Type The system type on which the asset is managed. Possible options are:

l Cloud Resource

l Container

l Host

l Cloud

Note: This filter is selected by default.

Host Assets
The following table describes the Host asset filters:

Filter Description

ACR (Requires Tenable Lumin license) The asset's ACR.

ACR Severity (Requires Tenable Lumin license) (Requires Tenable One or Tenable
Lumin license) The ACR category of the ACR calculated for the asset.

- 236 -
AES (Requires Tenable Lumin license)The Asset Exposure Score (AES)
calculated for the asset.

AES Severity (Requires Tenable Lumin license) (Requires Tenable Lumin license) The
AES category of the AES calculated for the asset.

Agent Name The name of the Tenable Nessus agent that scanned and identified the
asset.

Asset ID The asset's unique identifier.

AWS Availability The name of the Availability Zone where AWS hosts the virtual machine
Zone instance. For more information, see Regions and Zones in the AWS
documentation.

AWS EC2 AMI ID The unique identifier of the Linux AMI image in Amazon Elastic
Compute Cloud (Amazon EC2). For more information, see the Amazon
Elastic Compute Cloud Documentation.

AWS EC2 Instance The unique identifier of the Linux instance in Amazon EC2. For more
ID information, see the Amazon Elastic Compute Cloud Documentation.

AWS EC2 Name The name of the virtual machine instance in Amazon EC2.

AWS EC2 Product The product code associated with the AMI used to launch the virtual
Code machine instance in Amazon EC2.

AWS Instance State The state of the virtual machine instance in AWS at the time of the
scan. For possible values, see InstanceState in the Amazon Elastic
Compute Cloud Documentation.

AWS Instance Type The type of virtual machine instance in Amazon EC2. Amazon EC2
instance types dictate the specifications of the instance (for example,
how much RAM it has). For a list of possible values, see Amazon EC2
Instance Types in the AWS documentation.

AWS Owner ID A UUID for the Amazon AWS account that created the virtual machine
instance. For more information, see View AWS Account Identifiers in
the AWS documentation.

- 237 -
This attribute contains a value for Amazon EC2 instances only. For
other asset types, this attribute is empty.

AWS Region The region where AWS hosts the virtual machine instance, for example,
us-east-1.

AWS Security The AWS security group (SG) associated with the Amazon EC2 instance.
Group

AWS Subnet ID The unique identifier of the AWS subnet where the virtual machine
instance was running at the time of the scan.

AWS VPC ID The unique identifier of the public cloud that hosts the AWS virtual
machine instance. For more information, see the Amazon Virtual
Private Cloud Documentation.

Azure Location The location of the resource in the Azure Resource Manager. For more
information, see the Azure Resource Manager Documentation.

Azure Resource The name of the resource group in the Azure Resource Manager. For
Group more information, see the Azure Resource Manager Documentation.

Azure Resource ID The unique identifier of the resource in the Azure Resource Manager.
For more information, see the Azure Resource Manager documentation.

Azure Resource The resource type of the resource in the Azure Resource Manager. For
Type more information, see the Azure Resource Manager Documentation.

Azure Subscription The unique subscription identifier of the resource in the Azure
ID Resource Manager. For more information, see the Azure Resource
Manager Documentation.

Azure VM ID The unique identifier of the Microsoft Azure virtual machine instance.
For more information, see the Azure Resource Manager documentation.

BIOS ID The NetBIOS name for the asset.

Cloud Provider The cloud provider for the asset — AWS, Azure, or GCP.

Note: Filter with the Cloud Provider instead of Source to search for

- 238 -
resources with imported tags.

Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Custom Attribute A filter that searches for custom attributes via a category-value pair.
For more information about custom attributes, see the Tenable
Developer Portal.

DNS The fully-qualified domain name of the host that the vulnerability was
detected on.

Domain The domain to which the asset belongs.

First Seen The date and time when a scan first identified the asset.

Google Cloud The unique identifier of the virtual machine instance in Google Cloud
Instance Platform (GCP).

Google Cloud The customized name of the project to which the virtual machine
Project ID instance belongs in GCP. For more information, see Creating and
Managing Projects in the GCP documentation.

Google Cloud Zone The zone where the virtual machine instance runs in GCP. For more
information, see Regions and Zones in the GCP documentation.

Has Plugin Results Specifies whether the asset has plugin results associated with it.

Installed Software A list of Common Platform Enumeration (CPE) values that represent
applications identified on an asset from a scan. This field supports the
CPE 2.2 format. For more information, see the Component Syntax
section of the CPE Specification documentation. For assets identified
in Tenable scans, this field only contains data when a scan using
Tenable Nessus Plugin 45590 has evaluated the asset.

IPv4 Address The IPv4 address associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated list

- 239 -
(for example, hostname_example, [Link], [Link]). For IP
addresses, you can specify individual addresses, CIDR notation (for
example, [Link]/24), or a range (for example, [Link]-
[Link]).

Note: Tenable Vulnerability Management does not support a CIDR mask of

/0 for this parameter, because that value would match all IP addresses. If
you submit a /0 value for this parameter, Tenable Vulnerability Management
returns a 400 Bad Request error message.

Note: Ensure the filter value does not end in a period.

IPv6 Address An IPv6 address that a scan has associated with the asset record.

This filter supports multiple asset identifiers as a comma-separated

list. The IPV6 address must be an exact match. (for example,
[Link]).

Note: Ensure the filter value does not end in a period.

Last Authenticated The date and time of the last credentialed scan run on the asset.
Scan

Last Licensed Scan The date and time of the last scan that identified the asset as licensed.
For more information about licensed assets, see Tenable Vulnerability
Management Licenses.

Last Seen The date and time at which the asset was last observed as part of a
scan.

Note: This filter is selected by default.

Licensed Specifies whether the asset is included in the asset count for the
Tenable Vulnerability Management instance.

Note: This filter is selected by default.

- 240 -
MAC Address A MAC address that a scan has associated with the asset record.

Mitigated Specifies whether a scan has identified mitigation software on the

asset.

Mitigation Last The date and time of the scan that last identified mitigation software
Detection on the asset.

Mitigation Product The name of the mitigation software identified on the asset. Tenable
Name Lumin defines mitigations as security agent software running on
endpoint assets, which include antivirus software, Endpoint Protection
Platforms (EPPs), or Endpoint Detection and Response (EDR) solutions.

Mitigation Vendor The name of the vendor for the mitigation that a scan identified on the
Name asset.

Mitigation Version The version of the mitigation that a scan identified on the asset.

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

Note: This filter is selected by default.

NetBIOS Name The NetBIOS name for the asset.

Network The name of the network object associated with scanners that
identified the asset. The default name is Default. For more information,
see Networks.

Operating System The operating system that a scan identified as installed on the asset.

Public Specifies whether the asset is available on a public network. A public

asset is within the public IP space and identified by the is_public
attribute in the Tenable Vulnerability Management query namespace.

Resource Tags (By The key in the key-value pair of the tags or labels imported from the
Key cloud provider.

Resource Tags (By The value in the key-value pair of the tags or labels imported from the
Value cloud provider.

- 241 -
Scan Frequency The number of times the asset was scanned within the past 90 days.

ServiceNow Sys ID Where applicable, the unique record identifier of the asset in
ServiceNow. For more information, see the ServiceNow
documentation.

Source The source of the scan that identified the asset. Possible values are:

l AWS

l AWS FA

l Azure

l Azure FA

l Cloud Discovery Connector

Note: Tenable Vulnerability Management shows this source for

compute assets with imported resource tags.
l For existing assets, the Source column shows Cloud
Discovery Connector along with the existing source (AWS,
Azure, or GCP).

For new assets, the Source column shows Cloud Discovery

Connector.
See the Cloud Provider column to view from where the asset is
imported from.

Caution: If you currently have queries utilizing AWS, GCP, or Azure as

sources, you must update these queries. The Cloud Discovery
Connector source now replaces AWS, GCP, and Azure sources.
Additionally, for the source of assets, use the Cloud Provider
parameter to indicate AWS, Azure, or GCP.

l Cloud IaC

l Cloud Runtime

l GCP

l Nessus Agent

- 242 -
l Nessus Scan

l NNM

l ServiceNow

l WAS

Note: This filter is selected by default.

System Type The system types as reported by Plugin ID 54615. For more information,
see Tenable Plugins.

Tags Asset tags, entered in pairs of category and value (for example
Network: Headquarters). This includes the space after the colon (:). If
there is a comma in the tag name, insert a backslash (\) before the
comma. If your tag name includes double quotation marks (" "), use the
UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

Note: This filter is selected by default.

Target Groups The target group to which the asset belongs. This attribute is empty if
the asset does not belong to a target group. For more information, see
Target Groups.

Tenable ID The UUID of the agent present on the asset.

Terminated Specifies whether or not the asset is terminated.

Updated Date The time and date when the asset record was last updated.

Cloud Resources Assets

The following table describes the cloud resources asset filters:

Option Description

Account ID The account ID associated with the asset.

- 243 -
ARN The Amazon Resource Name (ARN) for the asset.

Asset ID The asset's unique identifier.

Cloud Provider The name of the cloud provider that hosts the asset.

Created Date The time and date when Tenable Vulnerability Management created the
asset record.

First Seen The date and time when a scan first identified the asset.

IaC Resource The Infrastructure as Code (IAC) resource type of the asset.
Type

Is Attribute Specifies whether the asset is an attribute.

Is Auto Scale Specifies whether the asset scales automatically.

Is Unsupported Specifies whether the asset is unsupported in Tenable Vulnerability

Management.

Last Audited The time and date when Tenable Vulnerability Management last audited the
asset.

Last Seen The date and time at which the asset was last observed as part of a scan.

Licensed Specifies whether the asset is included in the asset count for the Tenable
Vulnerability Management instance.

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

- 244 -
Note: This filter is selected by default.

Region The cloud region where the asset runs.

Repositories Any code repositories associated with the asset.

Resource The category of the asset resource in the cloud service that hosts the
Category asset.

Resource Tags Tags synced from a cloud source such as Amazon Web Services (AWS),
(By Key) matched by the tag key (for example, Name). Separate individual search
items with commas and use wildcards (*) to locate keys that equal, begin
with, end with, or contain part of a string. Alternately, search for Assets
with or without tags.

Resource Tags Tags synced from a cloud source such as Amazon Web Services (AWS),
(By Value) matched by the tag value. Separate individual search items with commas
and use wildcards (*) to locate values that equal, begin with, end with, or
contain part of a string. Alternately, search for Assets with or without tags.

Resource Type The asset's cloud resource type (for example, network, virtual machine).

Note: This filter is selected by default.

Source The source of the scan that identified the asset. Possible values are:

l Cloud IaC

l Cloud Runtime

Note: This filter is selected by default.

Tags Asset tags, entered in pairs of category and value (for example Network:
Headquarters). This includes the space after the colon (:). If there is a
comma in the tag name, insert a backslash (\) before the comma. If your
tag name includes double quotation marks (" "), use the UUID instead. You
can add a maximum of 100 tags.

For more information, see Tags.

- 245 -
Note: This filter is selected by default.

Web Applications Assets

The following table describes the web application asset filters:

Filter Description

ACR (Requires Tenable Lumin license) The asset's ACR.

ACR Severity (Requires Tenable Lumin license) (Requires Tenable One or Tenable
Lumin license) The ACR category of the ACR calculated for the asset.

AES (Requires Tenable Lumin license) (Requires Tenable Lumin license) The
AES category of the AES calculated for the asset.

AES Severity (Requires Tenable Lumin license) (Requires Tenable Lumin license) The
AES category of the AES calculated for the asset.

Asset ID The asset's unique identifier.

Created Date The date and time when Tenable Vulnerability Management created the
asset record.

Custom Attribute A filter that searches for custom attributes via a category-value pair. For
more information about custom attributes, see the Tenable Developer
Portal.

First Seen The date and time when a scan first identified the asset.

Last Licensed The time and date of the last scan that identified the asset as licensed.
Scan For more information about licensed assets, see License Information.

Last Seen The date and time at which the asset was last observed as part of a scan.

Note: This filter is selected by default.

- 246 -
Licensed Specifies whether the asset is included in the asset count for the Tenable
Web App Scanning instance.

An asset is licensed if it meets the following criteria:

l The scan results for the asset do not include discovery plugin
results.

l The scan results for the asset do not include Tenable Web App
Scanning sources (e.g., results from Tenable Nessus scanners,
Agents, Tenable Nessus Network Monitor).

l The asset has not been terminated.

Mitigated Specifies whether a scan has identified mitigation software on the asset.

Mitigation Last The date and time of the scan that last identified mitigation software on
Detected the asset.

Mitigation The version of the mitigation software that a scan identified on the asset.
Version

Name The asset identifier, assigned based on the availability of specific

attributes in logical order.

Note: This filter is selected by default.

Operating System The operating system that a scan identified as installed on the asset.
(WAS)

Public Specifies whether the asset is available on a public network.

Note: A public asset is within the public IP space and identified by the is_
public attribute in the Tenable Vulnerability Management query namespace.

- 247 -
Source The source of the scan that identified the asset. Possible values are:

l ASM

l AWS

l AWS FA

l Azure

l Azure FA

l Cloud IAC

Note: This filter is selected by default.

SSL/TLS Specifies whether the application on which the asset is hosted uses
SSL/TLS public-key encryption.

For more information, see Tags.

Note: This filter is selected by default.

Updated Date The time and date when the asset record was last updated.

Domain Inventory Assets

The following table describes the domain inventory asset filters:

Filter Description

ASN The Autonomous System Number (ASN) for the asset.

Asset ID The asset's unique identifier.

Created The date and time when Tenable Vulnerability Management created the asset

- 248 -
Date record.

DNS (FQDN) The fully-qualified domain name of the host that the vulnerability was detected
on.

Domain The domain name for the asset.

Host Name The hostname of the asset. This string is determined by information reported
by target plugins, and is dependent on the user's environment and
configuration.

Hosting The hosting provider for the asset.

Provider

IPv4 The IPv4 address associated with the asset record.

Address
This filter supports multiple asset identifiers as a comma-separated list (for
example, hostname_example, [Link], [Link]). For IP addresses, you
can specify individual addresses, CIDR notation (for example, [Link]/24),
or a range (for example, [Link]-[Link]).

Note: Tenable Vulnerability Management does not support a CIDR mask of /0 for
this parameter, because that value would match all IP addresses. If you submit a /0
value for this parameter, Tenable Vulnerability Management returns a 400 Bad
Request error message.

Note: Ensure the filter value does not end in a period.

IPv6 An IPv6 address that a scan has associated with the asset record.
Address
This filter supports multiple asset identifiers as a comma-separated list. The
IPV6 address must be an exact match. (for example, [Link]).

Note: Ensure the filter value does not end in a period.

Last Seen The date and time at which the asset was last observed as part of a scan.

Licensed Specifies whether the asset is included in the asset count for the Tenable
Vulnerability Management instance.

- 249 -
Name The asset identifier, assigned based on the availability of specific attributes in
logical order.

Note: This filter is selected by default.

Port A port associated with the asset, open or closed. Only applies to Domain
Inventory assets.

Record Type The type of asset.

Source The source of the scan that identified the asset. Possible values are:

l ASM

l AWS

l AWS FA

l Azure

l Azure FA

l Cloud IAC

Note: This filter is selected by default.

Tags Asset tags, entered in pairs of category and value (for example Network:
Headquarters). This includes the space after the colon (:). If there is a comma
in the tag name, insert a backslash (\) before the comma. If your tag name
includes double quotation marks (" "), use the UUID instead. You can add a
maximum of 100 tags.

For more information, see Tags.

Updated The time and date when the asset record was last updated.
Date

Open Ports and the Assets workbench

Tip: For more information about open ports and the Tenable Vulnerability Management API, see the API
changelog in the Tenable Developer Portal. For more information, contact Tenable Customer Support.

- 250 -
Tenable Vulnerability Management displays open port findings on the Asset Details page, which
appears when you click a host asset on the Assets workbench and then click See All Details. On the
Asset Details page, the Open Ports tab shows open ports on an asset and includes the port
protocol, when the port was first and last detected open, and the service running on the port.

Working with Ports

Use the following features to search for, manage, and export your port data:

l Ports — On the Assets workbench, search for ports on your host assets (or your domain
inventory if you have imported data from Tenable Attack Surface Management.

l Port tag rule — On the Assets workbench, add tags to your ports.

l Port export field — With a custom field, export port data from the Assets workbench.

Supported Plugins
The Open Ports tab shows output from the following high-traffic plugins:

- 251 -
l 34220 - Netstat Portscanner (WMI)

l 34252 - Microsoft Windows Remote Listeners Enumeration (WMI)

l 11219 - Nessus SYN Scanner

l 14272 - Netstat Portscanner (SSH)

l 25221 - Remote listeners enumeration (Linux / AIX)

l 10736 - DCE Services Enumeration

l 99265 - macOS Remote Listeners Enumeration

l 10335 - Nessus TCP scanner

l 14274 - Nessus SNMP Scanner

l 34277 - Nessus UDP Scanner

Asset Widgets
On the Assets workbench, interactive widgets break down the assets in your environment and
update based on the filters you apply. To toggle these widgets, click Show Visualization or Hide
Visualization.

Widget Types
The Assets workbench shows three widgets.

Widget Description

Assets by Groups assets by type and shows if they are or Live or Terminated. This metric
Live Status is particularly relevant for cloud assets.

- 252 -
Assets by Groups assets by type and shows if they are Discovered but not scanned,
Scan Scanned without authentication, or have received an Authenticated Scan.
Status

Assets by Groups assets by type and shows if they are Licensed or Un-Licensed. For more
License information on licensed assets, see Tenable Vulnerability Management Licenses.
Status

Edit the ACR for Host Assets

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

In the Explore section of Tenable Vulnerability Management, you can manually override the Asset
Criticality Rating (ACR) of Host assets to better reflect the unique infrastructure or needs of your
organization.

To edit an Explore asset's ACR:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. Select the check boxes next to the host assets whose ACR you want to edit.

The action bar appears.

3. In the action bar, click .

A menu appears.

4. Click Edit ACR.

The Edit Asset Criticality Rating window appears.

- 253 -
5. On the Asset Criticality Rating slider, click the number of the score to which you want to
change the ACR.

6. In the Overwrite Reasoning section, select the check box next to the reason that best
matches why you want to edit the ACR.

7. (Optional) In the Notes section, type any additional notes you want to add.

8. Click Save.

- 254 -
The system can take up to 24 hours to apply the new ACR. When this happens, Processing
appears on the Assets workbench.

Move Assets to Another Network

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management automatically assigns scanned assets to a network based on the
scanner's network ID. However, you may need to manually move assets to another network. For
example, you might have multiple assets with the same IP address which belong on different
subnets so they can be identified as separate entities.

You can move assets to another network from the Assets workbench. If you first need to create the
network to move assets to, see Create a Network.

Tip: You can also move assets to a network via the Settings section.

When you move assets, be sure to move the scanner as well as the asset. Otherwise, the scanner
will create the same asset again. For more information, see Add a Scanner to a Network.

Note: Move assets before you run scans on a new network. If you move assets to a network where scans
have already run, Tenable Vulnerability Management may create duplicate records that count against your
license.

Tip: On the Assets workbench, you can move host assets, cloud resources, or web applications to another
network. You cannot move domain inventory assets.

To move assets to another network:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. Select the check boxes for the assets you want to move.

The action bar appears.

3. In the action bar, click Move.

- 255 -
A dialog appears.

4. In the dialog, under Choose a New Destination Network, select the network to move the
assets to.

5. Click Move.

The system moves the assets to the destination network. If you moved a large number of
assets, the move may take a few hours to complete.

Remove and Prevent Duplicate Assets

In Tenable Vulnerability Management, assets get assigned a unique ID when scanned with
credentialed or agent scans. Tenable Vulnerability Management checks this unique ID each time a
scan runs, so that it can update the existing asset record with new findings, resolved findings, or
resurfaced findings. When you then run an uncredentialed scan against the same asset, there could
be scenarios in where the scanner cannot log in to the asset and retrieve the unique ID. This causes
Tenable Vulnerability Management to view the asset as new, and therefore create a new record (in
this case a duplicate of an asset).

Remove Duplicate Assets

To remove duplicate assets in Tenable Vulnerability Management:

1. Within the Explore section, view your asset list.

2. Delete any duplicate assets.

Once an asset is deleted, Tenable Vulnerability Management immediately returns the license
to your available license count.

Prevent Duplicate Assets

As a best practice, Tenable recommends scanning assets with a combination of uncredentialed,
credentialed, and agent scans to ensure full vulnerability coverage. To resolve duplicate assets
when running an agent scan and a non-credentialed Nessus scan, Tenable recommends using the
Open Agent Port feature included in Tenable Nessus Agent versions 10.6.0 and later. To view more
configuration information for this feature, see Configure Agent Profiles to Avoid Asset Duplication
in Tenable Vulnerability Management in the Tenable Nessus Agent User Guide.

- 256 -
Note: The Open Agent Port feature does not merge existing duplicates. It only resolves asset duplication
issues between agent scans and non-credentialed Nessus scans once you configure the setting.

While there are different use cases for each scan type, generally, Tenable recommends prioritizing
the types of scans you run in the following order:

1. Credentialed Scans from a Tenable Nessus Scanner

2. Tenable Nessus Agent Scans

3. Uncredentialed Scans

4. Tenable Nessus Network Monitor

For more information, see Create a Tenable Vulnerability Management Scan.

Download Inventory Data

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Vulnerability Management Permission: Can Edit, Can Use permission for applicable
asset tags

Required Access Group Permissions: Can View

When you open a support ticket related to a Tenable Vulnerability Management asset, you can
download the asset's inventory data in ZIP format and attach it to the ticket. This data is only
intended for support cases.

Note: You can only download inventory data for assets scanned in the past 90 days which either have SSM
or AZURE_FA source types, or are NESSUS_AGENT scans with enabled inventory collection plugins.

To download asset inventory data:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. In the Actions column for the asset to download, click .

- 257 -
A menu appears.

3. In the menu, click Download Inventory Debug Data.

The debug data downloads in ZIP format.

Delete Assets
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

On the Assets workbench, you can delete host assets, web application assets, or domain inventory
assets. When you delete an asset, the system removes it from the Assets workbench, deletes all
associated findings, and stops matching scan results to the asset. Within 24 hours, the asset is no
longer included in your license count.

Caution: Deleting assets quickly removes decommissioned hosts or other irrelevant assets from your
license count and reports, but it is permanent! Be careful with this feature.

Note: On a network with Asset Age Out enabled, assets expire on a schedule and do not need to be
deleted. For more information, see View or Edit a Network and Create a Network.

Note: If you see deleted assets when using the Asset ID filter, these are temporary. Deleted assets do not
count against your license and have no associated findings. Deleted assets are labeled as Deleted.

To delete assets from Tenable Vulnerability Management:

1. In the left navigation, click Assets.

The Assets workbench appears.

2. On the Assets workbench, do one of the following:

l
Delete a single asset with the button

a. In the row for the asset to delete, click the button.

A menu appears.

b. In the menu, click Delete.

- 258 -
c. In the confirmation window that appears, click Delete again.

Tip: You can also delete single assets from the Asset Details page.

l
Delete multiple assets from the action bar

a. Select the check boxes next to the assets to delete.

The action bar appears.

Tip: To delete all assets, click Select all. You can only delete 1,000 assets at a time.

b. In the action bar, click More.

c. In the menu that appears, click Delete.

d. In the confirmation window that appears, click Delete again.

- 259 -
Findings
On the Findings workbench, you can get insight into your organization's findings. These include
vulnerabilities, cloud misconfigurations, host audits, and web application findings.

Note:Tenable Vulnerability Management retains findings data for 15 months.

A finding is a single instance of a vulnerability appearing on an asset, uniquely identified by plugin

ID, port, and protocol. By providing comprehensive information about your findings, Tenable
Vulnerability Management helps to identify potential security risks, visibility on under-utilized
resources, and support compliance efforts.

Tenable Vulnerability Management automatically creates or updates findings when a scan

completes or scan results are imported.

See the following topics for more information.

Use the Findings Workbench

View Finding Details

Findings Filters

- 260 -
Group Your Findings

Create Recast Rules from Findings

Generate a Findings Report

Use the Findings Workbench

You can view all your findings on the Findings workbench.

To view your findings:

1. In the left navigation, click Findings.

The Findings workbench appears.

2. (Optional) To view a different finding type, click a tab:

l Vulnerabilities

l Cloud Misconfigurations

l Host Audits

l Web Application Findings

On the Findings workbench, you can do the following:

l In the search box, search for findings by asset name, IPv4 address or range, or Classless Inter-
Domain Routing (CIDR) block. Or, use a wildcard (*)

l Filter the displayed findings and customize your view, as described in Explore Tables.

l Save filters as a custom search, as described in Saved Filters.

l Group findings by asset, plugin, and more, as described in Group Your Findings.

l In the upper-right corner of the Vulnerabilities or Web Application Findings tabs, toggle
Include Info Severity, as described in Vulnerability Severity Indicators.

l In the Vulnerabilities or Web Application Findings tabs, to view informational findings about
artificial intelligence services on your assets, click AI Inventory. These findings cannot be
grouped. To view their details, hover on the AI/LLM Tools column.

- 261 -
l Filter displayed findings by time period with a drop-down in the upper-right corner.

l Export findings to CSV or JSON format, as described in Export Findings or Assets.

l View details about a finding, as described in View Finding Details.

Vulnerabilities

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Vulnerabilities tab to view your asset vulnerabilities. Common
vulnerabilities include system misconfigurations, unpatched software, poor data encryption, and
weak authorization credentials.

The Vulnerabilities tab contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Column Description

AI/LLM Tools Indicates an informational finding about artificial intelligence

services running on an asset. Hover on the AI/LLM Tools
column to view details. These findings cannot be grouped.

Asset ID The UUID of the asset where a scan detected the finding. This
value is unique to Tenable Vulnerability Management.

Asset Name The name of the asset. This value is unique to Tenable
Vulnerability Management.

Asset Tags Tags applied to the asset.

IPv4 Address The IPv4 address for the affected asset.

IPv6 Address The IPv6 address for the affected asset.

Last Fixed The last time a previously detected vulnerability was scanned
and noted as no longer present on an asset.

Last Scan Target The IP address or fully qualified domain name (FQDN) of the
asset targeted in the last scan.

- 262 -
Severity The vulnerability's CVSS-based severity. For more information,
see CVSS vs. VPR.

Plugin Name The name of the plugin that identified the vulnerability detected
in the finding.

Plugin ID The ID of the plugin that identified the vulnerability.

Plugin Family The family of the plugin that identified the vulnerability.

Port The port that the scanner used to connect to the asset where
the scan detected the vulnerability.

Protocol The protocol the scanner used to communicate with the asset
where the scan detected the vulnerability.

Resurfaced Date The most recent date that a scan detected a Resurfaced
vulnerability which was previously Fixed. If a vulnerability is
Resurfaced multiple times, only the most recent date appears.

Time Taken to Fix How long it took your organization to fix a vulnerability identified
on a scan, in hours or days. Only appears for Fixed
vulnerabilities. Use this filter along with the State filter set to
Fixed for more accurate results.

VPR A descriptive icon indicating the VPR of the vulnerability. For

more information, see CVSS vs. VPR.

CVSSv2 Base Score The CVSSv2 base score (intrinsic and fundamental
characteristics of a vulnerability that are constant over time and
user environments). Tenable Vulnerability Management shows
the CVSSv2 or CVSSv3 column depending on the Vulnerability
Severity Metric setting.

State The state of the vulnerability.

CVSSv3 Base Score The CVSSv3 base score (intrinsic and fundamental
characteristics of a vulnerability that are constant over time and
user environments). Tenable Vulnerability Management shows
the CVSSv2 or CVSSv3 column depending on the Vulnerability

- 263 -
Severity Metric setting.

Scan Origin The scanner that detected the finding. Also identifies if the scan
is a work-load scan. Possible values for this column are:
Tenable Vulnerability Management, Tenable Security Center, and
Agentless Assessment.

Region The cloud region where the asset runs.

Account ID The unique identifier assigned to the asset resource in the

cloud service that hosts the asset.

Live Result Indicates whether the scan result is based on live results. In
Agentless Assessment, you can use live results to view scan
results for new plugins based on the most recently collected
snapshot data, without running a new scan. The possible values
are Yes or No. For more information, see Live Results for
Agentless Assessment.

First Seen The date when a scan first found the vulnerability on an asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Actions In this column, click the button to view a drop-down where you
can:

l Export — Export to CSV or JSON, as described in Export

from Explore Tables.

l Generate Report — Generate a report from a template, as

described in Reports.

l Recast — Recast or accept finding severity, as described

in Create Recast Rules from Findings.

l View All Findings — View all findings for an asset, as

described in View Asset Details.

l View All Details — View complete details for a finding, as

described in View Finding Details.

- 264 -
l Create Remediation Project — Start a new remediation
project for an asset, as described in Remediation Projects.

l Launch Remediation Scan — Start a remediation scan to

follow up on existing scan results, as described in Launch
a Remediation Scan.

Cloud Misconfigurations

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Cloud Misconfigurations tab to view your cloud
misconfigurations. Common cloud misconfigurations include unrestricted inbound and outbound
ports, credential management and encryption, disabled monitoring and logging, insecure automated
backups, and storage access.

The Cloud Misconfigurations tab contains a table with the following columns. To show or hide
columns, see Customize Explore Tables.

Column Description

Resource ID A unique identifier made up of the resource type and the asset name.

Policy Name The security policy that governs the affected asset.

Policy Group The group associated with the security policy that governs the affected
Name asset.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS
vs. VPR.

Result The outcome of the vulnerability scan.

Source The environment where the affected asset runs.

First Seen The date when a scan first found the vulnerability on an asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Asset ID The UUID of the asset where a scan detected the finding. This value is

- 265 -
unique to Tenable Vulnerability Management.

Cloud Provider The name of the cloud provider that hosts the asset.

IaC Resource The Infrastructure as Code (IAC) resource type of the asset.
Type

Resource Name The name of the asset where the scanner detected the vulnerability.
Tenable Vulnerability Management assigns this identifier based on the
presence of certain asset attributes in the following order:

1. Agent Name (if agent-scanned)

2. NetBIOS Name

3. FQDN

4. IPv6 address

5. IPv4 address

For example, if scans identify a NetBIOS name and an IPv4 address for an
asset, the NetBIOS name appears as the Resource Name.

Region The cloud region where the asset runs.

VPC The virtual private cloud on which the asset is hosted in AWS.

ARN The unique Amazon Resource Name for the asset in AWS.

Resource Type The types of assets affected, determined by plugin data.

Benchmark The benchmark associated with the finding.

Account ID The unique identifier assigned to the asset resource in the cloud service
that hosts the asset.

Repositories Any code repositories associated with the asset.

Resource Type The types of assets affected, determined by plugin data.

Policy Category The category associated with the security policy that governs the affected
asset.

- 266 -
Last Scan Time The date and time when Tenable Vulnerability Managementlast scanned the
asset.

Updated Time The date and time when a user last updated the asset.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Generate Report — Generate a report from a template, as described

in Reports.

l View All Findings — View all findings for an asset, as described in

View Asset Details.

Host Audits

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Host Audits tab to view your host audit findings. Host audits
assess workstations, services, or network devices in order to evaluate the configuration, hardening,
and security controls applied to a target. View specific host audit findings to identify issues to
remediate.

The Host Audits tab contains a table with the following columns. To show or hide columns, see
Customize Explore Tables.

Note: Because of inefficient host-specific details, the Host Audits tab does not include data from Cloud
Infrastructure audits such as those found in the Audit Cloud Infrastructure scan template. To view this data,
view the scan results for the audit.

Column Description

Audit The name of the compliance check the scanner performed on the affected
Check asset.
Name

Audit File The name of the audit file the scanner used to perform the compliance check.

- 267 -
Result The outcome of the compliance check.

Plugin The name of the plugin that identified the compliance check finding.
Name

Asset ID The UUID of the asset where a scan detected the finding. This value is unique to
Tenable Vulnerability Management.

Asset The name of the asset. This value is unique to Tenable Vulnerability
Name Management.

Asset Tags Tags applied to the asset.

State The state of the compliance check finding.

Last The date and time when a scan last performed the compliance check on the
Audited asset.

Control ID The UUID of the control instance applied on the system that hosts the impacted
asset. This value is unique to Tenable Vulnerability Management.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l View All Findings — View all findings for an asset, as described in View
Asset Details.

l View All Details — View complete details for a finding, as described in

View Finding Details.

Web Application Findings

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, click the Web Application Findings tab to view your web application
findings. Common web application findings include SQL injections, cross-site scripting, local file
inclusions, security misconfigurations, and XML external entity processing.

- 268 -
The Web Application Findings tab contains a table with the following columns. To show or hide
columns, see Customize Explore Tables.

Column Description

Asset ID The UUID of the asset where a scan detected the vulnerability. This value is
unique to Tenable Vulnerability Management.

Asset The name of the asset where the scanner detected the vulnerability. This value
Name is unique to Tenable Vulnerability Management.

IPv4 The IPv4 address associated with the asset record.

Note:Tenable Vulnerability Management does not support a CIDR mask of /0 for this
parameter, because that value would match all IP addresses. If you submit a /0 value
for this parameter, Tenable Vulnerability Management returns a 400 Bad Request
error message.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS vs.
VPR.

Plugin The name of the plugin that identified the vulnerability.

Name

Plugin ID The ID of the plugin that identified the vulnerability.

Plugin The family of the plugin that identified the vulnerability.

Family

CVSSv2 The CVSSv2 base score (intrinsic and fundamental characteristics of a

Base Score vulnerability that are constant over time and user environments).

Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column

depending on the Vulnerability Severity Metric setting.

CVSSv3 The CVSSv3 base score (intrinsic and fundamental characteristics of a

- 269 -
Base Score vulnerability that are constant over time and user environments).

Tenable Vulnerability Management shows the CVSSv2 or CVSSv3 column

depending on the Vulnerability Severity Metric setting.

State The state of the vulnerability.

First Seen The date when a scan first found the vulnerability on an asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Actions In this column, click the button to view a drop-down where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Recast — Recast or accept finding severity, as described in Create Recast

Rules from Findings.

l View All Findings — View all findings for an asset, as described in View
Asset Details.

l View All Details — View complete details for a finding, as described in

View Finding Details.

View Finding Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

From the Findings workbench, you can drill down into a single asset to view it on the Finding
Details page. Tenable Vulnerability Management customizes this page by finding type.

To view finding details:

- 270 -
1. In the left navigation, click Findings.

The Findings workbench appears.

2. (Optional) Click another tab to view a different finding type or use filters to refine your results.

3. Click the row for the finding to view.

At the bottom of the page, a preview appears.

4. In the preview, click See All Details.

The Finding Details page appears. Its layout varies by finding type:

l Vulnerability Details

l Cloud Misconfiguration Details

l Host Audit Details

l Web Application Findings Details

Vulnerability Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For vulnerability
findings, it includes a description, the recommended solution, and the plugin output.

- 271 -
The Finding Details page for vulnerabilities contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description A description of the Tenable plugin that identified the vulnerability

detected in the finding.

Solution A brief summary of how you can remediate the vulnerability detected
in the finding. Only appears if an official solution is available.

Workaround The type of workaround recommended for the vulnerability, if any.

Possible values are Configuration Change or Disable Service. If there
is a workaround, Workaround Published also appears.

AI Inventory If a finding is AI-related, this section lists the AI/LLM-related tools

found by Tenable's plugins.

See Also Links to websites that contain helpful information about the
vulnerability detected in the finding.

- 272 -
Asset Information Information about the affected asset, including:

l Asset ID — The UUID of the asset where a scan detected the

vulnerability.

l Name — The name of the asset where a scan detected the

vulnerability. This value is unique to Tenable Vulnerability
Management.

l IPV4 Address — The IPv4 address for the affected asset.

l IPV6 Address — The IPv6 address for the affected asset.

l Operating System — The operating system that the scan

identified as installed on the affected asset.

l System Type — The type of operating system that the scan

identified as installed on the affected asset.

l Network — The name of the network object associated with

scanners that identified the asset. The default name is Default.
For more information, see Networks.

l Public — Specifies whether the asset is available on a public

network. A public asset is within the public IP space and
identified by the is_public attribute in the Tenable
Vulnerability Management query namespace.

l Network Device Serial ID — The unique identifier of the asset as

assigned by the manufacturer. This property is only available for
network devices.

Cloud The number of resources that failed to comply with the configured
Misconfigurations policies. Click this number to go to the Cloud Misconfigurations tile
and view the affected resources.

Asset Scan Information about the scan that detected the vulnerability, including:
Information
l First Seen — The date when a scan first found the vulnerability
on an asset.

- 273 -
l Last Seen — The date when a scan last found the vulnerability
on an asset.

l Last Licensed Scan — The date and time of the last scan in
which the asset was considered "licensed" and counted towards
Tenable's license limit. A licensed scan uses non-discovery
plugins and can identify vulnerabilities. Unauthenticated scans
that run non-discovery plugins update the Last Licensed Scan
field, but not the Last Authenticated Scan field. For more
information on how licenses work, see Tenable Vulnerability
Management Licenses.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated
scan that only uses discovery plugins updates the Last
Authenticated Scan field, but not the Last Licensed Scan field.

l Source — The source of the scan that detected the vulnerability

on the affected asset.

l Scan Origin — The scanner that detected the finding. It also

helps identify whether the scan is a work-load scan. Possible
values are: Tenable Vulnerability Management, Tenable Security
Center, and Agentless Assessment.

l Last Scan Target — The IP address or fully qualified domain

name (FQDN) of the asset targeted in the last scan.

Additional Additional information about the vulnerability findings, including:

Information
l Network —The name of the network object associated with
scanners that identified the finding. The default network name
is Default. For more information, see Networks.

l DNS (FQDN) — The fully qualified domain name of the host on

which the vulnerability identified in the finding was detected.

l MAC Address — The static Media Access Control (MAC) address

for the affected asset.

- 274 -
l Tenable ID — The unique identifier for the Tenable account
associated with the affected asset.

l Installed Software — Software that a scan identified on the

affected asset.

l SSH Fingerprint — The SSH key fingerprints that scans have

associated with the asset record.

Vulnerability Priority (Requires Tenable Lumin license) A descriptive icon indicating the
Rating (VPR) VPR of the vulnerability. For more information, see CVSS vs. VPR.

Asset Criticality (Requires Tenable Lumin license) Rates the criticality of an asset to
Rating (ACR) the organization from 1 to 10. A higher value means the asset is more
crucial to the business. For more information, see Tenable Lumin
Metrics.

Finding State A descriptive icon indicating the state of the vulnerability. For more
information, see Vulnerability States.

Vulnerability Information about the vulnerability that the plugin identified,

Information including:

l Severity — The severity of the vulnerability on the finding.

l Original Severity — The vulnerability's CVSS-based severity from

when a scan first detected the finding.

l Vuln Published — The oldest date on which the vulnerability was

either documented in an advisory or published in the National
Vulnerability Database (NVD).

l Exploitability — Characteristics of the vulnerability that factor

into its potential exploitability.

l Exploitability Ease — A description of how easy it is to exploit

the vulnerability.

l Exploited With — The most common ways that the vulnerability

may be exploited.

- 275 -
l Exploited by Malware — Indicates whether the vulnerability is
known to be exploited by malware.

l Exploited by Nessus — Indicates whether Tenable Nessus

exploited the vulnerability during the identification process.

l In the News — Indicates whether this plugin has received media

attention (for example, ShellShock, Meltdown).

l Last Fixed — The last time a previously detected vulnerability

was scanned and noted as no longer present on an asset.

l Malware — Indicates whether the plugin that identified the

vulnerability checks for malware.

l Resurfaced Date — The most recent date that a scan detected a

Resurfaced vulnerability which was previously Fixed. If a
vulnerability is Resurfaced multiple times, only the most recent
date appears.

l Time Taken to Fix — How long it took your organization to fix a

vulnerability identified on a scan, in hours or days. Only appears
for Fixed vulnerabilities. Use this filter along with the State filter
set to Fixed for more accurate results.

l Unsupported by Vendor — Software found by this plugin is

unsupported by the software's vendor (for example, Windows 95
or Firefox 3).

l Vulnerability Age — The age of a vulnerability based on its

State. For Active vulnerabilities, based on the time elapsed
between First Seen and today's date. For Fixed vulnerabilities,
based on the time elapsed between First Seen and Last Fixed or
the time elapsed between Resurfaced and Last Fixed. For
Resurfaced vulnerabilities, based on the time elapsed between
Resurfaced and and today's date.

l Patch Published — Displays when a patch has been published

for a vulnerability.

- 276 -
l Remediation Type — The type of fix recommended. Possible
values are Patch, Workaround, Patch and Workaround, and No
Fix.

l Workaround Type — Appears if the Remediation Type is

Workaround. Possible values are Configuration Change or
Disable Service.

l Port — The port that the scanner used to connect to the asset
where the scan detected the vulnerability.

l Protocol — The protocol the scanner used to communicate with

the asset where the scan detected the vulnerability.

l Live Result — Indicates whether the scan result is based on live

results. In Agentless Assessment, you can use live results to
view scan results for new plugins based on the most recently
collected snapshot data, without running a new scan. The
possible values are Yes or No. For more information, see Live
Results for Agentless Assessment.

l CPE — The Common Platform Enumeration (CPE) numbers for

vulnerabilities that the plugin identifies.

l Asset Inventory — This plugin is an Tenable Inventorynventory

plugin.

l Default Account — Any default credentials or accounts.

Discovery Information about when Tenable Vulnerability Management first

discovered the vulnerability, including:

l First Seen — The date when a scan first found the vulnerability
on an asset.

l Last Seen — The date when a scan last found the vulnerability
on an asset.

l Age — The number of days since a scan first found the

vulnerability on an asset in your network.

- 277 -
l Resurfaced Date — The most recent date that a scan detected a
Resurfaced vulnerability which was previously Fixed. If a
vulnerability is Resurfaced multiple times, only the most recent
date appears.

l Vulnerability Age — The age of a vulnerability based on its

current State:

l New or Active — The time elapsed between First Seen and

today's date.

l Fixed — The time elapsed between First Seen and Last

Fixed or between Resurfaced and Last Fixed.

l Resurfaced — The time elapsed between Resurfaced and

today's date.

VPR Key Drivers Information about the key drivers Tenable uses to calculate a VPR for
the vulnerability, including:

l Threat Recency — The number of days (0-730) since a threat

event occurred for the vulnerability.

l Threat Intensity — The relative intensity based on the number

and frequency of recently observed threat events related to this
vulnerability: Very Low, Low, Medium, High, or Very High.

l Exploit Code Maturity — The relative maturity of a possible

exploit for the vulnerability based on the existence,
sophistication, and prevalence of exploit intelligence from
internal and external sources (for example, Reversinglabs,
Exploit-db, Metasploit, etc.). The possible values (High,
Functional, PoC, or Unproven) parallel the CVSS Exploit Code
Maturity categories.

l Age of Vuln — The number of days since the National

Vulnerability Database (NVD) published the vulnerability.

l Product Coverage — The relative number of unique products

affected by the vulnerability: Low, Medium, High, or Very High.

- 278 -
l CVSS3 Impact Score — The NVD-provided CVSSv3 impact score
for the vulnerability. If the NVD did not provide a score, Tenable
Vulnerability Management shows a Tenable-predicted score.

l Threat Sources — A list of all sources (for example, social media

channels, the dark web, etc.) where threat events related to this
vulnerability occurred. If the system did not observe a related
threat event in the past 28 days, the system shows No recorded
events.

Plugin Details Information about the plugin that detected the vulnerability,
including:

l Publication Date — The date on which the plugin that identified

the vulnerability was published.

l Modification Date — The date on which the plugin was last

modified.

l Family — The family of the plugin that identified the

vulnerability.

l Type — The general type of plugin check (for example, local or

remote).

l Version — The version of the plugin that identified the

vulnerability.

l Plugin ID — The ID of the plugin that identified the vulnerability.

Risk Information Information about the relative risk that the vulnerability presents to
the affected asset, including:

l Risk Factor — The CVSS-based risk factor associated with the

plugin.

l CVSSV3 Base Score — Intrinsic and fundamental characteristics

of a vulnerability that are constant over time and user
environments.

l CVSSV3 Temporal Score — Characteristics of a vulnerability

- 279 -
that change over time.

l CVSSV3 Vector — More CVSSv3 metrics for the vulnerability.

l CVSSV2 Base Score — Intrinsic and fundamental characteristics

of a vulnerability that are constant over time and user
environments.

l CVSSV2 Temporal Score — A score that denotes characteristics

of a vulnerability that change over time, but not among user
environments.

l CVSSV2 Vector — More CVSSv2 metrics for the vulnerability.

l STIG Severity — A vulnerability's severity rating based on the

Department of Defense's Security Technical Implementation
Guide (STIG).

Reference Industry resources that provide additional information about the

Information vulnerability.

Actions In the upper-right corner, click the Actions button to view a drop-
down where you can:

l Export — Export to CSV or JSON, as described in Export from

Explore Tables.

l Generate Report — Generate a report from a template, as

described in Reports.

l Recast — Recast or accept finding severity, as described in

Create Recast Rules from Findings.

l View All Findings — View all findings for an asset, as described

in View Asset Details.

l View All Details — View complete details for a finding, as

described in View Finding Details.

l View All Details in New Tab — View complete details for an

asset in a new browser tab.

- 280 -
l Create Remediation Project — Start a new remediation project
for an asset, as described in Remediation Projects.

l Launch Remediation Scan — Start a remediation scan to follow

up on existing scan results, as described in Launch a
Remediation Scan.

Cloud Misconfiguration Details

When you View Finding Details, the Finding Details page varies by finding type. For cloud
misconfiguration findings, it includes policy information, a recommended solution, and details on
the affected asset.

The Finding Details page for cloud misconfigurations contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Policy Group Name The name of the cloud policy group associated with the affected

- 281 -
finding.

Policy Name The name of the cloud policy associated with the affected finding.

Solution A brief summary of how you can remediate the vulnerability. This
section appears only if an official solution is available.

Asset Information Information about the affected asset, including:

l Asset ID — The UUID of the asset where a scan detected the

vulnerability. This value is unique to Tenable Vulnerability
Management.

l Name — The name of the asset where a scan detected the

vulnerability. This value is unique to Tenable Vulnerability
Management.

l Project — The cloud project associated with the findings and

affected asset.

l Region — The cloud region on which the asset resides.

l VPC The unique identifier of the public cloud that hosts the
AWS virtual machine instance. Stands for "virtual private
cloud."

l Account ID — The unique identifier assigned to the asset on

which a scan detected the finding.

l Resource Name — The asset identifier.

l Types — The types of assets affected, determined by plugin

data.

l IaC Resource Type — The Infrastructure as Code (IAC)

resource type of the asset.

l Resource Type — The types of resources affected,

determined by plugin data.

l Has Drift — Indicates whether the asset has any drifts. For
more information, see Set up Drift Analysis in the Legacy

- 282 -
Tenable Cloud Security User Guide.

l Is Mapped — Indicates whether the asset is mapped. For more

information, see Cloud Scan Workflow in the Legacy Tenable
Cloud Security User Guide.

l Is Real — Indicates whether the affected asset exists in a

cloud environment.

l Cloud Provider — The name of the cloud provider that hosts

the resource.

l Resource ID — The resource ID of the resource.

l Resource Name — The name of the asset where the scanner

detected the vulnerability. Tenable Vulnerability Management
assigns this identifier based on the presence of certain asset
attributes in the following order:

l Agent Name (if agent-scanned)

l NetBIOS Name

l FQDN

l IPv6 address

l IPv4 address
for example, if scans identify a NetBIOS name and an
IPv4 address for an asset, the NetBIOS name appears as
the Resource Name.

l ARN — The unique Amazon resource name for the asset in

AWS.

l Resource Criticality — The criticality rating for the asset

according to Container Security, based on the most recent
scan.

Additional Information The number of vulnerabilities the policy detected during the scan.

Asset Scan Information about the scan that detected the vulnerability,

- 283 -
Information including:

l First Seen — The date when a scan first found the vulnerability
on an asset.

l Last Seen — The date when a scan last found the vulnerability
on an asset.

l Last Licensed Scan — The date and time of the last scan in
which the asset was considered "licensed" and counted
towards Tenable's license limit. A licensed scan uses non-
discovery plugins and can identify vulnerabilities.
Unauthenticated scans that run non-discovery plugins update
the Last Licensed Scan field, but not the Last Authenticated
Scan field. For more information on how licenses work, see
Tenable Vulnerability Management Licenses.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated
scan that only uses discovery plugins updates the Last
Authenticated Scan field, but not the Last Licensed Scan
field.

l Source — The source of the scan that detected the

vulnerability on the affected asset.

Tags Tags assigned to the affected asset.

Cloud Misconfiguration Information about the vulnerability finding, including:

Information
l Finding ID — The unique ID for the individual finding. You can
view the ID for a finding by accessing the Findings Details
page for the finding and checking the page URL. The finding ID
is the alphanumeric text that appears in the path between
details and asset.

l Project — The cloud project associated with the findings and

affected asset.

- 284 -
l Policy Group ID — The type of policy group ID associated with
the finding.

l Policy ID — The unique ID for the cloud policy associated with

the affected asset.

l Rule ID — The rule ID associated with the finding.

l Environment ID — The environment ID associated with the

finding.

l Severity — A descriptive icon that indicates the CVSS-based

severity of the vulnerability. For more information, see CVSS
vs. VPR.

l Result — The result of the finding.

l Benchmark — The benchmark associated with the finding.

l Policy Category — The policy category associated with the

finding.

l IaC Type — The Infrastructure as Code (IAC) resource type of

the asset.

l Managed By — The name of the person, group, or company

that manages the affected asset.

l Policy Type — The type of cloud policy associated with the

finding.

l Rule Reference ID — The reference ID for the security rule for

which the scanner found a violation.

l Version — The version associated with the finding.

l Exists in IAC — Indicates whether the affected asset was

created via Infrastructure as Code (IaC).

l Exists in Cloud — Indicates whether the affected asset exists

in a cloud environment.

- 285 -
l Ignored — Indicates whether Legacy Tenable Cloud Security
ignored the policy violation when determining the finding
severity.

Cloud Misconfiguration Information about when Tenable Vulnerability Management first

Discovery discovered the vulnerability, including:

l First Seen — The date when Tenable Vulnerability Management

first scanned the affected asset.

l Last Seen — The date when Tenable Vulnerability Management

last scanned the affected asset.

Actions In the upper-right corner, click the Actions button to view a drop-
down where you can:

l Generate Report — Generate a report from a template, as

described in Reports.

l View All Findings — View all findings for an asset, as

described in View Asset Details.

Host Audit Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For host audit
findings, it includes a description of the host audit finding, its recommended solution, and a
summary of the corresponding asset.

- 286 -
The Finding Details page for host assets contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description A brief description of the plugin that identified the finding during a
compliance check.

Solution A brief summary of how you can address the compliance check findings.

Audit File The name of the audit file the scanner used to perform the compliance
check.

See Also Links to external websites that contain helpful information about the
compliance check.

Asset Information about the affected asset, including:

Information
l Asset ID — The UUID of the asset where a scan detected the
vulnerability.

- 287 -
l Name — The name of the asset on which the scanner performed a
compliance check.

l Operating System — The operating system that the scan identified as

installed on the affected asset.

l IPV4 Address — The IPv4 address for the affected asset.

l System Type — The type of system on which the affected asset runs.

l Public — Specifies whether the asset is available on a public network.

A public asset is within the public IP space and identified by the is_
public attribute in the Tenable Vulnerability Management query
namespace.

Asset Scan Information about the scan that detected the vulnerability, including:
Information
l First Seen — The date when a scan first found the vulnerability on an
asset.

l Last Seen — The date when a scan last found the vulnerability on an
asset.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated scan that
only uses discovery plugins updates the Last Authenticated Scan
field, but not the Last Licensed Scan field.

l Source — The source of the scan that detected the vulnerability on the
affected asset.

Additional Additional information about the affected asset, including:

- 288 -
Information l Network — The name of the network object associated with scanners
that detected the finding. The default network name is Default. For
more information, see Networks.

l Network (FQDN) — The fully qualified domain name of the host on

which the vulnerability identified in the finding was detected.

l MAC Address — The static Media Access Control (MAC) address for the
affected asset.

l Tenable ID —The unique identifier for the Tenable account associated

with the affected asset.

l Installed Software — Software that a scan identified on the affected

asset.

Policy Value The plugin output that appears in the finding if the affected asset is
compliant with the audit policy.

Actual Value The plugin output that actually appears in the finding.

Host Audit Information about the compliance check, including:

Information
l Audit Name — The name of the compliance check the scanner
performed on the affected asset.

l Audit File — The name of the audit file the scanner used to perform
the compliance check.

l Plugin Name — The name of the plugin that identified the compliance
check.

l Result — The result for the item in a configuration audit. Results can
be: Passed, Warning, or Failed.

l State — An indication about whether the audit finding is currently

active on the affected asset. States can be: Active, Fixed, and
Resurfaced.

Audit l First Audit — The date and time when a scan first performed the
Discovery compliance check on the asset.

- 289 -
l Last Audit — The date and time when a scan last performed the
compliance check on the asset.

Reference A list of industry resources that provide additional information about the
Information compliance check.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from Explore

Tables.

l Generate Report — Generate a report from a template, as described in

Reports.

l View All Findings — View all findings for an asset, as described in View
Asset Details.

l View All Details — View complete details for a finding, as described in

View Finding Details.

l View All Details in New Tab — View complete details for an asset in a
new browser tab.

Web Application Findings Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

When you View Finding Details, the Finding Details page varies by finding type. For web application
findings, it includes a description, the recommended solution, and details about the affected asset.

- 290 -
The Finding Details page for web application findings contains the following sections.

Note: Tenable Vulnerability Management hides empty sections, so these may not appear in some cases.

Section Description

Description A description of the Tenable plugin that identified the vulnerability

detected in the finding.

Solution A brief summary of how you can remediate the vulnerability detected in
the finding. This section appears only if an official solution is available.

AI Inventory If a finding is AI-related, this section lists the AI/LLM-related tools found
by Tenable's plugins.

See Also Links to external websites that contain helpful information about the
vulnerability detected in the finding.

Asset Information about the affected asset, including:

Information
l Asset ID — The UUID of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability

- 291 -
Management.

l Name — The name of the affected asset. You can click the link in the
name to view details about the affected asset on the Web
Application Details page.

l IPV4 Address — The IPv4 address for your asset.

l Public — Indicates whether or not the asset is public.

Asset Scan Information about the scan that detected the vulnerability, including:
Information
l First Seen — The date and time when a scan first identified the
asset.

l Last Seen — The date and time at which the asset was last observed
as part of a scan.

l Last Licensed Scan — The date and time of the last scan in which
the asset was considered "licensed" and counted towards Tenable's
license limit. A licensed scan uses non-discovery plugins and can
identify vulnerabilities. Unauthenticated scans that run non-
discovery plugins update the Last Licensed Scan field, but not the
Last Authenticated Scan field. For more information on how
licenses work, see Tenable Vulnerability Management Licenses.

l Last Authenticated Scan — The date and time of the last

authenticated scan run against the asset. An authenticated scan
that only uses discovery plugins updates the Last Authenticated
Scan field, but not the Last Licensed Scan field.

l Source — The source of the scan that detected the vulnerability on

the affected asset.

Identification Information about how the plugin identified the vulnerability detected in
the finding, including:

l URL — The target URL where the scanner detected the vulnerability.

l Proof — Output from the scanner's attempt to verify the vulnerability

that proves the vulnerability is exploitable on the affected asset.

- 292 -
l Input Type — The component of the asset where an attacker could
inject malicious code (for example, a form or session cookie). This
section appears only if the asset is vulnerable to injection attacks.

l Input Name — The name of the asset component where an attacker

could inject malicious code. This section appears only if the asset is
vulnerable to injection attacks.

l Output — More detailed information from the plugin about the

vulnerability detected during the scan.

Http Info Information about the HTTP messages between the scanner and the web
application, including:

l HTTP Request — The HTTP request of the scanner that identified the
vulnerability made to the web application.

l HTTP Response — The HTTP response that the web application sent
to the scanner that identified the vulnerability.

Attachments Plugin attachments that include more details about the vulnerability
detected in the finding. This section appears only if attachments are
available.

Vulnerability The Vulnerability Priority Rating Tenable calculated for the vulnerability.
Priority Rating
(VPR)

Finding State The state of the vulnerability detected in the finding. For more
information, see Vulnerability States.

Vulnerability Information about the vulnerability that the plugin identified, including:
Information
l Severity — An icon that indicates the severity of the vulnerability.

l Exploitability — Characteristics of the vulnerability that factor into

its potential exploitability.

l Exploited With — The most common ways that the vulnerability may
be exploited.

- 293 -
Discovery Information about when Tenable Vulnerability Management first
discovered the vulnerability detected in the finding, including:

l First Seen — The date when a scan first found the vulnerability on an
asset.

l Last Seen — The date when a scan last found the vulnerability on an
asset.

l Age — The number of days since a scan first found the vulnerability
on an asset in your network.

Plugin Details Information about the plugin that detected the vulnerability detected in
the finding, including:

l Publication Date — The date on which the plugin that identified the
vulnerability was published.

l Modification Date — The date on which the plugin was last modified.

l Family — The family of the plugin that identified the vulnerability.

l Risk Factor —The CVSS-based risk factor associated with the plugin.

l Plugin ID — The ID of the plugin that identified the vulnerability.

Risk Information Information about the relative risk that the vulnerability presents to the
affected asset, including:

l Risk Factor — The CVSS-based risk factor associated with the

plugin.

l CVSSV3 Base Score — The CVSSv3 base score (intrinsic and

fundamental characteristics of a vulnerability that are constant over
time and user environments).

l CVSSV3 Vector — More CVSSv3 metrics for the vulnerability.

l CVSSV2 Base Score — The CVSSv2 base score (intrinsic and

fundamental characteristics of a vulnerability that are constant over
time and user environments).

- 294 -
l CVSS2 Vector — More CVSSv2 metrics for the vulnerability.

Reference Industry resources that provide additional information about the

Information vulnerability that Tenable Vulnerability Management detected in the
finding, including but not limited to:

l OWASP — A link or links to each Open Web Application Security

Project (OWASP) Top 10 list on which the vulnerability appears.

l OWASP API — A link or links to each OWASP API Top 10 list on which
the vulnerability appears.

l WASC — A link to the Web Application Security Consortium (WASC)

description for the vulnerability's threat classification.

l CWE — A link to the Common Weakness Enumeration (CWE)

description for the vulnerability’s CWE score.

Actions In the upper-right corner, click the Actions button to view a drop-down
where you can:

l Export — Export to CSV or JSON, as described in Export from

Explore Tables.

l Generate Report — Generate a report from a template, as described

in Reports.

l Recast — Recast or accept finding severity, as described in Create

Recast Rules from Findings.

l Recast — Recast or accept finding severity, as described in Create

Recast Rules from Findings.

l View All Findings — View all findings for an asset, as described in

View Asset Details.

l View All Details — View complete details for a finding, as described

in View Finding Details.

l View All Details in New Tab — View complete details for an asset in
a new browser tab.

- 295 -
Findings Filters
On the Findings page, you can filter and view analytics for the following findings types:

l Vulnerabilities

l Cloud Findings

l Host Audits Findings

l Web Application Vulnerabilities

You can save a set of commonly used filters as a saved filter to access later or share with other
members of your team.

Note: To optimize performance, Tenable limits the number of filters that you can apply to any Explore >
Findings or Assets views (including Group By tables) to 18.

Note: When Tenable Vulnerability Management identifies the same finding on multiple scans, it only stores
the most recent result. For example, if an Agent scan identifies a finding and then a later Tenable Nessus
scan identifies the same finding, that finding is associated with the Tenable Nessus scan. If you can't
locate a known finding with a filter such as Source, search for the finding directly.

Vulnerabilities Filters

Option Description

Asset ID The UUID of the asset where a scan detected the finding. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset where a scan detected the vulnerability. This
value is unique to Tenable Vulnerability Management. This filter is case-
sensitive, but you can use the wildcard character to turn this off.

Asset Tags Asset tags, entered in pairs of category and value (for example
Network: Headquarters). This includes the space after the colon (:). If
there is a comma in the tag name, insert a backslash (\) before the
comma. If your tag name includes double quotation marks (" "), use the
UUID instead. You can add a maximum of 100 tags.

For more information, see Tags.

- 296 -
Bugtraq ID The Bugtraq ID for the plugin that identified the vulnerability.

Canvas Exploit The name of the CANVAS exploit pack that includes the vulnerability.

CERT Advisory ID The ID of the CERT advisory related to the vulnerability.

CERT Vulnerability The ID of the vulnerability in the CERT Vulnerability Notes Database.
ID

CISA KEV Due The date on which Cybersecurity and Infrastructure Security Agency
Date (CISA) Known Exploitable Vulnerability (KEV) remediation is due, as per
Binding Operational Directive 22-01. Searches by the earliest due date
for KEVs associated with the plugin. For more information, see the
Known Exploited Vulnerabilities Catalog.

CORE Exploit Indicates whether an exploit for the vulnerability exists in the CORE
Framework Impact framework.

CPE The Common Platform Enumeration (CPE) numbers for vulnerabilities

that the plugin identifies.

(200 value limit)

CVE The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities
that the plugin identifies.

(200 value limit)

CVSSv2 Base The CVSSv2 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

CVSSv2 Temporal The CVSSv2 temporal score (characteristics of a vulnerability that

Score change over time but not among user environments).

CVSSv2 Temporal CVSSv2 temporal metrics for the vulnerability.

Vector

CVSSv2 Vector The raw CVSSv2 metrics for the vulnerability. For more information, see
CVSSv2 documentation.

CVSSv3 Base The CVSSv3 base score (intrinsic and fundamental characteristics of a

- 297 -
Score vulnerability that are constant over time and user environments).

CVSSv3 Temporal The CVSSv3 temporal score (characteristics of a vulnerability that

Score change over time but not among user environments).

CVSSv3 Temporal CVSSv3 temporal metrics for the vulnerability.

Vector

CVSSv3 Vector More CVSSv3 metrics for the vulnerability.

CWE The Common Weakness Enumeration (CWE) for the vulnerability.

Default/Known Indicates whether the plugin that identified the vulnerability checks for
Account default accounts.

Elliot Exploit The name of the exploit for the vulnerability in the D2 Elliot Web
Exploitation framework.

Exploit Database The ID of the vulnerability in the Exploit Database.

Exploitability Ease A description of how easy it is to exploit the vulnerability.

Exploited By Indicates whether the vulnerability is known to be exploited by malware.

Malware

Exploited By Indicates whether Tenable Nessus exploited the vulnerability during the
Nessus process of identification.

Exploit Hub Indicates whether an exploit for the vulnerability exists in the ExploitHub
framework.

Finding ID The unique ID for the individual finding.

Note: You can view the ID for a finding by accessing the Findings Details
page for the findings and checking the page URL. The finding ID is the alpha-
numeric text that appears in the path between details and asset.

First Seen The date when a scan first found the vulnerability on an asset.

IAVA ID The ID of the information assurance vulnerability alert (IAVA) for the

- 298 -
vulnerability.

IAVB ID The ID of the information assurance vulnerability bulletin (IAVB) for the
vulnerability.

IAVM Severity The severity of the vulnerability in Information Assurance Vulnerability

Management (IAVM).

IAVT ID The ID of the information assurance vulnerability technical bulletin (IAVT)

for the vulnerability.

In The News Indicates whether this plugin has received media attention (for example,
ShellShock, Meltdown).

IPv4 Address The IPv4 address for the affected asset. You can add up to 256
IP addresses to this filter.

IPv6 Address The IPv6 address for the affected asset.

Last Fixed The last time a previously detected vulnerability was scanned and noted
as no longer present on an asset.

Last Seen The date when a scan last found the vulnerability on an asset.

Malware Indicates whether the plugin that identified the vulnerability checks for
malware.

Metasploit Exploit The name of the related exploit in the Metasploit framework.

Microsoft Bulletin The Microsoft security bulletin that the plugin, which identified the
vulnerability, covers.

Original Severity The vulnerability's CVSS-based severity when a scan first detected the
finding. For more information, see CVSS vs. VPR.

OSVDB ID The ID of the vulnerability in the Open Sourced Vulnerability Database

(OSVDB).

Patch Published The date on which the vendor published a patch for the vulnerability.

Plugin Description The description of the Tenable plugin that identified the vulnerability.

- 299 -
Plugin Family The family of the plugin that identified the vulnerability.

(200 value limit)

Plugin ID The ID of the plugin that identified the vulnerability.

(200 value limit)

Plugin The date at which the plugin that identified the vulnerability was last
Modification Date modified.

Plugin Name The name of the plugin that identified the vulnerability.

Plugin Output Use this filter to return findings with plugin output you specify. Search
for plugin output that contains a value or does not contain it, as
described in Use Filters. If your search is too broad, the system suggests
adding Plugin ID and Last Seen to refine the results and then displays
the top ten plugins from that search.

For example, to search for output that contains “Kernel,” in Advanced

mode, type:

Plugin Output contains Kernel

Note: Manually enable this filter in Settings > General Search > Enable
Plugin Output Search. If you do not use this filter for 35 days, it is disabled
again.

Plugin Output search best practices...

Since plugin outputs can be large, broad searches may cause system
timeouts! For the best results, combine the Plugin Output filter with the
Plugin ID and Last Seen filters. Limit the number of plugin IDs you
search at once.

Specify plugin ID(s) to search for plugins or exclude them. These

approaches apply to different use cases. For example, include plugins
when searching for software listings by operating system. Exclude
plugins from exploratory searches where the top plugins appear too
frequently.

- 300 -
l Search for output from one plugin:

Plugin Output contains Kernel AND Plugin ID is equal

to 110483

l Search for output from multiple plugins:

Plugin Output contains Chrome AND Plugin ID is equal

to 45590, 10456

l Search for output from any plugin but the ones listed:

Plugin Output contains Chrome AND Plugin ID is not

equal to 45590, 10456

Plugin Published The date on which the plugin that identified the vulnerability was
published.

Plugin Type The general type of plugin check. Possible options are:

l Local

l Remote

l Local & Remote

Port Information about the port the scanner used to connect to the asset
where the scan detected the vulnerability.

(200 value limit)

Protocol The protocol the scanner used to communicate with the asset where the
scan detected the vulnerability.

Resurfaced Date The most recent date that a scan detected a Resurfaced vulnerability
which was previously Fixed. If a vulnerability is Resurfaced multiple
times, only the most recent date appears.

Risk Modified The risk modification applied to the vulnerability's severity. Possible
options are:

l Recasted

- 301 -
l Accepted

l None

For more information, see Recast/Accept Rules.

Scan Origin The scanner that detected the finding.

Secunia ID The ID of the Secunia research advisory related to the vulnerability.

See Also Links to external websites that contain helpful information about the
vulnerability.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS
vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Solution A brief summary of how you can remediate the vulnerability.

Source The source of the scan that identified the asset. Possible values are:

l Agent (Tenable Nessus Agent)

l Nessus (Tenable Nessus scan)

l PVS/NNM (Tenable Nessus Network Monitor)

l WAS (Tenable Web App Scanning)

l AWS Connector

l Azure Connector

l GCP Connector

l Qualys Connector

State The state of the vulnerability detected in the finding. Appears in the
filters plane by default, with Active, Resurfaced, and New selected. For
more information, see Vulnerability States.

- 302 -
Stig Severity The STIG severity associated with the finding.

Synopsis A brief description of the plugin or vulnerability.

Target Groups A target group or groups associated with the scan that identified the
vulnerability. For more information, see Target Groups.

Time Taken to Fix How long it took your organization to fix a vulnerability identified on a
scan, in hours or days. Only appears for Fixed vulnerabilities. Use this
filter along with the State filter set to Fixed for more accurate results.

Unsupported by Software found by this plugin is unsupported by the software's vendor

Vendor (for example, Windows 95 or Firefox 3).

VPR The Vulnerability Priority Rating Tenable calculated for the vulnerability.

Vulnerability The date when the vulnerability definition was first published (for
Published example, the date that the CVE was published).

Cloud

Cloud Misconfiguration Filters

Option Description

Filters

Account ID The unique identifier assigned to the asset resource in the cloud
service that hosts the asset on which a scan detected the finding.

ARN The Amazon Resource Name (ARN) for the asset on which a scan
detected the finding.

Asset ID The UUID of the asset on which a scan detected the finding. This
value is unique to Tenable Vulnerability Management.

Benchmark The benchmark associated with the finding.

Cluster The cluster associated with the finding.

Created Time The time and date when Tenable Vulnerability Management created

- 303 -
the asset record on which a scan detected the finding.

Criticality The criticality of the vulnerability finding.

Exists in Cloud Indicates whether the affected cloud resource exists in a cloud
environment.

Exists in IAC Indicates whether the affected asset was created via Infrastructure
as Code (IaC).

Finding ID The unique ID for the individual finding.

Note: You can view the ID for a finding by accessing the Findings
Details page for the findings and checking the page URL. The finding
ID is the alpha-numeric text that appears in the path between details
and asset.

First Seen The date when Tenable Vulnerability Management first scanned the
affected asset.

Found in Indicates whether or not the finding was discovered in a TF state.

TF State

First Seen The date when Tenable Vulnerability Management first scanned the
affected asset.

IaC Resource The Infrastructure as Code (IAC) resource type of the asset.
Type

IaC Type The Infrastructure as Code (IAC) type of the asset.

Ignored Indicates whether Tenable Vulnerability Management ignored the

policy violation when calculating the finding's severity.

Immutable Drift Indicates whether the asset has immutable drifts. For more
information, see Set up Drift Analysis in the Legacy Tenable Cloud
Security User Guide.

Is Attribute Specifies whether the asset is an attribute.

- 304 -
Last Fixed The date when the finding was last fixed.

Last Scan Time The date when a scan was last run against the finding.

Last Seen The date when Tenable Vulnerability Management last scanned the
affected asset.

Managed By The name of the person, group, or company that manages the
affected asset.

Policy Category The policy category associated with the finding.

Policy ID The unique ID for the cloud policy associated with the affected
asset.

Policy Name The unique ID for the cloud policy associated with the affected
asset.

Policy Type The unique ID for the cloud policy associated with the affected
asset.

Project The project associated with the finding.

Provider The third-party provider associated with the finding.

Region The cloud region where the affected asset runs.

Repositories Any code repositories associated with the affected asset.

Resource The category of the asset resource in the cloud service that hosts
Category the affected asset.

Resource ID The ID of the asset resource in the cloud service that hosts the
affected asset.

Resource Name The name of the asset resource in the cloud service that hosts the
affected asset.

Resource Type The type of the asset resource in the cloud service that hosts the
affected asset.

Result The outcome of the scan. Possible options are:

- 305 -
l Failed

l Passed

l Unknown

Rule ID The unique ID for the security rule for which the scanner found a
violation.

Rule Reference The reference ID for the security rule for which the scanner found a
ID violation.

Severity The vulnerability's CVSS-based severity. For more information, see

CVSS vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Source Line The source line associated with the finding.

Updated Time The time and date when the asset record was last updated.

Version The version associated with the finding.

VPC The unique identifier of the public cloud that hosts the AWS virtual
machine instance. For more information, see the Amazon Virtual
Private Cloud Documentation.

Host Audit Filters

Option Description

Filters

Asset ID The UUID of the asset where a scan detected the finding. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset on which the scanner performed an audit check.
This value is unique to Tenable Vulnerability Management.

Asset Tags Asset tags, entered in pairs of category and value (for example Network:
Headquarters). This includes the space after the colon (:). If there is a

- 306 -
comma in the tag name, insert a backslash (\) before the comma. If your
tag name includes double quotation marks (" "), use the UUID instead. You
can add a maximum of 100 tags.

For more information, see Tags.

Audit File The name of Audit file the scanner used to perform the audit. Audit files
are XML-based text files that contain the specific configuration, file
permission, and access control tests to be performed.

Audit Check The name Tenable assigned to the audit. In some cases, the compliance
Name control may be listed as the prefix within the name.

Benchmark Benchmarks are published best practices released from source

authorities, such as Center for Internet Security (CIS), United States
Defense Information Systems Agency (DISA), and Microsoft. This filter
provides a list of the supported benchmarks and the version of the
benchmark.

Benchmark The benchmark name.

Specification
Name

Benchmark The benchmark version.

Version
Note: Use this filter with the Benchmark filter.

Compliance There are a series of designations within the compliance frameworks that
Control Tenable calls controls. For example: CSF:[Link]-3, 800-53:AU-12c, STIG-
ID:WN10-AU-000045, and so on. This is a text-based field to filter on the
specific control(s).

Note: Use this filter in conjunction with the Compliance Framework filter.

Compliance There are a series of designations within compliance frameworks that

Family Name Tenable calls control. For example: ISO/IEC-27001:A.12.4.1, or CSF:[Link]-
1.

- 307 -
This filter groups the controls into families for easier and more efficient
queries. For example: A12 - Operations security or CSF:Detect.

Note: Use this filter in conjunction with the Compliance Framework filter.

Compliance Tenable audits configuration compliance with a variety of standards

Framework including GDPR, ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. This
filter allows searching based on the respective framework.

Control ID An ID that can correlate results with other results that meet a certain
benchmark recommendation. You can use this filter to identify checks in
the audit portal.

First Audited Identifies the first date the audit check was performed on the asset.

FQDNs The fully qualified domain names (FQDNs) for the asset.

IPv4 Address The IPv4 address for the affected asset. You can add up to 256 IP
addresses to this filter.

IPv6 Address The IPv6 address for the affected asset.

Last Audited Identifies the date of the most recent audit check performed on the asset.

Last Fixed The date when the finding was last fixed.

Last Seen The date when a scan last observed the finding.

Original Result The result from the initial audit.

Plugin ID The Nessus Plugin ID used to perform the audit check.

Plugin Name The Nessus Plugin Name used to perform the audit check.

Plugin Name The name of the plugin that identified the audit finding.

Result The current or modified result from the audit check.

Result Modified Rules can be created to accept or modify the results of an audit check.
This filter allows you to report modified results.

Severity The vulnerability's CVSS-based severity. For more information, see CVSS

- 308 -
vs. VPR.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

State The state of the vulnerability detected in the finding. Appears in the filters
plane by default, with Active, Resurfaced, and New selected. For more
information, see Vulnerability States.

Web Application Vulnerabilities Filters

Option Description

Asset ID The UUID of the asset where a scan detected the vulnerability. This value is
unique to Tenable Vulnerability Management.

Asset Name The name of the asset where the scanner detected the vulnerability. This
value is unique to Tenable Vulnerability Management.

This filter appears on the filter plane by default.

Bugtraq ID The Bugtraq ID for the plugin that identified the vulnerability.

CPE The Common Platform Enumeration (CPE) numbers for vulnerabilities that
the plugin identifies.

(200 value limit)

CVE The Common Vulnerability and Exposure (CVE) IDs for the vulnerabilities
that the plugin identifies.

(200 value limit)

CVSSv2 Base The CVSSv2 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

CVSSv2 Vector The raw CVSSv2 metrics for the vulnerability. For more information, see
CVSSv2 documentation.

CVSSv3 Base The CVSSv3 base score (intrinsic and fundamental characteristics of a
Score vulnerability that are constant over time and user environments).

- 309 -
CVSSv3 Vector More CVSSv3 metrics for the vulnerability.

CWE The Common Weakness Enumeration (CWE) for the vulnerability.

First Seen The date when a scan first found the vulnerability on an asset.

Input Name The name of the specific web application component that the vulnerability
exploits.

Input Type The web application component type (for example, form, cookie, header)
that the vulnerability exploits.

IPv4 Address The IPv4 address for the affected asset. You can add up to 256
IP addresses to this filter.

Last Fixed The date when the finding was last fixed.

Last Seen The date when a scan last observed the finding.

Original The vulnerability's CVSS-based severity when a scan first detected the
Severity finding. For more information, see CVSS vs. VPR.

OWASP 2010 The Open Web Application Security Project (OWASP) 2010 category for the
vulnerability targeted by the plugin.

OWASP 2013 The Open Web Application Security Project (OWASP) 2013 category for the
vulnerability targeted by the plugin.

OWASP 2017 The Open Web Application Security Project (OWASP) 2017 category for the
vulnerability targeted by the plugin.

OWASP 2021 The Open Web Application Security Project (OWASP) 2021 category for the
vulnerability targeted by the plugin.

OWASP The Open Web Application Security Project (OWASP) 2019 category for the
API 2019 API vulnerability targeted by the plugin. Possible options are:

l API1:2019 Broken Object Level Authorization

l API2:2019 Broken User Authentication

l API3:2019 Excessive Data Exposure

- 310 -
l API4:2019 Lack of Resources & Rate Limiting

l API5:2019 Broken Function Level Authorization

l API6:2019 Mass Assignment

l API7:2019 Security Misconfiguration

l API8:2019 Injection

l API9:2019 Improper Assets Management

l API10:2019 Insufficient Logging & Monitoring

Plugin The description of the Tenable plugin that identified the vulnerability.
Description

Plugin Family The family of the plugin that identified the vulnerability.

(200 value limit)

Plugin ID The ID of the plugin that identified the vulnerability.

(200 value limit)

Plugin The date on which the plugin was last modified.

Modification
Date

Plugin Name The name of the plugin that identified the audit finding.

Plugin The date on which the plugin that identified the vulnerability was published.
Published

Risk Modified The risk modification applied to the vulnerability's severity. Possible options
are:

l Recast

l Accepted

l None

For more information, see Recast/Accept Rules.

- 311 -
See Also Links to external websites that contain helpful information about the
vulnerability.

Severity The CVSS score-based severity. For more information, see CVSS Scores vs.
VPR in the Tenable Vulnerability Management User Guide.

This filter appears in the filters plane by default, with Critical, High,
Medium, and Low selected.

Solution A brief summary of how you can remediate the vulnerability.

State The state of the vulnerability detected in the finding. Appears in the filters
plane by default, with Active, Resurfaced, and New selected. For more
information, see Vulnerability States.

Url The complete URL on which the scanner detected the vulnerability.

This filter appears in the filters plane by default.

WASC The Web Application Security Consortium (WASC) category associated with
the vulnerability targeted by the plugin.

Group Your Findings

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, you can group your findings by specific attributes. You can group host
vulnerabilities, cloud misconfigurations, and web application findings, but you cannot group host
audit findings.

To group your vulnerability findings:

1. In the left navigation, click Findings.

The Findings workbench appears.

2. Do one of the following:

To group your host vulnerability findings...

- 312 -
a. Next to Group By, click one of the following:

l Asset — The name of the asset where a scan identified a vulnerability.

l Plugin — The name of the plugin that identified a vulnerability.

The system groups your findings by the selected attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Asset

Asset Name The name of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability
Management.

Asset Tags Asset tags for the affected asset. Hover over the first tag
to view any additional tags.

Last Seen The date and time when a scan last found the vulnerability
on the asset.

Asset IP The IPv4 or IPv6 address associated with the asset record.

Vulnerabilities A descriptive image that indicates vulnerability

percentages by CVSS-based severity for each set of
grouped findings. For more information, see CVSS vs. VPR.

Vuln Count The number of vulnerabilities that Tenable Vulnerability

Management identified on each set of grouped findings.

Critical The number of vulnerabilities with a critical CVSS-based

severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

High The number of vulnerabilities with a high CVSS-based

severity rating on each set of grouped findings. For more

- 313 -
information, see CVSS vs. VPR.

Plugin

Severity The CVSS-based severity score identified on each set of

grouped findings. For more information, see CVSS vs. VPR.

Name The name of the plugin that identified the vulnerability.

Family The family of the plugin that identified the vulnerability.

Plugin ID The ID of the plugin that identified the vulnerability.

Vuln Count The number of vulnerabilities that Tenable Vulnerability

Management identified on each set of grouped findings.

To group your cloud misconfiguration findings...

a. Next to Group By, click one of the following:

l Policy — The cloud policy associated with the affected asset.

Policy Group — The unique ID for the cloud policy associated with the affected
asset.

l Resource Type — The name of the cloud resource type (for example, a resource
group or virtual machine).

The Findings table displays your findings grouped by the selected attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Policy

Policy Name The name of the policy associated with the affected asset.

Severity The vulnerability's CVSS-based severity. For more

information, see CVSS vs. VPR.

- 314 -
Source The source of the policy. Possible values are:

l Cloud

l IaC (Infrastructure as Code)

Last Seen The last date the vulnerability was identified in a scan.

Count of Impacted The number of cloud resources the vulnerability impacts.

Resources

Policy Group

Policy ID The unique ID for the cloud policy associated with the
affected asset.

Severity The vulnerability's CVSS-based severity. For more

information, see CVSS vs. VPR.

Policy Group The group associated with the security policy that governs
the affected asset.

Exists in Cloud Indicates whether the affected cloud resource exists in a

cloud environment.

Exists in IAC Indicates whether the affected asset was created via
Infrastructure as Code (IaC).

Count of Impacted The number of cloud resources the vulnerability impacts.

Resources

Misconfiguration The number of misconfigurations that Tenable

Count Vulnerability Management identified on each set of
grouped findings.

Resource Type

Resource Type The CVSS-based severity score identified on each set of

grouped findings. For more information, see CVSS vs. VPR.

- 315 -
Count of Affected The number of cloud resources the vulnerability affects.
Resources

Count of Immutable The number of discrepancies between the running cloud

Drift environment on which the affected resource runs and the
Infrastructure as Code (IaC) that was used to deploy it.

Misconfiguration The number of misconfigurations that Tenable

Count Vulnerability Management identified on each set of
grouped findings.

To group your web application findings...

a. Next to Group By, click one of the following:

l Asset — The unique name for the web application associated with the affected
asset.

l Plugin — The ID of the web application resource type (for example, a resource
group or virtual machine).

The web application findings table appears with your findings grouped by the selected
attribute.

b. View the following details about your grouped findings. These vary depending on the
attribute you select:

Column Description

Asset

Asset Name The name of the asset where a scan detected the
vulnerability. This value is unique to Tenable Vulnerability
Management.

Vulnerabilities A descriptive image that indicates vulnerability

percentages by CVSS-based severity for each set of
grouped findings. For more information, see CVSS vs. VPR.

- 316 -
Critical The number of vulnerabilities with a critical CVSS-based
severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

High The number of vulnerabilities with a high CVSS-based

severity rating on each set of grouped findings. For more
information, see CVSS vs. VPR.

Vuln Count The number of vulnerabilities that Tenable Vulnerability

Management identified on each set of grouped findings.

Last Seen The date and time when a scan last found the vulnerability
on the asset.

Actions The actions you can perform with each set of grouped
findings.

Plugin

Severity The CVSS-based severity score identified on each set of

grouped findings. For more information, see CVSS vs. VPR.

Name The name of the plugin that identified the vulnerability.

Family The family of the plugin that identified the vulnerability.

CVSSv2 Base Score The CVSSv2 base score (intrinsic and fundamental
characteristics of a vulnerability that are constant over
time and user environments).

Note: Based on your severity metric settings, this parameter

may display CVSSv3 base scores. For more information, see
General Settings.

Plugin ID The ID of the plugin that identified the vulnerability.

Asset Count The number of assets that Tenable Vulnerability

Management identified on each set of grouped findings.

- 317 -
Vuln Count The number of vulnerabilities that Tenable Vulnerability
Management identified on each set of grouped findings.

Actions The actions you can perform with each set of grouped
findings.

Create Recast Rules from Findings

On the Findings workbench in Vulnerabilities or Host Audits, you can create rules to change the
status of findings or hide them. You can also create rules from Settings > Recast, as
described in Create Recast Rules from Settings.

Tip: To learn more about when to create rules and how to manage them, see Recast Rules.

Create a Recast or Accept Rule

To create a Recast or Accept rule:

1. In the left navigation, click Findings.

The Findings workbench appears.

2. Click the Vulnerabilities tab.

A table of results containing your host vulnerabilities appears.

3. In the Actions column for the finding to target, click .

A drop-down appears.

4. In the drop-down, click Recast.

A plane of options appears. Set these options as follows:

Option Description

Action Click Accept or Recast. To learn about these rule types, see About
Recast and Accept Rules.

Vulnerability Type the Tenable Plugin ID for the vulnerability, for example 70658.

- 318 -
Plugin ID

New Severity (Recast rules only) Select the severity you want to change the
corresponding vulnerability to, for example Low.

Targets Select All or Custom. If the rule will override other rules, a warning
appears. The most recently created rule trumps other rules.

Target Hosts For Custom targets, enter up to 1000 comma-separated IPv4

addresses or ranges, hostnames, Classless Inter-Domain Routing
(CIDR) notations, or fully qualified domain names (FQDNs).

Caution: If you target findings by IP address and have multiple networks,

the rule matches findings on all your networks. For more information, see
Networks.

Expires Select After or Exact Date. Then, type a number of days or a date
when the rule will expire.

Comments Type comments to provide rule details.

Report as False (Optional) (Accept rules only) Turn on this toggle when a plugin
Positive to generates inaccurate findings and you want Tenable to review the
Tenable results.

5. Click Save.

The system processes the rule, which may take time if many findings are targeted. When
complete, the the Findings workbench is updated and the rule appears in Settings >
Recast.

Create a Change Result or Accept Rule

Caution: For best performance, the system supports a maximum of 5000 Change Result and Accept rules
in each container, total.

To create a Change Result or Accept rule:

- 319 -
1. In the left navigation, click Findings.

The Findings workbench appears.

2. Click the Host Audits tab.

A table of results containing your host audit findings appears.

3. In the Actions column for the finding to target, click .

A drop-down appears.

4. Click Add Recast Rule.

A plane of options appears. Set these options as follows:

Option Description

Action Click Accept or Change Result. To learn about these rule types, see
About Change Result and Accept Rules.

Category Select a category for the new rule, for example, Windows.

Audit File Select an audit file to run against your assets, for example, CIS_MS_
Windows_11_Enterprise_Level_1_v1.[Link].

Audit Name Type an audit name, for example, 9.3.1 Ensure 'Windows Firewall: Public:
Firewall state' is set to 'On (recommended)'.

Original Select the original result of the host audit, for example, Failed.
Result

New Result (Change Result rules only) Select the result to change the targeted
findings to.

Targets (Optional) Select Custom. If the rule will override other rules, a warning
appears. The most recently created rule trumps other rules.

Target Hosts For Custom targets, type a comma-separated list of IPv4 addresses or
ranges, hostnames, Classless Inter-Domain Routing (CIDR) notation, or
fully qualified domain names (FQDNs). The system supports up to 100
items.

- 320 -
Expires (Optional) Select After or Exact Date. Then, type a number of days or a
date when the rule will expire.

Comments Type comments to provide rule details.

5. Click Save.

The system processes the rule, which may take time if many findings are targeted. When
complete, the the Findings workbench is updated and the rule appears in Settings >
Recast.

Generate a Findings Report

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

On the Findings workbench, you can build a report about the vulnerabilities in your environment.
You can also schedule this report and email it.

Note: You can only generate reports for vulnerabilities findings. These reports must contain less than 10,000
findings.

Note: You cannot run more than 50 reports at a time.

To generate a report:

1. In the left navigation, click Findings.

The Findings workbench appears.

2. (Optional) Using a maximum of five filters, refine the list of findings, as described in Use
Filters.

3. Select the check boxes next to the findings to report on.

The action bar appears.

4. In the action bar, click Generate Report.

The Generate Report plane appears.

- 321 -
Option Description

Name (Optional) Type a name for the report.

Templates Select a template for the report. Choose from the following templates:

l Host Findings Executive Summary Report — Summarizes

severity levels for the vulnerabilities you are reporting on, as well
as the criticality, last scan time, and port count of the associated
assets.

l Host Findings Vulnerability Details by Plugin — Details the

vulnerabilities you are reporting on by plugin.

l Host Findings Vulnerability Details by Asset — Details associated

assets for the vulnerabilities you are reporting on.

Schedule Turn on the Schedule toggle to schedule the report:

a. In the Start Date and Time section, choose the date and time
when the report will run.

b. In the Time Zone drop-down, choose a time zone.

c. In the Repeat drop-down, choose the cadence on which you want

the report to repeat (for example, daily).

d. In the Repeat Ends drop-down, choose the date when the report
will stop running.

Add (Optional) Type the emails where you want Tenable Vulnerability
Recipients Management to send the finished report.

Password (Optional) Enable this toggle to password-protect your report with AES
Protection 128-bit encryption. In the Encryption Password field, type a password
to provide to the recipients.

5. Click Generate Report.

A confirmation message appears and the system starts to build the report. Click the link in the
message to view the report. Or, go to the Reports > Report Results page.

- 322 -
Solutions
Tenable provides recommended solutions for all vulnerabilities on your network. You can sort
recommended solutions by VPR to identify your highest priority solutions, then drill into the solution
details to understand the steps to address the vulnerability on your network.

Note: You cannot view solution details without a Tenable Lumin license. For more information, see
Welcome to Tenable Lumin.

View Solutions
Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable provides recommended solutions for all vulnerabilities on your network. You can sort
recommended solutions by Vulnerability Priority Rating (VPR) to identify your highest priority
solutions, then drill into the solution details to understand the steps to address the vulnerability on
your network.

Addressing a vulnerability instance lowers your CES and AES metrics.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely
by plugin ID, port, and protocol.

To view solutions in the new interface:

1. In the left navigation, click Solutions.

The Solutions page appears.

2.
Note: All Tenable Lumin data reflects all assets within the organization's Tenable Vulnerability
Management instance.

On this page, you can:

Section Action

- 323 -
Filters Filter the data displayed in the table.

Saved l Load or edit an existing saved search.

Searches l Save a new saved search.
drop-down
box

Export Export a solution as a .csv file.

Solutions l View information about each solution.

table l Solution — A description for the solution.

l Assets Affected — The total number of assets affected by

the vulnerabilities addressed by the solution.

l CVE Count — The CVEs included in the solution.

l VPR — The highest VPR for the vulnerabilities addressed by

the solution.

l CVSS — The highest CVSSv2 score (or CVSSv3 score, when

available) for the vulnerabilities addressed by the solution.

l To view details for a solution, click a solution row.

The Solution Details page appears. For more information, see

Solution Details.

l To sort, increase or decrease the number of rows per page, or

navigate to another page of the table, see Tenable Vulnerability
Management Tables.

Solutions Filters

Required Additional License: Tenable Lumin

On the Solutions page, you can filter vulnerabilities using Tenable-provided filters and filters based
on asset tags.

Tenable-provided Filters

- 324 -
Tenable Vulnerability Management provides the following solutions filters:

Filter Description

ACR Score The ACR of assets associated with the solution.

ACR Severity The ACR severity of assets associated with the solution.

AES Severity The AES severity of assets associated with the solution.

Asset Count The number of assets impacted by the solution.

Asset ID The UUID of assets associated with the solution. This value is unique to
Tenable Vulnerability Management.

CVE Count The Common Vulnerability and Exposure (CVE) count associated with the
solution.

CVSS The Common Vulnerability Scoring System (CVSS) score of vulnerabilities

associated with the solution.

CVSS Severity The Common Vulnerability Scoring System (CVSS) severity of vulnerabilities
associated with the solution.

Family The plugin family associated with the solution.

Hostname The hostname of the asset associated with the solution.

Note: Ensure the search query does not end in a period.

License Status The licensing status of assets associated with the solution.

Solution A brief summary of how you can remediate the vulnerability.

VPR The Vulnerability Priority Rating (VPR) of vulnerabilities associated with the
solution.

VPR Severity TheVulnerability Priority Rating (VPR) severity of vulnerabilities associated

with the solution.

Tag Filters

- 325 -
In Tenable Vulnerability Management, tags allow you to add descriptive metadata to assets that
helps you group assets by business context. For more information, see Tags.

In the Category drop-down box for a filter, your organization's tags appear at the bottom of the list,
after the Tenable-provided filters.

Export Solutions

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In the new interface, the export feature allows you to export solution data .csv file format.

To export solutions as a .csv file:

1. In the left navigation, click Solutions.

The Solutions page appears.

2. In the upper-right hand corner, click Export.

The Export plane appears.

3. View the selected format for the export: CSV.

4. Click the check box next to the Data option you want included in the export file.

Data Description

Solutions Includes solutions data.

Details Includes solutions data and data for assets affected where Tenable
recommends the solutions.

5. Click Export.

Tenable Vulnerability Management begins processing the report. Depending on the size of the
exported data, Tenable Vulnerability Management may take several minutes to process the
report.

- 326 -
When processing completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

6. Access the export file via your browser's downloads directory.

View Solution Details

Required Additional License: Tenable Lumin

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can use this page to view details for a solution, including asset and vulnerability information.

To view solution details in the new interface:

1. In the left navigation, click Solutions.

The Solutions page appears.

2. Click a solution row.

The Solution Details page appears.

On this page, you can:

Section Action

Summary panel

Metrics summary View summary statistics for the recommended solution.

l Assets Affected — The total number of assets affected by the

vulnerabilities addressed by the solution.

l CVE Count — The total number of CVEs included in the

solution.

l CVE Instances — The total number of vulnerabilities

addressed by the solution.

- 327 -
l VPR — The highest VPR for a vulnerability included in the
solution.

l CVSS V2/V3 Base Score — The highest CVSSv2 score (or

CVSSv3 score, when available) for the vulnerabilities
addressed by the solution.

Vulnerabilities l View all vulnerabilities addressed by the solution.

Included (#) table l Identifier — The vulnerability identifier: the CVE (if
available), the TVI, or the plugin ID.

l VPR — The VPR for the vulnerability.

l CVSS — The CVSSv2 score (or CVSSv3 score, when

available) for the vulnerability.

l Assets Affected — The total number of assets affected

by the vulnerability.

l To view details about a vulnerability, click a vulnerability row.

The vulnerability details plane appears. On this plane, you can:

l View a summary of the vulnerability.

l View information about the key drivers Tenable used to

calculate the VPR for this vulnerability.

l View a graph that shows the VPR adjustments over the

past 30 days, compared to the static CVSSv2 score (or
CVSSv3 score, when available).

l View additional information about the vulnerability,

including the TVI.

l To navigate to another page of the table, see Tenable

Vulnerability Management Tables.

Assets Affected tab

- 328 -
ACR tiles View the ACR severity tiles, which summarize the number of
affected assets in the Low, Medium, High, or Critical, or
Unclassified ACR category.

Assets Affected l View asset information.

table l Asset —

The asset identifier, assigned based on the availability

of specific attributes in logical order.

l IP — The asset's IP address.

l ACR — The asset's ACR.

l CVE Count — The total number of CVEs on the asset.

l OS — The asset's operating system.

l Detection Source — The scanner type that first scanned

the asset.

l To view details for an asset, click an asset row.

The Asset Details page appears. For more information, see

View Asset Details.

l To filter the assets displayed in the table, see Filter a Table.

Tenable Vulnerability Management refreshes the table.

l To sort, increase or decrease the number of rows per page, or

navigate to another page of the table, see Tenable
Vulnerability Management Tables.

- 329 -
Scans
You can create, configure, and manage scans in Tenable Vulnerability Management.

Section Description

Manage Scans Create, import, and launch scans. View and manage scans and scan
results.

Scans (Unified Create, launch, and manage Tenable Vulnerability Management and
Configuration) Tenable Web App Scanning scans in the Tenable Vulnerability
Overview Management unified user interface.

Scan Templates Use a Tenable-provided scanner template, agent template or a user-

and Settings defined template to configure scan settings.

Sensors Link your sensors, such as Tenable Nessus scanners, Tenable Nessus
Agents, and Tenable Nessus Network Monitors, to Tenable Vulnerability
Management.

Note: For information about scanning in Tenable Web App Scanning, see the Tenable Web App Scanning
Getting Started Guide.

Manage Scans
To manage your Tenable Vulnerability Management and Tenable Web App Scanning scans in the
unified Scans user interface, see Scans Overview.

To manage your Tenable Web App Scanning scans in Tenable Web App Scanning, see the Tenable
Web App Scanning Getting Started Guide.

Scans Overview
The Scans page allows you to create, launch, and configure Tenable Vulnerability Management
scans and Tenable Web App Scanning scans.

Many of the Scans workflows and procedures are similar to the legacy Vulnerability Management >
Scans and Web App Scanning > Scans pages, but we have provided updated help topics that match
the new Scans user interface:

- 330 -
Create a Scan
In Tenable Vulnerability Management, you can create scans using scan templates. For general
information about templates and settings, see Scan Templates and Settings.

When you create a scan, Tenable Vulnerability Management assigns you owner permissions for the
scan.

Tip: To quickly target specific vulnerabilities that previous scans have identified on your assets, create a
Tenable Vulnerability Management remediation scan.

Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards,
reports, and workbenches intentionally. This is due to the scan's paranoid nature, which may lead to false
positives that Tenable Vulnerability Management would otherwise not detect. For more information, see
Tenable PCI ASV Scans.

Note: If you are scanning a Linux machine with Tenable Vulnerability Management, the Linux machine's
shell configuration file must have a PS1 variable of four or more characters (for example, PS1='\u@\h:~\$
'). Having a PS1 variable of less than four characters (for example, PS1='\$ ') can drastically increase the
overall scan time.

Before you begin:

l (Optional) View Tenable Vulnerability Management scan limitations.

l If you want to create a scan from a user-defined template, create a user-defined template as
described in Create a User-Defined Template.

l Create an access group for any targets you want to use in the scan and assign Can Scan
permissions to the appropriate users.

To create a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

This also determines whether you are creating a Tenable Vulnerability Management or Tenable
Web App Scanning scan.

- 331 -
3. In the upper-right corner of the page, click the Create a Scan button.

The Select a Scan Template page appears.

4. Do one of the following:

l If you are creating a Tenable Vulnerability Management scan, use the following
procedure:

a. Click the Nessus Scanner, Nessus Agent, or User Defined tab to view available
templates for your scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings Configure the settings available in the scan

template.

l Basic Settings — Specifies the organizational

and security-related aspects of a scan
template. This includes specifying the name of
the scan, its targets, whether you want to
schedule the scan, and who has permissions
for the scan.

l Discovery Settings — Specifies how a scan

performs discovery and port scanning.

l Assessment Settings — Specifies how a scan

identifies vulnerabilities, as well as what

- 332 -
vulnerabilities are identified. This includes
identifying malware, assessing the
vulnerability of a system to brute force
attacks, and the susceptibility of web
applications.

l Report Settings — Specifies whether the scan

generates a report.

l Advanced Settings — Specifies advanced

controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Compliance/SCAP Specify the platforms you want to audit. Tenable,

Inc. provides best practice audits for each platform.
Additionally, you can upload a custom audit file.

Plugins Select security checks by plugin family or individual

plugin.

d. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option
is not available.

Note: If you are editing an imported scan, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

l If you are creating a Tenable Web App Scanning scan, use the following procedure:

- 333 -
a. Click the Web Application or User Defined tab to view available templates for your
scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings Configure the settings available in the scan template. For

more information, see Basic Settings in Tenable Web App
Scanning Scans.

Scope Specify the URLs and file types that you want to include in
or exclude from your scan. For more information, see
Scope Settings in Tenable Web App Scanning Scans.

Assessment Specify how a scan identifies vulnerabilities and what

vulnerabilities the scan identifies. This includes identifying
malware, assessing the vulnerability of a system to brute
force attacks, and the susceptibility of web applications.
For more information, see Assessment Settings in Tenable
Web App Scanning Scans.

Advanced Specify advanced controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Plugins Select security checks by plugin family or individual plugin.

d. Do one of the following:

- 334 -
l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option
is not available.

Note: If you are editing an imported scan, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

View Scans

Required Scan Permissions: Can View

Tenable Vulnerability Management defines Archived as any individual scan results that are older
than 35 days. For scan results that are younger than 35 days, you can view and export the results in
Tenable Vulnerability Management. For archived scan results, you can export the results, but cannot
view them in Tenable Vulnerability Management. This limitation applies to both imported scan
results and scan results that Tenable Vulnerability Management collects directly from scanners.
After 15 months, Tenable Vulnerability Management removes the scan data entirely.

You can view configured and imported scans. If you have appropriate permissions, you can also
perform actions to manage the scans.

Before you begin:

l Create or import one or more scans.

To view scans in the Scans section:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

- 335 -
The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. Do any of the following:

Section Action

Search box Search the table by scan name or status. For more information, see
Tenable Vulnerability Management Tables.

Filter Filter the table with Tenable-provided scan filters.

Create In the upper-right corner, click the Create Scan button to create a new
Scan scan.
button

Tools In the upper-right corner, click the Tools button. A menu appears with
button the following options:

l Import Scan (Tenable Vulnerability Management scans only)

l Manage Sensors

l Manage Credentials

l Manage Exclusions

Scans l View summary information about each scan:

table l Name — The scan name.

If you have assigned permissions for the scan to other users,

the label Shared appears next to the scan name.

l Schedule — The scan schedule.

l Last Modified — (Tenable Web App Scanning scans only) The

date and time the scan was last modified.

l Last Run — The date and time the scan was last run.

l Status — The status of the scan.

- 336 -
l Sort, increase or decrease the number of rows per page, or navigate
to another page of the table. For more information, see Tenable
Vulnerability Management Tables.

l View details for a scan.

l Launch a scan.

l Change the read status for a scan.

l Export scan results.

l Move a scan to the trash.

l Delete a scan permanently.

l Move a scan to a different folder.

View Scan Details

Required Scan Permissions: Can View

You can view scan results for scans you own and scans that were shared with you.

Consider the following when viewing scan results:

l You can view details for an individual scan based on the permissions configured for the scan.
However, when you view aggregated scan results in dashboards and other analysis views (for
example, the Vulnerabilities or Assets tables), your access is based on the access groups you
belong to.

l Tenable Vulnerability Management defines Archived as any individual scan results that are
older than 35 days. For scan results that are younger than 35 days, you can view and export
the results in Tenable Vulnerability Management. For archived scan results, you can export the
results, but cannot view them in Tenable Vulnerability Management. This limitation applies to
both imported scan results and scan results that Tenable Vulnerability Management collects
directly from scanners. After 15 months, Tenable Vulnerability Management removes the scan
data entirely.

l When you view results from the latest run of the scan, Tenable Vulnerability Management
categorizes the scan as Read. The Read status is specific to your user account only. You can

- 337 -
also manually change the read status.

l Tenable Vulnerability Management retains scan data for 15 months. If you want to store scan
data for longer than 15 months, you can export the scan data for storage outside of Tenable
Vulnerability Management.

l You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

To view scan details for an individual scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scan table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

5. Do any of the following:

Section Action

Scan Actions menu l Launch a scan.

l Edit a scan configuration.

l Export scan results.

l Move a scan to a different folder.

l Change the read status for a scan.

l Delete a scan permanently.

l Copy a scan.

l Move a scan to the trash.

- 338 -
See All Details button Click the See All Details button to open the Scan
Details page and view the scan's vulnerabilities and
affected assets, target information, and scan history.
You can also use the Scan Details page to export the
scan, edit the scan configuration, move the scan to the
trash folder, and submit the scan for PCI validation.

The scan details page includes the following features

and information:

Table header
l (Rollover scans only) Download a list of a rollover
scan's remaining targets.

l Export the currently visible scan results.

l Edit the scan configuration.

l Move a scan to the trash folder.

Severity summaries
The number of vulnerabilities with a Critical, High,
Medium, and Low severity in the scan results.

Scan Details section

View details about the scan run:

l Status — The status of the scan.

l Start Time — The start date and time for the

scan.

l Template — The Tenable-provided template on

which the scan configuration is based.

l Scanner — The scanner that performed the scan.

l Scanner Groups — The scanner group or groups

- 339 -
to which Tenable Vulnerability Management
assigned the scan. This detail appears only if
scan routing is enabled for the scan.

l Targets — The targets that the scan evaluated.

Vulns by Plugin tab

View the vulnerabilities in the scan results, organized
by plugin.

Note: This tab does not appear for scan results older
than 35 days.

l View information about each vulnerability:

l Severity icon — The severity of the

vulnerability.

l Name — The name of the plugin that

identified the vulnerability.

l Family — The family of the plugin that

identified the vulnerability.

l Instances — The number of vulnerability

instances.

Tip: A vulnerability instance is a single

instance of a vulnerability appearing on an
asset, identified uniquely by plugin ID, port,
and protocol.

l To filter the data displayed in the table, see Filter

a Table.

l To sort, increase or decrease the number of rows

per page, or navigate to another page of the
table, see Tenable Vulnerability Management

- 340 -
Tables.

l To view details for a vulnerability, click a row of

the table.

The Vulnerability Details page appears. For more

information, see Vulnerability Details.

Audit tab
View compliance audit check results. This tab only
appears if the scan results include data from
compliance audit checks.

Tip: This tab does not appear for scan results older than
35 days.

On this tab, you can view:

l View tiles representing the number of audit

checks identified the last time the scan was
completed organized by severity level.

l View a table of audits detected during the scan.

Each row represents a specific audit, and
includes the following information:
o Status — The status of the audit, for
example Passed, Warning, or Failed.
o Name — The name of the compliance
check.
o Family — The compliance check family to
which the audit belongs.
o Count — The number of times the audit was
identified.

l To view additional information about a specific

- 341 -
audit check, click a row in the audits table.

The Audit Details page appears.

l Overview — Information about the audit

check, including a description of the check
and the audit file used for the check.

l Assets — A list of assets where the scan

performed the audit check.

Summary tab
(Rule-based scans only) Shows the scan's description,
triggers, an explanation of rule-based scanning, and a
link to the vulnerabilities workbench.

Vulns by Asset tab

View the vulnerabilities in the scan results, organized
by asset. By default, assets in the table are sorted by
decreasing number of vulnerabilities, then by
decreasing severity.

Tip: This tab does not appear for scan results older than
35 days.

l View information about each vulnerability:

l Assets — The asset identifier. Tenable

Vulnerability Management assigns this
identifier based on the presence of certain
asset attributes in the following order:
o Agent Name (if agent-scanned)
o NetBIOS Name
o FQDN

- 342 -
o IPv4 address

For example, if scans identify a NetBIOS

name and an IPv4 address for an asset, the
NetBIOS name appears as the Asset Name.

l Vulnerabilities — A visual summary of the

vulnerabilities on the asset, organized by
severity.

l Vuln Count — The total number of

vulnerabilities on the asset.

l Critical — The total number of

vulnerabilities on the asset with a critical
severity.

l High — The total number of vulnerabilities

on the asset with a high severity.

l Audits — A visual summary of the audits on

the vulnerability, organized by severity.

l Audit Count — The total number of audits

on the asset.

l To filter the data displayed in the table, see Filter

a Table.

l To sort, increase or decrease the number of rows

per page, or navigate to another page of the
table, see Tenable Vulnerability Management
Tables.

l To view details for an asset, click a row of the

table.

The Asset Details page appears. For more

information, see View Legacy Workbench Asset

- 343 -
Details.

Warnings tab
View warnings about problems Tenable Vulnerability
Management or the scanner encountered while running
the scan. This tab only appears if Tenable Vulnerability
Management or the scanner encountered an issue
while running the scan. This tab does not appear for
scan results older than 35 days.

Review the warnings to determine how to resolve the

scan problem. For example, if an Invalid Target note is
present, check the target parameters in the scan
configuration.

Tip: In the scan warnings table header, click

Download All Warnings to download a JSON file of all the
scan result's warnings. The button is not shown if the
scan was archived.

Remediations tab
View remediation details.

Note: The Remediation tab only appears if there are

known remediations for the scan.

This tab contains a table listing each remediation

action. On this tab, you can view:

l Vulnerabilities — The number of vulnerabilities

resolved by the recommended remediation.

l Assets — The number of assets scanned.

History tab
View the scan history.

- 344 -
This tab contains a table listing each time the scan has
run. For the scan run currently displaying in the Scan
Details page, Tenable Vulnerability Management adds
the label Current to the run. By default, the latest scan
run is labeled Current.

Note: Scan history is unavailable for imported scans,

configured scans that have not yet run, and triggered
scans.

Note: For triggered scan histories, Tenable Vulnerability

Management shows a scan history entry for each 12-hour
window of the past 7 days. Tenable Vulnerability
Management only retains up to 15 triggered scan
histories at a time for each scan.

On this tab, you can:

l View summary information about each time the

scan was run:

l Start Time — The start date and time for

the scan.

l End Time — The end date and time for the

scan.

l Duration — The duration of the scan .

l Status — The status of the scan.

l Filter the data displayed in the table.

l Sort, increase or decrease the number of rows

per page, or navigate to another page of the
table. For more information, see Tenable
Vulnerability Management Tables.

l View details for a historical scan by clicking a row

- 345 -
in the table.

Tenable Vulnerability Management marks the run

you selected as Current and updates the Scan
Details section to show data for the selected run.

If the historical scan results are younger than 35

days, Tenable Vulnerability Management also
updates the tabs on the Scan Details page.

If the historical scan results are older than 35

days, the additional tabs are absent from the
Scan Details page. Use export instead to obtain
the results.

Activity section A history of the scan's activity.

In this section, you can view the date and time when
the scan Started, Completed, and when it was
Modified, Canceled, or manually Aborted.

Vulnerabilities by The number of vulnerabilities with a Critical, High,

Severity/VPR Breakdown Medium, and Low severity in the scan results.
section

Scan Duration section The amount of time elapsed between the start and end
of the scan.

Targets section The number of targets scanned.

Type section The scan type.

Template section The scan template used.

Schedule section The scan schedule.

View Scan Vulnerability Details

You can view a scan's vulnerability details by plugin or by asset (Tenable Vulnerability Management
scans only) from the Scans section.

To view a scan's vulnerability details from the Scans section:

- 346 -
1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

5. In the scan details plane, click the See All Details button.

The Scan Details page appears. The Vulns by Plugin tab shows by default.

6. If you would rather view vulnerabilities by the affected asset, click the Vulns by Asset tab.

The vulnerabilities by asset table appears.

Note: You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

7. From either the Vulns by Plugin tab or the Vulns by Asset tab, do one of the following:

l Filter the plugins table by vulnerability attributes.

l Search the plugins table.

l View the number of plugin results, next to the Search box.

l On the Vulns by Plugin tab, click a vulnerability to view its details. For more information,
see View Finding Details.

l On the Vulns by Asset tab, click an asset row to view its vulnerability details. For more
information, see View Asset Details.

Scan Filters

On the Scans page, you can filter scans using Tenable-provided filters. The Tenable Vulnerability
Management scan view allows you to filter by scan status, and the Tenable Web App Scanning scan
view allows you to filter by multiple values.

- 347 -
Filter Description

Status The status of the scan. For more information about

scan statuses, see Scan Status.

Created Date (Tenable Web App The date the scan configuration was created.
Scanning scans only)

Description (Tenable Web App The description of the scan configuration.

Scanning scans only)

Finalized Date (Tenable Web App The date on which the scan last completed.
Scanning scans only)

Last Modified Date (Tenable Web App The date on which the scan configuration was last
Scanning scans only) modified.

Last Scanned Date (Tenable Web App The date on which the scan was last ran.
Scanning scans only)

Name (Tenable Web App Scanning The name of the scan configuration.
scans only)

Schedule (Tenable Web App Scanning Whether a scan schedule is enabled or on demand.
scans only)

Target (Tenable Web App Scanning The target URL used to launch the scan.
scans only)

Template (Tenable Web App The Tenable-provided scan template the scan
Scanning scans only) configuration was based on.

User Template (Tenable Web App The user-defined scan template the scan
Scanning scans only) configuration was based on.

Launch a Scan
In addition to configuring a scan's Schedule settings to launch the scan at scheduled times, you can
launch a scan manually. You can only launch a new scan when the previous scan has the Completed,
Aborted, or Canceled status (for more information, see Scan Status).

- 348 -
To launch a standard scan manually, see Launch a Scan.

Alternatively, you can launch a rollover scan to scan the remaining targets of a previous scan that
ended prematurely (for more information, see Launch a Rollover Scan). You can also launch a
remediation scan to run a follow-up scan against existing scan results (for more information, see
Launch a Remediation Scan).

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

Launch a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

Use the following steps to launch a scan manually. You can launch the scan using the targets as
configured in the scan, or you can launch the scan with custom targets that override the configured
targets.

To launch a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. In the scans table, roll over the scan you want to launch.

- 349 -
The action buttons appear in the row.

5. Do one of the following:

l To launch the scan using the targets as configured in the scan, click the button in the
row.

l If you have previously launched the scan and want to use custom targets that override
the configured targets:

a. In the row, click the button.

The Custom Launch Scan plane opens.

b. In the Targets box, type a comma-separated string of targets.

c. Click Launch.

Tenable Vulnerability Management launches the scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Rollover Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

When you launch a rollover scan, the scan runs only against targets and hosts that Tenable
Vulnerability Management did not scan previously. This happens when a scan ends before scanning
all the assigned targets, which can occur when:

l A user manually stops the scan

l The scan times out due to the Scan Window setting

l The scanner aborts scan tasks or does not initialize properly

In some cases, you may see Completed scans that you can perform rollover scans for. This
indicates that even though all the assigned targets were scanned, some individual scan tasks may
have failed.

- 350 -
Rollover scans allow you to achieve complete scan coverage for all your assets, and you can use the
rollover feature to split up large, network-impacting scans. You can launch a rollover scan from
Scans page. Tenable Vulnerability Management marks scans that you can launch a rollover scan for
in the scan table with the Rollover tag in the Name column.

To view the remaining targets that the rollover scan will run against, see Download Rollover Targets.
If you want to restart the scan and rescan all the targets, see Launch a Scan.

Note: You cannot launch rollover Web Application scans.

To launch a rollover scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. In the scans table, roll over the scan you want to launch.

5. In the row, click the button.

A menu appears.

6. Click the Launch Rollover option.

Tenable Vulnerability Management launches the rollover scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Remediation Scan

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

- 351 -
You can create a remediation scan to run a follow-up scan against existing scan results. A
remediation scan evaluates a specific plugin against a specific scan target or targets where a
vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan
targets have been successful. If a remediation scan cannot identify a vulnerability on targets where
the vulnerability was previously identified, the system changes the status of the vulnerability to
Fixed.

You can perform remediation scans for scan results from certain sensors only:

Sensor Type Supported?

Tenable Vulnerability Management Cloud Sensor yes

On-premises Tenable Nessus yes

Tenable Nessus scanner for Amazon Web Services (AWS) yes

Tenable Web App Scanning no

Tenable Nessus Network Monitor no

Tenable Nessus Agent no

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

- 352 -
1. Set the scope for the remediation scan:

Remediation Scan
Action
Scope

All vulnerabilities on This scope is not supported.

all affected assets

All vulnerabilities on To set this scope:

an individual asset
a. View asset details.

b. On the asset details page, click the Findings tab.

The Findings tab appears.

c. In the ribbon of the Findings table (next to the

Vulnerability/Host Audit drop-down menu), select the blank
checkbox to select all vulnerabilities.

d. In the ribbon of the Findings table, click Launch

Remediation Scan.

All vulnerabilities on This scope is not supported.

multiple assets

An individual To set this scope:

vulnerability on an
a. View asset details.
individual asset
b. On the asset details page, click the Findings tab.

The Findings tab appears.

c. In the Findings table, select the checkbox next to the

vulnerability you want to select.

d. In the ribbon of the Findings table, click Launch

Remediation Scan.

Multiple This scope is not supported.

- 353 -
vulnerabilities on all
affected assets

Multiple To set this scope:

vulnerabilities on an
a. View asset details.
individual asset
b. On the asset details page, click the Findings tab.

The Findings tab appears.

c. In the Findings table, select the checkbox next to each

vulnerability you want to select.

d. In the ribbon of the Findings table, click Launch

Remediation Scan.

Multiple This scope is not supported.

vulnerabilities on
multiple assets

An individual finding To set this scope:

a. View findings details for a host vulnerability finding or web

application vulnerability finding.

b. On the findings details page, in the upper-right corner, click

the Actions button.

The actions menu appears.

c. In the actions menu, click Launch Remediation Scan.

The Create a Scan - Remediation Scan appears.

Tenable Vulnerability Management automatically creates the remediation scan from the
Tenable-provided Advanced Network Scan template and populates certain settings based on
the assets and vulnerabilities you selected.

2. On the Create a Scan page:

- 354 -
a. Verify the settings that Tenable Vulnerability Management populated based on the
vulnerabilities and assets you selected.

b. Configure additional settings for the scan.

The number of manual changes you must make depends on the plugins involved in the
remediation scan.

The following table defines the inherited and default values for settings in the remediation
scan.

Setting
Setting Remediation Scan Value
Category

Basic Name Specifies an editable scan name in the format

"Remediation scan of plugin # number" where
number is the number of the plugin that identified
the vulnerability.

Folder Cannot be configured. Remediation scans appear

in the Remediation Scans folder only.

Scanner Specifies the scanner that performs the scan.

The scanner you select depends on the location

of the targets included in the remediation scan.
For example:

l By default, this value is the cloud scanner

for your geographical region (for example,
US Cloud Scanner). However, a cloud
scanner cannot scan non-routable IP
addresses. If the scan targets include non-
routable IP addresses, select a linked
scanner instead.

l Select a scanner group if you want to:

o Improve scan speed by balancing the

- 355 -
scan load among multiple scanners.
o Rebuild scanners and link new
scanners in the future without having
to update scanner designations in
scan configurations.

Network (Required if the scanner is set to Auto-Select) Do

one of the following:

l If your scans involve separate environments

with overlapping IP ranges, select the
network that contains the scanner groups
that you configured for scan routing.

l If your scans do not involve separate

environments with overlapping IP ranges,
retain the Default network.

Targets Specifies the scan targets based on the assets

you selected for the remediation scan.

User Specifies default settings for the Advanced

Permissions Network Scan template.

By default, only you have access to the individual

scan results for the remediation scan. The
Default user permissions are set to No Access. If
you want to share the remediation scan with
other users, configure the user permissions.

Schedule Cannot be configured. If you do not launch a

remediation scan when you create it, you can
launch the scan manually later.

all other Specifies default settings for the Advanced

settings Network Scan template.

- 356 -
Discovery all Specifies default settings for the Advanced
Network Scan template.

Note: The default Port Scan Range scans common

ports only. If the plugins used in the remediation
scan require specific ports, configure this setting
for a range that includes those ports.

Assessment all Specifies default settings for the Advanced

Network Scan template.

Report all Specifies default settings for the Advanced

Network Scan template.

Advanced all Specifies default settings for the Advanced

Network Scan template.

Credentials all By default, there are no credentials configured. If

the plugins in the remediation scan require
credentials, configure them in the remediation
scan.

Note: Remediation scans work best for un-

credentialed network scan results. Use caution
when running a remediation scan for a plugin that
requires scan credentials. If you neglect to add
scan credentials when required for a specific
plugin, or if you type the credentials incorrectly,
the system may identify the related vulnerabilities
as fixed. In fact, the vulnerabilities do not appear in
the scan results because the system could not
complete the credentialed scan.

Compliance all By default, no compliance audits are configured.

If the plugins in the remediation scan require
compliance audit settings, configure the
appropriate settings.

- 357 -
Plugins limited Specifies plugins limited to the following:

l the plugins you selected for remediation

scanning

l any plugins on which the selected plugins

are dependent

3. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

What to do next:
l In the Remediation Scans folder on the Scans page:
o View the scan status to determine when the scan completes.
o Edit the scan configuration.
o Change the read status of the scan results.
o Launch the scan.

l Once the scan completes:

a. On the Findings page, search for the plugin.

b. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the
remediation scan targeted.

Stop a Running Scan

Required Scan Permissions: Can Control

- 358 -
When you stop a scan, Tenable Vulnerability Management terminates all tasks for the scan and
categorizes the scan as canceled. The scan results associated with the scan reflect only the
completed tasks. You cannot stop individual tasks, only the scan as a whole.

To stop a running scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the scans table, roll over the scan you want to stop.

3. In the row, click the button.

A menu appears.

4. Click Stop.

A confirmation window appears.

5. In the confirmation window, click Stop.

Tenable Vulnerability Management stops the scan. The Status column updates to reflect the
status of the scan.

Pause or Resume a Scan

Required Scan Permissions: Can Control

You can pause scans that you want to stop temporarily. When you pause a scan, Tenable
Vulnerability Management pauses all active tasks for that scan and concludes the scanner's local
scan task. Paused scans do not consume scanner resources, and other scans can run while there is
a paused scan. Tenable Vulnerability Management does not dispatch new tasks from a paused scan
job. If the scan remains in a paused state for more than 14 days, the scan times out. Tenable
Vulnerability Management terminates the related tasks on the scanner and categorizes the scan as
aborted.

You can resume scans that you previously paused. When you resume a scan, Tenable Vulnerability
Management instructs the scanner to start the tasks from the point at which the scan was paused.
If Tenable Vulnerability Management encounters problems when resuming the scan, the scan fails,
and Tenable Vulnerability Management categorizes the scan as aborted. Tenable Vulnerability
Management does not dispatch new tasks from a paused scan job. If the scan remains in a paused

- 359 -
state for more than 14 days, the scan times out. Tenable Vulnerability Management terminates the
related tasks on the scanner and categorizes the scan as aborted.

Note: You can only pause and resume Tenable Vulnerability Management scans.

To pause or resume a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the scans table, roll over the scan.

3. Do one of the following:

l To pause the scan, click the button in the row.

l To resume the scan, click the button in the row.

A confirmation window appears.

4. In the confirmation window, click Pause or Resume as appropriate.

Tenable Vulnerability Management pauses or resumes the scan.

Change Scan Ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Scan Permissions: Owner

Before you begin:

l If the scan is based on a user-defined template, assign the new owner at least Can View
permissions for that template. Otherwise, the new owner cannot view the scan configuration.

Note: Only the scan owner can change scan ownership. Therefore, if an administrator needs to change the
ownership of another user's scan, they must first assist the user with their account and then assign
ownership to the appropriate user.

To change the ownership of a scan in the new interface:

- 360 -
1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

5. In the scans table, click the scan you want to edit.

The scan details appear.

6. Click the button next to the scan name.

The Edit a Scan page appears.

7. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

8. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

9. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

10. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

- 361 -
11. (Optional) Edit the Tenable Vulnerability Management permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

12. Click Save.

Tenable Vulnerability Management assigns ownership to the selected user and assigns your
user account the permissions you selected. If you removed all permissions for your user
account from the scan, the scan no longer appears in any of your scan folders.

Change the Scan Read Status

Required Scan Permissions: Can View

On the Scans page, a scan appears in bold in the scans table if you have not yet viewed (read) the
results of the latest run of the scan.

If you view the scan results, Tenable Vulnerability Management categorizes the scan as "read" and
removes the bold formatting from the scan in the scans table.

You can also manually change the scan read status.

To change the scan read status:

1. View your scans.

2. In the scans table, roll over the scan you want to change.

3. Click the button.

A menu appears.

4. Do one of the following:

l If you have already read the scan, click Mark Unread.

l If you have not read the scan, click Mark Read.

Tenable Vulnerability Management changes the read status for the scan.

Edit a Scan Configuration

- 362 -
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a scan configuration:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. (Optional) Search for the scan you want to edit. For more information, see Tenable
Vulnerability Management Tables.

5. In the scans table, click the scan you want to edit.

The scan details appear.

6. Click the button next to the scan name.

The Edit a Scan page appears.

7. Change the scan configuration. For more information about scan configuration settings, see
Scan Settings.

8. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

- 363 -
Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Configure vSphere Scanning

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

You can configure a scan to scan the following virtual environments:

l ESXi/vSphere that vCenter manages

l ESXi/vSphere that vCenter does not manage

l Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

Note: For more information on VMware/vCenter, refer to the VMware integration documentation.

Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter

To configure an ESXi/vSphere scan that vCenter does not manage:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP address or addresses of the ESXi host or hosts.

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware ESX SOAP API.

- 364 -
7. In the Username box, type the username associated with the local ESXi account.

8. In the Password box, type the password associated with the local ESXi account.

9. If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do
not verify SSL Certificate toggle. Otherwise, leave the toggle enabled.

10. Click Save.

11. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan information plugin
always shows Credentialed Checks: No in the vCenter scan results. To verify that the authentication
was successful, check to see that the Nessus Scan Information plugin shows Credentialed Checks:
Yes in the scan results of the ESXis.

Scenario 2: Scanning vCenter-Managed ESXi/vSpheres

Note: The SOAP API requires a vCenter admin account with read and write permissions. The REST API
requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle manager
account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

- 365 -
3. In the Targets section, type the IP addresses of:

l the vCenter host

l the ESXi host or hosts

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware vCenter SOAP API.

7. In the vCenter Host box, type the IP address of the vCenter host.

8. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.

9. In the Username box, type the username associated with the vCenter account.

10. In the Password box, type the password associated with the vCenter account.

11. If the vCenter host is SSL enabled, enable the HTTPS toggle.

12. If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the
Verify SSL Certificate toggle. Otherwise, leave the toggle disabled.

13. Click Save.

14. Do one of the following:

l If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

l If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

- 366 -
Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Section 3: Scanning Virtual Machines

You can scan virtual machines just like any other host on the network. Be sure to include the IP
address or addresses of your virtual machines in the Targets text box. For more information, see
Create a Scan.

VMware vCenter Support Matrix

Feature Requires Authentication Supported vCenter Version

Vulnerability Management No 7.x, 8.x

Auto Discovery Yes 7.0.3+, 8.x

Audit / Compliance Yes 6.x, 7.x, 8.x

VIB Enumeration Yes 7.0.3+, 8.x

Active / Inactive VMs Yes 7.0.3+, 8.x

Copy a Scan Configuration

Required Scan Permissions: Owner

When you copy a scan configuration, Tenable Vulnerability Management assigns you owner
permissions for the copy and assigns the copy scan permissions from the original scan.

Note: You cannot copy a scan from the Remediation Scans folder.

To copy a scan configuration:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

- 367 -
3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, roll over the scan you want to copy.

5. In the row, click the button.

A menu appears.

6. Click Copy.

The Copy to Folder plane appears, which contains a list of your scan folders.

7. Click the folder where you want to save the copy.

8. Click Copy.

Tenable Vulnerability Management creates a copy of the scan with Copy of prepended to the
name and assigns you owner permissions for the copy. The copy appears in the scans table of
the folder you selected.

Export Scan Results

Required Scan Permissions: Can View

You can export both imported scan results and results that Tenable Vulnerability Management
collects directly from scanners.

Tenable Vulnerability Management retains individual scan results until the results are 15 months old.

Notes:
l Filters are not applicable for Tenable Web App Scanning exports, All results will are
exported.
l For archived scan results (that is, results older than 35 days), Tenable Vulnerability
Management limits export types to .nessus and .csv files.
l When a scan is actively running, the Export button does not appear in the Tenable
Vulnerability Management interface. Wait until the scan completes, then export the scan
results.

To export results for an individual scan:

- 368 -
1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. Do one of the following:

Location Scope of Export

Scans table a. In the scans table, roll over the scan you want to export.

b. Click the button.

A menu appears.

c. Click Export.

The Export plane appears.

Note: You cannot export scan results from the Scans table if the scan has
multiple targets. For scans with multiple targets, you can export scan results
for each target from the Scan Details page.

Scan Details a. In the scans table, click the scan you want to export.

The scan details plane appears below the scan table.

b. Click the Scan Actions button.

A menu appears.

c. Click Export.

The Export plane appears.

5. Select an export format:

Format Description Supported for

- 369 -
Archived
Scan Results

Tenable Vulnerability Management Scans

PDF - An Adobe .pdf file. No

Custom
Note:Tenable Vulnerability Management cannot export
PDF files with more than 400,000 individual scan
results.

PDF - An Adobe .pdf file. No

Executive
Summary Note:Tenable Vulnerability Management cannot export
PDF files with more than 400,000 individual scan
results.

HTML - A web-based .html file. No

Custom

HTML - A web-based .html file. No

Executive
Summary

Nessus A .nessus file in XML format that contains the list of Yes
targets, scan settings defined by the user, and scan
results. Tenable Vulnerability Management strips
password credentials and does not export them as
plain text in the XML. If you import a .nessus file as a
user-defined scan template, you must re-apply your
passwords to any credentials.

Unlike other export formats, the .nessus file includes

individual open port findings. This ensures that you
can still view open port findings in Tenable Security
Center if your organization integrates Tenable
Vulnerability Management with Tenable Security

- 370 -
Center.

CSV A .csv text file with only scan results. Yes

Note: When exporting scan results as a .csv file,

the severities always show CVSSv2 scores
regardless of your configured severity metric.
When exporting compliance scan results as a .csv
file, the Risk column results are replaced with the
following values:
l PASSED results show as None
l WARNING results show as Medium
l FAILED results show as High

Tenable Web App Scanning Scans

HTML A web-based .html file that contains the list of n/a

targets, scan results, and scan notes.

PDF An Adobe .pdf file that contains the list of targets, n/a
scan results, and scan notes.

Note:Tenable Vulnerability Management cannot export

PDF files with more than 400,000 individual scan
results.

Nessus A .nessus file in XML format that contains the list of n/a
targets, scan settings defined by the user, and scan
results. Tenable Vulnerability Management strips
password credentials and does not export them as
plain text in the XML.

CSV A .csv text file with only scan results. n/a

JSON A .json file that contains the list of targets, scan n/a
settings defined by the user, scan results, and scan

- 371 -
notes. Tenable Vulnerability Management strips
password credentials and does not export them as
plain text in the JSON file.

6. For Tenable Vulnerability Management scans, if you select the PDF - Custom or HTML -
Custom formats:

l Retain the default Data setting (Vulnerabilities selected).

l Select either Assets or Plugin from the Group By list, depending on how you want to
group the scan results in the export file.

7. Click Export.

Tenable Vulnerability Management generates the export file. Depending on your browser
settings, your browser may automatically download the export file to your computer, or may
prompt you to confirm the download before continuing.

Import a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can import scan results into Tenable Vulnerability Management.

Imported scans always belong to the default network. For more information, see Networks.

Note: You can only import Tenable Vulnerability Management scans.

Note: Tenable Vulnerability Management supports scan imports up to 4GB in size.

To import a scan in the new interface:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the upper-right corner of the page, click the Tools button.

A menu appears.

- 372 -
3. Click Import Scan.

Your file directory appears.

4. Browse to and select the scan file you want to import.

If the scan file is a .nessus or .db file, the Import plane appears.

Note: To learn more about the .nessus file format, see Nessus File Format.

If the scan file is any other file type, the Scan Import window appears.

5. Do one of the following:

l If the scan file is a .nessus or .db file:

a. In the Password box, type the password to allow Tenable Vulnerability

Management to view the scan.

b. (Optional) To show the scan results in dashboards, select the Show in Dashboard?
check box.

c. Click Import.

l If the scan file is any other file type, specify if you want the scan results to appear in
dashboards:
o Click Yes to show the scan results in dashboards.
o Click No to prevent the scan results from appearing in dashboards.

Note: Clicking Cancel cancels the import.

The Scans page appears, and the imported scan appears in the scans table.

Tenable Vulnerability Management begins processing the imported scan results. Once this
process is complete, the imported data appears in the individual scan details and aggregated
data views (such as dashboards). This process can take up to 30 minutes, depending on the
size of the import file.

Tip: If the imported data does not appear in the individual scan results or aggregated data views
after a reasonable processing time, verify that you are assigned adequate permissions for the
imported targets in access groups.

- 373 -
Organize Scans by Folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, the Scans page contains a Folders section that automatically
groups your configured and imported scans into default folders. To organize your scans further, you
can create custom folders.

To organize your scans by folder:

1. View scans in default folders.

Note: You cannot rename or delete the default folders.

By default, Tenable Vulnerability Management provides the following folders:

Folder Description

My Scans Contains scans that you have created or imported.

This folder appears by default when you access the Scans page.

All Scans l (Administrators) Contains scans created by any users.

l (All other users) Contains:

o Scans that you have created
o Any shared scans for which you have Can View
permissions or higher

Remediation Contains any remediation scans you own or that another user has
Scans shared with you.

Trash Contains scans that you have moved to the trash. If you have Can
Configure permissions for a scan in this folder, you can permanently
delete the scan for all users.

If you delete a custom folder that contains scans, Tenable

- 374 -
Vulnerability Management automatically moves any scans in the
deleted folder to the Trash folder.

2. (Optional) Manage custom folders using the following procedures:

Manage scan folders

Use the following procedures to manage your custom scan folders:

Create a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The custom scan folders you create appear only to you and cannot be shared with other users. You
are the only user who can view, rename, or delete the scan folders you create.

Note: The custom folders you create appear only to you and cannot be shared with other users.

To create a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. Next to Folders, click the button.

The New Folder box appears at the bottom of the folder list.

3. In the New Folder box, type a name for the folder.

4. Click the button.

A Folder added successfully message appears and the new folder appears in the Folders
section.

Move a scan to a scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

- 375 -
Required Scan Permissions: Can View

You can move a scan from a default folder to either the My Scans default folder or a custom scan
folder. You can also move a scan from a custom folder to the My Scans default folder or a different
custom folder.

If you move a scan from the All Scans default folder, the scan appears in both the folder you select
and the All Scans folder.

If you move a scan from the My Scans default folder, the scan appears in the custom folder only.

For information about moving a scan to the trash, see Move a Scan to the Trash Folder.

Note: You cannot move scans to or from the Remediation Scans folder.

To move a scan to a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

3. In the scan table, roll over the scan you want to move.

The action buttons appear in the row.

4. Do one of the following:

l Tenable Vulnerability Management scans:

a. In the row, click the button.

A menu appears.

b. In the menu, click Move.

The Move to Folder plane appears. This plane contains a list of your scan folders.

l Tenable Web App Scanning scans:

- 376 -
a. In the row, click the button.

The Move to Folder plane appears. This plane contains a list of your scan folders.

5. Search for a folder:

a. In the search box, type the folder name.

b. Click the button.

Tenable Vulnerability Management limits the list to folders that match your search.

6. In the folder list, click the folder where you want to move the scan.

7. Click Move.

Tenable Vulnerability Management moves the scan to the selected folder.

Rename a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can rename custom scan folders only. You cannot rename the default scan folders.

Renaming a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

To rename a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, roll over the folder you want to rename.

The action buttons appear in the row.

3. In the row, click the button.

An editable box replaces the folder name.

4. In the box, type a new name for the folder.

- 377 -
5. Click the button.

Tenable Vulnerability Management updates the folder name and a Folder updated
successfully message appears.

Delete a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can delete custom scan folders only. You cannot delete the default scan folders that Tenable
Vulnerability Management provides (All Scans, My Scans, and Trash).

Deleting a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

If you delete a scan folder that contains inactive scans, Tenable Vulnerability Management moves
the folder's scans to the Trash folder. If you delete a scan folder that contains at least one active
(Pending or Running) scan, Tenable Vulnerability Management moves the folder's scans to the My
Scans folder.

To delete a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, roll over the folder you want to delete.

The action buttons appear in the row.

3. In the row, click the button.

A confirmation window appears.

4. Click Delete to confirm the action.

A Folder deleted successfully message appears, and Tenable Vulnerability Management

deletes the folder.

Move a Scan to the Trash Folder

Required Scan Permissions: Can View

- 378 -
When you move a shared scan to the Trash folder, Tenable Vulnerability Management moves the
scan for your account only. The scan remains in the original folder for all other users who have Can
View permissions or higher for the scan.

Scans moved to the Trash folder also appear in the All Scans folder, marked with the label, Trash.

Note: After you move a scan to the Trash folder, the scan remains in the Trash folder until a user with Can
Edit permissions permanently deletes the scan.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.
l For more information about Tenable Vulnerability Management scan schedules, see
Schedule.
l For more information about Tenable Web App Scanning scan schedules, see Schedule.

Note: You cannot move scans from the Remediation Scans folder to the Trash folder. Instead, delete
remediation scans directly in the folder.

To move a scan or scans to the Trash folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click the folder that contains the scan you want to move.

The scans table lists scans in the selected folder.

4. Do one of the following:

l
Select a single scan:
a. In the scans table, roll over the scan you want to move.

b. Click the button.

A menu appears.

c. Click Trash.

- 379 -
l
Select multiple scans:
a. In the scans table, select the check box next to each scan you want to move.

The action bar appears at the top of the table.

b. In the action bar, click Trash.

Tenable Vulnerability Management moves the scan or scans you selected to the Trash
folder.

Delete a Scan

Required Scan Permissions: Can Configure

When you permanently delete a scan, you delete the scan configuration and scan results for all
users the scan is shared with.

The workflow for deleting a remediation scan differs from the workflow described in this procedure.
For more information, see the Delete a remediation scan steps at the end of this topic.

Caution: After you delete a scan, you cannot recover the scan or any scan data associated with the scan.
Delete only scans you are certain you no longer need to view or run.

Before you begin:

l Move the scan to the Trash folder.

To delete a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click the Trash folder.

The scan table updates to show the scans in the trash folder.

4. Do one of the following:

- 380 -
l
Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

l
Select multiple scans:
a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Delete a remediation scan

Required Scan Permissions: Can Configure

When you delete a remediation scan, you delete the scan configuration and scan results for all
users the scan is shared with.

Note:Tenable Vulnerability Management deletes scan results older than 90 days.

To delete a remediation scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

- 381 -
3. In the Folders section, click the Remediation Scans folder.

Note: The Remediation Scans folder only shows for Tenable Vulnerability Management scans.

The scan table updates to show remediation scans that you own or that other users have
shared with you. By default, the rows are sorted by Created Date.

4. Do one of the following:

l
Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

l
Select multiple scans:
a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Note: Tenable Vulnerability Management keeps up to 10,000 of the most recent remediation scan
results. Once you have more than 10,000 remediation scan results, Tenable Vulnerability
Management deletes the scan results, starting with the oldest result.

Discovery Scans vs. Assessment Scans

You can perform two types of scans using Tenable products: discovery scans and assessment
scans. Tenable recommends performing discovery scans to get an accurate picture of the assets on
your network and assessment scans to understand the vulnerabilities on your assets.

- 382 -
For information about how discovered and assessed assets are counted towards your license, see
Tenable Vulnerability Management Licenses.

Type Description Licensing

Discovery scans Find assets on your network. Assets identified by

discovery scans do
For example:
not count toward
l a scan configured with the your license.
Host Discovery template.

l a scan configured to use only

discovery plugins.

l a scan configured to use

Tenable Nessus Network
Monitor in discovery mode.

Assessment scans Find vulnerabilities on your assets. In general, assets

assessed by
For example, run an authenticated or
assessment scans
unauthenticated scan using a
count toward your
Tenable Nessus scanner or Tenable
license.
Nessus Agent.

Authenticated Scans

Configure authenticated scans, also

known as credentialed scans, by
adding access credentials to your
assessment scan configuration.

Credentialed scans can perform a

wider variety of checks than non-
credentialed scans, which can result
in more accurate scan results. This
facilitates scanning of a very large
network to determine local
exposures or compliance violations.

- 383 -
Credentialed scans can perform any
operation that a local user can
perform. The level of scanning
depends on the privileges granted to
the user account. The more
privileges the scanner has via the
login account (e.g., root or
administrator access), the more
thorough the scan results.

For more information, see

Credentials in Tenable Vulnerability
Management Scans.

Unauthenticated Scans

If you do not add access credentials

to your assessment scan
configuration, Tenable Vulnerability
Management performs a limited
number of checks when scanning
your assets.

Identify Assets That Have Not Been Assessed

Tenable Vulnerability Management can discover, or see, assets without assessing the assets for
vulnerabilities (for example, via a host discovery scan, Tenable Nessus Network Monitor running in
discovery mode, or connectors). Assets that have been seen but not assessed do not count towards
your asset license limit. For a list of conditions that cause an asset to be assessed, see How Assets
are Counted. However, once assessed, the asset is always categorized as assessed, even if it ages
out of the license count.

This licensing exception allows you to discover assets on your network without the large number of
assets counting towards your license limit. After you discover your assets, you can then identify
which assets have not yet been assessed for vulnerabilities, and choose which of those assets you
want to scan and manage going forward.

To identify assets that have not been assessed:

- 384 -
1. Discover assets using any of the following methods:

l Create and launch a host discovery scan in Tenable Vulnerability Management.

l Configure Tenable Nessus Network Monitor with discovery mode enabled, linked to
Tenable Vulnerability Management.

l Configure a connector.

Assets discovered by these methods do not count towards your asset license limit until they
have been assessed for vulnerabilities.

2. Filter for assets that have not been assessed.

a. In the assets table, create a filter with the following settings:

l In the Category box, select Asset Assessed.

l In the Operator box, select is equal to.

l In the Value box, select false.

a. Click Apply.

Tenable Vulnerability Management filters for assets that have not yet been assessed for
vulnerabilities.

Note: Unassessed assets (where Asset Assessed is equal to false) can differ from unlicensed
assets (where Is Licensed (VM) is equal to false). Once you scan an asset for vulnerabilities,
Tenable Vulnerability Management categorizes the asset as assessed from that point on, but
the licensing status of an asset can change over time as assets are deleted or age out of your
organization's license count.

b. (Optional) Save the search for later use.

3. (Optional) Tag assets to identify assets that have not been assessed.

a. Create tags to identify assets that have not been assessed.

For example, Assets:NotYetAssessed.

b. Manually apply the tag to assets, or create tag rules that automatically filter for assets
that have not been assessed.

- 385 -
For example, to create a dynamic tag for assets that have not yet been assessed, set
the tag rules to filter for Asset Assessed is equal to false.

4. (Optional) Create a scan to target assets using the tag you created.

Scan Failovers
If Tenable Vulnerability Management assigns a scan job to a scanner, and the scanner goes offline
while scanning, the following happens:

1. The scan job times out if the assigned scanner does not respond to Tenable Vulnerability
Management after two hours.

2. Tenable Vulnerability Management removes the scan job from the scanner and attempts the
scan job on another scanner in the same scanner group, or on the same scanner if it comes
back online.

3. Tenable Vulnerability Management attempts steps 1 and 2 three times. If the scan job is not
completed after three attempts, Tenable Vulnerability Management aborts the scan job.

Scan Status
Tenable Vulnerability Management provides a scan status for each of your configured scans.

If the scan is in progress, Tenable Vulnerability Management shows the number of scan tasks
completed as a percentage.

For example, if you scan less than 120 IP addresses in a single scan, Tenable Vulnerability
Management creates a single scan task and the progress percentage changes from 0% to 100%
when it completes.

However, if you target more than 120 IP addresses, Tenable Vulnerability Management creates
multiple scan tasks. After each task completes, the percentage changes to reflect the number of
completed tasks. For example, a scan that targets 300 IP addresses is split into three scan tasks,
and as each task completes, the progress bar updates the percentage to reflect the completed
tasks.

Note: Pausing a scan causes Tenable Vulnerability Management to move any completed results to
processing. When you resume the scan, Tenable Vulnerability Management creates a new scan task or
tasks for incomplete results. Therefore, pausing a scan can cause the progress percentage to update.

- 386 -
Tip: For Tenable Vulnerability Management scans, you can hover over the scan status to view more status
information in a pop-up window, such as the number of targets scanned and the elapsed or final scan time.
The window shows different information based on the scan's current status.

Tenable Vulnerability Management scans can have the following status values:

Status Description

Tenable Vulnerability Management Scans

Tip: The typical Tenable Vulnerability Management scan status flow is as follows: Initializing, Running,
Publishing Results, Completed.

Aborted Either the latest run of the scan is incomplete because Tenable Vulnerability
Management or the scanner encountered problems during the run, or the
scan remained queued without running for four or more hours. For more
information about the problems encountered during the run, view the scan
warnings.

Canceled At user request, Tenable Vulnerability Management successfully stopped the

latest run of the scan.

Completed The latest run of the scan is complete.

Empty The scan is either empty (the scan is new or has yet to run) or pending
(Tenable Vulnerability Management is processing a request to run the scan).

Imported A user imported the scan. You cannot run imported scans. Scan history is
unavailable for imported scans.

Pausing A user paused the scan, and Tenable Vulnerability Management is processing
the action.

Paused At user request, Tenable Vulnerability Management successfully paused

active tasks related to the scan. The paused tasks continue to fill the task
capacity of the scanner that the tasks were assigned to. Tenable Vulnerability
Management does not dispatch new tasks from a paused scan job. If the scan
remains in a paused state for more than 14 days, the scan times out. Tenable
Vulnerability Management then aborts the related tasks on the scanner and
categorizes the scan as aborted.

- 387 -
Status Description

Pending Tenable Vulnerability Management has the scan queued to launch and is
assigning scan tasks to the assigned sensors.

Note: Tenable Vulnerability Management aborts scans that remain in

Pending status for more than four hours. If Tenable Vulnerability
Management aborts your scan, modify your scan schedule to reduce the
number of overlapping scans. If you still have issues, contact Tenable
Support.

Publishing Tenable Vulnerability Management processes and stores the scan results
Results data for you to view and use in the Tenable Vulnerability Management user
interface. The Publishing Results status begins once the Running status
reaches 100%.

Resuming Tenable Vulnerability Management is in the process of restarting tasks after

the user resumed the scan. Tenable Vulnerability Management instructs the
scanner to start the tasks from the point at which the scan was paused. If
Tenable Vulnerability Management or the scanner encounters problems when
resuming the scan, the scan fails, and Tenable Vulnerability Management
updates the scan status to aborted.

Running The scan is currently running. While this status is shown, the scan's sensors
complete their assigned scan tasks, and Tenable Vulnerability Management
processes the scan results. The progress bar shows next to the status when
a scan is running. The progress bar shows the percentage of the completed
tasks.

Stopping A user stopped the scan, the scan timed out, or Tenable Vulnerability
Management is stopping the scan after all associated scan tasks are
complete.

Scan Templates

- 388 -
Scan templates contain granular configuration settings for your scans. You can use Tenable's scan
templates to create custom scan configurations for your organization. Then, you can run scans
based on Tenable's scan templates or your custom configurations' settings.

When you create a scan configuration, the Select a Scan Template page appears. Tenable
Vulnerability Management provides separate templates for Tenable Vulnerability Management and
Tenable Web App Scanning. Within Tenable Vulnerability Management scanning, Tenable
Vulnerability Management provides separate templates for scanners and agents, depending on
which sensor you want to use for scanning:

If you have custom configurations, they appear in the User Defined tab. For more information about
user-defined templates, see User-Defined Templates.

When you configure a Tenable-provided scan template, you can modify only the settings included
for the scan template type. When you create a user-defined scan template, you can modify a
custom set of settings for your scan.

For descriptions of all scan template settings, see Scan Settings.

Tip: For information and tips on optimizing your Tenable Vulnerability Management scan configurations,
see the Tenable Vulnerability Management Scan Tuning Guide.

Tenable-Provided Tenable Nessus Scanner Templates

There are three scanner template categories in Tenable Vulnerability Management:

l Vulnerability Scans (Common) — Tenable recommends using vulnerability scan templates for
most of your organization's standard, day-to-day scanning needs.

l Configuration Scans — Tenable recommends using configuration scan templates to check

whether host configurations are compliant with various industry standards. Configuration
scans are sometimes referred to as compliance scans. For more information about the checks
that compliance scans can perform, see Compliance in Tenable Vulnerability Management
Scans and SCAP Settings in Tenable Vulnerability Management Scans.

l Tactical Scans — Tenable recommends using the tactical scan templates to scan your network
for a specific vulnerability or group of vulnerabilities. Tactical scans are lightweight, timely
scan templates that you can use to scan your assets for a particular vulnerability. Tenable

- 389 -
frequently updates the Tenable Vulnerability Management Tactical Scans library with
templates that detect the latest vulnerabilities of public interest, such as Log4Shell.

The following table describes the available Tenable Nessus Scanner templates:

Template Description

Vulnerability Scans (Common)

Advanced The most configurable scan type. You can configure this scan template to
Network Scan match any policy. This template has the same default settings as the basic
scan template, but it allows for additional configuration options.

Note: Advanced scan templates allow Tenable Vulnerability Management

experts to scan more deeply using custom configuration, such as faster or
slower checks, but misconfigurations can cause asset outages or network
saturation. Use the advanced templates with caution.

Note: Tenable automatically updates this template with any newly-released

plugin families in which plugins rely on network traffic for detection.

Basic Network Performs a full system scan that is suitable for any host. Use this template
Scan to scan an asset or assets with all of Nessus's plugins enabled. For
example, you can perform an internal vulnerability scan on your
organization's systems.

Credentialed Authenticates hosts and enumerates missing updates.

Patch Audit
Use this template with credentials to give Tenable Vulnerability
Management direct access to the host, scan the target hosts, and
enumerate missing patch updates.

Host Discovery Performs a simple scan to discover live hosts and open ports.

Launch this scan to see what hosts are on your network and associated
information such as IP address, FQDN, operating systems, and open ports,
if available. After you have a list of hosts, you can choose what hosts you
want to target in a specific vulnerability scan.

Tenable recommends that organizations who do not have a passive

- 390 -
network monitor, such as Tenable Nessus Network Monitor, run this scan
weekly to discover new assets on your network.

Note: Assets identified by discovery scans do not count toward your license.

Internal PCI Performs an internal PCI DSS (11.2.1) vulnerability scan.

Network Scan
This template creates scans that you can use to satisfy internal (PCI DSS
11.2.1) scanning requirements for ongoing vulnerability management
programs that satisfy PCI compliance requirements. You can use these
scans for ongoing vulnerability management and to perform rescans until
passing or clean results are achieved. You can provide credentials to
enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean"
scans on at least a quarterly basis, you must also perform scans after any
significant changes to your network (PCI DSS 11.2.3).

Legacy Web App Uses a Tenable Nessus scanner to scan your web applications.
Scan
Note: Unlike the Tenable Web App Scanning scanner, the Tenable Nessus
scanner does not use a browser to scan your web applications. Therefore, a
Legacy Web App Scan is not as comprehensive as Tenable Web App Scanning.

Mobile Device Assesses mobile devices via Microsoft Exchange or an MDM.

Scan

PCI Quarterly Performs quarterly external scans as required by PCI.

External Scan
Note: Because the nature of a PCI ASV scan is more paranoid and may lead to
false positives, the scan data is not included in the aggregate Tenable
Vulnerability Management data. This is by design.

Configuration Scans

Audit Cloud Audits the configuration of third-party cloud services.

Infrastructure
You can use this template to scan the configuration of Amazon Web
Service (AWS), Google Cloud Platform, Microsoft Azure, Rackspace,
[Link], and Zoom, given that you provide credentials for the

- 391 -
service you want to audit.

MDM Config Audit Audits the configuration of mobile device managers.

The MDM Config Audit template reports on a variety of MDM

vulnerabilities, such as password requirements, remote wipe settings, and
the use of insecure features, such as tethering and Bluetooth.

Offline Config Audits the configuration of network devices.

Audit
Offline configuration audits allow Tenable Vulnerability Management to
scan hosts without the need to scan over the network or use credentials.
Organizational policies may not allow you to scan devices or know
credentials for devices on the network for security reasons. Offline
configuration audits use host configuration files from hosts to scan
instead. Through scanning these files, you can ensure that devices'
settings comply with audits without the need to scan the host directly.

Tenable recommends using offline configuration audits to scan devices

that do not support secure remote access and devices that scanners
cannot access.

Policy Audits system configurations against a known baseline.

Compliance
Auditing Note: The maximum number of audit files you can include in a single Policy
Compliance Auditing scan is limited by the total runtime and memory that the
audit files require. Exceeding this limit may lead to incomplete or failed scan
results. To limit the possible impact, Tenable recommends that audit selection
in your scan policies be targeted and specific for the scan's scope and
compliance requirements.

The compliance checks can audit against custom security policies, such
as password complexity, system settings, or registry values on Windows
operating systems. For Windows systems, the compliance audits can test
for a large percentage of anything that can be described in a Windows
policy file. For Unix systems, the compliance audits test for running
processes, user security policy, and content of files.

SCAP and OVAL Audits systems using SCAP and OVAL definitions.
Auditing

- 392 -
The National Institute of Standards and Technology (NIST) Security
Content Automation Protocol (SCAP) is a set of policies for managing
vulnerabilities and policy compliance in government agencies. It relies on
multiple open standards and policies, including OVAL, CVE, CVSS, CPE,
and FDCC policies.

l SCAP compliance auditing requires sending an executable to the

remote host.

l Systems running security software (for example, McAfee Host

Intrusion Prevention), may block or quarantine the executable
required for auditing. For those systems, you must make an
exception for either the host or the executable sent.

l When using the SCAP and OVAL Auditing template, you can perform
Linux and Windows SCAP CHECKS to test compliance standards as
specified in NIST’s Special Publication 800-126.

Tactical Scans

Active Directory Use a Domain User account to query AD identity information. This policy
Identity enumerates Active Directory identity information via LDAPS. It requires
Domain User credentials, LDAPS configuration, and an Active Directory
Domain Controller as the scan target.

Active Directory Scans for misconfigurations in Active Directory.

Starter Scan
Use this template to check Active Directory for Kerberoasting, Weak
Kerberos encryption, Kerberos pre-authentication validation, non-expiring
account passwords, unconstrained delegation, null sessions, Kerberos
KRBTGT, dangerous trust relationships, Primary Group ID integrity, and
blank passwords.

Credential A lightweight scan template used to verify that host credential pairs for
Validation Windows and Unix successfully authenticate to scan targets. Use this
scan template to quickly diagnose credential pair issues in your network.

Find AI Scans for AI, LLM, and ML-related vulnerabilities.

Malware Scan Scans for malware on Windows and Unix systems.

- 393 -
Tenable-Provided Tenable Nessus Agent Templates
There are two agent template categories in Tenable Vulnerability Management:

l Vulnerability Scans — Tenable recommends using vulnerability scan templates for most of
your organization's standard, day-to-day scanning needs.

l Inventory Collection — Unlike standard Tenable Nessus Agent vulnerability scans, the Collect
Inventory template provides faster scan results and reduce the scan's system footprint.
Agent-based inventory scans gather basic information from a host and upload it to Tenable
Vulnerability Management. Then, Tenable Vulnerability Management analyzes the information
against missing patches and vulnerabilities as Tenable releases coverage. This reduces the
performance impact on the target host while also reducing the time it takes for an analyst to
see the impact of a recent patch.

Note: If a plugin requires authentication or settings to communicate with another system, the
plugin is not available on agents. This includes, but is not limited to:
l Patch management
l Mobile device management
l Cloud infrastructure audit
l Database checks that require authentication

The following table describes the available Tenable Nessus Agent templates:

Template Description

Vulnerability Scans

Advanced An agent scan without any recommendations, so that you can fully
Agent Scan customize the scan settings. In Tenable Vulnerability Management, the
Advanced Agent Scan template allows for two scanning methods:

l Scan Window - Specify the timeframe during which the agent must
report to be included and visible in vulnerability reports.

l Triggered Scans - Provide the agent with specific criteria that

indicates when to launch a scan. The agent launches the scan when

- 394 -
Template Description

one (or more) of the criteria are met. For more information, see Basic
Settings in the Tenable Vulnerability Management User Guide.

Note: When you create an agent scan using the Advanced Agent Scan template,
you must also select the plugins you want to use for the scan.

Agent Agent detection of Apache Log4j CVE-2021-44228.

Log4Shell

Basic Agent Scans systems connected via Tenable Nessus Agents.

Scan

Malware Scan Scans for malware on systems connected via Tenable Nessus Agents.

Tenable Nessus Agent detects malware using a combined allow list and
block list approach to monitor known good processes, alert on known bad
processes, and identify coverage gaps between the two by flagging unknown
processes for further inspection.

Policy Audits system configurations against a known baseline for systems

Compliance connected via Tenable Nessus Agents.
Auditing
The compliance checks can audit against custom security policies, such as
password complexity, system settings, or registry values on Windows
operating systems. For Windows systems, the compliance audits can test
for a large percentage of anything that can be described in a Windows policy
file. For Unix systems, the compliance audits test for running processes,
user security policy, and content of files.

SCAP and Audits systems using SCAP and OVAL definitions for systems connected via
OVAL Agent Tenable Nessus Agents.
Auditing
The National Institute of Standards and Technology (NIST) Security Content
Automation Protocol (SCAP) is a set of policies for managing vulnerabilities
and policy compliance in government agencies. It relies on multiple open
standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

l SCAP compliance auditing requires sending an executable to the

- 395 -
Template Description

remote host.

l Systems running security software (for example, McAfee Host

Intrusion Prevention), may block or quarantine the executable required
for auditing. For those systems, you must make an exception for either
the host or the executable sent.

l When using the SCAP and OVAL Auditing template, you can perform
Linux and Windows SCAP CHECKS to test compliance standards as
specified in NIST’s Special Publication 800-126.

Inventory Collection

Collect Scans with a compiled, limited selection of software inventory plugins.

Inventory
This template provides faster scan results and a reduced system footprint
because the agent only performs checks that collect asset information (for
example, installed software and IP addresses). This scanning method is
sometimes referred to as inventory scanning in the Tenable Vulnerability
Management user interface and documentation.

Collect Inventory scans provide coverage for:

l RedHat local security checks

l Oracle Linux local security checks

l CentOS local security checks

l Amazon Linux local security checks

l Debian local security checks

l Fedora local security checks

l SUSE local security checks

l Ubuntu local security checks

l Windows/Microsoft bulletin checks (All Windows roll-up checks since

2017)

- 396 -
Template Description

Collect Inventory scans do not currently provide coverage for:

l Malware and compliance checks

l Third-party Linux application detection (for example, Apache HTTP or

Postgres) for instances not installed via dpkg or rpm

l Third-party Windows applications (for example, Google Chrome or

Mozilla Firefox)

l Microsoft product Patch Tuesday updates (for example, Exchange or

Sharepoint)

Note: An asset that Tenable Vulnerability Management has performed inventory

scanning on continues to report vulnerabilities until the asset ages out, even if
the asset is offline.

Tenable-Provided Tenable Web App Scanning Templates

The following table describes the available Tenable Web App Scanning scan templates:

Template Description

API A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs
described via an OpenAPI (Swagger) specification file. File attachment size is
limited to 1 MB.

Tip: If the API you want to scan requires keys or a token for authentication, you
can add the expected custom headers in the Advanced settings in the HTTP
Settings section.

Note: The API scan template is available as a public beta. Its functionality is
subject to change as ongoing improvements are made throughout the beta period.

Note: API scans support only one target at a time.

Config Audit A high-level scan that analyzes HTTP security headers and other externally
facing configurations on a web application to determine if the application is

- 397 -
compliant with common security industry standards.

If you create a scan using the Config Audit scan template, Tenable Web App
Scanning analyzes your web application only for plugins related to security
industry standards compliance.

Log4Shell Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local
checks.

Overview A high-level preliminary scan that determines which URLs in a web application
Tenable Web App Scanning scans by default.

The Overview scan template does not analyze the web application for active
vulnerabilities. Therefore, this scan template does not offer as many plugin
family options as the Scan template.

PCI A scan that assesses web applications for compliance with Payment Card
Industry Data Security Standards (PCI DSS) for Tenable PCI ASV.

Quick Scan A high-level scan similar to the Config Audit scan template that analyzes
HTTP security headers and other externally facing configurations on a web
application to determine if the application is compliant with common security
industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan template, Tenable Vulnerability
Management analyzes your web application only for plugins related to security
industry standards compliance.

Scan A comprehensive scan that assesses web applications for a wide range of
vulnerabilities.

The Scan template provides plugin family options for all active web
application plugins.

If you create a scan using the Scan template, Tenable Web App Scanning
analyzes your web application for all plugins that the scanner checks for when
you create a scan using the Config Audit, Overview, or SSL TLS templates, as
well as additional plugins to detect specific vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a

- 398 -
web application and take longer to complete that other Tenable Web App
Scanning scans.

SSL TLS A scan to determine if a web application uses SSL/TLS public-key encryption
and, if so, how the encryption is configured.

When you create a scan using the SSL TLS template, Tenable Web App
Scanning analyzes your web application only for plugins related to SSL/TLS
implementation. The scanner does not crawl URLs or assess individual pages
for vulnerabilities.

User-Defined Templates

Required Template Permissions: Owner

Tenable provides a variety of scan templates for specific scanning purposes. If you want to
customize a Tenable-provided scan template and share it with other users, you can create a user-
defined scan template.

For information about any scan settings, see Scan Settings.

You can create, edit, copy, export, or delete user-defined Tenable Vulnerability Management and
Tenable Web App Scanning Scan templates from the Scans page. You can also import and export
Tenable Vulnerability Management scan templates.

To manage your user-defined scan templates:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the upper-right corner of the page, click the Tools button.

A menu appears.

3. Select Manage Scan Templates.

The Scan Templates page appears.

4. Below Scan Templates, choose to view Vulnerability Management Scan Templates or Web

- 399 -
Application Scan Templates.

The scan template table updates based on your selection.

Click a template to view or edit its settings and parameters, or use the following procedures to
further manage your user-defined templates:

Create a user-defined template

You can create user-defined scan templates to save and share custom scan settings with other
Tenable Vulnerability Management users.

When you define a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

To create a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Create Template button.

The Select a Template page appears.

4. Click the tile for the template you want to use as the base for your user-defined scan
template.

The Create a Template page appears.

5. Do one of the following:

l If you are creating a Tenable Vulnerability Management scan template, use the following
procedure:

- 400 -
a. Configure the scan template:

Tab Action

Settings Configure the settings available in the scan

template.

l Basic Settings — Specifies the organizational

and security-related aspects of a scan
template. This includes specifying the name of
the scan, its targets, whether you want to
schedule the scan, and who has permissions
for the scan.

l Discovery Settings — Specifies how a scan

performs discovery and port scanning.

l Assessment Settings — Specifies how a scan

identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes
identifying malware, assessing the
vulnerability of a system to brute force
attacks, and the susceptibility of web
applications.

l Report Settings — Specifies whether the scan

generates a report.

l Advanced Settings — Specifies advanced

controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Compliance/SCAP Specify the platforms you want to audit. Tenable,

Inc. provides best practice audits for each platform.
Additionally, you can upload a custom audit file.

- 401 -
Plugins Select security checks by plugin family or individual
plugin.

l If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Configure the scan:

Tab Action

Settings Configure the settings available in the scan template. For

more information, see Basic Settings in Tenable Web App
Scanning Scans.

Scope Specify the URLs and file types that you want to include in
or exclude from your scan. For more information, see
Scope Settings in Tenable Web App Scanning Scans.

Assessment Specify how a scan identifies vulnerabilities and what

Advanced Specify advanced controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Plugins Select security checks by plugin family or individual plugin.

6. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of scan templates on the Scan Templates page.

Edit a user-defined template

Required Template Permissions: Can Configure

- 402 -
To edit a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scan templates table, click the scan template you want to edit.

The Edit a Scan Template page appears.

6. Do one of the following:

l If you are editing a Tenable Vulnerability Management scan template, use the following
procedure:

- 403 -
a. Configure the scan template options:

Tab Action

Settings Configure the settings available in the scan

template.

l Basic Settings — Specifies the organizational

and security-related aspects of a scan
template. This includes specifying the name of
the scan, its targets, whether you want to
schedule the scan, and who has permissions
for the scan.

l Discovery Settings — Specifies how a scan

performs discovery and port scanning.

l Assessment Settings — Specifies how a scan

l Report Settings — Specifies whether the scan

generates a report.

l Advanced Settings — Specifies advanced

controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Compliance/SCAP Specify the platforms you want to audit. Tenable,

Inc. provides best practice audits for each platform.
Additionally, you can upload a custom audit file.

- 404 -
Plugins Select security checks by plugin family or individual
plugin.

l If you are editing a Tenable Web App Scanning scan template, use the following
procedure:

a. Configure the scan template options:

Tab Action

Settings Configure the settings available in the scan template. For

more information, see Basic Settings in Tenable Web App
Scanning Scans.

Scope Specify the URLs and file types that you want to include in
or exclude from your scan. For more information, see
Scope Settings in Tenable Web App Scanning Scans.

Assessment Specify how a scan identifies vulnerabilities and what

Advanced Specify advanced controls for scan efficiency.

Credentials Specify credentials you want Tenable Vulnerability

Management to use to perform a credentialed scan.

Plugins Select security checks by plugin family or individual plugin.

7. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of templates on the Scan Templates page.

Copy a user-defined template

- 405 -
When you copy a user-defined scan template, Tenable Vulnerability Management assigns you owner
permissions for the copy. You can share the copy by assigning template permissions to other users,
but only you can delete the copied scan template.

To copy a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scans table, roll over the scan you want to launch.

6. In the row, click the button.

A menu appears.

7. In the menu, click the button.

A Template copied message appears. Tenable Vulnerability Management creates a copy of

the scan template with Copy of prepended to the name and assigns you owner permissions for
the copy. The copy appears in the scan templates table.

Export a user-defined template (Tenable Vulnerability Management only)

You can export a user-defined scan template for later import.

Note: Tenable Vulnerability Management does not export passwords, credentials, and file-based settings
(for example, .audit files and the SSH known_hosts file) in user-defined scan templates.

To export a user-defined scan template:

- 406 -
1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scans table, roll over the scan template you want to export.

6. In the row, click the button.

A menu appears.

7. In the row, click the button.

Tenable Vulnerability Management exports the user-defined scan template as a .nessus file.

Note: To learn more about the .nessus file format, see Nessus File Format.

Import a user-defined template (Tenable Vulnerability Management only)

When you import a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

Tenable Vulnerability Management does not include passwords or compliance audit files in exported
user-defined scan templates. You must add these settings in manually after importing the scan
template.

To import a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans.

- 407 -
3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the upper-right corner of the page, click the Import button.

Your file manager appears.

6. Select the scan template you want to import.

7. Click Open.

A Template uploaded message appears, and the scan template appears on the Scan
Templates page.

What to do next:
l As needed, add passwords and compliance audit files to the imported template.

Delete a user-defined template

If you delete a user-defined scan template, Tenable Vulnerability Management deletes it from all
user accounts.

Before you begin:

l Delete any scans that use the template you want to delete. You cannot delete a scan template
if a scan is using the template.

To delete a user-defined scan template or templates:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

- 408 -
4. Select Manage Scan Templates.

The Scan Templates page appears.

5. Select the scan template or templates you want to delete:

l
Select a single scan template:
a. In the scans table, roll over the scan you want to launch.

b. In the row, click the button.

A menu appears.

c. In the menu, click the button.

A confirmation window appears.

l
Select multiple scan templates:
a. In the scan templates table, select the check box for each scan template you want
to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the user-defined scan template or templates you
selected.

Change user-defined template ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Template Permissions: Owner

To change the ownership of a user-defined scan template in the new interface:

- 409 -
1. Edit a user-defined template.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

4. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

5. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

6. (Optional) Edit permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

7. Click Save.

Tenable assigns ownership to the selected user and assigns your user account the
permissions you selected. If you removed all permissions for your user account from the
template, the template no longer appears in the templates table.

Scan Settings
Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

- 410 -
You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Scan settings are organized into the following categories:

Tenable Vulnerability Management Scans Tenable Web App Scanning Scans

l Basic Settings in User-Defined Templates l Basic Settings in User-Defined

Templates
l Basic Settings in Tenable Vulnerability
Management Scans l Basic Settings in Tenable Web App
Scanning Scans
l Discovery Settings in Tenable Vulnerability
Management Scans l Scope Settings in Tenable Web App
Scanning Scans
l Assessment Settings in Tenable
Vulnerability Management Scans l Report Settings in Tenable Web App
Scanning Scans
l Report Settings in Tenable Vulnerability
Management Scans l Assessment Settings in Tenable Web
App Scanning Scans
l Advanced Settings in Tenable Vulnerability
Management Scans l Advanced Settings in Tenable Web
App Scanning Scans
l Credentials in Tenable Vulnerability
Management Scans l Credentials in Tenable Web App
Scanning Scans
l Compliance in Tenable Vulnerability
Management Scans l Plugin Settings in Tenable Web App
Scanning Scans
l SCAP Settings in Tenable Vulnerability
Management Scans

l Configure Plugins in Tenable Vulnerability

Management Scans

Settings in User-Defined Templates

When configuring settings for user-defined templates, note the following:

- 411 -
l If you configure a setting in a user-defined template, that setting applies to any scans you
create based on that user-defined template.

l You base a user-defined template on a Tenable-provided template. Most of the settings are
identical to the settings you can configure in an individual scan that uses the same Tenable-
provided template.

However, certain Basic settings are unique to creating a user-defined template, and do not
appear when configuring an individual scan. For more information, see Basic Settings in User-
Defined Templates.

l You can configure certain settings in a user-defined template, but cannot modify those
settings in an individual scan based on a user-defined template. These settings include
Discovery, Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to
modify these settings for individual scans, create individual scans based on a Tenable-
provided template instead.

l If you configure Credentials in a user-defined template, other users can override these
settings by adding scan-specific or managed credentials to scans based on the template.

Tenable Vulnerability Management Scan Settings

Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Tenable Vulnerability Management scan settings are organized into the following categories:

l Basic Settings in User-Defined Templates

l Basic Settings in Tenable Vulnerability Management Scans

l Discovery Settings in Tenable Vulnerability Management Scans

l Assessment Settings in Tenable Vulnerability Management Scans

l Report Settings in Tenable Vulnerability Management Scans

l Advanced Settings in Tenable Vulnerability Management Scans

- 412 -
l Credentials in Tenable Vulnerability Management Scans

l Compliance in Tenable Vulnerability Management Scans

l SCAP Settings in Tenable Vulnerability Management Scans

l Configure Plugins in Tenable Vulnerability Management Scans

Settings in User-Defined Templates

When configuring settings for user-defined templates, note the following:

l If you configure a setting in a user-defined template, that setting applies to any scans you
create based on that user-defined template.

l If you configure Credentials in a user-defined template, other users can override these
settings by adding scan-specific or managed credentials to scans based on the template.

Basic Settings in Tenable Vulnerability Management Scans

Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-
defined templates, see Basic Settings in User-Defined Templates.

You can use Basic settings to specify organizational and security-related aspects of a scan
configuration. This includes specifying the name of the scan, its targets, whether the scan is
scheduled, and who has access to the scan.

- 413 -
Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

The Basic settings include the following sections:

l General

l Schedule

l Notifications

l User Permissions

General
The general settings for a scan.

Setting Default Value Description

Name None Specifies the name of the scan.

Description None (Optional) Specifies a description of the scan.

Scan Results Show in Specifies whether the results of the scan should
dashboard appear in workbenches, dashboards, and reports, or
be kept private.

When set to Keep private, the scan results Last Seen

dates do not update and you must access the scan
directly to view the results.

Private scan results do not show new Active findings

in the workbenches, dashboards, and reports, and
they do not transition the vulnerability states of
previously discovered findings to Fixed or
Resurfaced.

Note: Show in dashboard is always enabled for

triggered scans.

Folder My Scans Specifies the folder where the scan appears after
being saved.

- 414 -
You cannot specify a folder when you launch a
remediation scan. All remediation scans appear in the
Remediation Scans folder only.

Agent Groups None (Tenable Nessus Agent templates only) Specifies the
agent group or groups you want the scan to target. In
the drop-down box, select an existing agent group, or
create a new agent group.

Scanner Type Internal Scanner Specifies whether a local, internal scanner or a cloud-
managed scanner performs the scan, and determines
whether the Scanner field lists local or cloud-
managed scanners to choose from.

Scanner Auto-Select Specifies the scanner that performs the scan.

Select a scanner based on the location of the targets

you want to scan. For example:

l Select a linked scanner to scan non-routable

IP addresses.

Note: Auto-select is not available for cloud

scanners.

l Select a scanner group if you want to:

o Improve scan speed by balancing the scan
load among multiple scanners.
o Rebuild scanners and link new scanners in
the future without having to update
scanner designations in scan
configurations.

l Select Auto-Select to enable scan routing for

the targets.

Network Default Select the network of scanners and asset that you
want to scan with.

- 415 -
Unless your organization has created and uses custom
networks for specific business needs (for example,
scanning different sub-organizations, differentiating
between external and internal asset scanning, or
differentiating between ephemeral and static asset
scanning), Tenable recommends using the Default
network, which all scanners and scanner groups are
assigned to by default.

For more information about networks, see Networks.

Tags None Select one or more tags to scan all assets that have
any of the specified tags applied. To see a list of
assets identified by the specified tags, click View
Assets.

IP Selection Internal (Required) Select whether to run a tag-based scan on

Internal or External IP addresses.

l Internal — RFC 1918 (private) IP addresses.

l External — Non-RFC 1918 (public) IP addresses.

Note: You can use your organization's non-cloud

scanners to scan both Internal and External targets.
Cloud scanners can only be used to scan External
targets.

Tip: If you need to scan both External and Internal

targets with the same tag or tags, create two different
scan configurations; one scan that targets External IPs,
and one scan that targets Internal IPs.

Tenable Vulnerability Management evaluates the

identifiers to determine a single target in the following
order:

1. Last scan target

2. Most recent IPv4

- 416 -
3. Most recent IPv6

4. Most recent FQDN added

Note: Scan routing is available for linked scanners only.

Use Tag Rules Existing tagged (Required) Specifies whether Tenable Vulnerability
as Targets assets only Management scans tagged assets only, or any assets
that which the selected tags' rules apply to.

l Existing tagged assets only — Tenable

Vulnerability Management scans all existing
assets that have any of the specified tags
applied.

l Targets defined by tags — Tenable Vulnerability

Management scans all assets whose IP address
or DNS matches the rules of the specified tag.
The Targets defined by tags option only works
for the following tag rules: IPv4, IPv6, and DNS.

Note: If you select the Match All filter, you

can have only one tag rule. Otherwise, the
tag resolves to empty targets.
If you select the Match Any filter, you are
allowed to have more than one tag rule. All
tag rules resolve as targets as long as the
rules are for IPv4, IPv6, and DNS.

For example, you create a scan policy that scans for a

tag with a tag rule that specifies a certain IPv4 range.
The example tag name is My IPv4s.

l If you choose Existing tagged assets only,

Tenable Vulnerability Management only scans
assets that are already tagged with the My IPv4s
tag.

- 417 -
l If you choose Targets defined by tags, Tenable
Vulnerability Management scans any assets
whose IPv4 addresses are within the range
specified in the My IPv4s tag rule.

For more information about tags and tag rules, see

Tags and Tag Rules.

Scan Window Disabled (Tenable Nessus Scanner templates only) Specifies

the timeframe after which the scan automatically
stops. Use the drop-down box to select an interval of
time, or click to type a custom scan window.

Note: The scan window timeframe only applies to the

scan job. After the scan job completes within the
timeframe, or once the scan job stops due to the scan
window ending, Tenable Vulnerability Management may
still need to index the scan job. This can cause the scan
not to show as Completed after the scan window is
complete. Once Tenable Vulnerability Management
indexes the scan, it shows as Completed.

Scan Type Scan Window (Tenable Nessus Agent templates only) (Required)
Specifies whether the agent scans occur based on a
scan window or triggers:

l Scan Window — Specifies the timeframe during

which agents must report in order to be included
and visible in vulnerability reports. Use the drop-
down box to select an interval of time, or click
to type a custom scan window.

Window scans must be explicitly launched or

scheduled to launch at a particular time.

l Triggered Scan — Specifies the triggers that

cause agents to report in. Use the drop-down
boxes to select from the following trigger types:

- 418 -
l Interval — The time interval (hours)
between each scan (for example, every 12
hours).

l File Name — The file name that triggers

the agent scan. The scan triggers when the
file name is detected in the trigger
directory.

Tip: You can set multiple triggers for a single

scan, and the scan searches for the triggers in
their listed order (in other words, if the first
trigger does not trigger the scan, it searches for
the second trigger).

To learn more about triggered agent scanning,

see Triggered Agent Scans.

Note: Tenable Vulnerability Management ignores

triggered agent scan data that is older than 14
days. This ensures that Tenable Vulnerability
Management is not processing stale data from
agents that have been offline for extended
periods of time.

Info-level Triggered agent (Tenable Nessus Agent vulnerability templates only)

Reporting scans — After 10 (Required) Specifies how often the agent scan should
scans report unchanged Info-severity vulnerability findings.
To learn more about this setting, see Info-level
Scan Window
Reporting.
agent scans —
After 10 days You can configure the agent scan to report all severity
findings by launching a new baseline scan after one of
Note: Tenable the following intervals:
highly
recommends l After number of scans — The agent scan
using the
reports all findings every x number of scans. You
default values.
Only lower the choose from the following increments: 4, 7, 10,

- 419 -
value if doing 15, or 20 scans.
so is necessary l After number of days — The agent scan reports
for your
organization. all findings after a set number of days after the
previous day on which the agent scan last
reported all findings. You choose from the
following increments: 7, 10, 20, 30, 60, or 90
days.

You can only set triggered agent scans to After

number of scans. You can set Scan Window
scans to either After number of scans or After
number of days.

Target Groups None You can select or add a new target group to which the
scan applies. Assets in the target group are used as
scan targets.

Note: Tenable plans to deprecate target groups in the

near future. Currently, you can still create and manage
target groups. However, Tenable recommends that you
instead use tags to group and scan assets on your
Tenable Vulnerability Management instance.

Targets None Specifies one or more targets to be scanned. If you

select a target group or upload a target file, you are
not required to specify additional targets.

Targets can be specified using a number of different

formats.

The targets you specify must be appropriate to the

scanner you select for the scan. For example, cloud
scanners cannot scan non-routable IP addresses.
Select an internal scanner instead.

Tip: You can force Tenable Vulnerability Management to

use a given hostname for a server during a scan by using

- 420 -
the hostname[ip] syntax (for example,
[Link][[Link]]). However, you
cannot use this approach if you enable scan routing for
the scan.

Note: You cannot apply more than 300,000 IP address

targets to a scan. To learn more about scan limitations
in Tenable Vulnerability Management, see Scan
Limitations.

Note: See Permissions for more information on how

permissions affect targets.

Upload Targets None Uploads a text file that specifies the targets.

The targets file must be formatted in the following

manner:

l ASCII file format

l Only one target per line

l No extra spaces at the end of a line

l No extra lines following the last target

Note: Unicode/UTF-8 encoding is not supported.

Policy None This setting appears only when the scan owner edits
an existing scan that is based on a user-defined scan
template.

Note: After scan creation, you cannot change the

Tenable-provided scan template on which a scan is
based.

In the drop-down box, select a user-defined scan

template on which to base the scan. You can select
user-defined scan templates for which you have Can
View or higher permissions.

- 421 -
In most cases, you set the user-defined scan template
at scan creation, then keep the same template each
time you run the scan. However, you may want to
change the user-defined scan template when
troubleshooting or debugging a scan. For example,
changing the template makes it easy to enable or
disable different plugin families, change performance
settings, or apply dedicated debugging templates with
more verbose logging.

When you change the user-defined scan template for

a scan, the scan history retains the results of scans
run under the previously assigned template.

Schedule
The scan schedule settings.

By default, scans are not scheduled. When you first access the Schedule section, the Enable
Schedule setting appears, set to Off. To modify the settings listed on the following table, click the
Off button. The rest of the settings appear.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.

Default
Setting Description
Value

Frequency Once Specifies how often the scan is launched.

l Once: Schedule the scan at a specific time.

l Daily: Schedule the scan to occur every 1-20

days, at a specific time.

l Weekly: Schedule the scan to occur every 1-

20 weeks, by time and day or days of the
week.

l Monthly: Schedule the scan to occur every 1-

- 422 -
20 months, by:

l Day of Month: The scan repeats monthly

on a specific day of the month at the
selected time. For example, if you select
a start date of October 3, the scan
repeats on the 3rd of each subsequent
month at the selected time.

l Week of Month: The scan repeats

monthly on a specific day of the week.
For example, if you select a start date of
the first Monday of the month, the scan
runs on the first Monday of each
subsequent month at the selected time.

Note: If you schedule your scan to recur

monthly and by time and day of the month,
Tenable recommends setting a start date no
later than the 28th day. If you select a start
date that does not exist in some months (for
example, the 29th), Tenable Vulnerability
Management cannot run the scan on those
days.

l Yearly: Schedule the scan to occur every 1-20

years, by time and date.

Starts Varies Specifies the exact date and time when a scan
launches.

The starting date defaults to the date when you are

creating the scan. The starting time is the nearest
half-hour interval. For example, if you create your
scan on 09/08/2023 at 9:16 AM, the default starting
date and time is set to 09/08/2023 and 09:30.

Timezone Zulu Specifies the timezone of the value set for Starts.

- 423 -
Repeat Every Varies Specifies the interval at which a scan is relaunched.
The default value of this item varies based on the
frequency you choose.

Repeat On Varies Specifies what day of the week a scan repeats. This
item appears only if you specify Weekly for
Frequency.

The value for Repeat On defaults to the day of the

week on which you create the scan.

Repeat By Day of the Specifies when a monthly scan is relaunched. This

Month item appears only if you specify Monthly for
Frequency.

Summary N/A Provides a summary of the schedule for your scan

based on the values you have specified for the
available settings.

Notifications
The notification settings for a scan.

Default
Setting Description
Value

Email None Specifies zero or more email addresses (separated by commas)

Recipient(s) that are alerted when a scan completes and the results are
available.

Result Filters None Defines the type of information to be emailed.

User Permissions
You can share the scan with other users by setting permissions for users or groups. When you
assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

- 424 -
Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

Can View Groups and users with this permission can view the results of the scan,
export the scan results, and move the scan to the Trash folder. They cannot
view the scan configuration or permanently delete the scan.

Can Execute In addition to the tasks allowed by Can View, groups and users with this
permission can launch, pause, and stop a scan. They cannot view the scan
configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Can Edit In addition to the tasks allowed by Can Execute, groups and users with this
permission can view the scan configuration and modify any setting for the
scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

l A basic user cannot run a scan or configure a scan, regardless of
the permissions assigned to that user in the individual scan.
l An administrator always has the equivalent of Can Edit permissions,
regardless of the permissions set for the administrator account in
the individual scan. This does not apply to user-defined scan
templates.

Basic Settings in User-Defined Templates

Note: This topic describes Basic settings you can set in user-defined templates. For Basic settings in
individual scans, see Basic Settings in Tenable Vulnerability Management Scans .

You can use Basic settings to specify basic aspects of a user-defined template, including who has
access to the user-defined template.

- 425 -
The Basic settings include the following sections:

l General

l Permissions

General
The general settings for a user-defined template.

Default
Setting Description
Value

Name None Specifies the name of the user-defined template.

Description None (Optional) Specifies a description of the user-defined

template.

Permissions
You can share the user-defined template with other users by setting permissions for users or
groups. When you assign a permission to a group, that permission applies to all users within the
group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission Description

No Access (Default user only) Groups and users set to this permission cannot interact
with the scan in any way.

- 426 -
Note: In addition to Can Execute permissions for the scan, users running a scan
must have Can Scan permissions in an access group for the specified target, or
the scanner does not scan the target.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

Authentication
In user-defined templates, you can use Authentication settings to configure the authentication
Tenable Vulnerability Management performs for credentialed scanning.

Tip: The Authentication settings are equivalent to the Scan-wide Credential Type Settings in Tenable-
provided scan templates.

Setting Default Value Description

SNMPv1/v2c

equivalent to Scans > Credentials > Plaintext Authentication > SNMPv1/v2c

- 427 -
UDP Port 161 Ports where Tenable Vulnerability Management
attempts to authenticate on the host device.
Additional 161
UDP port #1

Additional UDP 161

port #2

Additional UDP 161

port #3

HTTP

equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Re-authenticate 0 The time delay between authentication attempts.

delay (seconds) Setting a time delay is useful to avoid triggering brute
force lockout mechanisms.

Follow 30x 0 If a 30x redirect code is received from a web server,

redirections (# of this setting directs Tenable Vulnerability Management
levels) to follow the link provided or not.

Invert Disabled A regex pattern to look for on the login page, that if
authenticated found, tells Tenable Vulnerability Management that
regex authentication was not successful (e.g., Authentication
failed!).

Use Disabled Rather than search the body of a response, Tenable

authenticated Vulnerability Management can search the HTTP
regex on HTTP response headers for a given regex pattern to better
headers determine authentication state.

Case insensitive Disabled he regex searches are case sensitive by default. This
authenticated instructs Tenable Vulnerability Management to ignore
regex case.

- 428 -
telnet/rsh/rexec

equivalent to Scans > Credentials > Plaintext Authentication > telnet/ssh/rexec

Perform patch Disabled Tenable Vulnerability Management uses telnet to

audits over telnet connect to the host device for patch audits.

Perform patch Disabled Tenable Vulnerability Management uses rsh to connect

audits over rsh to the host device for patch audits.