Tenable Vulnerability Management

User Guide
Last Revised: September 17, 2025

Copyright © 2025 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents

Welcome to Tenable Vulnerability Management

Get Started with Tenable Vulnerability Management

Plan Your Deployment

Install and Configure Sensors

Configure Application Settings

Analyze Your Attack Surface

Tenable Vulnerability Management Licenses

System Requirements

Sensor Connection Requirements

Log in to Tenable Vulnerability Management

CVSS vs. VPR

CVSS

CVSS-Based Severity

CVSS-Based Risk Factor

Vulnerability Priority Rating

VPR Key Drivers

Vulnerability Severity Indicators

Vulnerability Mitigation

Vulnerability States

Log Out of Tenable Vulnerability Management

Navigate Tenable Vulnerability Management

My Account

View Your Account Details

Update Your Account

Change Your Password

Configure Two-Factor Authentication

Generate API Keys

Unlock Your Account

Breadcrumbs

Planes

Tables

Use Tables

Customize Table Columns

Right-Click Menu

Filter a Table

Explore Tables

Use Filters

Use the Context Menu

Customize Explore Tables

Query Builder

Saved Queries

Manage Queries

Export Findings or Assets

Error Messages

Dashboards

Vulnerability Management Dashboard

Vulnerability Management Overview (Explore)

Tenable Web App Scanning Dashboard

View the Dashboards Page

Tenable-Provided Dashboards

Export a Full Dashboard Landing Page

Export an Individual Dashboard Widget

View an Individual Dashboard

View the Dashboard Template Library

Create a Dashboard

Preview a Dashboard

Enable Explore Dashboards

Manage Dashboards

Dashboard Groups

Add a Dashboard Group

Share a Dashboard Group

Edit a Dashboard Group

Delete a Dashboard Group

Automatically Update Widgets on a Dashboard

Edit a Dashboard

Set a Default Dashboard

Rename a Dashboard

Duplicate a Dashboard

Filter a Dashboard

Filter a Dashboard by Time

Share a Dashboard

Manage Dashboard Exports

Export a Dashboard

Download a Dashboard Export

View Dashboard Export History

Delete a Dashboard Export Download

Delete a Dashboard Export Configuration

Delete a Dashboard

Manage Widgets

View the Widget Library

Delete a Widget from the Widget Library

Create a Custom Widget

Create a Custom Widget for Explore Dashboards

Edit a Custom Widget

Add a Widget to a Dashboard

Configure a Widget

Duplicate a Widget

Rename a Widget

Delete a Widget from a Dashboard

Scans

Manage Scans

Scans Overview

Create a Scan

View Scans

View Scan Details

View Scan Vulnerability Details

Scan Filters

Launch a Scan

Launch a Scan

Launch a Rollover Scan

Launch a Remediation Scan

Stop a Running Scan

Pause or Resume a Scan

Change Scan Ownership

Change the Scan Read Status

Edit a Scan Configuration

Configure vSphere Scanning

About VMware Credentialed Checks

VMware vCenter Support Matrix

Copy a Scan Configuration

Export Scan Results

Import a Scan

Organize Scans by Folder

Move a Scan to the Trash Folder

Delete a Scan

Discovery Scans vs. Assessment Scans

Identify Assets That Have Not Been Assessed

Scan Failovers

Scan Status

Shared Collections

Scan Templates

Tenable-Provided Tenable Nessus Scanner Templates

Tenable-Provided Tenable Agent Templates

Tenable-Provided Tenable Web App Scanning Templates

User-Defined Templates

Scan Settings

Tenable Vulnerability Management Scan Settings

Basic Settings in Tenable Vulnerability Management Scans

Basic Settings in User-Defined Templates

Scan Targets

Target Groups

Info-level Reporting

Description

Configuration

Limitations and Considerations

Discovery Settings in Tenable Vulnerability Management Scans

Preconfigured Discovery Settings

Assessment Settings in Tenable Vulnerability Management Scans

Preconfigured Assessment Settings

Report Settings in Tenable Vulnerability Management Scans

Advanced Settings in Tenable Vulnerability Management Scans

Preconfigured Advanced Settings

Credentials in Tenable Vulnerability Management Scans

Add a Credential to a Scan

Edit a Credential in a Scan

Add a Credential to a User-defined Template

Edit a Credential in a User-defined Template

Convert a Scan-specific Credential to a Managed Credential

Cloud Services

Database Credentials

Cassandra

Delinea Secret Server Auto-Discovery

DB2

MongoDB

MySQL

Oracle

PostgreSQL

SQL Server

Sybase ASE

Database Credentials Authentication Types

Client Certificate

Password

Import

BeyondTrust

CyberArk

CyberArk (Legacy)

Delinea

Delinea Auto Discovery

HashiCorp Vault

Lieberman

QiAnXin

Senhasegura

Host

Privilege Escalation

Miscellaneous

Mobile

Patch Management

Plaintext Authentication

Compliance in Tenable Vulnerability Management Scans

SCAP Settings in Tenable Vulnerability Management Scans

Configure Plugins in Tenable Vulnerability Management Scans

Tenable Web App Scanning Scan Settings

Basic Settings in Tenable Web App Scanning Scans

Scope Settings in Tenable Web App Scanning Scans

Assessment Settings in Tenable Web App Scanning Scans

Report Settings in Tenable Web App Scanning Scans

Advanced Settings in Tenable Web App Scanning Scans

Credentials in Tenable Web App Scanning Scans

Tenable Web App Scanning Selenium Commands

HTTP Server Authentication Settings in Tenable Web App Scanning Scans

Web Application Authentication

Client Certificate Authentication

Plugin Settings in Tenable Web App Scanning Scans

Scan Distribution

Overview

How Tenable Vulnerability Management Distributes Scans

Scan Job Creation and Queuing

Scan Task Assignment

View Live Results

Scan Routing

Configuration Guidelines

Scan Best Practices

Introduction

General Best Practices

Role-Based Access Control (RBAC)

Credentialed Scanning

Proper Inventory of Assets

Deleting Assets

Agent Scanning

Scan Hygiene

API Scan Creation Best Practices

Server with Multiple NICs

Firewall and Layer 3 Switches

Agents and Non-Credentialed Scans

Ephemeral Assets

Scanning during Maintenance Windows

Scan Limitations

Triggered Agent Scans

Triggered vs. Window Scans

Disable and Re-enable Triggered Scans

Find Triggered Scan Details

Continuous Assessment Scanning

Vulnerability Intelligence

Search Known Vulnerabilities

Export CVE Details

View Vulnerability Profiles

Vulnerability Information

How Does This Affect Me

Sources

Vulnerability Metrics

Identify Your Exposure

CVEs

My Findings

My Affected Assets

Plugins

Tag Affected Assets

Export Findings or Assets

Vulnerability Intelligence Filters

Vulnerability Categories

Exposure Response

Create Initiatives

Edit or Delete Initiatives

Review Initiatives

Findings on Assets

How Am I Doing?

What's New?

My Findings and Affected Assets

Export from Exposure Response

Tag Affected Assets

My Findings

My Affected Assets

Plugins

View the Combination Timeline

Manage Combinations

Create Combinations

Edit or Delete Combinations

Copy Shared Combinations

Exposure Response Filters

Use Report Cards

Explore

Assets

Use the Assets Page

View Asset Details

Asset Types

Export Assets

Explore Assets Export Fields and Associated CSV Keys

Move Assets Between Networks

Add Assets to Current Scans

Edit Asset ACR

Delete Assets

Asset Filters

Asset Columns

Findings

Use the Findings Page

View Findings Details

Findings Types

Create Recast Rules from the Findings Page

Generate Findings Reports

Export Findings

Findings Export Fields and Associated CSV Keys

Findings Filters

Findings Columns

Saved Views

Saved Views

Access Saved Views

Manage Saved Views

Assets

Use the Assets Workbench

Host Assets

Cloud Resources

Web Applications

Domain Inventory

View Asset Details

Host Asset Details

Cloud Resource Details

Web Application Details

Domain Inventory Preview

Asset Filters

Open Ports and the Assets workbench

Working with Ports

Supported Plugins

Asset Widgets

Edit the ACR for Host Assets

Move Assets to Another Network

Remove and Prevent Duplicate Assets

Download Inventory Data

Delete Assets

Findings

Use the Findings Workbench

Vulnerabilities

Cloud Misconfigurations

Host Audits

Web Application Findings

View Finding Details

Vulnerability Details

Cloud Misconfiguration Details

Host Audit Details

Web Application Findings Details

Findings Filters

Group Your Findings

Create Recast Rules from Findings

Generate a Findings Report

Solutions

View Solutions

Solutions Filters

Export Solutions

View Solution Details

Reports

Report Templates

Create a Report

Generate a Report

View Report Details

Share Report Templates

Edit an Existing Report

Filter Reports

Schedule a Report

Email Report Results

Edit a Report Schedule

Delete a Report

Exports

Scheduled Exports

View Your Scheduled Exports

Disable a Scheduled Export

Enable a Disabled Scheduled Export

Edit a Scheduled Export

Delete a Scheduled Export

Export Activity

Filter your Exports

Export Filters

Renew an Export Expiration Date

Stop an Export

Download Export Activity

Export your Export Activity

Delete an Export

Remediation

View Remediations

Remediation Filters

Remediation Projects

Create a New Remediation Project

Create a New Remediation Project From Findings

View Remediation Project Details

Remediation Project Details

Edit a Remediation Project

Activate a Remediation Project

Suspend a Remediation Project

Close a Remediation Project

Export Remediation Projects

Delete a Remediation Project

Remediation Goals

Fixed-Scope and Ongoing Remediation Goals

Create a New Remediation Goal

View Remediation Goal Details

Edit a Remediation Goal

Activate a Remediation Goal

Suspend a Remediation Goal

Close a Remediation Goal

Export Remediation Goals

Delete a Remediation Goal

Settings

General Settings

SAML

View SAML Configurations

Add a SAML Configuration

Edit a SAML Configuration

Disable a SAML Configuration

Enable a SAML Configuration

Enable Automatic Account Provisioning

Disable Automatic Account Provisioning

Delete a SAML Configuration

License Information

Access Control

Users

Create a User Account

Edit a User Account

View Your List of Users

Tenable Vulnerability Management Password Requirements

Change Another User's Password

Assist a User with Their Account

Generate Another User's API Keys

Unlock a User Account

Disable a User Account

Enable a User Account

Manage User Access Authorizations

Export Users

Delete a User Account

User Groups

Create a User Group

Edit a User Group

Export Groups

Delete a Group

Permissions

Create and Add a Permission Configuration

Add a Permission Configuration to a User or Group

Edit a Permission Configuration

Export Permission Configurations

Remove a Permission Configuration from a User or Group

Delete a Permission Configuration

Roles

Tenable-Provided Roles and Privileges

Custom Roles

Create a Custom Role

Duplicate a Role

Edit a Custom Role

Delete a Custom Role

Export Roles

API Access Security

Activity Logs

Export Activity Logs

Access Groups

Transition to Permission Configurations

Convert an Access Group to a Permission Configuration

Access Group Types

Restrict Users for All Assets Group

Create an Access Group

Configure User Permissions for an Access Group

Edit an Access Group

View Assets Not Assigned to an Access Group

View Your Assigned Access Groups

Delete an Access Group

Access Group Rule Filters

Scan Permissions Migration

Language

Exports

Scheduled Exports

View Your Scheduled Exports

Disable a Scheduled Export

Enable a Disabled Scheduled Export

Edit a Scheduled Export

Delete a Scheduled Export

Export Activity

Filter your Exports

Export Filters

Renew an Export Expiration Date

Stop an Export

Download Export Activity

Export your Export Activity

Delete an Export

Recast Rules

About Recast and Accept Rules

Recast Rules

Accept Rules

About Change Result and Accept Rules

Create Recast Rules from Settings

Manage Recast Rules

Tags

Examples: Asset Tagging

Tag Format and Application

Create a Manual or Automatic Tag

Considerations for Tags with Rules

Tag Rules

Create a Tag Rule

Edit a Tag Rule

Delete A Tag Rule

Tag Rules Filters

Create a Tag via Asset Filters

Edit a Tag or Tag Category

Edit a Tag via Asset Filters

Add a Tag to an Asset

Remove a Tag from an Asset

Export Tags

Delete a Tag Category

Delete a Tag

Search for Assets by Tag from the Tags Table

Sensors

Agents

Agent Settings

Modify Remote Agent Settings

Modify Global Agent Settings

Agent Groups

Create an Agent Group

Add an Agent to an Agent Group

Edit an Agent Group

Delete an Agent Group

Remove an Agent from an Agent Group

View Agents in an Agent Group

Agent Group Filters

Agent Profiles

Add or Remove Agents from Agent Profiles

Freeze Windows

Create a Freeze Window

Edit a Freeze Window

Enable or Disable a Freeze Window

Export Freeze Windows

Delete a Freeze Window

Retrieve the Tenable Agent Linking Key

Download Linked Agent Logs

Restart an Agent

Unlink an Agent

Rename an Agent

View Linked Agent Health Events

Health Event Troubleshooting

Export Linked Agents

Export Linked Agent Details

Filter Agents

Agent Filters

Agent Status

Plugin Updates

Connection Disruptions

Agent Safe Mode

Restart the agents

Rebuild or reset the agent plugins

Upgrade or downgrade the agent version

Networks

Create a Network

View or Edit a Network

Add a Scanner to a Network

Remove a Scanner from a Network

Add an Agent to a Network

Remove an Agent from a Network

Move Assets to a Network via Settings

Delete Assets in a Network

Delete Assets Manually

Delete Assets Automatically

Export Networks

Delete a Network

Linked Scanners

View Linked Scanners

Rename a Linked Scanner

Download Linked Scanner Logs

Export Linked Scanners

Export Linked Scanner Details

Differential Plugin Updates

Scanner Groups

Create a Scanner Group

Modify a Scanner Group

Configure User Permissions for a Scanner Group

Delete a Scanner Group

Add a Sensor to a Scanner Group

Remove a Sensor from a Scanner Group

View Sensors in a Scanner Group

View All Running Scans for a Sensor

OT Connectors

Cloud Sensors

Tenable FedRAMP Moderate Cloud Sensors

Sensor Security

Link a Sensor

Regenerate a Linking Key

View Sensors and Sensor Groups

View Sensor Details

Edit Sensor Settings

Edit Sensor Permissions

Enable or Disable a Sensor

Remove a Sensor

Credentials

Create a Managed Credential

Edit a Managed Credential

Configure User Permissions for a Managed Credential

Export Credentials

Delete a Managed Credential

Exclusions

Create an Exclusion

Edit an Exclusion

Import an Exclusion

Exclusion Import File

Export an Exclusion

Delete an Exclusion

Exclusion Settings

Connectors

Amazon Web Services Connector

AWS Cloud Connector (Discovery Only)

AWS Connector with Keyless Authentication (Discovery Only)

Configure AWS for Keyless Authentication (Discovery Only)

Create an AWS Connector with Keyless Authentication (Discovery Only)

AWS Connector with Key-based Authentication

Configure AWS for Key-based Authentication

Configure Linked AWS Accounts for Key-based Authentication

Create an AWS Connector with Key-based Authentication

Microsoft Azure Connector

Configure Microsoft Azure (Discovery Only)

Create Azure Application

Obtain Azure Tenant ID (Directory ID)

Obtain Azure Subscription ID

Grant the Azure Application Reader Role Permissions

Link Azure Subscriptions

Create a Microsoft Azure Connector

Google Cloud Platform Connector

Configure Google Cloud Platform (GCP)

Create a Google Cloud Platform Connector (Discovery Only)

Create a GCP Connector with Workload Identity Federation Authentication (Discovery Only)

Add Principal to Service Account in GCP

Create a GCP Workload Identity Pool and Download the Configuration File

Manage Existing Connectors

Launch a Connector Import Manually

View Connectors Details

View Connector Event History

Edit a Connector

Delete a Connector

Tenable Data Stream

Configure Tenable Data Stream

Tenable Data Stream Best Practices

Manifest Files

Manifest File Properties

Assets Payload Files

Assets Properties

Asset Enriched Attributes Payload Files

Asset Enriched Attributes Properties

Findings Payload Files

Findings Properties

Host Audit Payload Files

Host Audit Properties

Tags Payload Files

Tags Properties

Web App Scanning Asset Payload Files

Web App Scanning Asset Properties

Web App Scanning Findings Payload Files

Web App Scanning Findings Properties

Welcome to Tenable Lumin

Get Started with Tenable Lumin

Tenable Lumin Metrics

Improve Your Tenable Lumin Metrics

Edit an ACR Manually

Tenable Lumin Data Timing

View the Tenable Lumin Dashboard

Export the Tenable Lumin Dashboard Landing Page

Export a Widget from the Tenable Lumin Dashboard

Update the Tenable Lumin Industry Benchmark

Tenable Lumin Dashboard Widgets

View the CES Details Panel

View Assessment Maturity Details

View Remediation Maturity Details

View Business Context/Tag Asset Details

View Mitigations Details in Tenable Lumin

Plugins for Mitigation Detection

Export Mitigations

Mitigations Export File Contents

View and Download Exported Mitigations

View Recommended Actions

Export Recommended Actions

Recommended Actions Export File Contents

Welcome to Tenable Vulnerability Management
Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit
teams to share multiple Tenable Nessus, Tenable Agent, and Tenable Network Monitor scanners,
scan schedules, scan policies, and scan results among an unlimited set of users or groups.

Note: Tenable Vulnerability Management can be purchased alone or as part of the Tenable One package.
For more information, see Tenable One.

For additional information on Tenable Vulnerability Management, review the following customer
education course:

- Tenable Vulnerability Management Introduction (Tenable University)

Tenable One Exposure Management Platform


Tenable One is an Exposure Management Platform to help organizations gain visibility across the
modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk
to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources,
containers, web apps, and identity systems, builds on the speed and breadth of vulnerability
coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and
communicate cyber risk. Tenable One allows organizations to:

- Gain comprehensive visibility across the modern attack surface

- Anticipate threats and prioritize efforts to prevent attacks

- Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of
the Tenable One Exposure Management platform.

Tip: For additional information on getting started with Tenable One products, check out the Tenable One
Deployment Guide.

Get Started with Tenable Vulnerability Management

This topic explains how to plan a Tenable Vulnerability Management deployment. It includes
high-level guidance to build a deployment plan, configure scanners and application settings, start
analyzing vulnerability data, and—when ready—expand into Tenable One.

Plan Your Deployment

Establish a deployment plan:

1. Contact your Tenable representative and get your product access information and account
credentials.

2. Analyze your network topology, considering Tenable-recommended best practices, as
described in the General Requirements Guide.

3. Choose additional Tenable product licenses based on your organizational needs:

   - If you want to assess your exposure, obtain a Tenable Lumin license.

   - If you want to scan web applications, obtain a Tenable Web App Scanning license.

   - If you want to evaluate risk on your containers, obtain a Tenable Container Security
     license.

4. Choose a scanning plan, including the scans to run, consulting the Professional Services Scan
Strategy guide if needed.

5. Design an analysis workflow, identifying key stakeholders and considering what data you
intend to share.

Install and Configure Sensors

To install and configure sensors:

1. Install the sensors chosen in your deployment plan:

   - Install Tenable Nessus as described in the Tenable Nessus User Guide.

   - Install Tenable Agents as described in the Tenable Agent Deployment and User Guide.

   - Install Tenable Network Monitor and then configure your installation as described in
     the Tenable Agent Deployment and User Guide.

   - Install Tenable Core and Tenable Web App Scanning as described in the Tenable Core
     User Guide.

2. Link sensors to Tenable Vulnerability Management, as described in Link a Sensor.

3. Configure your first active scan using the Basic Network Scan template:

a. Create a scanner group, as described in Create a Scanner Group.

b. Create a scan using the Basic Network Scan template, as described in Create a Scan.

4. Configure your first agent scan using the Basic Agent Scan template:

a. Create an agent group, as described in Create an Agent Group.

b. Create an agent scan using the Basic Agent Scan template, as described in Create a
Scan.

5. Launch your first Tenable Nessus scan and agent scan, as described in Launch a Scan.

6. Confirm that scans completed, accessing all targeted areas of your network. Review
discovered assets.

Configure Application Settings

Configure other settings in Tenable Vulnerability Management:

1. Create user accounts for the users in your organization.

2. Create user groups to control user permissions for the resources in Tenable Vulnerability
Management.

3. Add asset tags to organize and identify the assets to scan.

4. Set up asset discovery with connectors, Professional Services integrations, or integrated
products (as described in the Integration Guides section of the Tenable Vulnerability
Management Documentation page).

5. Configure managed credentials, scan-specific credentials, or policy-specific credentials for a
Tenable Nessus scan, as described in Credentials. For more information about configuring
and troubleshooting credentialed scans, see Tenable Nessus Credentialed Checks.

a. Launch your credentialed Tenable Nessus scan and credentialed agent scan, as
described in Launch a Scan.

b. Confirm your credentialed scan completed, accessing all targeted areas of your network.

Analyze Your Attack Surface

Use the following features in Tenable Vulnerability Management to understand your
vulnerabilities:

1. View your scans and scan details.

2. View scanned assets and vulnerabilities on the Findings and Assets workbenches.

3. With Vulnerability Intelligence, view known vulnerabilities by category and compare them to
your own exposure.

4. With Exposure Response, create initiatives to track remediation projects.

5. With reports, share scan and vulnerability information with your organization.

6. Use custom dashboards to get visual overviews of your attack surface.

Expand into Tenable One


Note: This requires a Tenable One license. For more information about trying Tenable One, see Tenable
One.

Integrate Tenable Vulnerability Management with Tenable One and leverage the following features:

- Access the Exposure View page, where you can gain critical business context by getting a
  business-aligned cyber exposure score for critical business services, processes and functions,
  and track delivery against SLAs. Track overall VM risk to understand the risk contribution of
  assets to your overall Cyber Exposure Score, including by asset class, vendor, or by tags.

  - View and manage cyber exposure cards.
  - View CES and CES trend data for the Global and Vulnerability Management exposure
    cards.
  - View Remediation Service Level Agreement (SLA) data.
  - View Tag Performance data.

- Access the Exposure Signals page, where you can generate exposure signals that use
  queries to search for asset violations. Simply put, if an asset is impacted by a weakness
  related to the query, then the asset is considered a violation. Using this, you can gain visibility
  into your most critical risk scenarios.

  - Find top active threats in your environment with up-to-date feeds from Tenable
    Research.

  - View, generate, and interact with the data from queries and their impacted asset
    violations.

  - Create custom exposure signals to view business-specific risks and weaknesses.

- Access the Inventory page, where you can enhance asset intelligence by accessing deeper
  asset insights, including related attack paths, tags, exposure cards, users, relationships, and
  more. Improve risk scoring by gaining a more complete view of asset exposure, with an asset
  exposure score that assesses total asset risk and asset criticality.

  - View and interact with the data on the Assets tab:
    - Review your AD assets to understand the strategic nature of the interface. This
      should help set your expectations on what features to use within Tenable Exposure
      Management, and when.
    - Familiarize yourself with the Global Asset Search and its objects and properties.
      Bookmark custom queries for later use.
    - Find devices, user accounts, software, cloud assets, SaaS applications, networks,
      and their weaknesses.
    - Drill down into the Asset Details page to view asset properties and all associated
      context views.
  - View and interact with the data on the Weaknesses tab:
    - View key context on vulnerability and misconfiguration weaknesses to make the
      most impactful remediation decisions.
  - View and interact with the data on the Software tab:
    - Gain full visibility of the software deployed across your business and better
      understand the associated risks.
    - Identify what software may be out of date, and which pieces of software may soon
      be End of Life (EoL).
  - View and interact with the data on the Findings tab:
    - View instances of weaknesses (vulnerabilities or misconfigurations) appearing on
      an asset, identified uniquely by plugin ID, port, and protocol.
    - Review insights into those findings, including descriptions, assets affected,
      criticality, and more to identify potential security risks, visibility on under-utilized
      resources, and support compliance efforts.

- Access the Attack Path page, where you can optimize risk prioritization by exposing risky
  attack paths that traverse the attack surface, including web apps, IT, OT, IoT, identities, ASM,
  and prevent material impact. Streamline mitigation by identifying choke points to disrupt attack
  paths with mitigation guidance, and gain deep expertise with AI insights (Not supported in
  FedRAMP environments).

  - View the Dashboard tab for a high-level view of your vulnerable assets such as the
    number of attack paths leading to these critical assets, the number of open attack
    techniques and their severity, a matrix to view paths with different source node exposure
    score and ACR target value combinations, and a list of trending attack paths.
    - Review the Top Attack Path Matrix and click the Top Attack Paths tile to view
      more information about paths leading to your “Crown Jewels”, or assets with an
      ACR of 7 or above.

      You can adjust these if needed to ensure you’re viewing the most critical attack path
      data.
  - On the Top Attack Techniques tab, view all attack techniques that exist in one or more
    attack paths that lead to one or more critical assets by pairing your data with advanced
    graph analytics and the MITRE ATT&CK® Framework to create attack techniques,
    which allow you to understand and act on the unknowns that enable and amplify threat
    impact on your assets and information.
  - On the Top Attack Paths tab, generate attack path queries to view your assets as part of
    potential attack paths:
    - Generate an Attack Path with a Built-in Query
    - Generate an Attack Path Query with the Attack Path Query Builder
    - Generate an Asset Query with the Asset Query Builder

    Then, you can view and interact with the Attack Path Query and Asset Query data via the
    query result list and the interactive graph.
  - Interact with the MITRE ATT&CK Heatmap tab.

- View and interact with the data in the Tags page:

  - Create and manage tags to highlight or combine different asset classes.
  - View the Tag Details page to gain further insight into the tags associated with your
    assets.

Tenable Vulnerability Management Licenses


This topic breaks down the licensing process for Tenable Vulnerability Management as a standalone
product. It also explains how assets are counted, lists add-on components you can purchase,
explains how licenses are reclaimed, and notes plugins whose output is excluded from your license
count.

Licensing Tenable Vulnerability Management


To use Tenable Vulnerability Management, you purchase licenses based on your organizational
needs and environmental details. Tenable Vulnerability Management then assigns those licenses to
your assets: assessed resources from the past 90 days, either identified on scans or imported with
vulnerabilities (for example, servers, storage devices, network devices, virtual machines, or
containers).

When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.

Tip: To view your current license count and available assets, in the Tenable top navigation bar, click
and then click License Information. To learn more, see License Information Page.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more,
contact your Tenable representative.

How Assets Are Counted


When Tenable Vulnerability Management scans an asset, it compares it to previously discovered
assets. In general, if the new asset does not match a previously discovered asset and has been
assessed for vulnerabilities, it counts towards your license.

Tenable Vulnerability Management uses a complex algorithm to identify new assets without creating
duplicates. The algorithm looks at the asset’s BIOS UUID, MAC address, NetBIOS name, fully
qualified domain name (FQDN), and more. Authenticated scanners or agents also assign a Tenable
UUID to each asset to mark it as unique. For more information, see the Tenable Vulnerability
Management FAQ.

The following table describes when assets count towards your license.

Counted Towards Your License:

- An asset identified by an active scan.
- An asset identified by an agent scan.
- An asset import containing vulnerabilities (for example, a scan result from Tenable
  Nessus Professional).
- Host and Tenable Web App Scanning asset types, if the last licensed scan was
  within the past 90 days.
- An asset identified by a scan with plugin debugging enabled. To prevent such
  assets from counting against your license, delete them.

Not Counted Towards Your License:

- A scan configured with the Host Discovery template or configured to use
  only the discovery plugins.
- An asset import containing no vulnerabilities (for example, ServiceNow data).
- A linked instance of Tenable Network Monitor running in discovery mode.
- A discovery-only connector, until and unless the asset is scanned for
  vulnerabilities. Scanned Mobile Device Management assets.
- Some plugin output, as described in Excluded Plugin Output.

Tenable Vulnerability Management Components


You can customize Tenable Vulnerability Management for your use case by adding components.
Some components are add-ons that you purchase.

Included with Purchase:

- Unlimited Tenable Nessus scanners.
- Unlimited Tenable Agents.
- Unlimited Tenable Network Monitors with vulnerability detection.
- Access to the Tenable Vulnerability Management API.

Add-on Component:

- Tenable PCI ASV.
- Tenable Attack Surface Management.

Reclaiming Licenses
When you purchase licenses, your total license count is static for the length of your contract unless
you purchase more licenses. However, Tenable Vulnerability Management reclaims licenses under
some conditions—and then reassigns them to new assets so that you do not run out of licenses.

The following table explains how Tenable Vulnerability Management reclaims licenses.

Asset Type | License Reclamation Process
Deleted assets | Tenable Vulnerability Management removes deleted assets from the Assets workbench and reclaims their licenses within 24 hours.
Aged out assets | In Settings > Sensors > Networks, if you enable Asset Age Out, Tenable Vulnerability Management reclaims assets after they have not been scanned for a period you specify.
Assets from connectors | Tenable Vulnerability Management reclaims assets from connectors the day after they are terminated. You can observe this event in each connector.
All other assets | Tenable Vulnerability Management reclaims all other assets—such as those imported from other products or assets with no age-out setting—after they have not been scanned for 90 days.

Exceeding the License Limit


To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated
threats, Tenable licenses are elastic. However, when you scan more assets than you have licensed,
Tenable clearly communicates the overage and then reduces functionality in three stages.

Scenario | Result
You scan more assets than are licensed for three consecutive days. | A message appears in Tenable Vulnerability Management.
You scan more assets than are licensed for 15+ days. | A message and warning about reduced functionality appear in Tenable Vulnerability Management.
You scan more assets than are licensed for 30+ days. | A message appears in Tenable Vulnerability Management; scan and export features are disabled.

Tip: Improper scan hygiene or product misconfigurations can cause scan overages, which result in inflated
asset counts. To learn more, see Scan Best Practices.

Expired Licenses
The Tenable Vulnerability Management licenses you purchase are valid for the length of your
contract. 30 days before your license expires, a warning appears in the user interface. During this
renewal period, work with your Tenable representative to add or remove products or change your
license count.

After your license expires, you can no longer sign in to the Tenable platform.

Excluded Plugin Output


The plugins listed in this section do not count towards your license limit.

Note: Plugin IDs are static, but Tenable products may sometimes update plugin names. For the latest
information on plugins, see Tenable Plugins.

Tenable Nessus Plugins in Discovery Settings


Configure the following Tenable Nessus plugins in Discovery Settings. These plugins do not count
towards your license.

Tenable Nessus Plugin ID | Plugin Name
10180 | Ping the remote host
10335 | Nessus TCP scanner
11219 | Nessus SYN scanner
14274 | Nessus SNMP Scanner
14272 | Netstat Portscanner (SSH)
34220 | Netstat Portscanner (WMI)
34277 | Nessus UDP Scanner

Tenable Nessus Plugins on the Plugins Page


Configure the following Tenable Nessus plugins on the Plugins page. These plugins do not count
towards your license.

Tenable Nessus Plugin ID | Plugin Name
45590 | Common Platform Enumeration (CPE)
54615 | Device Type
12053 | Host Fully Qualified Domain Name (FQDN)
11936 | OS Identification
10287 | Traceroute Information
22964 | Service Detection
11933 | Do not scan printers
87413 | Host Tagging
19506 | Nessus Scan Information
33812 | Port scanners settings
33813 | Port scanner dependency
209654 | OS Fingerprints Detected
204872 | Integration Status

Tenable Network Monitor Plugins


The following Tenable Network Monitor plugins do not count towards your license.

Tenable Network Monitor Plugin ID | Plugin Name
0 | Open Ports
12 | Host TTL discovered
18 | Generic Protocol Detection
19 | VLAN ID Detection
20 | Generic IPv6 Tunnel Traffic Detection
113 | VXLAN ID Detection
132 | Host Attribute Enumeration

System Requirements

Display Settings
Minimum screen resolution: 1440 x 1024

Supported Browsers
Tenable Vulnerability Management supports the latest versions of the following browsers.

Note: Before reporting issues with Tenable Vulnerability Management, ensure your browser is up to date.

- Google Chrome
- Apple Safari
- Mozilla Firefox
- Microsoft Edge

Note: Tenable Vulnerability Management is not supported on mobile browsers.

Sensor Connection Requirements


Tenable Vulnerability Management requires access to specific addresses and ports for inbound and
outbound traffic with Tenable Nessus scanners, Tenable Agents, and Tenable Sensor Proxy:

- 162.159.129.83/32
- 162.159.130.83/32
- 162.159.140.26/32
- 172.66.0.26/32
- 2606:4700:7::1a
- 2a06:98c1:58::1a
- 2606:4700:7::a29f:8153
- 2606:4700:7::a29f:8253
- *.cloud.tenable.com with the wildcard character (*) to allow cloud.tenable.com and all
  subdomains, such as sensor.cloud.tenable.com

Tip: For information about the port requirements for Tenable Security Center, Tenable Nessus
scanners, and Tenable Agents, see the following topics:
- Tenable Security Center Port Requirements
- Tenable Nessus Port Requirements
- Tenable Agent Port Requirements
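To audit an egress firewall or proxy allowlist against the Sensor Connection Requirements list, the following added example (not Tenable code) checks whether a destination is on the documented list and which documented entries an allowlist fails to cover. The function names and the sample rules are constructed for illustration; hostnames are matched on label boundaries so look-alike domains do not pass.

```python
import ipaddress

# Entries copied from the Sensor Connection Requirements list on this page.
DOCUMENTED_ADDRESSES = [
    "162.159.129.83/32",
    "162.159.130.83/32",
    "162.159.140.26/32",
    "172.66.0.26/32",
    "2606:4700:7::1a",
    "2a06:98c1:58::1a",
    "2606:4700:7::a29f:8153",
    "2606:4700:7::a29f:8253",
]
DOCUMENTED_WILDCARD = "*.cloud.tenable.com"
BASE_DOMAIN = DOCUMENTED_WILDCARD[2:]  # "cloud.tenable.com"

# Constructed sample allowlist: a broad IPv4 CIDR, one single IP, the wildcard.
SAMPLE_RULES = ["162.159.0.0/16", "172.66.0.26", "*.cloud.tenable.com"]


def is_documented_destination(dest):
    """True if an IP address or hostname seen in egress logs is on the list."""
    dest = dest.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Hostname: accept the base domain or a subdomain on a label boundary,
        # so "evilcloud.tenable.com" and "cloud.tenable.com.example.net" fail.
        return dest == BASE_DOMAIN or dest.endswith("." + BASE_DOMAIN)
    return any(addr in ipaddress.ip_network(n) for n in DOCUMENTED_ADDRESSES)


def missing_from_allowlist(rules):
    """Return the documented entries that an allowlist does not cover.

    `rules` holds CIDR strings, single IPs, or hostname patterns. A broader
    CIDR covers a documented address; only the wildcard pattern itself is
    treated as covering the documented wildcard.
    """
    networks, hosts = [], set()
    for rule in rules:
        rule = rule.strip().lower()
        try:
            networks.append(ipaddress.ip_network(rule, strict=False))
        except ValueError:
            hosts.add(rule.rstrip("."))

    missing = []
    for entry in DOCUMENTED_ADDRESSES:
        doc_net = ipaddress.ip_network(entry)
        covered = any(
            net.version == doc_net.version and doc_net.subnet_of(net)
            for net in networks
        )
        if not covered:
            missing.append(entry)
    if DOCUMENTED_WILDCARD not in hosts:
        missing.append(DOCUMENTED_WILDCARD)
    return missing


if __name__ == "__main__":
    for entry in missing_from_allowlist(SAMPLE_RULES):
        print("not covered:", entry)
```

With the constructed sample rules, the four IPv6 addresses are reported as not covered, which is the usual gap when an allowlist was written for IPv4 only.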

Log in to Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Note: If you bookmark a Tenable Vulnerability Management page within your browser, you must still log in
before accessing the bookmarked page.
In some cases, you may also need to navigate through the Workspace page and navigate to the Tenable
Vulnerability Management application before accessing the bookmarked page.

Before you begin:

- Obtain credentials for your Tenable Vulnerability Management user account.

  Note: If you are an administrator logging in to your Tenable Vulnerability Management instance for
  the first time, Tenable provides your first-time credentials during setup. After you log in for the first
  time, you can set your new password. If you are logging in to Tenable Vulnerability Management
  after initial setup, your username is the email address you used to register for your Tenable
  Vulnerability Management account.

- Review the System Requirements in the General Requirements User Guide and confirm that
  your computer and browser meet the requirements.

Note: If your account is configured to use SAML, you can log in to Tenable Vulnerability Management
directly through your SAML provider. For more information, see SAML.

To log in to Tenable Vulnerability Management:

1. In a supported browser, navigate to https://cloud.tenable.com.

The Tenable Vulnerability Management login page appears.

2. In the username box, type your Tenable Vulnerability Management username.

3. In the password box, type the Tenable Vulnerability Management password you created
during registration.

4. (Optional) To retain your username for later sessions, select the Remember Me check box.

5. Click Sign In.

The Workspace page appears.

Note: Tenable Vulnerability Management logs you out after a period of inactivity (typically, 30
minutes).

CVSS vs. VPR


Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the
Vulnerabilities by Plugin page), the metrics represent the highest value assigned or calculated
for a vulnerability associated with the plugin.
For Tenable Lumin-specific information about VPR and the other Tenable Lumin metrics, see
Tenable Lumin Metrics.

CVSS
Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values
retrieved from the National Vulnerability Database (NVD) to describe risk associated with
vulnerabilities. CVSS scores power a vulnerability's Severity and Risk Factor values.

Note: If a vulnerability's related plugin has CVSS vectors, the Risk Factor is calculated based on the
CVSSv2 vector and equates to the CVSSv2 score Severity. If a plugin does not have CVSS vectors,
Tenable independently calculates the Risk Factor.

Tenable Vulnerability Management imports a CVSS score every time a scan sees a vulnerability.

CVSS-Based Severity

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

Tenable Vulnerability Management analysis pages provide summary information about
vulnerabilities using the following CVSS categories. For more information about the icons used for
each severity, see Vulnerability Severity Indicators.

Severity | CVSSv2 Range | CVSSv3 Range | CVSSv4 Range
Critical | The plugin's highest vulnerability CVSSv2 score is 10.0. | The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0. | The plugin's highest vulnerability CVSSv4 score is between 9.0 and 10.0.
High | The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9. | The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9. | The plugin's highest vulnerability CVSSv4 score is between 7.0 and 8.9.
Medium | The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9. | The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9. | The plugin's highest vulnerability CVSSv4 score is between 4.0 and 6.9.
Low | The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9. | The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9. | The plugin's highest vulnerability CVSSv4 score is between 0.1 and 3.9.
Info | The plugin's highest vulnerability CVSSv2 score is 0, or the plugin does not search for vulnerabilities. | The plugin's highest vulnerability CVSSv3 score is 0, or the plugin does not search for vulnerabilities. | The plugin's highest vulnerability CVSSv4 score is 0, or the plugin does not search for vulnerabilities.

CVSS-Based Risk Factor

For each plugin, Tenable interprets CVSS scores for the vulnerabilities associated with the plugin
and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The Vulnerability
Details page shows the highest risk factor value for all the plugins associated with a vulnerability.

Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS
scores. In these cases, Tenable determines the risk factor based on vendor advisories.

Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a
custom risk factor based on information provided in related security advisories.

Vulnerability Priority Rating

Video: Vulnerability Priority Rating in Tenable Vulnerability Management

Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category | VPR Range
Critical | 9.0 to 10.0
High | 7.0 to 8.9
Medium | 4.0 to 6.9
Low | 0.1 to 3.9

Note: Vulnerabilities without CVEs (for example, many vulnerabilities with the Info severity) do not receive
a VPR. Tenable recommends remediating these vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Vulnerability Management provides a VPR value the first time you scan a vulnerability on
your network. Then, Tenable Vulnerability Management automatically provides new and updated
VPR values daily.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:

- The Tenable-provided Vulnerability Management Overview dashboard
- The Explore Findings page
- The Vulnerabilities by Plugin page

VPR Key Drivers

Some key drivers that you can view to explain a vulnerability's VPR include, but are not limited to:

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver | Description
Age of Vuln | The number of days since the National Vulnerability Database (NVD) published the vulnerability.
CVSSv3 Impact Score | The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.
Exploit Code Maturity | The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
Product Coverage | The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
Threat Sources | A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
Threat Intensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
Threat Recency | The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

- An exploit of the vulnerability
- A posting of the vulnerability exploit code in a public repository
- A discussion of the vulnerability in mainstream media
- Security research about the vulnerability
- A discussion of the vulnerability on social media channels
- A discussion of the vulnerability on the dark web and underground
- A discussion of the vulnerability on hacker forums

Vulnerability Severity Indicators


Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Configure Your Severity Metric.

The Tenable Vulnerability Management interface uses different icons for each severity category and
accepted or recasted status.

Icon Category And

Critical You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Critical.

High You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to High.

Medium You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Medium.

Low You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Low.

Info You have not accepted or recasted the risk.

You accepted the risk.

You recasted the severity to Info.

Vulnerability Mitigation
Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed.
When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability
remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the Fixed
category.

Active Vulnerabilities
Active vulnerabilities are any vulnerabilities in the New, Active, or Resurfaced states. For more
information, see Vulnerability States.

Fixed Vulnerabilities
The Fixed category contains vulnerabilities that Tenable Vulnerability Management determines are
not vulnerable, based on the scan definition, the results of the scan, and authentication information.
To be considered for mitigation, a vulnerability must be active and successfully authenticated.

A vulnerability is mitigated when:

- The vulnerability's IP address or another combination of identifying attributes (IAs) is on the
  scan's target list. For more information on IAs, see the Tenable Community.

- The vulnerability's plugin ID is listed in the scan policy.

- The vulnerability's port is on the list of scanned port ranges, and the remote port is found open.

- A vulnerability with that combination of IP address, port, protocol, and plugin ID is not listed in
  the scan results.

Mitigation Exceptions
Note the following exceptions for vulnerability mitigation:

- Vulnerabilities identified during a thorough scan by a plugin with the thorough_tests attribute
  can only be mitigated by another thorough scan.

- Vulnerabilities identified during a paranoid scan by a plugin with the requires_paranoid_scanning
  attribute can only be mitigated by another paranoid scan.

- Vulnerabilities discovered by a local or combined plugin reported on port 0 or 445 via a
  credential scan can only be mitigated by another credential scan.

- The list of scanned ports can be expanded to “all” ports when one of the following plugins
  triggered the host: 14272 (SSH netstat), 34220 (WMI netstat), 14274 (SNMP).

- Agent scans cannot mitigate vulnerabilities discovered by a combined type plugin reported on
  a remote port (not 0/445).
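The mitigation conditions and exceptions above combine into one decision per finding and scan, which helps explain why a patched finding stays Active after a scan. The following added example (not Tenable's implementation) checks the exceptions first and then the four conditions; the `Finding` and `Scan` classes, their field names, the reason strings, plugin IDs 90001 to 90003 and host 192.0.2.10 are constructed for illustration.

```python
from dataclasses import dataclass

# Plugins the page names as expanding the scanned port list to all ports.
PORT_ENUMERATORS = {14272, 34220, 14274}  # SSH netstat, WMI netstat, SNMP


@dataclass(frozen=True)
class Finding:
    """A currently active finding (hypothetical model, not a Tenable schema)."""
    ip: str
    port: int
    protocol: str
    plugin_id: int
    plugin_type: str = "remote"        # "remote", "local" or "combined"
    thorough_tests: bool = False       # plugin carries thorough_tests
    requires_paranoid: bool = False    # plugin carries requires_paranoid_scanning
    found_thorough: bool = False       # identified during a thorough scan
    found_paranoid: bool = False       # identified during a paranoid scan
    found_credentialed: bool = False   # identified via a credential scan


@dataclass
class Scan:
    """What a later scan covered and reported (hypothetical model)."""
    targets: set
    policy_plugins: set
    port_ranges: list                  # [(low, high), ...]
    open_ports: dict                   # ip -> set of ports found open
    results: set                       # {(ip, port, protocol, plugin_id), ...}
    thorough: bool = False
    paranoid: bool = False
    credentialed: bool = False
    agent: bool = False


def mitigation_verdict(f, s):
    """Return (mitigated, reason) for finding f against scan s."""
    local_port = f.port in (0, 445)
    # Mitigation exceptions: the scan must be of the same kind as the one
    # that identified the finding.
    if f.thorough_tests and f.found_thorough and not s.thorough:
        return False, "needs another thorough scan"
    if f.requires_paranoid and f.found_paranoid and not s.paranoid:
        return False, "needs another paranoid scan"
    if (f.plugin_type in ("local", "combined") and local_port
            and f.found_credentialed and not s.credentialed):
        return False, "needs another credential scan"
    if s.agent and f.plugin_type == "combined" and not local_port:
        return False, "agent scan cannot mitigate a combined plugin on a remote port"

    # The four mitigation conditions.
    if f.ip not in s.targets:
        return False, "host not on the scan target list"
    if f.plugin_id not in s.policy_plugins:
        return False, "plugin not in the scan policy"
    triggered = {pid for (ip, _port, _proto, pid) in s.results if ip == f.ip}
    ranges = [(0, 65535)] if triggered & PORT_ENUMERATORS else s.port_ranges
    if not any(low <= f.port <= high for low, high in ranges):
        return False, "port not in scanned ranges"
    if f.port not in s.open_ports.get(f.ip, set()):
        return False, "port not found open"
    if (f.ip, f.port, f.protocol, f.plugin_id) in s.results:
        return False, "still detected"
    return True, "mitigated"


if __name__ == "__main__":
    host = "192.0.2.10"  # constructed sample data
    finding = Finding(host, 8443, "tcp", 90001)
    scan = Scan(targets={host}, policy_plugins={90001}, port_ranges=[(1, 1024)],
                open_ports={host: {22, 8443}}, results=set())
    print(mitigation_verdict(finding, scan))
```

In the sample, port 8443 lies outside the scanned range 1 to 1024, so the finding is not mitigated until a port-enumerating plugin (14272, 34220 or 14274) reports on the host or the range is widened.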

Vulnerability States
Tenable assigns a state to vulnerabilities detected on your network. You can track and filter by
vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time. To
filter for vulnerabilities by their state, use the Findings workbench.

Vulnerability State | Description
New | Indicates that Tenable Vulnerability Management detected the vulnerability once.
Active | Indicates that Tenable Vulnerability Management detected the vulnerability more than once. Note: When you filter for Active vulnerabilities, Tenable Vulnerability Management also returns New vulnerabilities. For filtering purposes, New is a subcategory of Active.
Fixed | Indicates that Tenable Vulnerability Management detected the vulnerability on a host, but no longer detects it. Note: To view Fixed vulnerabilities by date range, use the Last Fixed filter.
Resurfaced | Indicates that Tenable Vulnerability Management previously marked the vulnerability as Fixed, but has detected it again. When a vulnerability is Resurfaced, it remains in this state until a scan identifies the vulnerability as remediated. Then, the vulnerability returns to Fixed.

Note: The API uses different terms for vulnerability states than the user interface. In the API, the new and
active states are both labeled as open. The resurfaced state is labeled as reopened. The fixed state is the
same.
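The state descriptions and the API note above amount to a small state machine, shown here as an added example (not Tenable code) that replays per-scan detection results and translates user interface states to the API labels. It assumes every scan in the sequence is able to mitigate the finding (see Vulnerability Mitigation) and that the API writes the fixed label in lowercase like the other two; the function names and the sample sequence are constructed.

```python
# User interface state -> API label, per the note above.
UI_TO_API = {
    "New": "open",
    "Active": "open",
    "Resurfaced": "reopened",
    "Fixed": "fixed",  # lowercase is an assumption; the page says "the same"
}


def next_state(current, detected):
    """Advance one scan. `current` is None before the first detection."""
    if detected:
        if current is None:
            return "New"            # detected once
        if current in ("New", "Active"):
            return "Active"         # detected more than once
        return "Resurfaced"         # was Fixed (or still Resurfaced) and seen again
    if current is None:
        return None                 # never detected, nothing to track
    return "Fixed"                  # previously detected, no longer detected


def replay(detections):
    """Return the state after each scan for a list of True/False detections."""
    state, history = None, []
    for detected in detections:
        state = next_state(state, detected)
        history.append(state)
    return history


def matches_ui_filter(state, wanted):
    """Apply a state filter; filtering for Active also returns New."""
    if wanted == "Active":
        return state in ("New", "Active")
    return state == wanted


def ui_candidates(api_state):
    """API labels are lossy: list the UI states one API label can stand for."""
    return sorted(ui for ui, api in UI_TO_API.items() if api == api_state)


if __name__ == "__main__":
    # Constructed sequence: seen twice, remediated, regressed twice, remediated.
    timeline = replay([True, True, False, True, True, False])
    for ui_state in timeline:
        print(f"{ui_state:<11} API: {UI_TO_API[ui_state]}")
```

Because `open` covers both New and Active, a report built from API exports cannot separate first-time detections by state alone.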

Log Out of Tenable Vulnerability Management

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To log out of Tenable Vulnerability Management:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Click Sign Out.

Navigate Tenable Vulnerability Management


Tenable Vulnerability Management includes several helpful shortcuts and tools that highlight
important information and help you to navigate the user interface more efficiently:

Quick Actions Menu

The quick actions menu displays a list of the most commonly performed actions.

To access the quick actions menu:

1. In the upper-right corner, click the Quick Actions button.

The quick actions menu appears.

2. Click a link to begin one of the listed actions.

Resource Center

The Resource Center displays a list of informational resources including product announcements,
Tenable blog posts, and user guide documentation.

To access the Resource Center:

1. In the upper-right corner, click the button.

The Resource Center menu appears.

2. Click a resource link to navigate to that resource.

Notifications

In Tenable Vulnerability Management, the Notifications panel displays a list of system notifications.
The button shows the current number of unseen notifications. When you open the Notifications
panel, Tenable Vulnerability Management marks those notifications as seen. Once you have seen a
notification, you can clear it to remove it from the Notifications panel.

Note: Tenable Vulnerability Management groups similar notifications together.

To view notifications:

- In the upper-right corner, click the button.

  The Notifications panel appears and displays a list of system notifications.

  In the Notifications panel, you can do the following:

    - To clear one notification, next to the notification, click the button.
    - To expand a group of notifications, at the bottom of the grouped notification, click More
      Notifications.
    - To collapse an expanded group of notifications, at the top of the expanded notifications,
      click Show Less.
    - To clear an expanded group of notifications, at the top of the expanded notifications, click
      Clear Group.
    - To clear all notifications, at the bottom of the panel, click Clear All.

Settings

Click the button to navigate directly to the Settings page, where you can configure your system
settings.

Note: For more information, see Settings within the Tenable Vulnerability Management User Guide.

Workspace

When you log in to Tenable, the Workspace page appears by default. On the Workspace page, you
can switch between your Tenable applications or set a default application to skip the Workspace
page in the future. You can also switch between your applications from the Workspace menu, which
appears in the top navigation bar.

Important: Tenable disables application tiles for expired applications. Tenable removes expired application
tiles from the Workspace page and menu 30 days after expiration.

Open the Workspace Menu


To open the Workspace menu:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. Click an application tile to open it.

View the Workspace Page


To view the Workspace page:

1. From any Tenable application, in the upper-right corner, click the button.

The Workspace menu appears.

2. In the Workspace menu, click Workspaces.

The Workspace page appears.

On the Workspace page, you can do the following:

- Where applicable, at the bottom of a tile, view the percentage of your license utilization for the
  application. Click See More to navigate directly to the License Information page for the
  selected application.

Tip: For more information on how Tenable licenses work and how assets or resources are licensed in
each product, see Licensing Tenable Products.

- Set a default application:

When you log in to Tenable, the Workspace page appears by default. However, you can set a
default application to skip the Workspace page in the future.

By default, users with the Administrator, Scan Manager, Scan Operator, Standard, and Basic roles
can set a default application. If you have another role, contact your administrator and request the
Manage permission under My Account. For more information, see Custom Roles.

To set a default login application:

1. In the top-right corner of the application to choose, click the button.

A menu appears.

2. In the menu, click Make Default Login Page.

This application now appears when you log in.

- Remove a Default Application:

To remove a default login application:

1. In the top-right corner of the application to remove, click the button.

A menu appears.

2. Click Remove Default Login Page.

The Workspace page now appears when you log in.

- Request Access to a Tenable application:
Some applications, like Tenable Identity Exposure, require you to request access to the
application. You can do this directly via the Workspace page.

To request access to a Tenable application:

1. In the lower-right corner of the tile, click Request.

You navigate directly to the request page for the selected application.

User Account Menu

The user account menu provides several quick actions for your user account.

To access the user account menu:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Do one of the following:

- Click My Profile to configure your own user account. You navigate directly to the My
  Account settings page. See My Account for more information.

- Click Sign out to sign out of Tenable Vulnerability Management.

- Click What's new to navigate directly to the Tenable Vulnerability Management Release
  Notes.

- Click View Documentation to navigate directly to the Tenable Vulnerability Management
  User Guide documentation.

For additional information about navigating the Tenable Vulnerability Management interface, see the
following topics:

My Account

Breadcrumbs

Planes

Tables

Query Builder

Saved Queries

Export Findings or Assets

My Account
From the My Account page, you can make changes to your own user account.

To access the My Account page:

1. In the upper-right corner, click the blue user circle.

The user account menu appears.

2. Click My Profile.

The My Account page appears.

View Your Account Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the My Account page, you can view details about your account, including your login
details, user role, and the groups and permissions assigned to you.

To view your account details:

1. Access the My Account page.

2. On the left side of the page, you can select from the following:

Option: Update Account

Action:

- Click Update Account.

  The Update Account section appears, showing the following details for your account:
    - Full Name
    - Email
    - Username
    - Role

- (Optional) Update your basic account information, including name and email address.

  Note: You cannot change your username or role.

- (Optional) Change your password.

- (Optional) Configure or disable two-factor authentication on your account.

- (Optional) Enable or disable Explore beta features on your account.

Option: Groups

Action:

- Click Groups.

  Note: You cannot change your groups settings on the My Account page. For more
  information, see User Groups.

- In the Groups table, view:
    - The user groups you are assigned to.
    - The number of members in each user group.

Option: Permissions

Action:

- Click Permissions.

  Note: Permissions, when applied to a user, allow that user to perform certain actions
  on specified asset tags (i.e., objects) and the assets to which those objects apply.
  Permissions can be applied to individual users or to all members of a user group. For
  more information, see Permissions.

  Note: You cannot change your permissions settings on the My Account page.

- In the Permissions table, view:
    - The names of the permissions assigned to your account.
    - The actions those permissions allow you to perform.
    - The objects each permission applies to.

Option: API Keys

Action:

- Click API Keys.

- View a description of API keys.

- Generate API Keys.

  Caution: Any existing API keys are replaced when you click the Generate button. You
  must update the applications where the previous API keys were used.

  Caution: Be sure to copy the access and secret keys before you close the API Keys tab.
  After you close this tab, you cannot retrieve the keys from Tenable Vulnerability
  Management.

Note: User accounts expire according to when the Tenable Vulnerability Management container they
belong to was created. Tenable controls this setting directly. For more information, contact Tenable
Support.

Update Your Account

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

To update your account:

1. Access the My Account page.

2. (Optional) Edit your Name.

3. (Optional) Edit your Email.

A valid email address must be in the format:

name@domain

where domain corresponds to a domain approved for your Tenable Vulnerability Management
instance.

This email address overrides the email address set as your Username. If you leave this option
empty, Tenable Vulnerability Management uses the Username value as your email address.

Note: During initial setup, Tenable configures approved domains for your Tenable Vulnerability
Management instance. To add domains to your instance, contact Tenable Support.

4. Click Save.

Tenable Vulnerability Management saves the changes to the account.

5. (Optional) Change your password.

6. (Optional) Configure two-factor authentication.

7. (Optional) Generate an API key.

Change Your Password

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

You can change the password for your own account as any type of user. The method of changing
your password varies slightly based on the role assigned to your user account.

To change another user's password, see Change Another User's Password.

To change your password:

1. Access the My Account page.

2. In the Current Password box, type your current password.

3. In the New Password box, type a new password. See Tenable Vulnerability Management
Password Requirements for more information.

4. Click the Save button.

Tenable Vulnerability Management saves the new password and terminates any currently
active sessions for your account. Tenable Vulnerability Management then prompts you to re-
authenticate.

5. Log in to Tenable Vulnerability Management using your new password.

Configure Two-Factor Authentication

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see
the Tenable FedRAMP Product Offering.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

On the My Account page, you can configure two-factor authentication for your account.

Tip: Administrators can also enforce two-factor authentication for other accounts when creating or editing a
user account.

Note: Before configuring two-factor authentication, check the International Phone Availability list to ensure you
are able to receive text messages from Tenable Vulnerability Management.

To add or modify two-factor authentication:

1. Access the My Account page.

2. In the Enable Two Factor Authentication section, do one of the following:

• To enable SMS two factor authentication:

a. Click Enable SMS Two Factor Authentication.

The Two-Factor Setup plane appears.

b. In the Current Password box, type your Tenable Vulnerability Management
password.

c. In the Phone Number box, type your mobile phone number.

Note: By default, Tenable Vulnerability Management treats mobile numbers as U.S.
numbers and prepends the +1 country code. If your mobile phone number is a non-U.S.
number, be sure to prepend the appropriate country code.

d. Click Next.

The Verification Code plane appears and Tenable Vulnerability Management
sends a text message with a verification code to the phone number.

e. In the Verification Code box, type the verification code you received.

f. Click Next.

A Two-Factor Setup Successful message appears and Tenable Vulnerability
Management applies your settings to your Tenable Vulnerability Management
account.

g. (Optional) To configure whether Tenable Vulnerability Management sends a
verification code to the email associated with your user account:

  a. Select or clear the Send backup email check box.

  b. Click Update.

  Tenable Vulnerability Management updates your backup email settings.

Note: Once you save the phone number for this configuration, you cannot edit or change the
phone number. You must configure a new authentication setup for any additional phone
numbers you want to use.

• To enable authenticator application based authentication:

a. Click Enable Authenticator App.

The Two-Factor Setup plane appears.

b. In the Current Password box, type your Tenable Vulnerability Management
password.

c. Click Next.

The Time-based One-Time Password plane appears.

d. In the authenticator application of your choice, scan the QR code.

In the authenticator application, a Tenable Vulnerability Management verification
code appears.

e. In the Verification Code box, type the code provided by your authenticator
application.

Note: If you do not type the correct verification code, Tenable Vulnerability Management
locks the QR code. Delete the setup from your authenticator application and scan a new
QR code.

f. Click Next.

A Two-Factor Setup Successful message appears and Tenable Vulnerability
Management applies your settings to your Tenable Vulnerability Management
account.

To disable two-factor authentication in the new interface:


1. Do one of the following:

• In the upper-left corner, click the button.

The left navigation plane appears.

a. In the left navigation plane, click Settings.

The Settings page appears.

b. Click the My Account tile.

The My Account page appears, where you can view and update your account
details.

• In the upper-right corner, click the blue user circle.

The user account menu appears.

a. Click My Profile.

The My Account page appears.

2. In the Change Password section, in the Current Password box, type your current password.

3. In the Enable Two Factor Authentication section, click Disable.

A Disable Two-Factor confirmation message appears.

4. Read the warning message, then click Continue.

Tenable Vulnerability Management disables two-factor authentication for your account.

Generate API Keys

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed.

Note: Tenable Vulnerability Management API access and secret keys are required to authenticate with the
Tenable Vulnerability Management API.

Note: The API keys associated with your user account enable you to access the API for all Tenable
Vulnerability Management products for which your organization is licensed. You cannot set separate keys
for individual products. For example, if you generate API keys in Tenable Vulnerability Management, this
action also changes the API keys for Tenable Web App Scanning and Tenable Container Security.

Note: Be sure to use one API key per application. Examples include, but are not limited to:
• Tenable Vulnerability Management integration
• Third-party integration
• Other custom applications, including those from Tenable Professional Services

The method to generate API keys varies depending on the role assigned to your user account.
Administrators can generate API keys for any user account. For more information, see Generate
Another User's API Keys. Other roles can generate API keys for their own account.

To generate API keys for your own account:

1. Access the My Account page.

2. Click the API Keys tab.

The API Keys section appears.

3. Click Generate.

The Generate API Keys window appears with a warning.

Caution: Any existing API keys are replaced when you click the Generate button. You must update
the applications where the previous API keys were used.

4. Review the warning and click Generate.

Tenable Vulnerability Management generates new access and secret keys, and displays the
new keys in the Custom API Keys section of the page.

Tip: If the Generate button is inactive, contact your administrator to ensure they've enabled
API access for your account. For more information, see Edit a User Account.

5. Copy the new access and secret keys to a safe location.

Caution: Be sure to copy the access and secret keys before you close the API Keys tab. After you
close this tab, you cannot retrieve the keys from Tenable Vulnerability Management.

Unlock Your Account

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Basic, Scan Operator, Standard, Scan Manager, or
Administrator

Tenable Vulnerability Management locks you out if you attempt to log in and fail 5 consecutive times.

Note: If you no longer have access to the email address specified in your account, an administrator for your
Tenable Vulnerability Management instance can reset your password instead. If you are unsure which email
address to use, contact your Tenable representative.

Note: A user can be locked out of the user interface but still submit API requests if they are assigned the
appropriate authorizations (api_permitted). For more information, see the Tenable Developer Portal.

To unlock your account:

1. On the Tenable Vulnerability Management login page, click the Forgot your password? link.

The password reset page appears.

2. In the Username box, enter your Tenable Vulnerability Management username.

3. Where applicable, respond to the CAPTCHA security challenge.

4. Click Send.

Tenable Vulnerability Management sends password recovery instructions to the email address
specified in your user account.

5. Reset your password using the instructions in the email message. See Password
Requirements for more information.

Breadcrumbs

In the Tenable Vulnerability Management interface, certain pages display breadcrumbs in the top
navigation bar. From left to right, the breadcrumbs show the path of pages you visited to reach your
current page:

To navigate breadcrumbs:
• In the top navigation bar, click a link in the breadcrumb trail to return to a previous page.

Planes
Tenable Vulnerability Management combines fixed pages with overlapping planes.

To navigate planes in the new interface:

1. Access a plane using one of the following methods:

• Click a widget on a dashboard.

• Use the left navigation plane as follows:

a. In the upper-left corner, click the button.

The left navigation plane appears.

b. In the left navigation plane, click a menu option.

With the exception of the left navigation plane, planes open from the right side of the screen.

2. Manipulate a plane using the following buttons at the left edge of the plane:

Short Name        Action

expand            Expand a plane. Some planes can expand to full screen.

retract           Retract an expanded plane to its default size.

close             Close a plane.

expand preview    Expand a preview plane.

retract preview   Retract an expanded plane to the preview plane.

3. Return to a previous plane or page (and close a new plane or planes) by clicking the previous
plane.

Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Tenable Vulnerability Management Workbench Tables


Tenable Vulnerability Management Workbench tables are any tables in the Tenable Vulnerability
Management interface outside of the Explore section. These tables feature search and navigational
capabilities. They also include the ability to drag and drop columns in any order, change column
width, and sort the data in multiple columns at one time. For more information, see Tenable
Vulnerability Management Workbench Tables.

Explore Tables
Explore tables are any tables within the Explore section in the Tenable Vulnerability Management
user interface. They include many of the features of Tenable Vulnerability Management Workbench
tables, but include additional customization and filtering capabilities. For more information, see
Explore Tables.

Use Tables
In Tenable Vulnerability Management, you can use and interact with tables in the following ways:

Customize Table Columns

You can customize the columns in any Tenable Vulnerability Management table.

To customize table columns:

1. Above a table, click Columns.

A dialog appears.

2. In the dialog:

Action                                       Description

Add or remove a column                       Select or clear the check box next to the column.

Find a column to add                         Search for a column and select its check box.

Reorder columns                              Click and drag columns from top to bottom.

Change column width                          Hover on the separator between column headings
                                             and drag left or right.

Reset column width to default                Click Reset Column Width.

Reset all column customizations to default   Click Reset to Defaults.

Right-Click Menu

Within any table, you can right-click to access a menu with additional options.

To access the right-click menu:

1. In the table, right-click the row for which you want to view menu items.

The right-click menu appears.

The options in the menu depend on the type of table you are viewing; however, the following
options are always available:

• Copy to Clipboard — Click to copy the table value to your clipboard.

• Filter By Value — Click to automatically filter the table by rows that include the selected
value.

Note: By default, Tenable Vulnerability Management applies the AND operator to the filter. To
use the OR operator, you must use the Query Builder.

• Filter Out Value — Click to automatically filter the table by rows that do not include the
selected value.

Note: By default, Tenable Vulnerability Management applies the AND operator to the filter. To
use the OR operator, you must use the Query Builder.

Filter a Table

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

In Tenable Vulnerability Management, a Filters box appears above individual tables in various
pages and planes.

To filter a table:

1. Next to Filters, click the button.

The filter settings appear.

2. (Optional) In Tenable Vulnerability Management, to quick-select filters, click Select Filters.

A drop-down list appears.

a. In the drop-down list, search for the filter you want to apply.

The list updates based on your search criteria.

b. Select the check box next to the filter or filters you want to apply.

The selected filters appear in the filter section.

3. In the Select Category drop-down box, select an attribute.

For example, you might select Severity if filtering findings or Asset ID if filtering assets.

4. In the Select Operator drop-down box, select an operator.

Note: When using the contains or does not contain operators, use the following best
practices:
• For the most accurate and complete search results, use full words in your search
value.
• Do not use periods in your search value.
• Remember that when filtering assets, the search values are case sensitive.
• Where applicable, Tenable recommends using the contains or does not contain
instead of the is equal to or is not equal to operators.

5. In the Select Value box, do one of the following:

Value Type              Action

Text                    Type the value on which you want to filter.

                        An example of the expected input is present in the box until you start
                        typing. If what you type is invalid for the attribute, a red outline appears
                        around the text box.

Single valid value      If a default value is associated with the attribute, Tenable Vulnerability
                        Management selects the default value automatically.

                        To change the default value, or if there is not an associated default value
                        present:

                        a. Click the box to display the drop-down list.

                        b. Search for and select one of the listed values.

Multiple valid values   To select one or more values:

                        a. Click the box to display the drop-down list.

                        b. Search for and select a value.

                        The selected value appears in the box.

                        c. Repeat until you have selected all appropriate values.

                        d. Click outside the drop-down list to close it.

                        To deselect values:

                        a. Roll over the value you want to remove.

                        The button appears over the value.

                        b. Click the button.

                        The value disappears from the box.

6. (Optional) In the lower-left corner of the filter section:

• To add another filter, click the Add button.

• To clear all filters, click the Reset Filters button.

7. Click Apply.

Tenable Vulnerability Management applies your filter or filters to the table.

8. (Optional) Save your filter or filters for later use.

9. (Optional) Clear the filters you applied:

a. In the table header, click Clear All Filters.

Tenable Vulnerability Management clears all filters from the table, including saved
searches.

Note: Clearing filters does not change the date range selected in the upper-right corner of the
page. For more information, see Tables.

Explore Tables

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

The Findings and Assets workbenches use Explore tables to present your organization's data. You
can filter these tables to view specific assets or findings.

Use Filters

In Explore tables on the Findings and Assets workbenches, you can use filters to view specific
findings or assets.

Note: To optimize performance, Tenable limits the number of Findings filters that you can apply to 18 and
the number of Asset filters that you can apply to 35.

Tip: For a list of available filters, see Findings Filters or Asset Filters.

Note: When filtering findings to generate a Findings Report, you can apply a maximum of 5 filters to each
report.

To use filters in Explore tables:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Findings or Assets.

3. Do one of the following:

Filter the table in Basic mode

a. In the upper-left corner, click the button.

The filters plane expands with a list of default filters selected.

b. Click Select Filters.

The Select Filters box appears with all available filters.

c. Select the filters you want to apply.

d. Click outside the Select Filters box.

The Select Filters box closes.

e. For each filter, choose the appropriate operator and option. For example, to return
vulnerabilities with Critical Severity, select an operator of is equal to and the Critical
option, as shown in the following image:

Search operators are contextual, depending on the filter you select. For a complete
reference, see the following table:

Operator                      Description

exists                        Filters for items for which the selected filter exists.

does not exist                Filters for items for which the selected filter does not exist.

is equal to                   Filters for items that match the filter value.

is not equal to               Filters for items that do not include the filter value.

is greater than               Filters for items with a value greater than the specified filter value. If
is greater than or equal to   you want to include the value you specify in the filter, then use the is
                              greater than or equal to operator.

is less than                  Filters for items with a value less than the specified filter value. If
is less than or equal to      you want to include the value you specify in the filter, then use the is
                              less than or equal to operator.

within last                   Filters for items with a date within a number of hours, days, months,
                              or years before today. Type a number, then select a unit of time.

after                         Filters for items with a date after the specified filter value.

before                        Filters for items with a date before the specified filter value.

older than                    Filters for items with a date more than a number of hours, days,
                              months, or years before today. Type a number, then select a unit of
                              time.

is on                         Filters for items with a specified date.

between                       Filters for items with a date between two specified dates.

contains                      Filters for items that contain the specified filter value.

does not contain              Filters for items that do not contain the specified filter value.

wildcard                      Filters for items with a wildcard (*) as follows:

                              • Begin or end with – Filters for values that begin or end with
                                text you specify. For example, to find all values that begin with
                                "1", type 1*. To find all values that end in "1", type *1.

                              • Contains – Filters for values that contain text you specify. For
                                example, to find all values with a "1" between the first and last
                                characters, type *1*.

                              • Turn off case sensitivity – Filters for values without case
                                sensitivity. For example, to search for findings with a Plugin
                                Name of "TLS Version 1.2 Protocol Detection" or "tls version
                                1.2 protocol detection", type *tls version 1.2 protocol
                                detection.

f. (Optional) To remove or reset filters, do one of the following:

• To clear the values for a filter, hover on the right side of the filter and click Clear.

• To remove a filter, hover on the right side of the filter and click Remove.

• On the Findings workbench, to reset filters to the default set, at the top of the filters
plane, click Reset.

• On the Assets workbench, to remove all filters, at the top of the filters plane, click
Clear All.

g. Click Apply.

Tenable Vulnerability Management filters your data.

Filter the table in Advanced mode

a. In the upper-left corner, click Advanced.

A box appears with the current filters displayed.

b. Click inside the box.

A drop-down appears.

c. In the drop-down, select the AND or OR conditions or type them in the box.

d. In the drop-down, select a filter or type its name in the box.

e. In the drop-down, select one of the following operators or type it in the box.

Note: If you want to filter on a value that starts with (') or ("), or includes (*) or (,), then you must
wrap the value in quotation marks (").

Note: Filters can have a maximum of two nesting levels.

Operator                      Description

exists                        Filters for items for which the selected filter exists.

does not exist                Filters for items for which the selected filter does not exist.

is equal to                   Filters for items that match the filter value.

is not equal to               Filters for items that do not include the filter value.

is greater than               Filters for items with a value greater than the specified filter value. If
is greater than or equal to   you want to include the value you specify in the filter, then use the is
                              greater than or equal to operator.

is less than                  Filters for items with a value less than the specified filter value. If
is less than or equal to      you want to include the value you specify in the filter, then use the is
                              less than or equal to operator.

within last                   Filters for items with a date within a number of hours, days, months,
                              or years before today. Type a number, then select a unit of time.

after                         Filters for items with a date after the specified filter value.

before                        Filters for items with a date before the specified filter value.

older than                    Filters for items with a date more than a number of hours, days,
                              months, or years before today. Type a number, then select a unit of
                              time.

is on                         Filters for items with a specified date.

between                       Filters for items with a date between two specified dates.

contains                      Filters for items that contain the specified filter value.

does not contain              Filters for items that do not contain the specified filter value.

wildcard                      Filters for items with a wildcard (*) as follows:

                              • Begin or end with – Filters for values that begin or end with
                                text you specify. For example, to find all values that begin with
                                "1", type 1*. To find all values that end in "1", type *1.

                              • Contains – Filters for values that contain text you specify. For
                                example, to find all values with a "1" between the first and last
                                characters, type *1*.

                              • Turn off case sensitivity – Filters for values without case
                                sensitivity. For example, to search for findings with a Plugin
                                Name of "TLS Version 1.2 Protocol Detection" or "tls version
                                1.2 protocol detection", type *tls version 1.2 protocol
                                detection.

f. In the drop-down, select a filter value or type one in the box.

g. (Optional) To add or remove filters, do one of the following:

• To add multiple filters, press Space and then select another condition, operator,
filter, and value.

• To remove one filter, click the button on the right side of the filter.

• To remove all filters, on the right side of the text box, click the button.

h. Click Apply.

Tenable Vulnerability Management filters your data.

4. (Optional) Save the filters to access later or share with other team members.

Tip: Tenable Vulnerability Management runs Findings searches in the background so that you can
navigate away from the Findings page and return when a complex search is complete. You can also
Cancel a search. Finally, Tenable Vulnerability Management caches your most recent search for 30
minutes, notes the date and time in the top toolbar, and saves the state of the Findings page for your
next visit.

Use the Context Menu

In Explore tables, on the Findings and Assets workbenches, right-click any row to show a menu with
contextual options for both findings and assets. In the menu, the following options always appear.

Option                        Description

View All Details              Open the details page for the finding or asset.

View All Details in New Tab   Open the details page for the finding or asset in a new browser tab.

Copy to Clipboard             Get any value from an Explore table. For example, when creating a tag, copy
                              an operating system value from a field on the Assets workbench and paste it
                              into your tag.

Filter by Value               Filter an Explore table by any value. For example, on the Findings
                              workbench, right-click on an IPv4 address and click this option to view all
                              findings with that IPv4 address.

Filter Out Value              Remove all entries with a certain value from an Explore table. For example,
                              on the Assets workbench, right click an operating system type to filter out all
                              assets with that operating system.

Customize Explore Tables

In the Explore section, on the Findings or Assets workbenches, you can customize the table
columns.

To customize an Explore table:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, under Explore, click Findings or Assets.

3. On the right side, above the table, click Columns.

The Customize Columns dialog appears.

4. Do one of the following:

Action                                       Description

Add or remove a column                       In the Customize Columns dialog, select or clear the check
                                             box next to the column.

Find a column to add                         In the Customize Columns dialog, search for a column and
                                             select its check box.

Reorder columns                              In the Customize Columns dialog, click and drag columns
                                             from top to bottom.

Change column width                          In the Assets or Findings tables, hover on the separator
                                             between column headings and drag left or right.

Reset column width to default                In the Customize Columns dialog, click Reset Column
                                             Width.

Reset all column customizations to default   In the Customize Columns dialog, click Reset to Defaults.

Query Builder
In Tenable Vulnerability Management, you can use the Query Builder to view specific data via
queries.

Important! When you run a query using the Query Builder, it applies to all data on the page, including the
quick filters on the left side of your data table. These quick filters, on the other hand, only affect the data
within the table itself. Any filters applied on the left side of the page do not affect the Query Builder.

How Queries Work


Queries are joined by Conditions (for example, AND). They have three components:

• Filter — The search criteria (for example, for a finding, Severity).

• Operator — The condition to filter on (for example, is not equal to).

• Value — The value to search (for example, a Severity of High).

Tip: You can nest queries with parentheses. For example, to search for high-severity findings
where the VPR is greater than seven or the CVSSv3 Base Score is greater than six, use:
Severity is equal to High AND (VPR is greater than 7 OR CVSSv3 is greater than 6).
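
The nested query from the tip above, evaluated over a few constructed findings to show how the placement of parentheses changes which findings a triage query returns. This is an added example, not Tenable's code or query engine: the sample rows, the rejection of AND/OR mixed at one level without parentheses (the page does not state a precedence), and the rule that a missing attribute never matches are assumptions of this sketch.

```python
import re

# Comparison operators from the page's operator table that this sketch models.
# Longer phrases come first so "is greater than or equal to" wins over "is greater than".
OPERATORS = {
    "is greater than or equal to": lambda a, b: a >= b,
    "is less than or equal to": lambda a, b: a <= b,
    "is not equal to": lambda a, b: a != b,
    "is greater than": lambda a, b: a > b,
    "is less than": lambda a, b: a < b,
    "is equal to": lambda a, b: a == b,
}

# Constructed sample findings; attribute names follow the page's example query.
FINDINGS = [
    {"id": "F1", "Severity": "High", "VPR": 8.4, "CVSSv3": 7.5},
    {"id": "F2", "Severity": "High", "VPR": 4.1, "CVSSv3": 8.1},
    {"id": "F3", "Severity": "High", "VPR": 5.2},  # no CVSSv3 score recorded
    {"id": "F4", "Severity": "Medium", "VPR": 9.1, "CVSSv3": 6.5},
    {"id": "F5", "Severity": "Critical", "VPR": 6.0, "CVSSv3": 9.8},
]


def clause(text):
    """Split 'Filter <operator> Value' into its three components."""
    for op in OPERATORS:
        m = re.fullmatch(rf"(.+?)\s+{op}\s+(.+)", text)
        if m:
            return ("CLAUSE", m.group(1), op, m.group(2))
    raise ValueError(f"no supported operator in: {text!r}")


def parse(query):
    """Build a tree of AND/OR/NOT groups and clauses from a query string.

    Limitation of this sketch: values that themselves contain AND, OR or
    parentheses are not supported.
    """
    tokens = [t.strip() for t in re.split(r"(\(|\)|\bAND\b|\bOR\b)", query) if t.strip()]
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("query ends unexpectedly")
        pos += 1
        return tok

    def group():
        terms, conditions = [term()], set()
        while peek() in ("AND", "OR"):
            conditions.add(take())
            terms.append(term())
        if len(conditions) > 1:
            # Assumption: refuse to guess a precedence the page does not state.
            raise ValueError("AND and OR mixed at one level; add parentheses")
        return (conditions.pop() if conditions else "AND", terms)

    def term():
        tok = take()
        if tok in ("(", "NOT"):
            if tok == "NOT" and take() != "(":
                raise ValueError("NOT must be followed by (")
            inner = group()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return ("NOT", inner) if tok == "NOT" else inner
        return clause(tok)

    tree = group()
    if peek() is not None:
        raise ValueError(f"unexpected token: {peek()!r}")
    return tree


def matches(node, item):
    """Evaluate a parsed query against one finding."""
    kind = node[0]
    if kind == "CLAUSE":
        _, field, op, value = node
        if field not in item:
            return False  # assumption: a missing attribute never matches
        actual = item[field]
        if isinstance(actual, (int, float)):
            value = float(value)
        return OPERATORS[op](actual, value)
    if kind == "NOT":
        return not matches(node[1], item)
    results = [matches(child, item) for child in node[1]]
    return all(results) if kind == "AND" else any(results)


def run(query, findings=FINDINGS):
    """Return the ids of the findings selected by the query."""
    tree = parse(query)
    return [f["id"] for f in findings if matches(tree, f)]


if __name__ == "__main__":
    for q in (
        "Severity is equal to High AND (VPR is greater than 7 OR CVSSv3 is greater than 6)",
        "(Severity is equal to High AND VPR is greater than 7) OR CVSSv3 is greater than 6",
        "Severity is equal to High AND NOT(VPR is greater than 7)",
    ):
        print(q, "->", run(q))
```

Moving the parentheses in the second query pulls in the Medium and Critical findings as well, which is the difference to check for before saving or sharing a prioritization query.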

Build a Query
To build a query with the Query Builder:

1. Click the query box.

A pane appears with a list of filters, which vary in each section of Tenable Vulnerability
Management.

2. Under Filters, choose a filter.

A list of operators appears.

3. Under Operators, choose an operator.

For filters where the value is text or a number, a hint appears. Otherwise, a list of options
appears.

4. Under Value, type a value or select one from the list.

5. (Optional) Add another query (that is, type a Condition and then add a Filter, an Operator, and
a Value).

Tip: Under Nesting Operators, select an opening parenthesis ( or NOT( to start building a nested
query.

6. Press Enter to run the query.

Edit a Query
To edit a query, do one of the following.

Action                      Description

Replace a query component   In the query box, click the component to replace. A list of options
                            appears.

Delete a query component    On the query component, click the X.

Clear a query               On the right side of the query box, click the X.

Keyboard Shortcuts
Use the following keyboard shortcuts in the Query Builder.

Shortcut                    Description

Up Arrow or Down Arrow      Navigate lists of open-ended values such as text or numbers.

Right Arrow or Left Arrow   Move the cursor in your query or choose a date in the date picker.

Enter                       Select a query component or date. If no component is selected, apply
                            the query.

Esc                         Close a list (for example, the Filters list).

Ctrl-C or ⌘-C               Copy the highlighted text.

Ctrl-V or ⌘-V               Paste your clipboard contents into the Query Builder.

Ctrl-Z or ⌘-Z               Undo the last action.

Ctrl-Y or ⌘-Y               Redo the last action.

Saved Queries
In Tenable Vulnerability Management, you can build custom queries with the Query Builder and
save them to reuse or share. In the user interface, this feature is called Saved Queries.

You can access the Saved Queries menu to the left of the search/query bar within the Tenable
Vulnerability Management user interface.

Additionally, when viewing your Saved Queries, you can view Tenable Queries which highlight
common key performance indicators (KPIs).

Tenable Queries
Asset Tenable Queries

External Assets (ASM) — Assets or domains discovered by Tenable Attack Surface
Management, integrated with the steps described in Manage Integrations in the
Tenable Attack Surface Management User Guide. This filter does not appear for
Domain Inventory assets.

Network Devices — Assets identified as networking devices, including routers,
switches, firewalls and SSL gateways. This filter does not appear for Domain
Inventory, Cloud Resource, or Web Application assets.

Findings Tenable Queries

AI Inventory — AI-related Vulnerabilities and Web Application findings identified by
Tenable's plugins.

CISA Known Exploitable — Vulnerabilities that appear in the CISA Known Exploited
Vulnerabilities Catalog.

Emerging Threats — Vulnerabilities being actively monitored by Tenable in three
areas:

• Vulnerabilities Being Monitored — Publicly discussed, but no exploit or
proof of concept has been disclosed.

• Vulnerabilities of Interest — Publicly discussed and have a proof of concept
that could lead to widespread use by attackers.

• Vulnerabilities of Concern — Widely discussed and large-scale abuse by
attackers is being observed.

In the News — Vulnerabilities being widely reported in the press with notable
coverage over the past 30 days.

Persistently Exploited — Vulnerabilities being leveraged by threat actors over an
extended period of time in targeted attacks, ransomware, or malware
campaigns. These vulnerabilities are curated by the Tenable Research team.

Ransomware — Vulnerabilities used in current or historical ransomware attacks,
as determined from evidence gathered by the Tenable Research team.

Recently Exploited — Vulnerabilities with notable coverage in the press over the
past 30 days, and for which Tenable has evidence of active exploitation.

Top 50 VPR — The top 50 vulnerabilities by Vulnerability Priority Rating (VPR).

Manage Queries
You can manage your queries in the following ways:

Save a Query

To save a query:

1. In a query box, use the Query Builder to refine results.

2. To the left of the query box, click Saved Queries.

A drop-down appears.

3. Click Save As New Query.

4. In New Query Name, type a name and click the button.

Set a Default Query

You can set any query to be your default query when navigating to the Tenable Vulnerability
Management page.

To set a default query:

1. To the left of a query box, click Saved Queries.

A drop-down appears.

2. To the right of the query, click the button.

Tenable Vulnerability Management saves the query as your default, and applies it to the page
automatically.

Run a Saved Query

To run a saved query:

1. To the left of a query box, click Saved Queries.

A drop-down appears.

2. In the drop-down, click a query to run it.

Share a Saved Query

To share a saved query:

1. To the left of a query box, click Saved Queries.

A drop-down appears.

2. To the right of the query to share, click the button.

3. Paste the link to share the query.

Note: Any Tenable Vulnerability Management user can run a shared query, but the assets they can view
are based on permissions. To learn more, see Access Control.

Edit a Saved Query

To edit a saved query:

1. To the left of a query box, click Saved Queries.

A drop-down appears.

2. In the drop-down, click the query to edit.

3. Do one of the following:

Rename the query:


a. Click the button.

b. Type a new name and click the button.

Save the query as a new query:


a. In the filter box, update the query.

b. To the left of the query box, click Saved Queries.

c. In the drop-down that appears, click Save as New Query.

d. Type a new name in the box and click the button.

Delete a Saved Query

To delete a saved query:

1. To the left of a query box, click Saved Queries.

A drop-down appears.

2. Next to the query to delete, click the button.

Export Findings or Assets

You can export data from the Findings and Assets workbenches to CSV or JSON. While these
workbenches contain different data, the basic export process is the same.

To export findings or assets:

1. Do one of the following:

• In the left navigation, click Findings.

The Findings workbench appears.

• In the left navigation, click Assets.

The Assets workbench appears.

2. In the left navigation plane, under Explore, do one of the following:

• To export your organization's scanned vulnerability findings, click Findings.

The Findings workbench appears.

• To export your organization's scanned assets, click Assets.

The Assets workbench appears.

3. Refine the displayed data, as described in Use Filters.

Note: On the Findings workbench, when using the Group By filter, you can only export five findings
at a time.

Note: On the Assets workbench, the Asset ID, Last Authenticated Scan, Last Licensed Scan, and
Source fields are required.

4. Select the check boxes next to the findings or assets to export.

Note: You can manually select up to 200 findings or assets. Otherwise, you must select them all.

5. In the action bar, click Export.

The Export plane appears.

Option Description

Name
Type a name for the export.

Formats
Select an export format:

• CSV – A CSV file that you can open in a spreadsheet application such as Microsoft Excel.

Note: For findings exports, the system automatically trims cells longer than 32,000 characters
so they appear correctly in Microsoft Excel. Select Untruncated Data to disable this.

Note: If your export file contains a cell starting with any of the following characters
(=, +, -, @), the system adds a single quote (') at the beginning of the cell. For more
information, see the Knowledge Base.

• JSON – A JSON file containing a nested list of findings, with no empty fields.

Configurations
Select the fields to include:

• Under Select Field Set, search for or select the fields to add to your export.

• To view only selected fields, click View Selected.

• In the Expiration box, type the number of days before the export file ages out.

Note: In asset exports, Asset ID, Last Authenticated Scan, Last Licensed Scan, and Source are
required.

Schedule
Turn on the Schedule toggle to schedule your export:

a. In the Start Date and Time section, choose the date and time for the export.

b. In the Time Zone drop-down, choose a time zone.

c. In the Repeat drop-down, choose the cadence on which you want the export to repeat (for
example, daily).

d. In the Repeat Ends drop-down, choose the date when exports end. If you select Never, the
export repeats until you modify or delete it.

Email Notifications
Turn on the Email Notification toggle to send email notifications:

a. In the Add Recipients box, type the emails to notify.

b. In the Password box, type a password for the export file.

Share this password with the recipients so they can download the export file.

6. Click Export.

Depending on size, the export file may take several minutes to process. When processing
completes, the file downloads to your computer.

Tip: If you close the Export plane before the download completes, you can access the completed
export file in Settings > Exports.
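
The two CSV notes under Formats describe a defense against spreadsheet formula injection. The following Python sketch is an added example, not Tenable's code: it applies the same two rules to a cell and audits a CSV file for cells a spreadsheet could evaluate. The function names, the sample findings, and the order in which the two rules run are assumptions.

```python
import csv
import io

FORMULA_PREFIXES = ("=", "+", "-", "@")  # characters named in the export note
EXCEL_CELL_LIMIT = 32000                 # trim length named in the export note

# Constructed sample findings; real scan output often starts with "-" or "@".
FIELDS = ["asset", "plugin_name", "output"]
SAMPLE_FINDINGS = [
    {"asset": "web01.example.test", "plugin_name": "=2+5",
     "output": "-rw-r--r-- 1 root root 0 motd"},
    {"asset": "db01.example.test", "plugin_name": "SSH Server Detection",
     "output": "@reboot /usr/local/bin/job"},
]


def sanitize_cell(value, untruncated=False):
    """Apply the quote-prefix rule, then the trim rule, to one cell."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text  # spreadsheet now treats the cell as plain text
    if not untruncated and len(text) > EXCEL_CELL_LIMIT:
        text = text[:EXCEL_CELL_LIMIT]
    return text


def write_export(rows, fieldnames, sanitize=True, untruncated=False):
    """Serialize rows to CSV text, sanitizing every cell unless disabled."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {}
        for name in fieldnames:
            raw = row.get(name)
            if sanitize:
                cells[name] = sanitize_cell(raw, untruncated)
            else:
                cells[name] = "" if raw is None else str(raw)
        writer.writerow(cells)
    return buf.getvalue()


def find_risky_cells(csv_text):
    """Return (row_number, column, first_char) for cells that begin with a
    formula character. Row 1 is the header, so data starts at row 2."""
    risky = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):
        for column, cell in row.items():
            if isinstance(cell, str) and cell.startswith(FORMULA_PREFIXES):
                risky.append((row_number, column, cell[0]))
    return risky


if __name__ == "__main__":
    unsafe = write_export(SAMPLE_FINDINGS, FIELDS, sanitize=False)
    safe = write_export(SAMPLE_FINDINGS, FIELDS)
    print("unsanitized:", find_risky_cells(unsafe))
    print("sanitized:  ", find_risky_cells(safe))
```

The audit function is useful on CSV files from any source before they are opened in a spreadsheet, including exports created with Untruncated Data selected.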

Error Messages
For Tenable Vulnerability Management API status codes, see the Tenable Developer Portal.

Scanning
The following table describes the scanning error messages that may appear in Tenable Vulnerability
Management.

Some scanning errors occur when you exceed the following Tenable Vulnerability Management
scanning limitations:

Scan Limitations

The following table describes scanning limitations in Tenable Vulnerability Management:

Limitation Description

Targeted IP addresses or hostnames per assessment scan
Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with
a single assessment scan (for more information, see Discovery Scans vs. Assessment Scans). The
host target limit is 10 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to target more than 10,000 hostnames or IP addresses in a single
assessment scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan.

Targeted IP addresses or hostnames per discovery scan
Tenable Vulnerability Management limits the number of IP addresses or hostnames you target with
a single discovery scan (for more information, see Discovery Scans vs. Assessment Scans). The
host target limit is 1,000 times your organization's licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to target more than 1,000,000 hostnames or IP addresses in a
single discovery scan. If you exceed the limit, Tenable Vulnerability Management aborts the
scan.

Host scan results per scan
Tenable Vulnerability Management limits the number of live hosts for which a single scan can
generate scan results. The live host scan results limit is 1.1 times your organization's
licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to generate scan results for more than 1,100 live hosts from a
single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan. Tenable
Vulnerability Management does not apply the live host scan result limit to discovery scans.

Tenable Vulnerability Management also limits the number of dead hosts for which a single scan
can generate scan results. The dead host scan results limit is 100 times your organization's
licensed asset count.

For example, if your organization has a licensed asset count of 1,000, Tenable Vulnerability
Management does not allow you to generate scan results for more than 100,000 dead hosts from a
single scan. If you exceed the limit, Tenable Vulnerability Management aborts the scan.

Targeted IP addresses or ranges per scan
You cannot specify more than 300,000 comma-separated IP addresses or ranges when configuring a
scan’s targets.

Active scans
You cannot have more than 25 scans running in your container simultaneously.

Scan chunks
Tenable Vulnerability Management limits scan chunks to 10,000 hosts, 150,000 findings, or 7 GB
in total size. If a scan chunk exceeds any of these values, Tenable Vulnerability Management
does not process the scan and eventually aborts it.

Note: This limits items like MDM assessments, importing Nessus files, and very large Auto
Discovery scenarios (for example, VMware) to individual scans with less than 10,000 assessed
targets.

Scan configurations
Tenable Vulnerability Management limits the number of scan configurations you can create to
10,000 scans. Tenable recommends re-using scheduled scans instead of creating new scans. This
approach helps to avoid latency issues in the user interface.

For more information about creating, modifying, and launching scans, see Manage Scans. For more
information about scan status values, see Scan Status.
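
A pre-flight check for the target limits in the Scan Limitations table, as an added Python example that is not part of Tenable Vulnerability Management. It assumes targets are comma-separated hostnames, single IP addresses, CIDR blocks, or full start-end ranges, and that every address in a block or range counts as one target; the function names and sample targets are constructed.

```python
import ipaddress

# Multipliers and entry cap taken from the Scan Limitations table.
TARGET_MULTIPLIER = {"assessment": 10, "discovery": 1000}
MAX_TARGET_ENTRIES = 300_000

# Constructed sample: 8,192 + 2,000 + 1 = 10,193 targets.
SAMPLE_TARGETS = "10.0.0.0/19, 10.1.0.1-10.1.7.208, scan-target.example.test"


def count_entry(entry):
    """Return how many hosts one target entry expands to (assumed syntax)."""
    if "/" in entry:
        # CIDR block; assumption: every address in the block counts.
        return ipaddress.ip_network(entry, strict=False).num_addresses
    if "-" in entry:
        start, _, end = entry.partition("-")
        try:
            low = ipaddress.ip_address(start.strip())
        except ValueError:
            return 1  # a hostname that happens to contain a hyphen
        high = ipaddress.ip_address(end.strip())  # ValueError on short forms
        if low.version != high.version or int(high) < int(low):
            raise ValueError(f"invalid target range: {entry}")
        return int(high) - int(low) + 1
    return 1  # single IP address or hostname


def preflight(targets, licensed_assets, scan_type):
    """Compare a target string with the per-scan limits before launching."""
    entries = [e.strip() for e in targets.split(",") if e.strip()]
    limit = TARGET_MULTIPLIER[scan_type] * licensed_assets
    problems = []
    hosts = 0
    for entry in entries:
        try:
            hosts += count_entry(entry)
        except ValueError as exc:
            problems.append(f"cannot parse target: {exc}")
    if not entries:
        problems.append("no targets configured")
    if len(entries) > MAX_TARGET_ENTRIES:
        problems.append(
            f"{len(entries)} entries exceed the {MAX_TARGET_ENTRIES} entry cap")
    if hosts > limit:
        problems.append(
            f"{hosts} targets exceed the {scan_type} scan limit of {limit}")
    return {"entries": len(entries), "hosts": hosts,
            "limit": limit, "problems": problems}


if __name__ == "__main__":
    for kind in ("assessment", "discovery"):
        print(kind, preflight(SAMPLE_TARGETS, 1000, kind))
```

With a licensed asset count of 1,000, the sample target list is too large for an assessment scan but fits within the discovery scan limit.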

Warning Message Recommended Action

Warning: Aborted Task Targets
Message: The following targets were aborted: [scan targets]
Recommended Action: If needed, perform a rollover scan on the aborted targets.

Warning: Aborted Task Targets Summary
Message: There were [number] aborted targets, including [number of targets not in notes] above
the limit for reporting notes.
Recommended Action: If needed, perform a rollover scan on the aborted targets.

Warning: Account Target Limit
Message: The target count exceeds the limit for this account. Please contact customer support
to upgrade your license.
Recommended Action: You reached the maximum scan target limit. To increase your scan target
limit by upgrading your license, contact Tenable Support.

Warning: Agent Group Error
Message: Unexpected error retrieving the agent groups.

Warning: Agent Group Permissions
Message: The owner does not have access to all of the configured agent groups.
Recommended Action: You do not have access to all the agent groups selected for this scan.
Select the correct groups. For more information, see Agent Groups.

Warning: Agent Scan Indexing Error
Message: Tenable Vulnerability Management aborted a scan task after an unexpected error
occurred during indexing. You may need to re-scan the agent. (Agent: [agent name], Agent UUID:
[agent uuid])
Recommended Action: Re-scan the affected agent.

Warning: Agent Unscanned
Message: Scan not {completed | started}. Agent with plugin set: {pluginSet} last connected:
{lastConnected} and last scanned {lastScanned}. (Agent: [agent name], Agent UUID: [agent uuid])
Recommended Action: Re-run the scan.

Warning: All Inactive Scanners
Message: All targets were routed to scanner groups with no active scanners.

Warning: All Scans Aborted
Message: All active scans were aborted.
Recommended Action: Tenable Vulnerability Management aborted the scan due to a system abort
request. Re-run the scan.

Warning: Auto Routed Custom Targets
Message: Custom scan targets are not currently supported for auto routed scans.
Recommended Action: Select a specific scanner to run scans on custom targets.

Warning: Auto Routing Disabled
Message: The scan is configured for auto routing, but that feature is not enabled.

Warning: Concurrent Scan Limit
Message: Concurrent scan limit reached for this account. Please contact customer support to
upgrade your license.
Recommended Action: You reached the maximum concurrent scan limit. Re-run the scan later.

Warning: Concurrent Scan Limit Reached
Message: Scan could not be completed: concurrent scan limit reached for this account. Please
contact customer support to upgrade your license.
Recommended Action: You reached the maximum concurrent scan limit. Re-run the scan later.

Warning: Conflict
Message: Transition for indexing to pausing not supported.
Recommended Action: The scan is completed and is now in the process of indexing. Wait for the
indexing to complete.

Warning: Empty Scanner Group
Message: The scan is configured to use a scanner group with no assigned scanners.
Recommended Action: Confirm that the scanner group contains functioning scanners, then re-run
the scan.

Warning: Empty Targets
Message: No targets are configured for the scan.
Recommended Action: Confirm the scan configuration contains one or more valid targets, then
re-run the scan.

Warning: Import Failed
Message: Failed to import scan results from the agent. Invalid results, multiple hosts detected
in scan results. (Agent: [agent name], Agent UUID: [agent uuid])
Recommended Action: Re-run the scan.

Warning: Inactive Scanners
Message: The scan is configured to use a scanner group with no active scanners.
Recommended Action: Confirm that the configured scanner is functioning, or that the configured
scanner group contains functioning scanners, then re-run the scan.

Warning: Indexing Error
Message: Unexpected error during task processing. Targets may need to be rescanned : [scan
targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Initialization Error
Message: Unexpected error during initialization.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Invalid AWS Targets
Message: No valid AWS targets are configured for the scan.
Recommended Action: Confirm the scan contains valid AWS scan targets and re-run the scan. For
more information, see Targets.

Warning: Invalid PCI Scanner
Message: The PCI scan can only be launched using Tenable Cloud Scanners
Recommended Action: Use a Tenable cloud sensor to run a Tenable PCI ASV scan. For more
information, see Cloud Sensors.

Warning: Invalid Tag Target
Message: Failed to resolve a target FQDN or IP from an asset in the configured tags.
Recommended Action: One or more assets in a tag configured for the scan requires an associated
scan target. Confirm the tag configuration, then re-run the scan. For more information, see
Tags.

Warning: Invalid Tag Rule As Target
Message: Tags with the "Match All" filter can only have one rule for scans with the "Targets
defined by tags" option enabled. Tag category: [tag category], Tag value: [tag value].
Recommended Action: Adjust your tag rules, then re-run the scan.

Warning: Invalid Target
Message: Can't resolve target.
Recommended Action: Confirm your scan includes valid scan targets, then re-run the scan. For
more information, see Targets.

Warning: Invalid Target Range
Message: An invalid target range is configured for the scan: [scan targets]
Recommended Action: Correct or remove the invalid scan target range, then re-run the scan. For
more information, see Targets.

Warning: Invalid Targets
Message: No valid targets are configured for the scan.
Recommended Action: Confirm the scan targets meet the following criteria:
• IP addresses use a valid format
• Use commas to separate lists of IP addresses
• IP addresses in target groups use a valid format
For more information, see Targets and Target Groups.
For more troubleshooting assistance, see the knowledge base article.

Warning: Job Initialization Error
Message: Unexpected error during initialization. Please check the scan targets and settings for
irregularities and contact support if the problem persists.
Recommended Action: Re-run the scan.

Warning: Log4j DNS Failed Request
Message: Unable to resolve DNS [scan target] to check Log4j Vulnerability.
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Max Findings Error
Message: The maximum number of findings was reached.
Recommended Action: Review the Tenable Vulnerability Management scan limitations and adjust the
scan configuration to produce an allowed number of findings.

Warning: Max Hosts Reached Error
Message: Scan has exceeded the maximum number of allowed hosts.
Recommended Action: Review the Tenable Vulnerability Management scan limitations and adjust the
scan configuration to scan an allowed number of hosts.

Warning: Network Congestion Detected
Message: Some network congestion was detected during the scan. This may indicate that one or
more of the remote hosts are connected through a connection that does not have enough bandwidth
to handle the network traffic generated while scanning.
Recommended Action: To reduce the risk of congestion:
• Reduce max hosts to a lower value
• Increase the network read timeout in your policy

Warning: No Available Scanner
Message: Unable to find a scanner that is able to run the scan.
Recommended Action: Confirm you selected the correct scanner, then re-run the scan.

Warning: No Configured Agent Groups
Message: The scan has no configured Agent Groups.
Recommended Action: Add at least one Agent Group to the scan.

Warning: No Scan Policy
Message: The scan must be configured with a scan policy.
Recommended Action: The scan requires a scan policy. Configure a scan policy, then re-run the
scan.

Warning: No Tag Targets
Message: No valid targets were found from the configured tags.

Warning: Notification Error
Message: Notifications for this scan may not have been sent.
Recommended Action: The scan completed, but failed to send a notification.

Warning: Owner Disabled
Message: The owner of the scan is disabled.
Recommended Action: Enable the owner of the scan or transfer ownership to an enabled user. For
more information, see Permissions.

Warning: Paused Scan Timeout
Message: Paused scan exceeded timeout of [maximum allowed pause] days. Some tasks were aborted.
Targets may need to be rescanned.
Recommended Action: The paused scan exceeded the maximum pause duration. Re-run the scan for all
incomplete scan targets.

Warning: Pending Scan Timeout
Message: The scan was unable to transition to running within the expected timeout.
Recommended Action: Confirm that the selected scanner or scanner group has sufficient capacity,
then re-run the scan.

Warning: Policy Permissions
Message: The owner of the scan does not have access to the configured policy.
Recommended Action: You do not have access to the scan policy for this scan. Re-run the scan
with correct permissions. For more information, see Permissions.

Warning: Portscanner Max Ports Exceeded
Message: Portscanners have found more than [number] ports open for target [target name], and
the number of reported ports has been truncated to [number] (threshold controlled by scanner
preference portscanner.max_ports). Usually this is due to intervening network equipment
intercepting and responding to connection requests as a countermeasure against portscanning or
other potentially malicious activity.
Recommended Action: Since this negatively impacts both scan accuracy and performance, you may
want to adjust your network security configuration to disable this behavior for vulnerability
scans.

Warning: Processing Error
Message: Unexpected error in processing.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Routed To Inactive Scanners
Message: The following targets were routed to a scanner group with no active scanners: [scan
targets]
Recommended Action: Confirm the scanner group contains functioning scanners, then re-run the
scan.

Warning: Running Scan Timeout
Message: The scan exceeded the maximum allowed runtime.
Recommended Action: The scan may be taking too long to scan some scan targets. Re-run the scan.

Warning: Scan Aborted
Message: Scan aborted because it stalled in initializing.
Recommended Action: Tenable Vulnerability Management aborted the scan. Re-run the scan.

Warning: Scan Aborted
Message: An error occurred while initializing the scan.
Recommended Action: Tenable Vulnerability Management failed to initialize the scan. Re-run the
scan.

Warning: Scan Aborted
Message: Failed to obtain plugin set information from Tenable Nessus.
Recommended Action: Tenable Vulnerability Management failed to download the plugin set. Re-run
the scan.

Warning: Scan Aborted
Message: The assigned scanner was not found.
Recommended Action: Tenable Vulnerability Management could not find the selected scanner.
Select a different scanner and re-run the scan.

Warning: Scan Extraction Error
Message: An error occurred during the scan extraction.

Warning: Scan Extraction Timeout Error
Message: The scan extraction timed out.

Warning: Scan Forbidden
Message: Rejected attempt to scan [scan target], as it violates user-defined rules.
Recommended Action: The scan target is excluded from scans. If you want to scan this target,
remove it from the exclusion and re-run the scan. For more information, see Exclusions.
Alternatively, you may not have the correct user permissions to run the scan. Check your user
permissions and re-run the scan. For more information, see Permissions.

Warning: Scan Force Stopped
Message: The scan was forcefully stopped, which cancels all incomplete tasks and updates scan
status to Aborted.

Warning: Scan Job Initialization Error
Message: The scan could not be initialized. Please check the scan targets setting for
irregularities and contact support if the problem persists.
Recommended Action: Tenable Vulnerability Management failed to launch the scan. Re-run the scan
with the correct scan target. For more information, see Targets.

Warning: Scanner Disabled
Message: The assigned scanner is disabled.
Recommended Action: A user disabled the selected scanner. Select a different scanner and re-run
the scan.

Warning: Scanner Error
Message: Unexpected error retrieving the assigned scanner.

Warning: Scanner Group Error
Message: Unable to load scanner group for scanner [scanner ID].
Recommended Action: Confirm the scan configuration contains one or more valid targets, then
re-run the scan.

Warning: Scanner Interruptions
Message: Due to detection of scanner interruptions during the scan, this scan might have run
longer than expected. Scanner name: [scanner name]
Recommended Action: This error occurs when a Tenable Nessus scanner is unable to complete a
scan task, and Tenable Vulnerability Management reassigns the scan task to another scanner.
This usually happens when the original scanner goes offline intentionally (for example, a user
stops, powers off, or unlinks the scanner) or experiences an unexpected failure while
completing the scan task (for example, power or network loss).
Adjust the Tenable Nessus scanner as needed to prevent interruptions.

Warning: Scanner Not Found
Message: The assigned scanner was not found.
Recommended Action: Tenable Vulnerability Management could not find the selected scanner.
Select a valid scanner and re-run the scan.

Warning: Scanner Permissions
Message: The owner of the scan does not have access to the assigned scanner.
Recommended Action: You do not have access to the selected scanner. Select a different scanner
and re-run the scan. For more information, see Permissions.

Warning: Stalled Task
Message: A task was automatically aborted after stalling on scanner. Targets may need to be
rescanned: [scan targets]
Recommended Action: Confirm the scanners are functioning properly and have enough capacity for
your scans, then re-run the scan for unscanned targets or targets that need to be re-scanned.

Warning: Tag Not Found
Message: Tenable Vulnerability Management could not process the tag. The tag either did not
exist at the time of scanning or the user does not have access to the tag. Tag UUID: [tag
uuid].
Recommended Action: Open the scan configuration in Tenable Vulnerability Management to
automatically remove any tags that no longer exist. Save the scan configuration and re-run the
scan.

Warning: Tag Targets Error
Message: Failed to obtain tag targets associated with scan.
Recommended Action: Tenable Vulnerability Management could not obtain the scan targets. Verify
the targets and re-run the scan. For more information, see Targets.

Warning: Target Access Error
Message: The owner of the scan does not have access to any configured targets.
Recommended Action: You do not have the correct user permissions to run the scan. Check your
user permissions and re-run the scan. For more information, see Permissions.

Warning: Target Group Permissions
Message: The owner of the scan does not have access to all of the configured target groups.
Recommended Action: Confirm the scan owner's permissions, then re-run the scan. For more
information, see Target Groups.

Warning: Target Limit
Message: The target count exceeds the maximum allowed for Tenable Vulnerability Management.
Recommended Action: The scan target range is too large. Confirm the scan configuration includes
a valid target range, then re-run the scan. For more information, see Targets.

Warning: Target Range Limit
Message: A target range exceeds the maximum allowed targets: [scan targets]
Recommended Action: Confirm or reduce the configured scan target range and re-run the scan. For
more information, see Targets.

Warning: Targets Unable To Complete
Message: The following targets are not able to complete scanning in the allowed scan time and
will need to be rescanned: [scan targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be scanned
again.

Warning: Task Initialization Error
Message: Unexpected error during initialization. Targets may need to be rescanned: [scan
targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Task Processing Error
Message: Unexpected error in processing. Targets may need to be rescanned: [scan targets]
Recommended Action: Re-run the scan for unscanned targets or targets that need to be
re-scanned.

Warning: Transition Timeout
Message: Some tasks stalled when being [resumed, paused, or stopped] and were aborted. Targets
may need to be rescanned.
Recommended Action: Failed to complete scan on some scan targets. Re-run the scan for all
unscanned scan targets.

Warning: Unable To Route Targets
Message: Unable to find a matching scanner route for the following targets: [scan targets]
Recommended Action: Tenable Vulnerability Management could not find one or more scan targets
specified in the scan configuration. Do the following, then re-run the scan:
• Confirm the scan configuration specifies the correct network.
• Confirm the scan routing configuration of the scanner groups in that network.

Message: The total number of scan configurations cannot exceed 10,000.
Recommended Action: Review and remove any scan configurations that your organization no longer
uses.

Message: The following targets were not routable: [scan targets]
Recommended Action: Ensure that you are using the correct scanner to scan the targets and that
there are not any protective securities between the scanner and the targets.

Warning: Unenforceable Rules
Message: Some dynamic rules are disabled because IP address resolution. Rules containing the
following host names are affected: [rules]
Recommended Action: Verify that the host names are correct and check your DNS configuration.

Dashboards
Dashboards are interactive, graphical interfaces that often provide at-a-glance views of key
performance indicators (KPIs) relevant to a particular objective or business process.

The Dashboards page contains tiles that represent:

• Tenable-provided dashboards. For a complete index of Tenable-provided dashboard templates,
see Tenable Vulnerability Management Dashboards.

Note: Depending on your license, more dashboards are included. For example, the Tenable Lumin
dashboard.

• Dashboards you have created. To create a template-based or custom dashboard with
Tenable-provided or custom widgets, see Create a Dashboard.

• Dashboards that other users have shared with you. Click the Shared with Me tab to view
dashboards that others have shared with you.

Vulnerability Management Dashboard


This Tenable-provided dashboard visualizes actionable insights for your vulnerability management
program. Tenable Vulnerability Management updates dashboard data every time you run a scan.

Note: There may be a delay between when a scan completes and when the dashboard data updates while
Tenable Vulnerability Management indexes the data.

To access the Vulnerability Management Overview dashboard:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Vulnerability Management.

The Vulnerability Management Overview dashboard appears.

You can roll over individual items to reveal additional information or click on items to drill down into
details behind the data.

Tip: All charts on the Vulnerability Management Overview show New, Active, and Resurfaced
vulnerability data. However, the counts or data displayed on each chart may differ for other reasons. For
example, the Vulnerability Priority Rating (VPR) widget organizes vulnerabilities by VPR category, but the
Vulnerability Trending widget graphs vulnerabilities by CVSS-based severity category. For more
information about how severity and VPR metrics compare, see CVSS vs. VPR.

In the Vulnerability Management Overview, you can interact with the following widgets:

Widget Action

Cyber Exposure News Feed
This widget highlights the most recent Tenable blog posts related to exposure incidents.

• Click on a tile to navigate to the Tenable blog post.

• Click the or button to collapse or expand the feed.

• Click the or button to scroll through the tiles.

Statistics
This widget summarizes the highest severity vulnerabilities on your network during the last 30
days.

• View a count of your total vulnerabilities and counts for the highest severity
vulnerabilities (Critical and High) during the past 30 days.

• To view a list of vulnerabilities, click one of the counts.

The Vulnerabilities page appears, filtered by a severity if you selected the Critical or High
count.

• View a count of your total licensed assets, your assets discovered during the last 7 days,
and your assets discovered during the last 30 days.

If necessary, onboard your newly discovered assets.

• To view a list of assets, click one of the counts.

The Assets page appears, filtered by a time range if you selected the 7 days or 30 days count.
For more information, see View Asset Details.

• View a count of your scans run during the last 90 days and the percentage that succeeded and
failed.

To investigate your failed scans, review your scans with the status Aborted or Canceled. For
more information, see View Scans.

• To export the data in the widget, click the button and select a format.

CISA Alerts AA22-011A and AA22-047A
This widget provides a vulnerability count of risks associated with the CISA Alerts AA22-011A
and AA22-047A vulnerabilities that have been identified or mitigated.

• To view a list of related vulnerabilities by plugin, in the Vulnerabilities column, click one
of the tiles.

The Vulnerabilities page appears with results filtered by vulnerability state.

• To view a list of related vulnerabilities by asset, in the Assets column, click one of the
tiles.

The Vulnerabilities page appears, filtered by vulnerability state.

• To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)
This widget summarizes the number of vulnerabilities on your network, organized by VPR. For
more information, see CVSS vs. VPR.

• To view a list of vulnerabilities filtered by a VPR range, click one of the tiles.

The Vulnerabilities page appears, filtered by the range you selected.

• To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age
This widget visualizes vulnerability counts by severity and by compliance with your Service
Level Agreements (SLAs). To modify how Tenable Vulnerability Management calculates SLA
severity, see General Settings.

• To view a list of vulnerabilities, click one of the tiles.

The Vulnerabilities page appears, filtered by severity.

• To export the data in the widget, click the button and select a format.

Vulnerability Trending
This widget shows the cumulative number of Critical, High, Medium, and Low severity
vulnerabilities on your network over time. For more information, see CVSS vs. VPR.

• To show or hide data for a severity, click the boxes in the graph legend.

The system updates the widget to show or hide the data you selected.

• To view historical vulnerability count and severity data, roll over a point on the graph.

• To view a list of current vulnerabilities, click a point on the graph.

The Vulnerabilities page appears, filtered by the severity you selected and by New, Active, or
Resurfaced state.

• To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities
This widget summarizes the number of Critical and High severity vulnerabilities on your
network, organized by exploitability characteristic category. A single vulnerability may have
multiple exploitability characteristics and count towards multiple categories.

• To view the counts of your vulnerabilities by decreasing priority, view the categories and
counts from left to right.

• To view a list of vulnerabilities, click one of the bars on the graph.

The Vulnerabilities page appears, filtered by Critical and High severity and the exploitability
characteristic you selected.

• To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities
This widget summarizes the vulnerabilities that are not yet exploitable, determined by their
Exploit Code Maturity and Vulnerability Publication Date.

• To view the counts of your vulnerabilities by decreasing priority, view the categories and
counts from upper left to lower right. Tenable recommends addressing vulnerabilities with
proof-of-concept before those with no known exploit.

• To export the data in the widget, click the button and select a format.

Vulnerability Age
This widget summarizes the age of your vulnerabilities (by Vulnerability First Seen date),
organized by severity, to help you manage your SLAs. For more information about severity, see
CVSS vs. VPR.

• To view a list of vulnerabilities, click one of the vulnerability counts.

The Vulnerabilities page appears, filtered by the Vulnerability First Seen date and severity
you selected.

• To export the data in the widget, click the button and select a format.

Vulnerability Management Overview (Explore)


The Vulnerability Management Overview (Explore) dashboard provides executive management with
a summary of risk information at a glance, while enabling security analysts to drill down into
technical details by clicking on the widgets. Tenable Vulnerability Management updates the
dashboard data each time you run a scan.

Note: There may be a delay between the time when a scan completes and when the dashboard data
updates while Tenable Vulnerability Management indexes the data.

Hovering over individual items reveals a data summary that you can click to drill down for further
details.

In the Vulnerability Management Overview (Explore), you can interact with the following widgets:

Widget Action

Cyber Exposure News Feed

This widget highlights the most recent Tenable blog posts related to exposure incidents.

l Click on a tile to navigate to the Tenable blog post.

l Click the or button to collapse or expand the feed.

l Click the or button to scroll through the tiles.

Severity Statistics by Source

The widget provides a count of vulnerabilities collected through multiple sources: Tenable Nessus scan and Tenable Agents. The numbers displayed in this widget use severity to determine the precedence of vulnerabilities to mitigate.

l To view the list of assets for a specific category, click on the summary information in the relevant category.

The Findings page appears with details about the assets detected for the category.

l To export the data in the widget, click the button and select a format.

Tenable Research Advisory

This widget provides two indicators for current major threats discovered by Tenable Research. The red indicator signifies the presence of the relevant vulnerabilities, while the green indicator is enabled when these vulnerabilities are patched.

l Click on the tiles to display a Findings page with details about the assets detected for Missing Patches and Applied Patches.

l To export the data in the widget, click the button and select a format.

Vulnerability Priority Rating (VPR)

This widget displays vulnerabilities grouped by Vulnerability Priority Rating (VPR). VPR is the output of Tenable's predictive prioritization process, which is continually updated to accommodate the evolving threat landscape.

Following the initial scan of an asset on the network, Tenable computes an initial VPR using a machine-learning algorithm that analyzes more than 150 different aspects of each vulnerability to determine the level of risk. Vulnerabilities listed on the left have the highest VPR, while those on the right have the lowest. For more information, see CVSS vs. VPR.

l To view the asset details detected in a specific range, click on a VPR range.

The Findings page appears with details about the assets detected in the selected range.

l To export the data in the widget, click the button and select a format.

SLA Progress: Vulnerability Age

This widget helps organizations manage Service Level Agreements (SLAs) by providing a vulnerability view organized by Vulnerability Priority Rating (VPR) Score and Vulnerability Age.

Tenable calculates the vulnerabilities that do not meet SLAs using a date filter for within the last X days. The vulnerabilities that meet SLAs use a date filter for older than X days.

When you apply default SLA settings:

l Critical: row uses VPR greater than 9.0.

l High: row uses VPR between 7.0-8.9.

l Medium: row uses VPR between 4.0-6.9.

l Low: row uses VPR between 0-3.9.

To know how Tenable Vulnerability Management calculates SLA severity, see General Settings.

l To view the list of assets detected for a specific category, click on the summary information under the SLA categories.

The Findings page appears with details about the assets.

l To export the data in the widget, click the button and select a format.

Critical and High Exploitable Vulnerabilities

This widget focuses on the most severe current threats, critical and high exploitable vulnerabilities, to help prioritize remediation. Each bar represents vulnerabilities grouped by an exploitability characteristic.

l Exploited by Malware: Vulnerabilities that can be exploited by malicious software, such as viruses, worms, spyware, adware, and ransomware.

l Remotely Exploitable (Low Complexity): Vulnerabilities that can easily be exploited remotely and require little skill or information gathering to exploit.

l Locally Exploitable (Low Complexity): Vulnerabilities that can easily be exploited with local access and require little skill or information gathering to exploit.

l Exploited by Framework (Metasploit): Vulnerabilities that have publicly available exploit code imported into various exploit frameworks, such as Metasploit, and therefore pose risks. These common exploit frameworks are easily accessible and are used by both security researchers and malicious attackers.

l Remotely Exploitable (High Complexity): Vulnerabilities that can be exploited remotely, but require a high degree of skill and information gathering to exploit.

Note: These groupings are not mutually exclusive, as a single vulnerability can fall into multiple exploitability categories. Tenable recommends prioritizing remediation starting with vulnerabilities in the left-most column, Exploited by Malware.

l To view details about assets for a specific category, click one of the bars on the graph.

The Findings page appears with details about assets detected for the category.

l To export the data in the widget, click the button and select a format.

Future Threats: Not Yet Exploitable Vulnerabilities

This widget provides a view of vulnerabilities based on exploit code maturity and vulnerability publication date. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the exploit code maturity, where Proof of Concept is more serious than Unproven Exploit.

l To view the list of assets for a specific category, click on the counts under the Published categories.

The Findings page appears with details about the assets detected for the category.

Tip: Tenable recommends addressing vulnerabilities with proof-of-concept before those with no known exploit.

l To export the data in the widget, click the button and select a format.

Scan Health

This widget provides a summary of scan health in relation to authentication success and failures. The five columns display asset counts related to:

l Authentication Success - Scans authenticate successfully with full administrator/root privileges. Scan results are the most comprehensive.

l Success but Insufficient Access - Scans authenticate successfully, but do not have privileged access. Scan results are limited to the scope of a local non-privileged user.

l Success but Intermittent Failure - Scan credentials intermittently fail, which results from session rate limits, session concurrency limits, or other issues preventing consistent authentication success.

l Authentication Failure (Credentials) - Incorrect credentials provided.

l To view the list of assets that fall in a specific category, click the required category.

The Findings page appears with details about assets detected for the category.

l To export the data in the widget, click the button and select a format.

Vulnerability Age: Managing SLAs

This widget provides a view of vulnerabilities based on severity and age. The columns display counts of published vulnerabilities within the specified time period present in the organization. The rows display the severity level of the vulnerability.

l To view asset details for a specific category, click the vulnerability count in the required category.

The Findings page appears with details about assets detected for the category.

l To export the data in the widget, click the button and select a format.
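The Python sketch below is an added example, not Tenable code: it reproduces the counting behaviour described for the Critical and High Exploitable Vulnerabilities widget, where one vulnerability can count toward several bars, and derives a de-duplicated remediation queue ordered by each finding's left-most matching category. The finding records and field names are constructed for illustration, and the code assumes the order in which the categories are listed above is the widget's left-to-right order.

```python
# Added example: constructed data and hypothetical field names,
# not Tenable's export schema or API.

SEVERITIES_IN_SCOPE = {"critical", "high"}

# (label, predicate) pairs in the order the guide lists the categories.
# Assumption: that order is the widget's left-to-right order, so the
# first entry is the highest remediation priority.
CATEGORIES = [
    ("Exploited by Malware",
     lambda f: f["exploited_by_malware"]),
    ("Remotely Exploitable (Low Complexity)",
     lambda f: f["vector"] == "remote" and f["complexity"] == "low"),
    ("Locally Exploitable (Low Complexity)",
     lambda f: f["vector"] == "local" and f["complexity"] == "low"),
    ("Exploited by Framework (Metasploit)",
     lambda f: "metasploit" in f["frameworks"]),
    ("Remotely Exploitable (High Complexity)",
     lambda f: f["vector"] == "remote" and f["complexity"] == "high"),
]

# Constructed sample findings.
FINDINGS = [
    {"id": "F1", "severity": "critical", "exploited_by_malware": True,
     "vector": "remote", "complexity": "low", "frameworks": {"metasploit"}},
    {"id": "F2", "severity": "high", "exploited_by_malware": False,
     "vector": "remote", "complexity": "high", "frameworks": set()},
    {"id": "F3", "severity": "high", "exploited_by_malware": False,
     "vector": "local", "complexity": "low", "frameworks": {"metasploit"}},
    # Medium severity: outside the widget's Critical/High scope.
    {"id": "F4", "severity": "medium", "exploited_by_malware": True,
     "vector": "remote", "complexity": "low", "frameworks": set()},
    # In scope, but matches no exploitability category.
    {"id": "F5", "severity": "critical", "exploited_by_malware": False,
     "vector": "local", "complexity": "high", "frameworks": set()},
    {"id": "F6", "severity": "critical", "exploited_by_malware": False,
     "vector": "remote", "complexity": "low", "frameworks": set()},
]


def in_scope(finding):
    """Only Critical and High severity findings feed the widget."""
    return finding["severity"] in SEVERITIES_IN_SCOPE


def categorize(finding):
    """Return every category the finding matches, in priority order."""
    return [label for label, matches in CATEGORIES if matches(finding)]


def bar_counts(findings):
    """Per-category counts; a finding is counted once in EACH category it matches."""
    counts = {label: 0 for label, _ in CATEGORIES}
    for finding in filter(in_scope, findings):
        for label in categorize(finding):
            counts[label] += 1
    return counts


def remediation_queue(findings):
    """Each in-scope finding once, ordered by its left-most matching category."""
    rank = {label: i for i, (label, _) in enumerate(CATEGORIES)}
    queue = []
    for finding in filter(in_scope, findings):
        labels = categorize(finding)
        if labels:  # findings with no exploitability category are left out
            queue.append((rank[labels[0]], finding["id"], labels))
    queue.sort(key=lambda item: (item[0], item[1]))
    return [(fid, labels[0], labels) for _, fid, labels in queue]


if __name__ == "__main__":
    counts = bar_counts(FINDINGS)
    for label, count in counts.items():
        print(f"{count:>3}  {label}")
    queue = remediation_queue(FINDINGS)
    print(f"bar total = {sum(counts.values())}, unique findings = {len(queue)}")
    for fid, first, labels in queue:
        print(f"{fid}: fix under '{first}' (also counted in {len(labels) - 1} other bar(s))")
```

Because the bars overlap, their sum overstates the number of distinct vulnerabilities; tracking remediation progress against the de-duplicated queue avoids double counting.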

Tenable Web App Scanning Dashboard


The default Web Applications Scanning dashboard displays data Tenable Web App Scanning
collects.

The tables below describe the sections and widgets displayed in the Web Applications Scanning
dashboard. You can view details about the data in a widget by clicking the widget.

Tenable Web App Scanning Statistics


The table below describes the widgets displayed in the Statistics section of the Web Applications
Scanning dashboard. You can view details about the data in a widget by clicking the widget.

Widget Description

Findings

Number of findings Tenable Web App Scanning has discovered. The findings are categorized by severity (Critical and High).

For information about vulnerability ratings and the severity metrics Tenable uses to analyze risk, see Severity vs. VPR in the Tenable Vulnerability Management User Guide.

Web Assets Scanned

Number of assets scanned over time.

Incomplete Scans

Number of incomplete scans in the past 90 days.

Non Authenticated Scans

Number of non-authenticated scans in the past 90 days.

OWASP Top 10
This chart displays the vulnerabilities discovered by Tenable Web App Scanning that appear in the
latest Open Web Application Security Project (OWASP) Top 10 Most Critical Web Application
Security Risks document.

View the Dashboards Page


Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Tenable Vulnerability Management updates dashboard data based on date filters you add when you
Create a Custom Widget for the dashboard.

To view the Dashboards page:

1. Access the Dashboards page in one of the following ways:

l On any Tenable-provided dashboard page, click the Dashboards button.

l On any other page, do the following:

a. In the upper-left corner, click the button.

The left navigation plane appears.

b. In the left navigation plane, click Dashboards.

The Dashboards page appears. The page contains tiles that represent:

l Tenable-provided dashboards

l Dashboards you have created

l Dashboards that other users have shared with you

2. Do any of the following:

l In the upper-left corner, use the Search bar to search for specific dashboards.

l In the upper-left corner, use the drop-down to change the order in which dashboards
appear on the Dashboards page.

l In the Groups section, do any of the following:


o Use the Search Groups bar to search for specific dashboard groups.
o Click the Shared with Me tab to view dashboards that have been shared with you.
o Click the Updates Available tab to view dashboards that are eligible for auto-
update.

l Roll over individual dashboard tiles to reveal additional information.

l Toggle between the grid and list view.

l Set a default dashboard.

l Edit a dashboard.

l Share a dashboard.

l Export a dashboard.

l Duplicate a dashboard.

l Delete a dashboard.

l Click a dashboard tile to view the individual dashboard.

Tenable-Provided Dashboards
On the Dashboards page, Tenable Vulnerability Management shows dashboards in the following
order:

1. Tenable-provided dashboards. For a complete index of Tenable-provided dashboard
templates, see Tenable Vulnerability Management Dashboards.

2. Dashboards you create and dashboards that have been shared with you.

Note: You can change the order in which dashboards appear by using the drop-down in the upper-right
corner of the Dashboards page.

The Tenable-provided dashboards you see depend on the licenses you have, but can include the
following:

Dashboard                            License

Vulnerability Management Overview    Tenable Vulnerability Management

Lumin                                Tenable Lumin

Web Application Scanning             Tenable Web App Scanning

Note: You can export the Vulnerability Management Overview and Asset View dashboard landing pages,
or export individual widgets on those dashboards. For more information, see Export a Full Dashboard and
Export an Individual Dashboard Widget.

Note: If your dashboard fails to show data, you may be filtering the dashboard by a target group with too many
targets. Tenable recommends limiting the number of targets in any individual target group.

Export a Full Dashboard Landing Page

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

In Tenable Vulnerability Management, you can export the following dashboard landing pages:

l Vulnerability Management Overview

l Tenable Lumin

l Tenable Web App Scanning

To export a full dashboard landing page:

1. View the dashboard page you want to export.

2. In the upper-right corner, click Export.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser settings,
your browser may notify you that the download is complete.

Export an Individual Dashboard Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

In Tenable Vulnerability Management, you can export individual widgets from the following
dashboard landing pages:

l Vulnerability Management Overview

l Tenable Lumin

l Tenable Web App Scanning

To export an individual dashboard widget:

1. View the dashboard page that contains the widget you want to export.

2. In the header of the widget you want to export, click the button.

A drop-down menu appears.

3. From the drop-down menu, select one of the following options:

l Click PDF to export the dashboard in PDF format.

l Click PNG to export the dashboard in PNG format.

l Click JPG to export the dashboard in JPG format.

An In Progress message appears.

Once the export completes, a Success message appears and Tenable Vulnerability
Management downloads the export file to your computer. Depending on your browser settings,
your browser may notify you that the download is complete.

View an Individual Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Tenable Vulnerability Management updates dashboard data every time you run a scan.

To view an individual dashboard:

1. View the Dashboards page.

2. Do one of the following:

l In grid view, roll over the tile for the dashboard you want to view.

Dashboard information and options overlay the dashboard tile.

l In list view, roll over the thumbnail dashboard image for the dashboard you want to view.

Dashboard options overlay the thumbnail dashboard image.

3. Click View.

The page for that dashboard appears.

4. Do one of the following:

l Change the dashboard you are viewing:

a. In the upper-right corner, click Jump to Dashboard.

A drop-down box appears.

b. Select the dashboard you want to view.

Tip: Use this option to view legacy versions of Explore dashboards. For more
information, see Enable Explore Dashboards.

l Roll over individual widgets to reveal additional information.

l Click on widget elements to drill down into details behind the data.

l Share the dashboard.

l Export the dashboard.

l Edit the dashboard.

l Set the dashboard as default.

l Duplicate the dashboard.

l Create a new dashboard.

l Delete the dashboard.

View the Dashboard Template Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

The Template Library provides a selection of Tenable-provided dashboards.

To view the dashboard template library:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

On the Template Library page, you can:

l Sort the Template Library page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the page.

l In the upper-left corner, use the Search bar to search for specific dashboards.

l Click the New and Updated tab to view dashboards that are eligible for auto-update.

l Toggle between the grid and list view.

l Preview a dashboard.

l Create a dashboard.

Create a Dashboard
Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, Administrator, or Custom Role with appropriate privileges

You can create a custom dashboard or use the Template Library to create a copy from the available
templates. Dashboards let you drill down to view the details of each widget.

Important: The Template Library in Tenable Vulnerability Management includes Explore dashboard
templates. The Explore dashboard templates are marked with Explore at the end of the template name.
For example: Vulnerability Management (Explore). From the dashboards that you create using these
templates, you can drill down to the Findings or Assets pages. To add an Explore dashboard, see Enable
Explore Dashboards.

To create a dashboard:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Do one of the following:

To create a dashboard from a template:

a. Click Template Library.

The Template Library page appears.

b. In the Groups panel on the left, click the group name to view the templates for the
category.

Category Description

Center for Internet Security (CIS)

CIS Benchmarks are best practices for the secure configuration of a target system. Be sure to use the proper audit file for scans.

Defense Information Systems Agency (DISA)

The Defense Information Systems Agency (DISA) is a United States Department of Defense combat support agency composed of military, federal civilians, and contractors. A Security Technical Implementation Guide (STIG) is a configuration standard that consists of cybersecurity requirements for a specific product. Be sure to use the proper audit file for scans.

Compliance Framework

Tenable allows you to audit configuration compliance with a variety of standards including GDPR, ISO 27000, HIPAA, NIST 800-53, PCI DSS, and so on. These reports provide summary and detailed information for all the supported frameworks. Be sure to use the proper audit file for scans.

Host Audit Plugin Type

Organizations such as CIS, DISA, and some vendors create golden configuration standards, known as benchmarks. Tenable creates audit files that perform a detailed configuration review. Scanning the assets with the Host Audit Compliance Check plugins allows you to do detailed configuration checks. These reports provide summary and detailed information for all the Host Audit Compliance Check plugins.

Tenable Best Practice Audits

Allows you to implement best practice audits for new technologies. Be sure to use the proper audit file for scans.

Vendor Based Audits

Allows you to implement vendor-specific guidance for new technologies. Vendors include: Vendor, IBM, Juniper, Microsoft, NetApp, VMware, and others. Be sure to use the proper audit file for scans.

Vulnerability Management

Tenable Vulnerability Management provides the most comprehensive vulnerability coverage with real-time continuous assessment of the organization. These built-in reports allow organizations to communicate risk based on prioritization, threat intelligence and real-time insights to prioritize remediation actions. These reports provide summary and detailed information on data collected using Tenable Vulnerability Management applications such as Tenable Nessus.

Web App Scanning

Web application security provides the ability to detect and mitigate threats and vulnerabilities that may compromise the confidentiality, integrity, and availability of web applications. These reports leverage data from Tenable Web App Scanning, a comprehensive and automated vulnerability scanning tool for modern web applications.

c. In the library, locate the template you want to use.

d. Hover over the template.

An overlay of template information and options appears.

e. (Optional) To preview the dashboard template, click Preview. For more information, see
Preview a Dashboard.

f. Click Add.

An Added dashboard to Dashboards confirmation message appears.

The new dashboard appears on the Dashboards page with the name Copy of selected
dashboard.

To create a custom dashboard:

a. Click Custom Dashboard.

The Edit Dashboard page appears.

b. Name the dashboard:


a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the updated name.

c. Add a dashboard description:


a. Click the dashboard description.

The description becomes an editable text box.

b. Type a description for the dashboard.

d. Add widgets to the dashboard:


a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

l To add a widget from a template, click Template Widget.

The Widgets page appears.


o Select the widget as described in Add a Widget to a Dashboard.

l To add a custom widget, click Custom Widget.

The Create Widget page appears.


o Configure the custom widget as described in Create a Custom Widget.

e. Add dashboard filters:

a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

Note: The Edit Filter option does not appear if there are no widgets added to the
dashboard.

b. Configure your dashboard filters as described in Filter a Dashboard.

f. (Optional) Reorder widgets on the dashboard:


a. Hover over the widget you want to move.

b. Press and hold the mouse button to highlight the widget.

The edges of the widget become defined and exhibit a raised appearance.

c. Using the mouse, drag the widget to the new location.

d. Release the mouse button to drop the widget in the new location.

g. (Optional) Delete the dashboard:


o In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management discards the newly created dashboard.

What to do next:
l Manage Dashboards

Preview a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

When creating a new dashboard from a template, you can preview the dashboard before adding it to
the Dashboards page.

To preview a dashboard:

1. Create a dashboard.

2. In the Template Library, roll over the template you want to preview.

An overlay of template information and options appears.

3. Click Preview.

A preview of the dashboard appears.

4. To exit the preview, in the top navigation bar, click a link in the breadcrumb trail to return to the
Template Library, or the Dashboards page.

5. To add the template to the Dashboards page, click Add to Dashboards.

An Added dashboard to Dashboards confirmation message appears, and the new dashboard
appears on the Dashboards page with the name Copy of selected dashboard.

Enable Explore Dashboards


Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To use Explore dashboards within Tenable Vulnerability Management, you must first add them to
your interface via the Template Library.

Note: The numerical data that appears on your Explore dashboards may not match the data on your legacy
Tenable Web App Scanning or VM dashboards.

Note: The data on your Explore Tenable Web App Scanning and VM dashboards reflects your complete
scanning history. This differs from the Tenable Web App Scanning and VM dashboards, which display data
for only the last 30 calendar days.

To enable Explore dashboards:

1. View the Dashboards page.

2. Click New Dashboard.

A list of options appears.

3. Click Template Library.

The Template Library page appears.

4. In the upper-left corner, in the Search bar, type "(Explore)".

All available Explore dashboards appear.

If Explore dashboards do not appear, your container may not have enabled them. Please contact
your Customer Success Manager.

5. For each Explore dashboard you want to add to your interface, do the following:

a. Roll over the Explore dashboard template.

An overlay of template information and options appears.

b. Click Add.

An Added dashboard to Dashboards confirmation message appears, and the Explore
dashboard appears on the Dashboards page.

Note: To reenable your Tenable Web App Scanning or VM dashboards, enable the corresponding
workbench.

Manage Dashboards
This section contains the following topics to help you manage your Tenable Vulnerability
Management dashboards:

Dashboard Groups
In Tenable Vulnerability Management, you can organize dashboards into groups via the dashboard
Groups panel. This allows you to track different types of dashboards, and dashboards that others
have shared with you. You can also share a dashboard group with one or more users or user
groups.

The Groups panel automatically expands when you view the Dashboards page. The panel is
separated by Tenable-provided dashboard groups and user-created dashboard groups.

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Add a Dashboard Group
You can add a dashboard group via the Groups panel on the Dashboards page.

To add a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click Add.

The Edit Group pane appears.

3. In the Group Name box, type a name for your dashboard group.

4. In the Dashboards to Include section, select the check box next to any dashboards you want
to add to the dashboard group.

5. Click Save.

Tenable Vulnerability Management adds the dashboard group to the user-created dashboard
list in the Groups panel.

Share a Dashboard Group


In Tenable Vulnerability Management, you can share a user-created dashboard group with other
users or user groups via the Groups panel.

Note: Dashboard groups are not automatically re-shared with a user after they have been updated. For
example:
User A shares a dashboard group with User B. User A then makes a change to the dashboard group. For
User B to see the update, User A must re-share the dashboard group with User B.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to share.

The group and its included dashboards appear.

3. Click Share Group.

The Share Group pane appears.

4. Do one of the following:

l To share the dashboard group with all users, select the All Users check box.

l To share the dashboard group with specific users or user groups, from the drop-down
box, select the users or user groups with which you want to share the dashboard group.

Tip: You can share with multiple users or user groups.

5. Click Share.

A Group shared successfully message appears. Tenable Vulnerability Management shares
the dashboard group with the designated users or user groups and sends an email indicating
that you shared a dashboard with them.

Edit a Dashboard Group


In Tenable Vulnerability Management, you can edit user-created dashboard groups via the Groups
panel.

To edit a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to edit.

The group and its included dashboards appear.

3. Click Edit Group.

The Edit Group pane appears.

4. (Optional) In the Group Name box, edit the name of the dashboard group.

5. (Optional) In the Dashboards to Include section, select or deselect the dashboards that
appear in the dashboard group.

6. Click Save.

Tenable Vulnerability Management saves your changes to the dashboard group.

Delete a Dashboard Group


In Tenable Vulnerability Management, you can delete user-created dashboard groups via the
Groups panel.

To delete a dashboard group:

1. View the Dashboards page.

By default, the Groups panel expands.

2. In the Groups panel, click the user-created dashboard group you want to delete.

The group and its included dashboards appear.

3. Click Delete Group.

A confirmation message appears.

4. Click Delete.

Tenable Vulnerability Management deletes the dashboard group.

Note: Deleting dashboard groups does not delete the dashboards within the group.

Automatically Update Widgets on a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To provide the most up-to-date vulnerability information, Tenable updates or adds new dashboard
widgets when, for example, a new vulnerability is exposed or when Tenable Vulnerability
Management adds a new vulnerability filter. When Tenable updates these widgets, you can view
and automatically update them in one of the following ways:

l Dashboards page — On the Dashboards page, you can update all updated widgets on a
dashboard at one time.

l Dashboard Template Library — When creating a custom dashboard via the Template Library,
you can view new or updated widgets and add them to the custom dashboard.

Note: On predefined dashboard templates, Tenable Vulnerability Management always includes the
most recent version of widgets.

l Widget Library — In the Widget Library, you can view new or updated widgets and add them to
up to ten individual dashboards.

To update widgets automatically via the Dashboards page:


1. View the Dashboards page.

2. In the Groups section, click the Updates Available tab.

A list of dashboards with updated widgets appears.

Note: You can also see dashboards with new and updated widgets on the All tab. These dashboards
appear with a pulsing blue dot next to the dashboard name.

3. Roll over the dashboard for which you want to update widgets.

An overlay of options appears.

4. Click Apply.

An Update Available message appears that describes the updates to the widgets on the
dashboard.

5. Click Update.

An Update Applied Successfully message appears and Tenable Vulnerability Management
updates the widgets on the dashboard.

To update widgets automatically via the dashboard Template Library:

1. View the dashboard Template Library.

2. Click the New and Updated tab.

A list of dashboard templates with new and updated widgets appears.

3. Roll over the dashboard template you want to add.

An overlay of options appears.

4. Click Add.

An Added Dashboard Template to Dashboards message appears, and the dashboard
template with the new or updated widget appears on the Dashboards page.

To update widgets automatically via the Widget Library:


1. View the Widget Library.

2. Click the New and Updated tab.

A list of new and updated widgets appears.

3. Roll over any widget you want to add to a dashboard.

4. Click Add to Dashboards.

The Add to Dashboards plane appears.

5. In the Dashboards drop-down, select the dashboard or dashboards to which you want to add
the new or updated widget.

6. Click Save.

A Successfully Added to Selected Dashboards message appears and Tenable Vulnerability
Management adds the new or updated widget to the selected dashboards.

Edit a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To edit a dashboard:

1. Do one of the following:

• Access the Edit Dashboard page via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Edit.

• Access the Edit Dashboard page via an individual dashboard:

a. View the dashboard you want to edit.

b. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

c. Click Edit dashboard.

The Edit Dashboard page appears.

2. On the Edit Dashboard page, do any of the following:

• Rename the dashboard:

a. Click the name of the dashboard.

The name becomes an editable text box.

b. Type a new name for the dashboard.

c. Click the button to confirm the name change.

Tenable Vulnerability Management saves the name.

• Edit the dashboard description:

a. Click the dashboard description.

The description becomes an editable text box.

b. Type a new description for the dashboard.

• Edit the dashboard filters:

a. In the upper-right corner of the page, click Edit Filter.

The Filter plane appears.

b. Configure your dashboard filters as described in Filter a Dashboard.

• Add widgets to the dashboard:

a. In the upper-right corner of the page, click Add Widgets.

A menu appears.

b. Do one of the following:

• To add a widget from a template, click Template Widget.

The Widgets page appears.

◦ Select the widget as described in Add a Widget to a Dashboard.

• To add a custom widget, click Custom Widget.

The Create Widget page appears.

◦ Configure the custom widget as described in Create a Custom Widget.

• Reorder widgets on the dashboard:

a. Roll over the top of the widget until the move cursor appears.

b. Click and drag the widget to the desired location.

• Resize the widgets on the dashboard:

a. Roll over the lower-right corner of the widget until the resize cursor appears.

b. Click and drag the widget to the desired size.

The widgets shift to accommodate the new widget size.

• Delete the dashboard:

◦ In the lower-left corner of the page, click Delete Dashboard.

Tenable Vulnerability Management removes the dashboard from the Dashboards page.

3. Click Done Editing.

You return to the selected dashboard and Tenable Vulnerability Management applies your
changes. If the dashboard is shared with other users, those users automatically receive the
updated dashboard.

Set a Default Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can set any dashboard as the default dashboard to make it your landing page. If you do not set
a default dashboard, Tenable Vulnerability Management uses the Tenable-provided Vulnerability
Management Overview dashboard as the default.

When you set a dashboard as default, on the Dashboards page, the Default label appears in the
header of the dashboard tile.

Note: If you delete a dashboard set as default, the product Tenable-provided dashboard becomes the
default.

To set a default dashboard:

1. Do one of the following:

• Set a default dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

• Set a default dashboard via an individual dashboard:

a. View the dashboard you want to make the default.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Select Make Default.

A Successfully set as default dashboard confirmation message appears, and Tenable
Vulnerability Management sets the dashboard as the default.

Note: You may have to log out and log back in to see the updated default dashboard.

Rename a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To rename a dashboard:

1. View the dashboard you want to rename.

2. On the dashboard page, roll over the dashboard name.

The name becomes highlighted and shows a button.

3. Click the button or double-click the name.

The name field becomes a text box.

4. Enter a new name for the dashboard.

5. Click the button to confirm the name change.

A confirmation appears at the top of the page.

The new name appears.

Duplicate a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To duplicate a dashboard:

1. Do one of the following:

• To duplicate a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

• To duplicate a dashboard via an individual dashboard:

a. View the dashboard you want to duplicate.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Duplicate.

A Successfully copied the dashboard confirmation message appears, and Tenable
Vulnerability Management copies the dashboard on the Dashboards page.

Filter a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can apply filters at the dashboard level to all widgets within that dashboard.

Note: You can apply configurations to individual widgets. The widget-level configuration takes precedence
over dashboard-level configuration.

To filter a dashboard in the new interface:

1. View the dashboard you want to filter.

2. In the dashboard header, click the More button.

Note: The More button is not available on Tenable-provided dashboards.

A drop-down appears.

3. Click Filter.

The Filter plane appears.

4. In the Select Filter Type drop-down, select the assets you want the dashboard to analyze.
See the following table for options and requirements.

Option: All Assets (Default)
Description: This option includes all the assets in the dashboard.
Requirement: This is the default option and includes all assets in the dashboard. There is
not a requirement for this option.

Option: Target Group
Description: This option only includes assets in a specific target group.
Requirement: An extra field for Select Target Groups appears when you select this option.
Select the desired target group from the drop-down list.

Option: Custom
Description: This option only includes assets with a specific hostname, IP address, FQDN,
or CIDR.
Requirement: A text box appears when you select this option. Enter one or more of the
custom option formats (hostname, IP address, FQDN, or CIDR). Separate multiple items with
commas.

Important: Make sure that the number of IP addresses in your search filter is less than or
equal to 25.

Important: Make sure that the number of Hostnames in your search filter is less than or
equal to 300.

5. Click Apply.

The icon appears in the header of all the dashboard widgets.

6. In the widgets section, roll over the icon to view the added filter.

Note: The following are the filtering limitations for Explore widgets:

• Explore widgets do not support Target Groups.
• Cloud Misconfigurations widgets do not support filtering by IP or hostname.
• Cloud Misconfigurations and Web Application Findings widgets do not support tags.

Note: You can filter only with the tags you can access. You cannot apply tags that you do not have access
to.
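
A pre-check for the comma-separated text entered under the Custom filter option, written as an added Python example that is not part of the Tenable guide or product. The function names are hypothetical and the sample input is constructed; the code assumes that FQDNs count toward the hostname limit and that only literal IP entries (not CIDR ranges) count toward the IP limit, which the guide does not specify.

```python
import ipaddress
import re

MAX_IPS = 25         # guide: IP addresses in the filter must be <= 25
MAX_HOSTNAMES = 300  # guide: hostnames in the filter must be <= 300

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(item):
    """Return 'ip', 'cidr', 'fqdn', 'hostname', or None when malformed."""
    try:
        ipaddress.ip_address(item)
        return "ip"
    except ValueError:
        pass
    if "/" in item:
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/24
            ipaddress.ip_network(item, strict=False)
            return "cidr"
        except ValueError:
            return None
    labels = item.rstrip(".").split(".")
    if len(item) > 253 or not all(_LABEL.match(label) for label in labels):
        return None
    if labels[-1].isdigit():
        # All-numeric last label: treat as a mistyped IPv4 address (10.0.0.300).
        return None
    return "fqdn" if len(labels) > 1 else "hostname"


def check_custom_filter(text):
    """Classify each comma-separated entry and report limit violations.

    Returns (counts, errors). An empty errors list means the string fits
    the formats and limits listed for the Custom option.
    """
    counts = {"ip": 0, "cidr": 0, "fqdn": 0, "hostname": 0}
    errors = []
    for raw in text.split(","):
        item = raw.strip()
        kind = classify(item)
        if kind is None:
            errors.append(f"unrecognized entry: {item!r}")
        else:
            counts[kind] += 1
    if counts["ip"] > MAX_IPS:
        errors.append(f"{counts['ip']} IP addresses exceeds the limit of {MAX_IPS}")
    # Assumption: FQDNs and short hostnames share the hostname limit.
    names = counts["fqdn"] + counts["hostname"]
    if names > MAX_HOSTNAMES:
        errors.append(f"{names} hostnames exceeds the limit of {MAX_HOSTNAMES}")
    return counts, errors


# Constructed sample input using documentation-reserved addresses and names.
SAMPLE = "web01, 192.0.2.10, app.example.com, 198.51.100.0/24, 2001:db8::1"

if __name__ == "__main__":
    print(check_custom_filter(SAMPLE))
```
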

Filter a Dashboard by Time

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can filter a dashboard to show only vulnerabilities within a specific timeframe — in hours, days,
months, or years. Filters are available only for custom dashboards or dashboards created using the
template library.

Note: The filter by time option is available only for Explore dashboards and Explore widgets.

To filter a dashboard by a specific timeframe:

1. View the dashboard you want to filter.

2. To filter your dashboard data for a specific timeframe, do one of the following:

• In the All drop-down box, select the required timeframe: All, 7 days ago, 14 days ago,
30 days ago, 60 days ago, 90 days ago.

• For a custom timeframe, in the Last Seen box, type the value to view the data within the
last number of days, hours, years, or months.

Tenable Vulnerability Management displays the vulnerabilities for the selected timeframe on
the dashboard.

Share a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, Administrator, or Custom Role with appropriate privileges

Tenable Vulnerability Management users can share a dashboard with one or more users, or one or
more user groups. Shared dashboards appear automatically for the users or groups with which they
are shared. Additionally, when you update a shared dashboard, the users with which it is shared
automatically receive the updated dashboard.

Note: You cannot edit dashboards that are shared with you. You can, however, duplicate or delete a
dashboard that is shared with you.

Note: Shared content may appear differently to the users with which it is shared based on the access group
to which they belong.

To share a dashboard:

1. Do one of the following:

• To share a dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

A drop-down list appears.

c. Click Share.

• To share a dashboard via an individual dashboard:

a. View the dashboard you want to share.

b. In the upper-right corner, click Share.

The Share panel appears.

2. Do one of the following:

• To share the dashboard with all users, select the All Users check box.

• To share the dashboard with specific users or user groups, from the drop-down box,
select the users or user groups with which you want to share the dashboard.

Tip: You can share with multiple users or user groups.

3. Click Share.

A Dashboard shared successfully message appears. Tenable Vulnerability Management
shares the dashboard with the designated users or user groups and sends an email indicating
that a dashboard has been shared with them.

Manage Dashboard Exports

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

With the export feature, you can export dashboard data in CSV, PDF, and detailed PDF formats.
You can create dashboard exports on demand or schedule automated exports to specified
recipients.

You can also manage your dashboard exports. You can download them, view your export history,
delete your exports, or delete their configuration.

Note: While you cannot export the Vulnerability Management Overview and Asset View dashboards, you
can export their associated landing pages, or export individual widgets on those dashboards. For more
information, see Export a Full Dashboard Landing Page and Export an Individual Dashboard Widget.

Export a Dashboard

To export a dashboard in CSV format:

1. Do one of the following:

• Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to CSV.

• Export the dashboard while viewing the individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click CSV.

An Export in Progress confirmation message appears.

The export request and status appear in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To export a dashboard in PDF format:


You can use the Export PDF feature to share customized dashboards externally. The exported
PDF is a generated report of the selected dashboard.

To export a PDF:

1. Do one of the following:

• Export the dashboard via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export to PDF or, where available, Export to PDF - Detailed.

Note: By default, the following dashboards support PDF-Detailed exports:

◦ Executive Summary
◦ Exploitable by Malware
◦ Exploitable Framework Analysis
◦ Measuring Vulnerability Management
◦ Mitigation Summary
◦ Outstanding Remediation Tracking
◦ Prioritize Assets
◦ Vulnerabilities by Common Ports
◦ Vulnerability Management
◦ Web Services

• Export the dashboard via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. Click PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information that is included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

An Export in Progress confirmation message appears.

The export request and status appear in the Downloads section on the Exports plane.

When the export completes, Tenable Vulnerability Management downloads the export file to
your computer. Depending on your browser settings, your browser may notify you that the
download is complete.

To schedule a dashboard export:


The Schedule Export option allows you to export a dashboard at specified times.

To schedule an export:

1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Schedule Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard you want to export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. Do one of the following:

• If you have never exported and/or scheduled an export for the dashboard, the Schedule
options automatically appear.

• If you have already exported the dashboard, in the Schedule section, click Add New.

The Schedule options appear.

• If you have already scheduled an export for the dashboard, you cannot create another
one. You must first cancel the scheduled dashboard export.

3. Select CSV, PDF or, where available, PDF - Detailed.

Note: The PDF report contains the displayed information for the selected dashboard. The
information that you see on the screen is the information included in the report.

The PDF - Detailed report has in-depth information, including vulnerability details, that goes beyond
the items displayed.

Note: If you select PDF - Detailed and there are user-created filters applied to one or more widgets
on the dashboard, a Confirm Export message appears indicating that Tenable Vulnerability
Management does not apply user-created filters to any additional chapters. Click Confirm to continue
with the export.

4. In the Schedule section, set the following parameters:

Option: Name
Description: A name for the scheduled export.

Option: Start Date and Time
Description: The date and time that you want the export to begin.

Option: Repeat
Description: The frequency that you want Tenable Vulnerability Management to send the export:

• Daily — The export occurs daily at the time specified.

• Weekly — The export occurs every week on the same day at the time specified (for example,
Weekly on Tuesday).

• Monthly — The export occurs once a month on the day of the week and time specified (for
example, Monthly on Last Tuesday).

• Custom — The export occurs at a custom interval. If you select Custom, more options appear:

a. In the Repeat Every section, in the drop-down, select how often you want the export to
repeat. For example, if you want the export to repeat every 2 days, then in the first
drop-down box, select 2 and in the second drop-down box, select Days.

• Does not Repeat — The export does not repeat.

Option: Password Protection
Description: Specifies the export as encrypted or unencrypted.

If you toggle this option on, an Encryption Password box appears. Type the password you want
to use to encrypt the export file.

Note: Once you save the scheduled export, you cannot edit the Encryption Password. Instead,
you must create a copy of the dashboard, create a scheduled export, and then select the
desired password.

Option: Add Recipients
Description: (Optional) The email address for the person that receives the report. You can
specify multiple email addresses as a comma-separated list.

5. Click Schedule.

The scheduled export appears in the Schedule Export plane.

Download a Dashboard Export

To download a dashboard export:

1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard with the export you want to download.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, next to the export download you want to download, click the
button.

Tenable Vulnerability Management downloads the export file to your computer.

View Dashboard Export History

To view dashboard export history:


1. View the dashboard for which you want to view export history.

2. In the upper-right corner, click Export.

A drop-down list appears.

3. In the drop-down list, click History.

The Export History plane appears.


On the Export History plane, you can view:

• The schedule for the dashboard export.

• Available downloads of previous dashboard exports.

You cannot access the Export History plane if the dashboard has not yet been exported.

Delete a Dashboard Export Download

To delete a dashboard export download:


1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete an export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Downloads section, roll over the export download you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Delete.

A Download deleted successfully message appears and Tenable Vulnerability Management
removes the export download from the Schedule Export plane.

Delete a Dashboard Export Configuration

To delete a dashboard export configuration:

1. Do one of the following:

• Access the Schedule Export plane via the Dashboards page:

a. View the Dashboards page.

b. In the dashboard header, click the button.

A drop-down list appears.

c. Click Export.

• Access the Schedule Export plane via an individual dashboard:

a. View the dashboard for which you want to delete a scheduled export.

b. In the upper-right corner, click Export.

A drop-down list appears.

c. From the drop-down list, click Schedule.

The Schedule Export plane appears.

2. In the Schedule section, roll over the scheduled export configuration you want to delete.

3. Click the button.

A Confirm Deletion message appears.

4. Click Confirm.

A Successfully deleted export configuration message appears and Tenable Vulnerability
Management removes the export configuration from the Schedule section of the Schedule
Export plane.

Delete a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Note: In Tenable Vulnerability Management, you can only delete custom dashboards. You cannot delete
Tenable-Provided Dashboards.

To delete a dashboard:

1. Do one of the following:

• Delete a dashboard from the Dashboards page:

a. View the Dashboards page.

b. In the dashboard tile header, click the button.

• Delete a dashboard from the individual dashboard:

a. View the dashboard page you want to delete.

b. In the dashboard header, click the More button.

A drop-down list appears.

2. Click Delete.

A Confirm Deletion confirmation message appears.

3. Click Delete.

A Successfully deleted the dashboard confirmation message appears and Tenable
Vulnerability Management removes the dashboard from the Dashboards page.

Manage Widgets
You can use the widget library to create and edit widgets to use across your dashboards.

To manage widgets in the widget library:


• View the Widget Library

• Create a Custom Widget

• Edit a Custom Widget

• Add a Widget to a Dashboard

On your dashboards, you can further configure widgets to modify your dashboards.

To manage widgets on a dashboard:

• Configure a Widget

• Duplicate a Widget

• Rename a Widget

• Delete a Widget from a Dashboard

View the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

The widget library provides a selection of Tenable-provided widgets to add to your template-based
or custom dashboard.

Note: The Tenable-provided Vulnerability Trending widget is not available in the widget library. All other
Tenable-provided widgets appear in the widget library.

To view the widget library:

1. View the Dashboards page.

2. In the upper-right corner of the page, click the Widget Library button.

The Widgets page appears.

3. (Optional) In the upper-left corner of the page, click the tab for the dashboard widgets you want
to view. For example, if you want to view only widgets associated with Tenable Vulnerability
Management, click the Vulnerability Management tab.

Note: The tabs that appear on the Widgets page depend on the licenses (for example, Tenable
Lumin, Tenable Web App Scanning) you have enabled in Tenable Vulnerability Management.

On the Widgets page you can:

• Sort the Widgets page:

a. In the upper-right corner of the page, click the button in the drop-down box.

b. Select the criteria by which you want to sort the widgets page.

• In the upper-left corner, use the Search bar to search for specific widgets.

• Click the New and Updated tab to view dashboard widgets that are eligible for auto-update.

• Add the widget to a dashboard.

• Delete a widget from the widget library.

Delete a Widget from the Widget Library

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Note: You can only delete custom widgets. You cannot delete pre-configured Tenable Vulnerability
Management widgets.

To delete a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the header of the widget you want to delete, click the button.

A drop-down menu appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Vulnerability Management removes the widget from the widget plane, and a message
confirming the deletion appears at the top of the plane.

Create a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

In Tenable Vulnerability Management, you can create custom widgets to add to dashboards you
define, giving you custom views of your data.

To create a custom widget:

1. Do one of the following:

• Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click New Custom Widget.

The Create Custom Widget page appears.

• Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click New Custom Widget.

The Create Custom Widget page appears.

2. Under Chart Type, choose an option:

• Bar

• Column

• Doughnut

• Matrix

• Multi-series Bar

• Multi-series Column

• Stacked Bar

• Stacked Column

• Table

3. In the Data Set drop-down, select the type of information Tenable Vulnerability Management
uses to update the widget:

• Vulnerabilities

• Assets

Note: If you selected ring chart or bar chart in the charts section, selecting the Assets dataset
resets the chart selection to a table.

The chart type, Data Grouping, and Display Fields options update based on your selection.

4. In the Group By drop-down box, select how you want to group the data:

• By Plugin (Vulnerabilities dataset only)

• By Asset (Vulnerabilities dataset only)

• By CVE (Vulnerabilities dataset only)

• Asset List (Assets dataset only)

5. (Optional) To filter the widget data using filters:

a. Click the button to expand the filter options.

b. In the drop-down box, select category, operator, and value types.

c. (Optional) Click the Add button to specify more filters.

Note: Some filters are unsupported by certain Group By options in specific environments and you
will not be able to select them. Please contact the Tenable support team in these cases.

Note: If you previously created a tag, it appears in the custom widget's list of filters.

Note: If you exceed the current asset query limitation of 5,000, a message appears in your interface.
Refine the query to a smaller set of asset tags.

Note: Tenable Vulnerability Management does not currently support tag filters in exports.

6. (Optional) To filter the widget data using an existing saved search, in the Saved Searches
drop-down box, select the saved search you want to use to filter your widget data.

Note: If you do not have any saved searches, this option does not appear. To create a new saved
search, see Saved Search.

7. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

8. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the description hover text updates
automatically.

9. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

10. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Create a Custom Widget for Explore Dashboards

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, Administrator, or Custom Role with appropriate privileges

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can use the custom widget option to create uniquely defined widgets, which you can then add to
any user-defined Explore dashboards. You can create custom widgets with vulnerabilities and
assets data. Vulnerabilities can include host vulnerabilities, Tenable Web App Scanning
vulnerabilities, and vulnerabilities from Legacy Tenable Cloud Security. Adding a mix of these
custom widgets to your dashboard provides you with a holistic view of the vulnerability environment.

You can drill down from the custom widgets to the Findings and Assets pages.

To create a custom widget:

1. Do one of the following:

• Create a custom widget via the widget library:

a. View the widget library.

b. In the upper-right corner of the page, click the New Custom Widget button.

The Create Custom Widget page appears.

• Create a custom widget while editing a dashboard:

a. Edit a dashboard.

b. In the upper-right corner of the page, click Add Widgets.

A menu appears.

c. Click Custom Widget.

The Create Custom Widget page appears.

2. In the Chart Type section, select the chart type for your custom widget:

• Chart types for findings:

◦ Bar

◦ Column

◦ Doughnut

◦ Matrix

◦ Multi-series Bar

◦ Multi-series Column

◦ Stacked Bar

◦ Stacked Column

◦ Table

• Chart types for assets:

◦ Bar

◦ Column

◦ Doughnut

◦ Table

3. In the Name box, type a name for the custom widget.

In the Widget Preview, the title updates automatically.

4. (Optional) In the Description box, type a description for the custom widget.

In the Widget Preview, the icon appears and the contextual description updates
automatically.

5. In the Data Set drop-down box, select the type of information Tenable Vulnerability
Management uses to update the widget:

l Findings

l Assets

The Chart Type, Group By, and Sort Fields options update based on your selection.

If you selected Findings, provide the following details:

a. In the Entity drop-down box, select the type of vulnerability for which you want to create
a widget. You can select from the following:

• Host Audits — Includes host vulnerabilities.

• Vulnerabilities — Includes the list of findings.

• Web Application Findings — Includes vulnerabilities from Tenable Web App Scanning.

• Cloud Misconfigurations — Includes vulnerabilities from Legacy Tenable Cloud Security.

b. In the Limit box, enter the number of records you want to show on the widget. Type a
number between 1 and 200.

c. In the Group By drop-down box, select how you want to group the data. The values in the
Group By drop-down change based on the Entity you select.

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to
group vulnerabilities. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and
Stacked Column chart types, you must select two options for grouping vulnerabilities.

For more information about all filters, see Findings Filters.

d. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart
type, you can select from multiple options.

e. In the Sort Fields drop-down box, select how you want to sort the data on the widget. You
can sort by one of these options:

• Count

• Value in Group By

f. In the Sort Order drop-down box, select whether you want the sort in ascending or
descending order.

If you selected Assets, provide the following details:

a. In the Limit box, enter the number of records you want to show on the widget. Type a
number between 1 and 200.

b. In the Group By drop-down box, select how you want to group the data:

• System Type

• Name

• Operating System

• SSH Fingerprint

• Fully Qualified Domain

• Mac Addresses

• Asset Types

Note: For Bar, Column, Doughnut, and Table chart types, you can select only one option to
group assets. For Matrix, Multi-series Bar, Multi-series Column, Stacked Bar, and Stacked
Column chart types, you must select two options for grouping assets.

c. In the Stats drop-down box, select the statistics you want to show on the widget.

For all chart types except Table, count is the default statistic option. For the Table chart
type, you can select from multiple options.

6. For each filter you want to use, do the following:

Note: Tenable recommends that you use simple instead of complex queries or one level of nested
filters when creating your custom widgets. Widgets can only have a maximum of one level of nested
filters, provided no additional context filters are applied when the widgets are added to the
dashboards. An example of a query with one level of nesting:
(CVSSv3 Base Score is greater than 8.9 OR VPR is greater than 8.9) AND State is
not equal to Fixed

a. Click Select Filters.

The Select Filters drop-down box appears.

b. Click the filter you want to apply.

The filter appears in the box.

c. In the filter, click the ˅ button.

A list of filter value and operator options appears.

d. In the first drop-down box, select the operator you want to apply to the filter.

e. In the second drop-down box, select one or more values to apply to the filter.

f. Select Match All from the drop-down box. By default, Tenable Vulnerability Management
sets the filter to Match All.

7. Click Update Preview to update the widget preview.

Note: While Name, Description, and the chart type all update in the widget preview automatically, all
other configuration options refresh after you click Update Preview.

8. Click Save and Exit.

Tenable Vulnerability Management saves the custom widget to the widget library, and you can
add the widget to any user-defined dashboards.

Edit a Custom Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Note: You cannot edit Tenable-provided widgets.

To edit a custom widget:

1. View the widget library.

2. Click the My Widgets tab.

All user-created widgets appear.

3. In the upper-right corner of the widget you want to edit, click the button.

A menu appears.

4. Click Edit.

The widget options appear.

5. Edit the widget options.

6. Click Save and Exit.

A confirmation appears.

Note: A custom widget that was previously included in dashboards before you edited the widget does not
update to reflect your edits. To include the edited widget, you must add the widget again as described in
Add a Widget to a Dashboard.

Add a Widget to a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Use the following steps to add a widget to your template-based and custom dashboards.

You can add custom widgets, widgets from Tenable-provided dashboards, and other general
purpose Tenable-provided widgets.

To add a widget to a dashboard:

Note: These steps describe how to add a template widget to a dashboard. See custom widgets for
information on how to create custom widgets and add them to your dashboard.

1. View the widget library.

2. For each widget you want to add:

a. Do one of the following:

• Scroll through the list of widgets.

• Use the Search box to find a specific widget.

Tip: You can hover over a widget tile for brief descriptions of each widget. For detailed
descriptions about widgets originating from Tenable-provided dashboards, see Tenable-
Provided Dashboards.

b. Roll over the widget you want to add.

The Add to Dashboards button appears.

c. Click Add to Dashboards.

The Add to Dashboards plane appears.

d. In the Dashboards drop-down box, select the dashboard or dashboards to which you
want to add the widget.

e. Click Save.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard or dashboards.

f. Click Add.

Tenable Vulnerability Management adds the widget to the bottom of the appropriate
dashboard.

3. Click Done.

You return to the Dashboards page.

Configure a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To configure a widget:

1. View the dashboard page that contains the widget you want to configure.

2. In the upper-right corner of the widget you want to change, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. On the widget summary plane, do any of the following:

• Rename the widget:

  a. Do one of the following:

     • Click the name of the widget.

     • In the widget summary plane, roll over the widget name and click the
       button.

     The name field becomes an editable text box.

  b. Type a new name for the widget.

  c. Click the button to confirm the name change.

     A confirmation message appears at the top of the page, and the new name
     appears in the widget header.

• Edit the widget description:

  a. Do one of the following:

     • Click the widget description.

     • In the widget summary plane, roll over the widget description and click the
       button.

     The description field becomes an editable text box.

  b. Type a new description for the widget.

  c. Click the button to confirm the change.

     A confirmation message appears at the top of the page, and the new description
     appears in the widget header.

• Duplicate the widget:

  o In the Actions row, click the button.

    A confirmation message appears and Tenable Vulnerability Management adds the
    duplicated widget to the dashboard.

• Delete the widget from the dashboard:

  a. In the Actions row, click the button.

     A Confirm Deletion message appears.

  b. Click Delete.

     A confirmation message appears and Tenable Vulnerability Management removes
     the dashboard from the Dashboards page.

• Apply filters to the widget:

Option: All Assets (Default)
Description: This option includes all the assets in the dashboard.
Requirement: This is the default option and includes all assets in the dashboard. There is not a
requirement for this option.

Option: Custom
Description: This option only includes assets with a specific hostname, IP address, FQDN, or CIDR.
Requirement: When you select this option, a text box appears. Enter one or more of the custom option
formats (hostname, IP address, FQDN, or CIDR). You must separate multiple items with a comma.

Option: Tags
Description: This option uses tags to filter asset results or vulnerability results.
Note: Because the ACR Widget uses Tenable Lumin data, this widget does not support filtering by tag.
Requirement: When you select this option, a drop-down box appears. Select or type the tag name by
which you want to filter results. Tenable Vulnerability Management filters the results by the
selected tags.
Note: Tenable Vulnerability Management supports a maximum of 100 filters.

Note: Once you apply a filter to a widget, a icon appears in the widget header. Roll over the
icon to view the applied filter.

5. Click Apply.

A confirmation message appears and Tenable Vulnerability Management applies your
changes to the widget.

Duplicate a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To duplicate a widget:

1. View the dashboard page that contains the widget you want to duplicate.

2. In the upper-right corner of the widget you want to duplicate, click the button.

A menu appears.

3. Click Duplicate.

The duplicated widget appears at the bottom of the page.

4. (Optional) Change the name of the widget.

5. (Optional) Reorder the widget sections.

Rename a Widget

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To rename a widget:

1. View the dashboard page that contains the widget you want to change.

2. In the upper-right corner of the widget you want to rename, click the button.

A menu appears.

3. Click Configure.

The widget summary plane appears.

4. In the widget summary plane, roll over the widget name.

The button appears next to the name.

5. Click the button or double-click the name.

The name field becomes an editable text box.

6. Type a new name for the widget.

7. Click the button to confirm the name change.

A confirmation message appears at the top of the page.

The new name appears in the widget header.

Delete a Widget from a Dashboard

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

To remove a widget from a dashboard:

1. View the dashboard page that contains the widget you want to remove.

2. In the upper-right corner of the widget you want to remove, click the button.

A menu appears.

3. Click Delete.

Tenable Vulnerability Management prompts you to confirm the removal.

4. Click Delete.

A confirmation message appears at the top of the page.

Tenable Vulnerability Management removes the widget from the dashboard. Remaining
widgets adjust to fill the new space.

Scans
You can create, configure, and manage scans in Tenable Vulnerability Management.

Section Description

Manage Scans
Create, import, and launch scans. View and manage scans and scan results.

Scans (Unified Configuration) Overview
Create, launch, and manage Tenable Vulnerability Management and Tenable Web App Scanning scans in
the Tenable Vulnerability Management unified user interface.

Scan Templates and Settings
Use a Tenable-provided scanner template, agent template or a user-defined template to configure scan
settings.

Sensors
Link your sensors, such as Tenable Nessus scanners, Tenable Agents, and Tenable Network Monitors, to
Tenable Vulnerability Management.

Note: For information about scanning in Tenable Web App Scanning, see the Tenable Web App Scanning
Getting Started Guide.

Manage Scans
To manage your Tenable Vulnerability Management and Tenable Web App Scanning scans in the
unified Scans user interface, see Scans Overview.

To manage your Tenable Web App Scanning scans in Tenable Web App Scanning, see the Tenable
Web App Scanning Getting Started Guide.

Scans Overview
The Scans page allows you to create, launch, and configure Tenable Vulnerability Management
scans and Tenable Web App Scanning scans.

Tip: Before you begin, check out the Tenable Vulnerability Management scan limitations.

Caution: Tenable occasionally performs maintenance on Tenable Vulnerability Management. To avoid
performance issues, Tenable recommends not running or scheduling scans during maintenance windows.
For current maintenance status and updates, see the Tenable Status page.

Create a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

In Tenable Vulnerability Management, you can create scans using scan templates. For general
information about templates and settings, see Scan Templates and Settings.

When you create a scan, Tenable Vulnerability Management assigns you owner permissions for the
scan.

Tip: To quickly target specific vulnerabilities that previous scans have identified on your assets, create a
Tenable Vulnerability Management remediation scan.

Note: If you are scanning a Linux machine with Tenable Vulnerability Management, the Linux machine's
shell configuration file must have a PS1 variable of four or more characters (for example,
PS1='\u@\h:~\$ '). Having a PS1 variable of less than four characters (for example, PS1='\$ ') can
drastically increase the overall scan time.

Caution: Tenable occasionally performs maintenance on Tenable Vulnerability Management. To avoid
performance issues, Tenable recommends not running or scheduling scans during maintenance windows.
For current maintenance status and updates, see the Tenable Status page.

Before you begin:


• Review the Tenable Vulnerability Management scan limitations.

• If you want to create a scan from a user-defined template, create a user-defined template as
  described in Create a User-Defined Template.

• Create an access group for any targets you want to use in the scan and assign Can Scan
  permissions to the appropriate users.

To create a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

This also determines whether you are creating a Tenable Vulnerability Management or
Tenable Web App Scanning scan.

3. In the upper-right corner of the page, click the Create a Scan button.

The Select a Scan Template page appears.

4. Do one of the following:

• If you are creating a Tenable Vulnerability Management scan, use the following
  procedure:

a. Click the Nessus Scanner, Nessus Agent, or User Defined tab to view available
templates for your scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings
Configure the settings available in the scan template.

• Basic Settings — Specifies the organizational and security-related aspects of a scan
  template. This includes specifying the name of the scan, its targets, whether you want to
  schedule the scan, and who has permissions for the scan.

• Discovery Settings — Specifies how a scan performs discovery and port scanning.

• Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what
  vulnerabilities are identified. This includes identifying malware, assessing the
  vulnerability of a system to brute force attacks, and the susceptibility of web
  applications.

• Report Settings — Specifies whether the scan generates a report.

• Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed scan.

Compliance/SCAP
Specify the platforms you want to audit. Tenable, Inc. provides best practice audits for each
platform. Additionally, you can upload a custom audit file.

Plugins
Select security checks by plugin family or individual plugin.

d. Do one of the following:

• If you want to save without launching the scan, click Save.

  Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

  Note: If you scheduled the scan to run at a later time, the Save & Launch option is
  not available.

  Note: If you are editing an imported scan, the Save & Launch option is not
  available.

  Tenable Vulnerability Management saves and launches the scan.

• If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Click the Web Application or User Defined tab to view available templates for your
scan.

The tab appears.

Note: Users with Scan Operator permissions can see and use only the user-defined
templates shared with their account.

b. Click the tile for the template you want to use for your scan.

The Create a Scan page appears.

c. Configure the scan:

Tab Action

Settings
Configure the settings available in the scan template. For more information, see Basic Settings in
Tenable Web App Scanning Scans.

Scope
Specify the URLs and file types that you want to include in or exclude from your scan. For more
information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment
Specify how a scan identifies vulnerabilities and what vulnerabilities the scan identifies. This
includes identifying malware, assessing the vulnerability of a system to brute force attacks, and
the susceptibility of web applications. For more information, see Assessment Settings in Tenable
Web App Scanning Scans.

Advanced
Specify advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed scan.

Plugins
Select security checks by plugin family or individual plugin.

d. Do one of the following:

• If you want to save without launching the scan, click Save.

  Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

  Note: If you scheduled the scan to run at a later time, the Save & Launch option is
  not available.

  Note: If you are editing an imported scan, the Save & Launch option is not
  available.

  Tenable Vulnerability Management saves and launches the scan.

View Scans

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

You can view configured and imported scans. If you have appropriate permissions, you can also
perform actions to manage the scans.

Note: You can export the archived scan results, but you cannot view them in Tenable Vulnerability
Management. This limitation applies to both imported scan results and scan results that Tenable
Vulnerability Management collects directly from scanners. After 15 months, Tenable Vulnerability
Management removes the scan data entirely.

Before you begin:

• Create or import one or more scans.

To view scans in the Scans section:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. Do any of the following:

Section Action

Search box
Search the table by scan name or status. For more information, see Tables.

Filter
Filter the table with Tenable-provided scan filters.

Create Scan button
In the upper-right corner, click the Create Scan button to create a new scan.

Tools button
In the upper-right corner, click the Tools button. A menu appears with the following options:

• Import Scan (Tenable Vulnerability Management scans only)

• Manage Sensors

• Manage Credentials

• Manage Exclusions

Scans table
• View summary information about each scan:

  • Name — The scan name.

    If you have assigned permissions for the scan to other users,
    the label Shared appears next to the scan name.

  • Schedule — The scan schedule.

  • Last Modified — (Tenable Web App Scanning scans only) The date and time the scan was
    last modified.

  • Last Run — The date and time the scan was last run.

  • Status — The status of the scan.

• Sort, increase or decrease the number of rows per page, or navigate to another page of the
  table. For more information, see Tables.

• View details for a scan.

• Launch a scan.

• Change the read status for a scan.

• Export scan results.

• Move a scan to the trash.

• Delete a scan permanently.

• Move a scan to a different folder.

View Scan Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

You can view scan results for scans you own and scans that were shared with you.

Consider the following when viewing scan results:

• You can view details for an individual scan based on the permissions configured for the scan.
  However, when you view aggregated scan results in dashboards and other analysis views (for
  example, the Vulnerabilities or Assets tables), your access is based on the access groups
  you belong to.

• You can export the archived scan results, but you cannot view them in Tenable Vulnerability
  Management. This limitation applies to both imported scan results and scan results that
  Tenable Vulnerability Management collects directly from scanners. After 15 months, Tenable
  Vulnerability Management removes the scan data entirely.

• When you view results from the latest run of the scan, Tenable Vulnerability Management
  categorizes the scan as Read. The Read status is specific to your user account only. You can
  also manually change the read status.

• Tenable Vulnerability Management retains scan data for 15 months. If you want to store scan
  data for longer than 15 months, you can export the scan data for storage outside of Tenable
  Vulnerability Management.

• You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

To view scan details for an individual scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scan table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

5. Do any of the following:

Section Action

Scan Actions menu
• Launch a scan.

• Edit a scan configuration.

• Export scan results.

• Move a scan to a different folder.

• Change the read status for a scan.

• Delete a scan permanently.

• Copy a scan.

• Move a scan to the trash.

See All Details button
Click the See All Details button to open the Scan Details page and view the scan's vulnerabilities
and affected assets, target information, and scan history. You can also use the Scan Details page
to export the scan, edit the scan configuration, move the scan to the trash folder, and submit the
scan for PCI validation.

The scan details page includes the following features and information:

Page header
• (Rollover scans only) Download a list of a rollover scan's remaining targets.

• Export the currently visible scan results.

• Edit the scan configuration.

• Move a scan to the trash folder.

Severity summaries
The number of vulnerabilities with a Critical, High, Medium, and Low severity in the scan results.

Details section
View details about the scan run:

• Status — The status of the scan.

• Start Time — The start date and time for the scan.

• Template — The Tenable-provided template on which the scan configuration is based.

• Scanner — The scanner that performed the scan.

• Scanner Groups — The scanner group or groups to which Tenable Vulnerability Management
  assigned the scan. This detail appears only if scan routing is enabled for the scan.

• Targets — The targets that the scan evaluated.

Vulns by Plugin tab
View the vulnerabilities in the scan results, organized by plugin.

Note: This tab does not appear for scan results older than 35 days.

Note: When you view scan results of a plugin that has multiple CVEs, one scan result row appears
for that plugin in the Vulns by Plugin table. However, if you export that plugin's scan results in
a CSV file, Tenable Vulnerability Management generates one row of scan results per CVE.

• View information about each vulnerability:

  • Severity icon — The severity of the vulnerability.

  • Name — The name of the plugin that identified the vulnerability.

  • Family — The family of the plugin that identified the vulnerability.

  • Instances — The number of vulnerability instances.

    Tip: A vulnerability instance is a single instance of a vulnerability appearing on an
    asset, identified uniquely by plugin ID, port, and protocol.

• To filter the data displayed in the table, see Filter a Table.

• To sort, increase or decrease the number of rows per page, or navigate to another page of the
  table, see Tables.

• To view details for a vulnerability, click a row of the table.

  The Vulnerability Details page appears. For more information, see Vulnerability Details.

Vulns by Asset tab
View the vulnerabilities in the scan results, organized by asset. By default, assets in the table
are sorted by decreasing number of vulnerabilities, then by decreasing severity.

Tip: This tab does not appear for scan results older than 35 days.

• View information about each vulnerability:

  • Assets — The asset identifier. Tenable Vulnerability Management assigns this identifier
    based on the presence of certain asset attributes in the following order:

    o Agent Name (if agent-scanned)
    o NetBIOS Name
    o FQDN
    o IPv4 address

    For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the
    NetBIOS name appears as the Asset Name.

  • Vulnerabilities — A visual summary of the vulnerabilities on the asset, organized by
    severity.

  • Vuln Count — The total number of vulnerabilities on the asset.

  • Critical — The total number of vulnerabilities on the asset with a critical severity.

  • High — The total number of vulnerabilities on the asset with a high severity.

  • Audits — A visual summary of the audits on the vulnerability, organized by severity.

  • Audit Count — The total number of audits on the asset.

• To filter the data displayed in the table, see Filter a Table.

• To sort, increase or decrease the number of rows per page, or navigate to another page of the
  table, see Tables.

• To view details for an asset, click a row of the table.

  The Asset Details page appears. For more information, see View Legacy Workbench Asset
  Details.

Audit tab
View compliance audit check results. This tab only appears if the scan results include data from
compliance audit checks.

Tip: This tab does not appear for scan results older than 35 days.

On this tab, you can view:

• View tiles representing the number of audit checks identified the last time the scan was
  completed organized by severity level.

• View a table of audits detected during the scan. Each row represents a specific audit, and
  includes the following information:

  o Status — The status of the audit, for example Passed, Warning, or Failed.
  o Name — The name of the compliance check.
  o Family — The compliance check family to which the audit belongs.
  o Count — The number of times the audit was identified.

• To view additional information about a specific audit check, click a row in the audits table.

  The Audit Details page appears.

  • Overview — Information about the audit check, including a description of the check
    and the audit file used for the check.

  • Assets — A list of assets where the scan performed the audit check.

Summary tab
(Rule-based scans only) Shows the scan's description,
triggers, an explanation of rule-based scanning, and a
link to the vulnerabilities workbench.

Warnings tab
View warnings about problems Tenable Vulnerability
Management or the scanner encountered while
running the scan. This tab only appears if Tenable
Vulnerability Management or the scanner encountered
an issue while running the scan. This tab does not
appear for scan results older than 35 days.

Review the warnings to determine how to resolve the scan problem. For example, if an Invalid Target
note is present, check the target parameters in the scan configuration.

Tip: In the scan warnings table header, click Download All Warnings to download a JSON file of all
the scan result's warnings. The button is not shown if the scan was archived.

Remediations tab
View remediation details.

Note: The Remediation tab only appears if there are known remediations for the scan.

This tab contains a table listing each remediation action. On this tab, you can view:

• Vulnerabilities — The number of vulnerabilities resolved by the recommended remediation.

• Assets — The number of assets scanned.

History tab
View the scan history.

This tab contains a table listing each time the scan has run. For the scan run currently
displaying in the Scan Details page, Tenable Vulnerability Management adds the label Current to the
run. By default, the latest scan run is labeled Current.

Note: Scan history is unavailable for imported scans, configured scans that have not yet run, and
triggered scans.

Note: Tenable Vulnerability Management retains scan data for 15 months. If you want to store scan
data for longer than 15 months, you can export the scan data for storage outside of Tenable
Vulnerability Management.
An exception to this is that Tenable Vulnerability Management only retains up to 15 triggered scan
histories at a time for each scan, showing a scan history entry for each 12-hour window of the past
seven days.

On this tab, you can:

• View summary information about each time the scan was run:

  • Start Time — The start date and time for the scan.

  • End Time — The end date and time for the scan.

  • Duration — The duration of the scan.

  • Status — The status of the scan.

• Filter the data displayed in the table.

• Sort, increase or decrease the number of rows per page, or navigate to another page of the
  table. For more information, see Tables.

• View details for a historical scan by clicking a row in the table.

  Tenable Vulnerability Management marks the run you selected as Current and updates the Scan
  Details section to show data for the selected run.

  If the historical scan results are younger than 35 days, Tenable Vulnerability Management also
  updates the tabs on the Scan Details page.

  If the historical scan results are older than 35 days, the additional tabs are absent from the
  Scan Details page. Use export instead to obtain the results.

Activity section
A history of the scan's activity.

In this section, you can view the date and time when the scan Started, Completed, and when it was
Modified, Canceled, or manually Aborted.

Vulnerabilities by Severity/VPR Breakdown section
The number of vulnerabilities with a Critical, High, Medium, and Low severity in the scan results.

Scan Duration section
The amount of time elapsed between the start and end of the scan.

Targets section
The number of targets scanned.

Type section
The scan type.

Template section
The scan template used.

Schedule section
The scan schedule.

View Scan Vulnerability Details

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

You can view a scan's vulnerability details by plugin or by asset (Tenable Vulnerability Management
scans only) from the Scans section.

To view a scan's vulnerability details from the Scans section:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, click the scan where you want to view details.

The scan details plane appears below the scan table. By default, this plane shows details for
the latest run of the scan.

5. In the scan details plane, click the See All Details button.

The Scan Details page appears. The Vulns by Plugin tab shows by default.

6. If you would rather view vulnerabilities by the affected asset, click the Vulns by Asset tab.

The vulnerabilities by asset table appears.

Note: You can view a maximum of 5,000 rows at a time in the Vulns by Asset table.

7. From either the Vulns by Plugin tab or the Vulns by Asset tab, do one of the following:

• Filter the plugins table by vulnerability attributes.

• Search the plugins table.

• View the number of plugin results, next to the Search box.

• On the Vulns by Plugin tab, click a vulnerability to view its details. For more information,
  see View Finding Details.

• On the Vulns by Asset tab, click an asset row to view its vulnerability details. For more
  information, see View Asset Details.

Scan Filters

On the Scans page, you can filter scans using Tenable-provided filters. The Tenable Vulnerability
Management scan view allows you to filter by scan status, and the Tenable Web App Scanning scan
view allows you to filter by multiple values.

Filter Description

Status
The status of the scan. For more information about scan statuses, see Scan Status.

Created Date (Tenable Web App Scanning scans only)
The date the scan configuration was created.

Description (Tenable Web App Scanning scans only)
The description of the scan configuration.

Finalized Date (Tenable Web App Scanning scans only)
The date on which the scan last completed.

Last Modified Date (Tenable Web App Scanning scans only)
The date on which the scan configuration was last modified.

Last Scanned Date (Tenable Web App Scanning scans only)
The date on which the scan was last run.

Name (Tenable Web App Scanning scans only)
The name of the scan configuration.

Schedule (Tenable Web App Scanning scans only)
Whether a scan schedule is enabled or on demand.

Target (Tenable Web App Scanning scans only)
The target URL used to launch the scan.

Template (Tenable Web App Scanning scans only)
The Tenable-provided scan template the scan configuration was based on.

User Template (Tenable Web App Scanning scans only)
The user-defined scan template the scan configuration was based on.

Launch a Scan
In addition to configuring a scan's Schedule settings to launch the scan at scheduled times, you can
launch a scan manually. You can only launch a new scan when the previous scan has the
Completed, Aborted, or Canceled status (for more information, see Scan Status).

To launch a standard scan manually, see Launch a Scan.

Alternatively, you can launch a rollover scan to scan the remaining targets of a previous scan that
ended prematurely (for more information, see Launch a Rollover Scan). You can also launch a
remediation scan to run a follow-up scan against existing scan results (for more information, see
Launch a Remediation Scan).

Note: If you are scanning a Linux machine with Tenable Vulnerability Management, the Linux machine's
shell configuration file must have a PS1 variable of four or more characters (for example,
PS1='\u@\h:~\$ '). Having a PS1 variable of fewer than four characters (for example, PS1='\$ ') can
drastically increase the overall scan time.

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

Launch a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

Use the following steps to launch a scan manually. You can launch the scan using the targets as
configured in the scan, or you can launch the scan with custom targets that override the configured
targets.

To launch a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. In the scans table, roll over the scan you want to launch.

The action buttons appear in the row.

5. Do one of the following:

• To launch the scan using the targets as configured in the scan, click the button in the
row.

• If you have previously launched the scan and want to use custom targets that override
the configured targets:

a. In the row, click the button.

The Custom Launch Scan plane opens.

b. In the Targets box, type a comma-separated string of targets.

c. Click Launch.

Tenable Vulnerability Management launches the scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Rollover Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

When you launch a rollover scan, the scan runs only against targets and hosts that Tenable
Vulnerability Management did not scan previously. This happens when a scan ends before scanning
all the assigned targets, which can occur when:

• A user manually stops the scan

• The scan times out due to the Scan Window setting

• The scanner aborts scan tasks or does not initialize properly

In some cases, you may see Completed scans that you can perform rollover scans for. This
indicates that even though all the assigned targets were scanned, some individual scan tasks may
have failed.

Rollover scans allow you to achieve complete scan coverage for all your assets, and you can use
the rollover feature to split up large, network-impacting scans. You can launch a rollover scan from
the Scans page. Tenable Vulnerability Management marks scans that you can launch a rollover scan
for in the scan table with the Rollover tag in the Name column.

To view the remaining targets that the rollover scan will run against, see Download Rollover Targets.
If you want to restart the scan and rescan all the targets, see Launch a Scan.

Note: You cannot launch rollover Web Application scans.

To launch a rollover scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

For more information about scan folders, see Organize Scans by Folder.

4. In the scans table, roll over the scan you want to launch.

5. In the row, click the button.

A menu appears.

6. Click the Launch Rollover option.

Tenable Vulnerability Management launches the rollover scan.

You can follow the scan's progress by checking its Scan Status on the Scans page.

Launch a Remediation Scan

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Access Group Permissions: Can Scan

You can create a remediation scan to run a follow-up scan against existing scan results. A
remediation scan evaluates a specific plugin against a specific scan target or targets where a
vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the scan
targets have been successful. If a remediation scan cannot identify a vulnerability on targets where
the vulnerability was previously identified, the system changes the status of the vulnerability to
Fixed.

Tenable Vulnerability Management automatically creates remediation scans from the
Tenable-provided Advanced Network Scan template and populates certain settings based on the
assets and vulnerabilities you selected.

You can perform remediation scans for scan results from certain sensors only:

| Sensor Type | Supported? |
| --- | --- |
| Tenable Vulnerability Management Cloud Sensor | yes |
| On-premises Tenable Nessus | yes |
| Tenable Nessus scanner for Amazon Web Services (AWS) | yes |
| Tenable Web App Scanning | no |
| Tenable Network Monitor | no |
| Tenable Agent | no |

To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

To launch a remediation scan:

1. Set the scope for the remediation scan:

| Remediation Scan Scope | Action |
| --- | --- |
| All vulnerabilities on all affected assets | This scope is not supported. |
| All vulnerabilities on an individual asset | To set this scope: a. View asset details. b. On the asset details page, click the Findings tab. The Findings tab appears. c. In the ribbon of the Findings table (next to the Vulnerability/Host Audit drop-down menu), select the blank checkbox to select all vulnerabilities. d. In the ribbon of the Findings table, click Launch Remediation Scan. |
| All vulnerabilities on multiple assets | This scope is not supported. |
| An individual vulnerability on an individual asset | To set this scope: a. View asset details. b. On the asset details page, click the Findings tab. The Findings tab appears. c. In the Findings table, select the checkbox next to the vulnerability you want to select. d. In the ribbon of the Findings table, click Launch Remediation Scan. |
| Multiple vulnerabilities on all affected assets | This scope is not supported. |
| Multiple vulnerabilities on an individual asset | To set this scope: a. View asset details. b. On the asset details page, click the Findings tab. The Findings tab appears. c. In the Findings table, select the checkbox next to each vulnerability you want to select. d. In the ribbon of the Findings table, click Launch Remediation Scan. |
| Multiple vulnerabilities on multiple assets | This scope is not supported. |
| An individual finding | To set this scope: a. View findings details for a host vulnerability finding or web application vulnerability finding. b. On the findings details page, in the upper-right corner, click the Actions button. The actions menu appears. c. In the actions menu, click Launch Remediation Scan. |

The Create a Scan - Remediation Scan appears.

Tenable Vulnerability Management automatically creates the remediation scan from the
Tenable-provided Advanced Network Scan template and populates certain settings based on
the assets and vulnerabilities you selected.

2. On the Create a Scan page:

a. Verify the settings that Tenable Vulnerability Management populated based on the
vulnerabilities and assets you selected.

b. Configure additional settings for the scan.

The number of manual changes you must make depends on the plugins involved in the
remediation scan.

The following table defines the inherited and default values for settings in the remediation
scan.

| Setting Category | Setting | Remediation Scan Value |
| --- | --- | --- |
| Basic | Name | Specifies an editable scan name in the format "Remediation scan of plugin # number" where number is the number of the plugin that identified the vulnerability. |
| Basic | Folder | Cannot be configured. Remediation scans appear in the Remediation Scans folder only. |
| Basic | Scanner | Specifies the scanner that performs the scan. The scanner you select depends on the location of the targets included in the remediation scan. For example: • By default, this value is the cloud scanner for your geographical region (for example, US Cloud Scanner). However, a cloud scanner cannot scan non-routable IP addresses. If the scan targets include non-routable IP addresses, select a linked scanner instead. • Select a scanner group if you want to: ◦ Improve scan speed by balancing the scan load among multiple scanners. ◦ Rebuild scanners and link new scanners in the future without having to update scanner designations in scan configurations. |
| Basic | Network | (Required if the scanner is set to Auto-Select) Do one of the following: • If your scans involve separate environments with overlapping IP ranges, select the network that contains the scanner groups that you configured for scan routing. • If your scans do not involve separate environments with overlapping IP ranges, retain the Default network. |
| Basic | Targets | Specifies the scan targets based on the assets you selected for the remediation scan. |
| Basic | User Permissions | Specifies default settings for the Advanced Network Scan template. By default, only you have access to the individual scan results for the remediation scan. The Default user permissions are set to No Access. If you want to share the remediation scan with other users, configure the user permissions. |
| Basic | Schedule | Cannot be configured. If you do not launch a remediation scan when you create it, you can launch the scan manually later. |
| Basic | all other settings | Specifies default settings for the Advanced Network Scan template. |
| Discovery | all | Specifies default settings for the Advanced Network Scan template. Note: The default Port Scan Range scans common ports only. If the plugins used in the remediation scan require specific ports, configure this setting for a range that includes those ports. |
| Assessment | all | Specifies default settings for the Advanced Network Scan template. |
| Report | all | Specifies default settings for the Advanced Network Scan template. |
| Advanced | all | Specifies default settings for the Advanced Network Scan template. |
| Credentials | all | By default, there are no credentials configured. If the plugins in the remediation scan require credentials, configure them in the remediation scan. Note: Remediation scans work best for un-credentialed network scan results. Use caution when running a remediation scan for a plugin that requires scan credentials. If you neglect to add scan credentials when required for a specific plugin, or if you type the credentials incorrectly, the system may identify the related vulnerabilities as fixed. In fact, the vulnerabilities do not appear in the scan results because the system could not complete the credentialed scan. |
| Compliance | all | By default, no compliance audits are configured. If the plugins in the remediation scan require compliance audit settings, configure the appropriate settings. |
| Plugins | limited | Specifies plugins limited to the following: • the plugins you selected for remediation scanning • any plugins on which the selected plugins are dependent |

3. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Tenable Vulnerability Management saves and launches the scan.

What to do next:
• In the Remediation Scans folder on the Scans page:
◦ View the scan status to determine when the scan completes.
◦ Edit the scan configuration.
◦ Change the read status of the scan results.
◦ Launch the scan.

• Once the scan completes:

a. On the Findings page, search for the plugin.

b. Verify that the status for the selected vulnerabilities is now Fixed on the assets that the
remediation scan targeted.

Stop a Running Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

When you stop a scan, Tenable Vulnerability Management terminates all tasks for the scan and
categorizes the scan as canceled. The scan results associated with the scan reflect only the
completed tasks. You cannot stop individual tasks, only the scan as a whole.

To stop a running scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the scans table, roll over the scan you want to stop.

3. In the row, click the button.

A menu appears.

4. Click Stop.

A confirmation window appears.

5. In the confirmation window, click Stop.

Tenable Vulnerability Management stops the scan. The Status column updates to reflect the
status of the scan.

Pause or Resume a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

You can pause scans that you want to stop temporarily. When you pause a scan, Tenable
Vulnerability Management pauses all active tasks for that scan and concludes the scanner's local
scan task. Paused scans do not consume scanner resources, and other scans can run while there is
a paused scan. Tenable Vulnerability Management does not dispatch new tasks from a paused scan
job. If the scan remains in a paused state for more than 14 days, the scan times out. Tenable
Vulnerability Management terminates the related tasks on the scanner and categorizes the scan as
aborted.

You can resume scans that you previously paused. When you resume a scan, Tenable Vulnerability
Management instructs the scanner to start the tasks from the point at which the scan was paused. If
Tenable Vulnerability Management encounters problems when resuming the scan, the scan fails,
and Tenable Vulnerability Management categorizes the scan as aborted.

To pause or resume a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the scans table, roll over the scan.

3. Do one of the following:

• To pause the scan, click the button in the row.

• To resume the scan, click the button in the row.

A confirmation window appears.

4. In the confirmation window, click Pause or Resume as appropriate.

Tenable Vulnerability Management pauses or resumes the scan.

Change Scan Ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Scan Permissions: Owner

Before you begin:

• If the scan is based on a user-defined template, assign the new owner at least Can View
permissions for that template. Otherwise, the new owner cannot view the scan configuration.

Note: Only the scan owner can change scan ownership. Therefore, if an administrator needs to change the
ownership of another user's scan, they must first assist the user with their account and then assign
ownership to the appropriate user.

To change the ownership of a scan in the new interface:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. (Optional) Search for the scan you want to edit. For more information, see Tables.

5. In the scans table, click the scan you want to edit.

The scan details appear.

6. Click the button next to the scan name.

The Edit a Scan page appears.

7. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

8. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

9. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

10. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

11. (Optional) Edit the Tenable Vulnerability Management permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

12. Click Save.

Tenable Vulnerability Management assigns ownership to the selected user and assigns your
user account the permissions you selected. If you removed all permissions for your user
account from the scan, the scan no longer appears in any of your scan folders.

Change the Scan Read Status

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

On the Scans page, a scan appears in bold in the scans table if you have not yet viewed (read) the
results of the latest run of the scan.

If you view the scan results, Tenable Vulnerability Management categorizes the scan as "read" and
removes the bold formatting from the scan in the scans table.

You can also manually change the scan read status.

To change the scan read status:

1. View your scans.

2. In the scans table, roll over the scan you want to change.

3. Click the button.

A menu appears.

4. Do one of the following:

• If you have already read the scan, click Mark Unread.

• If you have not read the scan, click Mark Read.

Tenable Vulnerability Management changes the read status for the scan.

Edit a Scan Configuration

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

To edit a scan configuration:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. (Optional) Search for the scan you want to edit. For more information, see Tables.

5. In the scans table, click the scan you want to edit.

The scan details appear.

6. Click the button next to the scan name.

The Edit a Scan page appears.

7. Change the scan configuration. For more information about scan configuration settings, see
Scan Settings.

8. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Configure vSphere Scanning

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Control

You can configure a scan to scan the following virtual environments:

• ESXi/vSphere that vCenter manages

• ESXi/vSphere that vCenter does not manage

• Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

About VMware Credentialed Checks

Configuring the vCenter API or ESXi API credentials enables the collection of VMware Installation
Bundle (VIB) package details for ESXi servers, which are used in the ESX Local Security Checks
plugin family. Both of these credentials enable the collection of ESXi VIBs. Configuring an SSH
credential to a targeted ESXi server also enables the collection of VIBs.

In addition to collection of ESXi VIBs, the vCenter credential enables auto-discovery of ESXi servers
and vCenter compliance checks. In the case of vCenter compliance checks, the vCenter server
must be configured as a target.

These credentials do not collect any host-level data about the vCenter server. To collect host-level
data, configure an additional credential to the vCenter server (for example, SSH or Windows).

Tenable also collects ESXi and vCenter versions by detecting the software on the targeted hosts
using remote, unauthenticated checks. Current vCenter and ESXi vulnerability results are based on
this data.

For more information on VMware/vCenter, refer to the VMware integration documentation.

Scenario 1: Scanning ESXi/vSphere Not Managed by vCenter


To configure an ESXi/vSphere scan that vCenter does not manage:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP address or addresses of the ESXi host or hosts.

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware ESX API.

7. In the Username box, type the username associated with the local ESXi account.

8. In the Password box, type the password associated with the local ESXi account.

9. If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do
not verify SSL Certificate toggle. Otherwise, leave the toggle enabled.

10. Click Save.

11. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Note: When scanning vCenter-managed ESXi hosts with API credentials, the Nessus Scan Information
plugin always shows Credentialed Checks: No in the vCenter scan results. To verify that the
authentication was successful, check that the Nessus Scan Information plugin shows Credentialed
Checks: Yes in the scan results of the ESXi hosts.

Scenario 2: Scanning vCenter-Managed ESXi/vSpheres


Note: The REST API requires a vCenter admin account with read permissions, and a VMware vSphere
Lifecycle manager account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

1. Create an advanced network Tenable Vulnerability Management scan.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the Targets section, type the IP addresses of:

• the vCenter host

• the ESXi host or hosts

Note: Listing the vCenter as a target results in the scan collecting the vCenter version and its
vulnerabilities, but not operating system-level details. Listing the vCenter server as a target is also
required for vCenter compliance scanning.

4. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

5. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

6. In the Miscellaneous section, select VMware vCenter API.

7. In the vCenter Host box, type the IP address of the vCenter host.

8. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.

9. In the Username box, type the username associated with the vCenter account.

10. In the Password box, type the password associated with the vCenter account.

11. If the vCenter host is SSL enabled, enable the HTTPS toggle.

12. If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the Verify
SSL Certificate toggle. Otherwise, leave the toggle disabled.

13. Click Save.

14. Do one of the following:

• If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

• If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not
available.

Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Section 3: Scanning Virtual Machines


You can scan virtual machines just like any other host on the network. Be sure to include the IP
address or addresses of your virtual machines in the Targets text box. For more information, see
Create a Scan.

VMware vCenter Support Matrix

| Feature | Requires Authentication | Supported vCenter Version |
| --- | --- | --- |
| Vulnerability Management | No | 7.x, 8.x |
| Auto Discovery | Yes | 7.0.3+, 8.x |
| Audit / Compliance | Yes | 6.x, 7.x, 8.x |
| VIB Enumeration | Yes | 7.0.3+, 8.x |
| Active / Inactive VMs | Yes | 7.0.3+, 8.x |

Copy a Scan Configuration

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Owner

When you copy a scan configuration, Tenable Vulnerability Management assigns you owner
permissions for the copy and assigns the copy scan permissions from the original scan.

Note: You cannot copy a scan from the Remediation Scans folder.

To copy a scan configuration:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. In the scans table, roll over the scan you want to copy.

5. In the row, click the button.

A menu appears.

6. Click Copy.

The Copy to Folder plane appears, which contains a list of your scan folders.

7. Click the folder where you want to save the copy.

8. Click Copy.

Tenable Vulnerability Management creates a copy of the scan with Copy of prepended to the
name and assigns you owner permissions for the copy. The copy appears in the scans table of
the folder you selected.

Export Scan Results

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

You can export both imported scan results and results that Tenable Vulnerability Management
collects directly from scanners.

Tenable Vulnerability Management retains individual scan results until the results are 15 months
old.

Notes:
• Filters are not applicable for Tenable Web App Scanning exports. All results are
exported.
• For archived scan results (that is, results older than 35 days), Tenable Vulnerability
Management limits export types to .nessus and .csv files.
• When a scan is actively running, the Export button does not appear in the Tenable
Vulnerability Management interface. Wait until the scan completes, then export the scan
results.

To export results for an individual scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

4. Do one of the following:

| Location | Scope of Export |
| --- | --- |
| Scans table | a. In the scans table, roll over the scan you want to export. b. Click the button. A menu appears. c. Click Export. The Export plane appears. Note: You cannot export scan results from the Scans table if the scan has multiple targets. For scans with multiple targets, you can export scan results for each target from the Scan Details page. |
| Scan Details | a. In the scans table, click the scan you want to export. The scan details plane appears below the scan table. b. Click the Scan Actions button. A menu appears. c. Click Export. The Export plane appears. |

5. Select an export format:

Tenable Vulnerability Management Scans

| Format | Description | Supported for Archived Scan Results |
| --- | --- | --- |
| PDF - Custom | An Adobe .pdf file. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | No |
| PDF - Executive Summary | An Adobe .pdf file. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | No |
| HTML - Custom | A web-based .html file. | No |
| HTML - Executive Summary | A web-based .html file. | No |
| Nessus | A .nessus file in XML format that contains the list of targets, scan settings defined by the user, and scan results. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the XML. If you import a .nessus file as a user-defined scan template, you must re-apply your passwords to any credentials. Unlike other export formats, the .nessus file includes individual open port findings. This ensures that you can still view open port findings in Tenable Security Center if your organization integrates Tenable Vulnerability Management with Tenable Security Center. | Yes |
| CSV | A .csv text file with only scan results. Note: When exporting scan results as a .csv file, the severities always show CVSSv2 scores regardless of your configured severity metric. When exporting compliance scan results as a .csv file, the Risk column results are replaced with the following values: • PASSED results show as None • WARNING results show as Medium • FAILED results show as High | Yes |

Tenable Web App Scanning Scans

| Format | Description | Supported for Archived Scan Results |
| --- | --- | --- |
| HTML | A web-based .html file that contains the list of targets, scan results, and scan notes. | n/a |
| PDF | An Adobe .pdf file that contains the list of targets, scan results, and scan notes. Note: Tenable Vulnerability Management cannot export PDF files with more than 400,000 individual scan results. | n/a |
| Nessus | A .nessus file in XML format that contains the list of targets, scan settings defined by the user, and scan results. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the XML. | n/a |
| CSV | A .csv text file with only scan results. | n/a |
| JSON | A .json file that contains the list of targets, scan settings defined by the user, scan results, and scan notes. Tenable Vulnerability Management strips password credentials and does not export them as plain text in the JSON file. | n/a |

6. For Tenable Vulnerability Management scans, if you select the PDF - Custom or HTML -
Custom formats:

l In the Data section, select the Vulnerabilities, Audits, and Remediations checkboxes to
include vulnerability data, audit (compliance), and remediation patch information in the
export, respectively. You can also leave them unselected to omit the relevant data from
the export.

The Data section options available for each scan result vary depending on the scan
result's data. For example, if the scan result does not include remediation patch
information, the Remediations checkbox does not show.

• In the Group by section, select Asset to group vulnerabilities, audits, and remediations
by asset, or select Plugin to group them by plugin.

7. Click Export.

Tenable Vulnerability Management generates the export file. Depending on your browser
settings, your browser may automatically download the export file to your computer, or may
prompt you to confirm the download before continuing.
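The export table above says that password credentials are stripped from .nessus exports. The following check confirms that for a given file before it is shared; it is an added example, not Tenable's code. It assumes the NessusClientData_v2 layout (settings stored as preference and item elements under Policy/Preferences), and the sample document with all its values is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumption: NessusClientData_v2
# layout, where scan settings sit under Policy/Preferences as <preference>
# (name/value) and <item> (preferenceName/preferenceType/selectedValue).
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Policy>
    <policyName>Constructed example policy</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>max_hosts</name><value>30</value></preference>
      </ServerPreferences>
      <PluginsPreferences>
        <item>
          <preferenceName>SSH user name :</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>scanner-svc</selectedValue>
        </item>
        <item>
          <preferenceName>SSH password :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue></selectedValue>
        </item>
        <item>
          <preferenceName>Login password :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue>EXAMPLE-not-a-real-secret</selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
  <Report name="constructed">
    <ReportHost name="192.0.2.10"/>
  </Report>
</NessusClientData_v2>
"""

# Words that mark a setting as credential-like when its type is not declared.
SECRET_WORDS = ("password", "passphrase", "secret", "private key")


def _text(element, tag):
    """Text of a child element, or an empty string when absent or empty."""
    return (element.findtext(tag) or "").strip()


def _names_secret(name):
    lowered = name.lower()
    return any(word in lowered for word in SECRET_WORDS)


def residual_secrets(root):
    """Return (section, setting name, value length) for every credential-like
    setting that still carries a value. The value itself is never returned,
    so the report can be logged or pasted into a ticket."""
    findings = []
    for item in root.iter("item"):
        name = _text(item, "preferenceName") or _text(item, "fullName")
        value = _text(item, "selectedValue")
        typed_secret = _text(item, "preferenceType").lower() == "password"
        if value and (typed_secret or _names_secret(name)):
            findings.append(("PluginsPreferences", name, len(value)))
    for pref in root.iter("preference"):
        name, value = _text(pref, "name"), _text(pref, "value")
        if value and _names_secret(name):
            findings.append(("ServerPreferences", name, len(value)))
    return findings


def check_text(xml_text):
    return residual_secrets(ET.fromstring(xml_text))


def check_file(path):
    # Suitable for your own exports; parse files received from other
    # parties with a hardened XML parser instead.
    return residual_secrets(ET.parse(path).getroot())


if __name__ == "__main__":
    for section, name, length in check_text(SAMPLE_NESSUS):
        print(f"{section}: '{name}' still holds a {length}-character value")
```

An empty result means no credential-like setting in the file carries a value; any finding should be reviewed before the file leaves your control.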

Import a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can import scan results into Tenable Vulnerability Management.

Imported scans always belong to the default network. For more information, see Networks.

Note: You can only import Tenable Vulnerability Management scans.

Note: Tenable Vulnerability Management supports scan imports up to 4GB in size.

To import a scan in the new interface:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the upper-right corner of the page, click the Tools button.

A menu appears.

3. Click Import Scan.

Your file directory appears.

4. Browse to and select the scan file you want to import.

If the scan file is a .nessus or .db file, the Import plane appears.

Note: To learn more about the .nessus file format, see Nessus File Format.

If the scan file is any other file type, the Scan Import window appears.

5. Do one of the following:

• If the scan file is a .nessus or .db file:

a. In the Password box, type the password to allow Tenable Vulnerability
Management to view the scan.

b. (Optional) To show the scan results in dashboards, select the Show in
Dashboard? check box.

c. Click Import.

• If the scan file is any other file type, specify if you want the scan results to appear in
dashboards:
o Click Yes to show the scan results in dashboards.
o Click No to prevent the scan results from appearing in dashboards.

Note: Clicking Cancel cancels the import.

The Scans page appears, and the imported scan appears in the scans table.

Tenable Vulnerability Management begins processing the imported scan results. Once this
process is complete, the imported data appears in the individual scan details and aggregated
data views (such as dashboards). This process can take up to 30 minutes, depending on the
size of the import file.

Tip: If the imported data does not appear in the individual scan results or aggregated data views after
a reasonable processing time, verify that you are assigned adequate permissions for the imported
targets in access groups.

Organize Scans by Folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

In Tenable Vulnerability Management, the Scans page contains a Folders section that automatically
groups your configured and imported scans into default folders. To organize your scans further, you
can create custom folders.

To organize your scans by folder:

1. View scans in default folders.

Note: You cannot rename or delete the default folders.

By default, Tenable Vulnerability Management provides the following folders:

Folder Description

My Scans Contains scans that you have created or imported.

This folder appears by default when you access the Scans page.

All Scans • (Administrators) Contains scans created by any users.

• (All other users) Contains:
o Scans that you have created
o Any shared scans for which you have Can View
permissions or higher
o Scans that have been moved to the Trash folder

Remediation Scans Contains any remediation scans you own or that another user has
shared with you.

Trash Contains scans that you have moved to the trash. If you have Can
Configure permissions for a scan in this folder, you can permanently
delete the scan for all users.

If you delete a custom folder that contains scans, Tenable
Vulnerability Management automatically moves any scans in the
deleted folder to the Trash folder.

2. (Optional) Manage custom folders using the following procedures:

Manage scan folders


Use the following procedures to manage your custom scan folders:

Create a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

The custom scan folders you create appear only to you and cannot be shared with other users. You
are the only user who can view, rename, or delete the scan folders you create.

Note: The custom folders you create appear only to you and cannot be shared with other users.

To create a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. Next to Folders, click the button.

The New Folder box appears at the bottom of the folder list.

3. In the New Folder box, type a name for the folder.

4. Click the button.

A Folder added successfully message appears and the new folder appears in the Folders
section.

Move a scan to a scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

You can move a scan from a default folder to either the My Scans default folder or a custom scan
folder. You can also move a scan from a custom folder to the My Scans default folder or a different
custom folder.

If you move a scan from the All Scans default folder, the scan appears in both the folder you select
and the All Scans folder.

If you move a scan from the My Scans default folder, the scan appears in the custom folder only.

For information about moving a scan to the trash, see Move a Scan to the Trash Folder.

Note: You cannot move scans to or from the Remediation Scans folder.

To move a scan to a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

3. In the scan table, roll over the scan you want to move.

The action buttons appear in the row.

4. Do one of the following:

• Tenable Vulnerability Management scans:

a. In the row, click the button.

A menu appears.

b. In the menu, click Move.

The Move to Folder plane appears. This plane contains a list of your scan folders.

• Tenable Web App Scanning scans:

a. In the row, click the button.

The Move to Folder plane appears. This plane contains a list of your scan folders.

5. Search for a folder:

a. In the search box, type the folder name.

b. Click the button.

Tenable Vulnerability Management limits the list to folders that match your search.

6. In the folder list, click the folder where you want to move the scan.

7. Click Move.

Tenable Vulnerability Management moves the scan to the selected folder.

Rename a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can rename custom scan folders only. You cannot rename the default scan folders.

Renaming a scan folder affects your user account only, because the custom folders you create
appear only to you and cannot be shared with other users.

To rename a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, roll over the folder you want to rename.

The action buttons appear in the row.

3. In the row, click the button.

An editable box replaces the folder name.

4. In the box, type a new name for the folder.

5. Click the button.

Tenable Vulnerability Management updates the folder name and a Folder updated
successfully message appears.

Delete a custom scan folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

You can delete custom scan folders only. You cannot delete the default scan folders that Tenable
Vulnerability Management provides (All Scans, My Scans, and Trash).

Deleting a scan folder affects your user account only, because the custom folders you create appear
only to you and cannot be shared with other users.

If you delete a scan folder that contains inactive scans, Tenable Vulnerability Management moves
the folder's scans to the Trash folder. If you delete a scan folder that contains at least one active
(Pending or Running) scan, Tenable Vulnerability Management moves the folder's scans to the My
Scans folder.

To delete a scan folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, roll over the folder you want to delete.

The action buttons appear in the row.

3. In the row, click the button.

A confirmation window appears.

4. Click Delete to confirm the action.

A Folder deleted successfully message appears, and Tenable Vulnerability Management
deletes the folder.

Move a Scan to the Trash Folder

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can View

When you move a shared scan to the Trash folder, Tenable Vulnerability Management moves the
scan for your account only. The scan remains in the original folder for all other users who have Can
View permissions or higher for the scan.

Scans moved to the Trash folder also appear in the All Scans folder, marked with the label, Trash.

Note: After you move a scan to the Trash folder, the scan remains in the Trash folder until the scan owner
or an administrator permanently deletes the scan.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.
• For more information about Tenable Vulnerability Management scan schedules, see
Schedule.
• For more information about Tenable Web App Scanning scan schedules, see Schedule.

Note: You cannot move scans from the Remediation Scans folder to the Trash folder. Instead, delete
remediation scans directly in the folder.

To move a scan or scans to the Trash folder:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click the folder that contains the scan you want to move.

The scans table lists scans in the selected folder.

4. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to move.

b. Click the button.

A menu appears.

c. Click Trash.

• Select multiple scans:
a. In the scans table, select the check box next to each scan you want to move.

The action bar appears at the top of the table.

b. In the action bar, click Trash.

Tenable Vulnerability Management moves the scan or scans you selected to the Trash
folder.

Delete a Scan

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Scan Permissions: Can Configure

When you permanently delete a scan, you delete the scan configuration and scan results for all
users the scan is shared with.

The workflow for deleting a remediation scan differs from the workflow described in this procedure.
For more information, see the Delete a remediation scan steps at the end of this topic.

Caution: After you delete a scan, you cannot recover the scan or any scan data associated with the scan.
Delete only scans you are certain you no longer need to view or run.

Before you begin:

• Move the scan to the Trash folder.

To delete a scan:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the Folders section, click the Trash folder.

The scan table updates to show the scans in the trash folder.

4. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:
a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Delete a remediation scan

Required Scan Permissions: Can Configure

When you delete a remediation scan, you delete the scan configuration and scan results for all users
the scan is shared with.

Note: Tenable Vulnerability Management deletes scan results older than 90 days.

To delete a remediation scan:

1. In the upper-left corner, click the button.

The left navigation plane appears.

2. In the left navigation plane, click Scans.

The Scans page appears.

3. In the Folders section, click the Remediation Scans folder.

Note: The Remediation Scans folder only shows for Tenable Vulnerability Management scans.

The scan table updates to show remediation scans that you own or that other users have
shared with you. By default, the rows are sorted by Created Date.

4. Do one of the following:

• Select a single scan:
a. In the scans table, roll over the scan you want to delete.

b. In the row, click the button.

A menu appears.

c. Click Delete.

A confirmation window appears.

• Select multiple scans:
a. In the scans table, select the check box next to the scans you want to delete.

The action bar appears at the top of the table.

b. In the action bar, click the Delete button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the scan or scans you selected.

Note: Tenable Vulnerability Management keeps up to 10,000 of the most recent remediation scan
results. Once you have more than 10,000 remediation scan results, Tenable Vulnerability
Management deletes the scan results, starting with the oldest result.

Discovery Scans vs. Assessment Scans


You can perform two types of scans using Tenable products: discovery scans and assessment
scans. Tenable recommends performing discovery scans to get an accurate picture of the assets on
your network and assessment scans to understand the vulnerabilities on your assets.

For information about how discovered and assessed assets are counted towards your license, see
Tenable Vulnerability Management Licenses.

Type Description Licensing

Discovery scans

Description: Find assets on your network.

For example:

• a scan configured with the Host Discovery template.

• a scan configured to use only discovery plugins.

• a scan configured to use Tenable Network Monitor in discovery mode.

Licensing: Assets identified by discovery scans do not count toward your license.

Assessment scans

Description: Find vulnerabilities on your assets.

For example, run an authenticated or unauthenticated scan using a Tenable Nessus scanner or
Tenable Agent.

Authenticated Scans

Configure authenticated scans, also known as credentialed scans, by adding access credentials
to your assessment scan configuration.

Credentialed scans can perform a wider variety of checks than non-credentialed scans, which
can result in more accurate scan results. This facilitates scanning of a very large network to
determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of
scanning depends on the privileges granted to the user account. The more privileges the
scanner has via the login account (e.g., root or administrator access), the more thorough the
scan results.

For more information, see Credentials in Tenable Vulnerability Management Scans.

Unauthenticated Scans

If you do not add access credentials to your assessment scan configuration, Tenable
Vulnerability Management performs a limited number of checks when scanning your assets.

Licensing: In general, assets assessed by assessment scans count toward your license.

Identify Assets That Have Not Been Assessed


Tenable Vulnerability Management can discover, or see, assets without assessing the assets for
vulnerabilities (for example, via a host discovery scan, Tenable Network Monitor running in
discovery mode, or connectors). Assets that have been seen but not assessed do not count towards
your asset license limit. For a list of conditions that cause an asset to be assessed, see How Assets
are Counted. However, once assessed, the asset is always categorized as assessed, even if it ages
out of the license count.

This licensing exception allows you to discover assets on your network without the large number of
assets counting towards your license limit. After you discover your assets, you can then identify
which assets have not yet been assessed for vulnerabilities, and choose which of those assets you
want to scan and manage going forward.

To identify assets that have not been assessed:

1. Discover assets using any of the following methods:

• Create and launch a host discovery scan in Tenable Vulnerability Management.

• Configure Tenable Network Monitor with discovery mode enabled, linked to Tenable
Vulnerability Management.

• Configure a connector.

Assets discovered by these methods do not count towards your asset license limit until they
have been assessed for vulnerabilities.

2. Filter for assets that have not been assessed.

a. In the assets table, create a filter with the following settings:

• In the Category box, select Asset Assessed.

• In the Operator box, select is equal to.

• In the Value box, select false.

b. Click Apply.

Tenable Vulnerability Management filters for assets that have not yet been assessed for
vulnerabilities.

Note: Unassessed assets (where Asset Assessed is equal to false) can differ from unlicensed
assets (where Is Licensed (VM) is equal to false). Once you scan an asset for vulnerabilities,
Tenable Vulnerability Management categorizes the asset as assessed from that point on, but
the licensing status of an asset can change over time as assets are deleted or age out of your
organization's license count.

c. (Optional) Save the search for later use.

3. (Optional) Tag assets to identify assets that have not been assessed.

a. Create tags to identify assets that have not been assessed.

For example, Assets:NotYetAssessed.

b. Manually apply the tag to assets, or create tag rules that automatically filter for assets
that have not been assessed.

For example, to create a dynamic tag for assets that have not yet been assessed, set the
tag rules to filter for Asset Assessed is equal to false.

4. (Optional) Create a scan to target assets using the tag you created.

Scan Failovers
If Tenable Vulnerability Management assigns a scan job to a scanner, and the scanner goes offline
while scanning, the following happens:

1. The scan job times out if the assigned scanner does not respond to Tenable Vulnerability
Management after two hours.

2. Tenable Vulnerability Management removes the scan job from the scanner and attempts the
scan job on another scanner in the same scanner group, or on the same scanner if it comes
back online.

3. Tenable Vulnerability Management attempts steps 1 and 2 three times. If the scan job is not
completed after three attempts, Tenable Vulnerability Management aborts the scan job.

Scan Status
Tenable Vulnerability Management provides a scan status for each of your configured scans.

If the scan is in progress, Tenable Vulnerability Management shows the number of scan tasks
completed as a percentage.

For example, if you scan fewer than 120 IP addresses in a single scan, Tenable Vulnerability
Management creates a single scan task and the progress percentage changes from 0% to 100%
when it completes.

However, if you target more than 120 IP addresses, Tenable Vulnerability Management creates
multiple scan tasks. After each task completes, the percentage changes to reflect the number of
completed tasks. For example, a scan that targets 300 IP addresses is split into three scan tasks,
and as each task completes, the progress bar updates the percentage to reflect the completed
tasks.

Note: Pausing a scan causes Tenable Vulnerability Management to move any completed results to
processing. When you resume the scan, Tenable Vulnerability Management creates a new scan task or
tasks for incomplete results. Therefore, pausing a scan can cause the progress percentage to update.

Tip: For Tenable Vulnerability Management scans, you can hover over the scan status to view more status
information in a pop-up window, such as the number of targets scanned and the elapsed or final scan time.
The window shows different information based on the scan's current status.

Tenable Vulnerability Management scans can have the following status values:

Status Description

Tenable Vulnerability Management Scans

Tip: The typical Tenable Vulnerability Management scan status flow is as follows: Initializing,
Running, Publishing Results, Completed.

Aborted Either the latest run of the scan is incomplete because Tenable Vulnerability
Management or the scanner encountered problems during the run, or the
scan remained queued without running for four or more hours. For more
information about the problems encountered during the run, view the scan
warnings.

Canceled At user request, Tenable Vulnerability Management successfully stopped the
latest run of the scan.

Completed The latest run of the scan is complete.

Disabled (Triggered agent scans only) The scan configuration is disabled and does not
launch scans based on the configured triggers. You can enable or disable
triggered agent scan configurations in the scan table's Actions menu.

Empty The scan is either empty (the scan is new or has yet to run) or pending
(Tenable Vulnerability Management is processing a request to run the scan).

Enabled (Triggered agent scans only) The scan configuration is enabled and launches
scans based on the configured triggers. You can enable or disable triggered
agent scan configurations in the scan table's Actions menu.

Imported A user imported the scan. You cannot run imported scans. Scan history is
unavailable for imported scans.

Pausing A user paused the scan, and Tenable Vulnerability Management is
processing the action.

Paused At user request, Tenable Vulnerability Management successfully paused
active tasks related to the scan. The paused tasks continue to fill the task
capacity of the scanner that the tasks were assigned to. Tenable Vulnerability
Management does not dispatch new tasks from a paused scan job. If the
scan remains in a paused state for more than 14 days, the scan times out.
Tenable Vulnerability Management then aborts the related tasks on the
scanner and categorizes the scan as aborted.

Pending Tenable Vulnerability Management has the scan queued to launch and is
assigning scan tasks to the assigned sensors.

Note: Tenable Vulnerability Management aborts scans that remain in
Pending status for more than four hours. If Tenable Vulnerability
Management aborts your scan, modify your scan schedule to reduce the
number of overlapping scans. If you still have issues, contact Tenable
Support.

Publishing Results Tenable Vulnerability Management processes and stores the scan results
data for you to view and use in the Tenable Vulnerability Management user
interface. The Publishing Results status begins once the Running status
reaches 100%.


Resuming Tenable Vulnerability Management is in the process of restarting tasks after
the user resumed the scan. Tenable Vulnerability Management instructs the
scanner to start the tasks from the point at which the scan was paused. If
Tenable Vulnerability Management or the scanner encounters problems
when resuming the scan, the scan fails, and Tenable Vulnerability
Management updates the scan status to aborted.

Running The scan is currently running. While this status is shown, the scan's sensors
complete their assigned scan tasks, and Tenable Vulnerability Management
processes the scan results. The progress bar shows next to the status when a
scan is running. The progress bar shows the percentage of the completed
tasks.

Stopping A user stopped the scan, the scan timed out or reached the end of the
configured scan window, or Tenable Vulnerability Management is stopping
the scan after all associated scan tasks are complete.
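The time limits in the Scan Failovers steps and the status table above (two-hour scanner timeout with three attempts, four hours in Pending, 14 days in Paused) can be turned into a watchdog that flags scans before they end up Aborted. This is an added example, not Tenable's code: the record keys (name, status, since, last_response, attempt) are hypothetical and do not represent Tenable API fields, and the scan records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Limits taken from the guide text above.
PENDING_LIMIT = timedelta(hours=4)    # Pending scans are aborted after this long
PAUSED_LIMIT = timedelta(days=14)     # Paused scans time out, then are aborted
SCANNER_TIMEOUT = timedelta(hours=2)  # silent scanner: the scan job times out
MAX_ATTEMPTS = 3                      # failover attempts before the job is aborted


def _against_limit(label, elapsed, limit, warn_at):
    # Flags at the limit itself, the conservative reading of "more than".
    if elapsed >= limit:
        return ("abort-expected", f"{label} for {elapsed}; limit is {limit}")
    if elapsed >= limit * warn_at:
        return ("warn", f"{label}; {limit - elapsed} left before the limit")
    return ("ok", f"{label}; within the limit")


def assess(scan, now, warn_at=0.75):
    """Classify one scan record as 'ok', 'warn' or 'abort-expected'.

    `since` is when the current status began; `last_response` is when the
    assigned scanner last answered; `attempt` is the 1-based failover attempt.
    """
    status = scan["status"].lower()
    if status == "pending":
        return _against_limit("pending", now - scan["since"], PENDING_LIMIT, warn_at)
    if status == "paused":
        return _against_limit("paused", now - scan["since"], PAUSED_LIMIT, warn_at)
    if status == "running":
        silent = now - scan["last_response"]
        attempt = scan.get("attempt", 1)
        if silent >= SCANNER_TIMEOUT:
            if attempt >= MAX_ATTEMPTS:
                return ("abort-expected",
                        f"attempt {attempt} of {MAX_ATTEMPTS} timed out")
            return ("warn",
                    f"attempt {attempt} timed out; job is retried in the scanner group")
        if silent >= SCANNER_TIMEOUT * warn_at:
            return ("warn", f"scanner silent for {silent}")
        return ("ok", "scanner responding")
    return ("ok", "no time limit documented for this status")


def review(scans, now):
    """Return (name, level, reason) rows for scans that need attention,
    with expected aborts listed before warnings."""
    order = {"abort-expected": 0, "warn": 1}
    rows = [(s["name"], *assess(s, now)) for s in scans]
    rows = [row for row in rows if row[1] != "ok"]
    return sorted(rows, key=lambda row: order[row[1]])


# Constructed records for illustration.
NOW = datetime(2025, 9, 17, 12, 0, tzinfo=timezone.utc)
SCANS = [
    {"name": "weekly-dmz", "status": "Pending",
     "since": NOW - timedelta(hours=3, minutes=30)},
    {"name": "nightly-lan", "status": "Pending", "since": NOW - timedelta(hours=5)},
    {"name": "quarterly-pci", "status": "Paused", "since": NOW - timedelta(days=15)},
    {"name": "branch-offices", "status": "Running", "attempt": 3,
     "last_response": NOW - timedelta(hours=2, minutes=10)},
    {"name": "datacenter", "status": "Running", "attempt": 1,
     "last_response": NOW - timedelta(hours=2, minutes=30)},
    {"name": "lab", "status": "Running", "attempt": 1,
     "last_response": NOW - timedelta(minutes=5)},
    {"name": "old-import", "status": "Imported", "since": NOW - timedelta(days=90)},
]

if __name__ == "__main__":
    for name, level, reason in review(SCANS, NOW):
        print(f"{level:15} {name:15} {reason}")
```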

Shared Collections
On the Scans page in Tenable Vulnerability Management, you can create and manage shared
collections. Shared collections allow you to quickly and conveniently share scan configurations with
specific groups and other Tenable Vulnerability Management users.

Note: Shared collections are only available for vulnerability management scans.

Create a shared collection

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Shared Collections section, click Create.

The Create Shared Collection pane opens.

3. Enter the following information for the shared collection:

Setting Description

Name (Required) The name of the shared collection.

Description The description of the shared collection.

Add Users or Groups Determines what users and groups have access to the shared
collection. To add a new user or group:

a. Click the Select Users or Groups dropdown.

A list of your organization's users and groups appears.

Note that your user account is already listed as Owner. Each
shared collection can only have one Owner, but ownership can
be transferred by the current owner or by an administrator.

b. Search for and select the user or group that you want to add
permission for.

Tip: You can scroll to the bottom of the dropdown and select All
Users to set global permissions.

The selected user or group appears below the dropdown.

c. Select the Can View dropdown next to the selected user or
group.

• To give the user or group view access, select Can View.

• To give the user or group editing access, select Can Edit.

Note: Users with the Administrator role automatically have
Can Edit access to all shared collections.

Note: To give a group Can Edit access to a shared collection,
every user in the group must have the Scan Operator privilege
or higher for shared collections (or a custom role with the
Manage Shared Collections privilege). After you give a group
Can Edit access, you can add users with lower privileges to
the group, but those users are not able to modify the shared
collection.

d. Repeat steps a-c to add your desired users and groups.

4. Click Save.

Tenable Vulnerability Management creates the new shared collection. You can view the new
collection under the Shared Collections header on the Scans page.

Add scans to a shared collection

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Note: To add a scan configuration to a shared collection, you must have Can View permission or higher for
the scan configuration you are adding and Can Edit or Owner permission for the shared collection you are
adding to.

1. In the left navigation, click Scans.

The Scans page appears.

2. Search for the scan or scans that you want to add to a shared collection.

3. Do one of the following:

• To add a single scan to a shared collection:

a. In the scan row of the scan table, right-click or click in the Actions column.

A list of actions appears.

b. Click Add to Shared Collection.

The Add to Shared Collection pane appears.

• To add multiple scans to a shared collection:

a. In the scans table, select the checkboxes of each scan that you want to add.

b. Right-click in the scans table or click More in the table header.

A list of actions appears.

c. Click Add to Shared Collection.

The Add to Shared Collection pane appears.

4. Select the shared collection to add the scan or scans to.

5. Click Save. Tenable Vulnerability Management adds the scan or scans to the shared
collection.

Remove scans from a shared collection

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Note: To remove a scan configuration from a shared collection, you must have Can View permission or
higher for the scan configuration you are removing and Can Edit or Owner permission for the shared
collection you are removing from.

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Shared Collections section, open the shared collection you want to remove scans from.

3. Do one of the following:

• To remove a single scan from a shared collection:

a. In the scan row of the scan table, right-click or click in the Actions column.

A list of actions appears.

b. Click Remove from Shared Collection.

The Remove Scans from Shared Collection window appears.

• To remove multiple scans from a shared collection:

a. In the scans table, select the checkboxes of each scan that you want to remove.

b. Right-click in the scans table or click More in the table header.

A list of actions appears.

c. Click Remove from Shared Collection.

The Remove from Shared Collection pane appears.

4. Click Continue. Tenable Vulnerability Management removes the scan or scans from the
shared collection.

Edit a shared collection

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Shared Collections section, hover over the shared collection you want to edit.

3. Click to edit the shared collection.

The Edit Shared Collection pane opens.

4. Edit the following settings as needed:

Setting Description

Name (Required) The name of the shared collection.

Description The description of the shared collection.

Add Users or Groups Determines what users and groups have access to the shared
collection. To add a new user or group:

a. Click the Select Users or Groups dropdown.

A list of your organization's users and groups appears.

b. Search for and select the user or group that you want to add
permission for.

Tip: You can scroll to the bottom of the dropdown and select All
Users to set global permissions.

The selected user or group appears below the dropdown.

c. Select the Can View dropdown next to the selected user or
group.

• To give the user or group view access, select Can View.

• To give the user or group editing access, select Can Edit.

Note: Users with the Administrator role automatically have
Can Edit access to all shared collections.

d. Repeat steps a-c to add your desired users and groups.

5. Click Save. Tenable Vulnerability Management updates the shared collection.

Delete a shared collection

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Note: Only the shared collection's Owner can delete the shared collection.

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Shared Collections section, hover over the shared collection you want to delete.

3. Click to delete the shared collection.

A confirmation window appears in the upper-right corner.

4. Click Delete to confirm the deletion.

The shared collection is deleted. The scan data in the deleted shared collection is still
available in your standard folders.

Scan Templates
Scan templates contain granular configuration settings for your scans. You can use Tenable's scan
templates to create custom scan configurations for your organization. Then, you can run scans
based on Tenable's scan templates or your custom configurations' settings.

When you create a scan configuration, the Select a Scan Template page appears. Tenable
Vulnerability Management provides separate templates for Tenable Vulnerability Management and
Tenable Web App Scanning. Within Tenable Vulnerability Management scanning, Tenable
Vulnerability Management provides separate templates for scanners and agents, depending on
which sensor you want to use for scanning:

If you have custom configurations, they appear in the User Defined tab. For more information about
user-defined templates, see User-Defined Templates.

When you configure a Tenable-provided scan template, you can modify only the settings included
for the scan template type. When you create a user-defined scan template, you can modify a custom
set of settings for your scan.

For descriptions of all scan template settings, see Scan Settings.

Tip: For information and tips on optimizing your Tenable Vulnerability Management scan configurations,
see the Tenable Vulnerability Management Scan Tuning Guide.

Tenable-Provided Tenable Nessus Scanner Templates
There are three scanner template categories in Tenable Vulnerability Management:

• Vulnerability Scans (Common) — Tenable recommends using vulnerability scan templates for
most of your organization's standard, day-to-day scanning needs.

• Configuration Scans — Tenable recommends using configuration scan templates to check
whether host configurations are compliant with various industry standards. Configuration
scans are sometimes referred to as compliance scans. For more information about the checks
that compliance scans can perform, see Compliance in Tenable Vulnerability Management
Scans and SCAP Settings in Tenable Vulnerability Management Scans.

• Tactical Scans — Tenable recommends using the tactical scan templates to scan your network
for a specific vulnerability or group of vulnerabilities. Tactical scans are lightweight, timely scan
templates that you can use to scan your assets for a particular vulnerability. Tenable frequently
updates the Tenable Vulnerability Management Tactical Scans library with templates that
detect the latest vulnerabilities of public interest, such as Log4Shell.

The following table describes the available Tenable Nessus Scanner templates:

Template Description

Vulnerability Scans (Common)

Advanced Network Scan
The most configurable scan type. You can configure this scan template to match any policy. This
template has the same default settings as the basic scan template, but it allows for additional
configuration options.

Note: Advanced scan templates allow Tenable Vulnerability Management experts to scan more deeply
using custom configuration, such as faster or slower checks, but misconfigurations can cause asset
outages or network saturation. Use the advanced templates with caution.

Note: Tenable automatically updates this template with any newly-released plugin families in which
plugins rely on network traffic for detection.

Basic Network Scan
Performs a full system scan that is suitable for any host. Use this template to scan an asset or
assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability
scan on your organization's systems.

Credentialed Patch Audit
Authenticates hosts and enumerates missing updates.

Use this template with credentials to give Tenable Vulnerability Management direct access to the
host, scan the target hosts, and enumerate missing patch updates.

Host Discovery
Performs a simple scan to discover live hosts and open ports.

Launch this scan to see what hosts are on your network and associated information such as IP
address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you
can choose what hosts you want to target in a specific vulnerability scan.

Tenable recommends that organizations who do not have a passive network monitor, such as Tenable
Network Monitor, run this scan weekly to discover new assets on your network.

Note: Assets identified by discovery scans do not count toward your license.

Internal PCI Network Scan
Performs an internal PCI DSS (11.2.1) vulnerability scan.

This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning
requirements for ongoing vulnerability management programs that satisfy PCI compliance
requirements. You can use these scans for ongoing vulnerability management and to perform rescans
until passing or clean results are achieved. You can provide credentials to enumerate missing
patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a
quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS
11.2.3).

Legacy Web App Scan
Uses a Tenable Nessus scanner to scan your web applications.

Note: Unlike the Tenable Web App Scanning scanner, the Tenable Nessus scanner does not use a
browser to scan your web applications. Therefore, a Legacy Web App Scan is not as comprehensive as
Tenable Web App Scanning.

Mobile Device Scan
Assesses mobile devices via Microsoft Exchange or an MDM.

PCI Quarterly External Scan
Performs quarterly external scans as required by PCI.

Note: Because the nature of a PCI ASV scan is more paranoid and may lead to false positives, the
scan data is not included in the aggregate Tenable Vulnerability Management data. This is by design.

Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards,
reports, and workbenches intentionally. This is due to the scan's paranoid nature, which may lead to
false positives that Tenable Vulnerability Management would otherwise not detect. For more
information, see Tenable PCI ASV Scans.

Configuration Scans

Audit Cloud Infrastructure
Audits the configuration of third-party cloud services.

You can use this template to scan the configuration of Amazon Web Services (AWS), Google Cloud
Platform, Microsoft Azure, Rackspace, Salesforce.com, and Zoom, given that you provide credentials
for the service you want to audit.

MDM Config Audit
Audits the configuration of mobile device managers.

The MDM Config Audit template reports on a variety of MDM vulnerabilities, such as password
requirements, remote wipe settings, and the use of insecure features, such as tethering and
Bluetooth.

Offline Config Audit
Audits the configuration of network devices.

Offline configuration audits allow Tenable Vulnerability Management to scan hosts without the need
to scan over the network or use credentials. Organizational policies may not allow you to scan
devices or know credentials for devices on the network for security reasons. Offline configuration
audits use host configuration files from hosts to scan instead. Through scanning these files, you
can ensure that devices' settings comply with audits without the need to scan the host directly.

Tenable recommends using offline configuration audits to scan devices that do not support secure
remote access and devices that scanners cannot access.

Policy Compliance Auditing
Audits system configurations against a known baseline.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan
is limited by the total runtime and memory that the audit files require. Exceeding this limit may
lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that
audit selection in your scan policies be targeted and specific for the scan's scope and compliance
requirements.

The compliance checks can audit against custom security policies, such as password complexity,
system settings, or registry values on Windows operating systems. For Windows systems, the
compliance audits can test for a large percentage of anything that can be described in a Windows
policy file. For Unix systems, the compliance audits test for running processes, user security
policy, and content of files.

SCAP and OVAL Auditing
Audits systems using SCAP and OVAL definitions.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol
(SCAP) is a set of policies for managing vulnerabilities and policy compliance in government
agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and
FDCC policies.

• SCAP compliance auditing requires sending an executable to the remote host.

• Systems running security software (for example, McAfee Host Intrusion Prevention) may block or
quarantine the executable required for auditing. For those systems, you must make an exception for
either the host or the executable sent.

• When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to
test compliance standards as specified in NIST’s Special Publication 800-126.

Tactical Scans

Active Directory Identity
Use a Domain User account to query AD identity information. This policy enumerates Active Directory
identity information via LDAPS. It requires Domain User credentials, LDAPS configuration, and an
Active Directory Domain Controller as the scan target.

Active Directory Starter Scan
Scans for misconfigurations in Active Directory.

Use this template to check Active Directory for Kerberoasting, weak Kerberos encryption, Kerberos
pre-authentication validation, non-expiring account passwords, unconstrained delegation, null
sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank
passwords.

Credential Validation
A lightweight scan template used to verify that host credential pairs for Windows and Unix
successfully authenticate to scan targets. Use this scan template to quickly diagnose credential
pair issues in your network.

Find AI
Scans for AI, LLM, and ML-related vulnerabilities.

Malware Scan
Scans for malware on Windows and Unix systems.

Nessus 10.8.0 / 10.8.1 Agent Reset
Scan to find, reset, and update Tenable Agents on versions 10.8.0 and 10.8.1. For more information,
see the upgrade notes of the Tenable Agent 10.8.2 release notes.

Ping-Only Discovery
A simple scan to discover live hosts with minimal network traffic.

Tenable-Provided Tenable Agent Templates


There are two agent template categories in Tenable Vulnerability Management:

• Vulnerability Scans — Tenable recommends using vulnerability scan templates for most of your
organization's standard, day-to-day scanning needs.

• Inventory Collection — Unlike standard Tenable Agent vulnerability scans, the Collect
Inventory template provides faster scan results and reduces the scan's system footprint.
Agent-based inventory scans gather basic information from a host and upload it to Tenable
Vulnerability Management. Then, Tenable Vulnerability Management analyzes the information
against missing patches and vulnerabilities as Tenable releases coverage. This reduces the
performance impact on the target host while also reducing the time it takes for an analyst to
see the impact of a recent patch.

Note: If a plugin requires authentication or settings to communicate with another system, the
plugin is not available on agents. This includes, but is not limited to:
• Patch management
• Mobile device management
• Cloud infrastructure audit
• Database checks that require authentication

The following table describes the available Tenable Agent templates:

Template Description

Vulnerability Scans

Advanced Agent Scan
An agent scan without any recommendations, so that you can fully customize the scan settings. In
Tenable Vulnerability Management, the Advanced Agent Scan template allows for two scanning methods:

• Scan Window - Specify the timeframe during which the agent must report to be included and
visible in vulnerability reports.

• Triggered Scans - Provide the agent with specific criteria that indicate when to launch a scan.
The agent launches the scan when one (or more) of the criteria are met. For more information, see
Basic Settings in the Tenable Vulnerability Management User Guide.

Note: When you create an agent scan using the Advanced Agent Scan template, you must also select
the plugins you want to use for the scan.

Agent Log4Shell
Agent detection of Apache Log4j CVE-2021-44228.

Basic Agent Scan
Scans systems connected via Tenable Agents.

Malware Scan
Scans for malware on systems connected via Tenable Agents.

Tenable Agent detects malware using a combined allow list and block list approach to monitor known
good processes, alert on known bad processes, and identify coverage gaps between the two by
flagging unknown processes for further inspection.

PCI Internal Nessus Agent
Perform an internal PCI DSS 4.0 credentialed vulnerability scan.

This template creates scans that you can use to satisfy internal (PCI DSS 4.0) scanning
requirements for ongoing vulnerability management programs that satisfy PCI compliance
requirements. You can use these scans for ongoing vulnerability management and to perform rescans
until passing or clean results are achieved. You can provide credentials to enumerate missing
patches and client-side vulnerabilities.

PCI DSS 4.x provides the ability to use a customized approach objective. Using PCI DSS 4.x, this
template provides the most comprehensive view of local vulnerabilities on your systems.

For systems where agents cannot be installed, the defined approach in 11.3.1.2 (by way of the
Internal PCI Network Scan template) is still applicable. Internal, uncredentialed network scans are
still required to cover vulnerabilities related to network services by port scans.

Note: Tenable highly recommends configuring the Open Agent Port profile setting for any agents that
run scans based on this template to avoid asset duplication. For more information, see Agent
Profiles.

Note: Tenable assessors do not review internal PCI scans for false positives or compensating
controls. Therefore, Tenable highly recommends using your organization's internal security assessor
(ISA) or qualified security assessor (QSA) to validate internal scan findings.

Policy Compliance Auditing
Audits system configurations against a known baseline for systems connected via Tenable Agents.

The compliance checks can audit against custom security policies, such as password complexity,
system settings, or registry values on Windows operating systems. For Windows systems, the
compliance audits can test for a large percentage of anything that can be described in a Windows
policy file. For Unix systems, the compliance audits test for running processes, user security
policy, and content of files.

SCAP and OVAL Agent Auditing
Audits systems using SCAP and OVAL definitions for systems connected via Tenable Agents.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol
(SCAP) is a set of policies for managing vulnerabilities and policy compliance in government
agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and
FDCC policies.

• SCAP compliance auditing requires sending an executable to the remote host.

• Systems running security software (for example, McAfee Host Intrusion Prevention) may block or
quarantine the executable required for auditing. For those systems, you must make an exception for
either the host or the executable sent.

• When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to
test compliance standards as specified in NIST’s Special Publication 800-126.

Inventory Collection

Collect Inventory
Scans with a compiled, limited selection of software inventory plugins.

This template provides faster scan results and a reduced system footprint because the agent only
performs checks that collect asset information (for example, installed software and IP addresses).
This scanning method is sometimes referred to as inventory scanning in the Tenable Vulnerability
Management user interface and documentation.

Collect Inventory scans provide coverage for:

• Red Hat local security checks

• Oracle Linux local security checks

• CentOS local security checks

• Amazon Linux local security checks

• Debian local security checks

• Fedora local security checks

• SUSE local security checks

• Ubuntu local security checks

• Windows/Microsoft bulletin checks (All Windows roll-up checks since 2017)

Collect Inventory scans do not currently provide coverage for:

• Malware and compliance checks

• Third-party Linux application detection (for example, Apache HTTP or Postgres) for instances not
installed via dpkg or rpm

• Third-party Windows applications (for example, Google Chrome or Mozilla Firefox)

• Microsoft product Patch Tuesday updates (for example, Exchange or SharePoint)

Note: An asset that Tenable Vulnerability Management has performed inventory scanning on continues
to report vulnerabilities until the asset ages out, even if the asset is offline.

Tenable-Provided Tenable Web App Scanning Templates


The following table describes the available Tenable Web App Scanning scan templates:

Template Description

API
A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described via an
OpenAPI (Swagger) specification file. File attachment size is limited to 1 MB.

Tip: If the API you want to scan requires keys or a token for authentication, you can add the
expected custom headers in the Advanced settings in the HTTP Settings section.

Note: The API scan template is available as a public beta. Its functionality is subject to change
as ongoing improvements are made throughout the beta period.

Note: API scans support only one target at a time.

Config Audit
A high-level scan that analyzes HTTP security headers and other externally facing configurations on
a web application to determine if the application is compliant with common security industry
standards.

If you create a scan using the Config Audit scan template, Tenable Web App Scanning analyzes your
web application only for plugins related to security industry standards compliance.

Log4Shell
Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Overview
A high-level preliminary scan that determines which URLs in a web application Tenable Web App
Scanning scans by default.

The Overview scan template does not analyze the web application for active vulnerabilities.
Therefore, this scan template does not offer as many plugin family options as the Scan template.

PCI
A scan that assesses web applications for compliance with Payment Card Industry Data Security
Standards (PCI DSS) for Tenable PCI ASV.

Quick Scan
A high-level scan similar to the Config Audit scan template that analyzes HTTP security headers and
other externally facing configurations on a web application to determine if the application is
compliant with common security industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan template, Tenable Vulnerability Management analyzes
your web application only for plugins related to security industry standards compliance.

Scan
A comprehensive scan that assesses web applications for a wide range of vulnerabilities.

The Scan template provides plugin family options for all active web application plugins.

If you create a scan using the Scan template, Tenable Web App Scanning analyzes your web
application for all plugins that the scanner checks for when you create a scan using the Config
Audit, Overview, or SSL TLS templates, as well as additional plugins to detect specific
vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a web application and
takes longer to complete than other Tenable Web App Scanning scans.

SSL TLS
A scan to determine if a web application uses SSL/TLS public-key encryption and, if so, how the
encryption is configured.

When you create a scan using the SSL TLS template, Tenable Web App Scanning analyzes your web
application only for plugins related to SSL/TLS implementation. The scanner does not crawl URLs or
assess individual pages for vulnerabilities.

User-Defined Templates

Required Template Permissions: Owner

Tenable provides a variety of scan templates for specific scanning purposes. If you want to
customize a Tenable-provided scan template and share it with other users, you can create a user-
defined scan template.

For information about any scan settings, see Scan Settings.

You can create, edit, copy, export, or delete user-defined Tenable Vulnerability Management and
Tenable Web App Scanning scan templates from the Scans page. You can also import and export
Tenable Vulnerability Management scan templates.

To manage your user-defined scan templates:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the upper-right corner of the page, click the Tools button.

A menu appears.

3. Select Manage Scan Templates.

The Scan Templates page appears.

4. Below Scan Templates, choose to view Vulnerability Management Scan Templates or Web
Application Scan Templates.

The scan template table updates based on your selection.

Click a template to view or edit its settings and parameters, or use the following procedures to
further manage your user-defined templates:

Create a user-defined template

You can create user-defined scan templates to save and share custom scan settings with other
Tenable Vulnerability Management users.

When you define a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

To create a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Create Template button.

The Select a Template page appears.

4. Click the tile for the template you want to use as the base for your user-defined scan template.

The Create a Template page appears.

5. Do one of the following:

• If you are creating a Tenable Vulnerability Management scan template, use the following
procedure:

a. Configure the scan template:

Tab Action

Settings
Configure the settings available in the scan template.

• Basic Settings — Specifies the name of the scan template, its description, and who has
permissions for the scan template.

• Discovery Settings — Specifies how a scan performs discovery and port scanning.

• Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of
a system to brute force attacks, and the susceptibility of web applications.

• Report Settings — Specifies whether the scan generates a report.

• Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed
scan.

Compliance/SCAP
Specify the platforms you want to audit. Tenable, Inc. provides best practice audits for each
platform. Additionally, you can upload a custom audit file.

Plugins
Select security checks by plugin family or individual plugin.

• If you are creating a Tenable Web App Scanning scan, use the following procedure:

a. Configure the scan:

Tab Action

Settings
Configure the settings available in the scan template. For more information, see Basic Settings in
Tenable Web App Scanning Scans.

Scope
Specify the URLs and file types that you want to include in or exclude from your scan. For more
information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment
Specify how a scan identifies vulnerabilities and what vulnerabilities the scan identifies. This
includes identifying malware, assessing the vulnerability of a system to brute force attacks, and
the susceptibility of web applications. For more information, see Assessment Settings in Tenable
Web App Scanning Scans.

Advanced
Specify advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed
scan.

Plugins
Select security checks by plugin family or individual plugin.

6. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of scan templates on the Scan Templates page.

Edit a user-defined template

Required Template Permissions: Can Configure

To edit a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scan templates table, click the scan template you want to edit.

The Edit a Scan Template page appears.

6. Do one of the following:

• If you are editing a Tenable Vulnerability Management scan template, use the following
procedure:

a. Configure the scan template options:

Tab Action

Settings
Configure the settings available in the scan template.

• Basic Settings — Specifies the name of the scan template, its description, and who has
permissions for the scan template.

• Discovery Settings — Specifies how a scan performs discovery and port scanning.

• Assessment Settings — Specifies how a scan identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of
a system to brute force attacks, and the susceptibility of web applications.

• Report Settings — Specifies whether the scan generates a report.

• Advanced Settings — Specifies advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed
scan.

Compliance/SCAP
Specify the platforms you want to audit. Tenable, Inc. provides best practice audits for each
platform. Additionally, you can upload a custom audit file.

Plugins
Select security checks by plugin family or individual plugin.

• If you are editing a Tenable Web App Scanning scan template, use the following procedure:

a. Configure the scan template options:

Tab Action

Settings
Configure the settings available in the scan template. For more information, see Basic Settings in
Tenable Web App Scanning Scans.

Scope
Specify the URLs and file types that you want to include in or exclude from your scan. For more
information, see Scope Settings in Tenable Web App Scanning Scans.

Assessment
Specify how a scan identifies vulnerabilities and what vulnerabilities the scan identifies. This
includes identifying malware, assessing the vulnerability of a system to brute force attacks, and
the susceptibility of web applications. For more information, see Assessment Settings in Tenable
Web App Scanning Scans.

Advanced
Specify advanced controls for scan efficiency.

Credentials
Specify credentials you want Tenable Vulnerability Management to use to perform a credentialed
scan.

Plugins
Select security checks by plugin family or individual plugin.

7. Click Save.

Tenable Vulnerability Management saves the user-defined scan template and adds it to the list
of templates on the Scan Templates page.

Copy a user-defined template

When you copy a user-defined scan template, Tenable Vulnerability Management assigns you
owner permissions for the copy. You can share the copy by assigning template permissions to other
users, but only you can delete the copied scan template.

To copy a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scans table, roll over the scan you want to launch.

6. In the row, click the button.

A menu appears.

7. In the menu, click the button.

A Template copied message appears. Tenable Vulnerability Management creates a copy of the scan
template with Copy of prepended to the name and assigns you owner permissions for the copy. The
copy appears in the scan templates table.

Export a user-defined template (Tenable Vulnerability Management only)

You can export a user-defined scan template for later import.

Note: Tenable Vulnerability Management does not export passwords, credentials, and file-based settings
(for example, .audit files and the SSH known_hosts file) in user-defined scan templates.

To export a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the scans table, roll over the scan template you want to export.

6. In the row, click the button.

A menu appears.

7. In the row, click the button.

Tenable Vulnerability Management exports the user-defined scan template as a .nessus file.

Note: To learn more about the .nessus file format, see Nessus File Format.

Import a user-defined template (Tenable Vulnerability Management only)

When you import a scan template, Tenable Vulnerability Management assigns you owner
permissions for the scan template. You can share the scan template by assigning template
permissions to other users, but only you can delete the scan template.

Tenable Vulnerability Management does not include passwords or compliance audit files in
exported user-defined scan templates. You must add these settings in manually after importing the
scan template.

To import a user-defined scan template:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. In the upper-right corner of the page, click the Import button.

Your file manager appears.

6. Select the scan template you want to import.

7. Click Open.

A Template uploaded message appears, and the scan template appears on the Scan
Templates page.

What to do next:
• As needed, add passwords and compliance audit files to the imported template.
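
The export note and the import follow-up above can be checked on the file itself. This added example (not Tenable's code) lists the password-type and file-type preferences in an exported template and reports whether each is empty or still populated, without ever returning the values. The element names (Policy, PluginsPreferences, item, preferenceType, selectedValue) are assumed from the .nessus v2 layout, which this guide does not describe; the sample XML, plugin names, IDs, and values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed export. Element names follow the .nessus v2 policy layout (an assumption:
# the guide does not describe the format); plugin names, IDs and values are made up.
SAMPLE_EXPORT = """<NessusClientData_v2>
  <Policy>
    <policyName>Constructed template</policyName>
    <Preferences>
      <PluginsPreferences>
        <item>
          <pluginName>Example SSH settings</pluginName>
          <pluginId>900001</pluginId>
          <preferenceName>SSH user name :</preferenceName>
          <preferenceType>entry</preferenceType>
          <selectedValue>scanuser</selectedValue>
        </item>
        <item>
          <pluginName>Example SSH settings</pluginName>
          <pluginId>900001</pluginId>
          <preferenceName>SSH password :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue></selectedValue>
        </item>
        <item>
          <pluginName>Example database settings</pluginName>
          <pluginId>900002</pluginId>
          <preferenceName>Password :</preferenceName>
          <preferenceType>password</preferenceType>
          <selectedValue>constructed-secret-value</selectedValue>
        </item>
        <item>
          <pluginName>Example compliance checks</pluginName>
          <pluginId>900003</pluginId>
          <preferenceName>Policy file #1 :</preferenceName>
          <preferenceType>file</preferenceType>
          <selectedValue></selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>"""

# Preference types the export note says are not carried over.
SENSITIVE_TYPES = {"password", "file"}


def audit_template(xml_text):
    """Return which password/file preferences are populated or empty, never their values."""
    # A template export has no reason to carry a DTD; refusing one avoids entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in template export")
    root = ET.fromstring(xml_text)
    report = {
        "policy": (root.findtext("./Policy/policyName") or "").strip(),
        "populated": [],  # still carries a value: review before sharing the file
        "empty": [],      # must be re-entered after import
    }
    for item in root.iter("item"):
        ptype = (item.findtext("preferenceType") or "").strip().lower()
        if ptype not in SENSITIVE_TYPES:
            continue
        label = "{} / {}".format(
            (item.findtext("pluginName") or "").strip(),
            (item.findtext("preferenceName") or "").strip(),
        )
        value = (item.findtext("selectedValue") or "").strip()
        report["populated" if value else "empty"].append((ptype, label))
    return report


if __name__ == "__main__":
    result = audit_template(SAMPLE_EXPORT)
    print("Template:", result["policy"])
    for ptype, label in result["populated"]:
        print("STILL SET  [{}] {}".format(ptype, label))
    for ptype, label in result["empty"]:
        print("RE-ADD     [{}] {}".format(ptype, label))
```

A populated password entry contradicts the export behavior described in the note, so treat it as a reason to inspect the file before sharing it; the empty entries are the checklist of settings to add back after import.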

Delete a user-defined template

If you delete a user-defined scan template, Tenable Vulnerability Management deletes it from all
user accounts.

Before you begin:

• Delete any scans that use the template you want to delete. You cannot delete a scan template
if a scan is using the template.

To delete a user-defined scan template or templates:

1. In the left navigation, click Scans.

The Scans page appears.

2. Below Scans, choose to view Vulnerability Management Scans or Web Application Scans.

3. In the upper-right corner of the page, click the Tools button.

A menu appears.

4. Select Manage Scan Templates.

The Scan Templates page appears.

5. Select the scan template or templates you want to delete:

• Select a single scan template:

a. In the scans table, roll over the scan you want to launch.

b. In the row, click the button.

A menu appears.

c. In the menu, click the button.

A confirmation window appears.

• Select multiple scan templates:

a. In the scan templates table, select the check box for each scan template you want to delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

6. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the user-defined scan template or templates you
selected.

Change user-defined template ownership

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

Required Template Permissions: Owner

To change the ownership of a user-defined scan template in the new interface:

1. Edit a user-defined template.

2. In the left navigation menu, in the Settings section, click Basic.

The Basic settings appear.

3. In the User Permissions section, next to the permission drop-down for Owner, click the
button.

A list of available user accounts appears.

4. Select a user from the list.

Tenable Vulnerability Management automatically adds you to the list of users and assigns Can
View permissions to your user account.

5. (Optional) Remove all permissions for your user account:

a. In the user list, roll over your user account.

The button appears at the end of the listing.

b. Click the button.

Tenable Vulnerability Management removes your account from the list of users.

6. (Optional) Edit permissions for your user account:

a. Next to the permission drop-down for your user account, click the button.

b. Select a permission.

7. Click Save.

Tenable assigns ownership to the selected user and assigns your user account the
permissions you selected. If you removed all permissions for your user account from the
template, the template no longer appears in the templates table.

Scan Settings
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Scan settings are organized into the following categories:

Tenable Vulnerability Management Scans:

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Vulnerability Management Scans
- Discovery Settings in Tenable Vulnerability Management Scans
- Assessment Settings in Tenable Vulnerability Management Scans
- Report Settings in Tenable Vulnerability Management Scans
- Advanced Settings in Tenable Vulnerability Management Scans
- Credentials in Tenable Vulnerability Management Scans
- Compliance in Tenable Vulnerability Management Scans
- SCAP Settings in Tenable Vulnerability Management Scans
- Configure Plugins in Tenable Vulnerability Management Scans

Tenable Web App Scanning Scans:

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Web App Scanning Scans
- Scope Settings in Tenable Web App Scanning Scans
- Report Settings in Tenable Web App Scanning Scans
- Assessment Settings in Tenable Web App Scanning Scans
- Advanced Settings in Tenable Web App Scanning Scans
- Credentials in Tenable Web App Scanning Scans
- Plugin Settings in Tenable Web App Scanning Scans

Settings in User-Defined Templates


When configuring settings for user-defined templates, note the following:

- If you configure a setting in a user-defined template, that setting applies to any scans you
  create based on that user-defined template.

- You base a user-defined template on a Tenable-provided template. Most of the settings are
  identical to the settings you can configure in an individual scan that uses the same
  Tenable-provided template.

  However, certain Basic settings are unique to creating a user-defined template, and do not
  appear when configuring an individual scan. For more information, see Basic Settings in
  User-Defined Templates.

- You can configure certain settings in a user-defined template, but cannot modify those settings
  in an individual scan based on a user-defined template. These settings include Discovery,
  Assessment, Report, Advanced, Compliance, SCAP, and Plugins. If you want to modify
  these settings for individual scans, create individual scans based on a Tenable-provided
  template instead.

- If you configure Credentials in a user-defined template, other users can override these
  settings by adding scan-specific or managed credentials to scans based on the template.

Tenable Vulnerability Management Scan Settings


Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or user-defined template is based.

You can configure these settings in individual scans or in user-defined templates from which you
create individual scans.

Tenable Vulnerability Management scan settings are organized into the following categories:

- Basic Settings in User-Defined Templates
- Basic Settings in Tenable Vulnerability Management Scans
- Discovery Settings in Tenable Vulnerability Management Scans
- Assessment Settings in Tenable Vulnerability Management Scans
- Report Settings in Tenable Vulnerability Management Scans
- Advanced Settings in Tenable Vulnerability Management Scans
- Credentials in Tenable Vulnerability Management Scans
- Compliance in Tenable Vulnerability Management Scans
- SCAP Settings in Tenable Vulnerability Management Scans
- Configure Plugins in Tenable Vulnerability Management Scans

Basic Settings in Tenable Vulnerability Management Scans

Note: This topic describes Basic settings you can set in individual scans. For Basic settings in user-defined
templates, see Basic Settings in User-Defined Templates.

You can use Basic settings to specify organizational and security-related aspects of a scan
configuration. This includes specifying the name of the scan, its targets, whether the scan is
scheduled, and who has access to the scan.

Note: To learn more about scan limitations in Tenable Vulnerability Management, see Scan Limitations.

The Basic settings include the following sections:

- General
- Schedule
- Notifications
- User Permissions

General
The general settings for a scan.

Setting: Name
Default Value: None
Description: Specifies the name of the scan.

Setting: Description
Default Value: None
Description: (Optional) Specifies a description of the scan.

Setting: Scan Results
Default Value: Show in dashboard
Description: Specifies whether the results of the scan should appear in workbenches,
  dashboards, and reports, or be kept private.

  When set to Keep private, the scan results Last Seen dates do not update and you must access
  the scan directly to view the results.

  Private scan results do not show new Active findings in the workbenches, dashboards, and
  reports, and they do not transition the vulnerability states of previously discovered
  findings to Fixed or Resurfaced.

  Note: Show in dashboard is always enabled for triggered scans.

Setting: Folder
Default Value: My Scans
Description: Specifies the folder where the scan appears after being saved.

  You cannot specify a folder when you launch a remediation scan. All remediation scans appear
  in the Remediation Scans folder only.

Setting: Agent Groups
Default Value: None
Description: (Tenable Agent templates only) Specifies the agent group or groups you want the
  scan to target. In the drop-down box, select an existing agent group, or create a new agent
  group.

Setting: Template
Default Value: n/a
Description: Specifies which scan template the scan configuration uses. This setting is
  visible only if you own the scan configuration.

Setting: Scanner Type
Default Value: Internal Scanner
Description: Specifies whether a local, internal scanner or a cloud-managed scanner performs
  the scan, and determines whether the Scanner field lists local or cloud-managed scanners to
  choose from.

Setting: Scanner
Default Value: Auto-Select
Description: Specifies the scanner that performs the scan.

  Select a scanner based on the location of the targets you want to scan. For example:

  - Select a linked scanner to scan non-routable IP addresses.

    Note: Auto-select is not available for cloud scanners.

  - Select a scanner group if you want to:

    - Improve scan speed by balancing the scan load among multiple scanners.
    - Rebuild scanners and link new scanners in the future without having to update scanner
      designations in scan configurations.

  - Select Auto-Select to enable scan routing for the targets.

Setting: Network
Default Value: Default
Description: Select the network of scanners and assets that you want to scan with.

  Unless your organization has created and uses custom networks for specific business needs
  (for example, scanning different sub-organizations, differentiating between external and
  internal asset scanning, or differentiating between ephemeral and static asset scanning),
  Tenable recommends using the Default network, which all scanners and scanner groups are
  assigned to by default.

  For more information about networks, see Networks.

Setting: Tags
Default Value: None
Description: Select one or more tags to scan all assets that have any of the specified tags
  applied. To see a list of assets identified by the specified tags, click View Assets.

Setting: IP Selection
Default Value: Internal
Description: (Tenable Nessus scanner templates only) (Required) Select whether to run a
  tag-based scan on Internal or External IP addresses.

  - Internal — RFC 1918 (private) IP addresses.
  - External — Non-RFC 1918 (public) IP addresses.

  Note: You can use your organization's non-cloud scanners to scan both Internal and External
  targets. Cloud scanners can only be used to scan External targets.

  Tip: If you need to scan both External and Internal targets with the same tag or tags, create
  two different scan configurations: one scan that targets External IPs, and one scan that
  targets Internal IPs.

  Tenable Vulnerability Management evaluates the identifiers to determine a single target in
  the following order:

  1. Last scan target
  2. Most recent IPv4
  3. Most recent IPv6
  4. Most recent FQDN added

  Note: Scan routing is available for linked scanners only.

Setting: Use Tag Rules as Targets
Default Value: Existing tagged assets only
Description: (Tenable Nessus scanner templates only) (Required) Specifies whether Tenable
  Vulnerability Management scans tagged assets only, or any assets to which the selected tags'
  rules apply.

  - Existing tagged assets only — Tenable Vulnerability Management scans all existing assets
    that have any of the specified tags applied.

  - Targets defined by tags — Tenable Vulnerability Management scans all assets whose IP
    address or DNS matches the rules of the specified tag. The Targets defined by tags option
    only works for the following tag rules: IPv4, IPv6, and DNS.

    Note: If you select the Match All filter, you can have only one tag rule. Otherwise, the
    tag resolves to empty targets. If you select the Match Any filter, you are allowed to have
    more than one tag rule. All tag rules resolve as targets as long as the rules are for
    IPv4, IPv6, and DNS.

  For example, you create a scan policy that scans for a tag with a tag rule that specifies a
  certain IPv4 range. The example tag name is My IPv4s.

  - If you choose Existing tagged assets only, Tenable Vulnerability Management only scans
    assets that are already tagged with the My IPv4s tag.

  - If you choose Targets defined by tags, Tenable Vulnerability Management scans any assets
    whose IPv4 addresses are within the range specified in the My IPv4s tag rule.

  For more information about tags and tag rules, see Tags and Tag Rules.

Setting: Scan Window
Default Value: Disabled
Description: (Tenable Nessus Scanner templates only) Specifies the timeframe after which the
  scan automatically stops. Use the drop-down box to select an interval of time, or click to
  type a custom scan window.

  Note: The scan window timeframe only applies to the scan job. After the scan job completes
  within the timeframe, or once the scan job stops due to the scan window ending, Tenable
  Vulnerability Management may still need to index the scan job. This can cause the scan not
  to show as Completed after the scan window is complete. Once Tenable Vulnerability
  Management indexes the scan, it shows as Completed.

Setting: Scan Type
Default Value: Scan Window
Description: (Tenable Agent templates only) (Required) Specifies whether the agent scans occur
  based on a scan window or triggers:

  - Scan Window — Specifies the timeframe during which agents must report in order to be
    included and visible in vulnerability reports. Use the drop-down box to select an interval
    of time, or click to type a custom scan window.

    Window scans must be explicitly launched or scheduled to launch at a particular time.

  - Triggered Scan — Specifies the triggers that cause agents to report in. Use the drop-down
    boxes to select from the following trigger types:

    - Interval — The time interval (hours) between each scan (for example, every 12 hours).

    - File Name — The file name that triggers the agent scan. The scan triggers when the file
      name is detected in the trigger directory.

    Tip: You can set multiple triggers for a single scan, and the scan searches for the
    triggers in their listed order (in other words, if the first trigger does not trigger the
    scan, it searches for the second trigger).

    To learn more about triggered agent scanning, see Triggered Agent Scans.

    Note: Tenable Vulnerability Management ignores triggered agent scan data that is older
    than 14 days. This ensures that Tenable Vulnerability Management is not processing stale
    data from agents that have been offline for extended periods of time.

Setting: Info-level Reporting
Default Value:
  Triggered agent scans — After 10 scans
  Scan Window agent scans — After 10 days

  Note: Tenable highly recommends using the default values. Only lower the value if doing so
  is necessary for your organization.
Description: (Tenable Agent vulnerability templates only) (Required) Specifies how often the
  agent scan should report unchanged Info-severity vulnerability findings. To learn more about
  this setting, see Info-level Reporting.

  You can configure the agent scan to report all severity findings by launching a new baseline
  scan after one of the following intervals:

  - After number of scans — The agent scan reports all findings every x number of scans. You
    choose from the following increments: 4, 7, 10, 15, or 20 scans.

  - After number of days — The agent scan reports all findings after a set number of days
    after the previous day on which the agent scan last reported all findings. You choose from
    the following increments: 7, 10, 20, 30, 60, or 90 days.

  You can only set triggered agent scans to After number of scans. You can set Scan Window
  scans to either After number of scans or After number of days.

Setting: Target Groups
Default Value: None
Description: You can select or add a new target group to which the scan applies. Assets in the
  target group are used as scan targets.

  Note: Tenable plans to deprecate target groups in the near future. Currently, you can still
  create and manage target groups. However, Tenable recommends that you instead use tags to
  group and scan assets on your Tenable Vulnerability Management instance.

Setting: Targets
Default Value: None
Description: Specifies one or more targets to be scanned. If you select a target group or
  upload a target file, you are not required to specify additional targets.

  Targets can be specified using a number of different formats.

  The targets you specify must be appropriate to the scanner you select for the scan. For
  example, cloud scanners cannot scan non-routable IP addresses. Select an internal scanner
  instead.

  Tip: You can force Tenable Vulnerability Management to use a given hostname for a server
  during a scan by using the hostname[ip] syntax (for example, www.example.com[192.168.1.1]).
  However, you cannot use this approach if you enable scan routing for the scan.

  Note: You cannot apply more than 300,000 IP address targets to a scan. To learn more about
  scan limitations in Tenable Vulnerability Management, see Scan Limitations.

  Note: See Permissions for more information on how permissions affect targets.

Setting: Upload Targets
Default Value: None
Description: Uploads a text file that specifies the targets.

  The targets file must be formatted in the following manner:

  - ASCII file format
  - Only one target per line
  - No extra spaces at the end of a line
  - No extra lines following the last target

  Note: Unicode/UTF-8 encoding is not supported.

Setting: Select Targets
Default Value: n/a
Description: (--aws-scanner Tenable Nessus scanners only) Opens a window that allows you to
  select from a list of visible network scans via AWS IMDSv2. Use this page to select the AWS
  targets to scan, then click Confirm.

Setting: Policy
Default Value: None
Description: This setting appears only when the scan owner edits an existing scan that is
  based on a user-defined scan template.

  Note: After scan creation, you cannot change the Tenable-provided scan template on which a
  scan is based.

  In the drop-down box, select a user-defined scan template on which to base the scan. You can
  select user-defined scan templates for which you have Can View or higher permissions.

  In most cases, you set the user-defined scan template at scan creation, then keep the same
  template each time you run the scan. However, you may want to change the user-defined scan
  template when troubleshooting or debugging a scan. For example, changing the template makes
  it easy to enable or disable different plugin families, change performance settings, or
  apply dedicated debugging templates with more verbose logging.

  When you change the user-defined scan template for a scan, the scan history retains the
  results of scans run under the previously assigned template.
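
A pre-upload check for the Upload Targets file rules listed above, which also flags the two Targets caveats the guide gives (RFC 1918 addresses with a cloud scanner, and hostname[ip] with scan routing). This is an added example, not Tenable code: the function names and the sample file are constructed, and it assumes that a single newline ending the last target is acceptable and that a blank line between targets is not.

```python
import ipaddress
import re

# RFC 1918 ranges: the addresses the guide calls Internal (non-routable for a cloud scanner).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# hostname[ip] form from the guide's tip, for example www.example.com[192.168.1.1]
HOST_WITH_IP = re.compile(r"^([^\[\]\s]+)\[([^\[\]\s]+)\]$")


def is_rfc1918(text):
    """True when text is an IPv4 address or CIDR block that lies inside an RFC 1918 range."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False  # hostnames and other target formats are not classified here
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def check_targets_file(data, cloud_scanner=False, scan_routing=False):
    """Return sorted (line_number, problem) tuples for a targets file passed as bytes."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        # Report the line that holds the first non-ASCII byte and stop there.
        line_no = data.count(b"\n", 0, exc.start) + 1
        return [(line_no, "non-ASCII byte: Unicode/UTF-8 encoding is not supported")]

    lines = text.replace("\r\n", "\n").split("\n")
    # Assumption: one newline terminating the last target is not an "extra line".
    if lines and lines[-1] == "":
        lines.pop()

    # Number of lines up to and including the last one that holds a target.
    last = len(lines)
    while last > 0 and not lines[last - 1].strip():
        last -= 1

    problems = [(n, "extra line after the last target") for n in range(last + 1, len(lines) + 1)]
    for n, line in enumerate(lines[:last], start=1):
        target = line.strip()
        if not target:
            # Assumption: an empty line breaks the one-target-per-line rule.
            problems.append((n, "blank line between targets"))
            continue
        if line != line.rstrip():
            problems.append((n, "extra space at the end of the line"))
        if re.search(r"[\s,;]", target):
            problems.append((n, "more than one target on the line"))
            continue
        match = HOST_WITH_IP.match(target)
        if match and scan_routing:
            problems.append((n, "hostname[ip] cannot be used with scan routing"))
        address = match.group(2) if match else target
        if cloud_scanner and is_rfc1918(address):
            problems.append((n, "RFC 1918 address is not reachable from a cloud scanner"))
    return sorted(problems)


# Constructed sample file: documentation-range addresses and example.com hostnames only.
SAMPLE = (
    b"10.0.0.5\n"
    b"www.example.com[192.168.1.1]\n"
    b"203.0.113.7 \n"
    b"host-a.example.com, host-b.example.com\n"
    b"198.51.100.9\n"
    b"\n"
    b"\n"
)

if __name__ == "__main__":
    for line_no, problem in check_targets_file(SAMPLE, cloud_scanner=True, scan_routing=True):
        print(f"line {line_no}: {problem}")
```

Pass `cloud_scanner=True` or `scan_routing=True` to match the scanner and routing choices made for the scan; with both left off, only the file-format rules are checked.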

Schedule
The scan schedule settings.

By default, scans are not scheduled. When you first access the Schedule section, the Enable
Schedule setting appears, set to Off. To modify the settings listed on the following table, click the
Off button. The rest of the settings appear.

Note: Scheduled scans do not run if they are in the scan owner's Trash folder.

Caution: Tenable occasionally performs maintenance on Tenable Vulnerability Management. To avoid
performance issues, Tenable recommends not running or scheduling scans during maintenance windows.
For current maintenance status and updates, see the Tenable Status page.

Setting: Frequency
Default Value: Once
Description: Specifies how often the scan is launched.

  - Once: Schedule the scan at a specific time.

  - Daily: Schedule the scan to occur every 1-20 days, at a specific time.

  - Weekly: Schedule the scan to occur every 1-20 weeks, by time and day or days of the week.

  - Monthly: Schedule the scan to occur every 1-20 months, by:

    - Day of Month: The scan repeats monthly on a specific day of the month at the selected
      time. For example, if you select a start date of October 3, the scan repeats on the 3rd
      of each subsequent month at the selected time.

    - Week of Month: The scan repeats monthly on a specific day of the week. For example, if
      you select a start date of the first Monday of the month, the scan runs on the first
      Monday of each subsequent month at the selected time.

    Note: If you schedule your scan to recur monthly and by time and day of the month, Tenable
    recommends setting a start date no later than the 28th day. If you select a start date
    that does not exist in some months (for example, the 29th), Tenable Vulnerability
    Management cannot run the scan on those days.

  - Yearly: Schedule the scan to occur every 1-20 years, by time and date.

Setting: Starts
Default Value: Varies
Description: Specifies the exact date and time when a scan launches.

  The starting date defaults to the date when you are creating the scan. The starting time is
  the nearest half-hour interval. For example, if you create your scan on 09/08/2023 at
  9:16 AM, the default starting date and time is set to 09/08/2023 and 09:30.

Setting: Timezone
Default Value: Zulu
Description: Specifies the timezone of the value set for Starts.

Setting: Repeat Every
Default Value: Varies
Description: Specifies the interval at which a scan is relaunched. The default value of this
  item varies based on the frequency you choose.

Setting: Repeat On
Default Value: Varies
Description: Specifies what day of the week a scan repeats. This item appears only if you
  specify Weekly for Frequency.

  The value for Repeat On defaults to the day of the week on which you create the scan.

Setting: Repeat By
Default Value: Day of the Month
Description: Specifies when a monthly scan is relaunched. This item appears only if you
  specify Monthly for Frequency.

Setting: Summary
Default Value: N/A
Description: Provides a summary of the schedule for your scan based on the values you have
  specified for the available settings.
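
The monthly Day of Month caveat above, worked through as an added example that is not part of the Tenable guide: it projects a schedule, lists the months in which the start day does not exist, and reports the longest resulting gap between scans. The function names are hypothetical, and it assumes such months are simply skipped, as the note states.

```python
import calendar
from datetime import date


def monthly_day_of_month_runs(start, every=1, occurrences=12):
    """Project a Monthly / Day of Month schedule from its start date.

    Returns (ran, skipped): the run dates that exist, and the (year, month) pairs
    in which the start date's day number does not exist.
    """
    if not 1 <= every <= 20:
        raise ValueError("the guide allows a monthly interval of 1-20 months")
    ran, skipped = [], []
    for i in range(occurrences):
        # Count months from the start month, carrying overflow into the year.
        index = (start.month - 1) + i * every
        year, month = start.year + index // 12, index % 12 + 1
        days_in_month = calendar.monthrange(year, month)[1]
        if start.day <= days_in_month:
            ran.append(date(year, month, start.day))
        else:
            skipped.append((year, month))
    return ran, skipped


def longest_gap_days(ran):
    """Longest interval in days between two consecutive runs (0 with fewer than two runs)."""
    return max(((b - a).days for a, b in zip(ran, ran[1:])), default=0)


if __name__ == "__main__":
    # Constructed comparison: the same yearly projection for three start days.
    for day in (28, 29, 31):
        ran, skipped = monthly_day_of_month_runs(date(2025, 1, day))
        print(f"start day {day}: {len(ran)} runs, skipped {skipped}, "
              f"longest gap {longest_gap_days(ran)} days")
```

A start day of 31 leaves five months of a year without a scan, which matters when a compliance requirement expects a scan every calendar month.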

Notifications
The notification settings for a scan.

Setting: Email Recipient(s)
Default Value: None
Description: Specifies zero or more email addresses (separated by commas) that are alerted
  when a scan completes and the results are available.

Setting: Result Filters
Default Value: None
Description: Defines the type of information to be emailed.

User Permissions
You can share the scan with other users by setting permissions for users or groups. When you
assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission: No Access
Description: (Default user only) Groups and users set to this permission cannot interact with
  the scan in any way.

Permission: Can View
Description: Groups and users with this permission can view the results of the scan, export
  the scan results, and move the scan to the Trash folder. They cannot view the scan
  configuration or permanently delete the scan.

Permission: Can Execute
Description: In addition to the tasks allowed by Can View, groups and users with this
  permission can launch, pause, and stop a scan. They cannot view the scan configuration or
  permanently delete the scan.

  Note: In addition to Can Execute permissions for the scan, users running a scan must have
  Can Scan permissions in an access group for the specified target, or the scanner does not
  scan the target.

Permission: Can Edit
Description: In addition to the tasks allowed by Can Execute, groups and users with this
  permission can view the scan configuration and modify any setting. They cannot change the
  scan's ownership (only the scan owner can change scan ownership) or permanently delete the
  scan.

  Note: User roles override scan permissions in the following cases:

  - A basic user cannot run a scan or configure a scan, regardless of the permissions assigned
    to that user in the individual scan.

  - An administrator always has the equivalent of Can Edit permissions, regardless of the
    permissions set for the administrator account in the individual scan. This does not apply
    to user-defined scan templates.

Basic Settings in User-Defined Templates

Note: This topic describes Basic settings you can set in user-defined templates. For Basic settings in
individual scans, see Basic Settings in Tenable Vulnerability Management Scans.

You can use Basic settings to specify basic aspects of a user-defined template, including who has
access to the user-defined template.

The Basic settings include the following sections:

- General
- Permissions

General
The general settings for a user-defined template.

Setting: Name
Default Value: None
Description: Specifies the name of the user-defined template.

Setting: Description
Default Value: None
Description: (Optional) Specifies a description of the user-defined template.

Permissions
You can share the user-defined template with other users by setting permissions for users or
groups. When you assign a permission to a group, that permission applies to all users within the
group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.

Permission: No Access
Description: (Default user only) Groups and users set to this permission cannot interact with
  the scan in any way.

Permission: Can View
Description: Groups and users with this permission can view the results of the scan, export
  the scan results, and move the scan to the Trash folder. They cannot view the scan
  configuration or permanently delete the scan.

Permission: Can Execute
Description: In addition to the tasks allowed by Can View, groups and users with this
  permission can launch, pause, and stop a scan. They cannot view the scan configuration or
  permanently delete the scan.

  Note: In addition to Can Execute permissions for the scan, users running a scan must have
  Can Scan permissions in an access group for the specified target, or the scanner does not
  scan the target.

Permission: Can Edit
Description: In addition to the tasks allowed by Can Execute, groups and users with this
  permission can view the scan configuration and modify any setting for the scan except scan
  ownership. They can also delete the scan.

  Note: Only the scan owner can change scan ownership.

  Note: User roles override scan permissions in the following cases:

  - A basic user cannot run a scan or configure a scan, regardless of the permissions assigned
    to that user in the individual scan.

  - An administrator always has the equivalent of Can Edit permissions, regardless of the
    permissions set for the administrator account in the individual scan. This does not apply
    to user-defined scan templates.

Authentication
In user-defined templates, you can use Authentication settings to configure the authentication
Tenable Vulnerability Management performs for credentialed scanning.

Tip: The Authentication settings are equivalent to the Scan-wide Credential Type Settings in Tenable-
provided scan templates.

SNMPv1/v2c

equivalent to Scans > Credentials > Plaintext Authentication > SNMPv1/v2c

Settings: UDP Port, Additional UDP port #1, Additional UDP port #2, Additional UDP port #3
Default Value: 161 (each)
Description: Ports where Tenable Vulnerability Management attempts to authenticate on the host
  device.

HTTP

equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Setting: Login method
Default Value: POST
Description: Specify if the login action is performed via a GET or POST request.

Setting: Re-authenticate delay (seconds)
Default Value: 0
Description: The time delay between authentication attempts. Setting a time delay is useful to
  avoid triggering brute force lockout mechanisms.

Setting: Follow 30x redirections (# of levels)
Default Value: 0
Description: If a 30x redirect code is received from a web server, this setting directs
  Tenable Vulnerability Management to follow the link provided or not.

Setting: Invert authenticated regex
Default Value: Disabled
Description: A regex pattern to look for on the login page that, if found, tells Tenable
  Vulnerability Management that authentication was not successful (e.g., Authentication
  failed!).

Setting: Use authenticated regex on HTTP headers
Default Value: Disabled
Description: Rather than search the body of a response, Tenable Vulnerability Management can
  search the HTTP response headers for a given regex pattern to better determine
  authentication state.

Setting: Case insensitive authenticated regex
Default Value: Disabled
Description: The regex searches are case sensitive by default. This instructs Tenable
  Vulnerability Management to ignore case.

telnet/rsh/rexec

equivalent to Scans > Credentials > Plaintext Authentication > telnet/ssh/rexec

Setting: Perform patch audits over telnet
Default Value: Disabled
Description: Tenable Vulnerability Management uses telnet to connect to the host device for
  patch audits.

Setting: Perform patch audits over rsh
Default Value: Disabled
Description: Tenable Vulnerability Management uses rsh to connect to the host device for patch
  audits.

Setting: Perform patch audits over rexec
Default Value: Disabled
Description: Tenable Vulnerability Management uses rexec to connect to the host device for
  patch audits.

Windows

equivalent to Scans > Credentials > Host > Windows

Setting: Never send credentials in the clear
Default Value: Enabled
Description: By default, for security reasons, this option is enabled.

Setting: Do not use NTLMv1 authentication
Default Value: Enabled
Description: If the Do not use NTLMv1 authentication option is disabled, then it is
  theoretically possible to trick Tenable Vulnerability Management into attempting to log into
  a Windows server with domain credentials via the NTLM version 1 protocol. This provides the
  remote attacker with the ability to use a hash obtained from Tenable Vulnerability
  Management. This hash can be potentially cracked to reveal a username or password. It may
  also be used to directly log into other servers. Force Tenable Vulnerability Management to
  use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile
  Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol,
  this option is enabled by default.

Setting: Start the Remote Registry service during the scan
Default Value: Disabled
Description: This option tells Tenable Vulnerability Management to start the Remote Registry
  service on computers being scanned if it is not running. This service must be running in
  order for Tenable Vulnerability Management to execute some Windows local check plugins.

  Note: This option is disabled by default to improve default scan performance. Additionally,
  enabling this option can have implications depending on your network security
  implementation. For example, certain access control configurations for your network firewall
  might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB
  protocol) connections.

Setting: Enable administrative shares during the scan
Default Value: Disabled
Description: This option allows Tenable Vulnerability Management to access certain registry
  entries that can be read with administrator privileges.

  Note: This option is disabled by default to improve default scan performance. Additionally,
  enabling this option can have implications depending on your network security
  implementation. For example, certain access control configurations for your network firewall
  might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB
  protocol) connections.

SSH

equivalent to Scans > Credentials > Host > SSH

Setting: known_hosts file
Default Value: None
Description: If you upload an SSH known_hosts file, Tenable Vulnerability Management only
  attempts to log in to hosts in this file. This can ensure that the same username and
  password you are using to audit your known SSH servers is not used to attempt to log in to a
  system that may not be under your control.

Setting: Preferred port
Default Value: 22
Description: The port on which SSH is running on the target system.

Setting: Client version
Default Value: OpenSSH_5.0
Description: The type of SSH client Tenable Vulnerability Management impersonates while
  scanning.

Setting: Attempt least privilege
Default Value: Cleared
Description: Enables or disables dynamic privilege escalation. When enabled, Tenable
  Vulnerability Management attempts to run the scan with an account with lesser privileges,
  even if the Elevate privileges with option is enabled. If a command fails, Tenable
  Vulnerability Management escalates privileges. Plugins 101975 and 101976 report which
  plugins ran with or without escalated privileges.

  Note: Enabling this option may increase scan run time by up to 30%.

Amazon AWS

equivalent to Scans > Credentials > Cloud Services > Amazon AWS

Setting: Regions to access
Default Value: Rest of the World
Description: In order for Tenable Vulnerability Management to audit an Amazon AWS account, you
  must define the regions you want to scan. Per Amazon policy, you need different credentials
  to audit account configuration for the China region than you do for the rest of the world.

  Possible regions include:

  - GovCloud — If you select this region, you automatically select the government cloud (e.g.,
    us-gov-west-1).

  - Rest of the World — If you select this region, the following additional options appear:

    - us-east-1
    - us-east-2
    - us-west-1
    - us-west-2
    - ca-central-1
    - eu-west-1
    - eu-west-2
    - eu-central-1
    - ap-northeast-1
    - ap-northeast-2
    - ap-southeast-1
    - ap-southeast-2
    - sa-east-1

  - China — If you select this region, the following additional options appear:

    - cn-north-1
    - cn-northwest-1

Setting: HTTPS
Default Value: Enabled
Description: Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS)
  or an unencrypted (HTTP) connection.

Setting: Verify SSL Certificate
Default Value: Enabled
Description: Whether Tenable Vulnerability Management verifies the validity of the SSL digital
  certificate.

Rackspace

equivalent to Scans > Credentials > Cloud Services > Rackspace

Location | – | Location of the Rackspace Cloud instance. Possible locations include:

• Dallas-Fort Worth (DFW)
• Chicago (ORD)
• Northern Virginia (IAD)
• London (LON)
• Sydney (SYD)
• Hong Kong (HKG)

Microsoft Azure

equivalent to Scans > Credentials > Cloud Services > Amazon AWS

Subscription IDs | – | List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited.

Scan Targets

In Tenable Vulnerability Management, you can use a number of different formats when specifying
targets for a scan. The following tables contain target formats, examples, and a short explanation of
what occurs when Tenable Vulnerability Management scans that target type.

Note: Tenable limits the number of targets that you can scan in a single scan. For more information, see
Scan Limitations.

Note: For previously scanned assets, you can configure scan targets based on host attributes like
operating system or installed software, instead of host identifiers like IP address.

Tip: If a hostname target looks like either a link6 target (starts with the text "link6") or one of the two IPv6
range forms, put single quotes around the target to ensure that Tenable Vulnerability Management
processes it as a hostname.

Target Description | Example | Explanation

A single IPv4 address | 192.168.0.1 | Scans the single IPv4 address.

A single IPv6 address | 2001:db8::2120:17ff:fe56:333b | Scans the single IPv6 address.

A single link local IPv6 address with a scope identifier | fe80:0:0:0:216:cbff:fe92:88d0%eth0 | Scans the single IPv6 address. Use interface indexes, not interface names, for the scope identifier on Windows platforms.

A list of IPv4 addresses | 192.168.0.1, 192.168.0.32, 192.168.0.200, 192.168.0.255 | Scans a list of different IPv4 addresses.

An IPv4 range with a start and end address | 192.168.0.1-192.168.0.255 | Scans all IPv4 addresses between the start address and end address, including both addresses.

Caution: When entering a target range, do not enter a space before or after the hyphen (for example, 192.168.0.1 - 192.168.0.255). Tenable Vulnerability Management does not accept ranges in this format.

An IPv4 address with the last octet range replaced with numeric ranges | 192.168.0-1.3-5 | Scans all combinations of the values given in the octet ranges. In this example, scans: 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.1.3, 192.168.1.4 and 192.168.1.5

Caution: When entering a target range, do not enter a space before or after the hyphen (for example, 192.168.0 - 1.3 - 5). Tenable Vulnerability Management does not accept ranges in this format.

An IPv4 subnet with CIDR notation | 192.168.0.0/24 | Scans all addresses within the specified subnet. The address given is not the start address. Specifying any address within the subnet with the same CIDR scans the same set of hosts.

An IPv4 subnet with netmask notation | 192.168.0.0/255.255.255.128 | Scans all addresses within the specified subnet. The address is not a start address. Specifying any address within the subnet with the same netmask scans the same hosts.

A host resolvable to either an IPv4 or an IPv6 address | www.yourdomain.com | Scans the single host.

If Tenable Vulnerability Management can resolve the hostname to multiple addresses, Tenable Vulnerability Management scans the first resolved IPv4 address or, if Tenable Vulnerability Management cannot resolve an IPv4 address, the first resolved IPv6 address.

A host resolvable to an IPv4 address with CIDR notation | www.yourdomain.com/24 | Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet.

Tenable Vulnerability Management treats this format like any other IPv4 address with CIDR notation.

A host resolvable to an IPv4 address with netmask notation | www.yourdomain.com/255.255.252.0 | Resolves the hostname to an IPv4 address, then scans all addresses within the specified subnet.

Tenable Vulnerability Management treats this format like any other IPv4 address with netmask notation.

The text link6 optionally followed by an IPv6 scope identifier | link6 or link6%16 | Scans all hosts that respond to multicast ICMPv6 echo requests sent out on the interface specified by the scope identifier to the ff02::1 address. If no IPv6 scope identifier is given, the requests are sent out on all interfaces. Use interface indexes, not interface names, for the scope identifier on Windows platforms.

Some text with either a single IPv4 or IPv6 address within square brackets | Test Host 1[10.0.1.1] or Test Host 2[2001:db8::abcd] | Scans the IPv4 or IPv6 address within the brackets, like a normal single target.
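
The following Python sketch is an added example, not part of the Tenable guide and not Tenable's own parser. It expands the target formats from the table above that can be resolved offline (single addresses, comma-separated lists, start-end ranges, octet ranges, CIDR and netmask subnets, and the bracketed form) so that a target string can be compared with an authorized scope before a scan is launched. The function names and the authorized-network list are assumptions; hostname and link6 targets are rejected because they need DNS or a live interface.

```python
import ipaddress
import itertools
import re

# Dotted form in which each octet is one value or a lo-hi range, e.g. 192.168.0-1.3-5
OCTET_FORM = re.compile(r"\d{1,3}(-\d{1,3})?(\.\d{1,3}(-\d{1,3})?){3}")
# "Some text[address]" form from the last table row
BRACKET_FORM = re.compile(r"[^\[\]]*\[([^\[\]]+)\]")


def octet_values(field):
    """Return the values one octet field ('7' or '3-5') stands for."""
    lo, _, hi = field.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"invalid octet range {field!r}")
    return range(lo, hi + 1)


def expand_target(target):
    """Expand one target string into the list of addresses it covers."""
    t = target.strip()
    bracketed = BRACKET_FORM.fullmatch(t)
    if bracketed:
        t = bracketed.group(1).strip()
    # Table caution: a space before or after the hyphen is not accepted.
    if re.search(r"\s-|-\s", t):
        raise ValueError(f"space next to the hyphen in {target!r}")
    if "/" in t:
        # CIDR or netmask form. strict=False because the address given need
        # not be the start address; any address in the subnet selects it.
        # Large subnets produce large lists; this sketch does not cap them.
        return [str(a) for a in ipaddress.IPv4Network(t, strict=False)]
    if "-" in t and ":" not in t:
        left, _, right = t.partition("-")
        try:
            start = int(ipaddress.IPv4Address(left))
            end = int(ipaddress.IPv4Address(right))
        except ValueError:
            start = end = None
        if start is not None:
            # start-end range, both ends included
            if end < start:
                raise ValueError(f"range end precedes start in {target!r}")
            return [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        if not OCTET_FORM.fullmatch(t):
            raise ValueError(f"not an offline-expandable target: {target!r}")
        # Octet ranges: every combination of the per-octet values
        octets = [octet_values(f) for f in t.split(".")]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    # Single IPv4 or IPv6 address; hostnames and link6 raise ValueError here.
    return [str(ipaddress.ip_address(t))]


def expand_targets(spec):
    """Expand a comma-separated target list, dropping duplicates in order."""
    seen = {}
    for item in spec.split(","):
        if item.strip():
            for addr in expand_target(item):
                seen.setdefault(addr, None)
    return list(seen)


def out_of_scope(spec, authorized_cidrs):
    """Return the addresses in spec that fall outside every authorized network."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    return [a for a in expand_targets(spec)
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    # Constructed input: the octet-range example from the table plus one address.
    print(out_of_scope("192.168.0.1, 192.168.0-1.3-5", ["192.168.0.0/24"]))
```
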

Target Groups

You can still use target groups to manage your scan targets. However, Tenable recommends that you
instead use tags to group and scan your assets when possible. In the future, when tagging features and
options match those currently available in target groups, Tenable will convert your target groups into tags
and retire your existing target groups. No action is required on your part, and Tenable will provide you with
60 calendar days notice before converting and retiring your target groups. For more information, contact
your Tenable representative.

A target group allows you to construct a list of scan targets by FQDN, CIDR notation, or IP address
range. You can then specify which users in your organization can use the target group in scan
configurations or filtering dashboards (including workbenches).

Note: Tenable recommends limiting the number of targets in any single target group. When filtering a
dashboard by a target group with too many targets, Tenable Vulnerability Management may fail to show
data.

Note: Scan targets listed by CIDR notation must be in one of the following formats:

• xx.xx.0.0/16
• xx.xx.xx.0/24

If you grant a user permissions in a target group, the user can use the target group in the Target
Groups option for scan configuration. However, you must also grant the user Can Scan permissions
in an access group for the targets, or Tenable Vulnerability Management excludes the targets from
the scan results. For more information, see Permissions.

To manage target groups, use the following procedures:

Create a target group

System target groups:

Required User Role: Administrator

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

To create a target group in the new interface:

1. In the left navigation, click Settings.

The Settings page appears.

2. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

3. If you want to edit a user target group, click User. Otherwise, stay on the System target groups
tab.

4. In the upper-right corner of the page, click the Create Target Group button.

The Create a Target Group page appears.

5. Configure the General settings:

Setting | Description

Name | A name for the target group.

Targets | A comma-separated list of FQDNs, CIDR notation, or IP address ranges that you want to scan.

Note: Scan targets listed by CIDR notation must be in one of the following formats:
• xx.xx.0.0/16
• xx.xx.xx.0/24

Note: For the IP address range format (example: 192.168.0.1-192.168.0.255), Tenable Vulnerability Management supports a maximum count of "-" to 1023.

Upload Targets | A text file containing a comma-separated list of FQDNs or IP address ranges that you want to scan.

The system adds the uploaded targets to the Targets box after you save the target group.

6. Configure the user permissions for the group.

Note: If you grant a user permissions in a target group, the user can use the target group in the
Target Groups option for scan configurations. However, you must also grant the user Can Scan
permissions in an access group for the targets, or Tenable Vulnerability Management excludes the
targets from the scan results. For more information, see Access Groups.

7. Click Save.

One of the following occurs:

• If you configured user permissions for the target group, Tenable Vulnerability
Management creates the target group and adds it to the table on the Target Groups
page.

• If you retained the default No Access permissions for the target group, a confirmation
window appears.

In response, do one of the following:

    • If the default configuration is appropriate for the target group, click Continue to
    confirm your action.

    • If the default configuration is not appropriate for the target group, click Cancel to
    return to user permissions configuration for the target group.

Configure user permissions for a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: For auditing cloud infrastructure, Tenable Vulnerability Management requires a target group with
Can Scan permissions to be present on 127.0.0.1.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must
also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable
Vulnerability Management excludes the targets from the scan results. For more information, see Access
Groups.

To configure permissions for a target group:

1. Create or edit a target group.

2. In the User Permissions section, do one of the following:

• Change the permissions for the Default user

Note: The Default user represents any users that have not been specifically added to the
target group.

a. Next to the permission drop-down for the Default user, click the button.

b. Select a permissions level.

c. Click Save.

• Add permissions

a. Next to User Permissions, click the button.

The Add User Permission plane appears.

b. In the Add users or groups box, type the name of a user or group.

As you type, a filtered list of users and groups appears.

c. Select a user or group from the search results.

The selected user or group appears in the list of users and groups.

By default, Tenable Vulnerability Management assigns Can Use permissions to the new user or group.

d. Next to the permission drop-down for the user or group, click the button.

e. Select a permissions level.

f. Click Save.

• Edit permissions

a. Next to the permission drop-down for the user or group, click the button.

b. Select a permissions level.

c. Click Save.

• Delete permissions

a. In the list of users, roll over the user or group you want to delete.

b. Click the button next to the user or user group.

The user or group disappears from the permissions list.

c. Click Save.

Edit a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

Note: System target groups and the related asset isolation functionality are deprecated. To control
scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in scan
configurations and dashboard filters. However, Tenable recommends using user target groups
instead.

To edit a target group in the new interface:

1. In the left navigation, click Settings.

The Settings page appears.

2. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

3. If you want to edit a user target group, click User. Otherwise, stay on the System target groups
tab.

4. In the target groups table, click the target group you want to edit.

The Update a Target Group page appears.

5. Edit the General settings for the target group:

Setting | Description

Name | A name for the target group.

Targets | A comma-separated list of FQDNs, CIDR notation, or IP address ranges that you want to scan.

Upload Targets | A text file containing a comma-separated list of FQDNs or IP address ranges that you want to scan.

The system adds the uploaded targets to the Targets box after you save the target group.

6. Configure user permissions for the target group.

7. Click Save.

A confirmation window appears.

8. In the confirmation window, click Continue.

Tenable Vulnerability Management saves the changes to the target group.

Import a target group

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

You can import a target group as a .csv file.

Tip: To create or modify the .csv file, Tenable recommends using a robust editor such as Microsoft Excel.

Before you begin:


• Create a .csv file in the specified format.

To import a target group:

1. In the left navigation, click Settings.

The Settings page appears.

2. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

3. If you want to import a user target group, click User. Otherwise, stay on the System target
groups page.

Note: System target groups and the related asset isolation functionality are deprecated. To
control scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in
scan configurations and dashboard filters. However, Tenable recommends using user
target groups instead.

4. In the upper-right corner of the page, click the Import button.

Your operating system's file manager appears.

5. Select a .csv file to import.

Tenable Vulnerability Management imports the file and adds the target groups to the target
groups box.

Target Group Import File Format


Each line of the target group import file must have the following fields:

Field Name | Description

id | Numeric field used to identify the target group.

name | Field used to identify the name of the target group. You can use any combination of alphanumeric characters or symbols in the name field.

members | Field used to identify the host address or addresses to include in the target group.

creation_date | Numeric field in UNIX timestamp format.

last_modification_date | Numeric field in UNIX timestamp format.

Export a target group

Required Tenable Vulnerability Management User Role: Standard, Scan Manager, or Administrator

Required Target Group Permissions: Can Use

You can export a target group as a .csv file. Depending on your browser, the target group may
download automatically.

To export a target group or groups in the new interface:

1. In the left navigation, click Settings.

The Settings page appears.

2. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

3. If you want to export a user target group, click User. Otherwise, stay on the System target
groups tab.

Note: System target groups and the related asset isolation functionality are deprecated. To
control scan permissions, use access groups instead.
You can still create and edit system target groups, as well as use system target groups in
scan configurations and dashboard filters. However, Tenable recommends using user
target groups instead.

4. Select the target group or groups you want to export.

• Select a single target group.

a. In the target groups table, roll over the target group you want to export.

The action buttons appear in the row.

b. In the row, click the button.

Tenable Vulnerability Management automatically exports the target group or groups you selected as a single .csv file.

• Select multiple target groups.

a. In the target groups table, select the check boxes for each target group you want to
export.

The action bar appears at the bottom of the page.

b. Next to Target Groups, click the button.

Target Group Export File Header Fields


The following table describes the headers that appear in the exclusion export file.

Field Name | Description

id | Numeric identifier for the target group.

name | Alphanumeric name of the target group.

members | Host address(es) to be included in the target group.

creation_date | Date (in UNIX timestamp format) when the target group was created.

last_modification_date | Date (in UNIX timestamp format) when the target group was last modified.

Delete a target group

System target groups:

Required User Role: Administrator

Required Target Group Permissions: Any

User target groups:

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or
Administrator

Required Target Group Permissions: Can Change

To delete a target group in the new interface:

1. In the left navigation, click Settings.

The Settings page appears.

2. Click the Target Groups tile.

The Target Groups page appears. By default, the System tab is active. This tab contains a
table of system target groups.

3. If you want to delete a user target group, click User. Otherwise, stay on the System target
groups tab.

4. Select the target group or groups you want to delete:

• Select a single target group.

a. In the target groups table, roll over the target group you want to delete.

The action buttons appear in the row.

b. In the row, click the button.

A confirmation window appears.

• Select multiple target groups.

a. In the target groups table, select the check box for each target group you want to
delete.

The action bar appears at the bottom of the page.

b. In the action bar, click the button.

A confirmation window appears.

5. In the confirmation window, click Delete.

Tenable Vulnerability Management deletes the target group or groups you selected.

Target group permissions

The following table describes user permissions for both system and user target groups.

Permission | Description

System Target Group

No Access | (Default user only) Users assigned this permission cannot use the system target group to filter dashboards.

Can Use | Note: System target groups are deprecated; Tenable recommends using user target groups instead.

Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable Vulnerability Management excludes the targets from the scan results. For more information, see Access Groups.

User Target Group

No Access | (Default user only) Users assigned this permission cannot configure scans for hosts in the user target group or use hosts in the user target group to filter dashboards.

Can Use | Users assigned this permission can use hosts in the user target groups to filter dashboards and configure scans.

Note: To enable the user to use a target group in the Target Groups option for scan configurations, you must also grant the user Can Scan permissions in an access group for the targets. If you do not, Tenable Vulnerability Management excludes the targets from the scan results. For more information, see Access Groups.

Can Change | In addition to using hosts in this user target group when configuring scans and filtering dashboards, users assigned this permission can modify any setting for the target group except permissions.

Info-level Reporting

Info-level Reporting is a scan setting available for agent vulnerability scan templates. The setting
specifies how often the agent scan should report unchanged Info-severity vulnerability findings.

Description

Info-severity findings can account for up to 90% of agent scan findings. Most Info-level findings do
not change from scan to scan and have minimal impact on your overall network exposure.
Configuring Info-level Reporting can help minimize your scan processing times by decreasing the
number of unchanged Info-severity findings that Tenable Vulnerability Management processes after
every agent scan.

After you configure an agent scan, the first execution of that scan always reports all detected
findings regardless of severity level. This is known as a baseline scan. Subsequent scans return all
vulnerability findings with a severity of Low or higher, and any new or changed Info-level findings.
Agents do not re-report existing, unchanged Info-level findings to Tenable Vulnerability
Management until a new baseline scan is performed.

When you view agent vulnerability scan results in the Tenable Vulnerability Management user
interface, baseline scans are indicated with the baseline icon ( ). For example:

Note: The baseline icon does not appear for triggered scans, regardless of whether or not the
scan was a baseline scan.
The baseline icon always appears for scans whose scan configurations do not have the Info-
level Reporting setting. This is because every execution of that scan includes all findings and is,
therefore, a baseline scan.
The baseline icon does not appear for scans whose configurations have the Info-level
Reporting setting, but were run before the Info-level Reporting feature was released.

Configuration

You can configure the agent scan to report all severity findings by launching a new baseline scan
after one of the following intervals:

• After number of scans — The agent scan reports all findings every x number of scans. You
choose from the following increments: 7, 10, 15, or 20 scans.

For example, if you set the value to the default of 10, the agent scan reports all findings in its
next scan and then reports all findings again during every 10th scan. All interim scans only
return findings with a severity of Low or higher, as well as any new or changed Info-level
findings.

• After number of days — The agent scan reports all findings after a set number of days after the
previous day on which the agent scan last reported all findings. You choose from the following
increments: 7, 10, 20, 30, 60, or 90 days.

For example, if you set the value to the default of 10, the agent scan reports all findings in its
next scan. For 10 days, all interim scans return all findings with a severity of Low or higher and
any new or changed Info-level findings. After the 10-day period passes, the agent scan reports
all findings again in its next scan.

You can only set triggered agent scans to After number of scans. You can set Scan Window
scans to either After number of scans or After number of days.

The default value for triggered agent scans is After 10 scans, and the default value for Scan
Window agent scans is After 10 days. Tenable recommends using the default values. Only
lower the value if doing so is necessary for your organization.

In addition to Info-level Reporting, you can enable Force refresh of all Info-severity vulnerabilities
on next scan to force the agent scan to report all findings in the next scan. After the next scan
completes and reports all findings, the Info-level Reporting setting determines how often the scan
reports Info-severity findings.

Note: All vulnerability findings with a severity of Low or higher and new or changed Info-severity
vulnerabilities are always reported after every scan.

Limitations and Considerations


• Only agents version 10.5.0 and later can use the Info-level Reporting setting. Any agents on
earlier versions always perform baseline scans.

• The Info-level Reporting setting is not supported when Tenable Vulnerability Management is
connected to Tenable Security Center.

• Agent scans with configured Compliance settings do not support the Info-level Reporting
setting. All agent scans with Compliance settings configured are baseline scans.

• If you recast an Info-level plugin to a higher severity level (for example, Low or Medium), the
plugin is still affected by Info-level Reporting and excluded from non-baseline scans if the
plugin output has not changed.

• Each individual agent calculates the After number of scans value separately. Therefore,
triggered scans can return a combination of baseline and non-baseline results.

• Plugins 19506 (Nessus Scan Information) and 42980 (SSL Certificate Expiry) are always
reported in full with every scan.
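
The following Python model is an added example, not Tenable code. It applies the reporting rules and limitations described above to one agent's scan, to show which findings reach Tenable Vulnerability Management on a baseline and on a non-baseline scan. The numeric severity levels, the function and field names, and the plugin IDs 900001-900005 are constructed for illustration; only 19506, 42980 and the 10.5.0 version floor come from this guide.

```python
from dataclasses import dataclass
from typing import Optional

INFO = 0                          # assumed numeric level for Info severity
ALWAYS_REPORTED = {19506, 42980}  # reported in full with every scan (per the guide)
MIN_AGENT_VERSION = (10, 5, 0)    # earlier agents always perform baseline scans


@dataclass(frozen=True)
class Finding:
    plugin_id: int
    plugin_severity: int                   # severity defined by the plugin itself
    output: str                            # plugin output text
    recast_severity: Optional[int] = None  # recast rule, if any; ignored by the filter


def is_baseline(first_run, agent_version, compliance_configured,
                interval_elapsed, force_refresh=False):
    """Decide whether this scan reports all findings regardless of severity.

    interval_elapsed stands for the configured "After number of scans" or
    "After number of days" interval having been reached on this agent.
    """
    too_old = tuple(int(p) for p in agent_version.split(".")) < MIN_AGENT_VERSION
    return bool(first_run or too_old or compliance_configured
                or interval_elapsed or force_refresh)


def reported_findings(current, last_outputs, baseline):
    """Return the findings the agent reports for this scan.

    last_outputs maps plugin_id to the output most recently reported.
    """
    if baseline:
        return list(current)
    kept = []
    for f in current:
        unchanged = last_outputs.get(f.plugin_id) == f.output
        # Recasting does not exempt a plugin: the plugin's own severity decides.
        suppress = (f.plugin_severity == INFO and unchanged
                    and f.plugin_id not in ALWAYS_REPORTED)
        if not suppress:
            kept.append(f)
    return kept


# Constructed sample data for one agent.
PREVIOUS = {19506: "scan info", 900001: "service banner A", 900002: "os guess A",
            900004: "weak cipher", 900005: "inventory"}
CURRENT = [
    Finding(19506, INFO, "scan info"),            # always reported
    Finding(900001, INFO, "service banner A"),    # unchanged Info: suppressed
    Finding(900002, INFO, "os guess B"),          # changed Info: reported
    Finding(900003, INFO, "new software"),        # new Info: reported
    Finding(900004, 2, "weak cipher"),            # Low or higher: reported
    Finding(900005, INFO, "inventory", recast_severity=2),  # recast, unchanged: suppressed
]

if __name__ == "__main__":
    for f in reported_findings(CURRENT, PREVIOUS, baseline=False):
        print(f.plugin_id, f.output)
```
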

Discovery Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Discovery settings in the scan.
You can only modify these settings in the related user-defined template.

The Discovery settings relate to discovery and port scanning, including port ranges and methods.

Certain Tenable-provided scanner templates include preconfigured discovery settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured discovery settings, you can manually configure Discovery settings in
the following categories:

• Host Discovery

• Port Scanning

• Service Discovery

• Identity

Host Discovery
By default, some settings in the Host Discovery section are enabled. When you first access the
Host Discovery section, the Ping the remote host option appears and is set to On.

Setting | Default Value | Description

Ping the Remote Host | On | If set to On, the scanner pings remote hosts on multiple ports to determine if they are alive. Additional options General Settings and Ping Methods appear.

If set to Off, the scanner does not ping remote hosts on multiple ports during the scan.

Note: To scan VMware guest systems, Ping the remote host must be set to Off.

Scan Unresponsive Hosts | Disabled | Specifies whether the Nessus scanner scans hosts that do not respond to any ping methods. This option is only available for scans using the PCI Quarterly External Scan template.

General Settings

Use Fast Network Discovery | Disabled | When disabled, if a host responds to ping, Tenable Vulnerability Management attempts to avoid false positives, performing additional tests to verify the response did not come from a proxy or load balancer. These checks can take some time, especially if the remote host is firewalled.

When enabled, Tenable Vulnerability Management does not perform these checks.

Ping Methods

ARP | Enabled | Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP | Enabled | Ping a host using TCP.

Destination Ports (TCP) | Built-In | Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that are checked via TCP ping.

Type one of the following: built-in, a single port, or a comma-separated list of ports.

For more information about which ports built-in specifies, see the knowledge base article.

ICMP | Enabled | Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP Unreachable From the Gateway Means the Host is Down | Disabled | Assume ICMP unreachable from the gateway means the host is down. When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled, when the scanner receives an ICMP Unreachable message, it considers the targeted host dead. This approach helps speed up discovery on some networks.

Note: Some firewalls and packet filters use this same behavior for hosts that are up, but connected to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.

UDP | Disabled | Ping a host using the User Datagram Protocol (UDP). UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Maximum Number of Retries | 2 | Specifies the number of attempts to retry pinging the remote host.

Fragile Devices

Scan Network Printers | Disabled | When enabled, the scanner scans network printers.

Scan Novell Netware Hosts | Disabled | When enabled, the scanner scans Novell NetWare hosts.

Scan Operational Technology Devices | Disabled | When enabled, the scanner performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery.

When disabled, the scanner uses ICS/SCADA Smart Scanning to cautiously identify OT devices and stops scanning them once they are discovered.

Wake-on-LAN

List of MAC Addresses | None | The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan.

Hosts that you want to start prior to scanning are provided by uploading a text file that lists one MAC address per line.

For example:

33:24:4C:03:CC:C7
FF:5C:2C:71:57:79

Boot Time Wait (In Minutes) | 5 minutes | The amount of time to wait for hosts to start before performing the scan.

Port Scanning
The Port Scanning section includes settings that define how the port scanner behaves and which
ports to scan.

Setting | Default Value | Description

Ports

Consider Unscanned Ports as Closed | Disabled | When enabled, if a port is not scanned with a selected port scanner (for example, the port falls outside of the specified range), the scanner considers it closed.

Port Scan Range | Default | Specifies the range of ports to be scanned.

The supported ranges are:

• default — Instructs the scanner to scan approximately 4,790 commonly used ports specified in the nessus-services file. You can also combine the default keyword with other ports and port ranges.

Note: You can convert the nessus-services file to a custom list of ports by performing four consecutive regular expression (regex) replace-all operations in a text editor that supports such operations:
    • .*\s+(\d+)\/(tcp|udp)(\r\n|\r|\n) to $1\/$2,
    • (\d+)\/(tcp|udp) to $2:$1
    • tcp to T
    • udp to U

You can find the nessus-services file in the following directories, depending on your operating system:
    • Linux — /opt/nessus/var/nessus/nessus-services
    • Windows — C:\ProgramData\Tenable\Nessus\nessus\nessus-services
    • macOS — /Library/Nessus/run/var/nessus/nessus-services

• all — Instructs the scanner to scan all 65,536 ports, including port 0. You cannot combine the all keyword with other ranges.

• A comma-separated list of ports (for example, 21,23,25,80,110), port ranges (for example, 1-1024,9000-9200 or 1-65535 to scan all ports but 0 and T:1-1024,U:300-500 or 1-1024,T:1024-65535,U:1025 to scan separate or overlapping TCP and UDP port ranges), or combinations thereof.

If you disable the UDP, SYN, or TCP port scanner settings in the scan policy Discovery settings, those ports are not scanned despite what range of ports you specify. The UDP and TCP port scanner settings are disabled by default; the SYN port scanner setting is enabled by default.

Local Port Enumerators

Setting: SSH (netstat)
Default Value: Enabled
Description: When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials. To use this setting, you must first configure SSH Credentials.

Setting: WMI (netstat)
Default Value: Enabled
Description: When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan.

In addition, the scanner:

• Ignores any custom range specified in the Port Scan Range setting.

• Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all. To use this setting, you must first configure Windows Credentials.

Setting: SNMP
Default Value: Enabled
Description: When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Setting: Only Run Network Port Scanners if Local Port Enumeration Failed
Default Value: Enabled
Description: When this setting is enabled, the scanner relies on local port enumeration before relying on network port scans. If a local port enumerator runs, all network port scanners are disabled for the asset.

When this setting is disabled, the scanner performs network port scans regardless of the local port enumeration status.

Setting: Verify Open TCP Ports Found By Local Port Enumerators
Default Value: Disabled
Description: When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

Network Port Scanners

Setting: TCP
Default Value: Disabled
Description: Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

Setting: SYN
Default Value: Enabled
Description: Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

Setting: Override Automatic Firewall Detection
Default Value: Disabled
Description: This setting can be enabled if you enable either the TCP or SYN option.

When enabled, this setting overrides automatic firewall detection.

This setting has three options:

• Use aggressive detection attempts to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

• Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.

• Disable detection disables the firewall detection feature.

Setting: UDP
Default Value: Disabled
Description: This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.
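The Port Scan Range note earlier in this table converts the nessus-services file with four regex replace-all operations. The following added example (not Tenable's code) applies those four steps verbatim and compares them with a line-based conversion that tolerates comments and a missing final newline. The sample data is constructed, the file layout is assumed from the first regex, and prefixing every entry with T: or U: and collapsing consecutive ports into ranges is this example's own choice.

```python
import re

# Constructed sample in the layout the first regex on the page expects:
# "<service name><whitespace><port>/<tcp|udp>", one entry per line.
# It is not the shipped nessus-services file.
SAMPLE = (
    "# constructed sample\n"
    "ftp             21/tcp\n"
    "ssh             22/tcp\n"
    "domain          53/tcp\n"
    "domain          53/udp\n"
    "snmp            161/udp\n"
    "https           443/tcp"  # deliberately no trailing newline
)


def regex_steps(text):
    """Apply the page's four replace-all operations, in order, unchanged."""
    text = re.sub(r".*\s+(\d+)\/(tcp|udp)(\r\n|\r|\n)", r"\1/\2,", text)
    text = re.sub(r"(\d+)\/(tcp|udp)", r"\2:\1", text)
    text = text.replace("tcp", "T")
    text = text.replace("udp", "U")
    return text


# One entry: service name, whitespace, port/protocol (assumed layout).
ENTRY = re.compile(r"\s*\S+\s+(\d+)/(tcp|udp)\b")


def collapse(ports):
    """Turn a list of ints into [start, end] runs of consecutive ports."""
    runs = []
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port
        else:
            runs.append([port, port])
    return runs


def to_port_range(text):
    """Line-based conversion that emits only T:/U: entries.

    Skips comments and blank lines, does not need a trailing newline,
    removes duplicates and leaves no trailing comma.
    """
    ports = {"tcp": [], "udp": []}
    for raw in text.splitlines():
        match = ENTRY.match(raw.split("#", 1)[0])
        if match and 0 <= int(match.group(1)) <= 65535:
            ports[match.group(2)].append(int(match.group(1)))
    parts = []
    for proto, prefix in (("tcp", "T"), ("udp", "U")):
        for start, end in collapse(ports[proto]):
            span = str(start) if start == end else f"{start}-{end}"
            parts.append(f"{prefix}:{span}")
    return ",".join(parts)


if __name__ == "__main__":
    print(regex_steps(SAMPLE))    # comment line and last entry survive as residue
    print(to_port_range(SAMPLE))  # clean value for the Port Scan Range field
```

When using the four editor steps directly, check the result for leftover comment lines, an unconverted last line and the trailing comma before pasting it into Port Scan Range.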

Service Discovery
The Service Discovery section includes settings that attempt to map each open port with the service
that is running on that port.

Setting Default Value Description

General Settings

Setting: Probe All Ports to Find Services
Default Value: Enabled
Description: When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Setting: Search for SSL/TLS Based Services
Default Value: On
Description: Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS/DTLS Services (enabled)

Setting: Search for SSL/TLS On
Default Value: Known SSL/TLS ports
Description: Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has three options:

• None

  Note: Setting this option to None enables the global_settings/disable_test_ssl_based_services KB item.

• Known SSL/TLS ports

• All TCP ports

Setting: Search for DTLS On
Default Value: None
Description: Specifies which ports on target hosts the scanner searches for DTLS services.

This setting has the following options:

• None

• Known DTLS ports

• All UDP ports

Setting: Identify Certificates Expiring Within x Days
Default Value: 60
Description: When enabled, the scanner identifies SSL and TLS certificates that are within the specified number of days of expiring.

Setting: Enumerate All SSL/TLS Ciphers
Default Value: True
Description: When enabled, the scanner ignores the list of ciphers advertised by SSL/TLS services and enumerates them by attempting to establish connections using all possible ciphers.

Setting: Enable CRL Checking (Connects to the Internet)
Default Value: False
Description: When enabled, the scanner checks that none of the identified certificates have been revoked.

Identity
The Identity section allows you to enable or disable the collection of Active Directory data.

General Settings

Setting: Collect Identity Data from Active Directory
Default Value: Disabled
Description: Enable this setting to allow Tenable Vulnerability Management to gather user, computer, and group objects from Active Directory (AD). This setting requires that you specify an AD user account for the scan. You also need to enable LDAPS on the domain controller that the scan is targeting.

When enabled, upon launch, the scan configuration uses LDAP Active Directory plugins to query AD for identity vulnerability data on all targeted domain controllers.

Note: This setting is only applicable to Tenable One Enterprise customers, and is only intended for use by Tenable One Enterprise customers who do not already have Tenable Identity Exposure deployed.

Preconfigured Discovery Settings

Certain Tenable-provided scanner templates include preconfigured discovery settings, described in the following table. The preconfigured discovery settings are determined by both the template and the Scan Type that you select.

Template Scan Type Preconfigured Settings

Vulnerability Scans (Common)

Template: Advanced Network Scan
Scan Type: –
Preconfigured Settings: All defaults

Template: Basic Network Scan

Scan Type: Port scan (common ports) (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan common ports
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Port scan (all ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan all ports (1-65535)
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Credentialed Patch Audit

Scan Type: Port scan (common ports) (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan common ports
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Port scan (all ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan all ports (1-65535)
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Host Discovery

Scan Type: Host enumeration (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: OS Identification
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP

Scan Type: Port scan (common ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan common ports
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Port scan (all ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan all ports (1-65535)
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Internal PCI Network Scan

Scan Type: Port scan (common ports) (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan common ports
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Port scan (all ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan all ports (1-65535)
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Legacy Web App Scan

Scan Type: Port scan (common ports) (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan common ports
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Port Scan (all ports)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Port Scanner Settings:
  ◦ Scan all ports (1-65535)
  ◦ Use netstat if credentials are provided
  ◦ Use SYN scanner if necessary
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Mobile Device Scan
Scan Type: –
Preconfigured Settings: –

Template: PCI Quarterly External Scan
Scan Type: –
Preconfigured Settings: Scan unresponsive hosts default

Configuration Scans

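Template: Audit Cloud Infrastructure
Scan Type: –
Preconfigured Settings: –

Template: MDM Config Audit
Scan Type: –
Preconfigured Settings: –

Template: Offline Config Audit
Scan Type: –
Preconfigured Settings: –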

Template: Policy Compliance Auditing

Scan Type: Default (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Tenable Nessus host
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Custom
Preconfigured Settings: All defaults

Template: SCAP and OVAL Auditing

Scan Type: Host enumeration (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Custom
Preconfigured Settings: All defaults

Tactical Scans

Template: Badlock Detection

Scan Type: Quick
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan TCP ports 23, 25, 80, and 443
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Bash Shellshock Detection

Scan Type: Quick
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan TCP ports 23, 25, 80, and 443
  ◦ Detect SSL/TLS on ports where it is commonly used
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Custom
Preconfigured Settings: All defaults

Template: DROWN Detection

Scan Type: Quick
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan TCP ports 23, 25, 80, and 443
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Intel AMT Security Bypass

Scan Type: Quick
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan TCP ports 16992, 16993, 623, 80, and 443
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Malware Scan

Scan Type: Host enumeration (default)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)

Scan Type: Host enumeration (include fragile hosts)
Preconfigured Settings:
• General Settings:
  ◦ Always test the local Nessus host
  ◦ Use fast network discovery
• Ping hosts using:
  ◦ TCP
  ◦ ARP
  ◦ ICMP (2 retries)
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Shadow Brokers Scan

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports
• Scan all devices, including:
  ◦ Printers
  ◦ Novell Netware hosts

Scan Type: Custom
Preconfigured Settings: All defaults

Template: Spectre and Meltdown Detection

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports

Scan Type: Custom
Preconfigured Settings: All defaults

Template: WannaCry Ransomware Detection

Scan Type: Quick
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan TCP ports 139 and 445
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Normal (default)
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan the default Nessus port range
  ◦ Detect SSL/TLS on ports where it is commonly used

Scan Type: Thorough
Preconfigured Settings:
• General Settings:
  ◦ Ping the remote host
  ◦ Always test the local Nessus host
• Service Discovery Settings:
  ◦ Scan all TCP ports
  ◦ Detect SSL on all open ports

Scan Type: Custom
Preconfigured Settings: All defaults

Assessment Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Assessment settings in the scan.
You can only modify these settings in the related user-defined template.

You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a
system to brute force attacks, and the susceptibility of web applications.

Certain Tenable-provided scanner templates include preconfigured assessment settings.

If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured assessment settings, you can manually configure Assessment
settings in the following categories:

• General
• Brute Force
• SCADA
• Web Applications
• Windows
• Malware
• Databases

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

General
The General section includes the following groups of settings:

• Accuracy
• Antivirus
• SMTP

Setting Default Value Description

Accuracy

Setting: Override Normal Accuracy
Default Value: Disabled
Description: In some cases, Tenable Vulnerability Management cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Tenable Vulnerability Management to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.

Setting: Perform thorough tests (may disrupt your network or impact scan speed)
Default Value: Disabled
Description: Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin analyzes 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Setting: Antivirus definition grace period (in days)
Default Value: 0
Description: Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Tenable Vulnerability Management to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Tenable Vulnerability Management considers signatures out of date regardless of how long ago an update became available (e.g., a few hours ago). You can configure this option to allow for up to 7 days before reporting them out of date.

SMTP

Setting: Third party domain
Description: Tenable Vulnerability Management attempts to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

Setting: From address
Description: The test messages sent to the SMTP server(s) appear as if the messages originated from the address specified in this field.

Setting: To address
Description: Tenable Vulnerability Management attempts to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force
The Brute Force section includes the following groups of settings:

• General Settings
• Oracle Database

Setting Default Value Description

General Settings

Setting: Only use credentials provided by the user
Default Value: Enabled
Description: In some cases, Tenable Vulnerability Management can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Vulnerability Management from performing these tests.

Oracle Database

Setting: Test default accounts (slow)
Default Value: Disabled
Description: Test for known default accounts in Oracle software.

SCADA
Setting Default Value Description

Setting: ICCP/COTP TSAP Addressing Weakness
Description: The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

Web Applications
The Web Applications section includes the following groups of settings:

• General Settings
• Web Crawler
• Application Test Settings

Setting Default Value Description

Setting: Scan web applications
Default Value: Disabled
Description: By default, Tenable Vulnerability Management does not scan web applications. To edit the following settings, enable this setting.

Setting: Use a custom User-Agent
Default Value: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Description: Specifies which type of web browser Tenable Vulnerability Management impersonates while scanning.

Web Crawler

Setting: Start crawling from
Default Value: /
Description: The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Setting: Excluded pages (regex)
Default Value: /server_privileges\.php|logout
Description: Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$).

Tenable Vulnerability Management supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Setting: Maximum pages to crawl
Default Value: 1000
Description: The maximum number of pages to crawl.

Setting: Maximum depth to crawl
Default Value: 6
Description: Limit the number of links Tenable Vulnerability Management follows for each start page.

Setting: Follow dynamically generated pages
Default Value: Disabled
Description: If selected, Tenable Vulnerability Management follows dynamic links and may exceed the parameters set above.

Application Test Settings

Setting: Enable generic web application tests
Default Value: Disabled
Description: Enables the following settings.

Setting: Abort web application tests if HTTP login fails
Default Value: Disabled
Description: If Tenable Vulnerability Management cannot log in to the target via HTTP, then do not run any web application tests.

Setting: Try all HTTP methods
Default Value: Disabled
Description: This option instructs Tenable Vulnerability Management to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless you enable this option. Generally, more complex applications use the POST method when a user submits data to the application. When enabled, Tenable Vulnerability Management tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Setting: Attempt HTTP Parameter Pollution
Default Value: Disabled
Description: When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Setting: Test embedded web servers
Default Value: Disabled
Description: Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Setting: Test more than one parameter at a time per form
Default Value: Disabled
Description: This setting manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Vulnerability Management would attempt /test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This setting has four options:

• Test random pairs of parameters: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.

• Test all pairs of parameters (slow): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable and then uses the first value for all other variables. For example, Tenable Vulnerability Management would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Tenable Vulnerability Management would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.

• Test random combinations of three or more parameters (slower): This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the amount of combinations by three or more increases the web application test time.

• Test all combinations of parameters (slowest): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Setting: Do not stop after first flaw is found per web page
Default Value: Stop after one flaw is found per web server (fastest)
Description: This setting determines when a new flaw is targeted. This applies at the script level. Finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified, there is at most one report for each type on a given port. Note that several flaws of the same type (for example, XSS or SQLi) may be reported if they were caught by the same attack.

If this option is disabled, as soon as a flaw is found on a web page, the scan moves on to the next web page.

If you enable this option, select one of the following options:

• Stop after one flaw is found per web server (fastest) — (Default) As soon as a flaw is found on a web server by a script, Tenable Vulnerability Management stops and switches to another web server on a different port.

• Stop after one flaw is found per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (for example, XSS), Tenable Vulnerability Management switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.

• Look for all flaws (slowest) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

Setting: URL for Remote File Inclusion
Default Value: http://rfi.nessus.org/rfi.txt
Description: During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Tenable Vulnerability Management uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, you can use an internally hosted file for more accurate RFI testing.

Setting: Maximum run time (min)
Default Value: 5
Description: This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour; however, web sites with large applications may require a higher value.

Windows
The Windows section contains the following groups of settings:

• General Settings
• User Enumeration Methods

Setting Default Value Description

General Settings

Setting: Request information about the SMB Domain
Default Value: Disabled
Description: If enabled, domain users are queried instead of local users.

User Enumeration Methods

You can enable as many of the user enumeration methods as appropriate for user discovery.

Setting: SAM Registry
Default Value: Enabled
Description: Tenable Vulnerability Management enumerates users via the Security Account Manager (SAM) registry.

Setting: ADSI Query
Default Value: Enabled
Description: Tenable Vulnerability Management enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI.

Setting: WMI Query
Default Value: Enabled
Description: Tenable Vulnerability Management enumerates users via Windows Management Interface (WMI).

Setting: RID Brute Forcing
Default Value: Disabled
Description: Tenable Vulnerability Management enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings.

Enumerate Domain Users (available with RID Brute Forcing enabled)

Setting: Start UID
Default Value: 1000
Description: The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

Setting: End UID
Default Value: 1200
Description: The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate domain users.

Enumerate Local User (available with RID Brute Forcing enabled)

Setting: Start UID
Default Value: 1000
Description: The beginning of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

Setting: End UID
Default Value: 1200
Description: The end of a range of IDs where Tenable Vulnerability Management attempts to enumerate local users.

Malware
The Malware section contains the following groups of settings:

• General Settings
• Hash and Whitelist Files
• Yara Rules
• File System Scanning

Setting Default Value Description

Hash and Allow List Files

Setting: Custom Netstat IP Threat List
Default Value: None
Description: A text file that contains a list of known bad IP addresses that you want to detect.

Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.

Note: Tenable does not detect private IP ranges in the text file.

Setting: Provide your own list of known bad MD5 hashes
Default Value: None
Description: A text file with one MD5 hash per line that specifies additional known bad MD5 hashes.

Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.

Setting: Provide your own list of known good MD5 hashes
Default Value: None
Description: A text file with one MD5 hash per line that specifies additional known good MD5 hashes.

Optionally, you can include a description for each hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. You can also use hash-delimited comments (for example, #) in addition to comma-delimited comments.

Setting: Hosts file allow list
Default Value: None
Description: Tenable Vulnerability Management checks system hosts files for signs of a compromise (for example, Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames you want Tenable Vulnerability Management to ignore during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.

Yara Rules

Yara Rules | None | A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.

File System Scanning

Scan file system | Disabled | If enabled, Tenable Vulnerability Management can scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Windows Directories (available if Scan file system is enabled)

Scan %Systemroot% | Disabled | Enables file system scanning to scan %Systemroot%.

Scan %ProgramFiles% | Disabled | Enables file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles(x86)% | Disabled | Enables file system scanning to scan %ProgramFiles(x86)%.

Scan %ProgramData% | Disabled | Enables file system scanning to scan %ProgramData%.

Scan User Profiles | Disabled | Enables file system scanning to scan user profiles.

Custom Filescan Directories | None | A custom file that lists directories to be scanned by malware file scanning. List each directory on one line.

Linux Directories

Scan $PATH | Disabled | Enables file system scanning to scan $PATH.

Scan /home | Disabled | Enables file system scanning to scan /home.

MacOS Directories

Scan $PATH | Disabled | Enables file system scanning to scan $PATH.

Scan /Users | Disabled | Enables file system scanning to scan /Users.

Scan /Applications | Disabled | Enables file system scanning to scan /Applications.

Scan /Library | Disabled | Enables file system scanning to scan /Library.
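
The list-file formats described in the Malware settings above (Custom Netstat IP Threat List and the known bad and known good MD5 hash lists) can be checked before upload. The following Python linter is an added example, not Tenable code; the function names, the reading of "private IP ranges" as the RFC 1918 blocks, the skipping of blank lines, and all sample entries are assumptions.

```python
import ipaddress
import re

# Assumption: "private IP ranges" on the page is read as the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# A value, then an optional description introduced by ',' or '#'.
LINE_RE = re.compile(r"^([^,#\s]+)\s*(?:[,#]\s*(.*))?$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def _entries(text):
    """Yield (line_number, value, description); value is None if the line is malformed."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are skipped
        match = LINE_RE.match(line)
        if match:
            yield number, match.group(1), (match.group(2) or "").strip()
        else:
            yield number, None, ""


def lint_ip_threat_list(text):
    """Check a Custom Netstat IP Threat List; return (usable, issues)."""
    usable, issues = {}, []
    for number, value, desc in _entries(text):
        if value is None:
            issues.append((number, "expected 'IPv4[,description]' or 'IPv4 #comment'"))
            continue
        try:
            ip = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            issues.append((number, f"not an IPv4 address: {value}"))
            continue
        if any(ip in net for net in RFC1918):
            issues.append((number, f"private address {ip} is not detected"))
        elif str(ip) in usable:
            issues.append((number, f"duplicate entry {ip}"))
        else:
            usable[str(ip)] = desc
    return usable, issues


def lint_md5_list(text):
    """Check a known bad or known good MD5 list; return (hashes, issues)."""
    hashes, issues = {}, []
    for number, value, desc in _entries(text):
        if value is None or not MD5_RE.match(value):
            issues.append((number, "expected a 32-hex-digit MD5 hash at line start"))
            continue
        digest = value.lower()
        if digest in hashes:
            issues.append((number, f"duplicate hash {digest}"))
        else:
            hashes[digest] = desc
    return hashes, issues


def conflicting_hashes(known_bad, known_good):
    """Hashes listed as both bad and good; resolve these before uploading."""
    return sorted(set(known_bad) & set(known_good))


# Constructed sample files: documentation-range addresses and made-up entries.
SAMPLE_IPS = """\
203.0.113.7,Constructed C2 address
198.51.100.23 # constructed, seen in a phishing case
192.168.1.10,internal jump host
203.0.113.7
evil.example.com,hostname instead of address
"""
SAMPLE_BAD = """\
0123456789abcdef0123456789abcdef,Constructed dropper hash
D41D8CD98F00B204E9800998ECF8427E # empty file
0123456789abcdef,truncated hash
"""
SAMPLE_GOOD = """\
d41d8cd98f00b204e9800998ecf8427e,empty file
"""

if __name__ == "__main__":
    ips, ip_issues = lint_ip_threat_list(SAMPLE_IPS)
    bad, bad_issues = lint_md5_list(SAMPLE_BAD)
    good, good_issues = lint_md5_list(SAMPLE_GOOD)
    print("usable IPs:", ips)
    for number, message in ip_issues + bad_issues + good_issues:
        print(f"line {number}: {message}")
    print("in both MD5 lists:", conflicting_hashes(bad, good))
```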

Databases
Setting | Default Value | Description

Oracle Database

Use detected SIDs | Disabled | When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.

If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.

Preconfigured Assessment Settings

Certain Tenable-provided Tenable Nessus templates include preconfigured assessment settings, described in the following table. The preconfigured assessment settings are determined by both the template and the Mode that you select.

Template | Mode | Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan | – | All defaults

Basic Network Scan | Default
• General Settings:
  o Avoid false alarms
  o Disable CGI scanning
• Web Applications:
  o Disable web application scanning

Basic Network Scan | Scan for known web vulnerabilities
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Generic web application tests disabled

Basic Network Scan | Scan for all web vulnerabilities (quick)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 5 minutes (max)

Basic Network Scan | Scan for all web vulnerabilities (complex)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
  o Perform thorough tests
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 10 minutes (max)
  o Try all HTTP methods
  o Attempt HTTP Parameter Pollution

Basic Network Scan | Custom | All defaults

Credentialed Patch Audit | – | All defaults

Host Discovery | – | –

Internal PCI Network Scan | Default
• General Settings:
  o Avoid false alarms
  o Disable CGI scanning
• Web Applications:
  o Disable web application scanning

Internal PCI Network Scan | Scan for known web vulnerabilities
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Generic web application tests disabled

Internal PCI Network Scan | Scan for all web vulnerabilities (quick)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 5 minutes (max)

Internal PCI Network Scan | Scan for all web vulnerabilities (complex)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
  o Perform thorough tests
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 10 minutes (max)
  o Try all HTTP methods
  o Attempt HTTP Parameter Pollution

Internal PCI Network Scan | Custom | All defaults

Legacy Web App Scan | Scan for known web vulnerabilities
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Generic web application tests disabled

Legacy Web App Scan | Scan for all web vulnerabilities (quick) (Default)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 5 minutes (max)

Legacy Web App Scan | Scan for all web vulnerabilities (complex)
• General Settings:
  o Avoid potential false alarms
  o Enable CGI scanning
  o Perform thorough tests
• Web Applications:
  o Start crawling from "/"
  o Crawl 1000 pages (max)
  o Traverse 6 directories (max)
  o Test for known vulnerabilities in commonly used web applications
  o Perform each generic web app test for 10 minutes (max)
  o Try all HTTP methods
  o Attempt HTTP Parameter Pollution

Legacy Web App Scan | Custom | All defaults

Mobile Device Scan | – | –

PCI Quarterly External Scan | – | –

Configuration Scans

Audit Cloud Infrastructure | – | –

MDM Config Audit | – | –

Offline Config Audit | – | –

Policy Compliance Auditing | – | –

SCAP and OVAL Auditing | – | –

Tactical Scans

Badlock Detection | – | Web Crawler defaults

Bash Shellshock Detection | – | Web Crawler defaults

DROWN Detection | – | –

Intel AMT Security Bypass | – | –

Malware Scan | – | Malware defaults

Shadow Brokers Scan | – | –

Spectre and Meltdown Detection | – | –

WannaCry Ransomware Detection | – | –

Report Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Report settings in the scan. You
can only modify these settings in the related user-defined template.

The Report settings include the following groups of settings:

• Processing
• Output

Setting | Default Value | Description

Processing


Override normal verbosity | Disabled | When disabled, provides the standard level of plugin activity in the report. The output does not include the informational plugins 56310, 64582, and 58651.

When enabled, this setting has two options:

• I have limited disk space. Report as little information as possible — Provides less information about plugin activity in the report to minimize impact on disk space.
• Report as much information as possible — Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.

Show missing patches that have been superseded | Enabled | When enabled, includes superseded patch information in the scan report.

Hide results from plugins initiated as a dependency | Enabled | When enabled, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, disable this setting.

Output

Max Ports Reported | 1,024 | (Agent scans only) Determines the maximum number of ports that can be included in the agent scan report.

Designate hosts by their DNS name | Disabled | Uses the host name rather than IP address for report output.

Display hosts that respond to ping | Disabled | Reports hosts that successfully respond to a ping.

Display unreachable hosts | Disabled | When enabled, hosts that did not reply to the ping request are included in the security report as dead hosts. Do not enable this option for large IP blocks.

Caution: Enabling this setting causes the scan to create a finding for every target in the scan, whether responsive or not. This may cause the scan to abort if the number of hosts returned exceeds your license limit. For more information, see Scan Limitations.

Display Unicode characters | Disabled | When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.

Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Advanced Settings in Tenable Vulnerability Management Scans

Note: If a scan is based on a user-defined template, you cannot configure Advanced settings in the scan.
You can only modify these settings in the related user-defined template.

The Advanced settings provide increased control over scan efficiency and the operations of a scan,
as well as the ability to enable plugin debugging.

Certain Tenable-provided scanner templates include preconfigured advanced settings.

If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner template
that does not include preconfigured advanced settings, you can manually configure Advanced
settings in the following categories:

• General Settings
• Performance Options
• Unix Find Command Options
• Agent Performance (Agent scans only)
• Windows File Search Options
• Debug Settings
• Stagger Scan Start (Agent scans only)
• Compliance Output Settings
• Vulnerability Options

Note: The following tables include settings for the Advanced Network Scan template. Depending on the
template you select, certain settings may not be available, and default values may vary.

Setting | Default Value | Description

General Settings

Enable Safe Checks | Enabled | When enabled, disables all plugins that may have an adverse effect on the remote host.

Stop scanning hosts that become unresponsive during the scan | Disabled | When enabled, Tenable Vulnerability Management stops scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (for example, an IDS) has started to block traffic to a server. Normally, continuing scans on these machines sends unnecessary traffic across the network and delays the scan.

Scan IP addresses in a random order | Disabled | By default, Tenable Vulnerability Management scans a list of IP addresses in sequential order. When this option is enabled, Tenable Vulnerability Management scans the list of hosts in a random order within an IP address range. This approach is typically useful in helping to distribute the network traffic during large scans.

Automatically accept detected SSH disclaimer prompts | Disabled | When enabled, if a credentialed scan tries to connect via SSH to a host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Scan targets with multiple domain names in parallel | Disabled | When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

Create unique identifier on hosts scanned using credentials | Enabled | When enabled, the scanner creates a unique identifier (Tenable UUID). Tenable Vulnerability Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with historical results for the asset and ensure that license counts are accurately reflected.

For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans.

Trusted CAs | None | Specifies CA certificates that the scan considers as trusted. This allows you to use self-signed certificates for SSL authentication without triggering plugin 51192 as a vulnerability in your Tenable Vulnerability Management environment.

Note: In addition to this setting, you can configure trusted CAs at the individual scanner level (for more information, see Trust a Custom CA in the Tenable Nessus User Guide). There is no precedence or hierarchy between trusted CAs configured in the Tenable Vulnerability Management scan configuration and trusted CAs configured on the Tenable Nessus scanner. Tenable Vulnerability Management uses the correct certificate needed to complete the scan and ignores irrelevant certificates, regardless of which product you configure them in.

Performance Options

Slow down the scan when network congestion is detected | Disabled | When enabled, Tenable detects when it is sending too many packets and the network pipe is approaching capacity. If network congestion is detected, Tenable throttles the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Tenable automatically attempts to use the available space within the network pipe again.

Use Linux kernel congestion detection | Disabled | When enabled, Tenable Vulnerability Management uses the Linux kernel to detect when it sends too many packets and the network pipe approaches capacity. If detected, Tenable Vulnerability Management throttles the scan to accommodate and alleviate the congestion. Once the congestion subsides, Tenable Vulnerability Management automatically attempts to use the available space within the network pipe again.


Network timeout (in seconds) | 5 | Specifies the time that Tenable waits for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may want to set this to a higher number of seconds.

Max simultaneous checks per host | 5 | Specifies the maximum number of checks a Tenable scanner will perform against a single host at one time.

Max simultaneous hosts per scan | Depends on the Tenable-provided template used for the scan | Specifies the maximum number of hosts that Tenable Vulnerability Management submits for scanning at the same time in an individual scan task.

To further refine scan performance using host limits, Tenable recommends adjusting Advanced settings for your individual scanners (for example, max_hosts, global.max_hosts, and global.max_scans). For more information, see Advanced Settings in the Tenable Nessus User Guide.

If you set Max simultaneous hosts per scan to more than the scanner's max_hosts setting, Tenable Vulnerability Management caps Max simultaneous hosts per scan at the max_hosts value. For example, if you set the Max simultaneous hosts per scan to 150 and the scanner's max_hosts is set to 100, with more than 100 targets, Tenable Vulnerability Management scans 100 hosts simultaneously.

Note: You can only adjust individual scanner settings for your organization's managed scanners. You cannot modify the settings of Tenable-hosted scanners.

Max number of concurrent TCP sessions per host | None | Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Max number of concurrent TCP sessions per scan | None | Specifies the maximum number of established TCP sessions for each scan task, regardless of the number of hosts being scanned.

Note: The MAX NUMBER OF CONCURRENT TCP SESSIONS PER SCAN setting is not enforceable in a Discovery scan. The global.max_simult_tcp_sessions Nessus Engine setting (that you set on each scanner) is an absolute cap that applies across all running scans on a scanner. (For example, if you have four scanners and do not want them to generate more than 10000 simultaneous TCP sessions in total at any point in time, you can set that global setting to 2500 for each individual scanner.)

For scanners installed on any Windows host, you must set this value to 19 or less to get accurate results.

Unix Find Command Options

Command Timeout | 240 | The maximum number of seconds the find command is allowed to run on Unix systems. Not all Find commands use this timeout.

Note: For all Find command executions in the plugin to complete, and to prevent the plugin from timing out, its plugin timeout should be adjusted with timeout_<plugin ID> in the scanner's Advanced Settings.

Exclude Filepath | None | A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Exclude Filesystem | None | A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

Include Filepath | None | A plain text file containing a list of filepaths to include for all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.


Agent Performance Options

Use Tenable supplied binaries for 'find' and 'unzip' | Disabled | When enabled, instead of running native operating system commands of find and unzip, plugins use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Agent find command. Another benefit to enabling this setting is that if find or unzip are not found natively on the operating system, using the commands from the feed allows full plugin execution with these commands to continue.

This setting works in tandem with the Scan Performance setting, which you can set locally on the agent. If you enable this setting and have adjusted the Scan Performance to a setting other than the default (High), the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources.

Note: Due to the need for thorough and complete results, audits do not leverage the find or unzip binaries from the Tenable feed.

Note: With this setting enabled, CPU usage may spike up to or close to 100% when the plugin requests a batch of results to process. The CPU then drops down to a lower level until the next batch is requested for processing.

Windows File Search Options

Windows Exclude Filepath | None | A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, such as E:\, E:\Testdir\, and \Testdir\.

Tip: The default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\ if you do not configure this setting. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow and do not contain unmanaged software.

Windows Include Filepath | None | A plain text file containing a list of filepaths to include for all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can only include absolute directory names, such as E:\, E:\Testdir\, and C:\.

Note: The Windows Include Filepath overrides the default included directory (for example, the C: drive on Windows). Therefore, if you want to include the default directory in addition to other directories, you must list the default directory in an additional filepath line.

Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search.

Debug Settings

Enable plugin debugging | Disabled | Attaches available debug logs from plugins to the vulnerability output of this scan.

Audit Trail Verbosity | Default | Controls verbosity of the plugin audit trail.

Options include:

• No audit trail — (Default) Tenable Vulnerability Management does not generate a plugin audit trail.
• All audit trail data — The audit trail includes the reason why plugins were not included in the scan.
• Only scan errors — The audit trail includes only errors encountered during the scan.

Stagger Scan Start

Maximum delay (minutes) | 0 | (Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Compliance Output Settings

Maximum Compliance Output Length in KB | 128,000 KB | Controls the maximum output length for each individual compliance check value that the target returns. If a compliance check value is greater than this setting's value, Tenable Vulnerability Management truncates the result.

Note: If you notice that your compliance scan processing is slow, Tenable recommends reducing this setting to increase the processing speed.

Maximum Compliance Check Timeout in Seconds | 300 seconds | Controls the maximum timeout duration for compliance checks.

This setting is used by checks with long run times, especially checks that run commands on remote targets for Windows and Unix audits. This timeout setting overrides all other timeout settings when it is available.

Generate gold image .audit | Disabled | Determines whether Tenable Vulnerability Management attaches a compliance gold image .audit file to the scan results. You can download the gold image audit from the vulnerabilities tab labeled Compliance Export Gold Image Audit.

For more information, see Compliance Export Gold Image.

Generate XCCDF result file | Disabled | Determines whether Tenable Vulnerability Management attaches XCCDF results files to the scan results. You can download the generated XCCDF result files from the vulnerabilities tab labeled Export compliance results to XCCDF.

For more information, see Compliance Export XCCDF Results.

Generate JSON result file | Disabled | Determines whether Tenable Vulnerability Management attaches a .audit JSON file to the scan results. You can download the JSON files from the vulnerabilities tab labeled Export compliance results to JSON.

For more information, see Compliance Export JSON Results.

Vulnerability Options


Scan for unpatched vulnerabilities (no patches or mitigations available) | Disabled | Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as Will Not Fix by the related vendor.

Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin.

Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Vulnerability Management remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan.

Custom Red Hat Repository Mapping | Disabled, requires you to upload a .json file | Upload a .json file that maps internal custom or mirrored repositories to their official Red Hat repository counterparts. For more information on how this works, see How Red Hat Local Vulnerability Checks Use Repositories To Determine Scope.
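
A pre-upload check for the Exclude Filepath and Include Filepath files described under Unix Find Command Options above. This Python check is an added example, not Tenable code; it goes beyond the identical-entry case in the Tip by also flagging include entries that a broader exclude pattern matches, using Python's fnmatch as an approximation of find -path matching (in both, * also matches /). Function names, the skipping of blank lines, and the sample patterns and paths are assumptions.

```python
from fnmatch import fnmatchcase


def load_patterns(text):
    """One -path style pattern per line; blank lines are skipped (assumption)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_conflicts(include_text, exclude_text):
    """Return (identical, shadowed) conflicts between the two files.

    identical: entries that appear verbatim in both files.
    shadowed:  (include, exclude) pairs where the exclude pattern also
               matches the include entry when that entry is read as a path.
    """
    includes = load_patterns(include_text)
    excludes = load_patterns(exclude_text)
    identical = sorted(set(includes) & set(excludes))
    shadowed = [(inc, exc)
                for inc in includes
                for exc in excludes
                if inc != exc and fnmatchcase(inc, exc)]
    return identical, shadowed


def preview(paths, include_text, exclude_text):
    """For each sample path, report which file(s) contain a matching pattern."""
    includes = load_patterns(include_text)
    excludes = load_patterns(exclude_text)
    result = {}
    for path in paths:
        inc = any(fnmatchcase(path, p) for p in includes)
        exc = any(fnmatchcase(path, p) for p in excludes)
        if inc and exc:
            result[path] = "both"      # conflict: may end up excluded
        elif inc:
            result[path] = "include"
        elif exc:
            result[path] = "exclude"
        else:
            result[path] = "neither"
    return result


# Constructed sample files and paths.
SAMPLE_INCLUDE = """\
/opt/app/lib/*
/srv/data/*
/var/tmp
"""
SAMPLE_EXCLUDE = """\
/opt/*
/var/tmp
/proc/*
"""
SAMPLE_PATHS = [
    "/opt/app/lib/libfoo.so",
    "/srv/data/db.sqlite",
    "/proc/1/maps",
    "/etc/passwd",
]

if __name__ == "__main__":
    identical, shadowed = find_conflicts(SAMPLE_INCLUDE, SAMPLE_EXCLUDE)
    print("identical entries:", identical)
    print("include entries matched by an exclude pattern:", shadowed)
    for path, verdict in preview(SAMPLE_PATHS, SAMPLE_INCLUDE, SAMPLE_EXCLUDE).items():
        print(f"{verdict:8} {path}")
```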

Preconfigured Advanced Settings

Certain Tenable-provided Nessus Scanner templates include preconfigured advanced settings, described in the following table. The preconfigured advanced settings are determined by both the template and the Mode that you select.

Template | Scan Type | Preconfigured Settings

Vulnerability Scans (Common)

Advanced Network Scan | – | All defaults

Basic Network Scan | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Basic Network Scan | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Basic Network Scan | Custom | All defaults

Credentialed Patch Audit | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Credentialed Patch Audit | Custom | All defaults

Host Discovery | – | –

Internal PCI Network Scan | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Internal PCI Network Scan | Custom | All defaults

Legacy Web App Scan | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Legacy Web App Scan | Custom | All defaults

Mobile Device Scan | – | Debug Settings defaults

PCI Quarterly External Scan | Default (default)
• Performance options:
  o 20 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected

PCI Quarterly External Scan | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

PCI Quarterly External Scan | Custom
• Performance Options (default options)
• Unix Find Command Exclusions (default options)

Configuration Scans

Audit Cloud Infrastructure | – | Debug Settings defaults

MDM Config Audit | – | –

Offline Config Audit | – | Debug Settings defaults

Policy Compliance Auditing | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

Policy Compliance Auditing | Custom | All defaults

SCAP and OVAL Auditing | Default (default)
• Performance options:
  o 30 simultaneous hosts (max)
  o 4 simultaneous checks per host (max)
  o 5 second network read timeout
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Scan low bandwidth links
• Performance options:
  o 2 simultaneous hosts (max)
  o 2 simultaneous checks per host (max)
  o 15 second network read timeout
  o Slow down the scan when network congestion is detected
• Asset identification options:
  o Create unique identifier on hosts scanned using credentials

SCAP and OVAL Auditing | Custom | All defaults

Tactical Scans

Badlock Detection | – | All defaults

Bash Shellshock Detection | – | All defaults

DROWN Detection | – | All defaults

Intel AMT Security Bypass | – | All defaults

Malware Scan Default (default) l Performance options:


o 30 simultaneous hosts (max)
o 4 simultaneous checks per host
(max)
o 5 second network read timeout

l Asset identification options:

- 376 -
o Create unique identifier on
hosts scanned using
credentials

Scan low l Performance options:


bandwidth links o 2 simultaneous hosts (max)
o 2 simultaneous checks per host
(max)
o 15 second network read
timeout
o Slow down the scan when
network congestion is detected

l Asset identification options:


o Create unique identifier on
hosts scanned using
credentials

Custom All defaults

Shadow Brokers Scan – All defaults

Spectre and Meltdown – All defaults


Detection

WannaCry Ransomware – All defaults


Detection

Credentials in Tenable Vulnerability Management Scans


You can use credentials to grant a Tenable Vulnerability Management scanner local access to scan
a target system without requiring an agent. Credentialed scans can perform a wider variety of
checks than non-credentialed scans, which can result in more accurate scan results. This approach
facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning
depends on the privileges granted to the user account. The more privileges the scanner has via the
login account (for example, root or administrator access), the more thorough the scan results.

In Tenable Vulnerability Management, you can create credentials for use in scans in the following
ways:

Category: Scan-specific
Permissions: User Permissions in Basic settings in the scan
Description:
- You configure and store these credentials in an individual scan.
- If you delete the scan, you also delete the credentials.
- If you want to use the credentials in a different scan, you must either convert the scan-specific credential to a managed credential or recreate the scan-specific credential settings in the other scan.

Category: Template-specific
Permissions: User Permissions in Basic settings in the template
Description:
- You configure and store these credentials in a user-defined template. You can then use the template to create individual scans.
- If you add credentials to a user-defined template, other users can override those credentials by adding scan-specific or managed credentials to scans created from the template. Tenable recommends adding managed credentials to scans, instead of adding credentials to user-defined templates.
- If you delete the template, you also delete the template-specific credentials. However, Tenable Vulnerability Management retains the credentials in any scans you used the template to create before deletion.
- If you want to use the credentials in a different template, you must recreate the template-specific credentials in the other template.

Category: Managed
Permissions: Configure User Permissions for a Credential
Description:
- Tenable Vulnerability Management stores managed credentials centrally in the credential manager. You can configure managed credentials directly in the credential manager or during scan configuration. You can also convert a scan-specific credential to a managed credential during scan configuration.
- You can use managed credentials in multiple scans. You can also grant other users permissions to use managed credentials in scans.
- You cannot use managed credentials in templates.

The settings you configure for a credential vary based on the credential type. Credential types
include:

- Cloud Services
- Database
- Host
- Miscellaneous
- Mobile Device Management
- Patch Management
- Plaintext authentication

For more information, see:

- Add a Credential to a Scan
- Edit a Credential in a Scan
- Convert a Scan-specific Credential to a Managed Credential
- Add a Credential to a User-defined Template
- Edit a Credential in a User-defined Template

Note: Tenable Vulnerability Management opens several concurrent authenticated connections. Ensure that
the host being audited does not have a strict account lockout policy based on concurrent sessions.

Note: By default, when creating credentialed scans or user-defined templates, hosts are
identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is
written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.
This option is enabled (by default) or disabled in the Advanced -> General Settings of a scan
configuration or template: Create unique identifier on hosts scanned using credentials.

Note: If a Tenable Vulnerability Management scan contains multiple instances of one type of credential,
Tenable Vulnerability Management attempts to log into a valid target using each credential in sequence, in
the same order in which they were added to the scan. Tenable Vulnerability Management uses the first
credential it is able to log in successfully with to perform credentialed checks on the target. Once Tenable
Vulnerability Management is able to log in successfully with a credential set, it does not attempt to log in
with any of the other credentials in the scan, regardless of their relative levels of access.

Add a Credential to a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can Control

In the event that a scan contains multiple instances of a single type of credential (SSH logins, SMB
logins, etc.), Tenable Vulnerability Management attempts to use them on a valid target in the order
that they were added to the scan configuration.

Note: The first credential that allows successful login is used to perform credentialed checks on the target.
After a credential provides successful login, Tenable Vulnerability Management does not try any of the
other credentials in the list, even if one of the latter credentials has a greater degree of access or privileges.
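
The first-successful-login rule in this note (and in the overview note on multiple credentials of one type) can be reviewed offline before a scan is saved. The following Python sketch is an added example, not Tenable code: the `Credential` record, the numeric `privilege` ranking, and the credential names and targets are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    name: str        # label of the credential in the scan (constructed)
    cred_type: str   # for example "SSH" or "SMB"
    privilege: int   # reviewer's own ranking; higher means more access


def credential_used(ordered, cred_type, logs_in):
    """Return the first credential of cred_type, in scan order, that logs in.

    ordered -- credentials in the order the scan tries them
    logs_in -- names of the credentials that authenticate on this target
    """
    for cred in ordered:
        if cred.cred_type == cred_type and cred.name in logs_in:
            return cred
    return None


def never_tried(ordered, cred_type, logs_in):
    """Credentials that would log in with more access but are never reached."""
    used = credential_used(ordered, cred_type, logs_in)
    if used is None:
        return []
    after = ordered[ordered.index(used) + 1:]
    return [c for c in after
            if c.cred_type == cred_type
            and c.name in logs_in
            and c.privilege > used.privilege]


def review(ordered, targets):
    """Map (target, type) to (credential used, better credentials skipped)."""
    findings = {}
    for target, logs_in in targets.items():
        for cred_type in sorted({c.cred_type for c in ordered}):
            used = credential_used(ordered, cred_type, logs_in)
            skipped = never_tried(ordered, cred_type, logs_in)
            findings[(target, cred_type)] = (
                used.name if used else None,
                [c.name for c in skipped],
            )
    return findings


# Constructed scan configuration, in the order the scan would try each type.
SCAN_CREDENTIALS = [
    Credential("ssh-inventory", "SSH", privilege=1),
    Credential("ssh-root", "SSH", privilege=3),
    Credential("smb-domain-admin", "SMB", privilege=3),
    Credential("smb-helpdesk", "SMB", privilege=1),
]
# Constructed targets: which credential names authenticate on each host.
TARGETS = {
    "192.0.2.10": {"ssh-inventory", "ssh-root"},
    "192.0.2.11": {"ssh-root"},
    "192.0.2.20": {"smb-domain-admin", "smb-helpdesk"},
}

if __name__ == "__main__":
    for key, (used, skipped) in review(SCAN_CREDENTIALS, TARGETS).items():
        print(key, "uses", used, "| skipped:", skipped)
```

A non-empty skipped list marks a target whose credentialed checks run with less access than the scan configuration could provide.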

To add a credential to a scan:

1. Create or edit a scan.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
scan.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. Do one of the following:

Add an existing managed credential.


The Managed Credentials section of the Select Credential Type plane contains any
credentials where you have Can Use or Can Edit permissions.

a. (Optional) Search for a managed credential in the list by typing your search criteria in the
text box and clicking the button.

b. In the Managed Credentials section, click the button to display all managed
credentials.

c. Click each managed credential you want to add.

The Select Credential Type plane remains open.

d. To close the Select Credential Type plane, click the button in the upper-right corner
of the plane.

Add a scan-specific credential.


a. In the Select Credential Type plane, in any section except Managed Credentials, click
the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the individual credential configuration.

Add a new managed credential.

a. In any section of the Select Credential Type plane except the Managed Credentials
section, click the button to display the credentials for that type.

b. Click each credential you want to add.

The settings plane for that credential type appears.

c. Configure the settings for the new managed credential.

d. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

e. In the first text box, type a name for the managed credential.

f. (Optional) In the second text box, type a brief description of the managed credential.

g. Configure user permissions for the managed credential.

5. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

Note: Upon saving, Tenable Vulnerability Management automatically orders the credentials by
ascending ID and groups the credentials by type.

6. Do one of the following:

- If you want to save without launching the scan, click Save.

Tenable Vulnerability Management saves the scan.

- If you want to save and launch the scan immediately, click Save & Launch.

Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

Note: If you are editing an imported scan, the Save & Launch option is not available.

Tenable Vulnerability Management saves and launches the scan.

Edit a Credential in a Scan

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Can Configure

To edit a credential in a scan:

1. Edit a scan.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Do one of the following:

- For scan-specific credentials, configure the settings for the credential.

- For managed credentials:

a. Edit the name or description.

b. Configure the credential settings.

c. Configure user permissions for the managed credential.

Note: You can only view or edit settings for managed credentials where you have Can Edit permissions.

5. Click Save to save your changes to the credential.

If you edited a managed credential, Tenable Vulnerability Management determines whether any other scans use the managed credential and prompts you to confirm the changes.

6. (Managed credentials only) Click Yes to save the changes to the managed credential.

7. Click Save to save your scan changes.

Add a Credential to a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Template Permissions: Can Configure

Before you add credentials to a user-defined template, consider the following:

- Other users can override template-specific credentials by adding scan-specific or managed credentials to scans created from the template. Tenable recommends adding managed credentials to scans, instead of adding credentials to user-defined templates.

- You cannot use managed credentials in user-defined templates. To use a single set of credentials for multiple scans, add managed credentials to scans, instead of adding credentials to user-defined templates.

Note: In scan configurations, the Scan-wide Credential Type settings are located in individual credentials.
In user-defined templates, these settings are located in the Authentication section of the Basic settings for
the template.

To add a template-specific credential:

1. Create or edit a template.

2. In the left navigation menu, click Credentials.

The Credentials page appears. This page contains a table of credentials configured for the
template.

3. Next to Add Credentials, click the button.

The Select Credential Type plane appears.

4. In the Select Credential Type plane, click a credential type.

The settings plane for that credential type appears.

5. Configure the settings for the individual credential configuration.

6. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the template.

7. Click Save to save your template changes.

Tenable Vulnerability Management adds the credential to the credentials table for the
template.

Edit a Credential in a User-defined Template

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Template Permissions: Can Configure

To edit a credential in a user-defined template:

1. Edit a user-defined template.

2. In the left navigation menu, click Credentials.

A table of credentials configured for the template appears.

3. In the credentials table, click the credential you want to edit.

The credential settings plane appears.

4. Configure the settings for the credential.

5. Click Save to save your changes to the credential.

6. Click Save to save your changes to the template.

Convert a Scan-specific Credential to a Managed Credential

Required Tenable Vulnerability Management User Role: Basic, Scan Operator, Standard, Scan
Manager, or Administrator

Required Scan Permissions: Owner

A scan-specific credential can only be used in a single scan. To reuse a scan-specific credential in
multiple scans, convert it to a managed credential.

To convert a scan-specific credential:

1. In the left navigation, click Scans.

The Scans page appears.

2. In the Folders section, click a folder to load the scans you want to view.

The scans table updates to display the scans in the folder you selected.

3. In the scans table, click the scan you want to edit.

The Scan Details page appears.

4. Next to the scan name, click the button.

The Update a Scan page appears.

5. In the left navigation menu, click Credentials.

A table of credentials configured for the scan appears.

6. In the credentials table, click the scan-specific credential you want to convert.

The credential settings plane appears.

7. Click the Save to Managed Credentials toggle.

The managed credential settings appear.

8. In the first text box, type a name for the managed credential.

9. (Optional) In the second text box, type a brief description of the managed credential.

10. Configure user permissions for the managed credential.

11. Click Save to save your credential changes.

Tenable Vulnerability Management closes the settings plane and adds the credential to the
credentials table for the scan.

12. Click Save to save your scan changes.

Cloud Services

Tenable Vulnerability Management can authenticate a scan using accounts in the cloud services
listed below.

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

AWS

| Option | Default Value | Description | Required |
|---|---|---|---|
| AWS Access Key IDS | – | The AWS access key ID string. | yes |
| AWS Secret Key | – | AWS secret key that provides the authentication for AWS Access Key ID. | yes |
| Scan-wide Credential Type Settings | | | |
| Regions to access | Rest of the World | In order for Tenable Vulnerability Management to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you need different credentials to audit account configuration for the China region than you do for the rest of the world. Possible regions include: GovCloud — If you select this region, you automatically select the government cloud (e.g., us-gov-west-1). Rest of the World — If you select this region, the following additional options appear: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-west-2, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1. China — If you select this region, the following additional options appear: cn-north-1, cn-northwest-1. | yes |
| HTTPS | Enabled | Whether Tenable Vulnerability Management authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection. | no |
| Verify SSL Certificate | Enabled | Whether Tenable Vulnerability Management verifies the validity of the SSL digital certificate. | no |

Microsoft Azure

| Option | Default Value | Description | Required |
|---|---|---|---|
| Username | – | Username required to log in to Microsoft Azure. | yes |
| Password | – | Password associated with the username. | yes |
| Client Id | – | The application ID (also known as client ID) for your registered application. | yes |
| Scan-wide Credential Type Settings | | | |
| Subscription IDs | – | List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited. | no |

Rackspace

| Option | Default Value | Description | Required |
|---|---|---|---|
| Username | – | Username to log in. | yes |
| Password or API Key | – | Password or API key associated with the username. | yes |
| Authentication Method | API-Key | Select Password or API-Key from the drop-down box. | yes |
| Scan-wide Credential Type Settings | all locations selected | Location of the Rackspace Cloud instance. Possible locations include: Dallas-Fort Worth (DFW), Chicago (ORD), Northern Virginia (IAD), London (LON), Sydney (SYD), Hong Kong (HKG). | no |

Salesforce.com

| Option | Default Value | Description | Required |
|---|---|---|---|
| Username | – | Username required to log in to Salesforce.com | yes |
| Password | – | Password associated with the Salesforce.com username | yes |

Database Credentials

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

The following topic describes the available Database credentials.

Cassandra

| Option | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Port | The port the database listens on. The default is port 9042. |

Delinea Secret Server Auto-Discovery

| Option | Description | Required |
|---|---|---|
| Delinea Host | The Delinea Secret Server host to pull the secrets from. | Yes |
| Delinea Port | The Delinea Secret Server Port for API requests. By default, Tenable uses 443. | Yes |
| Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected. | Yes |
| Delinea Login Name | The username to authenticate to the Delinea server. | Yes |
| Delinea Password | The password to authenticate to the Delinea server. This is associated with the provided Delinea Login Name. | Yes |
| Delinea API Key | The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected. | Yes |
| Query Mode | Choose to query accounts using pre-set fields or by constructing a string of URL query parameters. By default, Simple is selected. | Yes |
| Folder ID | Query accounts with the given folder ID. This option is only available if query mode is set to Simple. | No |
| Search Text | Query accounts matching the given search text. This option is only available if query mode is set to Simple. | No |
| Search Field | The field to search using the given search text. If not specified, the query will search the name field. This option is only available if query mode is set to Simple. | No |
| Exact Match | Perform an exact match against the search text. By default, this is unselected. This option is only available if query mode is set to Simple. | No |
| Query String | Provide a string of URL query parameters. This option is only available if query mode is set to Advanced, and in that case it is required. | Yes |
| Use Private Key | Use key-based authentication for SSH connections instead of password authentication. | No |
| Use SSL | Use SSL for secure communications. | Yes |
| Verify SSL Certificate | Verify the Delinea Secret Server SSL certificate. | No |

DB2

The following table describes the additional options to configure for DB2 credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Import, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Database Port | The TCP port that the IBM DB2 database instance listens on for communications from Tenable Vulnerability Management. The default is port 50000. |
| Database Name | The name for your database (not the name of your instance). |

MongoDB

| Option | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Client Certificate, CyberArk, Lieberman, Hashicorp Vault. Note: This option is only available for non-legacy versions of the MongoDB authentication method. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Username | (Required) The username for the database. |
| Password | (Required) The password for the supplied username. |
| Database | The name of the database to authenticate to. Tip: To authenticate via LDAP or saslauthd, type $external. |
| Port | (Required) The TCP port that the MongoDB database instance listens on for communications from Tenable Vulnerability Management. |

MySQL

The following table describes the additional options to configure for MySQL credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Import, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Username | The username for a user on the database. |
| Password | The password associated with the username you provided. |
| Database Port | The TCP port that the MySQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 3306. |

Oracle

The following table describes the additional options to configure for Oracle credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Import, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Database Port | The TCP port that the Oracle database instance listens on for communications from Tenable Vulnerability Management. The default is port 1521. |
| Auth Type | The type of account you want Tenable Vulnerability Management to use to access the database instance: SYSDBA, SYSOPER, NORMAL. |
| Service Type | The Oracle parameter you want to use to specify the database instance: SID or SERVICE_NAME. |
| Service | The SID value or SERVICE_NAME value for your database instance. The Service value you enter must match your parameter selection for the Service Type option. |

PostgreSQL

The following table describes the additional options to configure for PostgreSQL credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Client Certificate, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Database Port | The TCP port that the PostgreSQL database instance listens on for communications from Tenable Vulnerability Management. The default is port 5432. |
| Database Name | The name for your database instance. |

SQL Server

The following table describes the additional options to configure for SQL Server credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, Import, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Username | The username for a user on the database. |
| Password | The password associated with the username you provided. |
| Database Port | The TCP port that the SQL Server database instance listens on for communications from Tenable Vulnerability Management. The default is port 1433. |
| AuthType | The type of account you want Tenable Vulnerability Management to use to access the database instance: SQL or Windows. |
| Instance Name | The name for your database instance. |

Sybase ASE

The following table describes the additional options to configure for Sybase ASE credentials.

| Options | Description |
|---|---|
| Auth Type | The authentication method for providing the required credentials: Password, CyberArk, Lieberman, Hashicorp Vault. For descriptions of the options for your selected authentication type, see Database Credentials Authentication Types. |
| Database Port | The TCP port that the Sybase ASE database instance listens on for communications from Tenable Vulnerability Management. The default is port 3638. |
| Auth Type | The type of authentication used by the Sybase ASE database: RSA or Plain Text. |

Database Credentials Authentication Types

Depending on the authentication type you select for your database credentials, you must configure
the options described in this topic.

Client Certificate
The Client Certificate authentication type is supported for PostgreSQL databases only.

| Option | Description | Required |
|---|---|---|
| Username | The username for the database. | yes |
| Client Certificate | The file that contains the PEM certificate for the database. | yes |
| Client CA Certificate | The file that contains the PEM certificate for the database. | yes |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required in your authentication implementation. | no |
| Database Port | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name | The name of the database. | no |

Password
| Option | Database Types | Description | Required |
|---|---|---|---|
| Username | All | The username for a user on the database. | yes |
| Password | All | The password for the supplied username. | no |
| Database Port | All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name | DB2, PostgreSQL | The name of the database. | no |
| Auth type | Oracle, SQL Server, Sybase ASE | SQL Server values include: Windows, SQL. Oracle values include: SYSDBA, SYSOPER, NORMAL. Sybase ASE values include: RSA, Plain Text. | yes |
| Instance name | SQL Server | The name for your database instance. | no |
| Service type | Oracle | Valid values include: SID, SERVICE_NAME. | yes |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | no |

Import
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid
values to use for each item, see Database Credentials.

You must configure either CyberArk or HashiCorp credentials for a database credential in the same
scan so that Tenable Vulnerability Management can retrieve the credentials.

| Database Credential | CSV Format |
|---|---|
| DB2 | target, port, database_name, username, cred_manager, accountname_or_secretname |
| MySQL | target, port, database_name, username, cred_manager, accountname_or_secretname |
| Oracle | target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname |
| SQL Server | target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname |

Note: Include the required data in the specified order, with commas between each value, without spaces.
For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS.

Note: The value for cred_manager must be either CyberArk or HashiCorp.
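
The Import layouts and the two notes above can be checked before a file is uploaded. The following Python validator is an added example, not Tenable code: the function names, the assumption that the file has no header row, and every sample row after the guide's own Oracle example are constructed for illustration.

```python
import csv
import io

# Column order per database credential, as listed in the Import table.
CSV_FORMATS = {
    "DB2": ("target", "port", "database_name", "username",
            "cred_manager", "accountname_or_secretname"),
    "MySQL": ("target", "port", "database_name", "username",
              "cred_manager", "accountname_or_secretname"),
    "Oracle": ("target", "port", "service_type", "service_ID", "username",
               "auth_type", "cred_manager", "accountname_or_secretname"),
    "SQL Server": ("target", "port", "instance_name", "username", "auth_type",
                   "cred_manager", "accountname_or_secretname"),
}

# Value sets stated in the guide. Matching is exact; whether the product
# accepts other capitalisations is not stated, so near misses are reported.
CRED_MANAGERS = {"CyberArk", "HashiCorp"}
SERVICE_TYPES = {"SID", "SERVICE_NAME"}
AUTH_TYPES = {
    "Oracle": {"SYSDBA", "SYSOPER", "NORMAL"},
    "SQL Server": {"SQL", "Windows"},
}


def _check_choice(name, value, allowed, problems):
    """Append a problem when value is not one of the allowed strings."""
    if value not in allowed:
        problems.append(f"{name}: {value!r} is not one of {sorted(allowed)}")


def validate_row(db_type, fields):
    """Return the problems found in one CSV row; an empty list means it passed."""
    columns = CSV_FORMATS[db_type]
    if len(fields) != len(columns):
        return [f"expected {len(columns)} values in the order "
                f"{','.join(columns)}; got {len(fields)}"]
    problems = []
    # "without spaces": report padding left around the commas.
    for name, value in zip(columns, fields):
        if value != value.strip():
            problems.append(f"{name}: remove the spaces around {value.strip()!r}")
    row = {name: value.strip() for name, value in zip(columns, fields)}
    port = row["port"]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"port: {port!r} is not a TCP port number (1-65535)")
    _check_choice("cred_manager", row["cred_manager"], CRED_MANAGERS, problems)
    if "service_type" in row:
        _check_choice("service_type", row["service_type"], SERVICE_TYPES, problems)
    if db_type in AUTH_TYPES:
        _check_choice("auth_type", row["auth_type"], AUTH_TYPES[db_type], problems)
    return problems


def validate_import(db_type, text):
    """Validate a whole import file; return {line_number: [problems]} for bad rows."""
    if db_type not in CSV_FORMATS:
        raise ValueError(f"no Import layout listed for {db_type!r}")
    report = {}
    for line_no, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:  # skip blank lines
            continue
        problems = validate_row(db_type, fields)
        if problems:
            report[line_no] = problems
    return report


# Line 1 is the guide's Oracle example; lines 2-4 are constructed bad rows.
SAMPLE_ORACLE = (
    "192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS\n"
    "192.0.2.10, 1521,SID,orcl,scanuser,SYSDBA,CyberArk,Database-Oracle-SYS\n"
    "192.0.2.11,1521,SERVICE,orcl,scanuser,DBA,Vault,Database-Oracle-SYS\n"
    "192.0.2.12,1521,orcl,scanuser,SYSDBA,HashiCorp\n"
)

if __name__ == "__main__":
    for line_no, problems in validate_import("Oracle", SAMPLE_ORACLE).items():
        for problem in problems:
            print(f"line {line_no}: {problem}")
```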

BeyondTrust
| Option | Description | Required |
|---|---|---|
| Username | The username to log in to the host you want to scan. | yes |
| Domain | The domain of the username, which is recommended if using domain-linked accounts (managed accounts of a domain that are linked to a managed system). | no |
| BeyondTrust host | The BeyondTrust IP address or DNS address. | yes |
| BeyondTrust port | The port on which BeyondTrust listens. | yes |
| BeyondTrust API user | The API user provided by BeyondTrust. | yes |
| BeyondTrust API key | The API key provided by BeyondTrust. | yes |
| Checkout duration | The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the checkout duration to exceed the typical duration of your scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your scans. If BeyondTrust changes a password during a scan, the scan fails. | yes |
| Use SSL | When enabled, the integration uses SSL through IIS for secure communications. Configure SSL through IIS in BeyondTrust before enabling this option. Caution: If you do not enable this option, the traffic is sent over HTTP and is not accepted by the BeyondTrust server. | no |
| Verify SSL certificate | When enabled, the integration validates the SSL certificate. Configure SSL through IIS in BeyondTrust before enabling this option. | no |

CyberArk
CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

| Option | Description | Required |
|---|---|---|
| CyberArk Host | The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. | yes |
| Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. | yes |
| AppID | The Application ID associated with the CyberArk API connection. | yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable's Community post about CyberArk Client Certification Authentication Issue. | no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | yes, if private key is applied |
| Get credential by | The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username. Note: For more information about the Parameters option, refer to the Parameters Options table. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. | yes |
| Username | (If Get credential by is set to Username) The username of the CyberArk user to request a password from. | no |
| Safe | The CyberArk safe the credential should be retrieved from. | no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
| Use SSL | If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. | no |
| Verify SSL Certificate | If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. | no |

CyberArk (Legacy)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

| Option | Database Types | Description | Required |
|---|---|---|---|
| Username | All | The target system's username. | yes |
| Central Credential Provider Host | All | The CyberArk Central Credential Provider IP/DNS address. | yes |
| Central Credential Provider Port | All | The port on which the CyberArk Central Credential Provider is listening. | yes |
| CyberArk AIM Service URL | All | The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx. | no |
| Central Credential Provider Username | All | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no |
| Central Credential Provider Password | All | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication. | no |
| CyberArk Safe | All | The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve. | no |
| CyberArk Client Certificate | All | The file that contains the PEM certificate used to communicate with the CyberArk host. | no |
| CyberArk Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| CyberArk Client Certificate Private Key Passphrase | All | The passphrase for the private key, if your authentication implementation requires it. | no |
| CyberArk AppId | All | The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. | yes |
| CyberArk Folder | All | The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve. | no |
| CyberArk Account Details Name | All | The unique name of the credential you want to retrieve from CyberArk. | yes |
| PolicyId | All | The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. | no |
| Use SSL | All | If CyberArk Central Credential Provider is configured to support SSL through IIS, check for secure communication. | no |
| Verify SSL Certificate | All | If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates. | no |
| Database Port | All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name | DB2, PostgreSQL | The name of the database. | no |

Auth type Oracle SQL Server values include: yes

SQL Server l Windows

Sybase ASE l SQL

Oracle values include:

l SYSDBA

l SYSOPER

l NORMAL

Sybase ASE values include:

l RSA

l Plain Text

- 405 -
Database
Option Description Required
Types

Instance Name SQL Server The name for your database instance. no

Service type Oracle Valid values include: yes

l SID

l SERVICE_NAME

Service Oracle The SID value for your database no


instance or a SERVICE_NAME value.
The Service value you enter must
match your parameter selection for the
Service Type option.

Delinea
| Option | Description | Required |
| --- | --- | --- |
| Delinea Secret Name | The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. | yes |
| Delinea Host | The Delinea Secret Server IP address or DNS address. | yes |
| Delinea Port | The port on which Delinea Secret Server listens. | yes |
| Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, credentials are selected. | yes |
| Delinea Login Name | The username to authenticate to the Delinea server. | yes |
| Delinea Password | The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. | yes |
| Delinea API key | The API key provided by Delinea Secret Server. | yes |
| Use SSL | Enable if the Delinea Secret Server is configured to support SSL. | no |
| Verify SSL certificate | If enabled, verifies the SSL Certificate on the Delinea server. | no |

Delinea Auto Discovery


| Option | Description | Required |
| --- | --- | --- |
| Delinea Host | The Delinea Secret Server host to pull the secrets from. | Yes |
| Delinea Port | The Delinea Secret Server Port for API requests. By default, Tenable uses 443. | Yes |
| Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected. | Yes |
| Delinea Login Name | The username to authenticate to the Delinea server. | Yes |
| Delinea Password | The password to authenticate to the Delinea server. This is associated with the provided Delinea Login Name. | Yes |
| Delinea API Key | The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected. | Yes |
| Query Mode | Choose to query accounts using pre-set fields or by constructing a string of URL query parameters. By default, Simple is selected. | Yes |
| Folder ID | Query accounts with the given folder ID. This option is only available if query mode is set to Simple. | No |
| Search Text | Query accounts matching the given search text. This option is only available if query mode is set to Simple. | No |
| Search Field | The field to search using the given search text. If not specified, the query will search the name field. This option is only available if query mode is set to Simple. | No |
| Exact Match | Perform an exact match against the search text. By default, this is unselected. This option is only available if query mode is set to Simple. | No |
| Query String | Provide a string of URL query parameters. This option is only available if query mode is set to Advanced, and in that case it is required. | Yes |
| Use Private Key | Use key-based authentication for SSH connections instead of password authentication. | No |
| Use SSL | Use SSL for secure communications. | Yes |
| Verify SSL Certificate | Verify the Delinea Secret Server SSL certificate. | No |

HashiCorp Vault
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged
credentials. Tenable Vulnerability Management can get credentials from HashiCorp Vault to use in a
scan.

| Option | Description | Required |
| --- | --- | --- |
| Hashicorp Vault host | The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. | yes |
| Hashicorp Vault port | The port on which Hashicorp Vault listens. | yes |
| Authentication Type | Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Select the appropriate files for the client certificate and private key. | yes |
| Role ID | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
| Role Secret ID | The GUID generated by Hashicorp Vault when you configured your App Role. | yes |
| Authentication URL | The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login | yes |
| Namespace | The name of a specified team in a multi-team environment. | no |
| Vault Type | The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation. | yes |
| KV1 Engine URL | (KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing / | yes, if you select the KV1 Vault Type |
| KV2 Engine URL | (KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/path_to_secret. No trailing / | yes, if you select the KV2 Vault Type |
| AD Engine URL | (AD) The URL Tenable Vulnerability Management uses to access the active directory engine. Example: /v1/path_to_secret. No trailing / | yes, if you select the AD Vault Type |
| LDAP Engine URL | (LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing / | yes, if you select the LDAP Vault Type |
| Username Source | (KV1 and KV2) A drop-down box to specify whether the username is input manually or pulled from Hashicorp Vault. | yes |
| Username Key | (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. | yes |
| Password Key | (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
| Secret Name | (KV1, KV2, and AD) The key secret you want to retrieve values for. | yes |
| Use SSL | If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. | no |
| Verify SSL Certificate | If enabled, validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
| Database Port | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Auth Type | The authentication method for the database credentials. Oracle values include: SYSDBA, SYSOPER, NORMAL. | yes |
| Service Type | (Oracle databases only) Valid values include: SID and SERVICE_NAME. | yes |
| Service | (Oracle database only) A specific field for the configuration for the database. | yes |
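The HashiCorp Vault HTTP calls that the App Role and KV fields above correspond to, as an added example (not Tenable's code) for checking the values before entering them in a scan. The configuration, token and responses are constructed, and the way the host subdirectory, Engine URL and Secret Name are joined into one URL is an assumption.

```python
import json

# Constructed sample values; none of these come from a real Vault.
CONFIG = {
    "host": "vault.example.internal/vault",   # host plus subdirectory path
    "port": 8200,
    "use_ssl": True,
    "role_id": "11111111-2222-3333-4444-555555555555",
    "role_secret_id": "66666666-7777-8888-9999-000000000000",
    "auth_url": "/v1/auth/approle/login",
    "namespace": "team-a",
    "vault_type": "KV2",
    "engine_url": "/v1/kv2/data/scanning",
    "secret_name": "linux-scan",
    "username_key": "username",
    "password_key": "password",
}
LOGIN_RESPONSE = {"auth": {"client_token": "constructed-token", "lease_duration": 1200}}
KV1_RESPONSE = {"data": {"username": "svc_scan", "password": "constructed-pw"}}
KV2_RESPONSE = {"data": {"data": {"username": "svc_scan", "password": "constructed-pw"},
                         "metadata": {"version": 3}}}


def check_path(name, value):
    """Apply the table's rules: a path, not a full URL, and no trailing '/'."""
    if "://" in value:
        raise ValueError(f"{name} must be a path, not a full URL: {value!r}")
    if value.endswith("/"):
        raise ValueError(f"{name} must not end with '/': {value!r}")
    return value


def base_url(cfg):
    """scheme://host:port[/subdirectory]; the port goes before the subdirectory."""
    host, _, subdir = cfg["host"].partition("/")
    scheme = "https" if cfg["use_ssl"] else "http"
    base = f"{scheme}://{host}:{cfg['port']}"
    return f"{base}/{subdir.strip('/')}" if subdir else base


def common_headers(cfg):
    # X-Vault-Namespace selects the namespace in multi-team deployments.
    return {"X-Vault-Namespace": cfg["namespace"]} if cfg.get("namespace") else {}


def approle_login_request(cfg):
    """POST that exchanges Role ID and Role Secret ID for a client token."""
    path = check_path("Authentication URL", cfg["auth_url"])
    headers = dict(common_headers(cfg), **{"Content-Type": "application/json"})
    body = json.dumps({"role_id": cfg["role_id"], "secret_id": cfg["role_secret_id"]})
    return "POST", base_url(cfg) + "/" + path.lstrip("/"), headers, body


def secret_read_request(cfg, login_response):
    """GET for the secret, authenticated with the token from the login reply."""
    path = check_path(f"{cfg['vault_type']} Engine URL", cfg["engine_url"])
    headers = dict(common_headers(cfg),
                   **{"X-Vault-Token": login_response["auth"]["client_token"]})
    # Assumption: the secret is addressed as <Engine URL>/<Secret Name>.
    url = f"{base_url(cfg)}/{path.lstrip('/')}/{cfg['secret_name']}"
    return "GET", url, headers


def extract_credential(cfg, read_response):
    """Pull the Username Key and Password Key values out of a KV read reply."""
    if cfg["vault_type"] not in ("KV1", "KV2"):
        raise ValueError("Username Key and Password Key apply to KV1 and KV2 only")
    data = read_response["data"]
    if cfg["vault_type"] == "KV2":
        data = data["data"]          # KV2 nests the pairs beside "metadata"
    missing = [k for k in (cfg["username_key"], cfg["password_key"]) if k not in data]
    if missing:
        raise KeyError(f"keys not present in secret: {missing}")
    return data[cfg["username_key"]], data[cfg["password_key"]]


if __name__ == "__main__":
    print(approle_login_request(CONFIG)[:2])
    print(secret_read_request(CONFIG, LOGIN_RESPONSE)[:2])
    print(extract_credential(CONFIG, KV2_RESPONSE)[0])
```

Selecting the wrong Vault Type for an engine shows up here as the `KeyError`: a KV2 reply read as KV1 exposes only `data` and `metadata`, so the configured keys are not found.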

Lieberman
Lieberman is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.

| Option | Database Type | Description | Required |
| --- | --- | --- | --- |
| Username | All | The target system’s username. | yes |
| Lieberman host | All | The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. | yes |
| Lieberman port | All | The port on which Lieberman listens. | yes |
| Lieberman API URL | All | The URL Tenable Vulnerability Management uses to access Lieberman. | no |
| Lieberman user | All | The Lieberman explicit user for authenticating to the Lieberman API. | yes |
| Lieberman password | All | The password for the Lieberman explicit user. | yes |
| Lieberman Authenticator | All | The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user. | no |
| Lieberman Client Certificate | All | The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. | no |
| Lieberman Client Certificate Private Key | All | The file that contains the PEM private key for the client certificate. | no |
| Lieberman Client Certificate Private Key Passphrase | All | The passphrase for the private key, if required. | no |
| Use SSL | All | If Lieberman is configured to support SSL through IIS, check for secure communication. | no |
| Verify SSL Certificate | All | If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates. | no |
| System Name | All | In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. | no |
| Database Port | All | The port on which Tenable Vulnerability Management communicates with the database. | yes |
| Database Name | DB2, PostgreSQL | (PostgreSQL and DB2 databases only) The name of the database. | no |
| Auth type | Oracle, SQL Server, Sybase ASE | (SQL Server, Oracle, and Sybase ASE databases only) SQL Server values include: Windows, SQL. Oracle values include: SYSDBA, SYSOPER, NORMAL. Sybase ASE values include: RSA, Plain Text. | yes |
| Instance Name | SQL Server | The name for your database instance. | no |
| Service type | Oracle | Valid values include: SID, SERVICE_NAME. | no |
| Service | Oracle | The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option. | yes |

QiAnXin
QiAnXin is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from QiAnXin to use in a scan.

| Option | Description | Required |
| --- | --- | --- |
| QiAnXin Host | The IP address or URL for the QiAnXin host. | yes |
| QiAnXin Port | The port on which the QiAnXin API communicates. By default, Tenable uses 443. | yes |
| QiAnXin API Client ID | The Client ID for the embedded account application created in QiAnXin PAM. | yes |
| QiAnXin API Secret ID | The Secret ID for the embedded account application created in QiAnXin PAM. | yes |
| Username | The username to log in to the hosts you want to scan. | yes |
| Host IP | Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. | no |
| Platform | Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values: ACTIVE_DIRECTORY (Windows Domain Account), WINDOWS (Windows Local Account), LINUX (Linux Account), SQL_SERVER (SQL Server Database), ORACLE (Oracle Database), MYSQL (MySQL Database), DB2 (DB2 Database), HP_UNIX (HP Unix), SOLARIS (Solaris), OPENLDAP (OpenLDAP), POSTGRESQL (PostgreSQL). | no |
| Region ID | Specify the region ID of the asset containing the account to use. | Only if using multiple regions |
| Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. | no |
| Verify SSL Certificate | When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. | no |

Senhasegura
| Option | Description | Required |
| --- | --- | --- |
| Senhasegura Host | The IP address or URL for the Senhasegura host. | yes |
| Senhasegura Port | The port on which the Senhasegura API communicates. By default, Tenable uses 443. | yes |
| Senhasegura API Client ID | The Client ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. | yes |
| Senhasegura API Secret ID | The Secret ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. | yes |
| Senhasegura Credential ID or Identifier | The credential ID or identifier for the credential you are requesting to retrieve. | yes |
| Private Key File | The Private Key used to decrypt encrypted sensitive data from A2A. Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura. | Required if you have enabled encryption of sensitive data in A2A Application Authorizations. |
| HTTPS | This is enabled by default. | yes |
| Verify SSL Certificate | This is disabled by default. | no |

Host

Tenable Vulnerability Management supports the following forms of host authentication:

• SNMPv3
• Secure Shell (SSH)
• Windows

Note: Some credential types may not be available for configuration, depending on the scan template you
selected.

SNMPv3
Use SNMPv3 credentials to scan remote systems that use an encrypted network management
protocol (including network devices). Tenable Vulnerability Management uses these credentials to
scan for patch auditing or compliance checks.

Note: SNMPv3 options are only available in the Advanced Network Scan template.

Click SNMPv3 in the Credentials list to configure the following settings:

| Option | Description | Default | Required |
| --- | --- | --- | --- |
| Username | (Required) The username for the SNMPv3 account that Tenable Vulnerability Management uses to perform checks on the target system. | - | yes |
| Port | The TCP port that SNMPv3 listens on for communications from Tenable Vulnerability Management. | 161 | no |
| Security level | The security level for SNMP: Authentication without privacy, or Authentication and privacy. | Authentication and privacy | yes |
| Authentication algorithm | The algorithm the remote service supports: SHA1, SHA224, SHA-256, SHA-384, SHA-512 or MD5. | SHA1 | yes (if you select authentication) |
| Authentication password | (Required) The password associated with the Username. | - | yes (if you select authentication) |
| Privacy algorithm | The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES. | AES-192 | yes (if you select authentication with privacy) |
| Privacy password | (Required) A password used to protect encrypted SNMP communication. | - | yes (if you select authentication with privacy) |

SSH
Use SSH credentials for host-based checks on Unix systems and supported network devices.
Tenable Vulnerability Management uses these credentials to obtain local information from remote
Unix systems for patch auditing or compliance checks. Tenable Vulnerability Management uses
Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-
based checks.

Tenable Vulnerability Management encrypts the data to protect it from being viewed by sniffer
programs.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such
as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system
configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable
recommends adding no more than 10 SSH credentials per scan.

Select SSH in the Credentials list to configure the settings for the following SSH authentication
methods:

SSH Authentication Method: Public Key
Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure
authentication mechanism by the use of a public and private key pair. In asymmetric cryptography,
the public key is used to encrypt data and the private key is used to decrypt it. The use of public and
private keys is a more secure and flexible method for SSH authentication. Tenable Vulnerability
Management supports both DSA and RSA key formats.

Like Public Key Encryption, Tenable Vulnerability Management supports RSA and DSA OpenSSH
certificates. Tenable Vulnerability Management also requires the user certificate, which is signed by
a Certificate Authority (CA), and the user’s private key.

Note: Tenable Vulnerability Management supports the OpenSSH SSH public key format. Formats from
other SSH applications, including PuTTY and SSH Communications Security, must be converted to
OpenSSH public key format.

Credentialed scans are most effective when the supplied credentials have root privileges. Since
many sites do not permit a remote login as root, Tenable Vulnerability Management can invoke su,
sudo, su+sudo, dzdo, .k5login, or pbrun with a separate password for an account that has been set
up to have su or sudo privileges. In addition, Tenable Vulnerability Management can escalate
privileges on Cisco devices by selecting Cisco ‘enable’ or .k5login for Kerberos logins.

Note: Tenable Vulnerability Management supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms.
Some commercial variants of SSH do not have support for the blowfish algorithm, possibly for export
reasons. It is also possible to configure an SSH server to accept certain types of encryption only. Check
your SSH server to ensure the correct algorithm is supported.

Tenable Vulnerability Management encrypts all passwords stored in policies. However, the use of
SSH keys for authentication rather than SSH passwords is recommended. This helps ensure that
the same username and password you are using to audit your known SSH servers is not used to
attempt to log in to a system that may not be under your control.

Note: For supported network devices, Tenable Vulnerability Management only supports the network
device’s username and password for SSH connections.

If an account other than root must be used for privilege escalation, it can be specified under the
Escalation account with the Escalation password.

| Option | Description | Required |
| --- | --- | --- |
| Username | The username to authenticate to the host. | yes |
| Private Key | The RSA or DSA Open SSH key file of the user. | yes |
| Private key passphrase | The passphrase of the Private Key. | no |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. | no |
| Targets to prioritize credentials | Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma- or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. | no |

SSH Authentication Method: Certificate

| Option | Description | Required |
| --- | --- | --- |
| Username | The username to authenticate to the host. | yes |
| User Certificate | The RSA or DSA Open SSH certificate file of the user. | yes |
| Private Key | The RSA or DSA Open SSH key file of the user. | yes |
| Private key passphrase | The passphrase of the Private Key. | no |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. | no |
| Targets to prioritize credentials | Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma- or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. | no |

SSH Authentication Method: CyberArk Vault


CyberArk is a popular enterprise password vault that helps you manage privileged credentials.
Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.

CyberArk

| Option | Description | Required |
| --- | --- | --- |
| CyberArk Host | The IP address or FQDN name for the CyberArk AIM Web Service. | yes |
| Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. | yes |
| AppID | The Application ID associated with the CyberArk API connection. | yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue. | no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | yes, if private key is applied |
| Kerberos Target Authentication | If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. | no |
| Key Distribution Center (KDC) | (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. | yes |
| KDC Port | The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. | no |
| KDC Transport | The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. | no |
| Realm | (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Vulnerability Management uses 443. | yes |
| Get credential by | The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username. Note: For more information about the Parameters option, refer to the Parameters Options table. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. | yes |
| Username | (If Get credential by is set to Username) The username of the CyberArk user to request a password from. | no |
| Safe | The CyberArk safe the credential should be retrieved from. | no |
| Address | The option should only be used if the Address value is unique to a single CyberArk account credential. | no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
| Use SSL | If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. | no |
| Verify SSL Certificate | If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. | no |
| Targets to Prioritize Credentials | Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma- or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. | no |
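A small model of the ordering that Targets to Prioritize Credentials describes for the SSH authentication methods above, added here as an illustration and not Tenable's implementation. It parses the comma- or space-separated list of IPs and CIDR blocks and reproduces the 59th-of-100 case from the text; the function names, credential names and addresses are constructed.

```python
import ipaddress
import re


def parse_target_list(text):
    """Parse a comma- or space-separated list of IPs and CIDR blocks."""
    networks = []
    for token in re.split(r"[,\s]+", text.strip()):
        if not token:
            continue
        # A bare IP becomes a single-address network; strict=False also
        # accepts a host address with a prefix, such as 10.20.3.4/16.
        # A malformed entry raises ValueError instead of being skipped.
        networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def order_for_target(credentials, target_ip):
    """Return credential names in the order they are tried for target_ip.

    credentials is a list of (name, prioritized_targets_text) in configured
    order. Credentials whose prioritized targets cover target_ip move to the
    front; sorted() is stable, so configured order is otherwise preserved.
    """
    addr = ipaddress.ip_address(target_ip)

    def rank(entry):
        _, targets = entry
        covered = any(addr.version == net.version and addr in net
                      for net in parse_target_list(targets))
        return 0 if covered else 1

    return [name for name, _ in sorted(credentials, key=rank)]


def attempts_until_success(credentials, target_ip, working_name):
    """Count how many credentials are tried before the working one succeeds."""
    return order_for_target(credentials, target_ip).index(working_name) + 1


def demo():
    # 100 constructed credentials; only cred-059 works on the target.
    plain = [(f"cred-{i:03d}", "") for i in range(1, 101)]
    tuned = [(name, "10.20.0.0/16, 192.0.2.15 198.51.100.0/24")
             if name == "cred-059" else (name, targets)
             for name, targets in plain]
    return (
        attempts_until_success(plain, "10.20.3.4", "cred-059"),    # no priority set
        attempts_until_success(tuned, "10.20.3.4", "cred-059"),    # target in 10.20.0.0/16
        attempts_until_success(tuned, "203.0.113.9", "cred-059"),  # target not listed
    )


if __name__ == "__main__":
    print(demo())
```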

CyberArk Auto-Discovery

You can now take advantage of a significant improvement to Tenable’s CyberArk Integration which
gathers bulk account information for specific target groups without entering multiple targets. For
more information, see CyberArk Dynamic Scanning in the Tenable CyberArk Integrations Guide.

| Option | Description | Required |
| --- | --- | --- |
| CyberArk Host | The IP address or FQDN name for the user’s CyberArk Instance. Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host. | yes |
| Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host. | yes |
| CCP Host | The IP address or FQDN name for the user’s CyberArk CCP component. Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host. | no |
| CCP Port | The port on which the CyberArk CCP (AIM Web Service) API communicates. By default, Tenable uses 443. Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host. | no |
| AppID | The Application ID associated with the CyberArk API connection. | yes |
| Safe | Users may optionally specify a Safe to gather account information and request passwords. | no |
| AIM Web Service Authentication Type | There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. | yes |
| CyberArk PVWA Web UI Login Name | Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. | yes |
| CyberArk PVWA Web UI Login Password | Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. | yes |