Tenable Security Center-User Guide

Uploaded by

Harsha Vardhan
Tenable Security Center 6.3.x User Guide
Last Revised: June 24, 2024

Copyright © 2024 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents

Welcome to Tenable Security Center 20

Get Started With Tenable Security Center 20

Tenable Security Center Architecture 24

Considerations for Air-Gapped Environments 26

Requirements 28

Hardware Requirements 29

Cloud Requirements 31

System Requirements 37

Customize SELinux Enforcing Mode Policies for Tenable Security Center 41

Use /dev/random for Random Number Data Generation 42

Tenable Security Center Database Journaling Modes 43

Enable Write-Ahead Logging 44

Disable Write-Ahead Logging 46

License Requirements 47

Apply a New License 54

Update an Existing License 55

Port Requirements 56

Browser Requirements 62

Tenable Integrated Product Compatibility 62

Large Enterprise Deployments 62

Installation and Upgrade 62

Before You Install 63

Install Tenable Security Center 64

Quick Setup 66

Install a Tenable Security Center Patch 71

Before You Upgrade 73

Upgrade Tenable Security Center 74

Restore Custom SSL Certificates 76

Update the Apache Configuration File 78

Uninstall Tenable Security Center 79

User Access 80

Log In to the Web Interface 81

Log in to the Web Interface via SSL Client Certificate 82

User Roles 84

Create a User Role 90

Edit a User Role 91

View User Role Details 92

Delete a User Role 93

Organizations and Groups 94

Organizations 94

Add an Organization 99

View Organization Details 100

Delete an Organization 102

Groups 103

Add a Group 104

View Group Details 105

Delete a Group 106

User Accounts 107

Add a TNS-Authenticated User 108

Add an LDAP-Authenticated User 110

Add a SAML-Authenticated User 112

Manage User Accounts 114

Edit Your User Account 116

View User Details 117

Delete a User 118

Linked User Accounts 120

Add a Linked User 122

Switch to a Linked User Account 124

Edit a Linked User Account 125

Delete a Linked User Account 126

Custom Group Permissions 128

Generate API Keys 130

Delete API Keys 131

User Account Options 132

LDAP Authentication 141

Add an LDAP Server 146

LDAP User Provisioning 146

Configure LDAP User Provisioning 147

Delete an LDAP Server 149

LDAP Servers with Multiple OUs 150

SAML Authentication 153

Configure SAML Authentication Automatically via the User Interface 156

Configure SAML Authentication Manually via the User Interface 157

Configure SAML Authentication via the SimpleSAML Module 159

SAML User Provisioning 163

Configure SAML User Provisioning 164

SAML Authentication XML Configuration Examples 165

Certificate Authentication 169

Configure Tenable Security Center to Allow SSL Client Certificate Authentication 170

Configure a CRL in Tenable Security Center 171

Configure OCSP Validation in Tenable Security Center 175

Search 176

Certificates and Certificate Authorities in Tenable Security Center 178

Tenable Security Center Server Certificates 179

Upload a Server Certificate for Tenable Security Center 180

Regenerate the Tenable Security Center Server Certificate 181

Trust a Custom CA 183

System Settings 183

Configuration Settings 184

Edit Plugin and Feed Settings and Schedules 197

Configure Plugin Text Translation 198

API Key Authentication 199

Enable API Key Authentication 200

Disable API Key Authentication 200

Enable Picture in Picture 201

Disable Picture in Picture 202

Tenable One Data 202

View Tenable One Metrics 202

View Tenable One Data Synchronization Logs 204

Edit an ACR Manually 206

Diagnostics Settings 208

Generate a Diagnostics File 209

Diagnostics File Options 210

Enable Debugging Logs 213

Download Debugging Logs 214

Disable Debugging Logs 215

Job Queue Events 216

System Logs 216

View System Logs 217

Publishing Sites Settings 217

Keys Settings 218

Add a Key 219

Delete a Key 219

Download the Tenable Security Center SSH Key 220

Notifications 221

User Profile Menu Settings 221

Plugin Filter Components 223

Custom Plugin Packages for NASL and CA Certificate Upload 228

Create the Custom Plugin Package 230

Upload the Custom Plugin Package 231

Troubleshooting Issues with the custom_CA.inc File 232

Backup and Restore 233

Perform a Backup 235

Restore a Backup 237

Perform a Configuration Backup 238

Restore a Configuration Backup 240

Tenable One Synchronization 241

Plan Your Tenable One Synchronization 243

Network Support and Repository Overlap 246

Configure Tenable One Synchronization 247

View Tenable One Synchronization Status 252

Disable Tenable One Synchronization 254

Configure Scans 256

Scanning Overview 256

Resources 258

Tenable Nessus Scanners 258

Add a Tenable Nessus Scanner 262

Add a Tenable Vulnerability Management Scanner 264

Tenable Nessus Scanner Statuses 266

Manage Nessus Scanners 270

View Your Nessus Scanners 271

View Details for a Nessus Scanner 273

View Tenable Nessus Instances in Tenable Security Center 275

Download Tenable Nessus Scanner Logs 276

Delete a Nessus Scanner 277

Tenable Nessus Network Monitor Instances 278

Add an Tenable Nessus Network Monitor Instance 280

View Your Tenable Nessus Network Monitor Instances 281

Tenable Nessus Network Monitor Instance Settings 282

Tenable Log Correlation Engines 283

Add a Tenable Log Correlation Engine Server 285

Tenable Log Correlation Engine Clients 287

Tenable Log Correlation Engine Client Policies 288

OT Security Instances 288

Repositories 289

Manage Repositories 290

Add a Repository 292

View Your Repositories 293

View Repository Details 294

Export a Repository 297

Import a Repository 299

Delete a Repository 300

Local Repositories 301

IPv4/IPv6 Repositories 301

Mobile Repositories 304

Agent Repositories 314

Universal Repositories 316

External Repositories 318

Offline Repositories 318

Remote Repositories 321

Tiered Remote Repositories 322

Configure Tiered Remote Repositories 323

Active Scans 324

Add an Active Scan 325

Configure vSphere Scanning 328

Manage Active Scans 331

Start or Pause a Scan 333

Suspend or Resume a Scheduled Active Scan 334

Run a Diagnostic Scan 335

Active Scan Settings 336

Launch a Remediation Scan 342

Attack Surface Domain Discovery 344

Add a Domain 345

View Domain Details 346

Delete a Domain 346

Active Scan Objects 347

Assets 349

Add a Template-Based Asset 357

Add a Custom Asset 358

View Asset Details 359

View Hosts 361

Export Hosts 362

Host Asset Filter Components 363

View Domain Inventory Assets 364

Create a Domain Inventory Asset List 365

Export Domain Inventory Assets 366

Domain Inventory Filter Components 367

Credentials 367

Add Credentials 368

Miscellaneous Credentials 369

API Gateway Credentials 373

Database Credentials 374

IBM DB2 375

Informix/DRDA 376

MySQL 376

Oracle Database 377

PostgreSQL 378

SQL Server 379

Sybase ASE 380

Apache Cassandra 381

MongoDB 381

Database Credentials Authentication Method Settings 382

SNMP Credentials 398

SSH Credentials 398

Privilege Escalation 424

Windows Credentials 429

Web Authentication Credentials 451

Audit Files 456

Add a Template-Based Audit File 457

Add a Custom Audit File 458

Manage Audit Files 460

Scan Zones 462

Add a Scan Zone 465

View Your Scan Zones 466

Edit a Scan Zone 466

Delete a Scan Zone 467

Scan Policies 468

Add a Scan Policy 469

Scan Policy Templates 470

Scan Policy Options 477

Configure Compliance Options 507

Configure Plugin Options 508

Host 511

Miscellaneous 512

Plaintext Authentication 517

Patch Management 521

View Your Scan Policies 530

View Scan Policy Details 531

Edit a Scan Policy 532

Share or Revoke Access to a Scan Policy 533

Export a Scan Policy 534

Import a Scan Policy 535

Copy a Scan Policy 537

Delete a Scan Policy 537

Agent Scanning 538

Agent Scans 540

Add an Agent Scan 541

Manage Agent Scans 542

Agent Scan Settings 544

Agent Synchronization Jobs 547

Add an Agent Synchronization Job 547

Manage Agent Synchronization Jobs 549

Agent Synchronization Job Settings 551

Web App Scans 554

Add a Web App Scan 556

Manage Web App Scans 557

Web App Scan Settings 559

Freeze Windows 564

Add a Freeze Window 566

Edit a Freeze Window 566

Delete a Freeze Window 567

Tags 568

Add a Tag 568

Remove or Delete a Tag 569

Analyze Data 571

Dashboards 571

View a Dashboard 573

Overview Dashboard 574

Health Overview Dashboard 576

LCE Overview Dashboard 579

Set a Dashboard as Your Default Dashboard 580

Add a Template-Based Dashboard 581

Add a Custom Dashboard 582

Dashboard and Component Templates 583

Import a Dashboard 584

Manage Dashboards 585

Edit Settings for a Dashboard 586

Share or Revoke Access to a Dashboard 587

Delete a Dashboard 588

Manage Dashboard Components 589

Add a Template-Based Dashboard Component 591

Add a Custom Dashboard Component 592

Custom Dashboard Component Options 593

Configure a Simple Matrix Dashboard Component 603

Interact with a Customizable Table 606

Scan Results 607

Scan Result Statuses 608

Manage Scan Results 610

View Scan Results 614

View Scan Result Details 615

Upload Scan Results 618

Solutions Analysis 619

View Solutions 620

View Solution Details 621

Export Hosts Affected by a Solution 623

Vulnerability Analysis 626

Cumulative vs. Mitigated Vulnerabilities 626

View Cumulative or Mitigated Vulnerabilities 627

CVSS vs. VPR 628

CVSS 628

Vulnerability Priority Rating 629

VPR Key Drivers 630

Vulnerability Analysis Tools 631

Vulnerability Analysis Filter Components 636

View Vulnerabilities by Host 650

View Vulnerabilities by Plugin 652

View Vulnerability Instance Details 655

View Host Details 657

View Plugin Details 663

Export Vulnerability Data 664

Web App Scanning Analysis 665

Web App Scanning Analysis Tools 665

Web App Scanning Analysis Filter Components 668

View Web App Scanning Vulnerability Details 679

Export Web App Scanning Data 681

Event Analysis 682

Event Analysis Tools 685

Event Analysis Filter Components 689

Mobile Analysis 692

Mobile Analysis Filter Components 693

Reports 694

Manage Reports 695

Create a Custom Report 696

Create a Template Report 697

Data Required for Template-Based Reports 699

Report Templates 700

Edit a Report Definition 701

Report Options 702

Edit a Report Outline 710

Add a Custom Chapter to a Report 711

Add a Template Chapter to a Report 712

Add or Edit a Report Element 715

Configure a Grouping Element in a Report 716

Configure a Text Element in a Report 720

Configure a Matrix Element in a Report 722

Configure a Table Element in a Report 725

Configure a Charts Element in a Report 727

Reorder Report Chapters and Elements 732

Manage Filters for a Chapter Report 732

Manage Filter Components for a Single Element 733

Manage Filter Components for Multiple Elements 735

Manage Filter Components for a Non-Chapter Report 737

View a Report Definition 738

Copy a Report Definition 739

Export a Report Definition 740

Import a Report Definition 741

Delete a Report Definition 742

Launch a Report on Demand 743

Add a Report to a Scan 743

Manage Report Results 744

Stop a Running Report 745

Download a Report Result 745

View a Report Result 746

Publish a Report Result 747

Email a Report Result 747

Copy a Report Result 748

View Errors for a Failed Report 748

Delete a Report Result 749

CyberScope and DISA Report Attributes 749

Report Images 751

Assurance Report Cards 752

Add a Template-Based Assurance Report Card 753

Add a Custom Assurance Report Card 754

View Your Assurance Report Cards 755

View Details for an Assurance Report Card 756

Edit an Assurance Report Card 757

Share or Revoke Access to an Assurance Report Card 758

Export an Assurance Report Card 759

Copy an Assurance Report Card 761

Delete an Assurance Report Card 761

Assurance Report Card Options 762

Filters 765

Apply a Filter 766

Filter Components 767

Queries 771

Add or Save a Query 771

Load a Query 773

Query Options 774

Edit a Query 777

Workflow Actions 778

Alerts 778

Alert Actions 778

Add an Alert 783

View Alert Details 784

Alert Options 786

Edit an Alert 787

Evaluate an Alert 788

Delete an Alert 789

Tickets 789

Open a Ticket 790

View Ticket Details 791

Ticket Options 793

Edit a Ticket 794

Resolve and Close a Ticket 794

Accept Risk Rules 795

Add an Accept Risk Rule 796

Delete an Accept Risk Rule 797

Recast Risk Rules 798

Add a Recast Risk Rule 799

Edit a Recast Risk Rule 800

Delete a Recast Risk Rule 801

Additional Resources 803

Start, Stop, or Restart Tenable Security Center 803

License Declarations 804

Encryption Strength 804

Configure SSL/TLS Strong Encryption 806

Configure Tenable Security Center for NIAP Compliance 807

File and Process Allow List 808

Manual Log Correlation Engine Key Exchange 809

Manual Tenable Nessus SSL Certificate Exchange 811

Overview of Tenable Nessus SSL Certificates and Keys 811

Tenable Nessus Certificate Configuration for Unix 812

Tenable Nessus Certificate Configuration for Windows 821

Offline Plugin and Feed Updates for Tenable Security Center 826

Perform an Offline Nessus Plugin Update 826

Perform an Offline Tenable Nessus Network Monitor Plugin Update 828

Perform an Offline Tenable Security Center Feed Update 830

Perform an Offline Tenable Web App Scanning Plugins Update 832

Configure Tenable Nessus + Tenable Web App Scanning for Tenable Security Center Offline 834

Troubleshooting 835

General Tenable Security Center Troubleshooting 835

Tenable Log Correlation Engine Troubleshooting 837

Tenable Nessus Troubleshooting 839

Tenable Nessus Network Monitor Troubleshooting 841

Error Messages 842

Welcome to Tenable Security Center
This user guide describes how to install, configure, and manage Tenable Security Center™ 6.3.x.

Tenable Security Center is a comprehensive vulnerability management solution that provides
complete visibility into the security posture of your distributed and complex IT infrastructure.
Tenable Security Center consolidates and evaluates vulnerability data from across your entire IT
infrastructure, illustrates vulnerability trends over time, and assesses risk with actionable context
for effective remediation prioritization.

To get started, see Get Started With Tenable Security Center.

For additional information on Tenable Security Center, review the following customer education
materials:

• Tenable Security Center Self Help Guide

• Tenable Security Center Introduction (Tenable University)

Get Started With Tenable Security Center


Use the following getting started sequence to configure and mature your Tenable Security Center
deployment.

1. Prepare

2. Install

3. Configure Scans

4. Refine

5. Expand

Tip: For additional information on Tenable Security Center, review the following customer education
materials:

• Tenable Security Center Self Help Guide

• Tenable Security Center Introduction (Tenable University)

Prepare

Before you begin, learn about Tenable Security Center and establish a deployment plan and analysis
workflow to guide your configurations.

• Access Tenable Support and training resources for Tenable Security Center, including:

    • the Tenable University training courses

    • the Tenable Scan Strategy guide

• Design a deployment plan by identifying your organization's objectives and analyzing your
network topology. Consider Tenable-recommended best practices for your environment. For
more information about environment requirements, see Requirements. For information about
scan types, see Scanning Overview.

• Design an analysis workflow. Identify key stakeholders in your management and operational
groups, considering the data you intend to share with each stakeholder.

For more information about planning a large enterprise deployment of Tenable Security Center, see
the Tenable Security Center Large Enterprise Deployment Guide.

For more information about the basic architecture of a Tenable Security Center deployment, see
Tenable Security Center Architecture.

Install
Install Tenable Security Center and perform initial configuration.

1. Depending on your environment, install Tenable Security Center directly, or deploy or install it
with Tenable Core.

For complete information about Tenable Core + Tenable Security Center, see the Tenable
Core User Guide.

2. Perform quick setup, as described in Quick Setup. You can:

• Upload licenses

• Configure one Tenable Nessus scanner

• Configure one Tenable Nessus Network Monitor scanner (requires a Tenable Nessus
Network Monitor activation license)

• Configure one Tenable Log Correlation Engine server (requires a Tenable Log
Correlation Engine® activation license)

• Create one repository

• Create one organization

• Configure one LDAP server

• Create one administrator user account and one security manager account

• Configure usage statistic collection

Tenable recommends following the quick setup wizard, but you can configure these features
later. For example, do not configure LDAP until you have easy access to all necessary LDAP
parameters.

3. Configure SMTP settings. The Mail option designates SMTP settings for all email-related
Tenable Security Center functions. Available options include SMTP host, port, authentication
method, encryption, and return address. In addition, you can use Test SMTP Settings in the
upper left corner of the page to validate the settings.

4. Configure scan zones, as described in Add a Scan Zone.

5. Configure additional repositories, if necessary, as described in Repositories.

6. Configure additional scanners, if necessary, as described in Tenable Nessus Scanners,
Tenable Nessus Network Monitor Instances, and Tenable Log Correlation Engines.

7. Configure security settings (e.g., password complexity requirements and custom banners).
Use the Security section to define the Tenable Security Center user interface login parameters
and options for account logins. You can also configure banners, headers, and classification
headers and footers.

Configure Scans
Configure and run basic scans to begin evaluating the effectiveness of your deployment plan and
analysis workflow.

1. Configure credentials, as described in Credentials.

2. Create static assets, as described in Add a Custom Asset. For more information about asset
types, see Assets.

3. Configure a Host Discovery policy and a Basic Network Scan policy from Tenable-provided
scan policy templates, as described in Add a Scan Policy.

4. Configure and run scans for those policies, as described in Add an Active Scan and Add an
Agent Scan.

5. Confirm that the scans can access all areas of your network with no credential issues.

6. Configure Tenable Nessus Network Monitor scanners, as described in Tenable Nessus
Network Monitor Instances.

7. When the scans complete, create template-based dashboards and reports, as described in
Dashboards and Reports.

8. Search for vulnerabilities by CVE ID, as described in Search.

Tenable recommends frequently reviewing your scan results and scan coverage. You may need to
modify your scan configurations to suit your organization's objectives and reach all areas of your
network.

Refine
Configure other features, if necessary, and refine your existing configurations.

• Configure audit files, as described in Audit Files.

• Create additional scan policies, as described in Add a Scan Policy.

• Configure scan freeze windows, as described in Add a Freeze Window.

• Configure groups, as described in Add a Group.

• Create a custom user role, as described in Create a User Role.

• Create additional user accounts and share objects with users, as described in User Accounts.

• Create dynamic assets and combination assets, as described in Add a Custom Asset. For
more information about asset types, see Assets.

• Review the plugin update schedule, as described in Edit Plugin and Feed Settings and
Schedules. Consider editing the schedules to suit your needs. For example, you may want to
schedule plugin and feed updates to run a few hours before your scheduled scans.

• Add queries and use filters, as described in Add or Save a Query and Apply a Filter.

• Create custom dashboards and reports, as described in Dashboards and Reports.

• Create Assurance Report Cards (ARCs), as described in Assurance Report Cards.

• Configure alerts, ticketing, accept risk rules, and recast risk rules, as described in Workflow
Actions.

• View vulnerability data and use the built-in analysis tools, as described in Vulnerability
Analysis.

Expand
Review and mature your deployment plan and analysis workflow.

• Conduct weekly meetings to review your organization's responses to identified vulnerabilities.

• Conduct weekly management meetings to oversee your teams executing the analysis
workflow.

• Review scan automation settings and consider revising.

• Review your scan results and scan coverage. You may need to modify your scan
configurations to suit your organization's objectives and reach all areas of your network.

• Optimize and operationalize your custom dashboards to meet the needs of individual user
account holders.

• Optimize and operationalize your custom reports to prepare them for distribution.

• Consider configuring API integrations, as described in the Tenable Security Center API Guide
and the Tenable Security Center API Best Practices Guide.

• Consider synchronizing Tenable Security Center with Tenable Lumin to take advantage of
Cyber Exposure features, as described in Tenable Lumin Synchronization.

Tenable Security Center Architecture

Physical Architecture
At a high level, a Tenable Security Center deployment has two parts:

• A central Tenable Security Center console to manage scans, reports, user access, and other
application tools.

• One or more scanners to collect data and report results to the Tenable Security Center
console.

Logical Architecture
Tenable Security Center is divided into organizations. Each organization has access to one or more
repositories that store scan data. For example, users in Organization 1 can only see repositories
that are assigned to Organization 1; however, a repository can be assigned to more than one
organization.

The highest-level user in an organization is the Security Manager. For more information about user
permissions, see User Roles.

Very broadly, the logical layout / architecture of Tenable Security Center looks like this:

[Figure: logical architecture diagram (image not included in this extraction)]
Many environments have just one organization. The following are some common use cases for
multiple organizations:

• Environments where there are multiple departments or entities in a business that are logically
independent, but that are all governed by the same structure.

• Acquisitions: there may be a reason to keep the acquiring company and acquired company
separate.

Considerations for Air-Gapped Environments


Consider the following when deploying Tenable Security Center in an air-gapped (offline)
environment.

Architecture
You must deploy a Tenable Security Center and a set of scanners within each air-gapped network.

If you want to consolidate data from other networks with the data generated in your air-gapped
network, you can use offline repositories to export data from your air-gapped Tenable Security
Center to your other instance of Tenable Security Center. This supports both consolidated and
federated reporting structures.

Upgrades and Updates


Tenable recommends performing Tenable Security Center upgrades at least once a year (quarterly
preferred) and plugin/feed updates at least once a month. After you perform a plugin update, run
comprehensive scans to take advantage of the new vulnerability data and generate current scan
results.

Note: A few plugins require internet access and cannot run in an air-gapped environment. For example,
Tenable Nessus plugin 52669 checks to see if a host is part of a botnet.

After you perform a plugin update or feed update, verify the files as described in the knowledge
base article.

To perform a Tenable Security Center upgrade or a plugin/feed update offline:

Tip: You can use the API to automate some of the Tenable Security Center upgrade and plugin update
process.

1. Download the files in a browser or via the API.

2. Verify the integrity of the files.

    • Tenable Security Center upgrade: Compare the download checksum with the checksum
on the Tenable downloads page.

    • Plugin/feed update: Download and compare the checksums.

3. Move the files to your Tenable Security Center instance.

4. Upload the files to Tenable Security Center.

    • Tenable Security Center upgrade: via the CLI.

    • Plugin/feed update: in a browser or via the API.
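Step 2 above (verify the integrity of the files before moving them into the air-gapped network) is the point where an unverified or tampered download gets caught. The following script is an added example, not part of this guide and not Tenable's tooling: it computes the SHA-256 digest of a downloaded file and compares it with the checksum you copied from the Tenable downloads page. The file name and the demo payload are constructed for illustration; the expected checksum must always come from the downloads page, never from the file's own directory.

```shell
#!/bin/sh
# Added example (not Tenable's code): verify a downloaded upgrade or
# plugin/feed file against the published checksum before staging it
# for transfer into the air-gapped network.

# Compute the SHA-256 hex digest of a file. Prefers sha256sum (coreutils)
# and falls back to shasum on systems that lack it.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 otherwise. Nothing should be moved or uploaded until this returns 0.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Constructed demonstration: a stand-in for a downloaded feed tarball.
# The "good" checksum is derived here only so the demo is self-contained;
# in practice it is copied from the Tenable downloads page.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/sc-plugins-demo.tar.gz"
printf 'constructed sample feed payload\n' > "$demo_file"
good_sum=$(file_sha256 "$demo_file")
bad_sum="0000000000000000000000000000000000000000000000000000000000000000"

verify_checksum "$demo_file" "$good_sum"
verify_checksum "$demo_file" "$bad_sum" || echo "refusing to stage $demo_file"
```

Run it on the staging host that sits on the connected side of the gap, and only carry across files for which the check printed OK; a failed comparison is the signal to re-download rather than to proceed.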

Tenable Nessus Agents

If you deployed Tenable Nessus Manager to manage Tenable Nessus Agents in an air-gapped
environment, perform an offline software update (nessus-agent-updates-X.X.X.tar.gz on the
Tenable Downloads site) on your Tenable Nessus Manager. Tenable Nessus Manager pushes the
update to the managed Tenable Nessus Agents.

For more information, see the knowledge base article.

Requirements
You can run Tenable Security Center in the following environments.

Environment                                              More Information

Tenable Core     Virtual: VMware, Microsoft Hyper-V      Requirements in the Tenable Core User Guide
                 Cloud: Amazon Web Services (AWS)
                 Hardware

Other platforms  Cloud: Amazon Web Services (AWS)        Cloud Requirements
                 Hardware                                Hardware Requirements

For general information about other requirements to run Tenable Security Center, see:

Hardware Requirements

Cloud Requirements

System Requirements

License Requirements

Port Requirements

Browser Requirements

Tenable Integrated Product Compatibility

Large Enterprise Deployments

Hardware Requirements
You can run Tenable Security Center on hardware, with or without Tenable Core. For more
information about Tenable Core, see the Tenable Core User Guide.

Note: Tenable strongly discourages running Tenable Security Center or Tenable Core + Tenable Security
Center in an environment shared with other Tenable applications.

Storage Requirements
Tenable recommends installing Tenable Security Center on direct-attached storage (DAS) devices
(or storage area networks [SANs], if necessary) with a storage latency of 10 milliseconds or less.

Tenable does not support installing Tenable Security Center on network-attached storage (NAS).

Disk Space Requirements


Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource
requirements to consider for deployments include raw network speed, the size of the network being
monitored, and the configuration of the application. Processors, memory, and network cards are
heavily based on the former. Disk space requirements vary depending on usage based on the
amount and length of time data is stored on the system.

An important consideration is that Tenable Security Center can be configured to save a snapshot of
vulnerability archives each day. In addition, the size of the vulnerability data stored by Tenable
Security Center depends on the number and types of vulnerabilities, not just the number of hosts.
For example, 100 hosts with 100 vulnerabilities each could consume as much data as 1,000 hosts
with 10 vulnerabilities each. In addition, the output for vulnerability check plugins that do directory
listings, etc. is larger than Open Port plugins from discovery scans.

For networks of 35,000 to 50,000 hosts, Tenable has encountered data sizes of up to 25 GB. That
number is based on storage of 50,000 hosts and approximately 500 KB per host.

Additionally, during active scanning sessions, large scans, and multiple smaller scans have been
reported to consume as much as 150 GB of disk space as results are acquired. Once a scan has
completed and its results are imported, that disk space is freed up.

Requirements When Running Basic Network Scans + Local Checks

# of Hosts Managed by Tenable Security Center | CPU Cores | Memory | Disk Space Used for Vulnerability Trending
2,500 active IPs | 4 2GHz cores | 8 GB RAM | 90 days: 125 GB; 180 days: 250 GB
10,000 active IPs | 8 3GHz cores | 16 GB RAM | 90 days: 450 GB; 180 days: 900 GB
25,000 active IPs | 16 3GHz cores | 32 GB RAM | 90 days: 1.2 TB; 180 days: 2.4 TB
100,000 active IPs | 32 3GHz cores | 64 GB RAM | 90 days: 4.5 TB; 180 days: 9 TB

Requirements When Running Basic Network Scans + Local Checks + 1 Configuration Audit

# of Hosts Managed by Tenable Security Center | CPU Cores | Memory | Disk Space Used for Vulnerability Trending
2,500 active IPs | 4 2GHz cores | 8 GB RAM | 90 days: 225 GB; 180 days: 450 GB
10,000 active IPs | 8 3GHz cores | 16 GB RAM | 90 days: 900 GB; 180 days: 1.8 TB
25,000 active IPs | 16 3GHz cores | 32 GB RAM | 90 days: 2.25 TB; 180 days: 4.5 TB
100,000 active IPs | 32 3GHz cores | 128 GB RAM | 90 days: 9 TB; 180 days: 18 TB

Note: Tenable Security Center is a memory and disk I/O-intensive application. If you deploy Tenable
Security Center in a virtualized infrastructure, take care to avoid running Tenable Security Center in a
manner in which it may attempt to draw on oversubscribed resources, especially memory and disk I/O.
Refer to your vendor-specific virtualized infrastructure documentation for guidance on optimizing virtual
infrastructure resource allocation, such as Best Practices for Oversubscription of CPU, Memory and Storage in
vSphere Virtual Environments for VMware.

Disk Partition Requirements


Tenable Security Center installs into /opt/sc. Tenable highly recommends that you create the /opt
directory on a separate disk partition. If you want to increase performance, consider using two
disks: one for the operating system and one for the system deployed to /opt.

Tenable strongly recommends using high-performance disks. Tenable Security Center is a disk-
intensive application and using disks with high read/write speeds, such as SSDs, results in the best
performance.

If required disk space exists outside of the /opt file system, mount the desired target directory
using the command mount --bind <olddir> <newdir>. Make sure that the file system is
automatically mounted on reboot by editing the /etc/fstab file appropriately.

Note: Tenable Security Center does not support using symbolic links for /opt/sc/. You can use symbolic
links within /opt/sc/ subdirectories if instructed by Tenable Security Center documentation or Tenable
Support.
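The bind-mount procedure above has two parts that are easy to get half right: the live mount --bind, and the /etc/fstab entry that recreates it on reboot. The script below is an added example, not part of this guide and not Tenable's tooling. It produces the fstab line for a bind mount, appends it only if an equivalent entry is not already present, and refuses the path when it is a symbolic link (the unsupported layout called out in the note). The directory names and the temporary fstab file are placeholders constructed for the demonstration; the real mount command is printed rather than executed, because it needs root and would alter the host.

```shell
#!/bin/sh
# Added example (not Tenable's code): prepare a directory outside /opt for
# use under /opt/sc via a bind mount and make it persistent in /etc/fstab.
# All paths below are placeholders; adapt them to your own layout.

# fstab_bind_entry OLDDIR NEWDIR
# Prints the /etc/fstab line equivalent to `mount --bind OLDDIR NEWDIR`.
# Output only; nothing is written here.
fstab_bind_entry() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# check_no_symlink PATH
# Returns 0 when PATH is not a symbolic link, 1 when it is. Symlinks for
# /opt/sc itself are unsupported, so this is checked before anything else.
check_no_symlink() {
    if [ -L "$1" ]; then
        echo "unsupported: $1 is a symbolic link" >&2
        return 1
    fi
    return 0
}

# fstab_has_bind FSTAB_FILE NEWDIR
# Returns 0 when FSTAB_FILE already contains an uncommented bind entry whose
# mount point is NEWDIR (field 2) and whose options (field 4) include "bind".
fstab_has_bind() {
    awk -v target="$2" \
        '$1 !~ /^#/ && $2 == target && $4 ~ /bind/ { found = 1 } END { exit found ? 0 : 1 }' \
        "$1"
}

# ensure_fstab_bind OLDDIR NEWDIR FSTAB_FILE
# Appends the bind entry for NEWDIR to FSTAB_FILE unless one already exists
# (so re-running is safe), then prints the one-off mount command to run as
# root. Returns 1 without touching FSTAB_FILE if NEWDIR is a symlink.
ensure_fstab_bind() {
    olddir="$1"; newdir="$2"; fstab="$3"
    check_no_symlink "$newdir" || return 1
    if fstab_has_bind "$fstab" "$newdir"; then
        echo "fstab already binds $newdir" >&2
    else
        fstab_bind_entry "$olddir" "$newdir" >> "$fstab"
    fi
    echo "run as root: mount --bind $olddir $newdir"
}

# Constructed demonstration against a temporary file standing in for
# /etc/fstab, using placeholder directories.
demo_fstab=$(mktemp)
ensure_fstab_bind /data/sc-example /opt/sc/example-subdir "$demo_fstab"
ensure_fstab_bind /data/sc-example /opt/sc/example-subdir "$demo_fstab"   # no duplicate entry
cat "$demo_fstab"
```

After the real mount and fstab edit, `findmnt <newdir>` (or `mount | grep <newdir>`) confirms the bind is active, and a reboot test confirms the fstab entry works before any scan data is written there.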

Deploying Tenable Security Center on a server configured with RAID disks can also dramatically
boost performance.

Tip: Tenable does not require RAID disks for even our largest customers. However, in one instance,
response times for queries with a faster RAID disk for a customer with more than 1 million managed
vulnerabilities moved from a few seconds to less than a second.

Network Interface Requirements


You can install Tenable Security Center in externally connected or air-gapped environments. For
more information about special considerations for air-gapped environments, see Considerations for
Air-Gapped Environments.

Gigabit or faster network cards are recommended for use on the Tenable Security Center server.
This is to increase the overall performance of web sessions, emails, Tenable Log Correlation Engine
queries, and other network activities.

Cloud Requirements

The primary method to deploy Tenable Security Center in a cloud environment is with Tenable Core
+ Tenable Security Center. For more information, see the Tenable Core User Guide.

However, you can install Tenable Security Center in a vendor-supported version of your cloud
environment that meets the operating system requirements to run Tenable Security Center.

The following guidelines can help you install Tenable Security Center in an Amazon Elastic Compute
Cloud (Amazon EC2) cloud-based environment or an Azure Virtual Machine (Azure Virtual Image)
cloud-based environment, but they do not cover all deployment scenarios or cloud environments.
For assistance with a different cloud environment, contact Tenable Professional Services.

l Supported Amazon EC2 Instance Types

l Supported Amazon Machine Images (AMIs)

l Supported Azure Instance Types

l Supported Azure Machine Images

l Tenable Security Center in Kubernetes Requirements

Supported Amazon EC2 Instance Types


You can install Tenable Security Center in an Amazon Elastic Compute Cloud (Amazon EC2) cloud-
based environment that meets all of the following requirements.

Tenable Security Center uses a balance of networking and compute resources and requires
persistent storage for proper operation. To meet these requirements, Tenable supports installing
Tenable Security Center on M5 instances with General Purpose SSD (gp2) EBS storage.

Tenable recommends the following Amazon EC2 instance types based on your Tenable Security
Center deployment size.

Requirements When Running Basic Network Scans + Local Checks

# of Hosts Managed by      EC2 Instance Type   Disk Space Used for
Tenable Security Center                        Vulnerability Trending

1 to 2,500                 m5.2xlarge          90 days: 125 GB
                                               180 days: 250 GB

2,501 to 10,000            m5.4xlarge          90 days: 450 GB
                                               180 days: 900 GB

10,001 to 25,000           m5.8xlarge          90 days: 1.2 TB
                                               180 days: 2.4 TB

25,001 to 50,000           m5.12xlarge         90 days: 4.5 TB
                                               180 days: 9 TB

50,001 or more             For assistance with large enterprise deployments greater than
                           50,000 active IP addresses, contact your Tenable representative.

Requirements When Running Basic Network Scans + Local Checks + 1 Configuration Audit

# of Hosts Managed by      EC2 Instance Type   Disk Space Used for
Tenable Security Center                        Vulnerability Trending

1 to 2,500                 m5.4xlarge          90 days: 225 GB
                                               180 days: 450 GB

2,501 to 10,000            m5.8xlarge          90 days: 900 GB
                                               180 days: 1.8 TB

10,001 to 25,000           m5.8xlarge          90 days: 2.25 TB
                                               180 days: 4.5 TB

25,001 to 50,000           m5.12xlarge         90 days: 9 TB
                                               180 days: 18 TB

50,001 or more             For assistance with large enterprise deployments greater than
                           50,000 active IP addresses, contact your Tenable representative.

Supported Amazon Machine Images (AMIs)

Tenable provides an AMI for Tenable Core, but not for other cloud deployments without Tenable
Core. Tenable supports using the following Amazon Marketplace AMI for Tenable Security Center
without Tenable Core:

AMI: CentOS 7 (x86_64) - with Updates HVM

Required Configuration Changes:

l This AMI does not include Java, but Tenable Security Center requires OpenJDK or the Oracle
Java JRE to export PDF reports.

You must install OpenJDK or the Oracle Java JRE onto your AMI before hosting Tenable Security
Center. For more information, see Dependencies.

l This AMI configures an SELinux enforcing mode policy, which requires customization to be
compatible with Tenable Security Center.

You must use the SELinux sealert tool to identify errors and solutions. For more information,
see Customize SELinux Enforcing Mode Policies for Tenable Security Center.

l You must confirm this AMI meets all other standard requirements for operating systems. For
more information, see Operating System Requirements.

Supported Azure Instance Types


You can install Tenable Security Center in an Azure Virtual Machine (Azure Virtual Image) cloud-
based environment that meets all of the following requirements.

Tenable recommends the following virtual machine instance types based on your Tenable Security
Center deployment size. You may need to increase the storage allocated to the virtual machine
instance depending on usage.

Requirements When Running Basic Network Scans + Local Checks

# of Hosts Managed by      Virtual Machine Instance   Disk Space Used for
Tenable Security Center                               Vulnerability Trending

1 to 2,500                 D3V2                       90 days: 125 GB
                                                      180 days: 250 GB

2,501 to 10,000            D4V2                       90 days: 450 GB
                                                      180 days: 900 GB

10,001 to 25,000           F16                        90 days: 1.2 TB
                                                      180 days: 2.4 TB

25,001 to 50,000           F32SV2                     90 days: 4.5 TB
                                                      180 days: 9 TB

50,001 or more             For assistance with large enterprise deployments greater than
                           50,000 active IP addresses, contact your Tenable representative.

Requirements When Running Basic Network Scans + Local Checks + 1 Configuration Audit

# of Hosts Managed by      Virtual Machine Instance   Disk Space Used for
Tenable Security Center                               Vulnerability Trending

1 to 2,500                 D3V2                       90 days: 125 GB
                                                      180 days: 250 GB

2,501 to 10,000            D4V2                       90 days: 900 GB
                                                      180 days: 1.8 TB

10,001 to 25,000           F16                        90 days: 2.25 TB
                                                      180 days: 4.5 TB

25,001 to 50,000           D32SV3                     90 days: 9 TB
                                                      180 days: 18 TB

50,001 or more             For assistance with large enterprise deployments greater than
                           50,000 active IP addresses, contact your Tenable representative.

Supported Azure Machine Images

Tenable provides an Azure image for Tenable Core, but not for other cloud deployments without
Tenable Core. Tenable supports using the following Azure image for Tenable Security Center:

Azure Image: CIS CentOS Linux 7 Benchmark L1

Required Configuration Changes:

l This image does not include Java, but Tenable Security Center requires OpenJDK or the Oracle
Java JRE to export PDF reports.

You must install OpenJDK or the Oracle Java JRE onto your image before hosting Tenable Security
Center. For more information, see Dependencies.

l This image configures an SELinux enforcing mode policy, which requires customization to be
compatible with Tenable Security Center.

You must use the SELinux sealert tool to identify errors and solutions. For more information,
see Customize SELinux Enforcing Mode Policies for Tenable Security Center.

l You must confirm this image meets all other standard requirements for operating systems. For
more information, see Operating System Requirements.

Tenable Security Center in Kubernetes Requirements


Note: Tenable recommends using an empty Kubernetes cluster for Tenable Security Center deployments.
These requirements assume that the Kubernetes cluster where you install Tenable Security Center has
nothing else installed.

Tenable strongly recommends using high-performance disks when you deploy Tenable Security
Center in a Kubernetes cluster. Tenable Security Center is a disk-intensive application and using
disks with high read/write speeds (for example, SSDs or NVMe SSDs) results in the best
performance. The requirements in the following tables are based on AWS M5 or better processor
specifications. Using slower processors, like those found in AWS M5a instances, will impact
performance for your Tenable Security Center in Kubernetes deployment.

For supported Kubernetes environments and installation instructions, see Tenable Security Center
in Kubernetes.

Requirements When Running Basic Network Scans + Local Checks

# of Hosts Managed by           CPU        Memory     Disk Space Used for
Tenable Security Center                               Vulnerability Trending

1 to 2,500 active IPs           8000 m     32 GiB     90 days: 125 GB
                                                      180 days: 250 GB

2,501 to 10,000 active IPs      16000 m    64 GiB     90 days: 450 GB
                                                      180 days: 900 GB

10,001 to 25,000 active IPs     32000 m    128 GiB    90 days: 1.2 TB
                                                      180 days: 2.4 TB

25,001 to 50,000 active IPs     48000 m    192 GiB    90 days: 4.5 TB
                                                      180 days: 9 TB

Requirements When Running Basic Network Scans + Local Checks + 1 Configuration Audit

# of Hosts Managed by           CPU        Memory     Disk Space Used for
Tenable Security Center                               Vulnerability Trending

1 to 2,500 active IPs           16000 m    64 GiB     90 days: 225 GB
                                                      180 days: 450 GB

2,501 to 10,000 active IPs      32000 m    128 GiB    90 days: 900 GB
                                                      180 days: 1.8 TB

10,001 to 25,000 active IPs     32000 m    128 GiB    90 days: 2.25 TB
                                                      180 days: 4.5 TB

25,001 to 50,000 active IPs     48000 m    192 GiB    90 days: 9 TB
                                                      180 days: 18 TB

System Requirements

l Operating System Requirements

l SELinux Requirements

l Secure Environment Requirements

l Dependencies

l Tenable Security Center Communications and Directories

Operating System Requirements


This version of Tenable Security Center is available for:

l Red Hat Enterprise Linux 7 (RHEL 7), 64-bit

l Red Hat Enterprise Linux 8 (RHEL 8), 64-bit

l Red Hat Enterprise Linux 9 (RHEL 9), 64-bit

l CentOS 7, 64-bit

l CentOS Stream 9, 64-bit

l Oracle Linux 8, 64-bit

l Oracle Linux 9, 64-bit

SELinux Requirements
Tenable Security Center supports disabled, permissive, and enforcing mode Security-Enhanced
Linux (SELinux) policy configurations.

l Disabled and permissive mode policies typically do not require customization to interact with
Tenable Security Center.

l Enforcing mode policies require customization to interact with Tenable Security Center. For
more information, see Customize SELinux Enforcing Mode Policies for Tenable Security
Center.

Note: Tenable recommends testing your SELinux configurations before deploying on a live network.

Secure Environment Requirements

Tenable recommends adhering to security best practices, including:

l Configure the operating system to ensure that security controls cannot be bypassed.

l Configure the network to ensure that the Tenable Security Center system resides in a secure
network segment that is not accessible from the Internet.

l Configure network time synchronization to ensure that accurate time stamps are recorded in
reports and log files.

Note: The time zone is set automatically during the installation process with no user interaction. The
time zone configured in php.ini must be synchronized with the system time zone in
/etc/sysconfig/clock.

l Configure access control to ensure that only authorized users have access to the operating
system platform.

l Monitor system resources to ensure that adequate disk space and memory are available, as
described in Hardware Requirements. If system resources are exhausted, Tenable Security
Center may not log audit data during system administrator troubleshooting or other activities.
For more information about troubleshooting resource exhaustion, see General Tenable
Security Center Troubleshooting.

For information about secure administration of a Red Hat installation, see the Red Hat Enterprise
Linux Security Guide for your version.

Note: As with any application, the security and reliability of the installation is dependent on the
environment that supports it. It is strongly recommended that organizations deploying Tenable Security
Center have an established and applied IT management policy that covers system administration integrity,
resource monitoring, physical security, and disaster recovery.

Dependencies
Note: Either OpenJDK or the Oracle Java JRE, along with its accompanying dependencies, must be
installed on the system, and any additional Java installations must be removed, for reporting to
function properly.

Note: If you are running Tenable Security Center 5.20.0, you must upgrade pyTenable to version 1.4.2 or
later.

Note: Tenable does not recommend forcing the installation without all required dependencies. If your
version of Red Hat or CentOS is missing certain dependencies, it will cause problems that are not readily
apparent with a wide variety of functions. Tenable Support has observed different types of failure modes
for Tenable Security Center when dependencies are missing.

Note: To run Tenable Security Center 6.0.0, you must install binutils and initscripts. If you try to migrate
from an earlier version of Tenable Security Center to Tenable Security Center 6.0.0 on a system that does
not have binutils or initscripts installed, the migration will fail.

All dependencies must be installed on the system prior to installing the Tenable Security Center
package. While they are not all required by the installation RPM file, some functionality of Tenable
Security Center may not work properly if the packages are not installed.

Note: Tenable recommends using the latest stable production version of each package.

For a list of required packages, run the following command against the Tenable Security Center
RPM file:

# yum deplist SecurityCenter-x.x.x-el6.x86_64.rpm

- or -

# dnf deplist SecurityCenter-x.x.x-el8.x86_64.rpm

To determine which version of a dependency is installed on your system, run the following
command for each of the packages (replace “libtool” with the appropriate package):

# yum list installed | grep libtool

- or -

# dnf list installed | grep libtool

If one of the prerequisite packages is missing, it can be installed using the “yum” or “dnf” package
managers. For example, install Java 1.8.0 with “yum” using the command below:

# yum -y install java-1.8.0-openjdk.x86_64

Tenable Security Center Communications and Directories
The following table summarizes the components’ primary directories and communication methods.

Note: Tenable Security Center does not support using symbolic links for /opt/sc/. You can use symbolic
links within /opt/sc/ subdirectories if instructed by Tenable Security Center documentation or Tenable
Support.

Tenable Security Center Directories

Installation Directory     /opt/sc

User Data                  /opt/sc/orgs/<Organization Serial Number>

Repositories               /opt/sc/repositories/<Repository Number>

Admin Logs                 /opt/sc/admin/logs/

Organization Logs          /opt/sc/orgs/<Organization Number>/logs/

Communication Interfaces   l User Access — HTTPS

                           l Feed Updates — Acquired over SSL from Tenable servers directly
                           to Tenable Security Center or for offline installation. Plugin
                           packages are secured via 4096-bit RSA digital signatures.

For more information, see Port Requirements.

For information about data encryption in Tenable Security Center, see Encryption Strength.

Customize SELinux Enforcing Mode Policies for Tenable Security Center


Security-Enhanced Linux (SELinux) enforcing mode policies require customization to interact with
Tenable Security Center.

Tenable Support does not assist with customizing SELinux policies, but Tenable recommends
monitoring your SELinux logs to identify errors and solutions for your policy configuration.

Before you begin:

l Install the SELinux sealert tool in a test environment that resembles your production
environment.

To monitor your SELinux logs to identify errors and solutions:

1. Run the sealert tool, where /var/log/audit/audit.log is the location of your SELinux
audit log:

sealert -a /var/log/audit/audit.log

The tool runs and generates a summary of error alerts and solutions. For example:

SELinux is preventing /usr/sbin/sshd from write access on the sock_file /dev/log

SELinux is preventing /usr/libexec/postfix/pickup from using the rlimitinh access on a process.

2. Execute the recommended solution for each error alert.

3. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

Tenable Security Center restarts.

4. Run the sealert tool again to confirm you resolved the error alerts.
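The confirmation in step 4 can be made mechanical by comparing the summaries sealert prints before and after you apply the solutions and restart. The script below is an added example, not part of this guide and not a Tenable tool; its sample runs are constructed from the two summaries quoted above.

```python
"""Compare two sealert runs to confirm that SELinux denials were resolved.

Added example; it is not part of the Tenable guide and not a Tenable tool.
It parses the one-line summaries that `sealert -a /var/log/audit/audit.log`
prints for each alert and reports which denials remain after you apply the
recommended solutions and restart Tenable Security Center (step 4 above).
"""
import re
from collections import namedtuple

# source = the denied process, access = the permission, tclass = the object
# class, target = the object path (None when sealert names only a class).
Denial = namedtuple("Denial", "source access tclass target")

# The two summary shapes sealert prints (both quoted in the guide above):
#   SELinux is preventing /usr/sbin/sshd from write access on the sock_file /dev/log
#   SELinux is preventing /usr/libexec/postfix/pickup from using the rlimitinh access on a process.
SUMMARY_RE = re.compile(
    r"^SELinux is preventing (?P<source>\S+) from "
    r"(?:(?P<access>\S+) access on the (?P<tclass>\S+) (?P<target>\S+?)"
    r"|using the (?P<access2>\S+) access on a (?P<tclass2>\w+))\.?$"
)


def parse_sealert(text):
    """Return the distinct denials summarized in sealert's output, in order."""
    denials = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue  # explanation text, plugin suggestions, separators
        if m.group("access"):
            d = Denial(m.group("source"), m.group("access"),
                       m.group("tclass"), m.group("target"))
        else:
            d = Denial(m.group("source"), m.group("access2"),
                       m.group("tclass2"), None)
        if d not in denials:  # sealert repeats a summary per occurrence
            denials.append(d)
    return denials


def remaining_denials(before_text, after_text):
    """Denials from the first run that the second run still reports."""
    after = set(parse_sealert(after_text))
    return [d for d in parse_sealert(before_text) if d in after]


def new_denials(before_text, after_text):
    """Denials that only appear in the second run (a code path the first run
    never exercised, or a policy change that broke something else)."""
    before = set(parse_sealert(before_text))
    return [d for d in parse_sealert(after_text) if d not in before]


# Constructed sample runs, modelled on the output quoted above; the starred
# line stands in for the explanations sealert prints between summaries.
BEFORE = """\
SELinux is preventing /usr/sbin/sshd from write access on the sock_file /dev/log
*****  Plugin catchall (100. confidence) suggests   **************************
SELinux is preventing /usr/libexec/postfix/pickup from using the rlimitinh access on a process.
SELinux is preventing /usr/sbin/sshd from write access on the sock_file /dev/log
"""
AFTER = """\
SELinux is preventing /usr/libexec/postfix/pickup from using the rlimitinh access on a process.
"""

if __name__ == "__main__":
    for d in remaining_denials(BEFORE, AFTER):
        print("still denied:", d)
    for d in new_denials(BEFORE, AFTER):
        print("new denial:", d)
```

Run sealert once before step 2 and once after step 3, save both outputs, and feed them in as BEFORE and AFTER; an empty "still denied" list is the confirmation step 4 asks for.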

Use /dev/random for Random Number Data Generation

Required User Role: Root user

If your organization requires Tenable Security Center to use /dev/random instead of
/dev/urandom to generate random number data for secure communication functions, modify the
random data source using an environment variable.

Unlike /dev/urandom, /dev/random blocks HTTPS and SSL/TLS functions if there is not enough
entropy to perform the functions. The functions resume after the system generates enough
entropy.

Note: If /dev/random blocks during an installation or upgrade, the system waits up to 10 minutes for more
entropy to be generated before halting the operation.

Tenable does not recommend using /dev/random unless required by your organization.

To use /dev/random for random number data generation in Tenable Security Center:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. In the CLI in Tenable Security Center, run the following command:

export TSC_ENTROPY_CHECK=true

Tenable Security Center recognizes the environment variable and uses /dev/random.

What to do next:
l Install or upgrade Tenable Security Center in order for your changes to take effect, as
described in Install Tenable Security Center or Upgrade Tenable Security Center.

Tenable Security Center Database Journaling Modes


By default, Tenable Security Center databases that can significantly impact performance use write-
ahead logging (WAL) journaling mode. All other databases use DELETE mode. Tenable Security
Center also supports converting WAL journaling mode databases to DELETE mode.

For Tenable Security Center installations where WAL is not enabled, enabling WAL may resolve
issues with excessive database locks. If your Tenable Security Center does not experience database
locking issues, Tenable recommends leaving your Tenable Security Center databases in the default
journaling mode.

Tenable strongly recommends performing a backup before converting database journaling modes
and performing regular backups after converting database journaling modes. For more information,
see Backup and Restore.

For general information about SQLite3 database journaling modes, see the SQLite3 documentation.

For more information, see:

l Enable Write-Ahead Logging

l Disable Write-Ahead Logging

Note: If you previously converted one or more Tenable Security Center databases to WAL journaling mode
without using the convertDatabaseMode.php script, you must use the convertDatabaseMode.php
script to ensure your Tenable Security Center databases are fully converted to WAL journaling mode.

WAL Requirements
In addition to the requirements to run Tenable Security Center, your Tenable Security Center
installation must be running Tenable Security Center 5.19.x or later.

Databases Affected
Enabling or disabling WAL converts the database journaling mode for the following Tenable Security
Center databases:

l /opt/sc/application.db

l /opt/sc/hosts.db

l /opt/sc/jobqueue.db

l /opt/sc/plugins.db

l /opt/sc/remediationHierarchy.db

l /opt/sc/orgs/<orgID>/organization.db (for each organization in your Tenable Security
Center)

l /opt/sc/orgs/<orgID>/assets.db (for each organization in your Tenable Security Center)

The convertDatabaseMode.php script only converts the database journaling mode for Tenable
Security Center databases that can significantly impact performance.

Enable Write-Ahead Logging

Required User Role: Root user

Note: This topic assumes a basic understanding of Linux.

You can use the convertDatabaseMode.php script to enable write-ahead logging (WAL) journaling
mode for Tenable Security Center databases. Enabling WAL may resolve issues with excessive
database locks. If your Tenable Security Center does not experience database locking issues,
Tenable recommends leaving your Tenable Security Center databases in the default DELETE
journaling mode.

For more information, see Tenable Security Center Database Journaling Modes.

Before you begin:
l Confirm your Tenable Security Center installation meets the requirements to enable WAL. For
more information, see WAL Requirements.

l Perform a backup of Tenable Security Center, as described in Perform a Backup.

To enable WAL:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

3. In the CLI in Tenable Security Center, run the following command to start the
convertDatabaseMode.php script:

/opt/sc/support/bin/php /opt/sc/src/tools/convertDatabaseMode.php -m WAL

The script runs.

4. If the script detects any running tns user processes, repeat the following steps for each tns
user process detected:

a. Follow the prompts in the error output to halt the tns user process.

Example error output:

Error! The Tenable Security Center process with PID '10135' is still running
and needs to be halted before this script can be executed successfully.
Command: /opt/sc/support/bin/php -f /opt/sc/daemons/Jobd.php
Bailing with 146.

b. Run the following command to restart the convertDatabaseMode.php script:

/opt/sc/support/bin/php /opt/sc/src/tools/convertDatabaseMode.php -m WAL

The script restarts.

Tenable Security Center converts supported databases to WAL journaling mode. For more
information, see Databases Affected.

5. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

What to do next:
l Perform regular backups of Tenable Security Center, as described in Perform a Backup.

Disable Write-Ahead Logging

Required User Role: Root user

Note: This topic assumes a basic understanding of Linux.

If you experience issues with write-ahead logging (WAL), disable WAL by reverting your Tenable
Security Center databases to DELETE journaling mode. For more information, see Tenable Security
Center Database Journaling Modes.

Before you begin:

l Perform a backup of Tenable Security Center, as described in Perform a Backup.

To disable WAL:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

3. In the CLI in Tenable Security Center, run the following command to start the
convertDatabaseMode.php script:

/opt/sc/support/bin/php /opt/sc/src/tools/convertDatabaseMode.php -m DELETE

The script runs.

4. If the script detects any running tns user processes, repeat the following steps for each tns
user process detected:

a. Follow the prompts in the error output to halt the tns user process.

Example error output:

Error! The Tenable Security Center process with PID '10135' is still running
and needs to be halted before this script can be executed successfully.
Command: /opt/sc/support/bin/php -f /opt/sc/daemons/Jobd.php
Bailing with 146.

b. Run the following command to restart the convertDatabaseMode.php script:

/opt/sc/support/bin/php /opt/sc/src/tools/convertDatabaseMode.php -m DELETE

The script restarts.

Tenable Security Center converts supported databases to DELETE journaling mode. For more
information, see Databases Affected.

5. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

What to do next:
l Perform regular backups of Tenable Security Center, as described in Perform a Backup.
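For both the Enable WAL and Disable WAL procedures above, the following added example (not Tenable's convertDatabaseMode.php and not code from this guide) performs the equivalent SQLite journal-mode change on a constructed temporary database, takes the backup the guide asks for first, and shows why the conversion must be refused while a tns process still holds a database open.

```python
"""Switch SQLite databases between WAL and DELETE journaling modes.

Added example: not Tenable's convertDatabaseMode.php, but the same
PRAGMA-level change its -m WAL / -m DELETE options make, plus a check of
why the guide has you stop Tenable Security Center and halt tns processes
first. It runs on a constructed temporary database, never on /opt/sc/*.db.
"""
import os
import sqlite3
import tempfile

def journal_mode(path):
    """Return the database's current journal_mode ('delete', 'wal', ...)."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("PRAGMA journal_mode").fetchone()[0].lower()
    finally:
        conn.close()

def backup_database(path, backup_path):
    """Snapshot with SQLite's online backup API (the guide says to back up
    before converting). A plain file copy of a WAL-mode database can miss
    committed pages still sitting in the -wal file; this does not."""
    src, dst = sqlite3.connect(path), sqlite3.connect(backup_path)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()
    return backup_path

def convert_journal_mode(path, mode):
    """Change one database to 'WAL' or 'DELETE' and return the new mode.
    Raises RuntimeError when another connection still has the file open
    (what the Tenable script reports as a running tns process): SQLite will
    not switch out of WAL unless it can lock the file exclusively."""
    mode = mode.upper()
    if mode not in ("WAL", "DELETE"):
        raise ValueError("mode must be WAL or DELETE")
    if not os.path.exists(path):
        raise RuntimeError(f"{path}: missing (connect() would create an empty one)")
    # timeout=0: fail at once rather than wait on a busy database;
    # isolation_level=None: no implicit transaction, which the PRAGMA forbids.
    conn = sqlite3.connect(path, timeout=0, isolation_level=None)
    try:
        if mode == "DELETE":
            # Fold the write-ahead log back into the main file first so no
            # committed data is stranded when the -wal file goes away.
            conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
        try:
            new_mode = conn.execute(f"PRAGMA journal_mode={mode}").fetchone()[0]
        except sqlite3.OperationalError as exc:
            raise RuntimeError(f"{path}: {exc}") from exc
    finally:
        conn.close()
    if new_mode.lower() != mode.lower():
        raise RuntimeError(f"{path}: journal_mode is {new_mode}, wanted {mode}")
    return new_mode.lower()

def make_sample_database(directory):
    """Create a small constructed database standing in for /opt/sc/hosts.db."""
    path = os.path.join(directory, "hosts.db")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE hosts (ip TEXT PRIMARY KEY, repo INTEGER)")
        conn.executemany("INSERT INTO hosts VALUES (?, ?)",
                         [("10.0.0.1", 1), ("10.0.0.2", 1), ("10.0.0.3", 2)])
    conn.close()
    return path

def run_demo():
    """Round-trip a sample database and record each step's outcome."""
    tmp = tempfile.mkdtemp()
    db = make_sample_database(tmp)
    backup_database(db, db + ".bak")
    out = {"start": journal_mode(db), "to_wal": convert_journal_mode(db, "WAL")}
    # Stand-in for a tns-owned daemon that still has the database open and
    # is mid-write: switching back to DELETE must be refused, not forced.
    holder = sqlite3.connect(db)
    holder.execute("INSERT INTO hosts VALUES ('10.0.0.4', 2)")
    try:
        convert_journal_mode(db, "DELETE")
        out["while_open"] = "converted"
    except RuntimeError:
        out["while_open"] = "refused"
    holder.rollback()
    holder.close()
    out["to_delete"] = convert_journal_mode(db, "DELETE")
    out["wal_file_left"] = os.path.exists(db + "-wal")
    try:
        convert_journal_mode(os.path.join(tmp, "orgs", "<orgID>", "assets.db"), "WAL")
        out["missing_db"] = "converted"
    except RuntimeError:
        out["missing_db"] = "refused"
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```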

License Requirements
This topic breaks down the licensing process for Tenable Security Center as a standalone product.
It also explains how assets are counted, lists add-on components you can purchase, and describes
what happens during license overages or expirations.

Tenable Security Center Versions


Tenable Security Center has two versions:

l Tenable Security Center — Includes Tenable Nessus Network Monitor in discovery mode and
unlimited Tenable Nessus scanners.

l Tenable Security Center+ — Includes all of the above plus Tenable Nessus Network Monitor
with vulnerability detection and metrics such as Asset Exposure Score (AES) and Asset
Criticality Rating (ACR).

Tenable Security Center Director is available for both versions. Tenable Security Center Director is
an add-on with which you can manage multiple Tenable Security Center instances from one
location. For more information, see the Tenable Security Center Director User Guide.

Note: You cannot upgrade a Tenable Security Center license to a Tenable Security Center
Director license or downgrade a Tenable Security Center Director license to a Tenable
Security Center license.

Licensing Tenable Security Center


To use any version of Tenable Security Center, you purchase licenses based on your organizational
needs and environmental details. Tenable Security Center assigns those licenses to your assets,
which are assessed hosts from Tenable Cloud Security or imported from other Tenable products.

When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.

Note: Tenable offers simplified pricing to managed security service providers (MSSPs). To learn more,
contact your Tenable representative.

How Assets are Counted


Tenable Security Center licenses are valid for specific hosts and a maximum number of active
assets identified by IP address or UUID. Assets count towards your license depending on how
Tenable Security Center discovers them. In general, assets do not count unless they have been
assessed for vulnerabilities.

For example, if you purchase a 500 asset license, you can perform host discovery on your network,
but you cannot assess more than 500 assets. For more information about discovery and
assessment scanning, see Scanning Overview in the Tenable Security Center User Guide.

The following table explains when assets count towards your license.

Counted Towards Your License

l IP addresses from active scans.

l IP addresses from Log Correlation Engine instances.

l IP addresses from Tenable Nessus Network Monitor instances not in discovery mode.

l UUIDs from OT Security instances.

l IP addresses in offline repositories that you downloaded using the same Tenable Security
Center instance or license.

Note: A single IP address or UUID counts once toward your license, even if it was scanned via
multiple methods or stored in multiple repositories.

Note: If you use an alternative port scanner, Tenable Security Center counts the detected IP
addresses against your license.

Not Counted Towards Your License

l IP addresses present only from imports to offline repositories.

l IP addresses present only from Tenable Nessus Network Monitor instances in discovery mode.

l IP addresses in offline repositories that you downloaded using the same Tenable Security
Center instance with a different license.

l IP addresses in offline repositories that you downloaded using a different Tenable Security
Center instance and license.

l In the latest versions of Tenable Security Center and Tenable Security Center Director, the
following excluded plugins:

Tenable Nessus — 10180, 10287, 10335, 11219, 11933, 11936, 12053, 14272, 14274, 19506, 22964,
33812, 33813, 34220, 34277, 45590, 54615, 87413, 112154, 161455, and 179042.

Tenable Nessus Network Monitor — 0, 12, 18, 19, 20, 113, and 132.

Tenable Log Correlation Engine — 800000 through 800099.

Tenable Security Center Components


You can customize Tenable Security Center for your use case by adding components. Some
components are add-ons that you purchase.

Version: Tenable Security Center

Included with Purchase:

l One console (or more with additional IP addresses).

l Tenable Nessus Network Monitor in discovery mode.

l Tenable Nessus scanners.

l (Subscription-only) The same number of on-premises Tenable Nessus Agents as your licensed
assets, provided on request.

l Vulnerability Priority Rating (VPR).

Add-on Components:

l Cloud Tenable Nessus Agents.

l Tenable Nessus Network Monitors in high-performance mode.

l (Subscription-only) Additional consoles.

l (Subscription-only) Security Center Lab License.

l (Subscription-only) Tenable Lumin connector.

l Tenable Web App Scanning, to scan web applications with a Tenable Nessus scanner in Tenable
Security Center. Scan up to your number of licensed fully qualified domain names (FQDNs). For
more information, see Web App Scans in the Tenable Security Center User Guide.

Note: Tenable Security Center does not support web application scans in offline and air-gapped
deployments.

Note: If you already have a Tenable Security Center license and you upgrade to Tenable Security
Center version 6.2.x or later, there are two ways to enable web application scans. Either update
your Tenable Web App Scanning plugins manually in Tenable Security Center or wait for the nightly
plugin update to run.

l (Subscription-only) Tenable Security Center Director.

l (Perpetual-only) On-Premises Tenable Nessus Agents, which Perpetual customers must purchase
separately.

l Tenable Attack Surface Management.

l Tenable Lumin, if you want to view your data in Tenable Vulnerability Management.

Tip: Synchronized assets that count toward your Tenable Security Center license also count toward
your Tenable Vulnerability Management license.

l Log Correlation Engine.

Note: Tenable no longer supports Log Correlation Engine and will deprecate it at the end of 2024.

Version: Tenable Security Center+

Included with Purchase:

l One console (or more with additional IP addresses).

l Tenable Nessus Network Monitor in discovery mode.

l Tenable Nessus Network Monitors with vulnerability detection.

l Tenable Nessus scanners.

l Asset Exposure Score (AES).

l Asset Criticality Rating (ACR).

l Vulnerability Priority Rating (VPR).

l (Subscription-only) The same number of on-premises Tenable Nessus Agents as your licensed
assets, provided on request.

Add-on Components:

The same add-on components listed for Tenable Security Center above, including the same notes
on Tenable Web App Scanning, Tenable Lumin, and Log Correlation Engine.

Reclaiming Licenses
Tenable Security Center's license count updates when you delete a repository, run a license report,
or upload a new license. If you set assets to age out, they are removed during nightly cleanup. If you
configure your scan settings to remove unresponsive hosts, they are removed at scan import.

For more information, see License Count in the Tenable Security Center Best Practices Guide.

Exceeding the License Limit

To allow for usage spikes due to hardware refreshes, sudden environment growth, or unanticipated
threats, you can temporarily exceed your licensed IP address count by 10%. If you exceed this
number, Tenable Security Center is disabled.

Tenable Security Center generates a warning in the user interface when you approach or exceed
the license limit. To monitor your license limit, use the Licensing Status widget, as described in
Overview Dashboard. To upgrade your license, contact your Tenable representative.

Expired Licenses
The Tenable Security Center licenses you purchase are valid for the length of your contract. Thirty
days before your license expires, a warning appears in the user interface. During this renewal
period, work with your Tenable representative to add or remove products or change your license count.

After your license expires, your Tenable products and components are affected as follows:

l Tenable Security Center Console (Perpetual license) — The software remains fully functional.
All user data is accessible.

l Tenable Security Center Console (Subscription license) — To access the console, you must
enter a new license key. Once you enter a new license key, normal operation resumes.

l Tenable Nessus (Perpetual license) — When your maintenance period expires, plugin updates
are no longer available. After 90 days, Tenable Nessus stops working and you cannot perform
new scans. Because Tenable Security Center stops receiving feeds, the Tenable Nessus
scanners managed by Tenable Security Center no longer receive updates and also stop
working.

l Tenable Nessus Network Monitor (Perpetual license) — After 30 days with no updates, new
data is no longer processed.

l Tenable Log Correlation Engine — On the day of license expiration, new logs are no longer
processed.

Working with License Keys


The following sections explain how to work with Tenable license keys and link to additional details.

Get a Tenable Security Center License Key

To get a Tenable Security Center license key, enter the hostname of the installation machine in a
form on the Tenable Community site, as described in the Tenable Community Guide. You can also
email the key to licenses@tenable.com. In both cases, you receive a Tenable Security Center
license key to use when activating your products.

Tip: To obtain the hostname of the installation machine, in a system shell prompt, type
hostname.

Add or Update a Tenable Security Center License Key


In most cases, adding a license key to Tenable Security Center or its attached products requires the
Tenable Security Center console to contact a product registration server. The server connection is
encrypted, as described in Encryption Strength.

Tip: To learn which Tenable sites to allow through your firewall, see the Tenable Knowledge
Base.

Note: For instructions to use in offline or air-gapped environments, see Offline Plugin and Feed
Updates for Tenable Security Center.

See the following topics for instructions to upload a new license key or update an existing one:

l Quick Setup — Upload a new Tenable Security Center license and add activation codes for any
attached products.

l Apply a New License — Upload a new license for attached Tenable products only.

l Update an Existing License — Update an existing Tenable Security Center license or existing
attached Tenable product licenses.

Apply a New License

Required User Role: Administrator

To apply a license for an additional Tenable product, add the license activation code. To update a
license for an existing Tenable product, see Update an Existing License.

For general information about licensing, see License Requirements. For information about adding a
license during quick setup, see Quick Setup.

To download Tenable Security Center, see the Tenable Security Center downloads page.

To apply a new Tenable Nessus, Tenable Nessus Network Monitor, or Log Correlation Engine
license:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the License tile.

The License Configuration page appears.

4. Click the product box for the license you want to apply.

5. In the box, type the activation code for the product.

6. Click Register.

Tenable Security Center updates the page to reflect the activation code status:

l Valid Code: A green box with a check mark.

l Invalid Code: A red box with an X.

If the code is valid, Tenable Security Center initiates a plugin download.

Update an Existing License

Required User Role: Administrator

Tip: Tenable rebranded Tenable Security Center Continuous View as Tenable Security Center+.

If you need to replace your Tenable Security Center or Tenable Security Center+ license or the
license activation code for your Tenable Nessus, Tenable Nessus Network Monitor, or Tenable Log
Correlation Engine license, update the license.

To apply a new license for another Tenable product for the first time, see Apply a New License.

You can update your Tenable Security Center license in an externally connected or air-gapped
environment. Tenable Security Center requires an internet connection to validate product licenses
for Tenable Nessus, Tenable Nessus Network Monitor, or Log Correlation Engine.

For instructions on how to install a Tenable Security Center patch, see Install a Tenable Security
Center Patch.

To download Tenable Security Center, see the Tenable Security Center Downloads page.

For general information about licensing, see License Requirements.

To update a license:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the License tile.

The License Configuration page appears.

4. To replace your Tenable Security Center license, in the Tenable Security Center License
section:

a. Click Update License.

b. Click Choose File and browse to the license file you want to upload.

Tenable Security Center applies the new license.

5. To replace an activation code for an integrated product license, in the Activation Codes
section:

a. Click the green check mark.

b. Click Reset Activation Code.

c. In the box, paste your product license activation code.

d. Click Register.

Tenable Security Center communicates with the Tenable product registration server to
validate your license activation code.

If the code is valid, Tenable Security Center applies the new license and initiates a
plugin download.

Port Requirements

Tenable Security Center port requirements include Tenable Security Center-specific and
application-specific requirements.

l Tenable Security Center

l Tenable Nessus Scanner

l Tenable Nessus Agent

l Tenable Nessus Network Monitor

l Tenable Log Correlation Engine

Tenable Security Center


Your Tenable Security Center instances require access to specific ports for inbound and outbound
traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port      Traffic

TCP 22    Performing remote repository synchronization with another Tenable Security
          Center.

TCP 443   Accessing the Tenable Security Center interface.

          Communicating with Tenable Security Center Director instances.

          Communicating with OT Security instances.

          Performing the initial key push for remote repository synchronization with another
          Tenable Security Center.

          Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port      Traffic

TCP 22    Communicating with Log Correlation Engine for event query.

TCP 25    Sending SMTP email notifications.

TCP 443   Communicating with Tenable Lumin for synchronization.

          Communicating with the plugins.nessus.org server for plugin updates.

TCP 1243  Communicating with Tenable Log Correlation Engine.

TCP 8834  Communicating with Tenable Nessus.

TCP 8835  Communicating with Tenable Nessus Network Monitor.

UDP 53    Performing DNS resolution.

Tenable Nessus Scanner


Your Tenable Nessus instances require access to specific ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port      Traffic

TCP 8834  Accessing the Tenable Nessus interface.

          Communicating with Tenable Security Center.

          Interacting with the API.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port      Traffic

TCP 25    Sending SMTP email notifications.

TCP 443   Communicating with Tenable Vulnerability Management (sensor.cloud.tenable.com
          or sensor.cloud.tenablecloud.cn).

          Communicating with the plugins.nessus.org server for plugin updates.

UDP 53    Performing DNS resolution.

Tenable Nessus Agent


Your Tenable Nessus Agents require access to specific ports for outbound traffic.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port      Traffic

TCP 443   Communicating with Tenable Vulnerability Management.

TCP 8834  Communicating with Tenable Nessus Manager.

          Note: The default Tenable Nessus Manager port is TCP 8834. However, this port is
          configurable and may be different for your organization.

UDP 53    Performing DNS resolution.

Tenable Nessus Network Monitor


Your Tenable Nessus Network Monitor instances require access to specific ports for inbound and
outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port      Traffic

TCP 8835  Accessing the Tenable Nessus Network Monitor interface.

          Communicating with Tenable Security Center.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port      Traffic

TCP 443   Communicating with Tenable Vulnerability Management (sensor.cloud.tenable.com
          or sensor.cloud.tenablecloud.cn).

          Communicating with the plugins.nessus.org server for plugin updates.

TCP 601   Communications for reliable TCP syslog forwarding.

UDP 53    Performing DNS resolution.

UDP 514   Communications for UDP syslog forwarding.

Tenable Log Correlation Engine


Your Log Correlation Engine and Log Correlation Engine client instances require access to specific
ports for inbound and outbound traffic.

Inbound Traffic

You must allow inbound traffic to the following ports.

Port        Traffic

Log Correlation Engine

TCP 22      Communicating with Tenable Security Center for Log Correlation Engine event
            query.

TCP 601     Communications for reliable TCP syslog forwarding.

TCP 1243    Communicating with Tenable Security Center for Log Correlation Engine event
            vulnerability import.

TCP 8836    Accessing the Log Correlation Engine interface.

TCP 31300   Communicating with Log Correlation Engine clients.

UDP 162     Communicating with SNMP server for receiving SNMP traps.

UDP 514     Communications for UDP syslog forwarding.

Log Correlation Engine Client

TCP 1468    Communications between network devices and the Tenable Network Monitor.

TCP 9800    Communications between Splunk and the Log Correlation Engine Splunk Client.

TCP 18185   Communications between Check Point firewalls and the Log Correlation Engine
            OPSEC Client.

UDP 514     Communications between network devices and the Tenable Network Monitor.

UDP 2055    Communications between routers and the Tenable NetFlow Monitor.

Outbound Traffic

You must allow outbound traffic to the following ports.

Port        Traffic

Log Correlation Engine

TCP 25      Sending SMTP email notifications.

TCP 443     Communicating with Tenable Vulnerability Management (sensor.cloud.tenable.com
            or sensor.cloud.tenablecloud.cn).

            Communicating with the plugins.nessus.org server for plugin updates.

TCP 601     Communications for reliable TCP syslog forwarding.

UDP 53      Performing DNS resolution.

UDP 514     Communications for UDP syslog forwarding.

Log Correlation Engine Client

TCP 135     Communicating with the targets of the Log Correlation Engine WMI Monitor Client.

TCP 443     Communicating with the web host of the Log Correlation Engine Web Query Client.

TCP 445     Communicating with the targets of the Log Correlation Engine WMI Monitor Client.

TCP 31300   Communicating with Log Correlation Engine.

Browser Requirements

Note: Tenable recommends using the newest available version of your browser.

You can access the Tenable Security Center user interface using the following browsers:

l Mozilla Firefox 87 or later

l Google Chrome 89 or later

l Mac OS Safari 14.02 or later

l Microsoft Edge 99 or later

l Microsoft Internet Explorer 11 or later

Tip: Tenable Security Center versions 5.22 and later do not support Internet Explorer.

Tenable Integrated Product Compatibility


The versions of Tenable products tested with Tenable Security Center 6.3.x are available in the
release notes. For more information, see the Tenable Security Center Release Notes for your
version.

Large Enterprise Deployments


You may have a number of unique technical and business requirements to consider when planning a
large enterprise deployment of Tenable Security Center. If your organization scans 100,000 or more
IP addresses, consider the information in the Tenable Security Center Large Enterprise Deployment
Guide when planning, configuring, and operationalizing your Tenable Security Center deployment.

Installation and Upgrade


To perform a fresh installation of Tenable Security Center, see Before You Install and Install Tenable
Security Center.

To perform an upgrade of Tenable Security Center, see Before You Upgrade and Upgrade Tenable
Security Center.

To uninstall Tenable Security Center, see Uninstall Tenable Security Center.

Before You Install

Note: A basic understanding of Linux is assumed throughout the installation, upgrade, and removal
processes.

Understand Tenable Security Center Licenses


Confirm your licenses are valid for your Tenable Security Center deployment. Tenable Security
Center does not support an unlicensed demo mode.

For more information, see License Requirements.

Disable Default Web Servers


Tenable Security Center provides its own Apache web server listening on port 443. If the installation
target already has another web server or other service listening on port 443, you must disable that
service on that port or configure Tenable Security Center to use a different port after installation.

Identify which services, if any, are listening on port 443 by running the following command:

# ss -pan | grep ':443 '

If there are any services listening on port 443, you must either disable or run them on a different
port.
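The grep above reports every line containing ':443 ', which also matches outbound connections
whose remote end happens to be port 443. The following POSIX shell check is an added example,
not from the Tenable guide; it parses the column layout of ss -pan (and of ss -tan, which lacks
the Netid column) and reports only sockets in LISTEN state whose local address ends in the
requested port. The ss output it runs against here is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of the Tenable guide. Finds services that are
# actually listening on a local port, using the column layout of `ss -pan`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port Process).

# Constructed sample of `ss -pan` output for offline demonstration.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("httpd",pid=1234,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   ESTAB  0      0      10.0.0.5:51234     203.0.113.9:443   users:(("curl",pid=2222,fd=5))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("httpd",pid=1234,fd=6))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=500,fd=6))'

# Print only sockets in LISTEN state whose local address ends in :PORT.
# Handles both layouts: with a Netid column (ss -pan) and without (ss -tan).
# Matching the local-address column avoids false hits from outbound
# connections whose peer port is 443, which grep ':443 ' would report.
listeners_on_port() {
  awk -v port="$1" '
    {
      if ($1 == "LISTEN")      local = $4
      else if ($2 == "LISTEN") local = $5
      else next
      if (local ~ (":" port "$")) print
    }'
}

# Return 0 when nothing listens on the port, 1 when something does.
port_is_free() {
  [ -z "$(listeners_on_port "$1")" ]
}

# Offline demonstration on the constructed sample. On a live host run:
#   ss -pan | listeners_on_port 443
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listeners_on_port 443
```

On the sample, the two httpd listeners (IPv4 and IPv6) are reported and the ESTAB line to a
remote 203.0.113.9:443 is ignored; port_is_free 443 therefore fails, which is the signal to
stop that service or move Tenable Security Center to another port after installation.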

Modify Security Settings


Tenable Security Center supports disabled, permissive, and enforcing mode Security-Enhanced
Linux (SELinux) policy configurations. For more information, see SELinux Requirements.

Perform Log File Rotation


The installation does not include a log rotate utility; however, the native Linux logrotate tool is
supported post-installation. In most Red Hat environments, logrotate is installed by default. The
following logs are rotated if the logrotate utility is installed:

l All files in /opt/sc/support/logs matching *log

l /opt/sc/admin/logs/sc-error.log

During an install/upgrade, the installer drops a file named SecurityCenter into /etc/logrotate.d/
that contains log rotate rules for the files mentioned above.

Log files are rotated on a monthly basis. This file is owned by root/root.

Allow Tenable Sites


To allow Tenable Security Center to communicate with Tenable servers for product updates and
plugin updates, Tenable recommends adding Tenable sites to an allow list at the perimeter firewall.
For more information, see the knowledge base article.

Install Tenable Security Center

Required User Role: Root user

Note: A basic understanding of Linux is assumed throughout the installation, upgrade, and removal
processes.

Caution: When performing sudo installs, use sudo -i to ensure the proper use of environmental variables.

Caution: During the installation process, Tenable Security Center produces a log file in a temporary
location: /tmp/sc.install.log. Once the installation process finishes, the file is stored here:
/opt/sc/admin/logs/install.log. Do not remove or modify these files; they are important for
debugging in case of a failed installation.

For information about new features, resolved issues, third-party product updates, and supported
upgrade paths, see the release notes for Tenable Security Center 6.3.x.

Note: If your Tenable Security Center will manage more than 10,000 active IPs, you must update the Apache
configuration file after you install and before you use Tenable Security Center.

Before you begin:

l Complete system prerequisites, as described in Before You Install.

l Download the installation RPM file from the Tenable Security Center downloads page. If
necessary, depending on the operating system of the host, move the installation RPM file onto
the host.

l Confirm the integrity of the installation RPM file by comparing the download checksum with
the checksum on the Tenable Security Center downloads page, as described in the knowledge
base article.

l If your organization requires Tenable Security Center to use /dev/random instead of
/dev/urandom to generate random number data for secure communication functions, modify
the random data source as described in Use /dev/random for Random Number Data
Generation.

To install Tenable Security Center:

1. On the host where you want to install Tenable Security Center, open the command line
interface (CLI).

2. Run one of the following commands to install the RPM:

# yum install SecurityCenter-x.x.x-el6.x86_64.rpm

- or -

# dnf install SecurityCenter-x.x.x-el8.x86_64.rpm

Output similar to the following is generated:

# dnf install SecurityCenter-6.x.x-es6.x86_64.rpm


Preparing... ########################################### [100%]
1:SecurityCenter ########################################### [100%]
Installing Nessus plugins ... complete
Applying database updates ... complete.
By default, SecurityCenter will listen for HTTPS requests on ALL available
interfaces. To complete your installation, please point your web browser to one of
the following URL(s):
https://x.x.x.x

Starting SecurityCenter services
[ OK ] SecurityCenter services: [ OK ]
#

The system installs the package into /opt/sc and attempts to start all required daemons and
web server services.

Tip: In rare cases, a system restart is required after installation in order to start all services. For
more information, see Start, Stop, or Restart Tenable Security Center.

What to do next:

l If you are scanning more than 10,000 hosts, update the Apache configuration file before using
Tenable Security Center.

Quick Setup
The Tenable Security Center Quick Setup Guide walks through the following configurations:

l License

l Tenable Nessus Scanner

l Tenable Nessus Network Monitor

l Log Correlation Engine

l Repository

l Organization

l LDAP

l User

l Additional Settings

After configuring these items, review and confirm your selections.

License
Upload your Tenable Security Center license and apply additional product licenses.

Tenable Security Center License

1. Click Choose File to upload the Tenable Security Center license file you received from
Tenable.

The file should follow the format:

<CompanyName>_SC<IP Count>-<#>-<#>.key

2. Click Activate.

The page confirms successful upload and activation of a valid license.

Activation Codes

Consider adding additional license activation codes:

l Tenable Security Center license activation code — required before adding any Tenable Nessus
scanners. The Tenable Security Center license activation code allows Tenable Security Center
to download plugins and update Tenable Nessus scanner plugins.

In the Tenable Nessus section, type the Tenable Security Center activation code and click
Register.

l Tenable Nessus Network Monitor license activation code — required before using and
managing attached Tenable Nessus Network Monitor scanners.

In the Tenable Nessus Network Monitor section, type the Tenable Nessus Network Monitor
activation code and click Register.

l Log Correlation Engine Activation Code — required before downloading Log Correlation Engine
Event vulnerability plugins to Tenable Security Center. The Log Correlation Engine Activation
Code allows Tenable Security Center to download event plugins, but it does not manage plugin
updates for Log Correlation Engine servers.

In the Log Correlation Engine section, type the Tenable Log Correlation Engine activation
code and click Register.

Click Next to continue.

A plus (+) sign indicates that no license is applied for the product. A box with an X indicates an
invalid activation code. Click on the plus (+) or X to add or reset a license activation code.

A box with a checkmark indicates a valid license is applied and that Tenable Security Center
initiated a plugin download in the background.

The download may take several minutes and must complete before initiating any Tenable Nessus
scans. After the download completes, the Last Updated date and time update on the Plugins page.

Tenable Nessus Scanner


Configure your first Tenable Nessus scanner. For information about the options you can configure,
see Tenable Nessus Scanners. There are some limitations on the scanner options you can configure
during Quick Start:

l Agent Capable: If you use a Tenable Vulnerability Management or Tenable Nessus Manager
scanner for Tenable Nessus Agent scan imports, do not configure that scanner during the
Quick Start.

l Zones: If you want to grant scan zones access to this scanner, you must configure the Zones
option after the Quick Start.

Tenable Nessus Network Monitor


If you added a Tenable Nessus Network Monitor license activation code, you can configure your
first Tenable Nessus Network Monitor scanner. For information about the options you can
configure, see Tenable Nessus Network Monitor Instances. There are some limitations on the
scanner options you can configure during Quick Start:

l Repositories: If you want to select repositories to store the scanner's data, you must
configure the Repositories option after the Quick Start.

Log Correlation Engine


If you added a Log Correlation Engine Activation Code, you can configure your first Tenable Log
Correlation Engine scanner. For information about the options you can configure, see Tenable Log
Correlation Engines. There are some limitations on the scanner options you can configure during
Quick Start:

l Organizations: If you want to select organizations that can access the scanner's data, you
must configure the Organizations option after the Quick Start.

l Repositories: If you want to select repositories to store the scanner's data, you must
configure the Repositories option after the Quick Start.

Repository
You can configure your first local IPv4 or IPv6 repository.

Caution: When creating repositories, note that IPv4 and IPv6 addresses must be stored separately.
Additional repositories may be created once the initial configuration is complete.

A repository is essentially a database of vulnerability data defined by one or more ranges of IP
addresses. When the repository is created, a selection for IPv4 or IPv6 addresses must be made.
Only IP addresses of the designated type may be imported to the designated repository. The
organization created in steps that follow can take advantage of one or more repositories. During
installation, a single local repository is created with the ability to modify its configuration and add
others post-install.

Caution: When creating Tenable Security Center repositories, Tenable Log Correlation Engine event
source IP address ranges must be included along with the vulnerability IP address ranges or the event data
is not accessible from the Tenable Security Center UI.

Local repositories are based on the IP addresses specified in the IP Ranges option on this page
during the initial setup. Remote repositories use addressing information pulled over the network
from a remote Tenable Security Center. Remote repositories are useful in multi-Tenable Security
Center configurations where security installations are separate but reports are shared. Offline
repositories also contain addressing information from another Tenable Security Center. However,
the information is imported to the new installation via a configuration file and not via a direct
network connection. For information about how this works in air-gapped environments, see
Considerations for Air-Gapped Environments.

For information about the options you can configure, see Local Repositories. There are some
limitations on the repositories and repository options you can configure during Quick Start:

l You cannot configure a local mobile repository during Quick Start.

l You cannot configure a local agent repository during Quick Start.

l You cannot configure an external repository during Quick Start.

l Organizations: If you want to select organizations that can access the repository's data, you
must configure the Organizations option after the Quick Start.

l Log Correlation Engine Correlation: If you want to select Log Correlation Engine servers
where you want Tenable Security Center to retrieve data, you must configure the Log
Correlation Engine Correlation option after the Quick Start.

Organization
An organization is a set of distinct users and groups and the resources they have available to them.
For information about the options you can configure, see Organizations.

You can configure one organization during initial setup. If you want to use multiple organizations,
you must configure other organizations after the Quick Start.

LDAP
Configuring LDAP allows you to use external LDAP servers for the Tenable Security Center user
account authentication or as LDAP query assets. Type all required LDAP server settings and click
Next. Click Skip if you do not want to configure LDAP during initial configuration.

You can configure one LDAP server connection during initial setup. If you want to use multiple
LDAP servers, or if you want to configure additional options, you must continue configuring
LDAP after the Quick Start.

For information about the options you can configure, see LDAP Authentication.

User
You must create one administrator and one security manager during initial setup. For more
information, see User Roles.

l Security manager — a user to manage the organization you just created. After you finish initial
setup, the security manager can create other user accounts within the organization.

l Administrator — a user to manage Tenable Security Center. After you finish initial setup, the
administrator can create other organizations and user accounts.

If you already configured an LDAP server, you have the option to create an LDAP user account. For
more information about user account options, see User Accounts.

After creating the security manager user and setting the administrator password, click Next to
finish initial setup. The Admin Dashboard page appears, where you can review login configuration
data.

Additional Settings
The Enable Usage Statistics option specifies whether Tenable collects anonymous telemetry data
about your Tenable Security Center deployment.

When enabled, Tenable collects usage statistics that cannot be attributed to a specific user or
customer. Tenable does not collect personal data or personally identifying information (PII).

Usage statistics include, but are not limited to, data about your visited pages, your used reports and
dashboards, your Tenable Security Center license, and your configured features. Tenable uses the
data to improve your user experience in future Tenable Security Center releases. You can disable
this option at any time to stop sharing usage statistics with Tenable.

For more information about enabling or disabling this option after initial setup, see Configuration
Settings.

Review
The review page displays your currently selected configurations. If you want to make further
changes, click the links in the left navigation bar.

When you are finished, click Confirm.

Install a Tenable Security Center Patch

Required User Role: Root user

Note: This topic assumes a basic understanding of Linux.

For information about new patches, see the release notes for Tenable Security Center.

Some patches are available through the Tenable Security Center feed. For more information, see
Configuration Settings.

To apply a Tenable Security Center patch manually:

1. Download the patch TGZ file from the Tenable downloads page. If necessary, depending on
the operating system of the host, move the upgrade TGZ file onto the host.

2. Confirm the integrity of the patch TGZ file by comparing the download checksum with the
checksum on the Tenable downloads page.

3. If your organization requires Tenable Security Center to use /dev/random instead of
/dev/urandom to generate random number data for secure communication functions, modify
the random data source as described in Use /dev/random for Random Number Data
Generation.

4. Access the command line as a user with root-level permissions.

5. Run the following command to untar the patch file, where [patch file name] is the name of the
TGZ patch file you downloaded:

tar zxf [patch file name]

6. Run the following command to change the directory to the extracted directory, where
[directory] is the extracted directory:

cd [directory]

7. Run the following command to begin the installation:

sh ./install.sh

The installation begins and Tenable Security Center stops. After the installation finishes,
Tenable Security Center automatically restarts.

8. (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in
the knowledge base article.
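The checksum comparison in step 2 (the same step precedes the RPM install earlier in this guide)
and steps 5 to 7 can be chained so that install.sh never runs on an archive whose SHA-256 does
not match the value copied from the Tenable downloads page. The script below is an added
example, not Tenable's installer; the function names, the placeholder file name
SecurityCenter-patch.tgz and the use of sha256sum or shasum are assumptions, and the published
checksum is supplied by the operator.

```sh
#!/bin/sh
# Added example, not Tenable's installer. Applies a Tenable Security Center
# patch TGZ only after its SHA-256 checksum matches the value the operator
# copied from the Tenable downloads page; a mismatch refuses to install.

# Print the hex SHA-256 digest of a file, using sha256sum or shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive).
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Unpack the TGZ into DEST and print the directory that holds install.sh.
# Fails if no install.sh is found, so a wrong or corrupt archive stops here.
extract_patch() {
  mkdir -p "$2"
  tar zxf "$1" -C "$2" || return 1
  script=$(find "$2" -type f -name install.sh | head -n 1)
  [ -n "$script" ] || return 1
  dirname "$script"
}

# Steps 2 and 5 to 7 of the manual procedure in one guarded sequence.
apply_sc_patch() {
  patch="$1"; expected="$2"
  if ! verify_sha256 "$patch" "$expected"; then
    echo "checksum mismatch for $patch; refusing to install" >&2
    return 2
  fi
  workdir=$(mktemp -d) || return 3
  patchdir=$(extract_patch "$patch" "$workdir") || {
    echo "no install.sh found in $patch" >&2
    return 3
  }
  # The patch installer stops Tenable Security Center and restarts it when done.
  ( cd "$patchdir" && sh ./install.sh )
}

# Usage on a real host (placeholder file name; checksum from the downloads page):
#   sh apply_sc_patch.sh SecurityCenter-patch.tgz <published sha256>
if [ "$#" -eq 2 ]; then
  apply_sc_patch "$1" "$2"
fi
```

Run it as root, as the manual procedure requires; the checksum is compared in lower case so a
value pasted in upper-case hex still matches, and the archive is unpacked into a fresh mktemp
directory rather than wherever the shell happens to be.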

To apply a patch through the Tenable Security Center feed:

1. Log in to Tenable Security Center as an Administrator.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the Plugins/Feed tile.

The Plugins/Feed Configuration page appears.

4. On the Plugins/Feed Configuration page, in the Tenable Security Center Software Updates
section, enable the Enable Updates Through the Tenable Security Center Feed option.

During the next scheduled feed update, Tenable Security Center applies the patch. In the
Tenable Security Center Software Updates table, a timestamp appears in the row for the
patch in the Last Updated column.

Before You Upgrade

Note: A basic understanding of Linux is assumed throughout the installation, upgrade, and removal
processes.

l Tenable Security Center Upgrade Path

l Java Version Requirements

l Halt or Complete Running Jobs

l Perform a Tenable Security Center Backup

l Rename Your Mount Point

Tenable Security Center Upgrade Path


For more information about the upgrade paths to Tenable Security Center version 6.3.x, see the
Tenable Security Center Release Notes.

Java Version Requirements


If you have not installed the Oracle Java JRE or OpenJDK, Tenable Security Center displays the
following warning:

[WARNING] SecurityCenter has determined that Oracle Java JRE and OpenJDK is not
installed. One of two must be installed for SecurityCenter reporting to
function properly.

You must install the latest version of Oracle Java JRE or OpenJDK to take full advantage of Tenable
Security Center reporting.

Halt or Complete Running Jobs

Tenable recommends stopping all running Tenable Security Center processes before beginning an
upgrade. If processes are running (for example, Tenable Nessus scans), Tenable Security Center
displays the following message along with the related process names and their PIDs:

SecurityCenter has determined that the following jobs are still running. Please
wait a few minutes before performing the upgrade again. This will allow the
running jobs to complete their tasks.

Stop the processes manually or retry the upgrade after the processes complete.

Perform a Tenable Security Center Backup


Perform a backup of Tenable Security Center before beginning your upgrade. For more information,
see Backup and Restore.

Rename Your Mount Point


If the existing /opt/sc directory is or contains a mount point to another location, rename the
mount point. During the RPM upgrade process, a message appears with information about the
discovered mount point. Contact your system administrator for assistance.
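Two of the checks in this list, a Java runtime on PATH and no mount point at or under /opt/sc,
can be scripted and run before the RPM upgrade. The script below is an added example, not
Tenable's code; the function names are assumptions and the /proc/mounts excerpt is constructed,
with a data volume mounted inside /opt/sc to show the case the upgrade would flag.

```sh
#!/bin/sh
# Added example, not Tenable's code. Automates two of the pre-upgrade checks:
# a Java runtime must be on PATH, and /opt/sc must not be (or contain) a
# separate mount point. Mount data is read from stdin so the same logic runs
# against the live /proc/mounts or a constructed sample.

SC_DIR=/opt/sc

# Constructed /proc/mounts excerpt (not from a real host): a data volume is
# mounted inside /opt/sc, which the RPM upgrade would flag. /opt/scratch is
# there to show that a sibling directory with a shared prefix is not a hit.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/sdb1 /opt/sc/repositories xfs rw,relatime 0 0
/dev/sdc1 /opt/scratch xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0'

# Print mount points that are exactly DIR or lie beneath it.
# /proc/mounts fields: device mountpoint fstype options dump pass.
# The trailing "/" in the prefix test keeps /opt/scratch from matching /opt/sc.
mounts_under() {
  awk -v dir="$1" '$2 == dir || index($2, dir "/") == 1 { print $2 }'
}

# 0 if a java binary is on PATH (Oracle JRE or OpenJDK both satisfy the installer).
java_present() {
  command -v java >/dev/null 2>&1
}

# Run both checks on the mount table given on stdin. Prints one line per
# finding and returns the number of findings (0 means clear to upgrade).
preupgrade_findings() {
  findings=0
  if ! java_present; then
    echo "FINDING: no Java runtime on PATH; reporting will not work after the upgrade"
    findings=$((findings + 1))
  fi
  for mp in $(mounts_under "$1"); do
    echo "FINDING: $mp is a mount point under $1; rename it before the RPM upgrade"
    findings=$((findings + 1))
  done
  return "$findings"
}

# Offline demonstration; on the live host run:
#   preupgrade_findings /opt/sc < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | preupgrade_findings "$SC_DIR" \
  || echo "upgrade blocked until the findings above are resolved"
```

The exit status of preupgrade_findings doubles as the finding count, so a wrapper script can
refuse to start yum or dnf unless it returns 0; the running-jobs and backup items in the list
still need to be handled by hand.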

Upgrade Tenable Security Center

Required User Role: Root user

Note: This topic assumes a basic understanding of Linux.

Caution: During the upgrade process, Tenable Security Center produces a log file in a temporary location:
/tmp/sc.install.log. Once the installation process finishes, the file is stored here:
/opt/sc/admin/logs/install.log. Do not remove or modify these files; they are important for
debugging in case of a failed upgrade.

Caution: If your plugin set is more than 30 days old, the upgrade will fail. Ensure you have updated your
plugin set within the last 30 days before you upgrade Tenable Security Center.

For information about new features, resolved issues, third-party product updates, and supported
upgrade paths, see the release notes for Tenable Security Center 6.3.x.

These steps describe how to upgrade to the latest version of Tenable Security Center from a
previous version. You can also use these steps to upgrade from an early access version of Tenable
Security Center.

Note: If you are upgrading from Tenable Security Center version 6.2.1 or earlier to version 6.3.x or later, you
must update the Apache configuration file after you upgrade and before you use Tenable Security Center.

Before you begin:

1. Complete system prerequisites, as described in Before You Upgrade.

Note: Tenable recommends creating a backup of your Tenable Security Center data before
upgrading, as described in Perform a Backup.

2. Download the upgrade RPM file from the Tenable downloads page. If necessary, depending on
the operating system of the host, move the upgrade RPM file onto the host.

3. Confirm the integrity of the upgrade RPM file by comparing the download checksum with the
checksum on the Tenable downloads page.

4. If your organization requires Tenable Security Center to use /dev/random instead of
/dev/urandom to generate random number data for secure communication functions, modify
the random data source as described in Use /dev/random for Random Number Data
Generation.

To upgrade to Tenable Security Center 6.3.x:

1. Log in to Tenable Security Center via the user interface.

2. Pause all running scans, as described in Start or Pause a Scan.

3. Prepare the upgrade command you intend to run:

• Use yum or dnf with the upgrade switch from the command line of the Tenable Security
Center server.

• Use “sudo -i” when performing sudo upgrades of Tenable Security Center to ensure
the proper use of environmental variables.

For example:

# yum upgrade SecurityCenter-x.x.x-el6.x86_64.rpm

- or -

# dnf upgrade SecurityCenter-x.x.x-el8.x86_64.rpm

The upgrade begins. Tenable Security Center is not available until the upgrade finishes.

# dnf upgrade SecurityCenter-x.x.x-el6.x86_64.rpm

Preparing... ########################################### [100%]
Shutting down SecurityCenter services: [ OK ]
Backing up previous application files ... complete.
1:SecurityCenter ########################################### [100%]

Applying database updates ... complete.

Beginning data migration.
Starting plugins database migration...complete.
(1 of 4) Converting Repository 1 ... complete.
(2 of 4) Converting Repository 2 ... complete.
(3 of 4) Converting Repository 3 ... complete.
(4 of 4) Converting Repository 4 ... complete.
Migration complete.
Starting SecurityCenter services: [ OK ]
~]#

What to do next:

• If you are upgrading from Tenable Security Center version 6.2.1 or earlier to Tenable Security
Center version 6.3.x or later, update the Apache configuration file before using Tenable
Security Center.

• (Optional) If you used custom Apache SSL certificates before upgrading Tenable Security
Center, restore the custom SSL certificates, as described in Restore Custom SSL Certificates.

Restore Custom SSL Certificates

Required User Role: Root user

If you used custom Apache SSL certificates before upgrading Tenable Security Center, you must
restore the custom Apache SSL certificates after you upgrade Tenable Security Center.

Tenable Security Center creates a backup of the certificates during the upgrade process. Tenable
Security Center copies the existing custom SSL certificates to the Apache configuration backup
directory that the upgrade process creates in the /tmp/[version].apache.conf-########
directory. The exact name of the directory varies, but the system displays the name during the
upgrade process and reports it in the /opt/sc/admin/log/install.log file.

Before you begin:

• Upgrade to a new version of Tenable Security Center, as described in Upgrade Tenable
Security Center.

To restore custom SSL certificates after upgrading Tenable Security Center:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. In the CLI in Tenable Security Center, run the following command:

# cp /tmp/[version].apache.conf-########/SecurityCenter.cert
/opt/sc/support/conf/SecurityCenter.crt

3. Select yes to overwrite the existing file.

4. In the CLI in Tenable Security Center, run the following command:

# cp /tmp/[version].apache.conf-########/SecurityCenter.pem
/opt/sc/support/conf/SecurityCenter.key

5. Select yes to overwrite the existing file.

Caution: Ensure that the newly copied files have permissions of 0640 and ownership of tns:tns.

6. Modify the servername parameter in /opt/sc/support/conf/servername to match the
Common Name (CN) of the SSL certificate.

Tip: To obtain the CN, run the following command and note the CN= portion of the result.

# /opt/sc/support/bin/openssl verify /opt/sc/support/conf/SecurityCenter.crt

7. In the CLI in Tenable Security Center, run one of the following commands to restart the
Apache server:

# /opt/sc/support/bin/apachectl restart

-or-

# service SecurityCenter restart

The Apache server restarts.
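The caution after step 5 (0640 permissions, tns:tns ownership) and the Common Name match in step 6 can be verified in one pass after the restore. The following POSIX shell script is an added example; it is not part of Tenable Security Center or this guide. It assumes the file names used in the steps above and that /opt/sc/support/conf/servername contains only the server name, reads the CN with openssl x509 -subject rather than openssl verify, and additionally confirms that the restored certificate and key belong together, which the steps above do not check.

```shell
#!/bin/sh
# Post-restore checks for custom Apache SSL certificates (added example; not
# Tenable's own tooling). Verifies 0640 / tns:tns on the restored files, that
# the certificate and key are a pair, and that servername matches the CN.

SC_CONF="${SC_CONF:-/opt/sc/support/conf}"
# Tenable Security Center ships its own openssl; fall back to the system one.
OPENSSL="${OPENSSL:-/opt/sc/support/bin/openssl}"
[ -x "$OPENSSL" ] || OPENSSL=openssl

# Pass if the file has exactly the wanted octal mode and owner:group.
check_file_perms() {
    f="$1"; want_mode="${2:-640}"; want_owner="${3:-tns:tns}"
    got=$(stat -c '%a %U:%G' "$f" 2>/dev/null) || return 1
    [ "$got" = "$want_mode $want_owner" ]
}

# Extract the Common Name from an openssl "subject=" line. Handles both the
# "CN = host" and the older "/CN=host" output formats.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Read the CN straight from a certificate file.
cert_cn() {
    cn_from_subject "$("$OPENSSL" x509 -noout -subject -in "$1")"
}

# Pass if the public key inside the certificate equals the public half of the
# private key; a mismatched pair stops Apache from starting.
cert_matches_key() {
    c=$("$OPENSSL" x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$("$OPENSSL" pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Pass if the servername file (assumed to hold only the host name) equals cn.
servername_matches_cn() {
    [ "$(tr -d '[:space:]' < "$1")" = "$2" ]
}

# Run all checks against the restored files; returns 1 on any failure.
verify_restored_certs() {
    crt="$SC_CONF/SecurityCenter.crt"; key="$SC_CONF/SecurityCenter.key"
    rc=0
    for f in "$crt" "$key"; do
        check_file_perms "$f" 640 tns:tns || { echo "FAIL perms/owner on $f (want 0640 tns:tns)"; rc=1; }
    done
    cert_matches_key "$crt" "$key" || { echo "FAIL certificate and key do not match"; rc=1; }
    cn=$(cert_cn "$crt")
    servername_matches_cn "$SC_CONF/servername" "$cn" \
        || { echo "FAIL servername does not match certificate CN '$cn'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS restored certificate checks"
    return $rc
}

# Usage: sh sc-cert-check.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_restored_certs
fi
```

Run it as root after step 6 and before restarting Apache in step 7; any FAIL line points at the file or setting to correct first.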

Update the Apache Configuration File

Required User Role: Root user

Tenable Security Center 6.3.x updated the Apache web server configuration to resolve a memory
leak issue. When your Tenable Security Center instance meets the following criteria, you must
update some values in the Apache configuration file located at
/opt/sc/support/conf/mpm.conf:

• Your Tenable Security Center instance manages more than 10,000 active IPs.

-or-

• You are upgrading to Tenable Security Center version 6.3.x or later from version 6.2.1 or
earlier.

For Tenable Security Center instances managing fewer than 10,000 active IPs, the default settings
in the Apache configuration file are sufficient.

Before you begin:

• Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

• Install Tenable Security Center or Upgrade Tenable Security Center.

To update the Apache configuration file:

1. Navigate to the Apache configuration file, located at /opt/sc/support/conf/mpm.conf.

2. Update the values in the configuration file. Tenable recommends the following settings based
on the size of your deployment:

# Hosts Managed by Tenable Security Center   Recommended Settings

10,000 to 25,000 active IPs                   StartServers 10
                                              MinSpareServers 10
                                              MaxSpareServers 20
                                              MaxRequestWorkers 64

25,001 to 100,000 active IPs                  StartServers 20
                                              MinSpareServers 20
                                              MaxSpareServers 40
                                              MaxRequestWorkers 128

100,001 or more active IPs                    StartServers 40
                                              MinSpareServers 40
                                              MaxSpareServers 80
                                              MaxRequestWorkers 256

3. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

What to do next:

• After the Tenable Security Center build has run for a period of time, check the log located at
/opt/sc/support/logs/error_log for any errors related to the MaxRequestWorkers
setting. For more information, see Generate a Diagnostics File.
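The sizing table in step 2 and the error_log check above can be automated. The following POSIX shell script is an added example; it is not part of Tenable Security Center or this guide. It assumes the mpm.conf and error_log paths named in this topic and that Apache records worker-pool exhaustion in error_log with a message that names MaxRequestWorkers.

```shell
#!/bin/sh
# Compares /opt/sc/support/conf/mpm.conf with the sizing table for a given
# active IP count and counts MaxRequestWorkers exhaustion messages in error_log
# (added example; not Tenable's own tooling).

MPM_CONF="${MPM_CONF:-/opt/sc/support/conf/mpm.conf}"
ERROR_LOG="${ERROR_LOG:-/opt/sc/support/logs/error_log}"

# Prints the recommended "StartServers MinSpareServers MaxSpareServers
# MaxRequestWorkers" for the number of active IPs, or "default" below 10,000.
mpm_recommended() {
    ips="$1"
    if [ "$ips" -lt 10000 ]; then
        echo "default"
    elif [ "$ips" -le 25000 ]; then
        echo "10 10 20 64"
    elif [ "$ips" -le 100000 ]; then
        echo "20 20 40 128"
    else
        echo "40 40 80 256"
    fi
}

# Prints the value of an Apache directive from the config file. Comment lines
# start with "#" so they never match; the last occurrence wins, as in Apache.
mpm_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Returns 0 when the four directives match the recommendation for the given
# active IP count; prints one line per mismatch.
check_mpm_conf() {
    conf="$1"; ips="$2"; rc=0; i=1
    rec=$(mpm_recommended "$ips")
    if [ "$rec" = "default" ]; then
        echo "fewer than 10,000 active IPs: shipped defaults are sufficient"
        return 0
    fi
    for d in StartServers MinSpareServers MaxSpareServers MaxRequestWorkers; do
        want=$(echo "$rec" | cut -d' ' -f"$i")
        got=$(mpm_value "$conf" "$d")
        if [ "$got" != "$want" ]; then
            echo "$d: have '${got:-unset}', recommended $want for $ips active IPs"
            rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}

# Prints how many lines in the log mention MaxRequestWorkers; a non-zero count
# after the soak period in "What to do next" means the worker pool is too small.
mpm_saturation_events() {
    grep -c 'MaxRequestWorkers' "$1" || true
}

# Usage: sh sc-mpm-check.sh --run <active-ip-count>
if [ "${1:-}" = "--run" ]; then
    check_mpm_conf "$MPM_CONF" "${2:?active IP count required}"
    echo "MaxRequestWorkers events in error_log: $(mpm_saturation_events "$ERROR_LOG")"
fi
```

Pass the active IP count your instance manages; the script prints each directive that differs from the tier the table recommends, and zero for the error_log count when no worker-pool exhaustion has been logged.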

Uninstall Tenable Security Center

Required User Role: Root user

To uninstall Tenable Security Center:

1. On the host where you want to uninstall Tenable Security Center, open the command line
interface (CLI).

2. In the CLI, run the following command to stop Tenable Security Center:

service SecurityCenter stop

3. Run the following command to remove Tenable Security Center:

dnf remove SecurityCenter

4. Run the following command to remove user-created and user-modified files:

rm -rf /opt/sc

Tenable Security Center is removed.

User Access

The Users page provides the ability to add, edit, delete, or view the details of Tenable Security
Center user accounts. When you view the Users page, you see a list of users and actions, limited by
your account privileges. Your user role, organization membership, and/or group membership
determine your account privileges. For more information, see User Roles and Organizations and
Groups.

There are two categories of user accounts:

• Administrator users have the system-provided administrator role and do not belong to
organizations.

• Organizational users have the system-provided security manager, auditor, credential manager,
executive, security analyst, or vulnerability analyst role, or a custom role, and belong to an
organization.

Tenable Security Center supports three types of user account authentication: TNS, LDAP, and
SAML. For more information, see User Accounts.

To log in to the Tenable Security Center web interface with a user account, see Log In to the Web
Interface or Log in to the Web Interface via SSL Client Certificate.

Log In to the Web Interface

Required User Role: Any

To log in to the Tenable Security Center configuration interface:

1. Open a supported web browser on a system that has access to the system’s network address
space.

Note: You must access the Tenable Security Center web interface using a secure web
connection (HTTPS) with SSL/TLS 1.2 enabled. Tenable Security Center recommends
configuring the strongest encryption supported by your browser.
For more information, see Encryption Strength.

2. Clear your web browser's cache.

3. Navigate to the URL for your Tenable Security Center: https://<SERVER ADDRESS OR NAME>/.

Where <SERVER ADDRESS OR NAME> is the IPv4 or IPv6 address or hostname for your Tenable
Security Center.

The Tenable Security Center web interface appears.

4. Log in using the supported method for your account configuration.

Note: If you are the first administrator user logging in to Tenable Security Center, see Initial Login
Considerations.

• To log in via a username and password, type your Tenable Security Center credentials
and click Log In.

• To log in via SAML authentication, click Sign In Using Identity Provider. When presented
with your identity provider login page, type your identity provider credentials.

For more information about SAML authentication, see Configure SAML Authentication
Manually via the User Interface.

• To log in via certificate, see Log in to the Web Interface via SSL Client Certificate.

Tenable Security Center logs you in and displays the dashboard with different elements
depending on your user role.

Initial Login Considerations

When you log in to Tenable Security Center for the first time, Tenable Security Center displays the
Quick Setup Guide welcome page to begin a multi-step setup process for initial configuration. For
more information about quick setup, see Quick Setup.

If you prefer to configure the system manually, click Exit Quick Setup Guide. For more information
about getting started with Tenable Security Center, see Get Started With Tenable Security Center.

Log in to the Web Interface via SSL Client Certificate

Required User Role: Any

Before you begin:

• Confirm your Tenable Security Center administrator fully configured Tenable Security Center
for certificate authentication, as described in Certificate Authentication.

To perform a certificate-based Tenable Security Center login:

Note: The following information is provided with the understanding that your browser is configured for
SSL certificate authentication. Please refer to your browser’s help files or other documentation to
configure this feature.

1. Open a browser window and navigate to Tenable Security Center.

The browser presents a list of available certificate identities.

For information about Tenable Security Center-browser communications encryption, see
Encryption Strength.

2. Select a certificate.

3. Click OK.

An authentication prompt appears (if required to access your certificate).

4. (Optional) If prompted, type a PIN or password.

5. Click OK.

The Tenable Security Center login page appears.

6. Log in using the username to be associated with the selected certificate.

Caution: Only one Tenable Security Center user may be associated with a single certificate. If one
user holds multiple user names and roles, a unique certificate must be provided for each login name.

The Certificate Authentication window appears.

7. When prompted, specify whether the current certificate is to be used to authenticate the
current user.

• Click Yes to always use the certificate for authentication.

• Click No to ignore the certificate and log in via TNS authentication.

Tenable Security Center logs you in.

Subsequent Logins

After you log out of Tenable Security Center, the login page appears. If you want to log in again with
the same certificate, refresh your browser window. If you want to use a different certificate, you
must start a new browser session.

After you perform your second certificate login, edit your account from the Profile page to view
your certificate details. If your certificate changes or you need to revoke it, click the Clear
Certification Details button to disassociate the certificate from your account.

User Roles

Roles determine what a user can or cannot access from their account. Tenable Security Center
comes with eight system-provided roles, but you can also create custom roles to satisfy complex
security policy needs. You can customize the permissions on some, but not all, system-provided
user roles.

You can create linked user accounts and linked non-admin user accounts to allow users to switch
between accounts without logging out and logging back in to Tenable Security Center. For more
information, see Linked User Accounts.

For more information about user roles in Tenable Security Center, see Create a User Role, Edit a
User Role, View User Role Details, and Delete a User Role.

Roles

User Role (Customizable Permissions?)
    Description

Administrator (No)
    An account that manages Tenable Security Center as a whole. The primary task of the
    Administrator is to install and configure each organization. In addition, the
    Administrator adds components to Tenable Security Center such as Tenable Nessus Network
    Monitor, Tenable Log Correlation Engine, and Tenable Nessus to extend its capabilities.
    The Administrator is automatically assigned the “Manage Application” role.

    Because administrators do not belong to an organization, they do not have access to the
    data collected by Tenable Security Center.

Organizational User Roles

Security Manager (No)
    An account that manages an individual organization. This is the role assigned to the
    initial user that is assigned when a new organization is created. They can launch scans,
    configure users (except for administrator user roles), vulnerability policies, and other
    objects belonging to their organization.

    A Security Manager is the account within an organization that has a broad range of
    security roles within the defined organization. This is the initial user that is created
    when a new organization is created, and the user can launch scans, configure users
    (except for the Administrator user), vulnerability policies, and other objects that
    belong to their organization. This initial Security Manager account cannot be deleted
    without deleting the entire organization.

    Security Managers have complete access to all data collected by their organization.

SM-Linked (No)
    A linked account that has the same abilities as a Security Manager, except an SM-Linked
    account cannot configure users.

Auditor (Yes)
    An account that can access summary information to perform third-party audits. An Auditor
    can view dashboards, reports, and logs, but cannot perform scans or create tickets.

Credential Manager (Yes)
    An account that can be used specifically for handling credentials. A Credential Manager
    can create and share credentials without revealing the contents of the credential. This
    can be used by someone outside the security team to keep scanning credentials up to date.

Executive (Yes)
    An account intended for users who are interested in a high-level overview of their
    security posture and risk profile. Executives would most likely browse dashboards and
    review reports, but would not be concerned with monitoring running scans or managing
    users. Executives would also be able to assign tasks to other users using the ticketing
    interface.

Security Analyst (Yes)
    An account that has permissions to perform all actions at the Organizational level except
    managing groups and users. A Security Analyst is most likely an advanced user who can be
    trusted with some system-related tasks such as setting freeze windows or updating plugins.

Vulnerability Analyst (Yes)
    An account that can perform basic tasks within the application. A Vulnerability Analyst
    is allowed to view security data, perform scans, share objects, view logs, and work with
    tickets.

No Role (No)
    An account with virtually no permissions. No Role is assigned to a user if their
    designated role is deleted.

Custom Role (Yes)
    A custom role that you create by enabling or disabling individual permissions.

Role Options

Permissions Option
    Description

General

Name
    Custom role name

Description
    Custom role description

Scanning Permissions

Create Scans
    Allows the user to create policy-based scans. Disabling Create Policies while enabling
    this permission allows you to lock the user into a specific set of policies for scanning.

Create Plugin Scans
    (Appears when Create Scans is enabled) Allows the user to create single plugin
    remediation scans.

Create Agent Synchronization Jobs
    Allows the user to add agent synchronization jobs that fetch agent scan results from
    Tenable Vulnerability Management or Tenable Nessus Manager.

Create Agent Scans
    Allows the user to add agent scans that create and launch parallel scans in Tenable
    Nessus Manager, then import the scan results to Tenable Security Center.

Create Audit Files
    Allows the user to upload audit files, which can be used for configuration audit scans.

Create Policies
    Allows the user to set scan parameters and select plugins for scanning.

Upload Nessus Scan Results
    Allows the user to import results from an external Nessus scanner. Result upload is
    limited to the user’s repositories and restricted by the user’s IP address ranges.

Manage Freeze Windows
    Allows the user to add, edit, and delete organization-wide freeze windows. Freeze windows
    prevent scans from launching and stop any scans in progress.

Asset Permissions

Create LDAP Query Assets
    Allows the user to create LDAP Query Assets, which update a list of hosts based on a
    user-defined LDAP query.

Analysis Permissions

Accept Risks
    Allows the user to accept risks for vulnerabilities, which removes them from the default
    view for analysis, dashboards, and reports.

Recast Risks
    Allows the user to change the severity for vulnerabilities.

Manage Risks
    (Appears when Accept Risks or Recast Risks is enabled) Allows the user to modify accept
    and recast risk rules created by other users.

Organizational Permissions

Share Objects Between Groups
    Allows the user to share assets, audit files, credentials, queries, and policies with any
    group. Users in groups to which these objects have been shared can use the objects for
    filtering and scan creation.

View Organization Logs
    Allows the user to view logs for the entire organization.

User Permissions

Manage Roles
    Allows the user to create new roles and edit and delete organizational roles. Any roles
    added must have permissions equal to or less than the user’s role.

Manage Groups
    Allows the user to add, edit, and delete groups. Users with this permission are allowed to
    create groups with access to any vulnerability and event data available to the
    organization.

Manage Group Relationships
    Allows the user to set other users’ relationships with any other groups. Group
    relationships allow a user to view and manage objects and users in other groups.

Report Permissions

Manage Images
    Allows the user to upload images, so anyone in the organization can use the images in
    reports.

Manage Attribute Sets
    Allows the user to add, edit, and delete attribute sets.

System Permissions

Update Feeds
    Allows the user to request a plugin update or a Tenable Security Center feed update.

Workflow Permissions

Create Alerts
    Allows the user to create alerts, which are used to trigger actions (e.g., launch scans,
    run reports, send emails) when specified vulnerability or event conditions occur.

Create Tickets
    Allows the user to create tickets, which are typically used to delegate work to other
    users.

Attack Surface Discovery Permissions

Manage Attack Surface Discovery Domains
    Allows the user to manage Attack Surface Discovery Domains.

View Domain Inventory Assets
    Allows the user to view domain inventory assets.

Host Assets Permissions

View Host Assets
    Allows the user to view host assets.

Create a User Role

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user role options, see User Roles.

To create a custom user role:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Roles.

The Roles page appears.

3. Click Add.

The Add Role page appears.

4. In the Name box, type a name for the role.

5. (Optional) In the Description box, type a description for the role.

6. Set the following permissions, as described in User Roles:

• Scanning Permissions

• Asset Permissions

• Analysis Permissions

• Domain Permissions

• Organization Permissions

• User Permissions

• Reporting Permissions

• System Permissions

• Workflow Permissions

7. Click Submit.

Tenable Security Center saves your configuration.

Edit a User Role

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user role options, see User Roles.

To edit the permissions of a custom or system-provided role:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Roles.

The Roles page appears.

3. Right-click the row for the user role you want to edit.

The actions menu appears.

-or-

Select the check box for the user role you want to edit.

The available actions appear at the top of the table.

4. Click More > Edit.

The Edit Role page appears.

5. (Optional) Modify the Name.

6. (Optional) Modify the Description.

7. (Optional) Modify the following permissions, as described in User Roles:

• Scanning Permissions

• Asset Permissions

• Analysis Permissions

• Domain Permissions

• Organization Permissions

• User Permissions

• Reporting Permissions

• System Permissions

• Workflow Permissions

8. Click Submit.

Tenable Security Center saves your configuration.

View User Role Details

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can view details for any user role. For more information, see User Roles.

To view role details:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Roles.

The Roles page appears.

3. Right-click the row for the user role you want to view.

The actions menu appears.

-or-

Select the check box for the user role you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Role page appears.

Section
    Action

General
    View general information for the user role.

    • Name — The user role name.

    • Description — The user role description.

    • User Count — The number of users with this role.

    • Created — The date the user role was created.

    • Last Modified — The date the user role was last modified.

    • ID — The user role ID.

Scanning Permissions, Asset Permissions, Analysis Permissions, Organization Permissions,
User Permissions, Reporting Permissions, System Permissions, Workflow Permissions
    View a summary of permissions for the role. For more information, see User Roles.

Delete a User Role

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

To delete a custom or system-provided user role:

Note: Deleting a role will cause all users with that role to lose all assigned permissions.

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Roles.

The Roles page appears.

3. Select the role you want to delete:

To delete a single user role:

a. In the table, right-click the row for the role you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple user roles:

a. In the table, select the check box for each role you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click More > Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the role.

Organizations and Groups

An organization is a set of distinct users and groups and the resources they have available to them.
These users are assigned repositories and zones within one or more specified IP address networks.
Users refers to any non-administrator user account on Tenable Security Center. Groups refers to
collections of users with the same permissions within an organization.

For more information, see Organizations and Groups.

Organizations

An organization is a set of distinct users and groups and the resources (for example, scanners,
repositories, and LDAP servers) they have available to them.

The organization is managed primarily by the administrator users and security manager users. The
administrator user creates the organization and creates, assigns, and maintains the security
manager user account. The security manager user (or any organizational user with appropriate
permissions) creates other users within the organization. Groups allow you to manage users and
share permissions to resources and objects among the group. For more information, see User
Access.

Multiple organizations can share the same repositories, and the vulnerability data associated with
the overlapping ranges is shared between each organization. Conversely, organizations can be
configured with their own discrete repositories to facilitate situations where data must be kept
confidential between different organizational units.

Creation of an organization is a multi-step process. After you create an organization, Tenable
Security Center prompts you to create the initial security manager user. For more information, see
Add an Organization and Delete an Organization.

To view details for any organization, see View Organization Details.

To view the users in an organization, filter by the organization on the Users page. For more
information about filters, see Apply a Filter.

Organization Options
Option Description

General

Name (Required) The organization name.

Description A description for the organization.

Contact Information The relevant contact information for the organization including
address, city, state, country, and phone number.

Password Expiration

Enable Password Expiration When enabled, passwords for users in the organization will
expire after the number of days specified in the Expiration

- 95 -
Option Description

Days box.

Expiration Days The number of days before the user's password expires. You
can enter a number between 1 and 365.

The user will receive daily password expiration notifications at


login, starting 14 days before the password expires. After the
password expires, the user must change their password at the
next login. For more information about Tenable Security Center
notifications, see Notifications.

Scanning

Distribution Method The scan distribution mode you want to use for this
organization:

l Automatic Distribution Only: Tenable Security Center


chooses one or more scan zones to run the scan.
Organizational users cannot choose a scan zone when
configuring a scan.

Tenable Security Center distributes targets for scans


based on your configured scan zone ranges. This
facilitates optimal scanning and is useful if an
organization has devices placed behind a firewall or NAT
device or has conflicting RFC 1918 non-internet-routable
address spaces.

l Locked Zone: Tenable Security Center uses the one


Available Zone you specify to run the scan.
Organizational users cannot modify the scan zone when
configuring a scan.

l Selectable Zones: Tenable Security Center allows


organizational users to select a scan zone when
configuring a scan.

- 96 -
Option Description

This mode allows organizational users to use scanners to


run internal and external vulnerability scans and analyze
the vulnerability stance from a new perspective. For
example, an organizational user can choose an external
scanner to see the attack surface from an external
attacker’s perspective.

For more information about scan zones, see Scan Zones.

Available Zones One or more scan zones that you want organizational users to
have access to when configuring scans.

Allow for Automatic Enable or disable this option to specify whether you want
Distribution Tenable Security Center to select one or more scan zones
automatically if an organizational user does not specify a scan
zone when configuring a scan.

l When enabled, Tenable Security Center chooses one or


more scan zones as specified by your Restrict to
Selected Zones setting.

l When disabled, Tenable Security Center requires the


organizational user to specify a scan zone when
configuring a scan.

Restrict to Selected Zones If Allow for Automatic Distribution is enabled, enable or


disable this option to specify the zones you want Tenable
Security Center to choose from when automatically
distributing zones.

l When enabled, Tenable Security Center chooses from the


Available Zones shared with the organization.

l When disabled, Tenable Security Center chooses from all


zones on Tenable Security Center.

Restricted Scan Ranges The IP address ranges you do not want users in this

- 97 -
Option Description

organization to scan.

Analysis

Accessible LCEs The Log Correlation Engines that you want this organization to
have access to. You can search for the Log Correlation Engines
by name or scroll through the list.

Accessible Repositories The repositories that you want this organization to have
access to. You can search for the repositories by name or
scroll through the list.

Accessible Agent Capable The Tenable Nessus scanners (with Tenable Nessus Agents
Scanners enabled) that you want this organization to have access to.
Select one or more of the available scanners to allow the
organization to import Tenable Nessus Agent results from the
selected scanner.

Accessible LDAP Servers The LDAP servers that you want this organization to have
access to. An organization must have access to an
LDAP server to perform LDAP authentication on user accounts
within that organization, and to configure LDAP query assets.

Note: If you revoke access to an LDAP server, users in the


organization cannot authenticate and LDAP query assets cannot
run.

Custom Analysis Links

A list of custom analysis links provided to users within the host vulnerability details when
analyzing data outside of Tenable Security Center is desired. Click Add Custom Link to create a
new option to type the link name and URL to look up additional data external to Tenable
Security Center.

For example: http://example.com/index.htm?ip=%ip%

The %ip% reference is a variable that inserts the IP address of the current host into the
specified URI.

Vulnerability Weights

Low: The vulnerability weighting to apply to Low criticality vulnerabilities for scoring purposes. (Default: 1)

Medium: The vulnerability weighting to apply to Medium criticality vulnerabilities for scoring purposes. (Default: 3)

High: The vulnerability weighting to apply to High criticality vulnerabilities for scoring purposes. (Default: 10)

Critical: The vulnerability weighting to apply to Critical criticality vulnerabilities for scoring purposes. (Default: 40)

Vulnerability Scoring System

Scoring System: The scoring system Tenable Security Center uses to assess the severity of vulnerabilities: CVSS v2 or CVSS v3.

Note: Changing the Scoring System while Tenable Security Center is running certain operations, such as preparing reports or dashboard data, results in data using mixed CVSS v2 and CVSS v3 scores.

Note: Changing the Scoring System does not impact historical dashboard trend data. For example, if you change the Scoring System from CVSS v2 to CVSS v3, dashboard trend data before the change displays CVSS v2 scores while dashboard trend data after the change displays CVSS v3 scores.
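The following Python script is an added example, not Tenable's code, illustrating how the Vulnerability Weights and the Scoring System options above interact. It derives each finding's severity from the selected CVSS base score and then adds that severity's weight to a per-host score, which makes visible why switching Scoring System mid-operation yields mixed results: the same finding can be High under CVSS v2 and Critical under CVSS v3, and the weights amplify that difference. The weights are the page's defaults; the severity bands are the standard CVSS qualitative ratings with the Tenable convention that a CVSS v2 score of 10.0 rates Critical, assumed here; the findings are constructed sample data; and summing weights per host is an assumed scoring model, not a statement of the product's exact formula.

```python
"""Severity weighting under CVSS v2 versus CVSS v3.

Added example, not Tenable's code. Severity bands and the per-host sum
are assumptions; the findings are constructed sample data.
"""

# Page defaults for the organization's Vulnerability Weights option.
DEFAULT_WEIGHTS = {"Low": 1, "Medium": 3, "High": 10, "Critical": 40}


def severity_from_score(score, scoring_system):
    """Map a CVSS base score to a severity name under the chosen system.

    Assumed bands: CVSS v3 uses the standard 9.0+ Critical / 7.0+ High /
    4.0+ Medium / Low; CVSS v2 has no Critical band, so the Tenable
    convention of rating exactly 10.0 as Critical is assumed.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "Info"
    if scoring_system == "CVSS v2":
        if score == 10.0:
            return "Critical"
    elif scoring_system == "CVSS v3":
        if score >= 9.0:
            return "Critical"
    else:
        raise ValueError(f"unknown scoring system: {scoring_system}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed findings: (host, plugin id, CVSS v2 base, CVSS v3 base).
FINDINGS = [
    ("10.0.0.5", 1001, 10.0, 9.8),
    ("10.0.0.5", 1002, 7.5, 9.1),   # High under v2, Critical under v3
    ("10.0.0.5", 1003, 5.0, 5.3),
    ("10.0.0.9", 1004, 2.1, 3.1),
    ("10.0.0.9", 1005, 7.2, 7.8),
]


def host_scores(findings, scoring_system, weights=DEFAULT_WEIGHTS):
    """Sum each finding's severity weight per host (assumed model).

    Info-severity findings carry no weight and therefore add nothing.
    """
    scores = {}
    for host, _plugin, v2, v3 in findings:
        base = v2 if scoring_system == "CVSS v2" else v3
        severity = severity_from_score(base, scoring_system)
        scores[host] = scores.get(host, 0) + weights.get(severity, 0)
    return scores


if __name__ == "__main__":
    for system in ("CVSS v2", "CVSS v3"):
        print(system, host_scores(FINDINGS, system))
```

Running the example with the defaults gives host 10.0.0.5 a score of 53 under CVSS v2 but 83 under CVSS v3, while 10.0.0.9 scores 11 under both; a report assembled while the Scoring System changes could mix rows from either column.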

Add an Organization

Required User Role: Administrator

For more information about organization options, see Organizations.

To add an organization:

1. Log in to Tenable Security Center via the user interface.

2. Click Organizations.

The Organizations page appears.

3. Click Add.

The Add Organization page appears.

4. Configure the following settings:

• General

• Password Expiration

• Scanning

• Analysis

• Custom Analysis Links

• Vulnerability Weights

• Vulnerability Scoring System

5. Click Submit.

Tenable Security Center saves your configuration.

View Organization Details

Required User Role: Administrator

You can view details for any organization. For more information, see Organizations.

To view organization details:

1. Log in to Tenable Security Center via the user interface.

2. Click Organizations.

The Organizations page appears.

3. Right-click the row for the organization you want to view.

The actions menu appears.

-or-

Select the check box for the organization you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Organization page appears.

Section Action

General: View general information for the organization.

• Name — The organization name.

• Description — The organization description.

• Address / City / State / Country / Phone — The contact information for the organization.

• Created — The date the organization was created.

• Last Modified — The date the organization was last modified.

• ID — The organization ID.

Password Expiration: View a summary of your password expiration settings for the organization. For more information about a setting, see Organizations.

Scanning: View a summary of your scanning settings for the organization. For more information about a setting, see Organizations.

Analysis: View a summary of your analysis settings for the organization. For more information about a setting, see Organizations.

Custom Analysis Links: View a summary of your custom analysis link settings for the organization. For more information about a setting, see Organizations.

Vulnerability Weights: View a summary of your vulnerability weights settings for the organization. For more information about a setting, see Organizations.

Vulnerability Scoring System: View the vulnerability scoring system selected for the organization. For more information, see Organizations.

Delete an Organization

Required User Role: Administrator

For more information, see Organizations.

To delete an organization:

Note: Deleting an organization deletes all of the users in that organization.

1. Log in to Tenable Security Center via the user interface.

2. Click Organizations.

The Organizations page appears.

3. Select the organization you want to delete:

To delete a single organization:

a. In the table, right-click the row for the organization you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple organizations:

a. In the table, select the check box for each organization you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the organization.

Groups

User groups are a way to group rights to objects within an organization, and then quickly assign
these rights to one or more users. A user's group membership determines their access to security
data. When a user creates various objects such as reports, scan policies, dashboards, and other
similar items, these objects are automatically shared among the group members if the group
permissions allow view and control.

For more information, see Add a Group, View Group Details, and Delete a Group.

Group Options

Option Description

General tab

Name: The name for the group.

Description: A description for the group (e.g., security team at the central office or executives on the east coast).

Viewable Hosts: The IP addresses and agent IDs that are viewable by the group. You can select all defined assets or one or more asset lists.

Repositories: The repositories you want to share with the group.

Log Correlation Engines: The Log Correlation Engines you want to assign to the group.

Sample Content: When enabled, Tenable provides sample content objects to users in the group:

• sample dashboards (Executive 7 Day, Executive Summary, and Vulnerability Overview)

• sample reports (Critical and Exploitable Vulnerabilities, Monthly Executive, and Remediation Instructions by Host)

• sample ARCs (CCC 1: Maintain an Inventory of Software and Hardware, CCC 2: Remove Vulnerabilities and Misconfigurations, CCC 3: Deploy a Secure Network, CCC 4: Authorize Users, and CCC 5: Search for Malware and Intruders)

• sample assets required for the sample ARCs

After enabling Sample Content, you must add a new user to the group before all users in the group can access the sample content.

Note: If a user in a group deletes a sample content object, the object is deleted for all other users in that group.

Note: If you move a sample content object owner (e.g., move the first user in group A to group B), Tenable Security Center:

1. Assigns their dashboards and ARCs to a new sample content object owner in group A. Tenable Security Center does not reassign reports or assets.

2. Recreates their dashboards, ARCs, and assets required for ARCs in group B. Tenable Security Center does not recreate reports.

Share to Group tab

Available Objects: The list of available objects to be shared with the group on creation or edit in a bulk operation.

Add a Group

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about group options, see Groups.

To add a group:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Groups.

The Groups page appears.

3. Click Add.

The Add Group page appears.

4. Configure the General options.

5. Configure the Share to Group options.

6. Click Submit.

Tenable Security Center saves your configuration.

View Group Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view details for any group. For more information, see Groups.

To view group details:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Groups.

The Groups page appears.

3. Right-click the row for the group you want to view.

The actions menu appears.

-or-

Select the check box for the group you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Group page appears.

Section Action

General: View general information for the group.

• Name — The group name.

• Description — The group description.

• Created — The date the group was created.

• Last Modified — The date the group options were last modified.

• ID — The group ID.

Access: View the lists of Viewable Hosts, Repositories, and LCEs users in the group can access. For more information, see Group Options.

Preferences: View whether you enabled Sample Content for the group. For more information, see Group Options.

Users: View the list of users associated with the group.

Delete a Group

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To delete a group:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Groups.

The Groups page appears.

3. Select the group you want to delete:

To delete a single group:

a. In the table, right-click the row for the group you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple groups:

a. In the table, select the check box for each group you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the group.

User Accounts

The Users page displays the user accounts on Tenable Security Center, limited by your account
privileges. You can sort the columns or apply filters to locate specific user accounts. You can also
add a user (Add a TNS-Authenticated User, Add an LDAP-Authenticated User, or Add a SAML-Authenticated User) or Delete a User.

You can create one or more administrator accounts on Tenable Security Center. You can create one
or more organizational users (security managers and custom roles) per organization. Tenable
recommends you make at least one TNS-authenticated administrator and security manager user
per organization so that you can still log in if the LDAP or SAML service becomes unavailable. For
more information about user account types, see User Access.

For more information about options available when configuring user accounts, see User Account
Options.

Linked User Accounts

You can create linked user accounts and linked non-admin user accounts to allow users to switch
between accounts without logging out and logging back in to Tenable Security Center. For more
information, see Linked User Accounts.

API Keys

You can generate API keys to authenticate as a specific user for Tenable Security Center API
requests. For more information, see API Key Authentication.
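The following Python script is an added example, not Tenable's code, of how a client should handle the API keys generated for a user: the keys are read from the environment rather than hard-coded, the request is refused unless the base URL uses HTTPS, and a log-safe rendering of the header hides the secret key. The x-apikey header format (accesskey=...; secretkey=...) and the /rest/currentUser endpoint used to verify a key follow the Tenable Security Center API reference; the base URL, key values and environment variable names TSC_ACCESS_KEY and TSC_SECRET_KEY are assumptions for the example.

```python
"""Build an API-key-authenticated request to the Tenable Security Center REST API.

Added example, not Tenable's code. Base URL, key values and environment
variable names are assumptions.
"""
import os
import re
import urllib.request
from urllib.parse import urljoin


def load_keys(env=None):
    """Read the access and secret key from the environment (assumed names)."""
    env = os.environ if env is None else env
    try:
        return env["TSC_ACCESS_KEY"], env["TSC_SECRET_KEY"]
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc}") from None


def api_key_header(access_key, secret_key):
    """Return the x-apikey header in the format the API reference documents."""
    if not access_key or not secret_key:
        raise ValueError("both access key and secret key are required")
    return {"x-apikey": f"accesskey={access_key}; secretkey={secret_key}"}


def redact(header_value):
    """Log-safe rendering: keep the access key (an identifier), hide the secret."""
    return re.sub(r"secretkey=[^;]*", "secretkey=<redacted>", header_value)


def build_request(base_url, path, access_key, secret_key, method="GET"):
    """Create a urllib Request carrying the API key header.

    Refuses plain http: the secret key travels in a header, so it must
    only ever be sent over TLS.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send API keys over a non-TLS URL")
    url = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    request = urllib.request.Request(url, method=method)
    for name, value in api_key_header(access_key, secret_key).items():
        request.add_header(name, value)
    request.add_header("Accept", "application/json")
    return request


if __name__ == "__main__":
    # Assumed base URL; the endpoint returns the account the keys belong to,
    # which makes it a good smoke test that a newly generated key works.
    BASE_URL = os.environ.get("TSC_BASE_URL", "https://sc.example.internal")
    access, secret = load_keys()
    req = build_request(BASE_URL, "/rest/currentUser", access, secret)
    print("sending:", req.get_method(), req.full_url,
          redact(req.get_header("X-apikey")))
    with urllib.request.urlopen(req, timeout=30) as resp:
        print("status:", resp.status)
```

Rotating a compromised key only requires regenerating it for the user in Tenable Security Center and updating the environment; nothing in the client needs to change.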

Add a TNS-Authenticated User

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user account configuration options, see TNS User Account Options.

To add a TNS-authenticated user account as an administrator user:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Click Add.

The Add User page appears.

4. Select a Role.

5. If you selected Security Manager as the Role, select an Organization.

6. (Optional) Type a First Name and Last Name.

7. Type a Username and Password for the user.

8. If the Type drop-down box is visible, select TNS.

9. (Optional) Enable User Must Change Password.

10. Select a Time Zone.

11. (Optional) Select a Scan Result Default Timeframe.

12. (Optional) Enable Cached Fetching.

13. (Optional) Enable Password Expiration for the user.

14. (Optional) Enable Dark Mode for the user.

15. (Optional) Type Contact Information for the user.

16. Click Submit.

Tenable Security Center saves your configuration.

To add a TNS-authenticated user account as an organizational user:

1. Log in to Tenable Security Center via the user interface. You must log in with a user account
belonging to the organization where you want to create a new user.

2. Click Users > Users.

The Users page appears.

3. Click Add.

The Add User page appears.

4. (Optional) Type a First Name and Last Name for the user.

5. If the Type drop-down box is visible, select TNS.

6. Type a Username and Password for the user.

7. (Optional) Enable User Must Change Password.

8. Select a Time Zone.

9. (Optional) Select a Scan Result Default Timeframe.

10. (Optional) Enable Cached Fetching.

11. (Optional) Enable Password Expiration for the user.

12. Select a Role. For more information, see User Roles.

13. Select a Group. For more information, see Organizations and Groups.

14. (Optional) If you want to customize the group-related permissions for the user, modify the
Group Permissions as described in Custom Group Permissions.

15. (Optional) If you want to share an asset list with the user, select an Asset. For more
information, see Assets.

16. (Optional) Enable Dark Mode for the user.

17. (Optional) Type Contact Information for the user.

18. Click Submit.

Tenable Security Center saves your configuration.

Add an LDAP-Authenticated User

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user account configuration options, see User Accounts. To
automatically add LDAP-authenticated users by importing users from your LDAP identity provider,
see Configure LDAP User Provisioning.

To add an LDAP-authenticated user account as an administrator user:

1. Log in to Tenable Security Center via the user interface.

2. Configure an LDAP server, as described in LDAP Authentication. If you want the new user to
be a member of an organization, associate the LDAP server with an organization.

3. Click Users > Users.

The Users page appears.

4. Click Add.

The Add User page appears.

5. Select a Role for the user account.

6. If you selected Security Manager as the Role, select an Organization for the user account.
You must select an organization with an associated LDAP server.

7. (Optional) Type a First Name and Last Name for the user.

8. In the Type drop-down list, select LDAP. If LDAP does not appear in the drop-down list, add
an LDAP server as described in Add an LDAP Server.

9. Select the LDAP Server where you want to authenticate the user.

10. Type a Search String to find existing users on the LDAP server.

11. Click Search.

The page displays the LDAP Users Found by the LDAP search string.

12. Select an LDAP user from the LDAP Users Found drop-down box.

The page populates the Username option with your selection.

13. View the Username. Tenable does not recommend modifying the Username since it must
match the username on the LDAP server.

14. Select a Time Zone.

15. (Optional) Select a Scan Result Default Timeframe.

16. (Optional) Enable Cached Fetching.

17. (Optional) Enable Dark Mode for the user.

18. (Optional) Type Contact Information for the user.

19. Click Submit.

Tenable Security Center saves your configuration.

To add an LDAP-authenticated user account as an organizational user:

1. Log in to Tenable Security Center via the user interface. You must log in with a user account
belonging to the organization where you want to create a new user.

2. Confirm that an administrator user configured an LDAP server, and that the LDAP server was
associated with the organization where you want to create a user account.

3. Click Users > Users.

The Users page appears.

4. Click Add.

The Add User page appears.

5. (Optional) Type a First Name and Last Name for the user.

6. In the Type drop-down list, select LDAP. If LDAP does not appear in the drop-down list, add
an LDAP server as described in Add an LDAP Server.

7. Select the LDAP Server where you want to authenticate the user.

8. Select an LDAP user from the LDAP Users Found drop-down box.

The page populates the Username option with your selection.

9. View the Username. Tenable does not recommend modifying the Username since it must
match the username on the LDAP server.

10. Select a Time Zone.

11. (Optional) Select a Scan Result Default Timeframe.

12. (Optional) Enable Cached Fetching.

13. Select a Role. For more information, see User Roles.

14. Select a Group. For more information, see Organizations and Groups.

15. (Optional) If you want to customize the group-related permissions for the user, modify the
Group Permissions as described in Custom Group Permissions.

16. (Optional) If you want to share an asset list with the user, select an Asset. For more
information, see Assets.

17. (Optional) Enable Dark Mode for the user.

18. (Optional) Type Contact Information for the user.

19. Click Submit.

Tenable Security Center saves your configuration.

Add a SAML-Authenticated User

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user account configuration options, see SAML User Account Options.
To automatically add SAML-authenticated users by importing users from your SAML identity
provider, see Configure SAML User Provisioning.

Before you begin:

• Review the Tenable SAML Configuration Quick-Reference guide for step-by-step instructions on how to configure SAML for use with Tenable Security Center.

• Configure SAML authentication, as described in Configure SAML Authentication Manually via the User Interface.

To add a SAML-authenticated user account as an administrator user:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Click Add.

The Add User page appears.

4. (Optional) Type a First Name and Last Name for the user.

5. In the Type drop-down box, select SAML. If SAML does not appear in the drop-down box,
configure SAML authentication as described in Configure SAML Authentication Manually via
the User Interface.

6. In the Username box, type the user's SAML username exactly as it appears in your identity
provider SAML configuration for this user.

7. Select a Time Zone.

8. (Optional) Select a Scan Result Default Timeframe.

9. (Optional) Enable Cached Fetching.

10. (Optional) Enable Dark Mode for the user.

11. (Optional) Type Contact Information for the user.

12. Click Submit.

Tenable Security Center saves your configuration.

To add a SAML-authenticated user account as an organizational user:

1. Log in to Tenable Security Center via the user interface. You must log in with a user account
belonging to the organization where you want to create a new user.

2. Click Users > Users.

The Users page appears.

3. Click Add.

The Add User page appears.

4. (Optional) Type a First Name and Last Name for the user.

5. In the Type drop-down list, select SAML. If SAML does not appear in the drop-down list,
configure SAML authentication as described in Configure SAML Authentication Manually via
the User Interface.

6. In the Username box, type the user's SAML username exactly as it appears in your identity
provider SAML configuration for this user.

7. Select a Time Zone.

8. (Optional) Select a Scan Result Default Timeframe.

9. (Optional) Enable Cached Fetching.

10. Select a Role. For more information, see User Roles.

11. Select a Group. For more information, see Organizations and Groups.

12. (Optional) To customize the user's object and user account management permissions, modify
the Group Permissions as described in Custom Group Permissions.

13. (Optional) To share an asset list with the user, select an Asset. For more information, see
Assets.

14. (Optional) Enable Dark Mode for the user.

15. (Optional) Type Contact Information for the user.

16. Click Submit.

Tenable Security Center saves your configuration.

Manage User Accounts

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user accounts, see User Accounts.

To view or edit a user account:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Users > Users.

The Users page appears.

3. To filter the users that appear on the page, apply a filter as described in Apply a Filter.

Note: If you are logged in with an administrator account, the Organization filter is set to System by
default. To view users from other organizations, select a different organization for the Organization
filter.

4. To view details for a user, see View User Details.

5. To edit a user:

a. Right-click the row for the user you want to edit.

The actions menu appears.

-or-

Select the check box for the user you want to edit.

The available actions appear at the top of the table.

b. Click Edit.

The Edit User page appears.

c. Modify the user details.

Note: If you want to edit a Tenable Security Center user that was created via user provisioning
and you enabled User Data Sync, edit the user in your SAML or LDAP identity provider.
Otherwise, the Tenable Security Center user data synchronization overwrites your changes the
next time the user logs in to Tenable Security Center using your SAML or LDAP identity
provider. For more information about User Data Sync, see SAML Authentication Options or
LDAP Authentication Options.

d. Click Submit.

Tenable Security Center saves your configuration.

6. To delete a user, see Delete a User.

Edit Your User Account

Required User Role: Any

You can edit your user account to update your password, contact information, display preferences,
and other settings depending on your user role. If you want to edit a linked user account, see Edit a
Linked User Account.

To edit your user account as an administrator:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Right-click the row for your user account.

The actions menu appears.

-or-

Select the check box for your user account.

The available actions appear at the top of the table.

4. Click More > Edit.

The Edit User page appears.

5. Modify your user account settings. For more information, see User Account Options.

6. Click Submit.

Tenable Security Center saves your configuration.

To edit your user account as an organizational user:

1. Log in to Tenable Security Center via the user interface.

2. Click Username > Profile.

The Edit User Profile page appears.

3. Modify your user account settings. For more information, see User Account Options.

4. Click Submit.

Tenable Security Center saves your configuration.

View User Details

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about user accounts, see User Accounts.

To view details for a user:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Right-click the row for the user you want to view.

The actions menu appears.

-or-

Select the check box for the user you want to view.

The available actions appear at the top of the table.

4. Click View.

The View User page appears.

5. View the following information for the user:

Section Action

General: View general information for the user.

• Created — The date the user was created.

• Last Modified — The date the user was last modified.

• ID — The user ID.

Membership: View role and organization information for the user. For more information, see User Account Options.

Password Expiration: View password expiration settings for the user. For more information, see User Account Options.

Display Options: View dark mode settings for the user. For more information, see User Account Options.

Contact Information: View contact information for the user. For more information, see User Account Options.

API Key: If the user has API keys, view the access key for the user. For more information, see Enable API Key Authentication.

Linked User Details: Required User Role: Administrator

View linked user accounts associated with the user:

• Linked Users — If the user is an Administrator, view the linked Security Manager users. If the user is a Security Manager, view the linked SM-Linked users.

• Primary User — If the user is a linked Security Manager, view the associated Administrator user. If the user is an SM-Linked user, view the associated Security Manager user.

For more information, see Linked User Accounts.

Delete a User

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

If you want to migrate a user's objects, you must use a Security Manager account in the user's
organization to delete the user. Other roles cannot migrate user objects.

Note: You cannot delete the first user created in any of your organizations. For more information, contact
Tenable Support.

Note: If you want to delete an Administrator or Security Manager with linked user accounts, you must
delete the linked accounts associated with the Administrator or Security Manager before deleting the
Administrator or Security Manager, as described in Delete a Linked User Account. For more information
about linked user accounts, see Linked User Accounts.

Note: If you want to delete a Tenable Security Center user that was created via user provisioning, delete
the user from your SAML or LDAP identity provider. If you delete a user in Tenable Security Center that was
created via user provisioning without deleting the user in your SAML or LDAP identity provider, Tenable
Security Center automatically re-creates the user in Tenable Security Center the next time they log in
using your SAML or LDAP identity provider. For more information, see SAML User Provisioning or LDAP
User Provisioning.

To delete a user:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Select the user you want to delete:

To delete a single user:

a. In the table, right-click the row for the user you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple users:

a. In the table, select the check box for each user you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click More > Delete.

A confirmation window appears.

4. (Optional) If you want to migrate the user's objects, click the toggle to migrate the user's
objects to another user. Tenable Security Center supports migrating:

• Active scans, agent scans, and scan results

• Custom assets, credentials, audit files, and scan policies

• Freeze windows

• Queries

• Tickets and alerts

• ARCs

• Dashboards

• Reports, report images, report attributes, and report results

If you do not migrate the user's objects, Tenable Security Center deletes the user's objects.

Note: You cannot migrate objects when deleting an Administrator user because all Administrator-
created objects are shared across Tenable Security Center and remain accessible after user
deletion.

Note: If you delete a linked non-admin user, the user's objects can only be migrated to the linked
Security Manager account. For more information about linked user accounts, see Linked User
Accounts.

5. Click Delete.

Tenable Security Center deletes the user.

Linked User Accounts

You can create linked user accounts and linked non-admin user accounts to allow users to switch
between accounts without logging out and logging back in to Tenable Security Center.

• Linked User Account - A Security Manager user account that is linked to an Administrator user account.

• Linked Non-Admin User Account - An SM-Linked user account that is linked to a Security Manager user account.

On the Users page, a tooltip appears next to linked and linked non-admin users that displays the
username for the associated Administrator or Security Manager account.

Linked User

Users with linked user accounts can use a single set of login credentials to log in to Tenable
Security Center as an Administrator, then switch to a linked Security Manager, from one linked
Security Manager to another, or from a linked Security Manager to the linked Administrator. You do
not need to re-authenticate to switch between linked user accounts after logging in as the linked
Administrator.

The following restrictions apply to linked user accounts:

• Each Administrator can have one linked Security Manager per organization.

• Each linked Security Manager can be associated with only one Administrator user account.

• Linked Security Managers cannot log in to Tenable Security Center directly. You must log in to the Administrator account associated with the linked Security Manager, then switch users.

• You cannot convert a standalone user account to a linked user account.

• You cannot convert a linked user account to a standalone user account. To unlink a Security Manager user from an Administrator user, delete the linked Security Manager, then create a standalone Security Manager.

Linked Non-Admin User

Users with linked non-admin user accounts can use a single set of login credentials to log in to
Tenable Security Center as a Security Manager, then switch to a linked SM-Linked account, from
one SM-Linked account to another, or from an SM-Linked account to the linked Security Manager.
You do not need to re-authenticate to switch between linked user accounts after logging in as the
linked Security Manager.

Note: You must have more than one organization to create a linked non-admin user. For more information
about organizations, see Organizations.

The following restrictions apply to linked non-admin user accounts:

• Each Security Manager can have one linked SM-Linked user account per organization.

• Each SM-Linked user account can be associated with only one Security Manager user account.

• SM-Linked user accounts cannot create, edit, or delete user accounts in the organization.

• SM-Linked users do not have access to the Profile page to edit their own accounts.

• SM-Linked users cannot log in to Tenable Security Center directly. You must log in to the Security Manager account associated with the SM-Linked account, then switch users.

• You can only create linked non-admin user accounts for TNS user accounts. Linked non-admin user accounts are not supported for LDAP or SAML user accounts.

• You cannot convert a standalone user account to a linked non-admin user account.

• You cannot convert an SM-Linked user to a standalone user account. To unlink an SM-Linked user from a Security Manager user, delete the SM-Linked user account.

• You cannot create a standalone SM-Linked user account.

For more information about user accounts in Tenable Security Center, see User Access and User
Roles.

For more information about linked user accounts, see:

• Add a Linked User

• Switch to a Linked User Account

• Edit a Linked User Account

• Delete a Linked User Account

Add a Linked User

You can create linked user accounts and linked non-admin user accounts to allow users to switch
between accounts without logging out and logging back in to Tenable Security Center. You can add
a linked Security Manager to an Administrator account, or you can add an SM-Linked user to a
Security Manager account. The following restrictions apply to linked accounts:

• You cannot convert a standalone user account to a linked user account.

• Each Administrator can have one linked Security Manager per organization.

• Each Security Manager can have one linked SM-Linked user per organization.

• Each linked Security Manager user can be associated with only one Administrator user account.

• Each SM-Linked user can be associated with only one Security Manager user account.

For more information about linked user accounts, see Linked User Accounts. For more information
about user account configuration options, see User Account Options.

To add a linked Security Manager to an Administrator, or add an SM-Linked user to a Security Manager:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Right-click the row for the Administrator or Security Manager to which you want to add a
linked user.

The actions menu appears.

-or-

Select the check box for the Administrator or Security Manager to which you want to add a
linked user.

The available actions appear at the top of the table.

4. Click Add Linked User.

The Add User page appears. Tenable Security Center pre-populates the First Name, Last
Name, and Contact Information fields with values from the Administrator or Security Manager
user account.

5. Select an Organization. If you create a linked non-admin user, you can select more than one
organization and Tenable Security Center will create one linked non-admin user for each
organization.

6. (Optional) Modify the First Name and Last Name for the user.

7. Type a Username for the user. If you create a linked non-admin user, Tenable Security Center
adds the orgID to the end of the username.

8. Select a Time Zone.

9. (Optional) Select a Scan Result Default Timeframe.

10. (Optional) Enable Cached Fetching.

11. (Optional) Enable or disable Dark Mode for the user.

12. (Optional) Modify the Contact Information for the user.

13. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l Switch between a linked user account and its associated Administrator or Security Manager
user account, as described in Switch to a Linked User Account.

Switch to a Linked User Account

You can create linked user accounts and linked non-admin user accounts to allow users to switch
between accounts without logging out and logging back in to Tenable Security Center.

Linked users can switch from the linked Administrator to a linked Security Manager, from one linked
Security Manager to another, or from a linked Security Manager to the linked Administrator user.
Linked non-admin users can switch from the linked Security Manager to an SM-Linked user, from
one SM-Linked user to another, or from an SM-Linked user to the linked Security Manager. For more
information about linked user accounts, see Linked User Accounts.

Before you begin:


l Configure one or more linked user accounts, as described in Add a Linked User.

To switch to a linked user account:

1. Log in to Tenable Security Center via the user interface.

Note: You must log in to the Administrator or Security Manager account associated with the linked
user, then switch between linked users. Linked Security Managers and SM-Linked users cannot log
in to Tenable Security Center directly.

2. Click your user profile icon > Switch User. This option appears only if the current logged-in
user already has a linked user account.

The Switch To Linked Account window appears.

3. Click the name of the linked user you want to switch to.

4. Click Switch.

Tenable Security Center logs you in as the selected user.

The username menu updates to show the linked user account name and associated
organization.

Edit a Linked User Account

Administrators can edit linked user accounts. Linked Security Manager users and SM-Linked users
can edit their own account details. For more information, see Linked User Accounts.

To edit a linked user account as an Administrator:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Filter the Users page to show user accounts for the linked user's organization, as described in
Apply a Filter.

4. Right-click the row for the linked user account you want to edit.

The actions menu appears.

-or-

Select the check box for the linked user account you want to edit.

The available actions appear at the top of the table.

5. Click More > Edit.

The Edit User page appears.

6. Modify the user account settings. For more information, see User Account Options.

7. Click Submit.

Tenable Security Center saves your configuration.

To edit your linked user account as a linked user:

1. Log in to Tenable Security Center via the user interface.

2. Switch to a linked user account, as described in Switch to a Linked User Account.

3. Click Username > Profile.

The Edit User Profile page appears.

4. Modify the user account settings. For more information, see User Account Options.

5. Click Submit.

Tenable Security Center saves your configuration.

Delete a Linked User Account

Required User Role: Administrator

If you want to remove a linked user account, you must delete the linked account. You cannot
convert a linked user account into a standalone user account. For more information about linked
user accounts, see Linked User Accounts.

Note: If you want to delete an Administrator or Security Manager with linked user accounts, you must
delete the linked accounts associated with the Administrator or Security Manager before deleting the
Administrator or Security Manager.

To delete a linked user account:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Apply a filter to view the organization for the user you want to delete, as described in Apply a
Filter.

4. Select the linked user account you want to delete:

To delete a single linked user account:


a. In the table, right-click the row for the linked user account you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple linked user accounts:


a. In the table, select the check box for each linked user account you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

5. (Optional) If you want to migrate the user's objects, click the toggle to migrate the user's
objects to another user. Tenable Security Center supports migrating:

l Active scans, agent scans, and scan results

l Custom assets, credentials, audit files, and scan policies

l Freeze windows

l Queries

l Tickets and alerts

l ARCs

l Dashboards

l Reports, report images, report attributes, and report results

If you do not migrate the user's objects, Tenable Security Center deletes the user's objects.

Note: You cannot migrate objects when deleting an Administrator user because all Administrator-
created objects are shared across Tenable Security Center and remain accessible after user
deletion.

6. Click Delete.

Tenable Security Center deletes the user.

Custom Group Permissions


When creating or editing a user account, you can customize a user's group permissions.

l Your selection in the Group field assigns the user to a group.

l Your selections in the Group Permissions section grant the user resource (user and object)
permissions in their assigned group and other groups.

For more information about organizations and groups, see Organizations and Groups.

In the Group Permissions section, the Manage All Users and Manage All Objects sliders enable or
disable all of the settings in the User Permission and Object Permission columns, respectively. By
default, the system enables all permissions for all groups. You can clear the check boxes in each
group row to restrict the user's ability to perform the following actions on the resources within a
group.

Resources Controlled by Manage Users/User Permissions:

l Users (edit and delete)

l Groups (edit and delete)

Resources Controlled by Manage Objects/Object Permissions:

l Reports (launch, stop, copy, delete, and sometimes edit)

Note: A user can only edit reports within their assigned group, even if you grant them Object
Permissions for another group.

l Report results (publish, email, copy, and delete)

l Report images (delete)

l Report attributes (delete)

l Scan results (launch, import, copy, send to report, stop, pause, and delete)

l Policies (edit, copy, and delete)

l Assets (edit, share, and delete)

l Alerts (edit and delete)

l Audit files (edit, share, and delete)

l Credentials (edit, share, and delete)

l Tickets (edit, resolve, and close)

l Risk rules (delete)

l Queries (edit, share, and delete)

l ARCs (edit, share, copy, and delete)

l Dashboards (edit, share, copy, and delete)

Examples
Consider the following examples for a user assigned to Group1.

Control Permissions to Resources in the User's Assigned Group


l If you select the User Permissions and/or Object Permissions check boxes in the Group1 row,
the user can perform actions for all resources in Group1, including the resources owned by
other users.

l If you clear the User Permissions and/or Object Permissions check boxes in the Group1 row,
the user cannot perform actions on resources owned by other users in Group1.

Control Permissions to Resources in Other Groups


l If you select the User Permissions and/or Object Permissions check boxes in the Group2 row,
the user can perform actions for all resources in Group2, including the resources owned by
other users.

Note: Although the user receives many permissions for resources in Group2, the user cannot edit
reports owned by Group2 users. Users must be assigned to Group2 and have Object Permissions
selected in order to edit reports, active scans, and agent scans.

l If you clear the User Permissions and/or Object Permissions check boxes in the Group2 row,
the user cannot perform actions on resources owned by other users in Group2.
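The Group1/Group2 rules above, encoded as a small authorization check so the edge case in the note (edit rights for reports and scans stop at the assigned group) can be exercised. This is an added example in Python, not Tenable code; the User and Obj types, the function names, and the rule that owners keep access to their own objects are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Object kinds the guide says a user can only edit within their assigned
# group, even when they hold Object Permissions for another group.
EDIT_RESTRICTED_TO_ASSIGNED_GROUP = {"report", "active scan", "agent scan"}

# Actions the guide lists under Manage Objects/Object Permissions, per object
# kind. "active scan" and "agent scan" appear only in the note about editing,
# so only "edit" is modelled for them (assumption).
OBJECT_ACTIONS = {
    "report": {"launch", "stop", "copy", "delete", "edit"},
    "report result": {"publish", "email", "copy", "delete"},
    "report image": {"delete"},
    "report attribute": {"delete"},
    "scan result": {"launch", "import", "copy", "send to report", "stop", "pause", "delete"},
    "policy": {"edit", "copy", "delete"},
    "asset": {"edit", "share", "delete"},
    "alert": {"edit", "delete"},
    "audit file": {"edit", "share", "delete"},
    "credential": {"edit", "share", "delete"},
    "ticket": {"edit", "resolve", "close"},
    "risk rule": {"delete"},
    "query": {"edit", "share", "delete"},
    "arc": {"edit", "share", "copy", "delete"},
    "dashboard": {"edit", "share", "copy", "delete"},
    "active scan": {"edit"},
    "agent scan": {"edit"},
}

# Actions the guide lists under Manage Users/User Permissions.
USER_ACTIONS = {"user": {"edit", "delete"}, "group": {"edit", "delete"}}


@dataclass
class User:
    """A user and the state of its Group Permissions rows (hypothetical model)."""
    name: str
    assigned_group: str                                   # the Group field
    user_permissions: set = field(default_factory=set)    # rows with User Permissions checked
    object_permissions: set = field(default_factory=set)  # rows with Object Permissions checked

    @classmethod
    def with_manage_all(cls, name, assigned_group, all_groups):
        """Manage All Users / Manage All Objects enabled: every group row is checked."""
        return cls(name, assigned_group, set(all_groups), set(all_groups))


@dataclass
class Obj:
    kind: str    # key of OBJECT_ACTIONS
    owner: str   # username of the owner
    group: str   # group the object belongs to


def can_perform(user: User, action: str, obj: Obj) -> bool:
    """Whether `user` may perform `action` on `obj`."""
    if action not in OBJECT_ACTIONS.get(obj.kind, set()):
        return False  # not an action the guide lists for this kind
    if obj.owner == user.name:
        return True   # permissions gate other users' resources (assumption)
    if obj.group not in user.object_permissions:
        return False  # Object Permissions cleared for that group row
    if action == "edit" and obj.kind in EDIT_RESTRICTED_TO_ASSIGNED_GROUP:
        return obj.group == user.assigned_group  # the note: edit only in the assigned group
    return True


def can_manage(user: User, action: str, kind: str, group: str) -> bool:
    """Whether `user` may edit/delete a user or group resource in `group`."""
    return action in USER_ACTIONS.get(kind, set()) and group in user.user_permissions
```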

Generate API Keys

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

API keys allow you to authenticate as a specific user for Tenable Security Center API requests.
Administrators can generate API keys for any user account. Other roles can generate API keys for
user accounts with the same role. For more information, see API Key Authentication.

Note: If you generate API keys for a user that already has API keys, the old keys will be replaced. If you
delete existing keys or generate new API keys for a user, Tenable Security Center deauthorizes API
requests attempted with the old keys.

Before you begin:


l Enable API keys to allow users to perform API key authentication, as described in Enable
API Key Authentication.

To generate API keys:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Right-click the row for the user for which you want to generate an API key.

The actions menu appears.

-or-

Select the check box for the user for which you want to generate an API key.

The available actions appear at the top of the table.

4. Click API Keys > Generate API Key.

A confirmation window appears.

5. Click Generate.

The Your API Key window appears, displaying the access key and secret key for the user.

6. Save the API keys in a safe location.

Note: You cannot view API secret keys in the Tenable Security Center interface after initial
generation. If you lose your existing secret key, you must generate new API keys.

What to do next:
l Use the API keys to perform API requests, as described in API Key Authorization in the
Tenable Security Center API Best Practices Guide.

Delete API Keys

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

After you delete a user's API keys, the deleted keys cannot be used for authentication in Tenable
Security Center API requests. To generate new API keys for a user, see Generate API Keys. For more
information, see API Key Authentication.

To delete API keys:

1. Log in to Tenable Security Center via the user interface.

2. Click Users > Users.

The Users page appears.

3. Right-click the row for the user for which you want to delete API keys.

The actions menu appears.

-or-

Select the check box for the user for which you want to delete API keys.

The available actions appear at the top of the table.

4. Click API Keys > Delete API Key.

A confirmation window appears.

5. Click Delete.

The system deletes the API keys.

User Account Options


You can configure the following options for Tenable Security Center user accounts. The available
options depend on the user type, the user's role, and the role of the user adding or editing the user.

l TNS User Account Options

l LDAP User Account Options

l SAML User Account Options

For more information about user accounts in Tenable Security Center, see User Accounts.

TNS User Account Options


To add a TNS-authenticated user, see Add a TNS-Authenticated User.

Option Description

First Name The user's first name.

Last Name The user's last name.

Type (If LDAP or SAML are configured) The type of authentication you want to
perform on the user:

l Tenable (TNS)

l Lightweight Directory Access Protocol (LDAP)

l Security Assertion Markup Language (SAML)

You must configure an LDAP server or SAML authentication in order to
select LDAP or SAML from the Type drop-down box.

Username (Required) The username for the user account.

Note: The username value is case-sensitive.

Password (Required) The password for the user account.

Tip: Tenable recommends using passwords that meet stringent length and
complexity requirements.

For information about Tenable Security Center password data encryption,
see Encryption Strength.

When editing a user, type a new password to change the password for the
user account.

Confirm Password (Required) When creating a user or changing a user's password, re-type the
password for the user account.

Password Change Click Change Password to change the password for the user account.

To change a user password:

1. Begin editing a user account, as described in Manage User Accounts
or Edit Your User Account.

2. Click Change Password.

3. In the Current Password box, type your password. If you do not have
a password (for example, you have a SAML-authenticated or LDAP-
authenticated user account), type any string of characters in this
field.

4. In the Password box, type a new password.

5. In the Confirm Password box, type the new password again.

6. Click Submit.

Tenable Security Center saves your configuration.

Current Password (If you click Change Password) Type your password. If you do not have a
password (for example, you have a SAML-authenticated or LDAP-authenticated user account),
type any string of characters in this field.

User Must Change Password When enabled, the user must change their password upon initial
login.

Account Locked When enabled, the user cannot log in to Tenable Security Center. An
administrator must unlock the user's account to allow them to log in.

Time Zone (Required) The time zone for the user.

Scan Result Default Timeframe The default Completion Time filter applied when the user
accesses or refreshes the scan results page.

Cached Fetching When enabled, Tenable Security Center caches plugin policy information
and performs plugin policy downloads once per page load.

Password Expiration

Password Never Expires When enabled, the user's password will never expire. Any password
expiration settings at the user or organization level will not apply to this user.

Enable Password Expiration or Custom Password Expiration When enabled, the user's password
will expire after the number of days specified in the Expiration Days box.

When disabled, the user's password expiration settings will default to the organization
settings. For more information about organization options, see Organizations.

The user will receive daily password expiration notifications at login, starting 14 days
before the password expires. After the password expires, the user must change their
password at the next login. For more information about Tenable Security Center
notifications, see Notifications.

Expiration Days The number of days before the user's password expires. You can enter a
number between 1 and 365.

Membership

Role (Required) The role assigned to the user. For more information, see User
Roles.

Administrator users can create Administrator or Security Manager user
accounts. Organizational users can create Auditor, Credential Manager,
Executive, No Role, Security Analyst, Security Manager, or Vulnerability
Analyst accounts at their own privilege level or lower. For example:

l If a user is an Auditor, they can create new Auditors or lesser roles.

l If a custom user has the Create Policies privilege but not the Update
Feeds privilege, that user can create users with the Create Policies
privilege, but not the Update Feeds privilege.

Organization (Required) The organization where you want to assign the user account.

Group (Required) The group where you want to assign the user account. A user's
group determines their access to Tenable Security Center resources. For
more information about groups, see Groups.

To grant a user limited privileges to other groups' resources, see Custom
Group Permissions.

Group Permissions

Manage All Users When enabled, allows the user to manage users in all of the user's assigned
groups. For more information, see Custom Group Permissions.

Manage All Objects When enabled, allows the user to manage objects in all of the user's
assigned groups. For more information, see Custom Group Permissions.

Responsibility

Asset Assigns a user to an asset list for which the user is responsible. Assigning a
user to an asset list makes it easier to determine who in a group or
organization should be assigned tickets, notifications, and other tasks to
resolve particular issues. Selecting an asset updates the User
Responsibility Summary in the Vulnerability Analysis section.

Display Options

Dark Mode When enabled, sets the Tenable Security Center user interface to dark
mode for the user.

Contact Information

Title, Address, City, State, Country, Email, Phone The contact information for the user.

LDAP User Account Options


You must configure an LDAP server to add LDAP-authenticated users. For more information, see
LDAP Authentication.

To add an LDAP-authenticated user, see Add an LDAP-Authenticated User.

Option Description

First Name The user's first name.

Last Name The user's last name.

Type (If LDAP or SAML are configured) The type of authentication you want to
perform on the user:

l Tenable (TNS)

l Lightweight Directory Access Protocol (LDAP)

l Security Assertion Markup Language (SAML)

You must configure an LDAP server or SAML authentication in order to
select LDAP or SAML from the Type drop-down box.

LDAP Server The LDAP server you want to use to authenticate the user.

Search String The LDAP search string you want to use to filter your user search. Use the
format: attribute=<filter text>. You can use wildcards, and the option
accepts up to 1024 characters.

Examples

sAMAccountName=*

mail=a*

displayName=C*

LDAP Users Found A filtered list of LDAP user accounts retrieved by the Search String. Your
selection in this option populates the Username option.

The Username for this account must match a user on the LDAP server in order to
authenticate.

If the user was created via LDAP user provisioning, the username on the LDAP server
associated with the Tenable Security Center user account. If you select a username in the
drop-down, Tenable Security Center overwrites the Tenable Security Center user account
using information from the new LDAP user you selected. By default, this option is blank.

You do not need to configure this option to enable user provisioning or automatic
synchronization of user data between your LDAP server and Tenable Security Center.

For more information, see LDAP User Provisioning.

Username (Required) The username, populated by your LDAP Users Found selection.
This username must match a user on the LDAP server in order to
authenticate successfully.

Time Zone (Required) The time zone for the user.

Scan Result Default Timeframe The default Completion Time filter applied when the user
accesses or refreshes the scan results page.

Cached Fetching When enabled, Tenable Security Center caches plugin policy information
and performs plugin policy downloads once per page load.

Membership

Role (Required) The role assigned to the user. For more information, see User
Roles.

Administrator users can create Administrator or Security Manager user
accounts. Organizational users can create Auditor, Credential Manager,
Executive, No Role, Security Analyst, Security Manager, or Vulnerability
Analyst accounts at their own privilege level or lower. For example:

l If a user is an Auditor, they can create new Auditors or lesser roles.

l If a custom user has the Create Policies privilege but not the Update
Feeds privilege, that user can create users with the Create Policies
privilege, but not the Update Feeds privilege.

Organization (Required) The organization where you want to assign the user account.

Group (Required) The group where you want to assign the user account. A user's
group determines their access to Tenable Security Center resources. For
more information about groups, see Groups.

To grant a user limited privileges to other groups' resources, see Custom
Group Permissions.

Group Permissions

Manage All Users When enabled, allows the user to manage users in all of the user's
assigned groups. For more information, see Custom Group Permissions.

Manage All Objects When enabled, allows the user to manage objects in all of the user's
assigned groups. For more information, see Custom Group Permissions.

Responsibility

Asset Assigns a user to an asset list for which the user is responsible. Assigning
a user to an asset list makes it easier to determine who in a group or
organization should be assigned tickets, notifications, and other tasks to
resolve particular issues. Selecting an asset updates the User
Responsibility Summary in the Vulnerability Analysis section.

Display Options

Dark Mode When enabled, sets the Tenable Security Center user interface to dark
mode for the user.

Contact Information

Title, Address, City, State, Country, Email, Phone The contact information for the user.

SAML User Account Options


You must configure SAML authentication to add SAML-authenticated users. For more information,
see SAML Authentication.

To add a SAML-authenticated user, see Add a SAML-Authenticated User.

Option Description

First Name The user's first name.

Last Name The user's last name.

Type (If LDAP or SAML are configured) The type of authentication you want to
perform on the user:

l Tenable (TNS)

l Lightweight Directory Access Protocol (LDAP)

l Security Assertion Markup Language (SAML)

You must configure an LDAP server or SAML authentication in order to
select LDAP or SAML from the Type drop-down box.

Username (Required) The user's SAML username. Type the username exactly as it
appears in your identity provider SAML configuration for this user.

Time Zone (Required) The time zone for the user.

Scan Result Default Timeframe The default Completion Time filter applied when the user
accesses or refreshes the scan results page.

Cached Fetching When enabled, Tenable Security Center caches plugin policy information
and performs plugin policy downloads once per page load.

Membership

Role (Required) The role assigned to the user. For more information, see User
Roles.

Administrator users can create Administrator or Security Manager user
accounts. Organizational users can create Auditor, Credential Manager,
Executive, No Role, Security Analyst, Security Manager, or Vulnerability
Analyst accounts at their own privilege level or lower. For example:

l If a user is an Auditor, they can create new Auditors or lesser roles.

l If a custom user has the Create Policies privilege but not the Update
Feeds privilege, that user can create users with the Create Policies
privilege, but not the Update Feeds privilege.

Organization (Required) The organization where you want to assign the user account.

Group (Required) The group where you want to assign the user account. A user's
group determines their access to Tenable Security Center resources. For
more information about groups, see Groups.

To grant a user limited privileges to other groups' resources, see Custom
Group Permissions.

Group Permissions

Manage All Users When enabled, allows the user to manage users in all of the user's assigned
groups. For more information, see Custom Group Permissions.

Manage All Objects When enabled, allows the user to manage objects in all of the user's
assigned groups. For more information, see Custom Group Permissions.

Responsibility

Asset Assigns a user to an asset list for which the user is responsible. Assigning a
user to an asset list makes it easier to determine who in a group or
organization should be assigned tickets, notifications, and other tasks to
resolve particular issues. Selecting an asset updates the User
Responsibility Summary in the Vulnerability Analysis section.

Display Options

Dark Mode When enabled, sets the Tenable Security Center user interface to dark
mode for the user.

Contact Information

Title, Address, City, State, Country, Email, Phone The contact information for the user.

LDAP Authentication

Adding LDAP servers allows you to use one or more external LDAP servers for Tenable Security
Center user account authentication. LDAP authentication enhances the security of Tenable Security
Center by inheriting password complexity requirements from environments mandated by security
policy.

After you configure an LDAP server, create Tenable Security Center user accounts for each
LDAP user you want to grant access.

l To manually add LDAP-authenticated users in Tenable Security Center, see Add an LDAP-
Authenticated User.

l To automatically add LDAP-authenticated users by importing users from your LDAP identity
provider, see LDAP User Provisioning.

Then, users with LDAP-authenticated accounts can log in to Tenable Security Center using the Sign
In Using Identity Provider button, as described in Log In to the Web Interface.

You can also use configured LDAP servers as LDAP query assets. For more information, see Assets.

Note: Tenable Security Center does not support Microsoft Active Directory Lightweight Directory Services
(AD LDS) servers for LDAP authentication.

Note: Tenable Security Center cannot retrieve more than one page of LDAP results. If Tenable Security
Center asset list or user authentication queries are not retrieving all expected results, consider modifying
your LDAP pagination control settings to increase the results per page.

For more information, see Add an LDAP Server and Delete an LDAP Server.

LDAP Authentication Options


Configure the LDAP settings as directed by your LDAP server administrator. Click Test LDAP
Settings to validate the connection.

Option Description

Server Settings

Name (Required) A unique name for the LDAP server.

Description A description for the LDAP server.


Hostname (Required) The IP address or DNS name of the LDAP server.

Port (Required) The remote LDAP port. Confirm the selection with your LDAP
server administrators.

l When Encryption is None, Port is typically 389.

l When Encryption is TLS or LDAPS, Port is typically 636.

Encryption If the LDAP server encrypts communications, the encryption
method: Transport Layer Security (STARTTLS) or LDAP over SSL (LDAPS).

Username / (Required) The username and password for an account on the LDAP server
Password with credentials to search for user data. For example, Active Directory
servers require an authenticated search.

Format the username as provided by the LDAP server.

Tip: It is recommended to use passwords that meet stringent length and
complexity requirements.

User Provisioning You can enable user provisioning to automatically create LDAP-
authenticated users in Tenable Security Center by importing user
accounts from your LDAP identity provider. When user provisioning is
enabled, users who log in to your LDAP identity provider are automatically
created in Tenable Security Center.

Tenable Security Center supports the following LDAP authentication
systems for user provisioning:

l Active Directory on Microsoft Server 2016 (on-premises)

l Active Directory on Microsoft Server 2019 (on-premises)

For more information, see LDAP User Provisioning.

Note: If you want to delete a Tenable Security Center user that was created via
LDAP user provisioning, delete the user from your LDAP identity provider. If
you delete a user in Tenable Security Center that was created via LDAP user
provisioning without deleting the user in your LDAP identity provider, Tenable
Security Center automatically re-creates the user in Tenable Security Center
the next time they log in using your LDAP identity provider.

User Data Sync If you enable User Provisioning, you can enable User Data Sync to allow
Tenable Security Center to automatically synchronize contact information
(first name, last name, email address, and phone number) from your LDAP
identity provider for Tenable Security Center users created via LDAP user
provisioning. For more information, see LDAP User Provisioning.

Note: If you want to edit a Tenable Security Center user that was created via
LDAP user provisioning and you enabled User Data Sync, edit the user in your
LDAP identity provider. Otherwise, the Tenable Security Center user data
synchronization overwrites your changes the next time the user logs in to
Tenable Security Center using your LDAP identity provider.

LDAP Schema Settings

Base DN (Required) The LDAP search base used as the starting point to search for
the user data.

User Object Filter The string you want to use to create a search based on a location or
filter other than the default search base or attribute.

User Schema Settings (Optional, if you plan to use the LDAP server only as an LDAP query
asset.)

Username Attribute The attribute name on the LDAP server that contains the username for the
account. This is often specified by the string sAMAccountName in Active
Directory servers that may be used by LDAP. Contact your LDAP server
administrator for the correct value.

E-mail Attribute The attribute name on the LDAP server that contains the email address for
the account. This is often specified by the string mail in Active Directory
servers that may be used by LDAP. Contact your LDAP server
administrator for the correct value.


Phone Attribute The attribute name on the LDAP server that contains the telephone
number for the account. This is often specified by the string
telephoneNumber in Active Directory servers that may be used by LDAP.
Contact your LDAP server administrator for the correct value.

Name Attribute The attribute name on the LDAP server that contains the name associated
with the account. This is often specified by the string CN in Active
Directory servers that may be used by LDAP. Contact your LDAP
administrator for the correct value.

Access Settings

Organizations The Tenable Security Center organizations you want to authenticate using
this LDAP server.

Advanced Settings

Lowercase When enabled, Tenable Security Center modifies the usernames sent by
the LDAP server to use only lowercase characters.

Tenable recommends keeping this option disabled.

DNS Field The LDAP server parameter used in LDAP server requests to filter the
returned asset data.

Tenable recommends using the default value provided by Tenable Security
Center.

Time Limit The number of seconds you want Tenable Security Center to wait for
search results from the LDAP server.

Tenable recommends using the default value provided by Tenable Security
Center.

Note: Access to Active Directory is performed via AD's LDAP mode. When using multiple AD domains,
LDAP access may be configured to go through the Global Catalog. Port 3268 is the default non-SSL/TLS
setting, while port 3269 is used for SSL/TLS connections by default. More general information about LDAP
searches via the Global Catalog may be found at:
http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx.
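The two LDAP filters this guide has an administrator configure behave differently: the Search String in the LDAP User Account Options (attribute=<filter text>, wildcards allowed, up to 1024 characters) is typed by an administrator, while the lookup built from Username Attribute and User Object Filter at login carries whatever username the person logging in supplied. The added Python example below (not Tenable code) builds both and applies standard RFC 4515 escaping, which the guide does not describe; the function names are hypothetical.

```python
import re
from typing import Optional

# RFC 4515 escapes for the characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# An LDAP attribute description: a letter followed by letters, digits or hyphens.
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

SEARCH_STRING_MAX = 1024  # the guide: the Search String accepts up to 1024 characters


def escape_filter_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a value for use inside an LDAP filter; keep '*' only when wildcards are wanted."""
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def build_search_string(attribute: str, filter_text: str) -> str:
    """The Search String option (attribute=<filter text>): wildcards allowed, length capped."""
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid LDAP attribute name: {attribute!r}")
    search_string = f"{attribute}={escape_filter_value(filter_text, allow_wildcard=True)}"
    if len(search_string) > SEARCH_STRING_MAX:
        raise ValueError("Search String accepts up to 1024 characters")
    return f"({search_string})"


def build_login_filter(username_attribute: str, username: str,
                       user_object_filter: Optional[str] = None) -> str:
    """Filter for looking up one account at login time.

    The username comes from whoever is logging in, so it is treated as a
    literal: every special character is escaped and no wildcard survives.
    The User Object Filter is administrator configuration and is used as
    written, ANDed with the username clause.
    """
    if not _ATTRIBUTE_RE.fullmatch(username_attribute):
        raise ValueError(f"invalid LDAP attribute name: {username_attribute!r}")
    user_clause = f"({username_attribute}={escape_filter_value(username)})"
    if not user_object_filter:
        return user_clause
    object_clause = (user_object_filter if user_object_filter.startswith("(")
                     else f"({user_object_filter})")
    return f"(&{object_clause}{user_clause})"
```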

Add an LDAP Server

Required User Role: Administrator

For more information about LDAP server options, see LDAP Authentication.

To add an LDAP server connection:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > LDAP Servers.

3. Click Add.

4. Configure the following settings as described in the Options table:

l Server Settings

l LDAP Schema Settings

l User Schema Settings

l Access Settings

5. If necessary, modify the default Advanced Settings.

6. Click Test LDAP Settings to validate the LDAP server connection.

7. Click Submit.

What to do next:
l Add LDAP-authenticated user accounts.

l To manually add LDAP-authenticated users in Tenable Security Center, see Add an
LDAP-Authenticated User.

l To automatically add LDAP-authenticated users by importing users from your LDAP
identity provider, see Configure LDAP User Provisioning.

LDAP User Provisioning


You can enable user provisioning to automatically create LDAP-authenticated users in Tenable
Security Center by importing user accounts from your LDAP identity provider. When user
provisioning is enabled, users who log in to your LDAP identity provider are automatically created in
Tenable Security Center.

Tenable Security Center supports the following LDAP authentication systems for user provisioning:

l Active Directory on Microsoft Server 2016 (on-premises)

l Active Directory on Microsoft Server 2019 (on-premises)

For more information about LDAP authentication in Tenable Security Center, see LDAP
Authentication.

If you enable user provisioning and a user who does not have a Tenable Security Center user
account logs in using your LDAP identity provider, Tenable Security Center automatically creates a
user account for them in Tenable Security Center.

Tenable Security Center creates users using data from attribute fields you map to the
corresponding fields in your LDAP identity provider. If you enable User Data Sync for an
LDAP server, each time a user logs into Tenable Security Center using your LDAP identity provider,
Tenable Security Center updates any mapped attribute fields in Tenable Security Center with values
from the fields in your LDAP identity provider. For more information about User Data Sync, see
LDAP Authentication Options.

Note: If you want to edit a Tenable Security Center user that was created via LDAP user provisioning and
you enabled User Data Sync, edit the user in your LDAP identity provider. Otherwise, the Tenable Security
Center user data synchronization overwrites your changes the next time the user logs in to Tenable
Security Center using your LDAP identity provider.

Note: If you want to delete a Tenable Security Center user that was created via LDAP user provisioning,
delete the user from your LDAP identity provider. If you delete a user in Tenable Security Center that was
created via LDAP user provisioning without deleting the user in your LDAP identity provider, Tenable
Security Center automatically re-creates the user in Tenable Security Center the next time they log in
using your LDAP identity provider.

For more information, see Configure LDAP User Provisioning.

Configure LDAP User Provisioning

Required User Role: Administrator

You can enable user provisioning to automatically create LDAP-authenticated users in Tenable
Security Center by importing user accounts from your LDAP identity provider. When user
provisioning is enabled, users who log in to your LDAP identity provider are automatically created in
Tenable Security Center.

Tenable Security Center supports the following LDAP authentication systems for user provisioning:

l Active Directory on Microsoft Server 2016 (on-premises)

l Active Directory on Microsoft Server 2019 (on-premises)

For more information, see LDAP User Provisioning.

To manually create LDAP-authenticated users in Tenable Security Center, see Add an LDAP-
Authenticated User.

For more information about user account configuration options, see LDAP User Account Options.

Before you begin:

1. (Recommended) Create a backup of your user directory in your LDAP identity provider.

2. In Tenable Security Center, add an LDAP server, as described in Add an LDAP Server.

3. In your LDAP identity provider, create the following custom user attributes: tenableRoleID,
tenableGroupID, and tenableOrgID.

4. In your LDAP identity provider, specify the role, group, and organization you want to assign the
user in Tenable Security Center:

a. In the tenableRoleID attribute field, type the ID for the Tenable Security Center role you
want to assign to the user. To locate the ID for a role, see View User Role Details.

b. In the tenableGroupID attribute field, type the ID for the Tenable Security Center group
you want to assign to the user. To locate the ID for a group, see View Group Details.

c. In the tenableOrgID attribute field, type the ID for the Tenable Security Center
organization you want to assign to the user. To locate the ID for an organization, see
View Organization Details.

To enable LDAP user provisioning for an LDAP server:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Resources > LDAP Servers.

The LDAP Servers page appears.

3. Right-click the row for the LDAP server where you want to enable user provisioning.

The actions menu appears.

-or-

Select the check box for the LDAP server where you want to enable user provisioning.

The available actions appear at the top of the table.

4. Click Edit.

The Edit LDAP Server page appears.

5. In the Server Settings section, click the toggle to enable User Provisioning.

6. (Optional) To automatically update contact information (first name, last name, email address,
and phone number) for users created via LDAP user provisioning, click the User Data Sync
toggle. For more information about User Data Sync, see LDAP Authentication Options.

7. (Optional) In the User Schema Settings section, type the names of the attributes in your LDAP
identity provider you want to use to populate the Username, Email, Phone, First Name, and
Last Name for users created via LDAP user provisioning. For more information about user
account options, see LDAP User Account Options.

Note: If you enable User Data Sync and configure the options in the User Schema Settings section,
Tenable Security Center automatically updates the attributes in the User Schema Settings section
with values from your LDAP identity provider. For more information, see LDAP Authentication
Options.

8. Click Submit.

Tenable Security Center saves your configuration.

Delete an LDAP Server

Required User Role: Administrator

For more information, see LDAP Authentication.

To delete an LDAP server connection:

Note: If you delete a connection to an LDAP server, the users associated with that server cannot log in to
Tenable Security Center. Tenable recommends reconfiguring associated user accounts before deleting
LDAP server connections.

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > LDAP Servers.

3. Select the server connection you want to delete:

To delete a single server connection:


a. In the table, right-click the row for the server connection you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple server connections:


a. In the table, select the check box for each server connection you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the LDAP server.

LDAP Servers with Multiple OUs


The Tenable Security Center LDAP configuration does not support adding multiple
Organizational Units (OUs) directly on the LDAP configuration page. Two deployment options are
available for environments with multiple OUs.

For general information about LDAP Servers, see LDAP Authentication.

Option 1 (Recommended)

When you complete these changes, new users who are members of this group can log in
immediately. No restart is required.

Before you begin:


l In LDAP, add a new group for Tenable Security Center users.

l In LDAP, allow existing Active Directory users to become members of the new group.

To configure LDAP with multiple OUs (Option 1):

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > LDAP Servers.

3. Add the LDAP server, as described in Add an LDAP Server.

Note: Use the Distinguished Name (DN) of the new group as the Search Base (e.g.,
CN=Tenablesc,DC=target,DC=example,DC=com).

4. Log out of Tenable Security Center.

5. Log in to Tenable Security Center as the organizational user you want to manage the users.

6. Create a user account for each Active Directory user in the new group, as described in Add an
LDAP-Authenticated User.

In the Search String box, type =*.

Option 2
Use a high-level Search Base in the LDAP configuration, for example:
DC=target,DC=example,DC=com.

Combine that Search Base with a Search String that restricts which accounts match. The Search
String applies to every LDAP search the server connection performs; for example, the following
limits logins to members of one group:

memberOf=CN=nested1,OU=cftest1,DC=target,DC=example,DC=com

Note: The Search String is limited to 128 characters.

To configure LDAP with multiple OUs (Option 2):

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > LDAP Servers.

3. Begin configuring the LDAP server, as described in Add an LDAP Server.

4. Click Test LDAP Settings to test configurations.

5. Log out of Tenable Security Center.

6. Log in to Tenable Security Center as the organizational user you want to manage the users.

7. Create a user account for each Active Directory user, as described in Add an LDAP-
Authenticated User.

In the Search String box, type =*.
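The following Python script is an added example, not Tenable code, that models how the Search Base and Search String above decide which Active Directory accounts can log in (Option 1 and Option 2), and how the tenableRoleID, tenableGroupID and tenableOrgID attributes required for LDAP user provisioning are read from the matched entry. It assumes Tenable Security Center ANDs the Username Attribute match with the Search String into one LDAP filter, which is the standard login lookup; the product's own query is not shown in this guide. It treats a lookup that returns more than one entry as a failure and escapes the username per RFC 4515. The directory entries, DNs and IDs are constructed sample data.

```python
"""Model of how the LDAP Search Base and Search String scope logins.
Added example, not Tenable code. Assumption: Tenable Security Center ANDs
the Username Attribute match with the Search String (the usual LDAP login
lookup); the product's exact query is not shown in this guide."""
from dataclasses import dataclass, field
from typing import Optional

SEARCH_STRING_MAX = 128  # limit this guide states for the Search String
PROVISIONING_ATTRS = ("tenableRoleID", "tenableGroupID", "tenableOrgID")


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


GROUP_DN = "CN=nested1,OU=cftest1,DC=target,DC=example,DC=com"

# Constructed sample directory; every name, DN and ID here is made up.
DIRECTORY = [
    Entry("CN=Jill Smith,OU=Engineering,DC=target,DC=example,DC=com",
          {"sAMAccountName": ["jsmith"], "mail": ["jsmith@example.com"],
           "memberOf": [GROUP_DN], "tenableRoleID": ["2"],
           "tenableGroupID": ["0"], "tenableOrgID": ["1"]}),
    Entry("CN=Bob Jones,OU=Sales,DC=target,DC=example,DC=com",
          {"sAMAccountName": ["bjones"], "memberOf": [GROUP_DN]}),
    Entry("CN=Eve Adams,OU=Contractors,DC=target,DC=example,DC=com",
          {"sAMAccountName": ["eadams"]}),
    # Same sAMAccountName in a second domain of the same forest.
    Entry("CN=svc-backup,OU=Service,DC=other,DC=example,DC=com",
          {"sAMAccountName": ["jsmith"], "memberOf": [GROUP_DN]}),
]


def _norm(value: str) -> str:
    """Case-fold and trim around commas, the way AD compares DNs."""
    return ",".join(p.strip() for p in value.split(",")).lower()


def in_scope(dn: str, search_base: str) -> bool:
    """True when dn is the search base itself or lies beneath it (subtree scope)."""
    d, b = _norm(dn), _norm(search_base)
    return d == b or d.endswith("," + b)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed username cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search_string_ok(search_string: str) -> bool:
    return len(search_string) <= SEARCH_STRING_MAX


def parse_search_string(search_string: str):
    """Accept 'attr=value' or '(attr=value)'. A bare '=*' (what this guide has
    you type for a user) names no attribute and adds no constraint."""
    if not search_string_ok(search_string):
        raise ValueError("Search String longer than %d characters" % SEARCH_STRING_MAX)
    s = search_string.strip()
    if s.startswith("(") and s.endswith(")"):
        s = s[1:-1]
    attr, _, value = s.partition("=")
    return attr.strip() or None, value.strip()


def build_filter(username_attr: str, username: str, search_string: str) -> str:
    """The combined filter as it would be sent to the directory."""
    attr, value = parse_search_string(search_string)
    user_term = "(%s=%s)" % (username_attr, escape_filter_value(username))
    return user_term if attr is None else "(&%s(%s=%s))" % (user_term, attr, value)


def _values(entry: Entry, attr: str) -> list:
    return next((v for k, v in entry.attrs.items() if k.lower() == attr.lower()), [])


def _equals(entry: Entry, attr: str, value: str) -> bool:
    return any(_norm(v) == _norm(value) for v in _values(entry, attr))


def lookup(directory, search_base, username_attr, username, search_string) -> list:
    attr, value = parse_search_string(search_string)
    hits = []
    for e in directory:
        # The username term is always an exact match: '*' as a username matches nothing.
        if not in_scope(e.dn, search_base) or not _equals(e, username_attr, username):
            continue
        if attr is not None:
            ok = bool(_values(e, attr)) if value == "*" else _equals(e, attr, value)
            if not ok:
                continue
        hits.append(e)
    return hits


def resolve_login(directory, search_base, username_attr, username, search_string) -> Optional[Entry]:
    """The one account to bind as, or None. Zero hits: outside the base or not in
    the group. Two or more: ambiguous, so refused instead of taking the first."""
    hits = lookup(directory, search_base, username_attr, username, search_string)
    return hits[0] if len(hits) == 1 else None


def provisioning_ids(entry: Entry) -> Optional[dict]:
    """Role, group and org IDs for LDAP user provisioning; None if any is missing or non-numeric."""
    found = {a: _values(entry, a) for a in PROVISIONING_ATTRS}
    if all(v and v[0].isdigit() for v in found.values()):
        return {a: int(v[0]) for a, v in found.items()}
    return None
```

Run resolve_login with your own Search Base and Search String before saving the server connection: a login that resolves to no entry means the account is outside the base or not in the group; one that resolves to more than one entry means the base is high enough to span duplicate usernames and should be lowered or the Search String tightened.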

SAML Authentication
You can configure SAML authentication so that Tenable Security Center users can use identity
provider-initiated single sign-on (SSO) when logging in to Tenable Security Center. Tenable Security
Center supports SAML 2.0-based authentication (for example, Okta, OneLogin, Microsoft ADFS, or
Shibboleth 2.0).

For more information, see:

l Tenable SAML Configuration Quick-Reference Guide

l Configure SAML Authentication Automatically via the User Interface

l Configure SAML Authentication Manually via the User Interface

l Configure SAML Authentication via the SimpleSAML Module

After you configure SAML authentication, create Tenable Security Center user accounts for each
SAML user you want to grant access.

l To manually add SAML-authenticated users in Tenable Security Center, see Add a SAML-
Authenticated User.

l To automatically add SAML-authenticated users by importing users from your SAML identity
provider, see SAML User Provisioning.

Then, users with SAML-authenticated accounts can log in to Tenable Security Center using the Sign
In Using Identity Provider button, as described in Log In to the Web Interface.

Considerations for Advanced SAML Features


Because Tenable Security Center cannot accept private keys to decrypt SAML assertions, Tenable
Security Center does not support SAML assertion encryption. If you want to configure SAML
authentication in Tenable Security Center, choose an identity provider that does not require
assertion encryption and confirm that assertion encryption is not enabled.

For information about Tenable Security Center communications encryption, see Encryption
Strength.

Note: Tenable Support does not assist with configuring or troubleshooting advanced SAML features.

SAML Authentication Options
Option Description

SAML Specifies whether SAML authentication is enabled or disabled.

If you disable SAML, the system clears your SAML configuration settings
and prevents SAML-authenticated user accounts from accessing Tenable
Security Center.

Source Specifies your SAML configuration method:

l Import — Configure SAML authentication by uploading the metadata
file provided by your identity provider, as described in Configure
SAML Authentication Automatically via the User Interface.

l Entry — Configure SAML authentication by manually configuring SAML
options using data from the metadata file provided by your identity
provider, as described in Configure SAML Authentication Manually via
the User Interface.

Type Specifies the identity provider you are using: SAML 2.0 (e.g., Okta,
OneLogin, Shibboleth 2.0, etc.).

Entity ID The name of the Entity ID attribute. Type the attribute exactly as it appears
in your identity provider SAML configuration.

Tip: This is the Federation Service Identifier value in Microsoft ADFS.

Identity Provider (IdP) The identity provider identifier string. For example:

l The Identity Provider Issuer value in Okta.

l The Federation Service Identifier value in Microsoft ADFS.

Username Attribute The name of the SAML username attribute. Type the attribute exactly as it
appears in your identity provider SAML configuration.

For example, if your SAML username attribute is NameID, specify NameID
to instruct Tenable Security Center to recognize users who match the
format NameID=username.

Single Sign-on The identity provider URL where users log in via single sign-on. Type the
Service URL exactly as it appears in your identity provider SAML metadata.

Single Logout The identity provider URL where users log out. Type the URL exactly as it
Service appears in your identity provider SAML metadata.

Certificate Data The base64 text of the identity provider's X.509 signing certificate, without the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

User Provisioning You can enable user provisioning to automatically create SAML-
authenticated users in Tenable Security Center by importing user accounts
from your SAML identity provider. When user provisioning is enabled, users
who log into your SAML identity provider are automatically created in
Tenable Security Center. For more information, see SAML User
Provisioning.

Note: If you want to delete a Tenable Security Center user that was created via
SAML user provisioning, delete the user from your SAML identity provider. If you
delete a user in Tenable Security Center that was created via SAML user
provisioning without deleting the user in your SAML identity provider, Tenable
Security Center automatically re-creates the user in Tenable Security Center
the next time they log in using your SAML identity provider.

User Data Sync If you enabled User Provisioning, you can enable User Data Sync to allow
Tenable Security Center to automatically synchronize contact information
from your SAML identity provider for Tenable Security Center users created
via SAML user provisioning. For more information, see SAML User
Provisioning.

Note: If you want to edit a Tenable Security Center user that was created via
SAML user provisioning and you enabled User Data Sync, edit the user in your
SAML identity provider. Otherwise, the Tenable Security Center user data sync
overwrites your changes the next time the user logs in to Tenable Security
Center using your SAML identity provider.

Note: Tenable Security Center does not update required fields (Organization ID,
Group ID, and Role ID). To change the organization, group, or role for a user
created via SAML user provisioning, see Manage User Accounts.

Configure SAML Authentication Automatically via the User Interface

Required User Role: Administrator

You can use this method to configure most types of SAML authentication via the Tenable Security
Center user interface. If you encounter issues with this method (for example, when configuring
Microsoft ADFS), try the module method described in Configure SAML Authentication via
the SimpleSAML Module.

For more information about SAML authentication and SAML authentication options, see
SAML Authentication.

Before you begin:


l Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of
how to configure SAML for use with Tenable Security Center.

l Save your identity provider SAML metadata file to a directory on your local computer.

To automatically configure SAML authentication for Tenable Security Center users:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the SAML button.

The SAML Configuration page appears.

4. In the General section, confirm the SAML toggle is enabled.

If you want to disable SAML authentication for Tenable Security Center users, click the toggle.

5. In the Source drop-down box, select Import.

The page updates to display additional options.

6. In the Type drop-down box, select SAML 2.0 (e.g., Okta, OneLogin, Shibboleth 2.0, etc.).

7. Click Choose File and browse to the SAML metadata file from your identity provider.

Note: The metadata file must match the Type you selected. If Tenable Security Center rejects the
file, contact your identity provider for assistance.

8. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l Click Download SAML Configuration XML, save the .xml file locally, and use it to configure
your identity provider SAML configuration. For more information, see SAML Authentication
XML Configuration Examples.

l Add SAML-authenticated user accounts.

l To manually add SAML-authenticated users in Tenable Security Center, see Add a SAML-
Authenticated User.

l To automatically add SAML-authenticated users by importing users from your SAML
identity provider, see Configure SAML User Provisioning.

l Instruct users to log in to Tenable Security Center using the Sign In Using Identity Provider
button, as described in Log In to the Web Interface.

Configure SAML Authentication Manually via the User Interface

Required User Role: Administrator

You can use this method to configure most types of SAML authentication via the Tenable Security
Center interface. However, you may prefer a more streamlined method:

l To configure SAML Authentication automatically, use the method described in Configure
SAML Authentication Automatically via the User Interface.

l If you encounter issues with either method (for example, when configuring Microsoft ADFS),
try the module method described in Configure SAML Authentication via
the SimpleSAML Module.

For more information about SAML authentication and SAML authentication options, see
SAML Authentication.

Before you begin:


l Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of
how to configure SAML for use with Tenable Security Center.

l Save your identity provider SAML metadata file to a directory on your local computer.

To configure SAML authentication for Tenable Security Center users:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the SAML button.

The SAML Configuration page appears.

4. In the General section, confirm the SAML toggle is enabled.

If you want to disable SAML authentication for Tenable Security Center users, click the toggle.

5. In the Source drop-down box, select Entry.

The page updates to display additional options.

6. In the SAML Settings section, configure the options:

a. In the Type drop-down box, select SAML 2.0 (e.g., Okta, OneLogin, Shibboleth 2.0, etc.).

b. In the Entity ID box, type the name of the Entity ID attribute exactly as it appears in your
identity provider SAML configuration.

c. In the Identity Provider (IdP) box, type the identity provider identifier string.

d. In the Username Attribute box, type the SAML username attribute exactly as it appears
in your identity provider SAML configuration.

e. In the Single Sign-on Service box, type the identity provider URL where users log in via
single sign-on exactly as it appears in your identity provider SAML metadata.

f. In the Single Logout Service box, type the identity provider URL where users log out
exactly as it appears in your identity provider SAML metadata.

g. In the Certificate Data box, paste the base64 text of the identity provider's X.509
signing certificate, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

7. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l Click Download SAML Configuration XML, save the .xml file locally, and use it to configure
your identity provider SAML configuration. For more information, see SAML Authentication
XML Configuration Examples.

l Add SAML-authenticated user accounts.

l To manually add SAML-authenticated users in Tenable Security Center, see Add a SAML-
Authenticated User.

l To automatically add SAML-authenticated users by importing users from your SAML
identity provider, see Configure SAML User Provisioning.

l Instruct users to log in to Tenable Security Center using the Sign In Using Identity Provider
button, as described in Log In to the Web Interface.
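As an added example (not Tenable code), the following Python script reads an identity provider metadata file and produces the values to paste into the Identity Provider (IdP), Single Sign-on Service, Single Logout Service and Certificate Data boxes for the Entry method, stripping the PEM armor and whitespace from the certificate and refusing metadata that carries no signing certificate. The metadata document, entity ID, URLs and certificate bytes are constructed placeholders; the Entity ID box is not filled in because its value depends on your identity provider.

```python
"""Pull the manual-entry SAML values out of identity provider metadata.
Added example, not Tenable code; the metadata, URLs and certificate are constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for files you did not write

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder bytes that are valid base64 but not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not an X.509 certificate").decode()

# Constructed IdP metadata; the certificate is wrapped the way IdPs usually export it.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert="\n".join(textwrap.wrap(FAKE_CERT_B64, 64)))


def strip_pem(text: str) -> str:
    """Return only the base64 body, whatever armor lines or whitespace came with it."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # binascii.Error if the paste was damaged
    return body


def _service_url(idp, tag: str):
    """Location of the service; the HTTP-Redirect binding when the IdP offers several."""
    services = idp.findall("md:" + tag, NS)
    for s in services:
        if s.get("Binding") == REDIRECT:
            return s.get("Location")
    return services[0].get("Location") if services else None


def manual_entry_fields(metadata_xml: str) -> dict:
    """Values for the Entry method, keyed by the box names on the SAML Configuration page."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("metadata carries no signing certificate")
    cert = signing[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("signing KeyDescriptor carries no X509Certificate")
    return {
        "Identity Provider (IdP)": root.get("entityID"),
        "Single Sign-on Service": _service_url(idp, "SingleSignOnService"),
        "Single Logout Service": _service_url(idp, "SingleLogoutService"),
        "Certificate Data": strip_pem(cert.text),
        "NameID formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }
```

The NameID formats are returned so you can check them against the Username Attribute you configure; the Okta example later in this section sets Name ID Format to Unspecified.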

Configure SAML Authentication via the SimpleSAML Module

Tip: The recommended method for configuring SAML authentication is via the Tenable Security
Center interface:
l Configure SAML Authentication Automatically via the User Interface
l Configure SAML Authentication Manually via the User Interface

Required User Role: Administrator

If you encounter issues configuring SAML via the Tenable Security Center interface, you can use a
hidden SimpleSAML module to automatically configure SAML authentication.

For general information, see SAML Authentication.

Before you begin:


l Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of
how to configure SAML for use with Tenable Security Center.

l Save your identity provider SAML metadata file to a directory on your local computer.

To configure SAML authentication via the SimpleSAML module:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the SAML button.

The SAML Configuration page appears.

4. Type placeholder values into all SAML configuration options. You do not need to configure
valid values.

5. Click Submit.

Tenable Security Center saves your configuration.

6. Log in to Tenable Security Center via the command line interface (CLI).

7. Navigate to and open the /opt/sc/support/etc/SimpleSAML/config/authsources.php file.

8. Copy and paste the following text into the file, between the ), line and the ); line:

    // This is an authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ),

9. Save the file.

10. In a browser, navigate to https://<Tenable Security Center IP address or hostname>/saml/module.php/core/frontpage_config.php.

The SimpleSAML.php installation page appears.

11. On the Configuration tab, click Login as administrator.

The Enter your username and password page appears.

12. In the Username box, type admin.

13. In the Password box, type admin.

14. Click Login.

15. On the Federation tab, in the Tools section, click XML to SimpleSAML.php metadata
converter.

The Metadata parser page appears.

16. Click Choose File and select your identity provider SAML metadata file.

17. Click Parse.

Tenable Security Center validates the identity provider SAML metadata file. If the metadata
file is supported, Tenable Security Center populates the XML metadata box with content from
your metadata file. If the metadata file is not supported, you cannot use it for
SAML authentication in Tenable Security Center.

18. In the saml20-idp-remote section, copy the text in the box.

19. Log in to Tenable Security Center via the command line interface (CLI).

20. Navigate to and open the /opt/sc/support/etc/SimpleSAML/metadata/saml20-idp-remote.php
file (for SAML 2.0 or Shibboleth 2.0).

21. Paste the text into the file, after the <?php line.

22. Save the file.

23. Navigate to and open the /opt/sc/support/etc/SimpleSAML/config/authsources.php file again.

24. Confirm the idp URL in the authsources.php file matches the $metadata URL in the
saml20-idp-remote.php or shib13-idp-remote.php file:

Valid authsources.php syntax example:

'idp' => 'http://www.okta.com/abcdefghijKLmnopQr0s1'

Valid saml20-idp-remote.php or shib13-idp-remote.php syntax example:

$metadata['http://www.okta.com/abcdefghijKLmnopQr0s1']

25. In a browser, navigate to https://<Tenable Security Center IP address or hostname>/saml/module.php/core/frontpage_config.php.

The SimpleSAML.php installation page appears.

26. On the Authentication tab, click Test configured authentication sources.

The Test authentication sources page appears.

27. Click 1.

Your identity provider login page appears.

28. Log in to your identity provider.

The SAML 2.0 SP Demo Example page appears. If this page does not appear, the
configuration did not succeed.

What to do next:
l Once the test succeeds, remove the 'admin' block you added to authsources.php so that the
SimpleSAMLphp administration pages are no longer reachable with the default admin/admin
credentials.

l In the Tenable Security Center interface, on the SAML Configuration page, click Download
SAML Configuration XML, save the .xml file locally, and use it to configure your identity
provider SAML configuration. For more information, see SAML Authentication
XML Configuration Examples.

l Add SAML-authenticated user accounts.

l To manually add SAML-authenticated users in Tenable Security Center, see Add a SAML-
Authenticated User.

l To automatically add SAML-authenticated users by importing users from your SAML
identity provider, see Configure SAML User Provisioning.

l Instruct users to log in to Tenable Security Center using the Sign In Using Identity Provider
button, as described in Log In to the Web Interface.

SAML User Provisioning


You can enable user provisioning to automatically create SAML-authenticated users in Tenable
Security Center by importing user accounts from your SAML identity provider. When user
provisioning is enabled, users who log into your SAML identity provider are automatically created in
Tenable Security Center. For more information about SAML authentication in Tenable Security
Center, see SAML Authentication.

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Security Center.

If you enable user provisioning and a user who does not have a Tenable Security Center user
account logs in using your SAML identity provider, Tenable Security Center automatically creates a
user account for them in Tenable Security Center.

Tenable Security Center creates users using data from attribute fields you map to the
corresponding fields in your SAML identity provider. If you enable User Data Sync, each time a user
logs into Tenable Security Center using your SAML identity provider, Tenable Security Center
updates any mapped attribute fields in Tenable Security Center with values from the fields in your
SAML identity provider. For more information about User Data Sync, see SAML Authentication
Options.

Note: If you want to edit a Tenable Security Center user that was created via SAML user provisioning and
you enabled User Data Sync, edit the user in your SAML identity provider. Otherwise, the Tenable Security
Center user data sync overwrites your changes the next time the user logs in to Tenable Security Center
using your SAML identity provider.

Note: If you want to delete a Tenable Security Center user that was created via SAML user provisioning,
delete the user from your SAML identity provider. If you delete a user in Tenable Security Center that was
created via SAML user provisioning without deleting the user in your SAML identity provider, Tenable
Security Center automatically re-creates the user in Tenable Security Center the next time they log in
using your SAML identity provider.

For more information, see Configure SAML User Provisioning.

Configure SAML User Provisioning

Required User Role: Administrator

You can enable user provisioning to automatically create SAML-authenticated users in Tenable
Security Center by importing user accounts from your SAML identity provider. When user
provisioning is enabled, users who log into your SAML identity provider are automatically created in
Tenable Security Center. For more information, see SAML User Provisioning.

To manually create SAML-authenticated users in Tenable Security Center, see Add a SAML-
Authenticated User.

For more information about user account configuration options, see SAML User Account Options.

Before you begin:


l Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of
how to configure SAML for use with Tenable Security Center.

l Configure SAML authentication, as described in Configure SAML Authentication Manually via
the User Interface.

To import SAML-authenticated user accounts from your SAML identity provider:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the SAML button.

The SAML Configuration page appears.

4. In the SAML Settings section, click the toggle to enable User Provisioning.

5. (Optional) To automatically update contact information for imported SAML-authenticated
users, click the User Data Sync toggle. For more information about User Data Sync, see SAML
Authentication Options.

6. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l In your SAML identity provider, map the required Tenable Security Center user attribute fields
to the corresponding fields for users in your identity provider: Organization ID, Group ID, and
Role ID.

Note: Tenable Security Center uses the fields listed in the Attribute Mapping section to create and
update users in Tenable Security Center. Any Tenable fields that you map to corresponding fields in
your SAML identity provider populate when Tenable Security Center imports SAML users into
Tenable Security Center. If you enable User Data Sync, each time a user logs into Tenable Security
Center using your SAML identity provider, Tenable Security Center updates any mapped attribute
fields in Tenable Security Center with values from the corresponding fields in your SAML identity
provider.
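As an added example (not Tenable code), the following Python script checks a SAML response captured from your identity provider against the constraints this section and Considerations for Advanced SAML Features place on it, before you turn on user provisioning: the assertion is not encrypted, the issuer and audience match what you configured, a Signature element is present on the response or the assertion, the Username Attribute resolves to a value, and the mapped organization, group and role attributes are present and numeric. Both responses are constructed, the Signature elements are placeholders that are checked for presence only and not cryptographically verified, and the attribute names tenableOrgID, tenableGroupID and tenableRoleID are an assumption standing in for whatever you mapped in the Attribute Mapping section.

```python
"""Pre-flight checks on a SAML response before enabling user provisioning.
Added example, not Tenable code. The responses are constructed, the Signature
elements are placeholders checked for presence only (not verified), and the
tenableOrgID/tenableGroupID/tenableRoleID names stand in for whatever you
mapped in the Attribute Mapping section."""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree on real IdP traffic

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
IDP = "http://www.okta.com/exk0000000000000000"   # constructed Identity Provider (IdP) value
AUDIENCE = "https://tenable.sc"                    # Audience used in this guide's examples
REQUIRED = ("tenableOrgID", "tenableGroupID", "tenableRoleID")  # assumed attribute names

_HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  IssueInstant="2024-06-24T12:00:00Z"
  Destination="https://sc.example.com/saml/module.php/saml/sp/saml2-acs.php/1">
  <saml:Issuer>%s</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
""" % IDP

# Constructed responses, not captures. This one is what the Okta example asks for:
# signed response, signed assertion, unencrypted.
PLAIN_RESPONSE = _HEAD + """  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-24T12:00:00Z">
    <saml:Issuer>%s</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="tenableOrgID"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="tenableGroupID"><saml:AttributeValue>0</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="tenableRoleID"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (IDP, AUDIENCE)

# What an IdP with assertion encryption enabled sends: nothing inside is readable.
ENCRYPTED_RESPONSE = _HEAD + """  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def check_response(xml_text, expected_issuer=IDP, username_attr="username",
                   audience=AUDIENCE, required=REQUIRED) -> dict:
    """Findings a reviewer needs before trusting this IdP for provisioning."""
    root = ET.fromstring(xml_text)
    report = {"encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
              "response_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": False, "issuer_ok": False, "audience_ok": False,
              "username": None, "attributes": {}, "missing": list(required)}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted (unsupported) or malformed: nothing more to read
        return report
    report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    report["issuer_ok"] = issuer == expected_issuer
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    report["audience_ok"] = audience in [a.text.strip() for a in audiences if a.text]
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        report["attributes"][attr.get("Name")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    attrs = report["attributes"]
    if username_attr == "NameID":  # the NameID case from SAML Authentication Options
        report["username"] = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    elif attrs.get(username_attr):
        report["username"] = attrs[username_attr][0]
    report["missing"] = [r for r in required if not (attrs.get(r) and attrs[r][0].isdigit())]
    return report


def ready_for_provisioning(report: dict) -> bool:
    """All conditions this guide places on the IdP hold for this response."""
    return (not report["encrypted"]
            and (report["response_signed"] or report["assertion_signed"])
            and report["issuer_ok"] and report["audience_ok"]
            and report["username"] is not None and not report["missing"])
```

An encrypted response fails immediately and reports no username or attributes, which is the symptom you see when the identity provider still has assertion encryption enabled; fix that on the identity provider side, since Tenable Security Center cannot decrypt the assertion.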

SAML Authentication XML Configuration Examples

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to
configure SAML for use with Tenable Security Center.

Identity provider SAML configurations vary widely, but you can use the following examples to guide
your SAML-side configurations.

l OneLogin Example

l Okta Example

l Microsoft ADFS Example

OneLogin Example
In the OneLogin SAML configuration, paste data from your .xml download file.

OneLogin Field Description

Relay State Leave this field blank.

Audience Type https://tenable.sc.

Recipient Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1,
where <Tenable Security Center host> is the IP address or hostname for
Tenable Security Center.

ACS (Consumer) URL Validator Type -*.

ACS (Consumer) URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1,
where <Tenable Security Center host> is the IP address or hostname for
Tenable Security Center.

Single Logout URL Type https://<Tenable Security Center host>/saml/module.php/saml/index.php?sls,
where <Tenable Security Center host> is the IP address or hostname for Tenable
Security Center.

Okta Example
In the Okta SAML configuration, paste data from your .xml download file.

Okta Field Description

General

Single Sign On URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1,
where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.

Recipient URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1,
where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.

Destination URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1,
where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.

Audience Restriction Type https://tenable.sc.

Default Relay State Leave this field blank.

Name ID Format Set to Unspecified.

Response Set to Signed.

Assertion Signature Set to Signed.

Signature Algorithm Set to RSA_SHA256.

Digest Algorithm Set to SHA256.

Assertion Encryption Set to Unencrypted.

SAML Single Logout Set to Disabled.

authnContextClassRef Set to PasswordProtectedTransport.

Honor Force Set to Yes.


Authentication

SAML Issuer ID Type http://www.okta.com/${org.externalKey}.

Attribute Statements

FirstName Set to Name Format: Unspecified and Value:


user.firstName.

LastName Set to Name Format: Unspecified and Value: user.lastName.

Email Set to Name Format: Unspecified and Value: user.email.

username Set to Name Format: Unspecified and one of the following:

l Value: user.displayName, if your Tenable Security Center


user account usernames are full names (e.g., Jill Smith).

l Value: user.email, if your Tenable Security Center user


account usernames are email addresses (e.g.,
jsmith@website.com).

- 167 -
Okta Field Description

l Value: user.login, if your Tenable Security Center user


account usernames are name-based text strings (e.g.,
jsmith).

Microsoft ADFS Example

In the Microsoft ADFS configuration, paste data from your .xml download file.

Microsoft ADFS Configuration       Description

Edit Authentication Methods window

Extranet                           Select, at minimum, the Forms Authentication check box.

Intranet                           Select, at minimum, the Forms Authentication check box.

Add Relying Party Trust wizard

Welcome section                    - Select Claims aware.

                                   - Select Import data about the relying party from a file.

                                   - Browse to and select the SAML configuration .xml file you
                                     downloaded from Tenable Security Center.

                                   Note: If you see a warning that some content was skipped, click Ok
                                   to continue.

Specify Display Name section       In the Display Name box, type your Tenable Security Center FQDN.

Configure Certificate section      Browse to and select the encryption certificate you want to use.

Choose Access Control Policy       Select the Permit everyone policy.
section

Ready to Add Trust section         - On the Advanced tab, select SHA256 or the value dictated by your
                                     security policy.

                                   - On the Identifiers tab, confirm the information is accurate.

                                   - On the Endpoints tab, confirm the information is accurate.

Finish section                     Select the Configure claims issuance policy for this application
                                   check box.

Edit Claim Issuance Policy window  Add one or more claim rules to specify the ADFS value you want
                                   Tenable Security Center to use when authenticating SAML users.
                                   For example:

                                   To transform an incoming claim:

                                   1. In Incoming claim type, select Email address or UPN.

                                   2. In Outgoing claim type, select Name ID.

                                   3. In Outgoing name ID format, select Transient Identifier.

                                   4. Select the Pass through all claim values check box.

                                   To send LDAP attributes as claims:

                                   1. In Attribute store, select Active Directory.

                                   2. In LDAP Attribute, select E-Mail Addresses.

                                   3. In Outgoing Claim Type, select E-Mail Addresses.

                                   Note: Tenable Support does not assist with claim rules.

Certificate Authentication

You can configure SSL client certificate authentication for Tenable Security Center user account
authentication. Tenable Security Center supports:

- SSL client certificates

- smart cards

- personal identity verification (PIV) cards

- Common Access Cards (CAC)

Configuring certificate authentication is a multi-step process.

To fully configure SSL client certificate authentication for Tenable Security Center user
accounts:

1. Configure Tenable Security Center to allow SSL client certificate authentication, as described
   in Configure Tenable Security Center to Allow SSL Client Certificate Authentication.

2. Configure Tenable Security Center to trust certificates from your CA, as described in Trust a
   Custom CA.

3. Add TNS-authenticated user accounts for the users you want to authenticate via certificate,
   as described in Add a TNS-Authenticated User.

4. (Optional) If you want to validate client certificates against a certificate revocation list (CRL),
   configure CRLs or OCSP in Tenable Security Center, as described in Configure a CRL in
   Tenable Security Center or Configure OCSP Validation in Tenable Security Center.

What to do next:

- Instruct users to log in to Tenable Security Center via certificate, as described in Log in to the
  Web Interface via SSL Client Certificate.

Configure Tenable Security Center to Allow SSL Client Certificate Authentication


You must configure the Tenable Security Center server to allow SSL client certificate connections.
For complete information about certificate authentication, see Certificate Authentication.

To allow SSL client certificate authentication:

1. Open the /opt/sc/support/conf/sslverify.conf file in a text editor.

2. Edit the SSLVerifyClient setting:

Value             Description

none (default)    Tenable Security Center does not accept SSL certificates for user authentication.

require           Tenable Security Center requires a valid SSL certificate for user authentication.

optional          Tenable Security Center accepts but does not require a valid SSL certificate for
                  user authentication.

                  If a user does not present a certificate, they can log in via username and
                  password.

                  Note: Some browsers may not connect to Tenable Security Center when you use
                  the optional setting.

optional_no_ca    Tenable Security Center accepts valid and invalid SSL certificates for user
                  authentication.

                  Tip: This setting does not configure reliable user authentication, but you can
                  use it to troubleshoot issues with your SSL connection and determine whether
                  there is an issue with the key or the CA.

3. Edit the SSLVerifyDepth setting to specify the length of the certificate chain you want
   Tenable Security Center to accept for user authentication. For example:

   - When set to 0, Tenable Security Center accepts self-signed certificates.

   - When set to 1, Tenable Security Center does not accept intermediate certificates.
     Tenable Security Center accepts self-signed certificates or certificates signed by known
     CAs.

   - When set to 2, Tenable Security Center accepts up to 1 intermediate certificate. Tenable
     Security Center accepts self-signed certificates, certificates signed by known CAs, or
     certificates signed by unknown CAs whose certificate was signed by a known CA.

4. Save the file.

Tenable Security Center saves your configuration.

Configure a CRL in Tenable Security Center

Required User Role: Root user

You can enable a certificate revocation list (CRL) in Tenable Security Center to prevent users from
authenticating to Tenable Security Center if their certificate matches a revocation in the CRL.

Note: Tenable Support does not assist with CRL creation or configuration in Tenable Security Center.

Before you begin:

- Confirm that you have the mod_ssl Apache module installed on Tenable Security Center.

- Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore
  the current version.

To configure a CRL in Tenable Security Center:

1. In a text editor, open the /opt/sc/support/conf/sslverify.conf file.

a. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.

b. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.

c. Save the file.

Tenable Security Center saves your configuration.

2. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

Tenable Security Center restarts.

3. Confirm that your CA root configuration file contains the following parameters:

   - crl_dir

   - database

   - crl

   - crl_extensions

   - default_crl_days

   For example:

...
# Directory and file locations.
dir = /opt/sc/data/CA
crl_dir = /opt/sc/support/conf/crl
database = /opt/sc/support/conf/index.txt
# The root key and root certificate.
private_key = /opt/sc/support/conf/TenableCA.key
certificate = /opt/sc/data/CA/TenableCA.crt
# For certificate revocation lists.
crl = /opt/sc/support/conf/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
...

4. Save your CA root configuration file as YourCAname.conf in a subdirectory of
   /opt/sc/support/conf/.

5. Confirm the directories and files referenced in your YourCAname.conf file are present on
   Tenable Security Center in a subdirectory of /opt/sc/support/conf/.

6. Configure Tenable Security Center to trust your CA, as described in Trust a Custom CA.

Tenable Security Center processes your CA.

7. In the command line interface (CLI), run the following command to enable the CRL in Tenable
Security Center:

$ openssl ca -config <CA root configuration file> -gencrl -out <crl parameter value in the YourCAname.conf file>

For example:

$ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl

Tenable Security Center creates the CRL file.
8. In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.

a. Add the following content at the end of the file:

SSLCARevocationCheck <value>
SSLCARevocationFile "<filepath>"

Where <value> and <filepath> are:

Content                          Description

SSLCARevocationCheck <value>

   chain                         Tenable Security Center checks all certificates in a chain against
                                 the CRL.

   leaf                          Tenable Security Center checks only the end-entity certificate in a
                                 chain against the CRL.

SSLCARevocationFile <filepath>

                                 Specifies the file path for the CRL file in Tenable Security Center.
                                 For example, /opt/sc/support/conf/crl/ca.crl.

b. Save the file.

Tenable Security Center saves your configuration.

9. In the CLI, run the following command to create a symbolic link for the CRL file:

$ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0

For example:

$ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0

Caution: Do not use a single quote character (') instead of a backtick character (`); this command
requires the backtick.

Tenable Security Center creates a symbolic link for the CRL file.

10. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

Tenable Security Center restarts.
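The CRL procedure above (steps 3 through 9), run end to end as an added example that is not Tenable's code: a throw-away CA whose configuration file reuses the parameter names from the example above (crl_dir, database, crl, crl_extensions, default_crl_days), one issued client certificate that is then revoked, the openssl ca -gencrl step, the hashed .r0 link, and an openssl verify check that shows what the leaf check rejects. The scratch directory, the CA name and the user names alice and bob are constructed, and the example assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not Tenable's code: a throw-away CA that runs the CRL steps
# from this page in a scratch directory. The CA configuration reuses the
# parameter names from the page's example (crl_dir, database, crl,
# crl_extensions, default_crl_days); all paths and names are constructed.
set -e

# Create the CA layout and configuration file (what steps 3 to 5 check for).
make_demo_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/crl"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.conf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
crl_dir          = \$dir/crl
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/ca.key
certificate      = \$dir/ca.crt
crl              = \$dir/crl/ca.crl
crl_extensions   = crl_ext
default_crl_days = 30
default_md       = sha256
default_days     = 365
policy           = policy_any

[ policy_any ]
commonName = supplied

[ crl_ext ]
authorityKeyIdentifier = keyid,issuer

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$dir/ca.conf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate for CN=$2 from the demo CA in $1.
issue_cert() {
    dir=$1; name=$2
    openssl req -new -config "$dir/ca.conf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -config "$dir/ca.conf" -batch -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Steps 7 and 9: revoke one certificate, regenerate the CRL, and create the
# hashed .r0 link (the page's backtick form, written here with $(...)). The
# hashed .0 link for the CA certificate lets openssl -CApath find the issuer.
revoke_and_publish() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.conf" -revoke "$dir/$name.crt" >/dev/null 2>&1
    openssl ca -config "$dir/ca.conf" -gencrl -out "$dir/crl/ca.crl" >/dev/null 2>&1
    hash=$(openssl crl -hash -noout -in "$dir/crl/ca.crl")
    ln -sf ca.crl "$dir/crl/$hash.r0"
    ln -sf ../ca.crt "$dir/crl/$hash.0"
}

# Return 0 when the certificate chains to the CA and is not on the CRL, 1 when
# it is rejected: the same end-entity check SSLCARevocationCheck leaf performs.
check_client_cert() {
    dir=$1; name=$2
    if openssl verify -crl_check -CApath "$dir/crl" "$dir/$name.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Constructed end-to-end run in a scratch directory.
demo=${TMPDIR:-/tmp}/crl-demo.$$
make_demo_ca "$demo"
issue_cert "$demo" alice
issue_cert "$demo" bob
revoke_and_publish "$demo" alice
check_client_cert "$demo" alice && echo "alice: accepted" || echo "alice: rejected (revoked)"
check_client_cert "$demo" bob && echo "bob: accepted" || echo "bob: rejected"
rm -rf "$demo"
```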

Configure OCSP Validation in Tenable Security Center

Required User Role: Root user

You can configure Online Certificate Status Protocol (OCSP) validation in Tenable Security Center to
prevent users from authenticating to Tenable Security Center if their certificate matches a
revocation on your OCSP server.

Note: Tenable Support does not assist with OCSP configuration in Tenable Security Center.

Before you begin:

- Confirm that you have an OCSP server configured in your environment.

To configure OCSP validation in Tenable Security Center:

1. In a text editor, open the /opt/sc/support/conf/sslverify.conf file.

a. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.

b. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.

c. Save the file.

Tenable Security Center saves your configuration.

2. In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.

a. Add the following content at the end of the file:

SSLOCSPEnable on
SSLOCSPDefaultResponder <URI>
SSLOCSPOverrideResponder on

Where <URI> is the URI for your OCSP server.

b. Save the file.

Tenable Security Center saves your configuration.

3. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

Tenable Security Center restarts.

Search
In Tenable Security Center, you can search for vulnerabilities (by CVE ID) and host assets (by IPv4
address) using the search box in the top navigation bar. Click the drop-down to change the
category. A list of suggestions appears after you type at least five characters or the first octet of an
IPv4 address.

Note: To search for host assets, you must have the View Host Assets permission enabled. For more
information, see User Roles.

Tenable Security Center saves your search history. To view your search history, click the search
box. To delete an item from your search history, click the icon next to the search term.

To view a search result, press Enter or click a suggestion in the drop-down box. The search results
page appears, which displays widgets with details about the vulnerability or host asset:

Widget                    Description

Vulnerabilities

Vulnerability Information A list of solutions for the vulnerability that correspond to the plugins
                          currently visible in the Tenable Coverage widget.

                          The top right corner displays the Vulnerability Priority Rating (VPR) for
                          the vulnerability. For more information about VPRs, see CVSS vs. VPR.

VPR Key Drivers           Details about the history and severity of the vulnerability that contribute
                          to the VPR.

                          For more information about VPRs, see CVSS vs. VPR.

Risk Information          Details about the risk associated with the vulnerability, as determined by
                          the National Vulnerability Database (NVD).

Hosts Impacted            A list of assets in your system that are affected by the vulnerability. When
                          you scan your network, any discovered assets that are affected by the
                          vulnerability will appear in this list.

                          If you have a Tenable Security Center+ license, this widget also displays
                          the Asset Exposure Score (AES) and Asset Criticality Rating (ACR) for the
                          assets.

                          Click More Details to see the IP Summary page, where you can view the list
                          of hosts filtered by the CVE ID.

CPEs                      A list of CPE names that are relevant to the vulnerability.

                          Click More Details to open a dialog box with the full list of CPEs.

References                A list of links with information relevant to the vulnerability.

                          Click More Details to open a dialog box with the full list of references.

Tenable Coverage          A list of Tenable plugins that address the vulnerability. You can sort this
                          list by plugin ID.

                          When you sort plugins or navigate pages in the widget, the Vulnerability
                          Information and Related Links widgets update to correspond to the visible
                          plugins.

                          Click More Details to see the Vulnerability List page, where you can view
                          the list of plugins filtered by your assets. If none of the assets in your
                          network are affected by the list of plugins, then this page will not display
                          any plugins.

Related Links             A list of links with information relevant to the plugins currently visible
                          in the Tenable Coverage widget.

                          Click More Details to open a dialog box with the full list of related links.

Host Assets

Repository                The repository associated with the host asset. If the host asset appears in
                          more than one repository, click the drop-down to view the host asset in a
                          different repository.

Host Information          Details about the host asset.

                          If you have a Tenable Security Center+ license, this widget also displays
                          the Asset Exposure Score (AES) and Asset Criticality Rating (ACR) for the
                          assets.

                          Click More Details to open a dialog box with the full list of host details.

Host Vulnerability        A chart that displays a breakdown of vulnerabilities by severity level.
Severity

Assets                    A list of assets associated with the host.

Findings                  A list of vulnerabilities in your system that correspond to the asset. When
                          you scan your network, any vulnerabilities associated with the host asset
                          will appear in this list.

                          Click More Details to see the Vulnerability List page, where you can view
                          the list of vulnerabilities filtered by the host asset.

Certificates and Certificate Authorities in Tenable Security Center

Tenable Security Center includes the following defaults:

- a default Tenable Security Center server certificate (SecurityCenter.crt)

- a Tenable Security Center certificate authority (CA), which signs SecurityCenter.crt

- a DigiCert High Assurance EV Root CA

However, you may want to upload your own CAs or certificates for advanced configurations or to
resolve scanning issues. For more information, see:

- Tenable Security Center Server Certificates

- Trust a Custom CA

- Certificate Authentication

- Custom Plugin Packages for NASL and CA Certificate Upload

- Manual Tenable Nessus SSL Certificate Exchange

Tenable Security Center Server Certificates

Tenable Security Center ships with a default Tenable Security Center server certificate and key:
SecurityCenter.crt and SecurityCenter.key. In some cases, you must replace it or regenerate it.

If you replace the server certificate with a self-signed certificate, you may need to upload the
CA for your server certificate to Tenable Nessus or your browser.

Problem                                  Solution

The default certificate for Tenable      Upload a certificate for the Tenable Security Center server, as
Security Center is untrusted.            described in Upload a Server Certificate for Tenable Security
                                         Center.

                                         If the new server certificate is self-signed, plugin 51192 may
                                         report that the Tenable Security Center server certificate is
                                         untrusted. To configure Tenable Nessus to trust the server
                                         certificate, upload the CA certificate to Tenable Nessus.

Your browser reports that the Tenable    Upload a CA certificate for the Tenable Security Center server
Security Center server certificate is    certificate to your browser.
untrusted.

Plugin 51192 reports that the Tenable    Regenerate the Tenable Security Center server certificate, as
Security Center server certificate       described in Regenerate the Tenable Security Center Server
expired.                                 Certificate.
Upload a Server Certificate for Tenable Security Center

Required User Role: Root user

For information about Tenable Security Center server certificates, see Tenable Security Center
Server Certificates.

Tip: The custom certificate email address must not be SecurityCenter@SecurityCenter or subsequent
upgrades cannot retain the new certificate.

Before you begin:

- Save your new server certificate and key files as host.crt and host.key.

To upload a server certificate for Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Back up the existing SecurityCenter.crt and SecurityCenter.key files located in the
   /opt/sc/support/conf directory.

For example:

# cp /opt/sc/support/conf/SecurityCenter.crt /tmp/SecurityCenter.crt.bak
# cp /opt/sc/support/conf/SecurityCenter.key /tmp/SecurityCenter.key.bak

3. To rename the host.crt and host.key files and copy them to the /opt/sc/support/conf
directory, run:

# cp host.crt /opt/sc/support/conf/SecurityCenter.crt
# cp host.key /opt/sc/support/conf/SecurityCenter.key

If prompted, type y to overwrite the existing files.

4. To confirm the files have the correct permissions (640) and ownership (tns), run:

# ls -l /opt/sc/support/conf/SecurityCenter.crt
-rw-r----- 1 tns tns 4389 May 15 15:12 SecurityCenter.crt
# ls -l /opt/sc/support/conf/SecurityCenter.key
-rw-r----- 1 tns tns 887 May 15 15:12 SecurityCenter.key

Note: If an intermediate certificate is required, it must also be copied to the system and given the
correct permissions (640) and ownership (tns). Additionally, you must remove the # from the line in
/opt/sc/support/conf/vhostssl.conf that begins with #SSLCertificateChainFile to enable
the setting. Modify the path and filename to match the uploaded certificate.

If necessary, change the ownership or permissions.

a. To change the ownership, run:

# chown tns:tns /opt/sc/support/conf/SecurityCenter.crt
# chown tns:tns /opt/sc/support/conf/SecurityCenter.key

b. To change the permissions, run:

# chmod 640 /opt/sc/support/conf/SecurityCenter.crt
# chmod 640 /opt/sc/support/conf/SecurityCenter.key

5. Restart the Tenable Security Center service:

# service SecurityCenter restart

6. In a browser, log in to the Tenable Security Center user interface as a user with administrator
permissions.

7. When prompted, verify the new certificate details.

What to do next:

- If you uploaded a self-signed server certificate and plugin 51192 reports that the CA for your
  self-signed certificate is untrusted, upload the custom CA certificate to Tenable Nessus.
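The procedure above checks permissions and ownership by hand after the copy. As an added example that is not Tenable's tooling, the script below runs the pre-flight checks a practitioner wants on a replacement host.crt/host.key pair before copying it over SecurityCenter.crt and SecurityCenter.key: the key belongs to the certificate, the certificate is neither expired nor about to expire (the condition plugin 51192 reports), the subject does not use the reserved SecurityCenter@SecurityCenter address, and both files have mode 640 and the expected owner. The host name sc.example.test, the scratch directory and the generated pair are constructed, and the owner argument exists only so the demo can run as a non-tns user.

```shell
#!/bin/sh
# Added example, not Tenable's tooling: pre-flight checks for a replacement
# server certificate and key before they replace SecurityCenter.crt/.key.
# Usage: preflight_server_cert host.crt host.key [owner]  (owner defaults to tns)
# Returns 0 when every check passes, 1 otherwise, printing each failure.
preflight_server_cert() {
    crt=$1; key=$2; owner=${3:-tns}; rc=0

    # 1. The private key must belong to the certificate: compare the public keys.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key is not the private key for $crt"; rc=1
    fi

    # 2. Not expired, and not expiring within 30 days (2592000 seconds).
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $crt is expired or expires within 30 days"; rc=1
    fi

    # 3. The reserved default address makes later upgrades discard the certificate.
    if openssl x509 -in "$crt" -noout -subject | grep -q 'SecurityCenter@SecurityCenter'; then
        echo "FAIL: $crt subject uses SecurityCenter@SecurityCenter"; rc=1
    fi

    # 4. Mode 640 and the expected owner, read from ls -l for portability.
    for f in "$crt" "$key"; do
        mode=$(ls -l "$f" | cut -c1-10)
        who=$(ls -l "$f" | awk '{ print $3 }')
        if [ "$mode" != "-rw-r-----" ]; then echo "FAIL: $f mode is $mode, expected 640"; rc=1; fi
        if [ "$who" != "$owner" ]; then echo "FAIL: $f owner is $who, expected $owner"; rc=1; fi
    done
    return $rc
}

# Constructed helper: a self-signed pair under $1 with subject $2 valid for $3 days.
# On a real host the pair comes from your CA; this only feeds the demo and tests.
make_demo_pair() {
    out=$1; subj=$2; days=$3
    mkdir -p "$out"
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$out/req.conf"
    openssl req -x509 -config "$out/req.conf" -newkey rsa:2048 -nodes -days "$days" \
        -subj "$subj" -keyout "$out/host.key" -out "$out/host.crt" 2>/dev/null
    chmod 640 "$out/host.crt" "$out/host.key"
}

# Demo run: a good pair passes; the owner is the current user, not tns, here.
scratch=${TMPDIR:-/tmp}/sc-cert-demo.$$
make_demo_pair "$scratch" "/CN=sc.example.test" 365
preflight_server_cert "$scratch/host.crt" "$scratch/host.key" "$(id -un)" && echo "preflight: OK"
rm -rf "$scratch"
```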

Regenerate the Tenable Security Center Server Certificate

Required User Role: tns user

Required User Role: Root user

Tenable Security Center ships with a default server certificate that is valid for two years. After the
certificate expires, you must regenerate the SSL certificate.

To regenerate the Tenable Security Center SSL certificate:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. In the CLI in Tenable Security Center, run the following command to switch to the tns user:

su - tns

3. As the tns user, run the following command:

/opt/sc/support/bin/php /opt/sc/src/tools/installSSLCertificate.php

(Optional) If you want to suppress the self-signed warning or specify a Common Name, include
an optional argument.

Argument           Description

-q                 Suppresses the warning: This script generates a self-signed SSL certificate,
                   which is not recommended for production.

-h <IP|host name>  Specifies an IP address or hostname that will be used as the Common Name for
                   the certificate.

Tenable Security Center generates a new certificate.

4. Run the following command to exit the tns user:

exit

5. As the root user, run the following command to restart the Tenable Security Center service:

# service SecurityCenter restart

The service restarts and Tenable Security Center applies the new certificate.

Trust a Custom CA

Required User Role: tns user

You can configure Tenable Security Center to trust a custom CA for certificate authentication or
other uses.

To configure Tenable Security Center to trust a custom CA:

1. Log in to Tenable Security Center via the user interface.

2. Copy the required PEM-encoded CA certificate (and intermediate CA certificate, if needed) to
   the Tenable Security Center server's /tmp directory.

   In this example, the file is named ROOTCA2.cer.

3. Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA:

# /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer

Tenable Security Center processes all the CAs in the file.

4. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

System Settings
The System menu in the left navigation and the Username menus in the top navigation bar contain
several options to configure Tenable Security Center system settings. Administrator users can
configure more options than organizational users.

- Configuration Settings

- Tenable One Data

- Diagnostics Settings

- Job Queue Events

- System Logs

- Publishing Sites Settings

- Keys Settings

- User Profile Menu Settings

Configuration Settings
The configuration menu includes the following settings:

- Data Expiration Settings

- External Schedules Settings

- Mail Settings

- Miscellaneous Settings

- License Settings

- Plugins/Feed Settings

- SAML Settings

- Security Settings

- Tenable One Settings

Data Expiration Settings

Data expiration determines how long Tenable Security Center retains closed tickets, scan results,
and report results.

Option          Description

User Generated Object Lifetime

Closed Tickets  The number of days you want Tenable Security Center to retain closed tickets. The
                default value of this option is 365 days.

Scan Results    The number of days you want Tenable Security Center to retain scan results. The
                default value of this option is 365 days.

Report Results  The number of days you want Tenable Security Center to retain report results. The
                default value of this option is 365 days.

Tip: You can configure vulnerability data expiration for individual IPv4, IPv6, agent, and universal
repositories. For more information, see IPv4/IPv6 Repositories, Agent Repositories, and Universal
Repositories.

External Schedules Settings

The Tenable Security Center external schedule settings determine the update schedule for the
common tasks of pulling Tenable Nessus Network Monitor data, IDS signature updates, and IDS
correlation updates.

Option            Description

Tenable Nessus Network Monitor

Pull Interval     This option configures the interval that Tenable Security Center uses to pull
                  results from the attached Tenable Nessus Network Monitor instances. The default
                  setting is 1 hour. The timing is based on the start of the Tenable Security
                  Center service on the host system.

Tenable Log Correlation Engine

IDS Signatures    Specifies the frequency to update Tenable Security Center IDS signatures via
                  third-party sources. The schedule appears along with the specified time zone.

IDS Correlation   Specifies the frequency to push vulnerability information to the Log Correlation
Databases         Engine for correlation. The schedule appears along with the specified time zone.

You can also configure each of the update schedule times to occur by time in a particular time zone
using the Time Zone link next to each hour selection.
Mail Settings

The Mail option designates SMTP settings for all email-related Tenable Security Center functions.
Available options include SMTP host, port, authentication method, encryption, and return address.
In addition, you can use the Test SMTP Settings in the upper left corner of the page to validate the
settings.

Note: The Return Address defaults to noreply@localhost. Use a valid return email address for this option. If
this option is empty or the email server requires emails from valid accounts, the email server cannot send
the email.

Note: Type the Username in a format supported by your SMTP server (for example, username@domain.com
or domain\username).

Miscellaneous Settings

The Miscellaneous Configuration section offers options to configure settings for web proxy, syslog,
notifications, and enable or disable some report types.

Web Proxy
From this configuration page, you can configure a web proxy by entering the host URL (proxy
hostname or IP address), port, authentication type, username, and password. The hostname used
must resolve properly from the Tenable Security Center host.

Syslog
In the Syslog section, you can configure options to allow Tenable Security Center to send
administrative log events to the local syslog service. For more information about the types of
Tenable Security Center logs, see the knowledge base article.

Option             Description

Enable Forwarding  Enables log forwarding options.

Facility           Type the facility you want to receive the log messages.

Severity           Specifies which syslog message levels you want to forward: Informational,
                   Warning, or Critical.

Scanning
The IP Randomization option specifies how you want Tenable Security Center to send active scan
target lists to Tenable Nessus and Tenable Vulnerability Management scanners.

You enable or disable IP randomization for all configured active scans; you cannot configure
IP randomization on a per-scan basis.

- When enabled, Tenable Security Center randomizes the targets in the active scan before
  sending the target list to the scanners to reduce strain on network devices during large active
  scans.

  Scan                    Randomization

  1,000 or fewer targets  Tenable Security Center randomizes all the IP addresses in the target list.

  1,001 or more targets   Tenable Security Center randomizes all the IP addresses in the target list by:

                          1. Ordering the IP addresses numerically and splitting them into 100 groups.

                          2. Randomly selecting a group and choosing the lowest IP address from that
                             group.

                          3. Selecting groups and IP addresses until all IP addresses in all groups are
                             randomized in the target list.

  If the active scan includes a Tenable Vulnerability Management scanner, Tenable Security
  Center breaks the target list into smaller lists (256 IP addresses each) before sending to
  Tenable Vulnerability Management.

  Note: Some randomized target lists (such as small target lists) may still contain sequences of
  increasing IP addresses. This is a possible outcome of randomization, not an indication that
  randomization failed.

- When disabled, Tenable Security Center organizes the target list by increasing IP address.
  Then, scanners scan targets, starting with the lowest IP address and finishing with the highest
  IP address.

Tip: The Max simultaneous hosts per scan scan policy option specifies how many IP addresses Tenable
Security Center sends to each scanner at a time. For more information, see Scan Policy Options.
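The two randomization policies described above (a full shuffle for 1,000 or fewer targets, the 100-group draw for 1,001 or more), implemented in portable sh and awk as an added example that is not Tenable's code, so the behaviour can be observed on a constructed target list. The seed argument (for reproducible runs) and the 10.0.0.0/22 sample addresses are assumptions; the randomized output is a permutation of the input, which is what the note above about residual increasing runs refers to.

```shell
#!/bin/sh
# Added example, not Tenable's code: reproduce the documented IP Randomization
# behaviour for an active-scan target list. Input: one IPv4 address per line on
# stdin. Output: the same addresses in randomized order on stdout.
# Usage: randomize_targets SEED < targets.txt   (SEED fixes the awk RNG so a run
# is reproducible; any integer works.)
randomize_targets() {
    # Convert dotted quads to integers so the sort is numeric, as the page
    # describes ("ordering the IP addresses numerically").
    awk -F. '{ printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4 }' |
    sort -n |
    awk -v seed="$1" '
    function num2ip(v) {
        return int(v / 16777216) "." int(v / 65536) % 256 "." int(v / 256) % 256 "." v % 256
    }
    { n++; ip[n] = $1 }
    END {
        if (n == 0) exit
        srand(seed)
        if (n <= 1000) {
            # 1,000 or fewer targets: randomize the whole list (Fisher-Yates).
            for (i = n; i > 1; i--) {
                j = int(rand() * i) + 1
                t = ip[i]; ip[i] = ip[j]; ip[j] = t
            }
            for (i = 1; i <= n; i++) print num2ip(ip[i])
            exit
        }
        # 1,001 or more targets: split the sorted list into 100 groups, then
        # repeatedly pick a random non-empty group and emit its lowest remaining
        # address until every group is drained.
        groups = 100
        size = int((n + groups - 1) / groups)      # addresses per group (last may be short)
        live = 0
        for (g = 1; g <= groups; g++) {
            first = (g - 1) * size + 1
            if (first > n) break                   # no addresses left for this group
            next_idx[g] = first
            last_idx[g] = (g * size < n) ? g * size : n
            live++; live_group[live] = g
        }
        while (live > 0) {
            k = int(rand() * live) + 1             # random group among the non-empty ones
            g = live_group[k]
            print num2ip(ip[next_idx[g]])
            next_idx[g]++
            if (next_idx[g] > last_idx[g]) {       # group drained: drop it from the pool
                live_group[k] = live_group[live]
                live--
            }
        }
    }'
}

# Constructed sample run: 1,200 hypothetical targets in 10.0.0.0/22, first five shown.
awk 'BEGIN { for (i = 1; i <= 1200; i++) printf "10.0.%d.%d\n", int(i / 256), i % 256 }' |
    randomize_targets 7 | head -n 5
```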

Notifications
In the Notifications section, you can configure options for Tenable Security Center notifications.
For more information, see Notifications.

Option                            Description

Tenable Security Center Location  Defines the Tenable Security Center web address used when alerts
                                  and tickets generate notifications.

Bell Notifications                Enables notifications to appear in the menu in the top navigation
                                  bar.

Report Generation
If your organization requires specialized reporting formats, such as DISA or CyberScope, you can
enable Report Generation options based on your organization's needs.

- Defense Information Systems Agency (DISA) reporting standards include the Assessment
  Summary Results (ASR), Assessment Results Format (ARF), and Consolidated Assessment
  Results Format (CARF) styles.

- CyberScope reports utilize Lightweight Asset Summary Results Schema (LASR) style reports,
  which are used by some segments of governments and industry.

To allow users to choose these reports during report creation, you must enable the corresponding
toggles. For more information about reports in Tenable Security Center, see Reports.

Option                        Description

Enable DISA ARF               Enable the DISA ARF report format, which meets the standards of the
                              Defense Information Systems Agency Assessment Results Format.

Enable DISA Consolidated ARF  Enable the DISA consolidated ARF report format, which meets the
                              standards of the Defense Information Systems Agency Consolidated
                              Assessment Results Format.

Enable DISA ASR               Enable the DISA ASR report format, which meets the standards of the
                              Defense Information Systems Agency Assessment Summary Results.

Enable CyberScope             Enable the CyberScope report format, which meets CyberScope
                              reporting standards to support FISMA compliance.

Risk Rule Comments


You can enable the Recast and Accept Risk Rule Comments option to display accept risk rule
comments and recast risk rule comments in reports and vulnerability analysis views.

For more information about recast risk rules and accept risk rules, see Recast Risk Rules and
Accept Risk Rules.

For more information about vulnerability analysis views, see View Vulnerability Instance Details and
View Vulnerabilities by Plugin.

Privacy
The Enable Usage Statistics option specifies whether Tenable collects anonymous telemetry data
about your Tenable Security Center deployment.

When enabled, Tenable collects usage statistics that cannot be attributed to a specific user or
customer. Tenable does not collect personal data or personally identifying information (PII).

Usage statistics include, but are not limited to, data about your visited pages, your used reports and
dashboards, your Tenable Security Center license, and your configured features. Tenable uses the
data to improve your user experience in future Tenable Security Center releases. You can disable
this option at any time to stop sharing usage statistics with Tenable.

After you enable or disable this option, all Tenable Security Center users must refresh their browser
window for the changes to take effect.

License Settings

The License Configuration section allows you to configure licensing and activation code settings
for Tenable Security Center and all attached Tenable products.

For information about the Tenable Security Center license count, see License Requirements. To
add or update a license, see Apply a New License or Update an Existing License.

Plugins/Feed Settings

The Plugins/Feed Configuration page displays the Plugin Detail Locale for Tenable Security Center
and the feed and plugin update (scanner update) schedules.

For more information, see Edit Plugin and Feed Settings and Schedules.

Tenable Security Center Feed: Retrieves the latest Tenable Security Center feed from Tenable. This
feed includes data for general use, including templates (for example, dashboards, ARCs, reports,
policies, assets, and audit files), template-required objects, some general plugin information, and
updated VPR values.

Active Plugins: Retrieves the latest active plugins feed (for Tenable Nessus and Tenable
Vulnerability Management scanners) from Tenable. Tenable Security Center pushes the feed to
Tenable Nessus and Tenable Vulnerability Management scanners.

Passive Plugins: Retrieves the latest passive plugins feed from Tenable. Tenable Security Center
pushes the feed to Tenable Nessus Network Monitor instances.

Event Plugins: Retrieves the latest event plugins feed from Tenable. Tenable Security Center uses
the feed locally with Log Correlation Engine data but does not push the feed to Log Correlation
Engine; Log Correlation Engine retrieves the feed directly from Tenable.

For information about Tenable Security Center-Tenable plugins server communications encryption,
see Encryption Strength.

Plugin Detail Locale
The local language plugin feature allows you to display portions of plugin data in local languages.
When available, translated text displays on all pages where plugin details appear.

Select Default to display plugin data in English.

Note: Tenable Security Center cannot translate text within custom files. Upload a translated Active
Plugins.xml file to display the file content in a local language.

For more information, see Configure Plugin Text Translation.

Schedules
Tenable Security Center automatically updates Tenable Security Center feeds, active plugins,
passive plugins, and event plugins. If you upload a custom feed or plugin file, the system merges the
custom file data with the data contained in the associated automatically updating feed or plugin.

You can upload tar.gz files with a maximum size of 1500 MB.

For more information, see Edit Plugin and Feed Settings and Schedules.

Security Center Software Updates

The Security Center Software Updates section includes options for applying updates and patches
for Tenable Security Center.

In the Authorization Token box, enter your authorization token. You can generate an authorization
token on the Tenable Downloads API page.

If you enable the Automatically Update Through the Security Center Feed option, then Tenable
Security Center automatically applies any available Tenable Security Center patches during
scheduled feed updates.

Note: Some patches cannot be applied through the feed, and must be installed manually.

Available Software Updates

New updates and patches for Tenable Security Center appear in the Available Software Updates
section of the Plugins/Feed Configuration page.

The Install Now tab displays available software updates for download. You can install them
immediately by selecting the check box and clicking Install Now. If you enable the Automatically
Update Through the Security Center Feed option in the Security Center Software Updates
section, then Tenable Security Center will automatically apply these updates and patches during
scheduled feed updates.

The Install Manually tab includes software updates that must be installed manually. You can
download the files for these updates and patches from the Tenable Downloads page.

If you install a software update but the installation fails, the update will appear in the Available
Software Updates section with a warning icon. Click the software update in the table to view
details about the error.

Installed Software Updates

When you install a software update, it moves from the Available Software Updates section to the
Installed Software Updates section. If a software update requires a restart to finish installing, the
status for the update in the Installed Software Updates section is Needs Restart. After you
complete a software update, the status for the update is Installed.

SAML Settings

Use the SAML section to configure SAML 2.0 authentication (for example, with Okta, OneLogin, or
Shibboleth 2.0) for Tenable Security Center users. For more information, see SAML Authentication.

Security Settings

Use the Security section to define the Tenable Security Center user interface login parameters and
options for account logins. You can also configure banners, headers, and classification headers and
footers.

Authentication Settings

Session Timeout: The web session timeout in minutes (default: 60).

Maximum Login Attempts: The maximum number of user login attempts Tenable Security Center
allows before locking out the account (default: 20). To disable this feature, set the value to 0.

Minimum Password Length: The minimum number of characters for passwords of accounts created
using local TNS authentication (default: 3).

Password Complexity: When enabled, user passwords must be at least 4 characters long and
contain at least one of each of the following:

   • An uppercase letter

   • A lowercase letter

   • A numerical character

   • A special character

   Note: After you enable Password Complexity, Tenable Security Center prompts all users to reset
   their passwords the next time they log in to Tenable Security Center.

   Note: If you enable Password Complexity and set the Minimum Password Length to a value
   greater than 4, Tenable Security Center enforces the longer password requirement.

Startup Banner Text: The text banner that appears before the login interface.

User Text: Adds custom text to the bottom of the user profile menu. You can use the text to
identify a company, group, or other organizational information (maximum 128 characters).

Classification Type: Adds a header and footer banner to Tenable Security Center to indicate the
classification of the data accessible via the software. Current options are None, Custom,
Unclassified, Confidential, Secret, Top Secret, and Top Secret – No Foreign.

   If you select Custom, the following options appear:

   • Custom Text - Type the text that you want to appear in the banner (maximum 128 characters).

   • Text Color - Select the text color for the banner.

   • Background Color - Select the background color for the banner.

   Note: Custom banners in reports are supported only for Arial Regular font.

   Sample header:

   Sample footer:

   Note: If you set Classification Type to an option other than None, users can only see the plain
   report styles. The Tenable report styles do not support the classification banners.

Allow API Keys: When enabled, allows users to generate API keys as an authentication method for
Tenable Security Center API requests. For more information, see Enable API Key Authentication.

Allow Session Management: Disabled by default. When enabled, the Session Limit option appears,
which allows administrators to set a session limit for all users.

Disable Inactive Users: When enabled, Tenable Security Center disables user accounts after a set
period of inactivity. You cannot use a disabled user account to log in to Tenable Security Center,
but other users can use and manage objects owned by the disabled user account.

Days Users Remain Enabled: When you enable Disable Inactive Users, specify the number of
inactive days you want to allow before automatically disabling a user account.

Session Limit: Specifies the maximum number of sessions a user can have open at once.

   If you log in and the session limit has already been reached, Tenable Security Center notifies
   you that the oldest session with that username will be logged out automatically. You can cancel
   the login or proceed with the login and end the oldest session.

   Note: This behavior is different for Common Access Card (CAC) logins. Tenable Security Center
   does not check active sessions for CAC authentication.

Login Notifications: Sends a notification each time a user logs in.

WebSeal: Allows you to enable or disable WebSEAL. WebSEAL supports multiple authentication
methods, provides the Security Access Authorization service, and provides single sign-on
capabilities.

   Caution: Before the user that enabled WebSEAL logs out of Tenable Security Center, Tenable
   strongly recommends confirming, in a separate session, that at least one user (preferably an
   administrator user) is able to log in successfully via WebSEAL. Otherwise, if there is an issue,
   no one will be able to access Tenable Security Center to turn off WebSEAL.

   Caution: Any user created while WebSEAL is enabled will not have a password. An administrator
   must update the user account to establish a password. Any user that existed before enabling
   WebSEAL must revert to their old password.

PHP Serialization

Operational Status: Summarizes your current setting.

PHP Serialization Mode: Specifies whether you want to allow or prevent PHP serialization in
Tenable Security Center.

   • PHP Serialization ON — Tenable Security Center performs PHP serialization and Tenable
   Security Center features operate as expected.

   • PHP Serialization OFF — Tenable Security Center does not perform PHP serialization and
   prevents users from importing or exporting the following objects:

      • Assets

      • Scan policies

      • Assurance Report Cards

      • Reports

      • Audit files

      • Dashboards

Scanners

Picture in Picture: When enabled, allows administrators to view and manage Tenable Nessus
scanner configurations from the Tenable Security Center user interface. For more information, see
Enable Picture in Picture.

   Note: You cannot use Picture in Picture with a Tenable Nessus scanner if you enabled Use Proxy
   for the scanner or if the scanner's Authentication Type is SSL Certificate. For more information,
   see Tenable Nessus Scanner Settings.

FIPS 140-2 Configuration

Operational Status: Summarizes whether FIPS 140-2 mode is currently enabled or disabled.

FIPS 140-2 Mode: Specifies whether you want to enable or disable FIPS mode for communication.
Switching from one mode to the other requires a restart. For more information, see Start, Stop, or
Restart Tenable Security Center.
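
The Minimum Password Length and Password Complexity settings above interact: with complexity enabled, the effective minimum is the larger of 4 and the configured length. The following Python check, added here as an illustration and not part of Tenable Security Center or this guide, mirrors those two rules so an administrator can reason about which candidate passwords a given configuration would reject. The PasswordPolicy class, the check_password function and the sample passwords are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed example that mirrors the two Security Settings rules described above.
# It is illustrative code, not Tenable Security Center's own password validator.

COMPLEXITY_FLOOR = 4  # Password Complexity requires at least 4 characters


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 3   # default of the Minimum Password Length setting
    complexity: bool = False  # state of the Password Complexity toggle

    def effective_minimum_length(self) -> int:
        # With complexity on, the longer of 4 and Minimum Password Length applies.
        if self.complexity:
            return max(COMPLEXITY_FLOOR, self.minimum_length)
        return self.minimum_length


# One pattern per character class that Password Complexity requires.
CHARACTER_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "numerical character": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(policy: PasswordPolicy, candidate: str) -> List[str]:
    """Return the list of violated requirements; an empty list means acceptable."""
    problems = []
    minimum = policy.effective_minimum_length()
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if policy.complexity:
        for name, pattern in CHARACTER_CLASSES.items():
            if not pattern.search(candidate):
                problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    lax = PasswordPolicy()                                   # defaults: length 3, complexity off
    strict = PasswordPolicy(minimum_length=12, complexity=True)
    for pw in ("abc", "Ab1!", "correct-horse-battery-9", "Correct-Horse-Battery-9"):
        print(f"{pw!r}: lax={check_password(lax, pw)} strict={check_password(strict, pw)}")
```

Run the script to see how the same candidate fares under the default configuration and under a stricter one; the returned list names every failed rule rather than stopping at the first, which is what a help desk needs when explaining a rejected password.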

Tenable Lumin Settings

If you have a Tenable Vulnerability Management license to use Tenable Lumin with Tenable Security
Center, you can configure your Tenable Security Center data to synchronize to Tenable Vulnerability
Management for Tenable Lumin analysis.

For more information, see Tenable Lumin Synchronization.

Edit Plugin and Feed Settings and Schedules

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Configuration Settings.

To view and edit plugin and feed settings and schedules as an administrator user:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the Plugins/Feed tile.

The Plugins/Feed Configuration page appears.

4. View the Plugin Detail Locale section to see the local language configured for Tenable
Security Center.

5. Expand the Schedules section to show the settings for the Tenable Security Center Feed,
Active Plugins, Passive Plugins, or Event Plugins schedule.

a. If you want to update a plugin or feed on demand, click Update. You cannot update
feeds with invalid activation codes.

      • If there is an update available, the Update link is active.

      • If your plugins or feed are already up to date, the Update link is inactive.

b. If you want to upload a custom feed file, click Choose File.

c. Click Submit.

Tenable Security Center saves your configuration.

To view and edit plugin and feed settings and schedules as an organizational user:

1. Log in to Tenable Security Center via the user interface.

2. In the top navigation bar, click your user profile icon > Feeds.

The Plugins/Feed Configuration page appears.

3. View the Plugin Detail Locale section to see the local language configured for Tenable
Security Center.

4. Expand the Schedules section to show the settings for the Tenable Security Center Feed,
Active Plugins, Passive Plugins, or Event Plugins schedule.

5. If you want to update a plugin or feed on demand, click Update. You cannot update feeds with
invalid activation codes.

6. If you want to upload a custom feed file, click Choose File.

7. Click Submit.

Tenable Security Center saves your configuration.

Configure Plugin Text Translation

Required User Role: Administrator

For more information, see Configuration Settings.

To configure plugin text translation:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the Plugins/Feed tile.

The Plugins/Feed Configuration page appears.

4. If you want plugin text to display in a local language, select a language from the Locale List
box.

5. Click Apply.

Tenable Security Center saves your configuration.

6. In the Schedules section, in the Active Plugins row, click Update.

Tenable Security Center updates active plugins to obtain available translations.

API Key Authentication

You can enable API key authentication to allow users to use API keys as an authentication method
for Tenable Security Center API requests. Without API keys, users must use the /token endpoint to
log in to the Tenable Security Center API and establish a token for subsequent requests, as
described in Token in the Tenable Security Center API Guide.

Tenable Security Center attributes actions performed with API keys to the user account associated
with the API keys. You can only perform actions allowed by the privileges granted to the user
account associated with the API keys.

You can enable the Allow API Keys toggle in your Security Settings to allow users to perform
API key authentication. Then, users can generate API keys for themselves or for other users. API
keys include an access key and secret key that must be used together for API key authentication.
For more information, see Enable API Key Authentication and Generate API Keys.

A user can authenticate Tenable Security Center API requests with API keys by including the
x-apikey header in each HTTP request message, as described in API Key Authorization in the
Tenable Security Center API Best Practices Guide.

Deleting API keys prevents users from authenticating Tenable Security Center API requests with the
deleted keys. For more information, see Delete API Keys.

For more information about the Tenable Security Center API, see the Tenable Security Center API
Guide and the Tenable Security Center API Best Practices Guide.
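
As an added example that is not part of this guide or of Tenable's own client code, the following Python script shows how a client supplies the x-apikey header on each request instead of first calling /token. The header value form (accesskey=...; secretkey=...), the /rest/ base path, the currentUser endpoint, and the SC_URL, SC_ACCESS_KEY and SC_SECRET_KEY environment variable names are assumptions not stated on this page. The keys are read from the environment so they never sit in source or shell history, and the redaction helper keeps the secret key out of debug logs.

```python
import json
import os
import urllib.request
from urllib.parse import urljoin

# Added example, not Tenable's own code. Assumptions (not stated on the page):
# the x-apikey value has the form "accesskey=<key>; secretkey=<key>", the REST
# API is served under /rest/, and GET currentUser returns the calling user.


def api_key_header(access_key: str, secret_key: str) -> dict:
    """Build the x-apikey header that authenticates one request on its own."""
    if not access_key or not secret_key:
        raise ValueError("an access key and a secret key must be used together")
    return {"x-apikey": f"accesskey={access_key}; secretkey={secret_key}"}


def build_request(base_url: str, path: str, headers: dict) -> urllib.request.Request:
    """Assemble a GET request for a relative API path under base_url."""
    req = urllib.request.Request(urljoin(base_url, path), method="GET")
    for name, value in headers.items():
        req.add_header(name, value)
    req.add_header("Accept", "application/json")
    return req


def redact_for_logging(headers: dict) -> dict:
    """Copy of the headers with the secret key masked, safe for debug output."""
    safe = dict(headers)
    if "x-apikey" in safe:
        parts = [p.strip() for p in safe["x-apikey"].split(";")]
        masked = [p if p.startswith("accesskey=") else "secretkey=***" for p in parts]
        safe["x-apikey"] = "; ".join(masked)
    return safe


def load_keys_from_env() -> tuple:
    """Read the key pair from the environment (variable names are assumptions)."""
    return os.environ["SC_ACCESS_KEY"], os.environ["SC_SECRET_KEY"]


if __name__ == "__main__":
    base = os.environ.get("SC_URL", "https://sc.example.com/rest/")
    headers = api_key_header(*load_keys_from_env())
    req = build_request(base, "currentUser", headers)
    print("request headers:", redact_for_logging(headers))
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(json.dumps(json.load(resp), indent=2))
```

Because every request carries the key pair, there is no session to log out of; revoking access means deleting the keys (see Delete API Keys) or disabling Allow API Keys, and the account's own privileges still bound what the keys can do.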

Enable API Key Authentication

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can enable API key authentication to allow users to use API keys as an authentication method
for Tenable Security Center API requests. For more information, see API Key Authentication.

To allow users to authenticate to the Tenable Security Center API using API keys:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the Security tile.

The Security Configuration page appears.

4. In the Authentication Settings section, click Allow API Keys to enable the toggle.

5. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
• Generate API keys for a user, as described in Generate API Keys.

Disable API Key Authentication

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

Caution: Disabling API keys prevents users from authenticating API requests with API keys. Disabling
API keys does not delete existing API keys. If you re-enable API keys, Tenable Security Center reauthorizes
any API keys that were active before you disabled API key authentication.

For more information, see API Key Authentication.

To disable API key authentication:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Configuration.

The Configuration page appears.

3. Click the Security tile.

The Security Configuration page appears.

4. In the Authentication Settings section, click Allow API Keys to disable the toggle.

5. Click Submit.

Tenable Security Center saves your configuration.

Enable Picture in Picture

Required User Role: Administrator

You can enable Picture in Picture to allow administrators to view and manage Tenable Nessus
scanner configurations from the Tenable Security Center user interface.

Note: You cannot use Picture in Picture with a Tenable Nessus scanner if you enabled Use Proxy for the
scanner or if the scanner's Authentication Type is SSL Certificate. For more information, see Tenable
Nessus Scanner Settings.

To enable Picture in Picture:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the Security tile.

The Security Configuration page appears.

4. In the Scanners section, click Picture in Picture to enable the toggle.

5. Click Submit.

Tenable Security Center saves your configuration.

What to do next:

• View and manage your Tenable Nessus instances in Tenable Security Center, as described in
View Tenable Nessus Instances in Tenable Security Center.

Disable Picture in Picture

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

To disable Picture in Picture:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the Security tile.

The Security Configuration page appears.

4. In the Scanners section, click Picture in Picture to disable the toggle.

5. Click Submit.

Tenable Security Center saves your configuration.

Tenable One Data

After you configure Tenable Security Center data synchronization to Tenable One in Tenable
Vulnerability Management, you can monitor information about your Tenable One metrics and past
synchronizations. For general information about Tenable One synchronization, see Configure
Tenable One Synchronization.

Tenable Security Center logs all Tenable One synchronization activity. For more information about
the log contents, see View Tenable One Data Synchronization Logs.

Tenable Security Center retrieves your latest Cyber Exposure Score (CES), Assessment Maturity
grade, and Remediation Maturity grade daily from Tenable One in Tenable Vulnerability
Management. For more information about the metrics and timing, see View Tenable One Metrics.

View Tenable One Metrics

Required Additional License: Tenable Lumin

Required User Role: Administrator

After you configure Tenable Security Center data synchronization to Tenable One in Tenable
Vulnerability Management, you can view information about your Tenable One metrics.

Every day at 11:00 PM UTC, Tenable Security Center retrieves data from Tenable One in Tenable
Vulnerability Management.

Note: Newly transferred data does not immediately impact your Tenable Lumin metrics (for
example, your CES). Tenable requires 4 to 6 hours to recalculate your metrics. Recalculated
metrics appear in Tenable Security Center after the next daily retrieval.

For more information, see How long does synchronization take to complete?.

Tip: To view all Tenable Lumin data and take advantage of full Tenable Lumin functionality, see Tenable
Lumin.

To view Tenable One metrics in Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. To view your Cyber Exposure Score, Assessment Maturity grade, and Remediation Maturity
grade, do the following:

a. In the left navigation, click System > Tenable One Data.

The Tenable One Data page appears.

b. In the Metrics section, view data about your Tenable One metrics.

      • An updated Cyber Exposure Score (CES) for the data you synchronized to Tenable One.
      High CES values indicate higher risk.

      • An updated Assessment Maturity grade for the data you synchronized to Tenable One. A
      high grade indicates you are assessing your assets frequently and thoroughly.

      • An updated Remediation Maturity grade for the data you synchronized to Tenable One. A
      high grade indicates you are remediating the vulnerabilities on your assets quickly and
      thoroughly.

   If a metric changed since the last retrieval, Tenable Security Center indicates whether the
   value increased or decreased.

   Tip: If you performed an initial synchronization, Tenable requires up to 48 hours to calculate
   your Tenable Lumin metrics. Then, metrics appear in Tenable Security Center after the next
   daily retrieval. For more information, see How long does synchronization take to complete?.

3. (Requires Tenable Security Center+ license) To view the Asset Criticality Rating for a host,
view details for the host, as described in View Hosts. For more information, see Asset
Criticality Rating in the Tenable Vulnerability Management User Guide.

4. (Requires Tenable Security Center+ license) To view the Asset Exposure Score for a host, view
details for the host, as described in View Hosts. For more information, see Asset Exposure
Score in the Tenable Vulnerability Management User Guide.

View Tenable One Data Synchronization Logs

Required Additional License: Tenable Lumin

Required User Role: Administrator

After you configure Tenable Security Center data synchronization to Tenable One in Tenable
Vulnerability Management, you can view the logs for past synchronizations.

For information about monitoring Tenable One synchronization status, see View Tenable One
Synchronization Status.

To view Tenable One synchronization logs:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Tenable One Data.

The Tenable One Data page appears.

3. In the History section, view data about your logged activity.

Timestamp: The date and time of the logged activity, including the day of the week, the date, and
the time. For example, Tue, 05 Mar 2024 15:42:00.000.

Object Type: The synchronization data type.

Sync Type: The repository or asset synchronization type:

   • Cumulative repository synchronization — The initial synchronization of this repository,
   which included all cumulative database data from the repository.

   • Active repository synchronization — A subsequent synchronization of this repository, which
   included only the new or modified scan result data imported to the repository.

   • Static asset — A synchronization of Static Assets.

   • Dynamic asset — A synchronization of Dynamic Assets.

   • Delete host - A synchronization of deleted Host Assets.

   • Unknown — Indicates an error occurred.

Object ID: The repository ID, asset ID, or host UUID. To locate the ID or UUID for an object, see
View Repository Details, View Asset Details, or View Host Details.

Transfer Duration: For repository or asset synchronizations, the length of time it took Tenable
Security Center to transfer your repository or asset data to Tenable Vulnerability Management. For
host asset deletion synchronizations, the length of time it took Tenable Vulnerability Management
to delete the host asset after the host was deleted in Tenable Security Center.

   Note: The transfer duration does not include the time required for all data and recalculated
   metrics to appear in Tenable One. For more information, see How long does synchronization
   take to complete?.

Status: The status of the repository or asset synchronization:

   • Error — Tenable Security Center failed to transfer your data to Tenable Vulnerability
   Management.

   • Synchronized — Tenable Security Center successfully transferred your data to Tenable
   Vulnerability Management.

   For more information about the time required for all data and recalculated metrics to appear
   in Tenable One, see How long does synchronization take to complete?.

4. To view additional details about your logged activity, click a row in the table.

Repository or asset Message: A message explaining the reason for the synchronization Error
status.

Repository or asset Organization ID: The organization ID. To locate the ID for an organization, see
View Organization Details.

Repository Scan Result ID: The scan result ID. To locate the ID for a scan result, see View Scan
Result Details.

Edit an ACR Manually

Required License: Tenable Security Center+

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can customize an individual host's Asset Criticality Rating (ACR) value to reflect the unique
infrastructure or needs of your organization.

For more information about ACR values, see Asset Criticality Rating in the Tenable Vulnerability
Management User Guide.

Tip: If you want to edit the ACR for a host you imported using a remote repository or by connecting a
managed Tenable Security Center instance to Tenable Security Center Director, log in to the Tenable
Security Center instance that contains the host's data.

Tip: Changes to an ACR value (and recalculations for your ACR values) take effect within 24 hours.

To edit the ACR for a host:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Host Assets.

The Host Assets page appears.

3. In the host assets table, do one of the following:

   • Click the row for the host.

   The Host Asset Details page appears.

   In the Asset Criticality Rating section, click the button.

   • Right-click the row for the host for which you want to edit the ACR.

   The actions menu appears.

   Click Edit ACR.

   • Select the check box for the host for which you want to edit the ACR.

   The available actions appear at the top of the table.

   Click Edit ACR.

   The Edit Asset Criticality Rating plane appears.

4. Do one of the following:

   • To modify the ACR value, click the Asset Criticality Rating slider to increase or decrease
   the ACR.

   • To reset an existing ACR value to the Tenable-provided ACR value, click Reset to
   Tenable ACR.

5. In the Overwrite Reasoning section, select one or more options to include a justification for
your ACR change. For example, if a host in your development lab environment received a
Tenable-assigned ACR appropriate for a public host but not the development host, you can
select Dev Only. If you modify the ACR from the Tenable-provided value, this option is
required.

6. In the Notes box, type a note about your ACR change. If you select Other in the Overwrite
Reasoning section, you must type a note for the change.

7. Click Submit.

Tenable Security Center saves the ACR.

What to do next:
• View the ACR for each host, as described in View Hosts.

Diagnostics Settings
This page displays and creates information that assists in troubleshooting issues that may arise
while using Tenable Security Center.

System Status
You can use this section to view the current status of system functions.

Correct Java Version: Indicates whether the minimum version of Java required to support Tenable
Security Center functionality is installed. For more information, see Before You Upgrade.

Sufficient Disk Space: Indicates whether you have enough disk space to support Tenable Security
Center functionality. A red X indicates the disk is at 95% capacity or higher. For more information,
see Hardware Requirements.

Correct RPM Package Installed: Indicates whether you have the correct Tenable Security Center
RPM installed for your operating system. For more information, see System Requirements.

Debugging: Indicates whether debugging is enabled. You may experience performance and storage
issues if you leave debugging enabled for extended periods of time. For more information, see
Debugging Logs.

Migration Errors: Indicates whether an error occurred during a recent Tenable Security Center
update.

PHP Integrity Errors: Indicates whether any PHP files have been modified from the original version
included in the Tenable Security Center RPM.

Diagnostics File
You can use this section to generate a diagnostics file for troubleshooting with Tenable Support.
For more information, see Generate a Diagnostics File.

Debugging Logs
You can use this section to enable or disable debugging logs for troubleshooting with Tenable
Support. For more information, see Enable Debugging Logs and Disable Debugging Logs.

Note: Tenable does not recommend leaving debugging enabled on Tenable Security Center after you send
the log files to Tenable Support. You may experience performance and storage issues if you leave
debugging enabled for extended periods of time.

Generate a Diagnostics File

Required User Role: Administrator

Tenable Support may ask you to generate a diagnostics file to assist with troubleshooting. The
debug.zip diagnostics file contains files related to the selected chapters. For more information
about diagnostics file options, see Diagnostics File Options.

For more information about Tenable Security Center diagnostics, see Diagnostics Settings.

To generate a diagnostics file for Tenable Support:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Diagnostics.

The Diagnostics page appears.

3. In the Diagnostics File section, click Create Diagnostics File.

The page updates with options to configure the diagnostics file.

4. In the General section, if you want to omit IP addresses from the diagnostics file, click to
enable the Strip IPs from Chapters toggle.

5. In the Chapters section, click the toggles to enable or disable the chapters you want to
include in the diagnostics file.

6. Click Generate File.

Tenable Security Center generates the diagnostics file.

7. Click Download Diagnostics File.

The debug.zip file downloads.

What to do next:
• Share the debug.zip file with Tenable Support for troubleshooting.
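
Step 4 above lets you strip IP addresses before the debug.zip leaves your environment. The following Python helper, added here as an illustration and not part of Tenable Security Center or of this guide, shows the same idea applied to any text you are about to share with a third party: each IPv4 address is replaced by a stable pseudonym so that Support can still see that two lines refer to the same host, while the real address never leaves the organization. The sample log lines are constructed for this example; the helper handles IPv4 only and validates each match so that non-addresses such as 999.1.1.1 or a five-part build number are left untouched.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Added example, not Tenable's own code. Candidate IPv4 addresses: four dotted
# decimal groups not glued to a word character or another dot on either side,
# so "1.2.3.4.5" and "6.3.0.1" inside a longer dotted string are not matched.
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def strip_ips(text: str, mapping: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """Replace every valid IPv4 address with a pseudonym such as <ip-1>.

    The same address always maps to the same pseudonym, so correlations across
    lines survive. Pass the returned mapping back in to keep pseudonyms
    consistent across several files; keep that mapping inside your organization.
    """
    mapping = {} if mapping is None else mapping

    def replace(match: re.Match) -> str:
        candidate = match.group(1)
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ValueError:
            return candidate                  # not an address; leave it alone
        if candidate not in mapping:
            mapping[candidate] = f"<ip-{len(mapping) + 1}>"
        return mapping[candidate]

    return IPV4_CANDIDATE.sub(replace, text), mapping


# Constructed sample log lines (not from a real Tenable Security Center system).
SAMPLE_LOG = """\
2024-06-24 10:15:02 scanner nessus-1 (10.0.0.5:8834) status: up
2024-06-24 10:15:03 repository import from 192.0.2.10 complete
2024-06-24 10:15:09 retry to 10.0.0.5 after timeout
version 6.3.0 build 1.2.3.4.5 host 999.1.1.1 unchanged
"""

if __name__ == "__main__":
    redacted, seen = strip_ips(SAMPLE_LOG)
    print(redacted)
    print("pseudonym table (keep internal):", seen)
```

Because the pseudonym table is the only way back to the real addresses, store it with the same care as the original logs and share only the redacted text.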

Diagnostics File Options

For more information, see Diagnostics Settings and Generate a Diagnostics File.

Option (default)
Description

General

Strip IPs from Chapters (default: Disabled)
When enabled, Tenable Security Center omits IP addresses from the following files:

l sc-configuration.txt

l sc-scans.txt

l sc-setup.txt

l sc-logs.txt

l sc-error.log

l cert.log

l install.log

l upgrade.log

l schemaUpdates*.log

l sc-environment.txt

l sc-telemetry.txt

l /opt/sc/support/error_Log

l /opt/sc/support/*.conf

Only IP addresses are removed. Hostnames, usernames, and other identifying details remain in the archive, so review its contents before you share it outside your organization.

Chapters

System Information (default: Enabled)
Include information about the Tenable Security Center host system in the diagnostic file (sc-systeminfo.txt).

Scan Information (default: Enabled)
Include information about scans, scan results, and freeze windows in the diagnostic file (sc-scaninfo.txt). For more information, see Active Scans, Agent Scanning, and Freeze Windows.

Setup (default: Enabled)
Include information about the following Tenable Security Center resources in the diagnostic file (sc-setup.txt):

l Active users

l Tenable Nessus Scanners

l Tenable Nessus Network Monitor Instances

l Tenable Log Correlation Engines

l Scan Zones

l Schedules

l Job Queue Events

l Assets

l Repositories

l Organizations

l User Roles

l Reports

l Report results

l Audit Files

Logs (default: Enabled)
Include administrator logs, organization logs, Tenable Security Center error logs, and the certificate log in the diagnostic file (sc-logs.txt, sc-error.log, and cert.log).

Environment (default: Enabled)
Include information about the tns user environment in the diagnostic file (sc-environment.txt).

Directory Listing (default: Enabled)
Include a directory listing in the diagnostic file (sc-dirlisting.txt). For more information, see Tenable Security Center Communications and Directories.

Dependency (default: Enabled)
Include information about Tenable Security Center dependencies in the diagnostic file (sc-depsinfo.txt). For more information, see Dependencies.

Upgrade Log (default: Enabled)
Include a log of Tenable Security Center upgrade events in the diagnostic file (upgrade.log).

Install Log (default: Enabled)
Include a log of Tenable Security Center installation events in the diagnostic file (install.log).

Apache Log (default: Enabled)
Include a log of web server requests in the diagnostic file (/opt/sc/support/error_Log).

Application Conf (default: Enabled)
Include Tenable Security Center configuration details in the diagnostic file (sc-configuration.txt).

Server Conf (default: Enabled)
Include server configuration details in the diagnostic file (/opt/sc/support/*.conf).

User Information (default: Enabled)
Include a list of users in the diagnostic file (sc-users.txt). The list includes the following details:

l For administrators, the user ID and role ID

l For organizational users, the user ID, role ID, and group ID

For more information about ID values, see View User Details, View User Role Details, and View Group Details.

Include Names (default: Disabled)
(If User Information is enabled) Include usernames and user display names for each user in the diagnostic file. For more information, see User Account Options.

Tip: The display name combines the user's First Name and Last Name.

Enable Debugging Logs

Required User Role: Administrator

You can enable debugging to generate logs for troubleshooting with Tenable Support.

To enable debugging:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Diagnostics.

The Diagnostics page appears.

3. In the Debugging Logs section, select one or more debugging logs Tenable Support asked you
to enable.

4. Click Save Debug Settings.

Tenable Security Center enables the debugging logs you selected and saves the
corresponding log files to /opt/sc/admin/logs.

What to do next:
l Download the debugging logs, as described in Download Debugging Logs.

l Share the debugging log files with Tenable Support.

l Disable any unneeded debugging logs, as described in Disable Debugging Logs.

Note: Tenable does not recommend leaving debugging enabled on Tenable Security Center after you
send the log files to Tenable Support. You may experience performance and storage issues if you
leave debugging enabled for extended periods of time.

Note: Collected debug logs contained in the debug archive are automatically deleted during the
scheduled nightly cleanup.

Download Debugging Logs

Required User Role: Administrator

You can download debugging logs for troubleshooting with Tenable Support.

Before you begin:


l Enable debugging logs, as described in Enable Debugging Logs.

To download debugging logs:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Diagnostics.

The Diagnostics page appears.

3. In the Download Debugging Logs section, click Collect Log Files.

Tenable Security Center generates the debugging log files you selected.

4. Click Download Debug File.

The debugging logs download.

What to do next:
l Share the files with Tenable Support.

l Disable any debugging logs as needed, as described in Disable Debugging Logs.

Note: Tenable does not recommend leaving debugging enabled on Tenable Security Center after you
send the log files to Tenable Support. You may experience performance and storage issues if you
leave debugging enabled for extended periods of time.

Note: Collected debug logs contained in the debug archive are automatically deleted during the
scheduled nightly cleanup.

Disable Debugging Logs

Required User Role: Administrator

Tenable does not recommend leaving debugging enabled on Tenable Security Center after you send
the log files to Tenable Support. You may experience performance and storage issues if you leave
debugging enabled for extended periods of time.

For more information about debugging logs, see Debugging Logs.

To disable debugging:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click System > Diagnostics.

The Diagnostics page appears.

3. In the Debugging Logs section:

l To disable individual debugging logs, deselect the logs.

l To disable all debugging logs, click Deselect All.

4. Click Save Debug Settings.

Tenable Security Center disables the debugging logs you deselected.

What to do next:
l Follow Tenable Support's instructions to manually remove old debugging log files from
/opt/sc/admin/logs.

Job Queue Events


Path: System > Job Queue

Job Queue is a Tenable Security Center feature that displays specified events in a list for review.

You can view and sort Job Queue notifications in several ways by clicking the desired sort column. Using the menu next to an item, you can view that item in more detail or, if the job is running, kill the process. Kill a process only as a last resort, because doing so may have undesirable effects on other Tenable Security Center processes.

System Logs
Tenable Security Center logs contain detailed information about functionality to troubleshoot
unusual system or user activity. You can use the system logs for debugging and for maintaining an
audit trail of users who access Tenable Security Center or perform basic functions (for example,
changing passwords, recasting risks, or running Nessus scans).

To view system logs:

1. Log in to Tenable Security Center via the user interface.

2. Click System > System Logs (Administrator users) or Username > System Logs
(Organizational users).

The System Logs page appears.

3. To filter the logs, see Apply a Filter.

The page updates to reflect the filter you applied.

View System Logs

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see System Logs.

To view system logs:

1. Log in to Tenable Security Center via the user interface.

2. Click System > System Logs (Administrator users) or Username > System Logs
(Organizational users).

The System Logs page appears.

3. To filter the logs, see Apply a Filter.

The page updates to reflect the filter you applied.

Publishing Sites Settings


Path: System > Publishing Sites

Organizations may configure publishing sites as targets to send report results to a properly
configured web server or a Defense Information Systems Agency (DISA) Continuous Monitoring and
Risk Scoring (CMRS) site.

Option
Description

Name
Type a name for the publishing site.

Description
Type a description of the publishing site.

Type
The method Tenable Security Center uses to publish to the site. Available options are HTTP Post or CMRS. Use the selection appropriate for the configuration of the publishing site.

Max Chunk Size (MB)
If the target is a CMRS site, Tenable Security Center sends the report in chunks sized according to this value.

URI
The target address to send the report to when completed.

Use Proxy
When enabled, the publishing site leverages the web proxy defined in the Web Proxy settings.

Authentication
There are two methods of authentication available: SSL Certificate and Password.

Username / Password
If you select Password as the Authentication method, the credentials to authenticate to the target publishing server.

Certificate
If you selected SSL Certificate as the Authentication method, the certificate you want to use for authentication.

Organizations
Select the organization(s) that are allowed to publish to the configured site.

Verify Host
When enabled, Tenable Security Center verifies that the target address specified in the URI option matches the CommonName (CN) in the SSL certificate from the target publishing server. Disable this only while troubleshooting: without the check, Tenable Security Center does not detect a server that presents a certificate issued for a different name, and report results could be delivered to the wrong host.

Keys Settings
Keys allow administrator users to use key-based authentication with a remote Tenable Security
Center (remote repository) or between a Tenable Security Center and a Tenable Log Correlation
Engine server. This also removes the need for Tenable Security Center administrators to know the
administrator login or password of the remote system.

Note: The public key from the local Tenable Security Center must be added to the Keys section of the
Tenable Security Center from which you wish to retrieve a repository. If the keys are not added properly,
the remote repository add process prompts for the root username and password of the remote host to
perform a key exchange before the repository add/sync occurs.

For more information, see Add a Key, Delete a Key, and Download the Tenable Security Center
SSH Key.

Remote Tenable Log Correlation Engine Key Exchange

A manual key exchange between the Tenable Security Center and the Tenable Log Correlation
Engine is normally not required; however, in some cases where remote root login is prohibited or
key exchange debugging is required, you must manually exchange the keys.

For the remote Tenable Log Correlation Engine to recognize the Tenable Security Center, you need
to copy the SSH public key of the Tenable Security Center and append it to the
/opt/lce/.ssh/authorized_keys file. The /opt/lce/daemons/lce-install-key.sh script
performs this function. For more information, see Manual Log Correlation Engine Key Exchange.

Add a Key

Required User Role: Administrator

For more information, see Keys Settings.

To add a new key:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Keys.

The Keys page appears.

3. At the top of the table, click Add.

The Add Key page appears.

4. In the Type drop-down, select DSA or RSA.

Note: OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0, so a current remote host normally rejects them. Use RSA unless the remote system is known to accept DSA.

5. In the Comment box, add a description or note about the key.

6. In the Public Key box, type the text of your public key from your remote Tenable Security
Center.

7. Click Submit.

Tenable Security Center saves your configuration.

Delete a Key

Required User Role: Administrator

For more information, see Keys Settings.

To delete a key:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Keys.

3. Select the key you want to delete:

To delete a single key:


a. In the table, right-click the row for the key you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple keys:


a. In the table, select the check box for each key you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the key.

Download the Tenable Security Center SSH Key

Required User Role: Administrator

For more information, see Keys Settings.

To download the Tenable Security Center SSH key:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Keys.

3. At the top of the table, click Download Tenable Security Center Key.

The Tenable Security Center SSH key downloads.

Notifications
To view your Tenable Security Center notifications, in the top navigation bar, click your user profile icon > Notifications or the notifications icon > Show More. Notifications are cleared after 30 days.

Note: If you upgrade from a previous version of Tenable Security Center to version 6.4.0 or
later, all existing notifications will be deleted.

In Tenable Security Center, certain events can display a pop-up in the lower right-hand corner of
the Tenable Security Center user interface. When you click on a notification, the Notifications page
appears.

The Notifications page displays a list of notifications for your Tenable Security Center instance.
You can filter these notifications by time frame. For general information about using filters, see
Filters.

User Profile Menu Settings


The user profile icon in the top navigation bar opens a menu with options to manage your user
account.

Note: Depending on the screen resolution, the username may not appear next to the user icon in the top
navigation bar.

About
Path: Your user profile icon > About

The About menu item displays the Tenable Security Center version, Server Build ID, and copyright
information.

System Logs (Organizational Users Only)


Path: Your user profile icon > System Logs

For a complete discussion about system logs, see System Logs.

Profile (Organizational Users Only)


Path: Your user profile icon > Profile

The Profile option launches the Edit User Profile page, where you can modify some of your user
account information and permissions. For more information about user account options, see User
Account Options.

Feeds (Organizational Users Only)


Path: Your user profile icon > Feeds

The Feeds option displays information about the Tenable Security Center feeds and plugin sets and,
if permitted, a link to update the plugins either through Tenable Security Center or by manually
uploading plugins. The displayed feeds are for Tenable Security Center Feed, Active Plugins,
Passive Plugins, and Event Plugins. You can only update feeds with valid Activation Codes.

Plugins are scripts used by the Tenable Nessus, Tenable Nessus Network Monitor, and Log
Correlation Engine servers to interpret vulnerability data. For ease of operation, Tenable Security
Center centrally manages Tenable Nessus and Tenable Nessus Network Monitor plugins and pushes
the plugins out to their respective scanners. Log Correlation Engine servers download their own
event plugins and Tenable Security Center downloads event plugins for its local reference. Tenable
Security Center does not currently push event plugins to Log Correlation Engine servers.

For more information about plugin/feed settings, see Configuration Settings and Edit Plugin and
Feed Settings and Schedules.

Notifications
Path: Your user profile icon > Notifications or the notifications icon > Show More

In Tenable Security Center, specified events can display a pop-up in the lower right-hand corner of
the Tenable Security Center user interface.

Some events in Tenable Security Center also cause a notification to appear on the notifications icon in the top navigation bar.

For more information, see Notifications.

Plugins
Path: Your user profile icon > Plugins

Plugins are scripts used by the Tenable Nessus, Tenable Nessus Network Monitor, and Log
Correlation Engine servers to interpret vulnerability data. For ease of operation, Tenable Nessus
and Tenable Nessus Network Monitor plugins are managed centrally by Tenable Security Center and
pushed out to their respective scanners. Log Correlation Engine servers download their own event
plugins and Tenable Security Center downloads event plugins for its local reference. Tenable
Security Center does not currently push event plugins to Log Correlation Engine servers.

In the Plugins interface, use the filtering tools to find specific plugins, then click the information icon next to a Plugin ID to view that plugin's details and source.

For more information about custom plugins, see Custom Plugin Packages for NASL and CA
Certificate Upload.

Help
Path: Your user profile icon > Help

The Help option opens the Tenable Security Center User Guide section for your page. To access
other Tenable documentation, see https://docs.tenable.com/.

Logout
To end your session in Tenable Security Center, click Your user profile icon > Logout. Tenable
recommends closing your browser window after logging out.

Plugin Filter Components


For general information about using filters, see Filters.

Filter Component
Description

BID
Filters plugins based on the BID.

Cross References
Filters plugins based on a search against the cross reference information.

CVE ID
Displays plugins based on one or more CVE IDs. Type multiple IDs as a comma-separated list (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

Exploit Available
If set to yes, displays only plugins for vulnerabilities for which a known public exploit exists.

MS Bulletin ID
Displays plugins based on one or more Microsoft Bulletin IDs. Type multiple IDs as a comma-separated list (e.g., MS10-012,MS10-054,MS11-020).

Name
Type all or a portion of the actual plugin name. For example, entering MS08-067 displays plugins named MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check). Similarly, entering the string uncredentialed displays a list of plugins with that string in the name.

Patch Modified
Tenable plugins contain information about when a patch was last modified. This filter allows users to search based on when a particular patch was modified:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Patch Published
Some plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a vulnerability's patch became available:

l None (displays plugins for vulnerabilities that do not have a patch available)

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin ID
Type the plugin ID desired or a range based on a plugin ID. Available operators are equal to (=), not equal to (!=), greater than or equal to (>=), and less than or equal to (<=).

Plugin Modified
Tenable plugins contain information about when a plugin was last modified. This filter allows users to search based on when a particular plugin was modified:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin Published
Tenable plugins contain information about when a plugin was first published. This filter allows users to search based on when a particular plugin was created:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin Type
Select whether to filter plugin types by active, compliance, event, passive, or WAS plugins.

Vulnerability Published
When available, Tenable plugins contain information about when a vulnerability was published. This filter allows users to search based on when a particular vulnerability was published:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Security End of Life Date
When available, Tenable plugins contain information about software end of life dates. This filter allows users to search based on when a particular piece of software reaches end of life:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Vulnerability Priority Rating (VPR)
Displays plugins for vulnerabilities within the chosen VPR range. For more information, see CVSS vs. VPR.

Tip: The Vulnerabilities page displays vulnerabilities by plugin. The VPR that appears is the highest VPR of all the vulnerabilities associated with that plugin.

Custom Plugin Packages for NASL and CA Certificate Upload

Note: Tenable does not support troubleshooting custom plugin packages for NASL.

You can upload a custom plugin package as a .tar.gz or .tgz file. Depending on your needs, you
must include a combination of the following files:

l A custom_feed_info.inc file. Always include this file to time stamp your upload to Tenable
Security Center.

l (Optional) A custom_nasl_archive.tar.gz or custom_nasl_archive.tgz file. Include this


file if you are uploading one or more custom plugins.

l (Optional) A custom_CA.inc file. Include this file if you are uploading one or more CA
certificates to solve a Tenable Nessus scanning issue.

After you Create the Custom Plugin Package and Upload the Custom Plugin Package, Tenable
Security Center pushes the package to Tenable Nessus for use when scanning.

Note: The system untars the files within your custom plugin package and overwrites any
identically named files already in Tenable Security Center or Tenable Nessus.

custom_feed_info.inc Guidelines
Always include this file to time stamp your upload to Tenable Security Center. This text file must
contain the following lines:

PLUGIN_SET = "YYYYMMDDHHMM";
PLUGIN_FEED = "Custom";

The PLUGIN_SET variable YYYYMMDDHHMM is the date and time 2 minutes in the future from when
you plan to upload the file to Tenable Security Center.

custom_nasl_archive.tar.gz or custom_nasl_archive.tgz
Guidelines
Include this file if you are uploading one or more custom plugins. This package must contain one or
more custom plugin NASL files.

All custom plugins must have unique Plugin ID numbers and have family associations based on
existing Tenable Security Center families.

Note: Tenable Support does not assist with creating custom plugin NASL files.

custom_CA.inc Guidelines
Include this file if you are uploading one or more CA certificates to solve a Tenable Nessus scanning
issue. This text file must contain PEM-encoded (Base64) CA certificate text.

For troubleshooting information, see Troubleshooting Issues with the custom_CA.inc File.

One CA Certificate

If you need to include a single CA certificate, paste the PEM-encoded (Base64) certificate directly
into the file.

-----BEGIN CERTIFICATE-----
certificatetext
certificatetext
certificatetext
certificatetext
-----END CERTIFICATE-----

Multiple CA Certificates

If you need to include two or more CA certificates, include the PEM-encoded (Base64) certificates
back-to-back.

-----BEGIN CERTIFICATE-----
certificate1text
certificate1text
certificate1text
certificate1text
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificate2text
certificate2text
certificate2text
certificate2text
-----END CERTIFICATE-----

Create the Custom Plugin Package

Required User Role: Administrator

For complete information, see Custom Plugin Packages for NASL and CA Certificate Upload.

To create the .tar.gz or .tgz custom plugin package:

1. Prepare the individual text files you want to include in the custom plugins package.

l custom_nasl_archive.tar.gz or custom_nasl_archive.tgz

l custom_feed_info.inc

l custom_CA.inc

Confirm the files meet the requirements described in Custom Plugin Packages for NASL and
CA Certificate Upload.

Note: After upload, the system untars the files within your custom plugin package and overwrites
any identically named files already in Tenable Security Center or Tenable Nessus.

2. In the command line interface (CLI) on a Linux host, use GNU tar to tar and compress the files together. (Packages created with 7-Zip or with the default tar on macOS do not work for this.) For example:

# tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc

The system generates a .tar.gz or .tgz file.
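The procedure above, as an added example script that is not part of the Tenable documentation or product: it writes custom_feed_info.inc with a PLUGIN_SET stamp two minutes ahead, checks that custom_CA.inc holds well-formed back-to-back PEM blocks, packs only the three permitted file names with GNU tar, and lists the result before upload. The function names, the assumption of GNU tar and GNU date on a Linux host, and the use of the host's local time for the stamp are this example's own.

```shell
#!/bin/sh
# Added example (not Tenable's tooling): assemble and sanity-check a custom plugin
# package for Tenable Security Center. Assumes GNU tar and GNU date on a Linux host
# and that the input files already exist in one directory under their required names.
set -eu

# PLUGIN_SET must be a YYYYMMDDHHMM stamp that is still in the future when you upload;
# the guide suggests two minutes ahead. GNU date; the host's local time is assumed.
future_stamp() {
    date -d '+2 minutes' +%Y%m%d%H%M
}

# Write custom_feed_info.inc with the two required lines. $1 = stamp, $2 = output path
write_feed_info() {
    printf 'PLUGIN_SET = "%s";\nPLUGIN_FEED = "Custom";\n' "$1" > "$2"
}

# Validate custom_CA.inc: every BEGIN marker needs a matching END marker and there must
# be at least one block. Prints the certificate count on success, returns 1 otherwise.
count_pem_certs() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Build the upload archive from whichever of the allowed files are present.
# $1 = archive path, $2 = directory holding the files. Only the names the guide lists
# are packed, so stray files in the directory cannot overwrite files on the scanner.
build_package() {
    archive=$1
    dir=$2
    members=""
    for f in custom_feed_info.inc custom_nasl_archive.tar.gz custom_nasl_archive.tgz custom_CA.inc; do
        if [ -f "$dir/$f" ]; then
            members="$members $f"
        fi
    done
    [ -n "$members" ] || return 1
    # $members is intentionally unquoted: a space-separated list of fixed file names
    tar -zcf "$archive" -C "$dir" $members
}

# List the archive so a corrupt or empty package is caught before upload; prints the
# number of members.
package_members() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# Typical use on the host where you build the package:
#   write_feed_info "$(future_stamp)" ./custom_feed_info.inc
#   count_pem_certs ./custom_CA.inc
#   build_package ./upload_this.tar.gz .
#   package_members ./upload_this.tar.gz
```

Because Tenable Security Center untars the package and overwrites identically named files on itself and on Tenable Nessus, packing an explicit list of file names rather than a wildcard is the safeguard worth keeping from this script.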

What to do next:
l Upload the .tar.gz or .tgz file, as described in Upload the Custom Plugin Package.

Upload the Custom Plugin Package

Required User Role: Administrator

For complete information, see Custom Plugin Packages for NASL and CA Certificate Upload.

Before you begin:


l Create the .tar.gz or .tgz custom plugin file, as described in Create the Custom Plugin
Package.

Upload the .tar.gz or .tgz file to Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Click Username > Plugins.

The Plugins page appears.

3. Click Upload Custom Plugins and select the .tar.gz or .tgz file.

4. Click Submit.

Tenable Security Center uploads the package and pushes it to Tenable Nessus.

What to do next:
l To verify the upload succeeded, click System > System Logs.

l To verify the upload resolved a validation issue, run another scan that includes plugin 51192.
Verify that Nessus has the custom plugin bundle by checking its plugin directory.

Troubleshooting Issues with the custom_CA.inc File

If uploading a custom_CA.inc file does not resolve your issue, confirm your file meets the
requirements described in custom_CA.inc Guidelines. Then, use these tips to continue
troubleshooting.

The /opt/sc/data/customNasl/custom_CA.inc file


If Tenable Security Center is not installed on the Appliance, check the uploaded custom_CA.inc with the following command: # cat /opt/sc/data/customNasl/custom_CA.inc.

The output should match the custom_CA.inc file that you checked in a text editor in step 1 above. If the file does not exist, the upload was not successful. If the file does not match, the most recent upload may not have been successful. Repeat the steps above for creating and uploading upload_this.tar.gz and confirm that each step completes correctly.

The /opt/nessus/lib/nessus/plugins/custom_CA.inc or
\ProgramData\Tenable\Nessus\nessus\plugins\custom_CA.inc
file

If Tenable Nessus is not installed on the Appliance, navigate to the plugins folder and use cat (Linux) or type (Windows) on custom_CA.inc to verify that it exists and matches the custom_CA.inc contents verified in steps 1 and 2 above. If custom_CA.inc does not exist in the plugins folder, or does not match the most recent custom_CA.inc in Tenable Security Center, it has not propagated to the scanner. Check Resources > Nessus Scanners in Tenable Security Center to see if the scanner is still updating plugins. If it is in a Working state, try updating the active plugins in Tenable Security Center to prompt a plugin push. If the plugin feed version has not incremented and you must push plugins immediately, see the following article: Force plugin update on scanner managed by Tenable Security Center (comparable to nessus-update-plugins -f).

The plugin 51192 output details


Adding the custom CA certificate to custom_CA.inc does not resolve the issue if the service is missing intermediate certificate(s), if the service presents a self-signed or vendor default certificate (for example, one issued by a name such as Nessus Certification Authority rather than the server name) instead of a certificate signed by your custom CA, if the certificate is expired, and so on.

Look at the detailed plugin output of 51192 to see exactly why the certificate is untrusted. If
custom_CA.inc can fix it, the output states that the certificate at the top of the certificate chain is
unrecognized, and the certificate it shows is either issued by the custom CA (matching the name
exactly) or the actual custom CA self-signed certificate.

Backup and Restore


Tenable recommends performing regular backups of the Tenable Security Center data in your
/opt/sc directory. When you restore a backup, the file overwrites the content in your /opt/sc
directory.

Data backup requirements:

l You must restore a backup file to a Tenable Security Center running the same version. For
example, you cannot restore a backup file created on version 6.0.0 to a Tenable Security
Center running Tenable Security Center 6.1.0.

l You must restore a backup file to the same Tenable Security Center where you created the
backup file. The hostname associated with the backup file must match the hostname on the
receiving Tenable Security Center. For example, you cannot restore a backup file created on a
Tenable Security Center with the hostname Example1 to a Tenable Security Center with the
hostname Example2.

For more information, see Perform a Backup and Restore a Backup.

Configuration Backups
Tenable recommends performing regular backups of your Tenable Security Center configuration in
addition to your Tenable Security Center data. You can restore a configuration backup to quickly
resume normal Tenable Security Center operation as part of your disaster recovery plan.

Configuration backups do not include data (such as vulnerability data, trend data, licenses, or
secure connection settings). When your repositories contain new vulnerability data, you can use
your dashboards, reports, and analysis tools to assess your network.

Note: After you restore a configuration backup, Tenable recommends performing discovery scans to re-
populate your repositories with vulnerability data. For more information, see Scanning Overview.

Configuration backup requirements:

l You must restore a backup file to a Tenable Security Center running the same version. For
example, you cannot restore a backup file created on version 5.20.0 to a Tenable Security
Center running Tenable Security Center 5.21.0.

Note: For best performance, after restoring a configuration backup, ensure the hostname associated with
the configuration backup file matches the hostname on the receiving Tenable Security Center.

For more information, see Perform a Configuration Backup and Restore a Configuration Backup.

Configurations Included in a Configuration Backup

Category
Configurations

Users
User accounts, user roles, groups, and organizations

Resources
Tenable Nessus scanners, Tenable Nessus Network Monitor instances, Log Correlation Engines, LDAP servers, and scan zones

System
Configuration settings (including data expiration settings, external schedules settings, Tenable Lumin settings, mail settings, miscellaneous settings, license settings, plugins/feed settings, SAML settings, and security settings), publishing sites settings, keys settings, and schedules

Scanning
Active scans, agent synchronization jobs, agent scans, freeze windows, credentials, scan policies, audit files, assets, repositories, and compliance check plugin entries

Reporting
Dashboards, Assurance Report Cards, report definitions, report images, and CyberScope and DISA report attributes

Workflow
Alerts

Analysis
Queries

Automatic Backups
Tenable Security Center performs automatic nightly backups of the following databases:

l /opt/sc/application.db

l /opt/sc/hosts.db

l /opt/sc/jobqueue.db

l /opt/sc/plugins.db

l /opt/sc/remediationHierarchy.db

l /opt/sc/orgs/<orgID>/organization.db (for each organization in your Tenable Security Center)

l /opt/sc/orgs/<orgID>/assets.db (for each organization in your Tenable Security Center)

Automatic backups run nightly at 1:20 AM local time. This schedule cannot be changed.

Tenable Security Center stores backups in the same directory as the database.

Perform a Backup

Required User Role: Root user

For more information about the backup and restore process, see Backup and Restore.

To perform a backup of Tenable Security Center data:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center stops.

3. In the CLI in Tenable Security Center, run the following command to view all running
processes:

# ps -fu tns

4. If any processes are listed, run the following commands to stop them:

# killall -u tns

# killall httpd

Note: These commands stop all jobs (including scans) running on Tenable Security Center.

5. If necessary, repeat step 4 to confirm all processes stopped.

6. Run the following command to create a .tar file for your /opt/sc directory:

# tar -pzcf sc_backup.tar.gz /opt/sc

Note: The .tar file switches are case-sensitive.

Tenable Security Center creates the backup file.

7. Run the following command to confirm the backup file is not corrupted:

# tar -tvf sc_backup.tar.gz

8. Move the backup file to a secure location.

9. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center starts.

What to do next:
l (Optional) Restore the backup file, as described in Restore a Backup.
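Steps 3 through 8 above amount to a repeatable check: nothing is still running as tns, /opt/sc is archived, the archive is proven readable, and the file is protected before it leaves the host. The POSIX shell functions below are an added example, not part of this guide or of Tenable Security Center; they assume GNU or BSD tar and a sha256sum or shasum binary, and the directory tree used in the usage lines is constructed rather than a real /opt/sc.

```shell
#!/bin/sh
# Added example: wrap the guide's backup steps in checked functions.

# True if any process still runs as the tns user (the guide's `ps -fu tns` check).
# Call this only after Tenable Security Center has been stopped.
sc_processes_still_running() {
    ps -u tns -o pid= 2>/dev/null | grep -q .
}

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# sc_full_backup SRC_DIR OUT_ARCHIVE
# Archives SRC_DIR (normally /opt/sc) with the leading "/" stripped, which is what
# `tar -pzcf sc_backup.tar.gz /opt/sc` produces, so the archive restores from "/".
# Then proves the archive can be listed (the guide's step 7) and records a SHA-256
# sidecar so corruption on the way to the "secure location" is detectable.
# Returns 0 on success, 1 if tar failed or the archive is unreadable, 2 on bad input.
sc_full_backup() {
    src=$1
    out=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    # The archive holds scan credentials, keys and user accounts: create it 0600.
    ( umask 077 && tar -czf "$out" -C / "${src#/}" ) || return 1
    tar -tzf "$out" >/dev/null 2>&1 || { echo "archive unreadable: $out" >&2; return 1; }
    sha256_file "$out" > "$out.sha256"
    chmod 600 "$out" "$out.sha256"
    return 0
}

# sc_verify_backup OUT_ARCHIVE
# Returns 0 if the archive still matches its SHA-256 sidecar, 1 otherwise.
# Run this on the receiving host before `cd / && tar -xvf`.
sc_verify_backup() {
    [ -f "$1.sha256" ] || return 1
    [ "$(sha256_file "$1")" = "$(cat "$1.sha256")" ]
}

# Usage on a real host (as root, after stopping Tenable Security Center):
#   sc_processes_still_running && { killall -u tns; killall httpd; }
#   sc_full_backup /opt/sc /root/sc_backup.tar.gz && sc_verify_backup /root/sc_backup.tar.gz
```

The checksum sidecar is the part the guide leaves implicit: `tar -tvf` proves the archive was intact when it was written, while the sidecar lets the receiving host prove it is still intact before it is extracted over /opt/sc.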

Restore a Backup

Required User Role: Root user

For more information about the backup and restore process, see Backup and Restore.

Before you begin:


l Perform a backup of your Tenable Security Center, as described in Perform a Backup.

l Confirm your receiving Tenable Security Center meets the requirements described in Backup
and Restore.

l Move the backup file to your receiving Tenable Security Center's /tmp directory.

To restore a backup file:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center stops.

3. In the CLI in Tenable Security Center, run the following command to view all running
processes:

# ps -fu tns

4. If any processes are listed, run the following commands to stop them:

# killall -u tns

# killall httpd

Note: These commands stop all jobs (including scans) running on Tenable Security Center.

5. If necessary, repeat step 4 to confirm all processes are stopped.

6. Run the following commands to extract the .tar file over the existing /opt/sc directory (files that exist in /opt/sc but not in the archive are left in place):

# cd /

# tar -xvf /tmp/sc_backup.tar.gz

Note: The .tar file switches are case-sensitive.

The restore finishes.

7. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center starts.

Perform a Configuration Backup

Required User Role: Root user

For more information about the backup and restore process and the configurations included in a
configuration backup, see Backup and Restore.

Before you begin:


l If you uploaded custom plugins, save a copy of your custom plugins in a safe location.

To perform a backup of your Tenable Security Center configuration:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center stops.

3. In the CLI in Tenable Security Center, do one of the following:

l To save the configuration backup file to a local directory, run the following command,
where [local directory path] is the local directory where you want to save the
backup file:

/opt/sc/support/bin/php /opt/sc/src/tools/backupSCConfiguration.php -l [local directory path]

For example:

/opt/sc/support/bin/php /opt/sc/src/tools/backupSCConfiguration.php -l /tmp/

l To save the configuration backup file to a remote directory, run the following command,
where [remote directory absolute path] is the absolute path to the remote
directory where you want to save the backup file:

/opt/sc/support/bin/php /opt/sc/src/tools/backupSCConfiguration.php -r
[user]@[host]:[remote absolute path to configuration backups directory]

For example:

/opt/sc/support/bin/php /opt/sc/src/tools/backupSCConfiguration.php -r
tns@100.100.100.100:/tmp/

Tenable Security Center creates the configuration backup file and saves it to the specified
directory.

Tip: The configuration backup file name includes the backup date and time, the Tenable Security
Center hostname, and the Tenable Security Center version (for example, SC-config-20211101-
165111-sc-hostname-5_20_0.tar.gz).

4. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center starts.

What to do next:
l (Optional) Restore the configuration backup file, as described in Restore a Configuration
Backup.

Restore a Configuration Backup

Required User Role: Root user

For more information about the backup and restore process and the configurations included in a
configuration backup, see Backup and Restore.

Note: For best performance, after restoring a configuration backup, ensure the hostname associated with
the configuration backup file matches the hostname on the receiving Tenable Security Center.

Before you begin:

1. Perform a configuration backup of your Tenable Security Center, as described in Perform a


Configuration Backup.

2. Confirm your receiving Tenable Security Center meets the requirements described in Backup
and Restore.

To restore a configuration backup file:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Stop Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center stops.

3. In the CLI in Tenable Security Center, run the following command to restore the configuration
backup, where [path to backup file] is the path to the backup file you want to restore:

/opt/sc/support/bin/php /opt/sc/src/tools/restoreSCConfiguration.php -l [path to backup file]

For example:

/opt/sc/support/bin/php /opt/sc/src/tools/restoreSCConfiguration.php -l /tmp/SC-config-20211101-165111-sc-hostname-5_20_0.tar.gz

Tenable Security Center restores the configuration backup.

4. Start Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

Tenable Security Center starts.

What to do next:

1. If you uploaded custom plugins before restoring your Tenable Security Center configuration,
re-upload the custom plugins. For more information, see Custom Plugin Packages for
NASL and CA Certificate Upload.

2. Perform discovery scans to re-populate your repositories with vulnerability data. For more
information, see Scanning Overview.
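The two restore requirements from Backup and Restore (identical version, matching hostname recommended) can be checked from the backup file name before restoreSCConfiguration.php is run, because the name embeds both values. The POSIX shell functions below are an added example, not part of this guide or of Tenable Security Center; they assume only the file-name pattern shown in the tip above, and the receiving host's version and hostname are passed in as arguments since how you obtain them is your choice.

```shell
#!/bin/sh
# Added example: check a configuration backup file name against the receiving
# Tenable Security Center before restoring it.

# parse_sc_config_backup PATH
# Prints "<YYYYMMDD> <HHMMSS> <hostname> <version>" for a file named like
# SC-config-20211101-165111-sc-hostname-5_20_0.tar.gz, or nothing if the name
# does not fit that pattern. Hostnames may contain hyphens, so the fixed
# date/time prefix and version suffix are matched and the middle is taken as-is.
parse_sc_config_backup() {
    basename "$1" | sed -n \
        's/^SC-config-\([0-9]\{8\}\)-\([0-9]\{6\}\)-\(.*\)-\([0-9]\{1,\}_[0-9]\{1,\}_[0-9]\{1,\}\)\.tar\.gz$/\1 \2 \3 \4/p'
}

# check_config_backup_compat PATH LOCAL_VERSION LOCAL_HOSTNAME
# LOCAL_VERSION is the dotted version of the receiving host (for example 5.20.0)
# and LOCAL_HOSTNAME its hostname.
# Returns 0 if the versions match (a hostname mismatch is only warned about,
# since the guide recommends but does not require it), 1 on version mismatch,
# 2 if the file name cannot be parsed.
check_config_backup_compat() {
    file=$1
    local_version=$2
    local_host=$3
    parsed=$(parse_sc_config_backup "$file")
    [ -n "$parsed" ] || { echo "unrecognised configuration backup name: $file" >&2; return 2; }
    set -- $parsed
    backup_host=$3
    backup_version=$(echo "$4" | tr '_' '.')
    if [ "$backup_version" != "$local_version" ]; then
        echo "REFUSE: backup is from version $backup_version, this host runs $local_version" >&2
        return 1
    fi
    if [ "$backup_host" != "$local_host" ]; then
        echo "WARN: backup was taken on '$backup_host', this host is '$local_host'" >&2
    fi
    return 0
}

# Usage on the receiving host (5.20.0 stands for whatever version it runs):
#   f=/tmp/SC-config-20211101-165111-sc-hostname-5_20_0.tar.gz
#   check_config_backup_compat "$f" 5.20.0 "$(hostname)" &&
#       /opt/sc/support/bin/php /opt/sc/src/tools/restoreSCConfiguration.php -l "$f"
```

Refusing on a version mismatch rather than warning mirrors the requirement stated in Backup and Restore; the hostname check is advisory only, matching the "for best performance" wording of the note above.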

Tenable One Synchronization


You can use Tenable One to quickly and accurately assess your Cyber Exposure risk and compare
your health and remediation performance to other Tenable customers in your Salesforce industry
and the larger population. Tenable Lumin correlates raw vulnerability data with asset business
criticality and threat context data to support faster, more targeted analysis workflows than
traditional vulnerability management tools. For more information about Tenable One, see Tenable
One.

After you acquire a Tenable Lumin license for use with Tenable Security Center, you can configure
Tenable Security Center synchronization to send limited Tenable Security Center data to Tenable
Vulnerability Management for use in Tenable One analysis. Tenable Security Center communicates
with Tenable Vulnerability Management using an encrypted connection, as described in Encryption
Strength.

When you send data to Tenable Vulnerability Management, the system does not remove the data
from your Tenable Security Center. You can continue normal operation of Tenable Security Center.

For more information, see:

l Plan Your Tenable One Synchronization

l Configure Tenable One Synchronization

l View Tenable One Synchronization Status

l View Tenable One Data Synchronization Logs

l View Tenable One Metrics

l Disable Tenable One Synchronization

Tenable One Synchronization Options


Option Description

Access Key The Tenable Vulnerability Management API access key for a Tenable
Vulnerability Management user with Administrator permissions.

Secret Key The Tenable Vulnerability Management API secret key for a Tenable
Vulnerability Management user with Administrator permissions.

Network Support Supports accurate tracking of assets in repositories with overlapping IPv4 addresses.

Tip: The default setting for Network Support depends on the Tenable Security Center version where you configured Tenable Lumin synchronization. For the purpose of determining the default setting for Network Support, Tenable Lumin synchronization is configured if you have configured the Tenable Connection Settings and selected at least one repository to synchronize.
l Tenable Security Center 5.18.x or earlier — Disabled by default if Tenable Lumin is already configured.
l Tenable Security Center 5.19.x or later — Enabled by default and cannot be disabled.

l Enabled — Tenable Security Center synchronizes each IPv4 repository, agent repository, and universal repository to its own network in Tenable Vulnerability Management, named TSC-Repository Name. You do not need to resolve repository overlaps if you enable Network Support.

Note: Once enabled, you cannot disable Network Support.

l Disabled — Tenable Security Center synchronizes all repository data to the Default network in Tenable Vulnerability Management. You must resolve all repository overlaps before synchronizing your Tenable Security Center data to Tenable Vulnerability Management.

For more information, see Networks in the Tenable Vulnerability Management User Guide.

Contact your Tenable representative to enable Network Support.

Plan Your Tenable One Synchronization


Tenable recommends planning your synchronization strategy to accommodate synchronization
limitations and limit data duplication in Tenable Vulnerability Management.

Can I communicate with Tenable Vulnerability Management through a proxy?
To use the proxy configured for your Tenable Security Center instance for communications with
your Tenable Vulnerability Management instance, contact Tenable Support.

Can I synchronize multiple Tenable Security Center instances?


You can synchronize data from one Tenable Security Center to one Tenable Vulnerability
Management instance. You cannot synchronize data from multiple Tenable Security Center
instances to a single Tenable Vulnerability Management instance.

If you purchase multiple Tenable Vulnerability Management instances, you can synchronize one
Tenable Security Center to each Tenable Vulnerability Management instance.

What data does synchronization include?


Tenable Security Center supports synchronizing:

l IPv4 addresses within dynamic assets and IPv4 addresses within static assets.

Note: You cannot synchronize IPv6 addresses within static assets. If an asset contains a mix of IPv4
and IPv6 addresses, Tenable Security Center synchronizes only the IPv4 addresses.

Note: You cannot synchronize non-IPv4 assets within dynamic assets. If a dynamic asset contains
other asset types, Tenable Security Center synchronizes only the IPv4 addresses.

Note: You cannot synchronize DNS name list assets, LDAP query assets, combination assets,
watchlist assets, or import assets.

l Active or agent cumulative database and scan result vulnerability data stored in IPv4, IPv6,
agent, and universal repositories.

The initial synchronization includes all cumulative database data from the repository. All
subsequent synchronizations include only the new or modified scan result data imported to
the repository.

Note: You cannot synchronize passive scan result vulnerability data. Tenable Security Center
identifies vulnerability data by plugin family and excludes Tenable Nessus Network Monitor and LCE
plugin families from synchronization.

Caution: To avoid data merge issues in Tenable Vulnerability Management, Tenable recommends
enabling Network Support or resolving all repository overlaps before synchronizing data to Tenable
Vulnerability Management. You cannot resolve data merge issues after synchronizing a repository
with Tenable Vulnerability Management; you must enable Network Support or resolve overlapping
repositories in Tenable Security Center before synchronizing a repository for the first time. For more
information, see Network Support and Repository Overlap.

Do I need to synchronize both data types (repositories and assets)?


Yes. In order to accurately assess your Cyber Exposure risk with Tenable Lumin, you must
synchronize one or more asset lists and one or more repositories containing vulnerability data for
those assets.

Should I resolve repository overlaps or enable Network Support?


If you first configured Tenable Lumin synchronization in Tenable Security Center 5.19.x or later,
Network Support is enabled by default and cannot be disabled.

If you first configured Tenable Lumin synchronization in Tenable Security Center 5.18.x or earlier and upgraded to Tenable Security Center 5.19.x or later, you can decide to enable Network Support instead of resolving repository overlaps in the Tenable Security Center repositories you synchronize with Tenable Vulnerability Management. Contact your Tenable representative to enable Network Support.

Tip: For the purpose of determining the default setting for Network Support, Tenable Lumin
synchronization is configured if you have configured the Tenable Connection Settings and selected at
least one repository to synchronize.

For more information, see Network Support and Repository Overlap and Tenable One
Synchronization.

How long does synchronization take to complete?


Vulnerability and asset data synchronize differently to Tenable Vulnerability Management.

Data Synchronization Method

Vulnerability data
l Manual initial synchronization.
l Automatic subsequent synchronizations when new scan result data imports to your synchronized repositories.

Asset data (tags in Tenable Vulnerability Management)
l Manual initial synchronization.
l On-demand, automatic, or scheduled subsequent synchronizations, depending on your synchronization configuration.

Timing (both data types): After you initiate a synchronization, Tenable Security Center immediately begins transferring data to Tenable Vulnerability Management. After 10-15 minutes, data begins appearing in Tenable Vulnerability Management. Newly transferred data does not immediately impact your Tenable Lumin metrics (for example, your CES); Tenable requires 4 to 6 hours to recalculate your metrics. All data and recalculated Tenable Lumin metrics appear in Tenable Vulnerability Management within 4 to 6 hours. Recalculated metrics appear in Tenable Security Center after the next daily retrieval.

To monitor the success or failure of synchronizations, see View Tenable One Synchronization Status
and View Tenable One Data Synchronization Logs.

Which of my synchronized assets count toward my Tenable Vulnerability Management license?
Synchronized assets that count toward your Tenable Security Center license also count toward your
Tenable Vulnerability Management license. For more information about Tenable Security Center
asset counting, see License Requirements.

Where will I see synchronized data in Tenable Vulnerability Management?
You can view your synchronized data in both the Vulnerability Management and Tenable Lumin
areas of Tenable Vulnerability Management.

Vulnerability Management

View your synchronized data on the Assets page. For more information, see View Assets in Tenable
Vulnerability Management.

Tenable One

View your synchronized data on any Tenable One page. For more information, see Tenable Lumin.

Tip: To view limited metrics Tenable Security Center retrieves from Tenable Lumin in Tenable Vulnerability
Management, see View Tenable One Metrics.

Network Support and Repository Overlap


Two or more IPv4 repositories overlap if their specified IP Ranges contain intersecting
IP addresses. To avoid data merge issues in Tenable Vulnerability Management, Tenable
recommends enabling Network Support or resolving all repository overlaps before synchronizing
data to Tenable Vulnerability Management.

While both methods avoid data merge issues, Tenable recommends enabling Network Support to
support accurate tracking of assets in repositories with overlapping IPv4 addresses without
manually resolving repository overlaps.

Synchronize Repositories to Individual Tenable Vulnerability
Management Networks
Tip: The default setting for Network Support depends on the Tenable Security Center version
where you configured Tenable Lumin synchronization. For the purpose of determining the
default setting for Network Support, Tenable Lumin synchronization is configured if you have
configured the Tenable Connection Settings and selected at least one repository to
synchronize.
l Tenable Security Center 5.18.x or earlier — Disabled by default if Tenable Lumin is already
configured.
l Tenable Security Center 5.19.x or later — Enabled by default and cannot be disabled.

Because Network Support synchronizes each IPv4 and agent repository to its own individual
network in Tenable Vulnerability Management, repositories with overlap do not cause data merge
issues in Tenable Vulnerability Management.

For more information, see Tenable One Synchronization Options.

Resolve Repository Overlaps


If Network Support is disabled and you do not plan to enable it, you must resolve repository
overlaps before synchronizing new repositories to Tenable Vulnerability Management.

To resolve an overlap between two repositories, edit the repository configurations and reconfigure
the IP Ranges to avoid intersecting IP addresses, as described in IPv4/IPv6 Repositories.

Caution: You cannot resolve data merge issues after synchronizing a repository with Tenable Vulnerability
Management; you must enable Network Support or resolve overlapping repositories in Tenable Security
Center before synchronizing a repository for the first time.

If you cannot resolve all overlaps and you do not want to enable Network Support, plan to
synchronize a limited number of repositories to avoid conflicts. For example, to avoid a conflict
between two repositories, synchronize one repository but not the other repository.
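The overlap condition defined above (two repositories whose IP Ranges contain intersecting addresses) can be checked before a repository is synchronized for the first time, which is the only point at which it can still be fixed. The POSIX shell script below is an added example, not part of this guide or of Tenable Security Center; it assumes you copy each repository's IP Ranges out of the repository configuration by hand as CIDR blocks, dashed ranges, or single addresses, and the repository names and ranges in the usage line are constructed.

```shell
#!/bin/sh
# Added example: find pairs of IPv4 repositories whose IP Ranges intersect.

# ip2int 10.1.2.3 -> 167838211 (dotted quad to unsigned integer)
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# range_bounds SPEC -> "first last" as integers.
# SPEC is a CIDR block (10.0.0.0/8), a dashed range (10.0.0.1-10.0.0.50),
# or a single address (10.0.0.7).
range_bounds() {
    case $1 in
        */*)
            net=${1%/*}
            bits=${1#*/}
            size=$(( 1 << (32 - bits) ))
            first=$(( $(ip2int "$net") / size * size ))   # align to the block boundary
            echo "$first $(( first + size - 1 ))" ;;
        *-*)
            echo "$(ip2int "${1%-*}") $(ip2int "${1#*-}")" ;;
        *)
            n=$(ip2int "$1")
            echo "$n $n" ;;
    esac
}

# ranges_overlap "SPEC,SPEC,..." "SPEC,SPEC,..."
# Returns 0 (true) if any range in the first list intersects any range in the second.
# Two closed intervals intersect when each starts no later than the other ends.
ranges_overlap() {
    lista=$1
    listb=$2
    for ra in $(echo "$lista" | tr ',' ' '); do
        set -- $(range_bounds "$ra"); a1=$1; a2=$2
        for rb in $(echo "$listb" | tr ',' ' '); do
            set -- $(range_bounds "$rb"); b1=$1; b2=$2
            [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ] && return 0
        done
    done
    return 1
}

# find_repository_overlaps "NAME=SPEC,SPEC NAME=SPEC ..."
# Prints "OVERLAP <repo> <repo>" for every intersecting pair (each pair once).
# Returns 0 if no overlaps were found, 1 otherwise, so it can gate a script.
find_repository_overlaps() {
    set -- $1
    found=0
    while [ $# -gt 1 ]; do
        x=$1
        shift
        for y in "$@"; do
            if ranges_overlap "${x#*=}" "${y#*=}"; then
                echo "OVERLAP ${x%%=*} ${y%%=*}"
                found=1
            fi
        done
    done
    return $found
}

# Usage with constructed repositories: corp contains dmz, so one pair is reported.
#   find_repository_overlaps "corp=10.0.0.0/8 dmz=10.10.0.0/16,192.168.1.0/24 lab=172.16.0.0/12"
```

Run it against the repositories you intend to select in the Vulnerability Data Synchronization section; a non-zero exit means either enable Network Support or edit the reported repositories' IP Ranges before clicking Synchronize, since the caution above says the merge cannot be undone afterwards.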

Configure Tenable One Synchronization

Required Additional License: Tenable Lumin

Required Tenable Security Center User Role: Administrator
Required Tenable Vulnerability Management User Role: Administrator

You can configure Tenable Security Center to send limited Tenable Security Center data to Tenable
Vulnerability Management for use in Tenable One analysis. For more information, see Tenable One
Synchronization.

Before you begin:


l License and enable Tenable Lumin in Tenable Vulnerability Management, as described in
License and Enable Tenable Lumin in the Tenable Vulnerability Management User Guide.

l Plan your synchronization strategy and review known limitations and dependencies, as
described in Plan Your Tenable One Synchronization.

l Note that Tenable Security Center repositories are not case-sensitive, but networks in
Tenable Vulnerability Management are case-sensitive. When you synchronize a repository,
ensure that the name is unique from any existing Tenable Vulnerability Management networks.

l Plan your strategy for avoiding data merge issues and perform any required cleanup, as
described in Network Support and Repository Overlap.

Caution:You cannot resolve data merge issues after synchronizing a repository with Tenable
Vulnerability Management; you must enable Network Support or resolve overlapping repositories in
Tenable Security Center before synchronizing a repository for the first time.

l Generate Tenable Vulnerability Management API keys for a Tenable Vulnerability Management
user with Administrator permissions, as described in Generate API Keys in the Tenable
Vulnerability Management User Guide.

l Share any assets you want to synchronize with the Full Access group, as described in Groups.
You cannot synchronize assets with more limited sharing.

To configure data synchronization between Tenable Security Center and Tenable One in
Tenable Vulnerability Management:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the Tenable One tile.

The Tenable One Configuration page appears.

4. In the Tenable Vulnerability Management Connection Settings section, type an Access Key
and Secret Key for the Tenable Vulnerability Management user you want to have full access to
your data in Tenable Vulnerability Management. For more information, see Tenable One
Synchronization Options.

Tenable Security Center validates the connection to Tenable Vulnerability Management and
locks the key configuration.

5. (Optional) To test the connection to Tenable Vulnerability Management, click Test Connection.

Tenable Security Center tests the connection to Tenable Vulnerability Management using the
access key and secret key you provided.

Tenable Security Center displays a notification indicating the status of the connection to
Tenable Vulnerability Management.

6. In the Vulnerability Data Synchronization section:

a. (Optional) If you did not enable Network Support and you want to synchronize each
Tenable Security Center repository to its own network in Tenable Vulnerability
Management, contact your Tenable representative to enable Network Support. For
more information, see Tenable One Synchronization Options.

Note: Once enabled, you cannot disable Network Support.

b. Select one or more repositories that contain the scan result data you want to
synchronize with Tenable Vulnerability Management.

The initial synchronization includes all cumulative database data from the repository. All
subsequent synchronizations include only the new or modified scan result data imported
to the repository.

Note: You cannot synchronize passive scan result vulnerability data. Tenable Security Center
identifies vulnerability data by plugin family and excludes Tenable Nessus Network Monitor
and LCE plugin families from synchronization.

Caution: To avoid data merge issues in Tenable Vulnerability Management, Tenable recommends enabling Network Support or resolving all repository overlaps before synchronizing data to Tenable Vulnerability Management. You cannot resolve data merge issues after synchronizing a repository with Tenable Vulnerability Management; you must enable Network Support or resolve overlapping repositories in Tenable Security Center before synchronizing a repository for the first time. For more information, see Network Support and Repository Overlap.

Tip: Hover over the icon next to a repository to view its details (including information about unresolved repository overlaps).

c. Click Synchronize.

A confirmation window appears.

d. Click Synchronize.

Tenable Security Center begins synchronizing your vulnerability data to Tenable Vulnerability Management.

7. In the Asset to Tag Synchronization section:

a. If you want to synchronize asset data at a scheduled time:

i. Click to enable the Custom Schedule slider.

ii. Next to the schedule link, click the button.

iii. Modify the Time and Timezone options to specify when you want synchronizations
to occur.

Tip: You cannot modify the Frequency or Repeat Every options; all Tenable One
synchronizations occur once daily.

If you do not schedule your asset synchronizations, Tenable Security Center automatically synchronizes once daily, after business hours for your local time zone.

b. If you want to filter the assets that appear in the Unstaged Assets section, do any of the
following:

l Select an organization from the Organization Filter drop-down list and click Apply
Filters.

l Select an asset type from the Asset Type Filter drop-down list and click Apply
Filters.

l Type an asset name in the Search Name box and press Enter.

Note: You can synchronize any assets shared with the Full Access group. You cannot
synchronize assets with more limited sharing.

Tenable Security Center applies your filter to the Unstaged Assets section.

c. To stage one or more assets for synchronization, do one of the following:

l Click the Add All button to stage all visible assets for synchronization.

Tenable Security Center stages all visible assets for synchronization and displays
them in the Staged Assets section.

l In the rows for individual assets you want to stage for synchronization, click the
button.

Tenable Security Center stages your selected assets for synchronization and
displays them in the Staged Assets section.

Note: You cannot synchronize IPv6 addresses within static assets. If an asset contains a mix
of IPv4 and IPv6 addresses, Tenable Security Center synchronizes only the IPv4 addresses.

Note: You cannot synchronize non-IPv4 assets within dynamic assets. If a dynamic asset
contains other asset types, Tenable Security Center synchronizes only the IPv4 addresses.

Note: You cannot synchronize DNS name list assets, LDAP query assets, combination assets,
watchlist assets, or import assets.

Tip: Click an asset row to view details for an asset.

d. Click Synchronize Staged Assets.

A confirmation window appears.

e. Click Synchronize.

Tenable Security Center begins synchronizing your assets to Tenable Vulnerability Management.

8. Wait for data transfer and Tenable One data calculations to complete. For more information,
see How long does synchronization take to complete?.

9. Monitor the synchronization and confirm there were no errors, as described in View Tenable
One Synchronization Status or View Tenable One Data Synchronization Logs.

What to do next:
l Begin using Tenable Vulnerability Management and Tenable One, as described in Where will
I see synchronized data in Tenable Vulnerability Management?.

l View Tenable One metrics information within Tenable Security Center, as described in View
Tenable One Metrics.

l By default, synchronized data is visible to the Tenable Vulnerability Management Administrator account used for synchronization and to all other users in Tenable Vulnerability Management. If you want to restrict privileges for synchronized data, configure access groups as described in Access Groups in the Tenable Vulnerability Management User Guide.

View Tenable One Synchronization Status

Required Additional License: Tenable Lumin

Required User Role: Administrator

After you configure Tenable Security Center data synchronization to Tenable One in Tenable
Vulnerability Management, you can view the status of your synchronizations.

For information about viewing logs for past synchronizations, see View Tenable One Data
Synchronization Logs.

Before you begin:

l Configure Tenable One synchronization, as described in Configure Tenable One
Synchronization.

To monitor the status of your data synchronization between Tenable Security Center and
Tenable One in Tenable Vulnerability Management:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the Tenable One tile.

The Tenable One Configuration page appears.

4. In the Vulnerability Data Synchronization section:

l View the Last Successful Sync date and time for data from any repository.

l View details for a repository by hovering over the icon that appears when you hover over a repository name:

Data Description

Name The repository name.

Format The repository type: IPv4/IPv6, Agent, or Universal.

First Successful The date and time of the first synchronization of this
Synchronization repository.

Last Successful The date and time of the most recent synchronization of this
Synchronization repository.

Error Status If the most recent synchronization of this repository failed, a description of the failure.

Last Failed The date and time of the most recent failed synchronization
Synchronization of this repository.

Repositories Overlapping <Repository Name> The names of other repositories with IP Ranges that overlap with this repository. For more information, see Network Support and Repository Overlap.

5. In the Asset to Tag Synchronization section:

l In the Unstaged Assets or Staged Assets section, click an asset row to view details for
an asset:

Data Description

Description The asset description.

First Sync The date and time of the first synchronization of this asset.
Success

Last Sync The date and time of the most recent synchronization of this
Success asset.

Last Sync The date and time of the most recent failed synchronization of
Failure this asset.

Sync Error If the most recent synchronization of this asset failed, a description of the failure.

l View the Last Successful Sync date and time for any asset data.

Disable Tenable One Synchronization

Required Additional License: Tenable Lumin

Required User Role: Administrator

When you disable Tenable One synchronization, Tenable Security Center stops synchronizing new or
updated scan result and asset data with Tenable One in Tenable Vulnerability Management. Existing
Tenable Security Center data remains visible in Tenable Vulnerability Management.

To stop synchronizing data with Tenable One in Tenable Vulnerability Management:

1. Log in to Tenable Security Center via the user interface.

2. Click System > Configuration.

The Configuration page appears.

3. Click the Tenable One tile.

The Tenable One Configuration page appears.

4. In the Vulnerability Data Synchronization section:

a. Deselect all of your repositories.

b. Click Synchronize.

Tenable Security Center stops synchronizing vulnerability data to Tenable Vulnerability Management. Existing Tenable Security Center data remains visible in Tenable Vulnerability Management.

5. In the Asset to Tag Synchronization section:

a. In the Staged Assets section, click Remove All.

All staged assets move to the Unstaged Assets section.

b. Click Synchronize Staged Assets.

Tenable Security Center stops synchronizing asset data to Tenable Vulnerability Management. Existing Tenable Security Center data remains visible in Tenable Vulnerability Management.

Configure Scans
See the following sections to configure Tenable Security Center scans.

l Scanning Overview

l Resources

l Repositories

l Active Scans

l Active Scan Objects

l Agent Scans

l Agent Scanning

l Freeze Windows

l Patch Management

Scanning Overview
You can perform two types of scans using Tenable products: discovery scans and assessment
scans. Tenable recommends performing discovery scans to get an accurate picture of the assets on
your network and assessment scans to understand the vulnerabilities on your assets.

Configuring both methods provides a comprehensive view of the organization’s security posture and
reduces false positives. For more information about Tenable Security Center scanning strategies,
see the Tenable Security Center Scan Tuning Guide.

Scan Type Description Licensing

Discovery Scan Find assets on your network. For example:

l a scan configured with the Host Discovery template.

l a scan configured to use only discovery plugins.

l a Tenable Nessus Network Monitor instance in discovery mode.

Licensing: Assets identified by discovery scans do not count toward your license.

Assessment Scan Find vulnerabilities on your assets. For example:

l an authenticated or unauthenticated active scan using a Tenable Nessus or Tenable Vulnerability Management scanner.

l an agent scan using an agent-capable Tenable Vulnerability Management or Tenable Nessus Manager scanner.

Licensing: In general, assets assessed by assessment scans count toward your license.

Authenticated Active Scans

Configure authenticated scans, also known as


credentialed scans, by adding access credentials to your
assessment scan configuration.

Credentialed scans can perform a wider variety of


checks than non-credentialed scans, which can result in
more accurate scan results. This facilitates scanning of
a very large network to determine local exposures or
compliance violations.

Credentialed scans can perform any operation that a


local user can perform. The level of scanning depends
on the privileges granted to the user account. The more
privileges the scanner has via the login account (e.g.,
root or administrator access), the more thorough the
scan results.

For more information, see Credentials.

Unauthenticated Active Scans

If you do not add access credentials to your assessment


scan configuration, Tenable Vulnerability Management
performs a limited number of checks when scanning
your assets.

For more information about how discovered and assessed assets are counted towards your license,
see License Requirements.

Resources
Administrator users can configure supporting resources.

• Tenable Nessus Scanners

• Tenable Nessus Network Monitor Instances

• Tenable Log Correlation Engines

• Tenable Log Correlation Engine Clients

• Tenable Log Correlation Engine Client Policies

• OT Security Instances

Scan zone resources are considered active scan objects. For more information, see Active Scan
Objects and Scan Zones.

LDAP server resources are part of user account configuration. For more information, see User
Accounts and LDAP Authentication.

Tenable Nessus Scanners


For high level information about active and agent scanning, see Active Scans and Agent Scans.

In the Tenable Security Center framework, the Tenable Nessus scanner behaves as a server, while
Tenable Security Center serves as a client that schedules and initiates scans, retrieves results,
reports results, and performs a wide variety of other important functions.

You can add one or more Tenable Nessus or Tenable Vulnerability Management deployments to
Tenable Security Center as Tenable Nessus scanners in Tenable Security Center:

• Managed or unmanaged Tenable Nessus scanners

Note: Tenable Security Center cannot perform scans with or update plugins for scanners running
unsupported versions of Tenable Nessus. For minimum Tenable Nessus scanner version
requirements, see the Tenable Security Center Release Notes for your version.

• Tenable Nessus Manager instances

Note: If you enabled clustering on Tenable Nessus Manager, add the parent node of the cluster to
Tenable Security Center. For more information, see Clustering in the Tenable Nessus User Guide.

• Tenable Vulnerability Management instances

For more information, see:

• Add a Tenable Nessus Scanner

• Add a Tenable Vulnerability Management Scanner

• Manage Nessus Scanners

• View Your Nessus Scanners

• View Details for a Nessus Scanner

• Delete a Nessus Scanner

• View Tenable Nessus Instances in Tenable Security Center

For information about Tenable Security Center-Tenable Nessus and Tenable Security Center-
Tenable Vulnerability Management communications encryption, see Encryption Strength.

Tenable Nessus Scanner Settings

General

Name: A descriptive name for the scanner.

Description: A scanner description, location, or purpose.

Host: The hostname or IP address of the scanner.

Port: The TCP port that the scanner listens on for communications from Tenable Security
Center. The default is port 8834.

Enabled: A scanner may be Enabled or Disabled within Tenable Security Center to allow or
prevent access to the scanner.

Verify Hostname: Adds a check to verify that the hostname or IP address entered in the Host
option matches the CommonName (CN) presented in the SSL certificate from the Nessus server.

Note: Confirm that the correct CA certificate is configured for use by Tenable Security Center. If
you are using a custom CA, configure Tenable Security Center to trust your custom CA, as
described in Trust a Custom CA. You do not need to perform this step when using the default
certificates for Tenable Nessus servers.

Use Proxy: Instructs Tenable Security Center to use its configured proxy for communication
with the scanner.

Authentication

Type: Select Password, SSL Certificate, or API Keys for the authentication type to connect to
the scanner. For complete information about Tenable Nessus SSL certificate authentication, see
Manual Tenable Nessus SSL Certificate Exchange.

Username: Username generated during the install for daemon-to-client communications. This
must be an administrator user in order to send plugin updates to the scanner. If the scanner is
updated by a different method, such as through another Tenable Security Center, a standard
user account may be used to perform scans. This option is only available if the Authentication
Type is set to Password.

Password: The login password must be entered in this option. This option is only available if
the Authentication Type is set to Password.

Certificate: If you set Authentication Type to SSL Certificate, specifies the nessuscert.pem file
you want to use for authentication to the scanner. For complete information about Tenable
Nessus SSL certificate authentication, see Manual Tenable Nessus SSL Certificate Exchange.

Certificate Passphrase: If you selected SSL Certificate as the Authentication Type and the
private key that decrypts your SSL certificate is encrypted with a passphrase, the passphrase
for the private key.

Active Scans

Zones: The scan zones that can use this scanner. For more information, see Scan Zones.

Agents

Agent Capable: Specifies whether you want this scanner to provide Tenable Nessus Agent scan
results to Tenable Security Center. Agent capable scanners must be either Tenable Vulnerability
Management or Nessus Manager 6.5 or later. When using Nessus Manager, you must use an
organizational user account to connect from Tenable Security Center.

Organizations: When the Agent Capable option is enabled, or you select API Keys as the
Authentication Type, specifies one or more organizations that you want to grant access to
import Tenable Nessus Agent data into Tenable Security Center.

API Keys: When the Agent Capable option is enabled, specifies whether you want to use secure
API keys when importing agent scan data from Tenable Nessus or Tenable Vulnerability
Management scanners. For more information about retrieving your access key and secret key
from Tenable Nessus and Tenable Vulnerability Management, see Generate a Nessus API Key in
the Tenable Nessus User Guide and Generate a Tenable Vulnerability Management API Key in the
Tenable Vulnerability Management User Guide.

Access Key: When the API Keys option is enabled, specifies the access key for the Tenable
Nessus or Tenable Vulnerability Management scanner. When you select API Keys as the
Authentication Type, specifies the access key for the Tenable Nessus Agent.

Secret Key: When the API Keys option is enabled, specifies the secret key for the Tenable
Nessus or Tenable Vulnerability Management scanner. When you select API Keys as the
Authentication Type, specifies the secret key for the Tenable Nessus Agent.

Web Application Scanning

Capable: Specifies whether you want this scanner to provide Tenable Web App Scanning scan
results to Tenable Security Center.

Add a Tenable Nessus Scanner

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

Note: Tenable Security Center cannot perform scans with or update plugins for scanners running
unsupported versions of Tenable Nessus. For minimum Tenable Nessus scanner version requirements, see
the Tenable Security Center Release Notes for your version.

Note: Tenable Security Center does not send plugins to linked Nessus Managers. Nessus Manager pulls
plugins directly from Tenable's plugin sites. Therefore, to update plugin sets, Nessus Manager needs
access to the internet and Tenable's plugin sites (for more information, see the Which Tenable sites should I
allow? community article). If your Nessus Manager does not have internet access, you can manually update
its version and plugins offline (for more information, see Manage Nessus Offline in the Nessus User Guide).

To add a Tenable Nessus scanner to Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

The Tenable Nessus Scanners page appears.

3. At the top of the table, click Add.

The Add Tenable Nessus Scanner page appears.

4. Configure Tenable Nessus scanner options, as described in Tenable Nessus Scanners.

a. In the Name box, type a name for the scanner.

b. In the Description box, type a description for the scanner.

c. In the Host box, type the hostname or IP address for the scanner.

d. In the Port box, view the default (8834) and modify, if necessary.

e. If you want to disable this scanner's connection to Tenable Security Center, click
Enabled to disable the connection.

f. If you want to verify that the hostname or IP address entered in the Host option matches
the CommonName (CN) presented in the SSL certificate from the Tenable Nessus
scanner, click Verify Hostname to enable the toggle.

g. If you want to use the proxy configured in Tenable Nessus for communication with the
scanner, click Use Proxy to enable the toggle.

h. In the Type drop-down box, select the authentication type.

i. If you selected Password as the Type:

i. In the Username box, type the username for the account generated during the
Tenable Nessus installation for daemon-to-client communications.

ii. In the Password box, type the password associated with the username you
provided.

j. If you selected SSL Certificate as the Type:

i. Click Choose File to upload the nessuscert.pem file you want to use for
authentication to the scanner. For more information, see Manual Tenable Nessus
SSL Certificate Exchange.

ii. (Optional) If the private key that decrypts your SSL certificate is encrypted with a
passphrase, in the Certificate Passphrase box, type the passphrase for the private
key.

k. Check the box for each active scan zone that you want to use this scanner.

l. If you want this scanner to provide Tenable Nessus Agent scan results to Tenable
Security Center:

i. Click Agent Capable to enable the toggle.

ii. Check the box for one or more Organizations that you want to grant access to
import Tenable Nessus Agent data into Tenable Security Center.

iii. If you want to use secure API keys when importing agent scan data from Tenable
Nessus scanners:

a. Click API Keys to enable the toggle.

b. In the Access Key box, type the access key.

c. In the Secret Key box, type the secret key.

5. Click Submit.

Tenable Security Center saves your configuration.

What to do next:

• Configure a scan zone, repository, and active scan objects, as described in Active Scans.

Add a Tenable Vulnerability Management Scanner

Required User Role: Administrator

Tenable Security Center supports the use of Tenable Vulnerability Management as a Tenable Nessus
scanner within Tenable Security Center. Tenable Vulnerability Management is an enterprise-class
remote vulnerability scanning service you can use to audit internet-facing IP addresses for both
network and web application vulnerabilities from the cloud. While Tenable Security Center does not
manage Tenable Vulnerability Management scanners (for example, Tenable Security Center does not
push plugins to the scanner), you can add Tenable Vulnerability Management scanners to Tenable
Security Center the same way you add internal, local, or remote Tenable Nessus scanners.

Before you begin:

• Confirm that you have a valid, active Tenable Vulnerability Management subscription.

To add Tenable Vulnerability Management to Tenable Security Center as a Tenable Nessus
scanner:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

3. At the top of the table, click Add.

4. Configure Tenable Nessus scanner options, as described in Tenable Nessus Scanners. You
use Tenable Vulnerability Management-specific values for some settings.

Host:

• Commercial Tenable Vulnerability Management: cloud.tenable.com

• Tenable Vulnerability Management FedRAMP: fedcloud.tenable.com

Port: 443

Username: The username for an active Tenable Vulnerability Management user account.

Password: The password for an active Tenable Vulnerability Management user account.

Zones: The zones within Tenable Security Center that use Tenable Vulnerability Management
as a scanner.

5. Click Submit.

Note: Existing scan reports from Tenable Vulnerability Management are not automatically available in
Tenable Security Center. However, you can manually download and import them into Tenable Security
Center.

Note: By default, Tenable Vulnerability Management selects the regional scanner that corresponds with the
location of your Tenable Vulnerability Management user account. For example, if you run a scan from a
user account located in the United States, Tenable Vulnerability Management selects the United States
scanner. If you run a scan from a user account in Germany, Tenable Vulnerability Management selects the
Germany scanner.

What to do next:

• Configure a scan zone, repository, and active scan objects, as described in Active Scans.

Tenable Nessus Scanner Statuses

You can view the status for scanners, as described in View Your Nessus Scanners.

Status: Authentication Error
Description: Tenable Security Center could not authenticate to the scanner using the
credentials you provided.
Recommended Action: Check your scanner configuration settings and confirm the Username
and Password options specify valid login credentials for the scanner.

Status: Certificate Mismatch
Description: Tenable Security Center could not confirm the validity of the SSL certificate
presented by the scanner.
Recommended Action: Do one of the following:

• Edit your scanner configuration and select a different authentication type.

• (Tenable Nessus scanners only) Check your scanner configuration settings and confirm the
Certificate option specifies the correct nessuscert.pem file. For more information about
managing SSL certificates in Nessus, see Manage SSL Certificates in the Tenable Nessus User
Guide.

Status: Connection Error
Description: Tenable Security Center cannot connect to the scanner because the scanner is
unreachable or does not exist at the IP address or hostname provided.
Recommended Action: Do one or both of the following:

• Check your scanner configuration and confirm the Host option specifies the correct IP
address or hostname for the scanner.

• Confirm the network devices and firewalls between Tenable Security Center and the scanner
are configured to permit network traffic.

Status: Connection Timeout
Description: Tenable Security Center connected to the scanner but timed out waiting for a
reply.
Recommended Action: Contact your network administrator for troubleshooting assistance.

Status: Invalid Configuration
Description: The scanner attempted to connect to a scanner on port 0, or the provided API key
is for a scanner that does not support agent scans.
Recommended Action: Do one or both of the following:

• Check your scanner configuration and confirm the Port option specifies a valid TCP port to
connect to your scanners. For more information, see Port Requirements.

• Check your scanner configuration and confirm the Access Key and Secret Key options
specify valid keys for a Tenable Nessus Manager or cloud scanner.

Status: Permission Error
Description: The provided API keys do not have the correct permissions to run agent scans.
Recommended Action: Check your scanner configuration and confirm the Access Key and
Secret Key options specify valid keys for the scanner.

Status: Plugins Out of Sync
Description: The plugin sets on the scanner do not match the plugin sets in Tenable Security
Center.
Recommended Action: For troubleshooting assistance, see the knowledge base article.

Status: Protocol Error
Description: Tenable Security Center connected to the scanner but the scanner returned an
HTTPS protocol negotiation error.
Recommended Action: Contact your network administrator for troubleshooting assistance.

Status: Reloading Scanner
Description: The scanner is temporarily unable to run scans because Tenable Nessus is
restarting on the scanner.
Recommended Action: None.

Status: Updating Plugins
Description: Tenable Security Center is performing a plugin update on the scanner.
Recommended Action: You may want to schedule plugin updates to run a few hours before your
scheduled scans. For more information, see Edit Plugin and Feed Settings and Schedules. If a
scanner has a persistent Updating Plugins status, the plugin update has been interrupted. For
troubleshooting assistance, see the knowledge base article.

Status: Updating Status
Description: Tenable Security Center is refreshing the status of the scanner. Scanners can
continue to run scans while Tenable Security Center refreshes the status.

Note: Tenable Security Center automatically refreshes scanner statuses every 15 minutes. If you
create a new scanner, edit a scanner, or manually refresh the status using the Update Status
option, Tenable Security Center refreshes the status of the scanner on demand.

Recommended Action: None.

Status: Upgrade Required
Description: The version of Tenable Nessus on the scanner is unsupported and requires an
upgrade. Tenable Security Center cannot perform scans with or update plugins for scanners
running unsupported versions of Tenable Nessus. For minimum Tenable Nessus scanner version
requirements, see the Tenable Security Center Release Notes for your version.
Recommended Action: Upgrade to a supported version of Tenable Nessus, as described in
Upgrade Nessus in the Tenable Nessus User Guide.

Status: User Disabled
Description: A Tenable Security Center user disabled the scanner.
Recommended Action: Edit your scanner configuration and click the Enabled toggle to re-enable
the scanner. For more information about scanner options, see Tenable Nessus Scanners.

Status: Working
Description: The scanner is connected to Tenable Security Center and able to run scans.
Recommended Action: None.
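The following is an added example, not Tenable code, that a Tenable Security Center administrator can run before adding a scanner: it performs the TCP and TLS handshake to the scanner port (8834 by default), validates the chain against the default trust store or a custom CA bundle, applies the same CommonName (CN) / SubjectAltName comparison that the Verify Hostname option performs, and maps any failure to the connection-related status names in the table above. The host name and CA bundle path in the usage block are placeholders; authentication and API-key checks are out of scope because the probe stops at the TLS layer.

```python
"""Pre-flight connectivity and certificate check for a Tenable Nessus scanner.
Added example (not Tenable code): mirrors the Verify Hostname option and the
connection-related statuses from the Tenable Nessus Scanner Statuses table."""
import ipaddress
import socket
import ssl
from typing import Optional

DEFAULT_PORT = 8834  # default Tenable Nessus listening port (from the guide)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A '*' is honoured only as the entire
    leftmost label, so '*.example.com' matches 'a.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    parts = host.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def hostname_matches_cert(cert: dict, host: str) -> bool:
    """Mirror of the Verify Hostname option. `cert` has the shape returned by
    ssl.SSLSocket.getpeercert(). SubjectAltName entries win when present
    (RFC 6125); otherwise the subject CN is used, which is what a default
    Tenable Nessus certificate carries."""
    san = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Host configured as an IP address: compare against IP SANs, else the CN.
        ip_sans = [v for k, v in san if k == "IP Address"]
        if ip_sans:
            return any(ipaddress.ip_address(v) == ip for v in ip_sans)
        return host in cns
    dns_sans = [v for k, v in san if k == "DNS"]
    if dns_sans:
        return any(_dns_match(p, host) for p in dns_sans)
    return any(_dns_match(cn, host) for cn in cns)


def probe_scanner(host: str, port: int = DEFAULT_PORT, cafile: Optional[str] = None,
                  verify_hostname: bool = True, timeout: float = 10.0) -> str:
    """Connect the way Tenable Security Center would and return one of the
    status names from the Tenable Nessus Scanner Statuses table. `cafile` is
    a custom CA bundle (see Trust a Custom CA); None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name check is applied below, per the toggle
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate against the CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except socket.timeout:
        return "Connection Timeout"
    except ssl.SSLCertVerificationError:
        return "Certificate Mismatch"    # chain did not validate against the CA
    except ssl.SSLError:
        return "Protocol Error"          # TLS negotiation failed
    except OSError:
        return "Connection Error"        # refused, unreachable, or DNS failure
    if verify_hostname and not hostname_matches_cert(cert, host):
        return "Certificate Mismatch"    # chain is fine but the name does not match
    return "Working"


if __name__ == "__main__":
    # Placeholder values: replace with your scanner's Host value and CA bundle path.
    print(probe_scanner("nessus.example.com", cafile="/path/to/custom-ca.pem"))
```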

Manage Nessus Scanners

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

To manage your Tenable Nessus scanners:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

The Tenable Nessus Scanners page appears.

3. To filter the scanners that appear on the page, apply a filter as described in Apply a Filter.

4. To view the list of configured scanners, see View Your Nessus Scanners.

5. To view details for a scanner, see View Details for a Nessus Scanner.

6. To edit a scanner:
a. Right-click the row for the scanner.

The actions menu appears.

-or-

Select the check box for the scanner.

The available actions appear at the top of the table.

b. Click More > Edit.

The Edit Tenable Nessus Scanner page appears.

c. Modify the scanner options. For more information about scanner options, see Tenable
Nessus Scanners.

d. Click Submit.

7. To download logs for a scanner, see Download Tenable Nessus Scanner Logs.

8. To delete a scanner, see Delete a Nessus Scanner.

View Your Nessus Scanners

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

To view a list of configured Tenable Nessus scanners:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

The Tenable Nessus Scanners page appears.

3. View details about each Tenable Nessus scanner.

• Name — The name for the scanner.

• Features — Specifies whether the scanner is a Standard scanner or an Agent Capable
scanner. Agent capable scanners provide Tenable Nessus Agent scan results to Tenable
Security Center.

• Status — The status of the scanner. For more information, see Tenable Nessus Scanner
Statuses.

• Host — The IP address or hostname of the scanner.

• Version — The scanner's Tenable Nessus version.

• Type — The type of scanner connection.

  Unknown: Tenable Security Center could not identify the scanner.

  Nessus (Unmanaged Plugins): Tenable Security Center accesses the scanner using a Tenable
  Nessus user account with Standard permissions. Tenable Security Center cannot send plugin
  updates to the scanner or manage the scanner's activation code.

  Nessus (Managed Plugins): Tenable Security Center manages the scanner and authenticates
  via a Tenable Nessus user account. Tenable Security Center sends plugin updates to the
  scanner and manages the scanner's activation code.

  Tenable (Unmanaged Plugins): Tenable Security Center accesses the instance using a Tenable
  Vulnerability Management user account with Standard permissions. Tenable Security Center
  cannot send plugin updates to the instance or manage the instance's activation code.

• Uptime — The length of time, in days, that the scanner has been running.

• Last Modified — The date and time the scanner was last modified.

4. To view details of a specific Tenable Nessus scanner, see View Details for a Nessus Scanner.

5. To filter the scanners that appear on the page, apply a filter as described in Apply a Filter.

6. To manually refresh the Status data, at the top of the table, click Update Status.

Tenable Security Center refreshes the Status data.

View Details for a Nessus Scanner

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

To view details for a Tenable Nessus scanner:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

The Tenable Nessus Scanners page appears.

3. Right-click the row for the scanner you want to view.

The actions menu appears.

-or-

Select the check box for the scanner you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Tenable Nessus Scanner page appears.

Options drop-down box:

• To edit the scanner, click Edit.

• To delete the scanner, click Delete, as described in Delete a Nessus Scanner.

• To download logs for the scanner, click Download Logs. For more information, see
Download Tenable Nessus Scanner Logs.

General: View general information about the scanner.

Authentication: View authentication information for the scanner.

Active Scans: View active scan information for the scanner.

Agents: View agent information for the scanner.

• Agent Capable — Specifies whether the scanner is agent capable: Yes or No.

• Organizations — If the scanner is agent capable, the organization configured for the
scanner.

• API Keys Set — If the scanner is agent capable, specifies whether API keys are configured
for the scanner: Yes or No.

Data summary: View metadata and performance metrics for the scanner.

Note: Tenable Security Center refreshes the load information every 15 minutes.

Nessus Scanner Health: If you are viewing details for a managed Tenable Nessus scanner
running version 8.2.0 or later, view scanner health summary data:

• Running Scans — The number of scans currently running on the scanner.

• Hosts Being Scanned — The number of hosts currently being scanned by the scanner.

• CPU Load — The percent of the total CPU currently in use by the scanner.

• Total Memory — The total memory installed on the scanner.

• Memory Used — The percent of the total memory currently in use by the scanner.

• Total Disk Space — The total disk space installed on the scanner.

• Disk Space Used — The percent of the total disk space currently in use by the scanner.

• Last Updated — The date and time Tenable Security Center last updated the scanner data.

Tenable Security Center refreshes the data when you load the View Nessus Scanner page. To
force a manual refresh, click the button.

View Tenable Nessus Instances in Tenable Security Center

Required User Role: Administrator

Administrators can view and manage Tenable Nessus scanner configurations from the Tenable
Security Center user interface. For more information about Tenable Nessus scanners in Tenable
Security Center, see Tenable Nessus Scanners.

Note: You cannot use Picture in Picture with a Tenable Nessus scanner if you enabled Use Proxy for the
scanner or if the scanner's Authentication Type is SSL Certificate. For more information, see Tenable
Nessus Scanner Settings.

Before you begin:

• Enable Picture in Picture, as described in Enable Picture in Picture.

To view Tenable Nessus instances inside the Tenable Security Center user interface:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Scanners.

The Tenable Nessus Scanners page appears.

3. Right-click the row for the Tenable Nessus scanner.

The actions menu appears.

-or-

Select the check box for the Tenable Nessus scanner.

The available actions appear at the top of the table.

4. Click Manage System.

The Tenable Nessus instance opens inside the Tenable Security Center user interface.

What to do next:

• Manage your Tenable Nessus scanner configurations using the picture in picture window in
Tenable Security Center. For more information about Tenable Nessus and Tenable Nessus
settings, see the Tenable Nessus User Guide.

• To exit the Picture in Picture view, in the upper-right corner, click Back.

Download Tenable Nessus Scanner Logs

Required User Role: Administrator

You can download a log file for Tenable Nessus scanners managed by Tenable Security Center. The
Tenable Nessus scanner must be running version 8.0.0 or later to send logs to Tenable Security
Center for download.

All Tenable Nessus scanner logs include:

• Recent Tenable Nessus log data

• System information (operating system version, CPU statistics, available memory, available
disk space, etc.)

• Troubleshooting data

If you include extended logs, the system also downloads recent Tenable Nessus web server log
records, system log data, and network configuration information.

To download logs for a Tenable Nessus scanner:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Nessus Scanners.

The Nessus Scanners page appears.

3. Right-click the row for the scanner for which you want to download logs.

The actions menu appears.

-or-

Select the check box for the scanner for which you want to download logs.

The available actions appear at the top of the table.

4. Click Download Logs.

The Download Nessus Scanner Logs window appears.

5. To include recent Tenable Nessus web server log records, system log data, and network
configuration information, click to enable the Extended Logs toggle.

6. To hide the first two octets of IPv4 addresses within the logs, click to enable the Sanitize IPs
toggle.

7. Click Download.

Tenable Security Center downloads the tar.gz file in your browser.

Tip: If you use 7-Zip to extract the tar.gz file, you may see the following error message: There are
some data after the end of the payload data. You can safely ignore this error.

Delete a Nessus Scanner

Required User Role: Administrator

For more information, see Tenable Nessus Scanners.

To delete a Tenable Nessus scanner:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Nessus Scanners.

The Nessus Scanners page appears.

3. Select the scanner you want to delete:

To delete a single scanner:


a. In the table, right-click the row for the scanner you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple scanners:


a. In the table, select the check box for each scanner you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click More > Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the scanner.

Tenable Nessus Network Monitor Instances


Tenable Nessus Network Monitor is a patented network
discovery and vulnerability analysis software solution that delivers real-time network profiling and
monitoring for continuous assessment of an organization’s security posture in a non-intrusive
manner. Tenable Nessus Network Monitor monitors network traffic at the packet layer to determine
topology, services, and vulnerabilities. Where an active scanner takes a snapshot of the network in
time, Tenable Nessus Network Monitor behaves like a security motion detector on the network.

Tenable Security Center communicates with Tenable Nessus Network Monitor utilizing the XMLRPC
protocol on port 8835 by default. For information about Tenable Security Center-Tenable Nessus
Network Monitor communications encryption, see Encryption Strength.

Note: It is important for you to restrict the data Tenable Nessus Network Monitor collects to only the
desired IP address ranges. For example, if your attached Tenable Nessus Network Monitor collects
information on 1100 hosts and Tenable Security Center is licensed for 1000 hosts, Tenable Security Center
imports all of the Tenable Nessus Network Monitor data and indicates that you exceeded your host count.
For more information, see License Requirements.

Tenable Security Center will ask Tenable Nessus Network Monitor for the latest (if any) vulnerability
report once every hour by default. The pull interval may be changed under the System Configuration
page under the Update tab.

To fully configure passive scan data retrieval from Tenable Nessus Network Monitor:

1. Configure Tenable Nessus Network Monitor, as described in Get Started in the Tenable Nessus
Network Monitor User Guide.

2. Add your Tenable Nessus Network Monitor license to Tenable Security Center, as described in
Apply a New License.

3. Add an IPv4, IPv6, or Universal repository for Tenable Nessus Network Monitor data in Tenable
Security Center, as described in Add a Repository.

4. Add a Tenable Nessus Network Monitor instance in Tenable Security Center, as described in
Add a Tenable Nessus Network Monitor Instance.

5. (Optional) Configure Tenable Nessus Network Monitor plugin import schedules, as described in
Edit Plugin and Feed Settings and Schedules. By default, Tenable Security Center checks for
new passive vulnerability plugins every 24 hours and pushes them to your attached Tenable
Nessus Network Monitor instances.

What to do next:

• View vulnerability data filtered by your Tenable Nessus Network Monitor repository, as
described in Vulnerability Analysis.

Considerations for Licensing


If you want Tenable Security Center to push plugin updates to Tenable Nessus Network Monitor, you
must add the product activation code to Tenable Security Center. For more information, see Apply a
New License.

For detailed information about plugins counted toward the Tenable Security Center license count,
see License Requirements.

Considerations for Tenable Nessus Network Monitor Discovery Mode

Your Tenable Nessus Network Monitor instances can run in two modes: discovery mode disabled
and discovery mode enabled. For more information, see NNM Settings in the Tenable Nessus
Network Monitor User Guide.

If discovery mode is enabled on a Tenable Nessus Network Monitor instance, Tenable Security
Center stores discovery mode asset data to Tenable Security Center repositories. Since discovery
mode only discovers limited asset data, the repository data appears incomplete.

Tenable Security Center does not count IP addresses present only from Tenable Nessus Network
Monitor instances in discovery mode toward your license count.

Add a Tenable Nessus Network Monitor Instance

Required User Role: Administrator

Before you begin:

• Confirm you understand the complete scanning configuration process, as described in
Tenable Nessus Network Monitor Instances.

To add a Tenable Nessus Network Monitor instance to Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Tenable Nessus Network Monitors.

The Tenable Nessus Network Monitor Scanners page appears.

3. At the top of the table, click Add.

The Add Tenable Nessus Network Monitor Scanner page appears.

4. Configure the settings, as described in Tenable Nessus Network Monitor Instance Settings.

a. In the Name box, type a name for the scanner.

b. In the Description box, type a description for the scanner.

c. In the Host box, type the hostname or IP address for the scanner.

d. In the Port box, view the default (8835) and modify, if necessary.

e. If you want to disable this scanner's connection to Tenable Security Center, click
Enabled to disable the connection.

f. If you want to verify that the hostname or IP address entered in the Host option matches
the CommonName (CN) presented in the SSL certificate from the Tenable Nessus
Network Monitor server, click Verify Hostname to enable the toggle.

g. If you want to use the proxy configured in Tenable Nessus Network Monitor for
communication with the scanner, click Use Proxy to enable the toggle.

h. In the Type drop-down box, select the authentication type.

i. If you selected Password as the Type:

i. In the Username box, type the username for the account generated during the
Tenable Nessus Network Monitor installation for daemon-to-client
communications.

ii. In the Password box, type the password for the account generated during the
Tenable Nessus Network Monitor installation for daemon-to-client
communications.

j. If you selected SSL Certificate as the Type:

i. Click Choose File to upload a certificate.

ii. (Optional) If the private key that decrypts your SSL certificate is encrypted with a
passphrase, in the Certificate Passphrase box, type the passphrase for the private
key.

k. In the Repositories list, select one or more repositories where you want Tenable
Security Center to store the scanner data.

5. Click Submit.

Tenable Security Center saves your configuration.

View Your Tenable Nessus Network Monitor Instances

Required User Role: Administrator

For more information, see Tenable Nessus Network Monitor Instances.

To view your Tenable Nessus Network Monitor instances in Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Nessus Network Monitors.

The Nessus Network Monitor Scanners page appears.

3. View details about each Tenable Nessus Network Monitor instance.

• Name — The name for the instance.

• Status — The status of the instance.

• Host — The IP address of the instance.

• Version — The instance's Tenable Nessus Network Monitor version.

• Uptime — The length of time, in days, that the instance has been running.

• Last Report — The date and time Tenable Nessus Network Monitor most recently
reported data to Tenable Security Center.

4. (Optional) To manually refresh the Status data, at the top of the table, click Update Status.

Tenable Security Center refreshes the Status data.

Tenable Nessus Network Monitor Instance Settings

Use the following options to configure Tenable Nessus Network Monitor instances in Tenable
Security Center, as described in Add a Tenable Nessus Network Monitor Instance.

Option Description

Name Descriptive name for the Tenable Nessus Network Monitor instance.

Description Instance description, location, or purpose.

Host Hostname or IP address of the instance.

Port TCP port that the Tenable Nessus Network Monitor instance listens on
for communications from Tenable Security Center. The default is port
8835.

State An instance may be marked as Enabled or Disabled within Tenable
Security Center to allow or prevent access to the instance.

Authentication Type Select Password or SSL Certificate as the authentication type used
to connect to the Tenable Nessus Network Monitor instance.

Username Username generated during the Tenable Nessus Network Monitor install
for daemon-to-client communications. This must be an administrator user
in order to send plugin updates to the Tenable Nessus Network Monitor
instance. This option is only available if the Authentication Type is set to
Password.

Password The login password for that account. This option is only
available if the Authentication Type is set to Password.

Certificate This option is available if the Authentication Type is SSL Certificate.
Click the Browse button, choose an SSL certificate file, and upload it to
Tenable Security Center.

Certificate Passphrase If you selected SSL Certificate as the Authentication Type and the
private key that decrypts your SSL certificate is encrypted with a
passphrase, the passphrase for the private key.

Verify Hostname Adds a check to verify that the hostname or IP address entered in the
Host option matches the CommonName (CN) presented in the SSL
certificate from the Tenable Nessus Network Monitor server.

Use Proxy Instructs Tenable Security Center to use its configured proxy for
communication with the instance.

Repositories The repositories to which this Tenable Nessus Network Monitor instance
saves its data. If Tenable Nessus Network Monitor reports both IPv4 and
IPv6 data, you must select at least two repositories (one for IPv4 and one
for IPv6 data).

Tenable Log Correlation Engines

Tenable Log Correlation Engine (Log Correlation Engine) is a software module that
aggregates, normalizes, correlates, and analyzes event log data from the many devices within
your infrastructure. Log Correlation Engine can also analyze logs for vulnerabilities.

Tenable Security Center performs vulnerability, compliance, and event management, but without
Log Correlation Engine integration it does not directly receive logs or IDS/IPS events. With Log
Correlation Engine integration, Log Correlation Engine processes the events and passes the results
to Tenable Security Center.

Log Correlation Engine's close integration with Tenable Security Center allows you to centralize log
analysis and vulnerability management for a complete view of your organization’s security posture.

Note: If you add a Log Correlation Engine server to Tenable Security Center and enable Import
Vulnerabilities, Log Correlation Engine data counts against your Tenable Security Center license. For more
information, see License Requirements.

For more information, see Add a Tenable Log Correlation Engine Server.

If remote root or root equivalent user login is prohibited in your environment, you can add the Log
Correlation Engine server using SSH key authentication. For more information, see Manual Log
Correlation Engine Key Exchange.

For information about Tenable Security Center-Tenable Log Correlation Engine communications
encryption, see Encryption Strength.

Tenable Log Correlation Engine Options

Option Description

Name Name for the integrated Tenable Log Correlation Engine.

Description Descriptive text for the integrated Tenable Log Correlation Engine.

Host IP address of the integrated Tenable Log Correlation Engine.

Check Authentication Whether Tenable Security Center checks the status of authentication
between itself and the Log Correlation Engine server.

Organizations Organizations that can access data from the integrated Tenable Log
Correlation Engine.

Repositories The repositories where you want Tenable Security Center to store the
imported Log Correlation Engine data.

Port The port where the Log Correlation Engine reporter is listening on the
Log Correlation Engine server.

Username and Password The username and password you want Tenable Security Center to use for
authentication to the Log Correlation Engine server to retrieve
vulnerability information.

This user account must be able to make changes on the remote system
to enable the SSH key exchange between Tenable Security Center and
Log Correlation Engine. The appropriate permissions level is typically
root, root equivalent, or other high-level user permissions on the Log
Correlation Engine system. Tenable Security Center uses these
credentials a single time to exchange SSH keys for secure
communication between Tenable Security Center and Log Correlation
Engine.

Add a Tenable Log Correlation Engine Server

Required User Role: Administrator

Tip: You can configure more than one Tenable Log Correlation Engine to work with Tenable Security
Center.

Before you begin:

• Confirm you understand the complete scanning configuration process, as described in
Tenable Log Correlation Engines.

To add a Log Correlation Engine server to Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Log Correlation Engines.

The LCE Servers page appears.

3. At the top of the table, click Add.

The Add LCE Server window appears.

4. Configure the General options, as described in Tenable Log Correlation Engines.

a. In the Name box, type a name for the Log Correlation Engine server.

b. In the Description box, type a description for the Log Correlation Engine server.

c. In the Host box, type the hostname or IP address for the Log Correlation Engine server.

d. In the Port box, view the default (1243) and modify, if necessary.

5. (Optional) To allow Tenable Security Center to log in to the Log Correlation Engine server and
retrieve vulnerability information:

a. Enable Import Vulnerabilities.

Note: If you use a Log Correlation Engine server with Tenable Security Center, Tenable
Security Center counts the IP addresses associated with each imported instance against your
license. For more information, see License Requirements.

b. Select a Repository for the event vulnerability data.

c. Type a Username and Password you want Tenable Security Center to use for access to
the Log Correlation Engine server.

6. Click Submit.

Tenable Security Center saves your configuration.

7. (Optional) If you enabled the Check Authentication option above, Tenable Security Center
checks its ability to authenticate with the Log Correlation Engine server.

• If authentication is successful, Tenable Security Center displays a message to
acknowledge that fact.

• If authentication fails, Tenable Security Center prompts you for credentials to the Log
Correlation Engine server:

a. Type a username and password.

b. Click Push Key to initiate the transfer of the SSH Key.

If the transfer is successful, Tenable Security Center displays a message to
acknowledge that fact.

Tenable Log Correlation Engine Clients

The Log Correlation Engine server manages configuration files for Log Correlation Engine 5.x
clients remotely from the command line. Tenable Security Center manages the configuration files
for Tenable Log Correlation Engine 5.x clients via a graphical interface.

The default view for the Log Correlation Engine Clients page displays all of the available clients for
the Tenable Log Correlation Engine server selected in the Filters section, and may be changed by
updating the Log Correlation Engine Server filter. Use the other filter options to narrow down the
displayed clients for the selected server by a mix of criteria based on combinations of the displayed
columns.

Current Log Correlation Engine Client versions display information in the table including their name,
host address, authorization status, client type, host OS, assigned policy file, date last updated, and
client version. Log Correlation Engine Client configurations can be managed from Tenable Security
Center.

Tip: Configured clients prior to version 5.x appear in the list without OS and policy information. However,
these clients cannot have their policy files centrally managed from Tenable Security Center.

Each client may have a name assigned to it to help easily identify the client. The currently assigned
name appears in the Name column. To change the name, click on the client to edit from the list, and
type the name. Client names may not contain spaces. Click the Submit button to save the change.

Log Correlation Engine Clients are initially configured to send their data to a particular Log
Correlation Engine server, but must be authorized by the Log Correlation Engine server for the
server to accept the data. The client's authorization status appears in the left-side column. If there
is no icon, the client is authorized to send data to the Log Correlation Engine server. If there is a
broken link icon, the client is not authorized to send data to the Log Correlation Engine server. To
change a client's authorization, right-click the row for the client or select the check box for the
client, then click Authorize or Revoke Authorization.

Each client must have a policy assigned to it that specifies the appropriate data to send. The
currently assigned policy appears in the Policy column. To change the assigned policy, select the
client to edit and click the appropriate policy from the drop-down box. Search client policies by
name by entering text into the Policy box. Click the Submit button to save the change. The policy
updates on the client on its next connection.

Tenable Log Correlation Engine Client Policies

The Log Correlation Engine Client Policies page contains a list of all the client policies currently
available for use by Log Correlation Engine clients. The list contains the name of the policy, the
operating system it is configured for use on, and the type of client the policy can be applied to.

Example policy files, named default or beginning with TNS-, are available for use. You can
use these policy files as is or export them to be used as a basis for custom policy files. Tenable may
update or change these example policy files without notice, so using them as is may return
different results at a later time.

Use the Add button to add customized Log Correlation Engine Client policy files to the Log
Correlation Engine server and make them available for use. The Name option is appended to the
beginning of the file name and offers a description of the function or use of the policy file. The OS
Type is used in the file name to easily identify the OS for which the policy is designed. The Client
Type indicates the LCE Client for which the policy is written. The Source option is used to select
and upload the custom policy file or type the policy file into the box. Click the Submit button to save
the policy file and send it to the Log Correlation Engine server.

Note: The default and TNS prefixes should only be used by policies supplied by Tenable. If you use default
or TNS as a prefix for custom policy files, they may be overwritten or manipulated.

Right-click or select the check box for a policy, then click Export to save the policy to a local drive.
The file is in XML format, which you can edit with standard text or XML editors.

Right-click or select the check box for a policy, then click View to display the policy name and
source of the policy in a window within Tenable Security Center. You cannot edit the information
from within this window.

Note: For more information on creating Log Correlation Engine Client policy files, see the Tenable Log
Correlation Engine Client Guide.

OT Security Instances

OT Security protects industrial networks by providing industrial and critical infrastructure
operations with visibility, security, and control to ensure safe facility operation while reducing
overall risk. You can use Tenable Security Center to analyze OT Security asset and vulnerability data
alongside your data from other scanners.

When you configure data synchronization from OT Security to Tenable Security Center, OT Security
sends asset and vulnerability data to an agent repository in Tenable Security Center. OT Security
communicates with Tenable Security Center using the Tenable Security Center API.

Note: It is important to restrict the data OT Security collects to only the desired host IP address ranges.
For example, if OT Security collects information on 1100 hosts and Tenable Security Center is licensed for
1000 hosts, OT Security sends all of the data to Tenable Security Center and Tenable Security Center will
indicate that you exceeded your host count. For more information, see License Requirements.

Before you begin:

• Deploy OT Security, as described in the OT Security User Guide.

• Begin vulnerability assessment in OT Security, as described in the OT Security User Guide.

To fully configure data synchronization from OT Security to Tenable Security Center:

1. Add a designated agent repository for OT Security data in Tenable Security Center, as
described in Add a Repository.

2. Using the OT Security API, configure the Tenable Security Center integration to specify the
sync schedule, import repository, and authentication.

What to do next:

• View scan results from OT Security, as described in View Scan Results.

• View vulnerability data filtered by your OT Security repository, as described in Vulnerability
Analysis.

Repositories

Repositories are databases within Tenable Security Center that contain vulnerability data. You can
share repositories with users and organizations based on admin-defined assets. Repositories
provide scalable and configurable data storage. Optionally, you can share repository data between
multiple Tenable Security Centers.

Note: The maximum repository size is 64 GB. For best performance, Tenable recommends splitting
repositories larger than 32 GB.

When adding a local repository, you designate storage within Tenable Security Center for different
types of vulnerability data (identified by IPv4 addresses, IPv6 addresses, agents, or mobile
scanners). Scanners attached to a Tenable Security Center populate your local repositories with
vulnerability data. For more information, see Local Repositories.

When adding an external repository, you access a local repository from another Tenable Security
Center:

• Remote repositories allow you to share repository data from one Tenable Security Center
deployment to your primary Tenable Security Center deployment via an SSH session.

• Offline repositories allow you to share repository data from one Tenable Security Center
deployment to your primary Tenable Security Center deployment via manual export and import
(a .tar.gz archive file). You can combine data from several repository files into a single
offline repository by importing multiple files to the offline repository.

External repository data is static and used solely for reporting purposes. For more information, see
External Repositories.

For more information, see Add a Repository and Manage Repositories. For information about
Tenable Security Center repository data encryption, see Encryption Strength.

Tip: If you need to remove data from a repository (for example, to remove retired asset data or to resolve a
license issue), see the knowledge base article.

Manage Repositories

Required User Role: Administrator

For more information, see Repositories.

To manage your repositories:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. To filter the repositories that appear on the page, apply a filter as described in Apply a Filter.

4. To view details for a repository:

a. Right-click the row for the repository you want to view.

The actions menu appears.

-or-

Select the check box for the repository you want to view.

The available actions appear at the top of the table.

b. Click View.

The View Repository page appears. For more information, see Repository Details.

5. To edit a repository:

a. Right-click the row for the repository you want to edit.

The actions menu appears.

-or-

Select the check box for the repository you want to edit.

The available actions appear at the top of the table.

b. Click More > Edit.

The Edit Repository page appears.

c. Modify the repository options, as described in IPv4/IPv6 Repositories, Mobile
Repositories, Agent Repositories, Universal Repositories, Remote Repositories, or
Offline Repositories.

d. Click Submit.

Tenable Security Center saves your configuration.

6. To export a repository, see Export a Repository.

7. To import a repository file into an offline repository, see Import a Repository.

8. To delete a repository, see Delete a Repository.

Add a Repository

Required User Role: Administrator

For more information about repositories, see Repositories.

To add a repository:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. At the top of the table, click Add.

The Add Repository page appears.

4. Click the tile for the repository type you want to add.

The Add Repository page appears.

5. Configure the options for your repository type:

• IPv4/IPv6 Repositories

• Mobile Repositories

• Agent Repositories

• Universal Repositories

• Remote Repositories

• Offline Repositories

6. Click Submit.

Tenable Security Center saves your configuration.

What to do next:

• If you added an offline repository, export one or more repositories from your other Tenable
Security Center as described in Export a Repository.

• If you added an offline repository, import one or more exported repository files as described
in Import a Repository.

View Your Repositories

Required User Role: Administrator

You can view a list of all repositories on your Tenable Security Center. For more information, see
Repositories.

To view a list of your repositories:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. View details about each repository.

• Name — The name of the repository.

• Vulnerability Count — The total number of vulnerability instances in the repository.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

• IP/Device Count — The total number of assets for which the repository contains
vulnerability data.

• Type — The repository type.

• Capacity — (IPv4, IPv6, Agent, and Universal repositories only) The percentage of
maximum available repository space you are currently using. The maximum repository
size is 64 GB.

Tip: For best performance, Tenable recommends splitting repositories larger than 32 GB.

• Last Updated — The date and time the repository was last updated.

View Repository Details

Required User Role: Administrator

You can view details for any repository. For more information, see Repositories.

To view repository details:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. Right-click the row for the repository you want to view.

The actions menu appears.

-or-

Select the check box for the repository you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Repository page appears.

Section: General
Repository Type: All
Action: View general information for the repository.

• Name — The repository name.

• Description — The repository description.

• IP Count — The total number of assets for which the repository contains
vulnerability data.

• Last Vuln Update — The date and time the repository was last updated.

• Vulnerability Count — The total number of vulnerability instances in the
repository.

Tip: A vulnerability instance is a single instance of a vulnerability appearing
on an asset, identified uniquely by plugin ID, port, and protocol.

• Repository Capacity — (IPv4, IPv6, Agent, and Universal repositories only)
The percentage of maximum available repository space you are currently
using. The maximum repository size is 64 GB.

Tip: For best performance, Tenable recommends splitting repositories larger
than 32 GB.

• Created — The date the repository was created.

• Last Modified — The date the repository was last modified.

• ID — The repository ID.

Section: MDM
Repository Type: Mobile
Action: View a summary of your settings for the repository. For more
information about a setting, see Mobile Repositories.

Section: Data
Repository Type: IPv4/IPv6, Agent, Remote, Offline, Universal
Action: View a summary of the repository data (for example, the IP address
range). For more information, see:

• IPv4/IPv6 Repositories

• Agent Repositories

• Universal Repositories

• Remote Repositories

• Offline Repositories

Section: Access
Repository Type: All
Action: View the name of the organizations with access to this repository.

Section: Advanced Settings
Repository Type: IPv4/IPv6, Agent, Remote, Offline, Universal
Action: View a summary of your settings for the repository. For more
information about a setting, see:

• IPv4/IPv6 Repositories

• Agent Repositories

• Universal Repositories

• Remote Repositories

• Offline Repositories

Section: Tenable Synchronization Data
Repository Type: All supported for Tenable Lumin synchronization
Action: View synchronization summary data:

• Status — The status of the repository in Tenable Lumin synchronization:

  • Finished — The most recent synchronization that included this
  repository succeeded.

  • Not Synced — The repository is not configured for Tenable Lumin
  synchronization.

  • Error — An error occurred. For more information, see View Tenable
  Lumin Data Logs.

• First Synchronization — The date and time of the first synchronization
of this repository.

• Last Success — The date and time of the most recent synchronization of
this repository.

• Last Failure — The date and time of the most recent failed
synchronization of this repository.

For more information about Tenable Lumin synchronization, see Tenable Lumin
Synchronization.

Section: Vulnerability Data Lifetime
Repository Type: IPv4/IPv6, Agent, Universal
Action: View the data expiration settings for the repository. For more
information, see:

• IPv4/IPv6 Repositories

• Agent Repositories

• Universal Repositories

Export a Repository

Required User Role: Administrator

You can export a repository from one Tenable Security Center and import it as an offline repository
on another Tenable Security Center. You can export repositories via the Tenable Security Center
user interface or the CLI. For more information, see Offline Repositories.

Note: Depending on the size of the repository database, this file can be quite large. It is important to save
the file to a location with sufficient free disk space.

Tip: If the repository you want to export has trend data enabled and you want to include trend data in your
repository export, export the repository via the CLI. Repositories that you export via the user interface do
not include trend data. For more information about trend data, see IPv4/IPv6 Repositories, Agent
Repositories, and Universal Repositories.

To export a repository via the user interface:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. Right-click the row for the repository you want to export.

The actions menu appears.

-or-

Select the check box for the repository you want to export.

The available actions appear at the top of the table.

4. Click Export.

Tenable Security Center exports the repository.

To export a repository via the CLI:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. Prepare the command you want to run.

/opt/sc/customer-tools/exportRepository.sh [repID] [trendingDays] [trendWithRaw]

Variable Description

repID The repository ID of the repository you want to export. To locate
the repository ID, view the details for the repository, as described
in View Repository Details.

trendingDays (IP, Agent, and Universal repositories only) The number of days of
vulnerability trending data to include. To use the preconfigured
repository setting, type default.

Note: The number of days of trending data included in the export
cannot exceed the Days Trending setting for the repository or the
number of days of trending data available for the repository. For
example, if you request 30 days of trending data, but trending data
has been enabled for only 15 days, then the export includes only 15
days of trending data. For more information about repository
settings, see IPv4/IPv6 Repositories, Agent Repositories, and
Universal Repositories.

trendWithRaw (IP, Agent, and Universal repositories only) Specify whether you
want the export to include plugin output data: yes or no. To use
the preconfigured repository setting, type default.

(Optional) To automatically overwrite an existing repository file with the same name, include
the optional argument -f.

3. In the CLI in Tenable Security Center, run the export command.

For example:

/opt/sc/customer-tools/exportRepository.sh -f 1 default default

Tenable Security Center exports the repository.

What to do next:

• To import the repository to another Tenable Security Center, add an offline repository to that
Tenable Security Center, as described in Add a Repository.
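The CLI export above takes three positional arguments and an optional -f flag, and the note earlier warns that the export file can be large. The following wrapper is an added example (not Tenable's code and not part of this guide): it validates the arguments before invoking /opt/sc/customer-tools/exportRepository.sh in the order the guide documents, and refuses to start when the filesystem is low on space. The directory it checks (/opt/sc), the 20 GiB threshold, and all function names are this example's own assumptions; adjust them to where your deployment writes the export.

```python
"""Run a Tenable Security Center repository export from the CLI with
argument validation and a free-disk-space check.

Added example, not part of Tenable Security Center. It wraps the
exportRepository.sh command documented in the guide; the argument order
(optional -f, then repID, trendingDays, trendWithRaw) is taken from the
guide. The free-space threshold, the directory checked and the function
names are this example's own assumptions.
"""
import os
import shutil
import subprocess
import sys
from typing import List

EXPORT_SCRIPT = "/opt/sc/customer-tools/exportRepository.sh"  # path from the guide
# Assumption: the export lands on the filesystem that holds /opt/sc and we
# want at least this much room before starting; adjust for your deployment.
EXPORT_CHECK_DIR = "/opt/sc"
MIN_FREE_BYTES = 20 * 1024 ** 3


def build_export_args(rep_id: int, trending_days="default",
                      trend_with_raw: str = "default",
                      overwrite: bool = False) -> List[str]:
    """Return the argument vector for exportRepository.sh.

    rep_id:         the repository ID shown on the View Repository page.
    trending_days:  number of days of trend data, or "default" to use the
                    repository's own Days Trending setting.
    trend_with_raw: "yes"/"no" to include plugin output, or "default".
    overwrite:      add -f so an existing export file is replaced.
    """
    if int(rep_id) < 1:
        raise ValueError("repID must be a positive repository ID")
    days = str(trending_days)
    if days != "default" and not days.isdigit():
        raise ValueError('trendingDays must be a whole number or "default"')
    if trend_with_raw not in ("yes", "no", "default"):
        raise ValueError('trendWithRaw must be "yes", "no" or "default"')
    args = [EXPORT_SCRIPT]
    if overwrite:
        args.append("-f")  # the guide's example puts -f before the positional arguments
    args += [str(int(rep_id)), days, trend_with_raw]
    return args


def free_bytes(path: str) -> int:
    """Free space, in bytes, on the filesystem that holds path."""
    return shutil.disk_usage(path).free


def run_export(rep_id: int, trending_days="default", trend_with_raw="default",
               overwrite=False, min_free=MIN_FREE_BYTES,
               check_dir=EXPORT_CHECK_DIR) -> List[str]:
    """Validate, check disk space, then run the export; returns the argv used."""
    args = build_export_args(rep_id, trending_days, trend_with_raw, overwrite)
    if not os.path.isfile(EXPORT_SCRIPT):
        raise FileNotFoundError(f"{EXPORT_SCRIPT} not found; run this on the "
                                "Tenable Security Center host")
    if free_bytes(check_dir) < min_free:
        raise RuntimeError(f"less than {min_free // 1024 ** 3} GiB free under "
                           f"{check_dir}; free space before exporting")
    subprocess.run(args, check=True)
    return args


if __name__ == "__main__":
    # usage: export_repo.py REPID [trendingDays] [trendWithRaw] [-f]
    positional = [a for a in sys.argv[1:] if a != "-f"]
    if not positional:
        sys.exit("usage: export_repo.py REPID [trendingDays] [trendWithRaw] [-f]")
    print(run_export(int(positional[0]), *positional[1:3],
                     overwrite="-f" in sys.argv))
```

Running the script with `1 -f` reproduces the guide's own example invocation, `exportRepository.sh -f 1 default default`.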

Import a Repository

Required User Role: Administrator

You can import one or more repository files to an offline repository. For more information, see
Offline Repositories.

Note: When importing the repository archive, the default maximum file import size is 360MB. This is
specified by the post_max_size directive in /opt/sc/support/etc/php.ini. If larger file uploads are
required, increase the default value.

Before you begin:

• Export one or more repository files from your other Tenable Security Center, as described in
Export a Repository.

• Add an offline repository, as described in Add a Repository.

To import an exported repository to an offline repository:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. Right-click the row for the offline repository you created.

The actions menu appears.

-or-

Select the check box for the offline repository you created.

The available actions appear at the top of the table.

4. Click Upload and browse to the file you want to upload.

Tenable Security Center imports the repository.
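The note at the top of this section ties the maximum import size to post_max_size in /opt/sc/support/etc/php.ini (default 360MB). The following added example (not Tenable's code) reads that directive from the php.ini text, converts PHP's shorthand size notation to bytes, and tells you before you click Upload whether an exported archive will fit. The sample php.ini excerpt is constructed for illustration, and the function names are this example's own.

```python
"""Check whether a repository archive fits the PHP upload limit before
uploading it to an offline repository.

Added example, not Tenable code. The guide states that the maximum
import size is set by post_max_size in /opt/sc/support/etc/php.ini
(default 360MB). This script reads that directive, converts PHP's
shorthand size notation (K, M, G suffixes) to bytes and compares it with
the archive size. The php.ini excerpt below is constructed.
"""
import os
import re
from typing import Optional

PHP_INI = "/opt/sc/support/etc/php.ini"  # path from the guide

# Constructed excerpt for illustration; not the real file.
SAMPLE_PHP_INI = """\
; constructed php.ini excerpt
memory_limit = 512M
post_max_size = 360M
upload_max_filesize = 360M
"""

_SIZE_RE = re.compile(r"^\s*(\d+)\s*([KMGkmg]?)\s*$")
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def php_size_to_bytes(value: str) -> int:
    """Convert a PHP shorthand size such as 360M, 2G or 1048576 to bytes.

    Only whole numbers with an optional K/M/G suffix are accepted; anything
    else raises ValueError rather than silently guessing.
    """
    m = _SIZE_RE.match(value)
    if not m:
        raise ValueError(f"unsupported size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def read_post_max_size(ini_text: str) -> Optional[str]:
    """Return the post_max_size value from php.ini text, or None if unset.

    Comment lines (starting with ;) and trailing comments are ignored; if
    the directive appears more than once the last occurrence is used.
    """
    found = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        key, sep, val = stripped.partition("=")
        if sep and key.strip() == "post_max_size":
            found = val.split(";", 1)[0].strip().strip('"')
    return found


def archive_fits(archive_size: int, ini_text: str) -> bool:
    """True if an archive of archive_size bytes is within post_max_size."""
    raw = read_post_max_size(ini_text)
    if raw is None:
        raise ValueError("post_max_size is not set in the php.ini text")
    return archive_size <= php_size_to_bytes(raw)


def check_archive(archive_path: str, ini_path: str = PHP_INI) -> bool:
    """Read the real php.ini and compare it with the archive on disk."""
    with open(ini_path, encoding="utf-8") as f:
        return archive_fits(os.path.getsize(archive_path), f.read())
```

Call `check_archive("/path/to/export.tar.gz")` on the Tenable Security Center host; a False result means the note's advice applies and post_max_size must be raised before the upload will succeed. PHP also caps individual file uploads with upload_max_filesize, which the guide does not mention, so raise both directives together when you increase the limit.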

Delete a Repository

Required User Role: Administrator

To delete a repository:

1. Log in to Tenable Security Center via the user interface.

2. Click Repositories > Repositories.

The Repositories page appears.

3. Select the repository you want to delete:

To delete a single repository:

a. In the table, right-click the row for the repository you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple repositories:

a. In the table, select the check box for each repository you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click More > Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the repository.

Local Repositories

When adding local repositories, you designate storage within Tenable Security Center for different
types of vulnerability data. Scanners attached to a Tenable Security Center populate your local
repositories with vulnerability data.

Tenable Security Center supports four types of local repositories: IPv4/IPv6 Repositories, Mobile
Repositories, Agent Repositories, and Universal Repositories.

For more information, see Repositories and Add a Repository.

IPv4/IPv6 Repositories

These are the most common types of repositories used with Tenable Security Center. They store
IPv4 and IPv6 data from active and passive scans. Data stored in local repositories can be shared
between organizations and includes the full range of event and vulnerability metadata.

Caution: When creating Tenable Security Center IPv4 or IPv6 repositories, Log Correlation Engine event
source IP address ranges must be included along with the vulnerability IP address ranges or the event data
and event vulnerabilities are not accessible from the Tenable Security Center user interface.

For more information, see Add a Repository.

IP Repository Options

Option Description

General

Name: The repository name.

Description: (Optional) A description for the repository.

Data

IP Ranges: Specifies the IP address range of vulnerability data you want to store in the
repository. Type the range as a comma-separated list of IP addresses, IP address ranges, and/or
CIDR blocks.

Access

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

Advanced Settings

Generate Trend Data: When enabled, Tenable Security Center generates trend data by taking
periodic snapshots of the cumulative database. Trend data is displayed in some Tenable Security
Center tools (e.g., trending line charts and trending area charts). Tenable Security Center also
produces differential data (snapshot comparison data), which improves performance when
displaying trend data in Tenable Security Center tools.

Tip: Disable this option to reduce your disk space usage.

Days Trending: Specifies the number of days of cumulative vulnerability data that you want
Tenable Security Center to display in dashboard and report vulnerability trending displays.

Enable Full Text Search: When enabled, Tenable Security Center includes vulnerability text in
periodic snapshots of .nessus data for vulnerability trending purposes. For more information
about the Vulnerability Text filter component, see Vulnerability Analysis Filter Components.

Log Correlation Engine Correlation: The Log Correlation Engine server where you want Tenable
Security Center to retrieve data. The data retrieved depends on the Import Vulnerabilities setting
in your Log Correlation Engine server configuration:

- If Import Vulnerabilities is enabled, Tenable Security Center retrieves vulnerability data and
  Log Correlation Engine events.

- If Import Vulnerabilities is disabled, Tenable Security Center retrieves Log Correlation Engine
  events.

Note: Not supported for IPv6 repositories.

Vulnerability Data Lifetime (Data Expiration Settings)

Active: The number of days you want Tenable Security Center to retain active scan vulnerability
data stored in IP repositories. The default value of this option is 365 days.

Passive: The number of days you want Tenable Security Center to retain Tenable Nessus Network
Monitor vulnerability data stored in IP repositories. The default value of this option is 7 days.

Event: (IPv4 repositories only) The number of days you want Tenable Security Center to retain
Log Correlation Engine event data stored in IP repositories. The default value of this option is
365 days.

Compliance: The number of days you want Tenable Security Center to retain audit compliance data
stored in IP repositories. The default value of this option is 365 days.

Mitigated: The number of days you want Tenable Security Center to retain mitigated vulnerability
data. The default value of this option is 365 days.
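The IP Ranges format above, and the Caution that Log Correlation Engine event source addresses must fall inside the repository's ranges, can be checked before you save the repository. The following Python script is an added example, not code from the Tenable guide or product; the repository ranges and event source addresses in it are constructed sample values.

```python
import ipaddress

# Added example (not part of the Tenable Security Center guide): parse a repository
# "IP Ranges" value and check that the Log Correlation Engine event source addresses
# fall inside it, as the Caution in the IPv4/IPv6 Repositories section requires.
# All sample values are constructed.


def parse_ip_ranges(spec):
    """Parse an IP Ranges value into a list of ipaddress network objects.

    The field accepts a comma-separated list of single IP addresses,
    dash-separated address ranges (start-end) and CIDR blocks, IPv4 or IPv6.
    """
    networks = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing commas and stray whitespace
        if "-" in item:
            start_text, end_text = item.split("-", 1)
            start = ipaddress.ip_address(start_text.strip())
            end = ipaddress.ip_address(end_text.strip())
            if start.version != end.version or end < start:
                raise ValueError(f"invalid address range: {item!r}")
            # Expand the range into the minimal set of CIDR blocks that cover it.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # A bare address becomes a /32 or /128; host bits in a CIDR block are masked off.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def covers(spec, address):
    """Return True if the address lies inside any network described by spec."""
    addr = ipaddress.ip_address(address)
    # 'in' is False across address families, so an IPv6 network never covers an IPv4 address.
    return any(addr in net for net in parse_ip_ranges(spec))


def uncovered_sources(spec, event_sources):
    """Return the event source addresses that the repository IP Ranges do not include."""
    return [src for src in event_sources if not covers(spec, src)]


def extended_ip_ranges(spec, event_sources):
    """Return an IP Ranges value that also includes every event source address.

    Existing networks and the missing sources are collapsed per address family,
    so adjacent blocks merge and duplicates disappear. Ranges come back as CIDR blocks.
    """
    networks = parse_ip_ranges(spec)
    networks += [ipaddress.ip_network(src) for src in uncovered_sources(spec, event_sources)]
    merged = []
    for version in (4, 6):
        family = [net for net in networks if net.version == version]
        merged.extend(ipaddress.collapse_addresses(family))
    return ", ".join(str(net) for net in merged)


if __name__ == "__main__":
    # Constructed sample: the repository stores one /8 and a short range of addresses,
    # while the LCE servers report events from three hosts, one of which lies outside.
    repo_ranges = "10.0.0.0/8, 192.168.1.1-192.168.1.50"
    lce_sources = ["10.1.2.3", "192.168.1.51", "172.16.0.5"]
    print("event sources outside the repository:", uncovered_sources(repo_ranges, lce_sources))
    print("corrected IP Ranges:", extended_ip_ranges(repo_ranges, lce_sources))
```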

Mobile Repositories
The mobile repository is a local type that stores data from various servers. For more information,
see Add a Repository.

General Options

Configure the following options for all mobile repository types.

Option Description Default

Name: The repository name.

Description: (Optional) A description for the repository.

Type: The type of repository you want to configure. Your Type selection determines the
type-specific options you must configure:

- ActiveSync Options

- AirWatch MDM Options

- Apple Profile Manager Options

- Blackberry UEM Options

- Good MDM Options

- MaaS360 Options

- Microsoft Intune Options

- MobileIron Options

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

ActiveSync Options

The following table describes the additional options to configure when creating an ActiveSync
mobile repository.

Option Description Default

Domain Controller: The domain controller for ActiveSync.

Domain: The Windows domain for ActiveSync.

Domain Username: The username for the domain administrator's account that Tenable Security
Center uses to authenticate to ActiveSync.

Domain Password: The password for the domain administrator user.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

AirWatch MDM Options

The following table describes the additional options to configure when creating an AirWatch MDM
mobile repository.

Option Description Default

AirWatch Environment API URL: The AirWatch API URL endpoint. (For example,
https://xxx.awmdm.com/api)

Port: The TCP port that AirWatch listens on for communications from Tenable. (Default: 443)

Username: The username for the AirWatch user account Tenable uses to authenticate to Workspace
ONE's API.

Password: The password for the AirWatch user.

API Key: The API key for the AirWatch API.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled,
Tenable connects using standard HTTP. (Default: Enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is
signed by a trusted CA. (Default: Enabled)

Tip: If you are using a self-signed certificate, disable this setting.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

Apple Profile Manager Options

The following table describes the additional options to configure when creating an Apple Profile
Manager mobile repository.

Option Description Default

Server: The server URL Tenable Security Center uses to authenticate with Apple Profile Manager.

Port: The TCP port that Apple Profile Manager listens on for communications from Tenable
Security Center. (Default: 443)

Username: (Optional) The username for the Apple Profile Manager user account Tenable Security
Center uses to authenticate to Apple Profile Manager.

Password: (Optional) The password for the Apple Profile Manager user.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled,
Tenable connects using standard HTTP. (Default: Enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is
signed by a trusted CA. (Default: Enabled)

Tip: If you are using a self-signed certificate, disable this setting.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

Blackberry UEM Options

The following table describes the additional options to configure when creating a Blackberry UEM
mobile repository.

Option Description Default

Hostname: The hostname for the Blackberry UEM server.

Port: The port you want Tenable Security Center to use for authenticating to the Blackberry UEM
server.

Tenant: The SRP ID value in Blackberry UEM.

Domain: (Optional) The domain name value in Blackberry UEM.

Username: The username for the Blackberry UEM user account Tenable Security Center uses to
authenticate to Blackberry UEM.

Password: The password for the Blackberry UEM user.

SSL: When enabled, Tenable Security Center uses an encrypted connection to authenticate with
Blackberry UEM. (Default: Disabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is
signed by a trusted CA. (Default: Disabled)

Tip: If you are using a self-signed certificate, disable this setting.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

Good MDM Options

The following table describes the additional options to configure when creating a Good MDM mobile
repository.

Option Description Default

Server: The server URL Tenable Security Center uses to authenticate with Good MDM.

Port: The TCP port that Good MDM listens on for communications from Tenable Security Center.

Domain: The domain name for Good MDM.

Username: The username for the Good MDM user account Tenable Security Center uses to
authenticate to Good MDM.

Password: The password for the Good MDM user.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled,
Tenable connects using standard HTTP. (Default: Enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is
signed by a trusted CA. (Default: Enabled)

Tip: If you are using a self-signed certificate, disable this setting.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

MaaS360 Options

The following table describes the additional options to configure when creating a MaaS360 mobile
repository.

Option Description Default

Username: The username for the MaaS360 user account Tenable Security Center uses to
authenticate to MaaS360.

Password: The password for the MaaS360 user.

Root URL: The URL Tenable Security Center uses to authenticate to MaaS360.

Platform ID: The ID for the device platform.

Billing ID: The billing ID for the MaaS360 account.

App ID: The ID for the MaaS360 application.

App Version: The MaaS360 application version.

App Access Key: The access key for the MaaS360 application.

Collect All Device Data: When enabled, a mobile repository scan collects all data. (Default:
Enabled) When disabled, you can select which types of data a mobile repository scan collects:

- Collect Device Summary

- Collect Device Applications

- Collect Device Compliance

- Collect Device Policies

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

Intune Options

The following table describes the additional options to configure when creating a Microsoft Intune
mobile repository.

Option Description Default

Intune Tenant: The Microsoft Azure Directory value in your Microsoft Intune registration.

Intune Client: The Microsoft Azure Application value generated during your Microsoft Intune
registration.

Intune Secret: The Microsoft Azure client secret key.

Intune Username: The username for the Microsoft Intune user account Tenable Security Center
uses to authenticate to Microsoft Intune.

Intune Password: The password for the Microsoft Intune user.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

MobileIron Options

The following table describes the additional options to configure when creating a MobileIron mobile
repository.

Option Description Default

MobileIron VSP Admin Portal URL: The server URL Tenable Security Center uses to authenticate to
the MobileIron administrator portal.

VSP Admin Portal Port: (Optional) The TCP port that the MobileIron administrator portal listens
on for communications from Tenable Security Center.

MobileIron Port: The TCP port that MobileIron listens on for communications from Tenable
Security Center. (Default: 443)

Username: The username for the MobileIron administrator account Tenable Security Center uses
to authenticate to MobileIron.

Password: The password for the MobileIron administrator user.

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled,
Tenable connects using standard HTTP. (Default: Enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is
signed by a trusted CA. (Default: Enabled)

Tip: If you are using a self-signed certificate, disable this setting.

Scanner: Specifies which Tenable Nessus scanner Tenable Security Center uses when scanning the
server. Tenable Security Center can only use one Tenable Nessus scanner to add data to a mobile
repository.

Update Schedule: Specifies when Tenable Security Center scans the server to update the mobile
repository. On each scan, Tenable Security Center removes the current data in the repository and
replaces it with data from the latest scan. (Default: Every day at 12:30 -04:00)

Agent Repositories
Agent repositories can store data from Tenable Nessus Agents (identified by agent ID) or
OT Security (identified by OT Security UUID).

An agent ID uniquely identifies agent-detected assets that may share a common IP address.

OT Security assigns UUIDs to assets to uniquely identify them, since not all operational technology
assets have IP addresses. Then, Tenable Security Center uses the UUIDs to uniquely identify
OT Security data in Tenable Security Center. For more information about viewing OT Security data
in Tenable Security Center, see OT Security Instances.

For more information, see Add a Repository.

Agent Repository Options

Option Description

General

Name: The repository name.

Description: (Optional) A description for the repository.

Access

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

Advanced Settings

Generate Trend Data: When enabled, Tenable Security Center generates trend data by taking
periodic snapshots of the cumulative database. Trend data is displayed in some Tenable Security
Center tools (e.g., trending line charts and trending area charts). Tenable Security Center also
produces differential data (snapshot comparison data), which improves performance when
displaying trend data in Tenable Security Center tools.

Tip: Disable this option to reduce your disk space usage.

Days Trending: Specifies the number of days of cumulative vulnerability data that you want
Tenable Security Center to display in dashboard and report vulnerability trending displays.

Enable Full Text Search: When enabled, Tenable Security Center includes vulnerability text in
periodic snapshots of .nessus data for vulnerability trending purposes. For more information
about the Vulnerability Text filter component, see Vulnerability Analysis Filter Components.

Vulnerability Data Lifetime (Data Expiration Settings)

Active: The number of days you want Tenable Security Center to retain agent scan vulnerability
data stored in agent repositories. The default value of this option is 365 days.

Compliance: The number of days you want Tenable Security Center to retain audit compliance data
stored in repositories. The default value of this option is 365 days.

Mitigated: The number of days you want Tenable Security Center to retain mitigated vulnerability
data. The default value of this option is 365 days.

Universal Repositories
Universal repositories can store data from Tenable Nessus, Tenable Nessus Agent, and Tenable OT
Security scans, as well as IPv4 and IPv6 data from Tenable Nessus Network Monitor, and Log
Correlation Engine scans.

Tenable Security Center assigns UUIDs to assets to uniquely identify vulnerability data in universal
repositories, since not all operational technology assets have IP addresses or Tenable UUIDs.

For more information, see Add a Repository.

Universal Repository Options

Option Description

General

Name: The repository name.

Description: (Optional) A description for the repository.

Data

IP Ranges: Specifies the IP address range of vulnerability data you want to store in the
repository. Type the range as a comma-delimited list of IP addresses, IP address ranges, and/or
CIDR blocks.

Note: Agent scans and Tenable OT Security scans into universal repositories are not restricted by
IP range.

Access

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

Advanced Settings

Generate Trend Data: When enabled, Tenable Security Center generates trend data by taking
periodic snapshots of the cumulative database. Trend data is displayed in some Tenable Security
Center tools (e.g., trending line charts and trending area charts). Tenable Security Center also
produces differential data (snapshot comparison data), which improves performance when
displaying trend data in Tenable Security Center tools.

Tip: Disable this option to reduce your disk space usage.

Days Trending: Specifies the number of days of cumulative vulnerability data that you want
Tenable Security Center to display in dashboard and report vulnerability trending displays.

Enable Full Text Search: When enabled, Tenable Security Center includes vulnerability text in
periodic snapshots of .nessus data for vulnerability trending purposes. For more information
about the Vulnerability Text filter component, see Vulnerability Analysis Filter Components.

Vulnerability Data Lifetime (Data Expiration Settings)

Active: The number of days you want Tenable Security Center to retain active scan vulnerability
data stored in universal repositories. The default value of this option is 365 days.

Passive: The number of days you want Tenable Security Center to retain passive scan vulnerability
data stored in universal repositories. The default value of this option is 7 days.

Event: The number of days you want Tenable Security Center to retain event data stored in
universal repositories. The default value of this option is 365 days.

Compliance: The number of days you want Tenable Security Center to retain audit compliance data
stored in universal repositories. The default value of this option is 365 days.

Mitigated: The number of days you want Tenable Security Center to retain mitigated vulnerability
data stored in universal repositories. The default value of this option is 365 days.

External Repositories
When adding an external repository, you access a local repository from another Tenable Security
Center:

- Offline repositories allow you to share repository data from one Tenable Security Center
  deployment to your primary Tenable Security Center deployment via manual export and import
  (a .tar.gz archive file). You can combine data from several repository files into a single
  offline repository by importing multiple files to the offline repository.

- Remote repositories allow you to share repository data from one Tenable Security Center
  deployment to your primary Tenable Security Center deployment via an SSH session.

External repository data is static and used solely for reporting purposes. For more information, see
Offline Repository Options and Remote Repositories.

For more information, see Repositories and Add a Repository.

Offline Repositories

Offline repositories allow you to share repository data from one Tenable Security Center
deployment to your primary Tenable Security Center deployment via manual export and import (a
.tar.gz archive file). You can combine data from several repository files into a single offline
repository by importing multiple files to the offline repository.

Offline repositories are particularly useful to export data from air-gapped instances of Tenable
Security Center. For more information, see Considerations for Air-Gapped Environments.

Note: You cannot set an offline repository as the Import Repository for active scans. You can only use
offline repository data for reporting purposes.

To fully configure an offline repository:

1. Add an offline repository to your primary Tenable Security Center deployment.

2. Export one or more repositories from your other Tenable Security Center deployment.

3. Import one or more repositories to the offline repository on your primary Tenable Security
Center deployment.

Offline Repository Options

Option Description

General

Name: The repository name.

Description: (Optional) A description for the repository.

Data

Data Type: The type of data in the other Tenable Security Center repository: IPv4, IPv6, Mobile,
Agent, or Universal.

IP Ranges: If the Data Type is IPv4 or IPv6, specifies the IP address range of vulnerability data
that you want to view in the offline repository. For example, to view all data from the exported
repository file, specify a range that includes all data in that repository. Type the range as a
comma-delimited list of IP addresses, IP address ranges, and/or CIDR blocks. For more
information, see IPv4/IPv6 Repositories.

Type: If the Data Type is Mobile, the type of mobile repository: ActiveSync, AirWatch MDM, Apple
Profile Manager, Blackberry UEM, Good MDM, Microsoft Intune, or MobileIron. For more information,
see Mobile Repositories.

Access

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

Advanced Settings

Generate Trend Data: When enabled, Tenable Security Center generates trend data by taking
periodic snapshots of the cumulative database. Trend data is displayed in some Tenable Security
Center tools (e.g., trending line charts and trending area charts). Tenable Security Center also
produces differential data (snapshot comparison data), which improves performance when
displaying trend data in Tenable Security Center tools.

Tip: Disable this option to reduce your disk space usage.

Days Trending: Specifies the number of days of cumulative vulnerability data that you want
Tenable Security Center to display in dashboard and report vulnerability trending displays.

Enable Full Text Search: When enabled, Tenable Security Center includes vulnerability text in
periodic snapshots of .nessus data for vulnerability trending purposes. For more information
about the Vulnerability Text filter component, see Vulnerability Analysis Filter Components.

Remote Repositories
Remote repositories allow you to share repository data from one Tenable Security Center
deployment to your primary Tenable Security Center deployment via an SSH session.

Note: You cannot set a remote repository as the Import Repository for active scans. You can use remote
repository data only for reporting purposes.

Note: Ensure all your Tenable Security Center deployments are running the same version. For example, if
your remote repository exists on a Tenable Security Center running a later version than your primary
Tenable Security Center deployment, upgrade your primary Tenable Security Center deployment to the
same version.

For more information, see Add a Repository.

To use tiered remote repositories for large enterprise deployments of Tenable Security Center, see
Tiered Remote Repositories.

Option Description

General

Name: The repository name.

Description: (Optional) A description for the repository.

Remote Tenable Security Center

Host: The IP address for the host you want to synchronize with to obtain repository data. After
you type the IP address:

1. Click Request Repositories.

2. Type the username and password for an administrator account on the remote Tenable Security
   Center.

   The Tenable Security Center deployments exchange SSH keys, and the system populates the
   Repository list with all available repositories from the remote Tenable Security Center.

Repository: The remote repository you want to collect IP addresses and vulnerability data from.

Update Schedule: Sets the schedule for the remote server to be queried for updated information.

Access

Organizations: Specifies which organizations have access to the vulnerability data stored in the
repository. If groups are configured for the organization, Tenable Security Center prompts you to
grant or deny access to all of the groups in the organization. For more granular control, grant
access within the settings for that group.

Tiered Remote Repositories


Remote repositories allow you to share repository data from one Tenable Security Center
deployment to your primary Tenable Security Center deployment via an SSH session.

A tiered remote repository configuration uses remote repositories to share data between multiple
Tenable Security Center instances.

- If you plan to support 100,000-249,999 hosts, Tenable recommends a tiered remote repository
  configuration.

- If you plan to support 250,000 or more hosts, Tenable requires a tiered remote repository
  configuration.

Tiered Tenable Security Center instances perform informal roles in your overall Tenable Security
Center deployment. Tenable recommends at least one designated reporting Tenable Security
Center and an additional Tenable Security Center instance for every 100,000 to 150,000 hosts on
your network.

- A scanning tier Tenable Security Center optimizes scanning by managing scan jobs across
  your attached scanners. Scanning tier Tenable Security Center instances prioritize efficient
  collection of scan data.

- A reporting tier Tenable Security Center optimizes dashboards and reporting by centralizing
  the data collected by scanning tier Tenable Security Center instances.

Note: Your scanning tier and reporting tier Tenable Security Center instances must be running the same
Tenable Security Center version.

Without a tiered remote repository configuration, enterprise-scale scanning and analysis may cause
performance issues on a single Tenable Security Center. Tiered remote repositories optimize your
analysis and report generation without negatively impacting scanning performance.

For more information, see Configure Tiered Remote Repositories.

Tip: Configuring tiered remote repositories does not allow you to monitor the status of scanning tier
Tenable Security Center instances. To monitor the status of multiple Tenable Security Center instances,
connect your Tenable Security Center instances to Tenable Security Center Director. For more information
about Tenable Security Center Director, see the Tenable Security Center Director User Guide.

Configure Tiered Remote Repositories


You may want to configure tiered remote repositories in large deployments of Tenable Security
Center. For more information, see Tiered Remote Repositories.

To configure a tiered remote repository deployment:

1. On the scanning tier Tenable Security Center instance, create one or more repositories for
storing scan result data.

Note: To view trend data for scanning tier Tenable Security Center instances on your
reporting tier Tenable Security Center instance, enable the Generate Trend Data option
for each repository on your scanning tier Tenable Security Center instances. For more
information, see Agent Repositories and IPv4/IPv6 Repositories.

2. On the scanning tier Tenable Security Center instance, run scans to populate the repositories
with data.

3. On the reporting tier Tenable Security Center instance, create a remote repository for each
repository on your scanning tier Tenable Security Center instance.

The reporting tier Tenable Security Center syncs scan result data from the scanning tier
Tenable Security Center repositories.

Active Scans
In active scanning, the scanner sends packets to a remote target to provide a snapshot of network
services and applications. Tenable Security Center compares this data to a plugin database to
determine if any vulnerabilities are present. Tenable Security Center can also use a scanner located
outside the local network to simulate what an external entity might see.

For more information about supported active scanner types (Tenable Nessus and Tenable
Vulnerability Management deployments) in Tenable Security Center, see Tenable Nessus Scanners.

You can use credentialed Tenable Nessus scans, a type of active scanning, to perform highly
accurate and rapid patch, configuration, and vulnerability audits on Unix, Windows, Cisco, and
database systems by actually logging in to the target system with provided credentials.
Credentialed scans can also enumerate all UDP and TCP ports in just a few seconds. Tenable
Security Center can manage these credentials securely across thousands of different systems and
also share the results of these audits only with users who need to access them.

For more information, see Manage Active Scans and Active Scan Settings.

To fully configure active scans using a Tenable Nessus or Tenable Vulnerability
Management scanner:

1. If you are configuring a Tenable Nessus scanner (not a Tenable Vulnerability Management
deployment), configure scanning in Tenable Nessus, as described in Scans in the Tenable
Nessus User Guide.

Note: For information about credentialed scanning in Tenable Nessus, see Credentialed Checks in the
Tenable Nessus User Guide.

2. Add the Tenable Nessus scanner or your Tenable Vulnerability Management deployment in
Tenable Security Center, as described in Tenable Nessus Scanners.

3. Add a scan zone in Tenable Security Center, as described in Add a Scan Zone.

4. Add a repository for the scan data in Tenable Security Center, as described in Add a
Repository.

5. Create active scan objects in Tenable Security Center, as described in:

a. Add a Template-Based Asset or Add a Custom Asset.

b. Add Credentials.

c. Add a Template-Based Audit File or Add a Custom Audit File.

d. Add a Scan Zone.

e. Add a Scan Policy.

6. Add an active scan in Tenable Security Center, as described in Add an Active Scan.

What to do next:
l View scan results, as described in Scan Results.

l View vulnerability data by IP address, as described in Vulnerability Analysis.

Special Active Scans


Diagnostic Scans

If you experience issues with an active scan, Tenable Support may ask you to run a diagnostic scan
to assist with troubleshooting. After Tenable Security Center runs the diagnostic scan, download
the diagnostic file and send it to Tenable Support.

For more information, see Run a Diagnostic Scan.

Remediation Scans

You can run a remediation scan to run a follow-up active scan against existing active scan results. A
remediation scan evaluates a specific plugin against a specific target or targets where the related
vulnerability was present in your earlier active scan.

For more information, see Launch a Remediation Scan.

Add an Active Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about active scan options, see Active Scan Settings.

Before you begin:


l Confirm you are running Tenable Nessus 6.3.6 or later.

l Confirm you understand the complete scanning configuration process, as described in Active
Scans.

To add an active scan:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Active Scans.

The Active Scans page appears.

3. Click Add.

The Add Active Scan page appears.

4. Click General.

5. Type a Name for the scan.

6. (Optional) Type a Description for the scan.

7. Select a Policy for the scan.

8. (Optional) If you want to schedule the scan to run automatically, select a Schedule for the
scan.

9. Click Settings.

The Settings tab appears.

10. If prompted, select a preconfigured Scan Zone for the scan.

11. Select an Import Repository for the scan.

12. Select a Scan Timeout Action for the scan.

13. Select a Rollover Schedule for the scan.

14. Enable or disable the Advanced options.

15. Click Targets.

The Targets tab appears.

16. Select a Target Type for the scan.

17. Select one or more Assets and IPs / DNS Names for the scan.

18. (Optional) To configure credentialed scanning, do the following:

a. Click Credentials.

The Credentials tab appears.

b. Click Add Credential.

c. In the drop-down boxes, select a credential type and a preconfigured credential.

d. Click the check mark to save your selection.

19. (Optional) If you want to configure multiple credentials for the active scan, repeat step 18.

Note: When running an active scan, Tenable Security Center attempts authentication
using the newest credentials added by an Administrator user. If the newest Administrator-
added credentials do not match, Tenable Security Center attempts authentication with
older Administrator-added credentials.
Then, if no Administrator-added credentials match, Tenable Security Center attempts to
authenticate using the newest credentials added by an organizational user. If the newest
organizational user-added credentials do not match, Tenable Security Center attempts
authentication with older organizational user-added credentials.

If no credentials match, the scan runs without credentialed access.

20. (Optional) To configure post-scan options, do the following:

a. Click Post Scan.

The Post Scan tab appears.

b. To configure automatic report generation, click Add Report.

c. Select the report you want to run after the scan completes, as described in Add a Report
to a Scan.

21. Click Submit.

Tenable Security Center saves your configuration.

Configure vSphere Scanning

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can configure a scan policy to scan the following virtual environments:

l ESXi/vSphere that vCenter manages

l ESXi/vSphere that vCenter does not manage

l Virtual machines

Note: You must provide an IPv4 address when scanning an ESXi host. Otherwise, the scan fails.

Scanning ESXi/vSphere Not Managed by vCenter


To configure an ESXi/vSphere scan that vCenter does not manage:

1. Begin configuring a scan policy that supports credentialed access, as described in Add a Scan
Policy. For more information about authentication options in scan policies, see the
Authentication tab, which specifies authentication options during a scan.

2. In the left navigation menu, click Authentication.

The Authentication tab appears.

3. Click Add Authentication Settings.

The authentication options appear.

4. In the first Type drop-down box, select Miscellaneous.

5. In the second Type drop-down box, select VMware ESX SOAP API.

6. Click Select.

The VMware ESX SOAP API options appear. For more information, see VMware ESX SOAP API.

7. In the Username box, type the username associated with the local ESXi account.

8. In the Password box, type the password associated with the username you provided.

9. If your vCenter host includes an SSL certificate (not a self-signed certificate), disable the Do
not verify SSL Certificate toggle.

10. Click the button.

Tenable Security Center applies the VMware ESX SOAP API authentication options to the scan
policy.

What to do next:
l Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Scanning vCenter Managed ESXi/vSpheres


Note: The SOAP API requires a vCenter admin account with read and write permissions. The
REST API requires a vCenter admin account with read permissions, and a VMware vSphere Lifecycle
manager account with read permissions.

To configure an ESXi/vSphere scan managed by vCenter:

1. Begin configuring a scan policy that supports credentialed access, as described in Add a Scan
Policy. For more information about authentication options in scan policies, see the
Authentication tab, which specifies authentication options during a scan.

2. In the left navigation menu, click Authentication.

The Authentication tab appears.

3. Click Add Authentication Settings.

The authentication options appear.

4. In the first Type drop-down box, select Miscellaneous.

5. In the second Type drop-down box, select VMware vCenter SOAP API.

6. Click Select.

The VMware vCenter SOAP API options appear. For more information, see VMware vCenter
SOAP API.

7. In the vCenter Host box, type the IP address of the vCenter host.

8. In the vCenter Port box, type the port for the vCenter host.

9. In the Username box, type the username associated with the local vCenter account.

10. In the Password box, type the password associated with the username you provided.

11. If the vCenter host is not SSL enabled, disable the HTTPS toggle.

12. If your vCenter host includes an SSL certificate (not a self-signed certificate), enable the
Verify SSL Certificate toggle.

13. Click the button.

Tenable Security Center applies the VMware vCenter SOAP API authentication options to the
scan policy.

Note: When scanning vCenter-managed ESXis with API credentials, the Nessus Scan information
plugin always shows Credentialed Checks: No in the vCenter scan results. To verify that the
authentication was successful, check to see that the Nessus Scan Information plugin shows
Credentialed Checks: Yes in the scan results of the ESXis.

What to do next:
l Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Scanning Virtual Machines


You can scan virtual machines just like any other host on the network. Be sure to include the IP
addresses of virtual machines you want to scan in your scan targets. For more information, see Add
an Active Scan.

VMware vCenter Support Matrix


Feature                   Requires Authentication   Supported vCenter Version

Vulnerability Management  No                        7.x, 8.x

Auto Discovery            Yes                       7.0.3+, 8.x

Audit / Compliance        Yes                       6.x, 7.x, 8.x

VIB Enumeration           Yes                       7.0.3+, 8.x

Active / Inactive VMs     Yes                       7.0.3+, 8.x

Manage Active Scans

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about active scans, see Active Scans.

To manage active scans:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Active Scans.

The Active Scans page appears.

3. To filter the scans that appear on the page, apply a filter as described in Apply a Filter.

4. To start or pause a scan, see Start or Pause a Scan.

5. To suspend or resume a scheduled scan, see Suspend or Resume a Scheduled Active Scan.

6. To view details for a scan:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click View.

The View Active Scan page appears.

7. To edit a scan:

a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Edit.

The Edit Active Scan page appears.

c. Modify the scan options.

d. Click Submit.

Tenable Security Center saves your configuration.

8. To copy a scan:
a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Copy.

Tenable Security Center creates a copy of the scan.

To copy multiple scans:


a. In the table, select the check box for each scan you want to copy.

The available actions appear at the top of the table.

b. At the top of the table, click Copy.

A confirmation window appears.

c. Click Copy.

Tenable Security Center creates a copy of the scan.

9. To run a diagnostic scan, see Run a Diagnostic Scan.

10. To delete a scan:


a. In the table, right-click the row for the scan.

The actions menu appears.

b. Click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the scan.

To delete multiple scans:


a. In the table, select the check box for each scan you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the scans.

Start or Pause a Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To start or pause a scan or synchronization job:

1. Log in to Tenable Security Center.

2. Click one of the following:

l Scans > Active Scans (to manage active scans)

l Scans > Agent Synchronization Jobs (to manage agent synchronization jobs)

l Scans > Agent Scans (to manage agent scans)

Note: You cannot pause agent scans in Tenable Security Center.

l Scans > Scan Results (to manage a scan from the results page).

3. Do one of the following:

l To pause the scan or synchronization job, select the check box for the scan or
synchronization job, and click Pause at the top of the table.

l To start the scan or synchronization job, select the check box for the scan or
synchronization job, and click Launch at the top of the table.

Suspend or Resume a Scheduled Active Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you suspend a scheduled active scan, Tenable Security Center stops launching new scans for that
active scan configuration. Tenable Security Center does not disrupt scans already in progress or
prevent users from launching scans on demand.

If you resume a suspended active scan, Tenable Security Center resumes launching scans on the
schedule configured for that active scan.

For more information, see Active Scans.

Before you begin:


l Configure a scheduled active scan, as described in Add an Active Scan.

To suspend or resume a scheduled active scan:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Active Scans.

The Active Scans page appears.

3. Right-click the row for the scheduled scan you want to suspend or resume.

The actions menu appears.

-or-

Select the check box for the scheduled scan you want to suspend or resume.

The available actions appear at the top of the table.

4. Click Suspend Schedule or Resume Schedule.

The page updates to reflect the scan schedule status. When a scan is suspended, Tenable
Security Center displays a line through the Start Time and Schedule values.

Run a Diagnostic Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you experience issues with an active scan, Tenable Support may ask you to run a diagnostic scan
to assist with troubleshooting. After Tenable Security Center runs the diagnostic scan, download
the diagnostic file and send it to Tenable Support.

Before you begin:


l Add an active scan, as described in Add an Active Scan.

l Confirm the scanner associated with the active scan is running a supported version of
Tenable Nessus. For minimum Tenable Nessus scanner version requirements, see the Tenable
Security Center Release Notes for your version.

To run a diagnostic scan:

1. Click Scans > Active Scans.

2. Right-click the row for the scan where you want to run a diagnostic scan.

The actions menu appears.

-or-

Select the check box for the scan where you want to run a diagnostic scan.

The available actions appear at the top of the table.

3. Click Run Diagnostic Scan.

Note: You must resolve repository errors before running a diagnostic scan.

4. In the Diagnostic Target box, type a target as a single IPv4 address, IPv6 address, or
hostname. The target must also be specified in the active scan's Targets.

5. In the Diagnostic Password box, type a password to secure the diagnostic file.

6. Click Submit.

The diagnostic scan runs and finishes.

7. Click Scans > Scan Results.

8. Locate the diagnostic scan and confirm that the scan finished without errors.

9. Right-click the row for the diagnostic scan result.

The actions menu appears.

-or-

Select the check box for the diagnostic scan result.

The available actions appear at the top of the table.

10. Click Download Diagnostic Info.

The diagnostic scan file downloads.

Active Scan Settings


For more information, see Add an Active Scan.

l General Options

l Settings Options

l Targets Options — The Targets section identifies the devices Tenable Security Center scans.

l Credentials Options — The Credentials section allows users to select pre-configured credential sets for
authenticated scanning. For more information, see Credentials.

l Post Scan Options — These options determine what actions occur immediately before and after the active scan
completes.

General Options

Parameter Description

General

Name The scan name that is associated with the scan’s results and may be any
name or phrase (for example, SystemA, DMZ Scan, or Daily Scan of the Web
Farm).

Description Descriptive information related to the scan.

Policy The policy on which you want to base the scan. You can scroll through the
list, or search by entering text in the search box at the top of the list of
available policies.

Schedule

Schedule The frequency you want to run the scan.

l Now specifies that you want Tenable Security Center to launch the
scan immediately without saving the configuration for later.

Note: Scans configured to run Now do not appear on the Active Scans
page.

l Once specifies that you want Tenable Security Center to launch the
scan at the specified time without saving the configuration for later.

Note: Scans configured to run Once do not appear on the Active Scans
page.

l Daily, Weekly, or Monthly specifies that you want Tenable Security
Center to launch the scan at a scheduled interval.

Note: If you schedule your scan to repeat monthly, Tenable recommends
setting a start date no later than the 28th day. If you select a start date
that does not exist in some months (e.g., the 29th), Tenable Security
Center cannot run the scan on those days.

l On Demand specifies that you want to manually launch the scan at any
time.

l Dependent specifies that you want Tenable Security Center to launch
the scan every time Tenable Security Center finishes a scheduled run
of the dependent scan you select.

Settings Options

Parameter Description

Basic

Scan Zone Note: If your organization's Distribution Method setting is Locked Zone, you
cannot modify this setting. If your organization's Distribution Method setting
is Automatic Distribution Only, Tenable Security Center automatically
chooses one or more scan zones and hides this setting.

Specifies the scan zone you want to use to run the scan. Depending on
your organization's Distribution Method setting, you can select one of the
following:

l An available zone — use a single scan zone to run the scan.

Note: If you select a single scan zone, Tenable Security Center ignores
the ranges in the scan zone and scans all of the targets you specify in
the scan configuration.

l Automatic Distribution — allow Tenable Security Center to choose
the best scan zone to run the scan.

For more information, see Organizations and Scan Zones.

Import Repository Specifies the repository where Tenable Security Center imports the scan
results. Select an IPv4, IPv6, or Universal repository to receive IPv4 or IPv6
results appropriate to the scan.

Scan Timeout The action you want Tenable Security Center to perform in the event a
Action scan is incomplete:

l Import Completed Results With Rollover — (Default) The system
imports the results from the scan into the database and creates a
rollover scan that you can launch manually to complete the scan.

l Import Completed Results — The system imports the results of the
current scan and discards the information for the unscanned hosts.

l Discard Results — The system does not import any of the results
obtained by the scan to the database.

Rollover Schedule If you set the Scan Timeout Action to Import results with Rollover, this
option specifies how to handle the rollover scan. You can create the
rollover scan as a template to launch manually, or to launch the next day
at the same start time as the just-completed scan.

Advanced

Scan Virtual Specifies whether the system treats a new DNS entry for an IP address
Hosts as a virtual host as opposed to a DNS name update.

When Tenable Security Center finds a new DNS name for an IP address:

l If Scan Virtual Hosts is enabled, vulnerability data for the two DNS
names appears as two entries with the same IP address in the IP
Summary analysis tool.

l If Scan Virtual Hosts is disabled, vulnerability data for the two DNS
names merge into a single IP address entry in the IP Summary
analysis tool.

If you import scan results from a Universal repository, this option does
not appear. Universal repositories treat hosts with the same IP address
but unique FQDNs as different hosts. For more information, see Universal
Repositories.

Track hosts which have been issued new IP address
This option uses the DNS name, NetBIOS name, Agent ID, and MAC address (if known),
in that order, to track a host when its IP address changes. Once Tenable Security
Center finds a match, Tenable Security Center does not search further for matches.

For example, if Tenable Security Center does not match a DNS name, but
it does match a NetBIOS name, the system does not check the MAC
address. Networks using DHCP require that you set this option to
properly track hosts.

If you import scan results from a Universal repository, this option does
not appear. Universal repositories do not rely on IP addresses to track
hosts. For more information, see Universal Repositories.

Immediately remove vulnerabilities from scanned hosts that do not reply
If a previously responsive host does not reply to a scan, Tenable Security
Center removes the host's vulnerabilities from the cumulative database.
If the host has vulnerabilities in the mitigated database, they remain in
the mitigated database.

l If you enable this option, the system removes the vulnerabilities
immediately after the scan completes.

l If you disable this option, the system removes the vulnerabilities
according to the interval set in the Number of days to wait before
removing dead hosts option.

Number of days to wait before removing dead hosts
If you disable Immediately remove vulnerabilities from scanned hosts
that do not reply, this value specifies how many days the system waits to
remove vulnerabilities.

Max scan duration (hours)
Specifies the maximum number of hours you want a scan to run.

If a scan reaches this threshold, Tenable Security Center automatically
creates a rollover scan that you can launch manually to complete the
scan. Tenable Security Center creates a rollover scan regardless of your
Scan Timeout Action setting.

Inactivity timeout duration (hours)
This setting specifies the maximum number of hours a scan will wait for
a plugin to run before switching to a different scanner. The default value
is 12 hours. You can specify a value from 1 to 120 hours.

The value for Inactivity timeout duration must be less than the value for
Max scan duration.
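The Track hosts and Scan Virtual Hosts options above describe a matching order and a merge rule. The following is an added illustration of that documented behaviour, not Tenable's code: the HostRecord fields, the in-memory inventory list and the sample hosts are assumptions constructed for the example.

```python
"""Model of the Track hosts and Scan Virtual Hosts behaviour described above.

Added illustration, not Tenable code: HostRecord, the inventory list and the
sample hosts in main() are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identity attributes checked in the documented order; the first one that
# matches a known host wins and the remaining attributes are not consulted.
TRACK_ORDER = ("dns_name", "netbios_name", "agent_id", "mac")


@dataclass
class HostRecord:
    ip: str
    dns_name: Optional[str] = None
    netbios_name: Optional[str] = None
    agent_id: Optional[str] = None
    mac: Optional[str] = None


def find_tracked_host(inventory: List[HostRecord],
                      scanned: HostRecord) -> Tuple[Optional[HostRecord], Optional[str]]:
    """Return (matching record, attribute that matched) or (None, None).

    Attributes are tried in TRACK_ORDER; an attribute the scanned host does
    not report is skipped, and the search stops at the first match, so a
    NetBIOS match is accepted even when the MAC address differs.
    """
    for attr in TRACK_ORDER:
        value = getattr(scanned, attr)
        if value is None:
            continue
        for record in inventory:
            if getattr(record, attr) == value:
                return record, attr
    return None, None


def reconcile(inventory: List[HostRecord], scanned: HostRecord,
              track_hosts: bool = True, scan_virtual_hosts: bool = False) -> str:
    """Merge one scanned host into the inventory and describe what happened.

    Returns 'readdressed:<attr>', 'virtual-host', 'dns-updated', 'unchanged'
    or 'new'.
    """
    # Track hosts: a known identity seen at a new IP address keeps its entry,
    # which is what lets DHCP clients be followed across lease changes.
    if track_hosts:
        record, attr = find_tracked_host(inventory, scanned)
        if record is not None and record.ip != scanned.ip:
            record.ip = scanned.ip
            return f"readdressed:{attr}"

    same_ip = [r for r in inventory if r.ip == scanned.ip]
    if not same_ip:
        inventory.append(scanned)
        return "new"

    # A new DNS name for an IP address already in the repository becomes a
    # second entry (virtual host) or a DNS name update of the existing entry.
    existing = same_ip[0]
    if scanned.dns_name and existing.dns_name and scanned.dns_name != existing.dns_name:
        if any(r.dns_name == scanned.dns_name for r in same_ip):
            return "unchanged"  # that virtual host entry already exists
        if scan_virtual_hosts:
            inventory.append(scanned)
            return "virtual-host"
        existing.dns_name = scanned.dns_name
        return "dns-updated"
    return "unchanged"


def main() -> None:
    # Constructed sample: a host that moved to a new DHCP address, reported
    # without a DNS name but with its NetBIOS name and a changed MAC.
    inventory = [HostRecord("10.0.0.5", dns_name="web01.example.test",
                            netbios_name="WEB01", mac="00:11:22:33:44:55")]
    moved = HostRecord("10.0.0.9", netbios_name="WEB01", mac="66:77:88:99:aa:bb")
    print(reconcile(inventory, moved), inventory[0].ip)   # readdressed:netbios_name 10.0.0.9
    alias = HostRecord("10.0.0.9", dns_name="shop.example.test")
    print(reconcile(inventory, alias, scan_virtual_hosts=True), len(inventory))  # virtual-host 2


if __name__ == "__main__":
    main()
```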

Targets Options

The Targets section identifies the devices Tenable Security Center scans.

Option Description

Target Type Specifies the target type for the scan:

l Assets — Scan one or more assets. For more information, see Assets.

l IP / DNS Name — Scan one or more IP addresses or DNS names.

l Mixed — Scan a combination of asset lists, IP addresses, and DNS
names.

Assets (Available if Target Type is Assets or Mixed) The list of assets to scan. Click
to select or deselect the assets you want to scan.

IPs / DNS Names (Available if Target Type is IP / DNS Name or Mixed) The IP addresses or
DNS names you want to scan.

Specify IP addresses and DNS names using the following valid formats:

l A single IPv4 address (for example, 192.0.2.202)

l A single IPv6 address (for example,
2001:db8:d54e:cca6:4109:ac02:2fbe:134e)

l An IP address range in dot-decimal or CIDR notation (for example,
192.0.2.0-192.0.2.255 or 192.0.2.0/24)

l A resolvable hostname (for example, www.yourdomain.com)

Note: You cannot scan both IPv4 and IPv6 addresses in the same scan, because
you can only select one Import Repository.
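The target formats listed above, and the rule that one scan cannot mix IPv4 and IPv6 targets, can be checked before a target list is pasted into a scan. The following validator is an added example, not Tenable code; it also applies the Run a Diagnostic Scan rule that a Diagnostic Target is a single address or hostname, checks hostnames for syntax only (nothing is resolved), and the function names are assumptions.

```python
"""Validator for the target formats accepted in the IPs / DNS Names box.

Added example, not Tenable code. Accepts the documented forms (single IPv4,
single IPv6, dot-decimal range, CIDR block, hostname), rejects a list that
mixes IPv4 and IPv6 targets, and checks the single-host rule for a
Diagnostic Target. Hostnames are syntax-checked only, so this runs offline.
"""
import ipaddress
import re
from typing import Dict, List

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _looks_like_hostname(text: str) -> bool:
    labels = text.rstrip(".").split(".")
    if not text or len(text) > 253 or all(label.isdigit() for label in labels):
        return False  # all-numeric names are malformed IPv4 addresses, not hostnames
    return all(_LABEL.match(label) for label in labels)


def classify_target(text: str):
    """Return (kind, family, networks) for one target string.

    kind is 'ipv4', 'ipv6', 'range', 'cidr' or 'hostname'; family is 4, 6 or
    None for hostnames; networks is the list of ipaddress networks covering
    the target (empty for hostnames). Raises ValueError for anything else.
    """
    t = text.strip()
    # Single address, e.g. 192.0.2.202 or 2001:db8:d54e:cca6:4109:ac02:2fbe:134e
    try:
        addr = ipaddress.ip_address(t)
        return f"ipv{addr.version}", addr.version, [ipaddress.ip_network(str(addr))]
    except ValueError:
        pass
    # CIDR block, e.g. 192.0.2.0/24 (host bits are tolerated, as in 192.0.2.7/24)
    if "/" in t:
        net = ipaddress.ip_network(t, strict=False)
        return "cidr", net.version, [net]
    # Dot-decimal range, e.g. 192.0.2.0-192.0.2.255
    if "-" in t:
        first, _, last = t.partition("-")
        try:
            start = ipaddress.ip_address(first.strip())
            end = ipaddress.ip_address(last.strip())
        except ValueError:
            start = end = None  # a hostname such as web-1.example.test lands here
        if start is not None:
            if start.version != end.version or end < start:
                raise ValueError(f"invalid address range: {text!r}")
            return "range", start.version, list(ipaddress.summarize_address_range(start, end))
    # Anything else must look like a resolvable hostname, e.g. www.yourdomain.com
    if _looks_like_hostname(t):
        return "hostname", None, []
    raise ValueError(f"unsupported target format: {text!r}")


def validate_targets(targets: List[str]) -> Dict[str, object]:
    """Classify a target list and enforce the one-Import-Repository rule.

    Returns {'family': 4 | 6 | None, 'address_count': int, 'targets': [...]}
    and raises ValueError if IPv4 and IPv6 targets are mixed in one scan.
    """
    families, parsed, count = set(), [], 0
    for raw in targets:
        kind, family, nets = classify_target(raw)
        parsed.append((raw.strip(), kind, family))
        if family is not None:
            families.add(family)
        count += sum(n.num_addresses for n in nets)
    if families == {4, 6}:
        raise ValueError("IPv4 and IPv6 targets cannot share one scan: "
                         "only one Import Repository can be selected")
    return {"family": families.pop() if families else None,
            "address_count": count, "targets": parsed}


def is_diagnostic_target(text: str) -> bool:
    """A Diagnostic Target must be a single IPv4 address, IPv6 address or hostname."""
    try:
        kind, _, _ = classify_target(text)
    except ValueError:
        return False
    return kind in ("ipv4", "ipv6", "hostname")


if __name__ == "__main__":
    # Constructed sample target list using the documentation's example values.
    print(validate_targets(["192.0.2.202", "192.0.2.0-192.0.2.255", "www.yourdomain.com"]))
```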

Credentials Options

The Credentials section allows users to select pre-configured credential sets for authenticated
scanning. For more information, see Credentials.

Tenable Security Center active scans support the following credential types:

l Windows Credentials

l SSH Credentials

l SNMP Credentials

l Database Credentials

l API Gateway Credentials

l Miscellaneous Credentials

Post Scan Options

These options determine what actions occur immediately before and after the active scan
completes.

Option Description

Reports to Run on Scan Completion

Add This option provides a list of reports available to the user to run when the scan
Report completes. For more information, see Add a Report to a Scan.

Launch a Remediation Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can run a remediation scan to run a follow-up active scan against existing active scan results. A
remediation scan evaluates a specific plugin against a specific target or targets where the related
vulnerability was present in your earlier active scan.

Remediation scans allow you to validate whether your vulnerability remediation actions on the
targets have been successful. If a remediation scan cannot identify a vulnerability on targets where
it was previously identified, the system changes the status of the vulnerability to mitigated. For
more information, see Cumulative vs. Mitigated Vulnerabilities.

Note the following:

l You can perform remediation scans only for active scan results.

l You cannot perform remediation scans for agent repository scan results.

l You cannot perform remediation scans for Tenable OT Security scan results.

l If the selected plugin requires dependent plugins, the system automatically includes those
plugins in the remediation scan.

l Remediation scans only evaluate plugins against the port you specify. Keep this in mind when
launching a remediation scan for a plugin that typically targets multiple ports.

l Remediation scans work best for un-credentialed network scan results. Use caution when
running a remediation scan for a plugin that requires scan credentials. If you neglect to add
scan credentials when required for a specific plugin, or if you mis-enter the credentials, the
system may identify the related vulnerabilities as mitigated, not because they are mitigated,
but because the system could not complete the credentialed scan.

To launch a remediation scan:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the analysis tools drop-down box, select Vulnerability Summary.

The page refreshes to show the analysis tool view you selected.

4. Right-click the row for the vulnerability for which you want to launch a remediation scan and
click Launch Remediation Scan.

The Launch Remediation Scan page appears.

Note: A remediation scan inherits certain settings from the vulnerability or vulnerability
instance you selected. The Launch Remediation Scan page:
l Automatically populates the relevant plugin information.
l Provides an editable scan name in the format "Remediation Scan of Plugin #
number".
l Populates the target IP address based on the asset where the previous scan
identified the vulnerability.

5. Configure the settings for the scan, as described in Active Scan Settings.

Note: You do not need to associate the remediation scan with a scan policy.

Note: You cannot schedule a remediation scan. The scan launches as soon as you submit it.

6. Click Submit.

Tenable Security Center launches the remediation scan.

Attack Surface Domain Discovery


On the Attack Surface Domain Discovery page, you can manage your domains. When you add a
domain, Tenable Security Center identifies internet-accessible assets associated with the domain
that may not otherwise be visible to your organization. Tenable Security Center uses DNS records,
IP addresses, and Autonomous System Numbers (ASN) to identify assets.

To view a list of assets identified on your domain, see the Domain Inventory Assets page.

For more information about domain inventory assets, see:

l View Domain Inventory Assets

l Export Domain Inventory Assets

To view your domains:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Scans > Attack Surface Domain Discovery.

The Attack Surface Domain Discovery page appears.

3. (Optional) Add your organization's domain to begin identifying assets.

4. Click Submit.

Tenable Security Center saves your configuration.

Add a Domain

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Note: You can add a maximum of two domains across your system.

When you add a domain, Tenable Security Center identifies internet-accessible assets associated
with the domain. For more information, see Attack Surface Domain Discovery.

To add a domain:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Scans > Attack Surface Domain Discovery.

The Attack Surface Domain Discovery page appears.

3. At the top of the table, click Add.

The Add Domain panel appears.

4. In the Add a Domain to Your Inventory box, type your organization's domain.

5. Click Submit.

Tenable Security Center saves your configuration.

What to do next:

l View the assets associated with your domain, as described in View Domain Inventory Assets.

l Export a CSV file of the assets associated with your domain, as described in Export Domain
Inventory Assets.

View Domain Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about domains, see Attack Surface Domain Discovery.

To view domain details:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Scans > Attack Surface Domain Discovery.

The Attack Surface Domain Discovery page appears.

3. In the table, select the domain you want to view.

The View Domain panel appears, with details about the domain:

l Domain Name — The name of the domain.

l Created Time — When the domain was added to Tenable Security Center.

l Last Refresh — The last time the list of domain assets was updated.

4. (Optional) Delete the domain.

Delete a Domain

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about domains, see Attack Surface Domain Discovery.

To delete a domain:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Scans > Attack Surface Domain Discovery.

The Attack Surface Domain Discovery page appears.

3. In the table, select the domain you want to delete.

The View Domain panel appears.

4. Click Delete Domain.

A dialog box appears, confirming your selection to delete the domain.

5. Click Delete.

The domain and related domain inventory assets are deleted.

Active Scan Objects


Complete Tenable Security Center scan configurations rely on the following scan objects. For
information about active scans, see Active Scans.

Scan Object Description

assets Assets are lists of devices (for example, laptops, servers, tablets, or phones)
within a Tenable Security Center organization. You can share assets with one
or more users based on local security policy requirements.

You can add an asset to group devices that share common attributes. Then,
you can use the asset during scan configuration to target the devices in the
asset.

For more information, see Assets.

credentials Credentials are reusable objects that facilitate a login to a scan target. You
can configure various types of credentials with different authentication
methods for use within scan policies. You can also share credentials
between users for scanning purposes.

Tenable Security Center supports an unlimited number of SSH, Windows, and
database credentials, and four SNMP credential sets per scan configuration.

For more information, see Credentials.

audit files During a configuration audit, auditors verify that your server and device
configurations meet an established standard and that you maintain them
with an appropriate procedure. Tenable Security Center can perform
configuration audits on key assets by using local Tenable Nessus checks that
can log directly on to a Unix or Windows server without an agent.

Tenable Security Center supports several audit standards. Some of these
come from best practice centers like the PCI Security Standards Council and
the Center for Internet Security (CIS). Some of these are based on Tenable’s
interpretation of audit requirements to comply with specific industry
standards such as PCI DSS or legislation such as Sarbanes-Oxley.

In addition to base audits, you can create customized audits for the
particular requirements of any organization. You can upload customized
audits into Tenable Security Center and make them available to anyone
performing configuration audits within an organization.

You can upload and use NIST SCAP files in the same manner as an audit file.
Navigate to NIST’s SCAP website (http://scap.nist.gov) and under the SCAP
Content section, download the desired SCAP security checklist zip file. You
can then upload the file to Tenable Security Center and select it for use in
Tenable Nessus scan jobs.

Once you configure audit scan policies in Tenable Security Center, you can
use them as needed. Tenable Security Center can also perform audits
intended for specific assets. A Tenable Security Center user can use audit
policies and asset lists to determine the compliance posture of any specified
asset.

For more information, see Audit Files.

scan zones Scan zones represent areas of your network that you want to target in an
active scan, associating an IP address or range of IP addresses with one or
more scanners in your deployment. Scan zones define the IP address ranges
associated with the scanner along with organizational access.

For more information, see Scan Zones.

scan policies Scan policies contain options related to performing an active scan. For
example:

- 348 -
l Options that control technical aspects of the scan such as timeouts,
number of hosts, type of port scanner, and more.

l Options that provide plugin family-based or individual plugin-based


scan specifications.

l Options that control compliance policy checks (Windows, Linux,


Database, etc.), report verbosity, service detection scan settings, audit
files, patch management systems, and more.

For more information, see Scan Policies.

Assets
Tenable Security Center assets are lists of devices (for example, laptops, servers, tablets, or
phones) within a Tenable Security Center organization. Assets can be shared with one or more
users based on local security policy requirements.

You can add an asset to group devices that share common attributes. Then, you can use the asset
during scan configuration to target the devices in the asset. Examples of common attributes
include:

• IP address ranges

• hardware types

• vulnerabilities

• outdated software versions

• operating systems

Tenable Security Center supports template-based and custom assets. For more information, see
Add a Template-Based Asset and Add a Custom Asset. To view details for any of your assets, see
View Asset Details.

To view details about individual hosts that appear in your assets, see View Hosts and View Host
Details.

Template-Based Assets

Tenable provides asset templates that you can customize for your environment. Tenable-provided
asset templates are updated via the Tenable Security Center feed and visible depending on other
configurations.

Custom Assets
Tenable Security Center supports the following custom assets types: Static Assets, DNS Name List
Assets, LDAP Query Assets, Combination Assets, Dynamic Assets, Watchlist Assets, and Import
Assets.

Static Assets
Static assets are lists of IP addresses. You can use static assets immediately after configuration.

For example, if your organization assigns laptops within a defined IP address range, you can create
a custom static asset for laptops using that IP address range.

Option Description

Name: A name for the asset.

Description: A description for the asset.

Tag: A tag for the asset. For more information, see Tags.

IP Addresses: IP addresses to include within the asset (50,000 character limit).

• Type a comma-separated list of IP addresses, CIDR addresses, or ranges.

• Upload a .txt file containing a comma-separated list of IP addresses, CIDR addresses, or ranges.

DNS Name List Assets

Option Description

Name A name for the asset.

Description A description for the asset.

DNS Names The DNS hostnames for the asset to be based on.

LDAP Query Assets
The LDAP query asset type appears if your organization includes a configured LDAP server.

Option Description

Name: A name for the asset.

Description: A description for the asset.

LDAP Server: The LDAP server where you want to perform the query.

Note: If the LDAP server uses a different DNS server than Tenable Security Center, Tenable Security Center cannot resolve hostnames retrieved from the LDAP server.

Note: Tenable Security Center cannot retrieve more than one page of LDAP results. If Tenable Security Center asset or user authentication queries are not retrieving all expected results, consider modifying your LDAP pagination control settings to increase the results per page.

Search Base: The LDAP search base used as the starting point to search for specific LDAP data.

Search String: Modify this string to create a search based on a location or filter other than the default search base or attribute.

Generate Preview: Click to display a preview query in the Results Preview section. The preview lists the LDAP data that matches the defined search string.

Combination Assets
Combination assets allow you to create an asset based on existing assets and the AND, OR, and
NOT operators.

Combination assets can include agent IDs if the asset contains exclusively dynamic assets. You may
experience unexpected asset behavior if your combination asset contains other asset types and
interacts with agent repository data.

Option Description

Name: A name for the asset.

Description: A description for the asset.

Combination: This option accepts multiple existing assets utilizing the operators AND, OR, and NOT. You can use these operators and multiple existing assets to create new unique assets. If the source assets change, the Combination asset updates to match the new conditions.

To configure the query:

1. Click inside the Combination box.

A list of assets appears.

2. Click one of the options in the list to select it.

3. Press Space.

4. Continue selecting options and pressing space to describe the combination asset you want to configure.

Tip: A red border around a combination option indicates there is a problem in the query logic.
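The following is an added example, not Tenable code, of how the sequence of options clicked into the Combination box resolves to a host set, and how a logic problem (the red border) can be located. It assumes that NOT binds tighter than AND, AND tighter than OR, that parentheses group, and that NOT is taken relative to every host the repositories know (passed in as known_hosts); the guide only lists the operators, so these are assumptions.

```python
"""Combination asset evaluation: existing asset names joined with AND, OR
and NOT, as clicked into the Combination box.  Added example, not Tenable
code.  Assumed precedence: NOT, then AND, then OR; parentheses group; NOT is
the complement within `known_hosts`."""
from typing import Dict, List, Optional, Set

OPERATORS = {"AND", "OR", "NOT", "(", ")"}


class CombinationError(ValueError):
    """Invalid query logic; `position` is the index of the offending token
    (the option the UI would outline with a red border)."""

    def __init__(self, message: str, position: int):
        super().__init__(f"{message} (token {position})")
        self.position = position


class _Parser:
    """Recursive-descent parser over the token list, yielding host sets."""

    def __init__(self, tokens: List[str], assets: Dict[str, Set[str]], known_hosts: Set[str]):
        self.tokens, self.assets, self.known, self.pos = tokens, assets, known_hosts, 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[str]:
        token = self.peek()
        self.pos += 1
        return token

    def parse_or(self) -> Set[str]:
        result = self.parse_and()
        while self.peek() == "OR":
            self.take()
            result = result | self.parse_and()
        return result

    def parse_and(self) -> Set[str]:
        result = self.parse_not()
        while self.peek() == "AND":
            self.take()
            result = result & self.parse_not()
        return result

    def parse_not(self) -> Set[str]:
        if self.peek() == "NOT":
            self.take()
            return self.known - self.parse_not()  # complement within known hosts
        return self.parse_atom()

    def parse_atom(self) -> Set[str]:
        token = self.take()
        if token == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise CombinationError("missing ')'", self.pos - 1)
            return inner
        if token is None or token in OPERATORS:
            raise CombinationError(f"expected an asset name, got {token!r}", self.pos - 1)
        if token not in self.assets:
            raise CombinationError(f"unknown asset {token!r}", self.pos - 1)
        return set(self.assets[token])


def evaluate_combination(tokens: List[str], assets: Dict[str, Set[str]], known_hosts: Set[str]) -> Set[str]:
    """Resolve the combination to the hosts it currently matches."""
    parser = _Parser(tokens, assets, known_hosts)
    result = parser.parse_or()
    if parser.peek() is not None:  # trailing tokens the grammar could not consume
        raise CombinationError(f"unexpected {parser.peek()!r}", parser.pos)
    return result


def first_invalid_token(tokens: List[str], assets: Dict[str, Set[str]]) -> int:
    """Index of the first token with a logic problem, or -1 if the query is well formed."""
    try:
        evaluate_combination(tokens, assets, set())
        return -1
    except CombinationError as err:
        return err.position


# Constructed sample source assets (IPs are made up).  Because a combination
# is re-evaluated on demand, it follows any change to these source assets.
ASSETS = {
    "Linux Hosts": {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
    "Web Servers": {"10.0.0.6", "10.0.0.9"},
    "Lab Network": {"10.0.0.7"},
}
KNOWN_HOSTS = set().union(*ASSETS.values()) | {"10.0.0.1"}

if __name__ == "__main__":
    print(sorted(evaluate_combination(["Linux Hosts", "AND", "NOT", "Lab Network"], ASSETS, KNOWN_HOSTS)))
    print(first_invalid_token(["Linux Hosts", "AND", "AND", "Web Servers"], ASSETS))
```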

Dynamic Assets
Dynamic assets are flexible groups of condition statements that Tenable Security Center uses to
retrieve a list of devices meeting the conditions. Tenable Security Center refreshes dynamic asset
lists using the results from Tenable Security Center scans. You cannot use dynamic assets until
after Tenable Security Center performs an initial discovery scan and retrieves a list of devices.

Note: If a dependent scan uses a dynamic asset list, the asset list will update before the scan runs.

Dynamic assets can include agent IDs.

For example, a dynamic asset can retrieve a list of Linux systems listening on TCP Port 80. For more information about using dynamic asset conditions, see Dynamic Assets.

Option Description

Name: A name for the asset.

Description: A description for the asset.

Asset Definition: Defines the rules for creating a dynamic asset list. Hover over an existing rule to display the options to add, edit, or delete a group or a rule.

Dynamic Asset Rule Logic

Valid Operators Effect

Plugin ID

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

is less than: Value must be less than the value specified.

is greater than: Value must be greater than the value specified.

Plugin Text

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

contains the pattern: Value must contain the text specified (for example, ABCDEF contains ABC).

Posix regex: Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/).

Perl compatible regex: Any valid Perl compatible regex pattern.

Operating System

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

contains the pattern: Value must contain the text specified (for example, ABCDEF contains ABC).

Posix regex: Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/).

Perl compatible regex: Any valid Perl compatible regex pattern.

IP Address

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

contains the pattern: Value must contain the text specified (for example, 1.2.3.124 contains 124).

Posix regex: Any valid Posix regex pattern contained within “/” and “/” (for example, /.*ABC.*/).

Perl compatible regex: Any valid Perl compatible regex pattern.

Port, TCP Port, UDP Port

is equal to: Value must be equal to value specified.

not equal to: Value must be not equal to value specified.

is less than: Value is less than value specified.

is greater than: Value is greater than the value specified.

Days Since Discovery, Days Since Observation

is equal to: Value must be equal to value specified (maximum 365).

not equal to: Value must be not equal to value specified (maximum 365).

is less than: Value is less than value specified (maximum 365).

is greater than: Value is greater than the value specified (maximum 365).

where Plugin ID is: Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055).

Severity

is equal to: Value must be equal to value specified: Info, Low, Medium, High, or Critical.

not equal to: Value must be not equal to value specified: Info, Low, Medium, High, or Critical.

is less than: Value must be less than the value specified: Info, Low, Medium, High, or Critical.

is greater than: Value must be greater than the value specified: Info, Low, Medium, High, or Critical.

where Plugin ID is: Any valid plugin ID number. You can enter multiple plugin IDs using a range or comma-separated plugin IDs (for example, 3, 10189, 34598, 50000-55000, 800001-800055).

Exploit Available

Is: Click True or False in the drop-down box.

Exploit Frameworks

is equal to: Value must be equal to value specified.

is not equal to: Value must not be equal to value specified.

contains the pattern: Value must contain the pattern entered.

XRef

Value must be in the XRef option.
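The following is an added example, not Tenable code, that evaluates rules written with the operators in the table above (equality and ordering, contains the pattern, a Posix regex that must be enclosed in "/", the 365-day cap, ordered severities, and a "where Plugin ID is" scope) against constructed scan results. The host/finding data model, the sample hosts, and the use of Python's re module as a stand-in for POSIX and Perl regex engines are assumptions.

```python
"""Evaluator for the dynamic asset rule logic: each rule names a field, an
operator and a value (optionally scoped with 'where Plugin ID is'); a host
matches when all, or any, of the rules match.  Added example, not Tenable code."""
import operator as ops
import re
from typing import Any, Dict, List, Set

# Ordered as the guide lists them, so 'is greater than Medium' means High or Critical.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
MAX_DAYS = 365  # the guide caps Days Since Discovery/Observation at 365
SIMPLE_OPS = {"is equal to": ops.eq, "Is": ops.eq, "not equal to": ops.ne,
              "is not equal to": ops.ne, "is less than": ops.lt, "is greater than": ops.gt}
# Assumed data model: fields with one value per host versus fields read from each finding.
HOST_FIELDS = {"Operating System": "os", "IP Address": "ip", "DNS": "dns"}
FINDING_FIELDS = {"Plugin ID": "plugin_id", "Plugin Text": "text", "TCP Port": "port",
                  "Severity": "severity", "Exploit Available": "exploit_available",
                  "Days Since Observation": "days"}


def parse_plugin_ids(spec: str) -> Set[int]:
    """'3, 10189, 50000-55000' -> the set of plugin IDs a rule is scoped to."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        elif part:
            ids.add(int(part))
    return ids


def compare(actual: Any, op: str, expected: Any) -> bool:
    """Apply one operator from the rule-logic table to a single value."""
    if op in SIMPLE_OPS:
        return SIMPLE_OPS[op](actual, expected)
    if op == "contains the pattern":
        return str(expected) in str(actual)
    if op == "posix regex":  # the table requires the pattern to be written as /pattern/
        if len(expected) < 2 or expected[0] != "/" or expected[-1] != "/":
            raise ValueError(f"posix regex must be enclosed in '/': {expected!r}")
        return re.search(expected[1:-1], str(actual)) is not None  # Python re stands in for POSIX
    if op == "perl compatible regex":
        return re.search(expected, str(actual)) is not None
    raise ValueError(f"unknown operator {op!r}")


def rule_matches(host: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """True when the host, or any of its in-scope findings, satisfies the rule."""
    field, op, expected = rule["field"], rule["operator"], rule["value"]
    if field in HOST_FIELDS:
        return compare(host[HOST_FIELDS[field]], op, expected)
    key = FINDING_FIELDS[field]
    scope = parse_plugin_ids(rule["plugin_ids"]) if rule.get("plugin_ids") else None
    if field == "Severity":
        expected = SEVERITY_RANK[expected]
    elif field.startswith("Days Since") and not 0 <= expected <= MAX_DAYS:
        raise ValueError(f"{field} must be between 0 and {MAX_DAYS}")
    for finding in host["findings"]:
        if scope is not None and finding["plugin_id"] not in scope:
            continue
        actual = SEVERITY_RANK[finding[key]] if field == "Severity" else finding[key]
        if compare(actual, op, expected):
            return True
    return False


def evaluate_dynamic_asset(definition: Dict[str, Any], hosts: List[Dict[str, Any]]) -> List[str]:
    """Sorted IPs of the hosts matching all ('all') or any ('any') of the rules."""
    combine = all if definition.get("match", "all") == "all" else any
    return sorted(h["ip"] for h in hosts if combine(rule_matches(h, r) for r in definition["rules"]))


# Constructed sample scan results (IPs, hostnames, plugin IDs and text are made up).
HOSTS = [
    {"ip": "10.0.0.5", "os": "Linux Kernel 5.15 on Ubuntu 22.04", "dns": "web1.example.test",
     "findings": [{"plugin_id": 10189, "port": 80, "severity": "Info", "text": "Port 80/tcp is open",
                   "exploit_available": False, "days": 3},
                  {"plugin_id": 34598, "port": 443, "severity": "Medium", "text": "Certificate not trusted",
                   "exploit_available": False, "days": 3}]},
    {"ip": "10.0.0.6", "os": "Linux Kernel 3.10 on CentOS 7", "dns": "db1.example.test",
     "findings": [{"plugin_id": 800010, "port": 3306, "severity": "Critical", "text": "Outdated database",
                   "exploit_available": False, "days": 45}]},
    {"ip": "10.0.0.7", "os": "Microsoft Windows Server 2019", "dns": "win1.example.test",
     "findings": [{"plugin_id": 10189, "port": 80, "severity": "Info", "text": "Port 80/tcp is open",
                   "exploit_available": False, "days": 1},
                  {"plugin_id": 52000, "port": 445, "severity": "High", "text": "SMB signing not required",
                   "exploit_available": True, "days": 1}]},
]
# The guide's own example: Linux systems listening on TCP port 80.
LINUX_WEB = {"match": "all", "rules": [
    {"field": "Operating System", "operator": "posix regex", "value": "/.*Linux.*/"},
    {"field": "TCP Port", "operator": "is equal to", "value": 80}]}
# Exploitable High or Critical findings, scoped to the plugin ID ranges from the table.
EXPLOITABLE = {"match": "all", "rules": [
    {"field": "Severity", "operator": "is greater than", "value": "Medium",
     "plugin_ids": "50000-55000, 800001-800055"},
    {"field": "Exploit Available", "operator": "Is", "value": True}]}
```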

Watchlist Assets
You can use a watchlist asset to maintain lists of IPs that are not in the user’s managed range of IP addresses. You can filter for IPs from a watchlist regardless of your IP address range configuration to help analyze event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, you could add it to a Malicious IPs watchlist and add that watchlist to a custom query.

Note: Watchlists only use event data to create the asset list.

Option Description

Name: A name for the asset.

Description: A description for the asset.

IP Addresses: IP addresses to include within the asset list (20,000 character limit). You can enter one address, CIDR address, or range per line.

Click Choose File to import a list of IP addresses from a saved file.

Import Assets

Option Description

Name: The asset name.

Asset: Click Choose File to choose the asset that was previously exported for import into Tenable Security Center.

Add a Template-Based Asset

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For information, see Assets.

To add an asset from a Tenable-provided template:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Assets > Assets.

The Assets page appears.

3. Click Add.

The Asset Templates page appears.

4. (Optional) If you want to search for a specific asset template, type a search phrase in the
Search Templates box.

5. In the Common section, click a template type.

The Add Asset Template page for the template type appears.

6. View the available templates.

• The four-square icon on the left side indicates a collection of several assets.

• The data icons on the right side indicate the data required to build the asset. The Tenable Nessus Network Monitor (PVS), Log Correlation Engine, and NS icons indicate you must have Tenable Nessus Network Monitor, Log Correlation Engine, or Tenable Nessus data. The key icon indicates you must have credentials for the device. The notepad icon indicates you must have compliance data.

7. (Optional) If you want to search for a specific asset template, type a search phrase in the
Search Templates box or select a category from the All drop-down box.

8. Click the row for the template you want to use.

The detail page for the template type appears.

9. Click Add.

The Assets page appears.

10. Click the row for the asset you just added.

The Edit page appears.

11. View the details for the asset.

12. (Optional) If necessary, edit the asset to customize it for your environment. For more
information about asset options, see Assets.

13. Click Submit.

Tenable Security Center saves your configuration.

Add a Custom Asset

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For information, see Assets.

To add a custom asset:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Assets > Assets.

The Assets page appears.

3. At the top of the table, click Add.

The Asset Templates page appears.

4. In the Other section, click an asset type.

The Add Assets page for the asset type appears.

5. Configure the required options for the asset type, as described in Assets.

6. Click Submit.

Tenable Security Center saves your configuration.

View Asset Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view details for any asset. For more information, see Assets.

To view asset details:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Assets > Assets.

The Assets page appears.

3. Right-click the row for the asset you want to view.

The actions menu appears.

-or-

Select the check box for the asset you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Asset page appears.

Section Action

General: View general information for the asset.

• Name — The asset name.

• Description — The asset description.

• Tag — The tag applied to the asset. For more information, see Tags.

• IP Addresses (static assets only) — The IP addresses specified in the asset. For more information, see Assets.

• Created — The date the asset was created.

• Last Modified — The date the asset was last modified.

• Owner — The username for the user who created the asset.

• Group — The group in which the asset belongs.

• ID — The asset ID.

Tenable Synchronization Data: View synchronization summary data:

• Status — The status of the asset in Tenable Lumin synchronization:

  • Finished — The most recent synchronization that included this asset succeeded.

  • Not Synced — The asset is not configured for Tenable Lumin synchronization.

  • Error — An error occurred. For more information, see View Tenable Lumin Data Logs.

• First Synchronization — The date and time of the first synchronization of this asset.

• Last Success — The date and time of the most recent synchronization of this asset.

• Last Failure — The date and time of the most recent failed synchronization of this asset.

• Details — If the Status is Error, details about the error.

For more information about Tenable Lumin synchronization, see Tenable Lumin Synchronization.

View Hosts

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view a list of hosts associated with asset lists. For more information, see Assets.

To view details for an individual host, see View Host Details.

To view the list of hosts:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Host Assets.

The Host Assets page appears.

3. (Optional) To show or hide columns on the Host Assets page:

a. In the table, click the button next to a column header.

A drop-down menu appears with a list of column names.

b. Check or uncheck the boxes to show or hide columns.

4. View details about each host asset.

• Name — The name of the host.

• AES — (Requires Tenable Security Center+ license) The host's Asset Exposure Score. For more information, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

• ACR — (Requires Tenable Security Center+ license) The host's Asset Criticality Rating. For more information, see Asset Criticality Rating in the Tenable Vulnerability Management User Guide.

• IP Address — The host's IP address, if available.

• Repository — The repository that contains vulnerability data associated with the host.

• OS — The operating system running on the host, if available.

• System Type — The host's device type, as determined by plugin 54615.

• Net BIOS — The host's NetBIOS name, if available.

• DNS — The host's DNS name, if available.

• Last Seen — The date and time Tenable Security Center last detected the host on your network.

• Asset ID — The ID of the host.

• Source — The type of scan that discovered the host on your network: Tenable Nessus Scan, Tenable Nessus Network Monitor, Log Correlation Engine, Agent Scan, or Tenable OT Security Scan.

Tip: The following columns are hidden by default: System Type, Net BIOS, DNS, and Asset ID.

Export Hosts

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export a list of hosts in a .csv file to share the data with others in your organization. For
more information, see Assets.

To view details for an individual host, see View Host Details.

To export the list of hosts:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Host Assets.

The Host Assets page appears.

3. (Optional) To filter the list of hosts, apply a filter. For more information, see Host Asset Filter
Components.

4. At the top of the table, click Export.

Tenable Security Center exports the host assets in a CSV file.

Host Asset Filter Components


For general information about using filters, see Filters.

Filter Component Description

Asset Criticality Rating (ACR): (Requires Tenable Security Center+ license) Filters for hosts within the specified ACR range (for example, between 1 and 5). For more information, see Asset Criticality Rating in the Tenable Vulnerability Management User Guide.

Tip: To edit the ACR for a host asset, see Edit an ACR Manually.

Address: This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed hosts. For example, entering 198.51.100.28/24 and/or 2001:DB8::/32 limits any of the web tools to show only host data from the selected network(s). Addresses can be comma-separated or on separate lines.

Asset Exposure Score (AES): (Requires Tenable Security Center+ license) Filters for hosts within the specified AES range (for example, between 400 and 600).

DNS Name: This filter specifies a DNS name to limit the viewed hosts. For example, entering host.example.com limits any of the web tools to show only host data from that DNS name.

Name: Filters for hosts with names that include the specified text.

Operating System: Filters for hosts running the specified operating system.

Repositories: Filters for hosts with associated vulnerability data in the specified repository.

System Type: Filters for hosts with the specified device type, as determined by plugin 54615.

View Domain Inventory Assets

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view a list of assets identified in your organization's domains. For more information, see
Attack Surface Domain Discovery.

To view the list of domain inventory assets:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Domain Inventory.

The Domain Inventory page appears.

3. (Optional) To filter the list of domain inventory assets, apply a filter. For more information, see
Domain Inventory Filter Components.

4. (Optional) To create a domain inventory asset list, see Create a Domain Inventory Asset List.

5. (Optional) To show or hide columns on the Domain Inventory page:

a. In the table, click the button next to a column header.

A drop-down menu appears with a list of column names.

b. Check or uncheck the boxes to show or hide columns.

6. View details about each domain inventory asset.

• Host — The host associated with the asset.

• Record Type — The asset type.

Note: The value in this column is determined by DNS messages associated with the asset.

• Record Value — The name of the asset.

• IP — The asset's IP address, if available.

• ASN — The asset's Autonomous System Number.

• Ports — The ports to which the asset connects.

Create a Domain Inventory Asset List

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can create an asset list from your domain inventory assets to use in active scans.

For more information about your domain inventory, see Attack Surface Domain Discovery.

To create an asset list from your domain inventory assets:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Domain Inventory.

The Domain Inventory page appears.

3. (Optional) To filter the list of domain inventory assets, apply a filter. For more information, see
Domain Inventory Filter Components.

4. Right-click the row for the domain inventory asset you want to include in the asset list.

The actions menu appears.

-or-

Select the check box for the domain inventory asset you want to include in the asset list.

The available actions appear at the top of the table.

5. Click Create Asset.

The Create Asset pane appears.

6. In the Name box, type a name for the asset list.

7. (Optional) In the Description box, type a description for the asset list.

8. (Optional) In the Tag drop-down box, select a tag for the asset list. For more information
about tags, see Tags.

9. Click Submit.

What to do next:

• Create an active scan using the domain inventory asset list. For more information, see Add an Active Scan.

Export Domain Inventory Assets

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export a list of assets identified in your organization's domains. For more information, see
Attack Surface Domain Discovery.

To export a list of domain inventory assets:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Domain Inventory.

The Domain Inventory page appears.

3. (Optional) To the left of the table, click a domain to filter the list of assets.

4. At the top of the table, click Export All.

Tenable Security Center exports the domain inventory assets in a CSV file.

Domain Inventory Filter Components


For general information about using filters, see Filters. For more information about domains, see
Attack Surface Domain Discovery.

Filter Component Description

Address: Filters by an IPv4 or IPv6 address, range, or CIDR block. You can enter IP addresses in a comma-separated list or on separate lines.

Domain: Filters by domain name. The drop-down includes a list of all available domains.

Host: Filters by the host associated with the domain inventory asset. In the drop-down, select Exact Match, Should not Match, Contains, or Not Contains. The Exact Match option supports single and comma-separated values.

Ports: Filters by ports associated with the domain inventory asset. In the drop-down, select = to match the specified ports, ≠ to exclude the specified ports, ≥ to match ports greater than or equal to the specified ports, or ≤ to match ports less than or equal to the specified ports. You can specify a single port, comma-separated list of ports, or range of ports (e.g., 8000-8080).

Record Type: The type of domain inventory asset. This value is determined by DNS messages associated with the asset. In the drop-down, select Exact Match, Should not Match, Contains, or Not Contains. The Exact Match option supports single and comma-separated values.
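The address lists that Static assets (50,000 characters, comma-separated), Watchlist assets (20,000 characters, one per line) and the Address filters above accept all share one grammar: single IPv4/IPv6 addresses, CIDR blocks and dash ranges. The following is an added example, not Tenable code, of a parser and matcher for that grammar; the 198.51.100.28/24 and 2001:DB8::/32 values come from the Address filter description, while the sample range and single host are constructed, and reading a CIDR with host bits set as its enclosing network is an assumption about the filter's intent.

```python
"""Parser for the IP address lists accepted by Static assets, Watchlist
assets and the Address filter: single IPv4/IPv6 addresses, CIDR blocks and
dash ranges, comma-separated or one per line.  Added example, not Tenable
code; the character limits are the ones the guide states."""
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
STATIC_ASSET_LIMIT = 50_000  # characters, per the Static Assets table
WATCHLIST_LIMIT = 20_000     # characters, per the Watchlist Assets table
_SEPARATORS = re.compile(r"[,\n]")


def parse_address_list(text: str, char_limit: int = STATIC_ASSET_LIMIT) -> List[Network]:
    """Return the networks described by `text`, or raise ValueError.

    A CIDR with host bits set, such as 198.51.100.28/24 from the guide, is
    read as the enclosing /24 (strict=False), the network the filter means.
    """
    if len(text) > char_limit:
        raise ValueError(f"list is {len(text)} characters; the limit is {char_limit}")
    networks: List[Network] = []
    for raw in _SEPARATORS.split(text):
        token = raw.strip()
        if not token:
            continue  # tolerate blank lines and trailing commas
        if "-" in token:  # dash range written first-last
            first, last = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if first.version != last.version or first > last:
                raise ValueError(f"invalid range: {token}")
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:  # single address or CIDR block
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_valid_address_list(text: str, char_limit: int = STATIC_ASSET_LIMIT) -> bool:
    """Validation as the form would perform it before accepting the asset."""
    try:
        parse_address_list(text, char_limit)
        return True
    except ValueError:
        return False


def address_matches(address: str, networks: List[Network]) -> bool:
    """True if `address` is inside any parsed network (how a host filter is applied)."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


def total_addresses(networks: List[Network]) -> int:
    """Distinct addresses covered, counting overlapping blocks once."""
    total = 0
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


# Constructed input mixing the guide's two examples with a range and a single host.
SAMPLE_LIST = "198.51.100.28/24, 2001:DB8::/32\n192.0.2.10-192.0.2.20\n203.0.113.7"

if __name__ == "__main__":
    nets = parse_address_list(SAMPLE_LIST, WATCHLIST_LIMIT)
    print([str(n) for n in nets], total_addresses(nets))
```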

Credentials
Credentials are reusable objects that facilitate scan target login.

Administrators can add credentials available to all organizations. Organizational users can add
credentials available to other users in the same organization. For information about user access in
Tenable Security Center, see User Access.

Users can share credentials with other users, allowing them to scan remote hosts without knowing
the credentials of the host. For information about Tenable Security Center credential data
encryption, see Encryption Strength.

Tenable Security Center supports the following credential types:

• Miscellaneous Credentials

• API Gateway Credentials

• Database Credentials

• SNMP Credentials

• SSH Credentials

• Windows Credentials

• Web Authentication Credentials

If a scan contains multiple instances of one type of credential, Tenable Security Center tries the
credentials on each scan target in the order you added the credentials to Tenable Security Center.

Note: Tenable Security Center uses the first credential that allows successful login to perform
credentialed checks on the target. After a credential allows a successful login, Tenable Security Center
does not try any of the other credentials in the list, even if a different credential has greater privileges.

To add credentials, see Add Credentials.

Add Credentials

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information about credentials, see Credentials.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable
recommends adding no more than 10 SSH credentials per scan.

To add credentials:

1. Log in to Tenable Security Center.

2. Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational
users).

The Credentials page appears.

3. Click Add.

The Credential Templates page appears.

4. In the Miscellaneous, API Gateway, Database, SNMP, SSH, Windows, or Web Authentication
sections, click the tile for the specific method you want to configure.

The Add Credentials configuration page appears.

5. In the Name box, type a name for the credentials.

6. In the Description box, type a description for the credentials.

7. (Optional) Type or select a Tag. For more information, see Tags.

8. Configure the options, as described in:

• Miscellaneous Credentials

• API Gateway Credentials

• Database Credentials

• SNMP Credentials

• SSH Credentials

• Windows Credentials

• Web Authentication Credentials

9. Click Submit.

Tenable Security Center saves your configuration.

Miscellaneous Credentials

Configure the following options for all miscellaneous credentials, including options specific for your
authentication method:

• The following table describes the additional options to configure for Citrix credentials.

• The following table describes the additional options to configure for Nutanix Prism Central credentials.

• The following table describes the additional options to configure for OpenShift Container Platform credentials.

• The following table describes the additional options to configure for VMware vCenter API credentials.

Option Description

Name (Required) A name for the credential.

Description A description for the credential.

Tag A tag for the credential. For more information, see Tags.

Citrix Options

The following table describes the additional options to configure for Citrix credentials.

Option Description Default

Port: (Required) The TCP port that Citrix listens on for communications from Tenable Security Center. (default: 443)

Username: (Required) The username for the scanning Citrix account that Tenable Security Center uses to perform checks on the target system. (default: none)

Password: (Required) The password for the Citrix user. (default: none)

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. (default: enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. (default: enabled)

Tip: If you are using a self-signed certificate, disable this setting.

Nutanix Prism Central Options

The following table describes the additional options to configure for Nutanix Prism Central
credentials.

Option Description Default

Nutanix Host: (Required) The hostname or IP address for the Nutanix Prism Central host. (default: none)

Nutanix Port: (Required) The port for the Nutanix Prism Central host. (default: 9440)

Username: (Required) The username for the Nutanix Prism Central account. (default: none)

Password: (Required) The password for the Nutanix Prism Central user. (default: none)

Discover Hosts: When enabled, Tenable Security Center adds all discovered Nutanix hosts to the list of scan targets. (default: enabled)

Discover Virtual Machines: When enabled, Tenable Security Center adds all discovered Nutanix Virtual Machines to the list of scan targets. (default: enabled)

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. (default: enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. (default: disabled)

Tip: If you are using a self-signed certificate, disable this setting.

OpenShift Container Platform Options

The following table describes the additional options to configure for OpenShift Container Platform
credentials.

Option Description Default

Token: (Required) The authentication token for the Service Account in OpenShift. (default: none)

Port: (Required) The port for the OpenShift Container Platform host. (default: 6443)

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. (default: enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. (default: enabled)

Tip: If you are using a self-signed certificate, disable this setting.

VMware vCenter API Options

The following table describes the additional options to configure for VMware vCenter API
credentials.

Option Description Default

vCenter Host: (Required) The hostname or IP address for the VMware vCenter API host. (default: none)

vCenter Port: (Required) The port for the VMware vCenter API host. (default: 443)

Username: (Required) The username for the VMware vCenter API account. (default: none)

Password: (Required) The password for the VMware vCenter API user. (default: none)

HTTPS: When enabled, Tenable connects using secure communication (HTTPS). When disabled, Tenable connects using standard HTTP. (default: enabled)

Verify SSL Certificate: When enabled, Tenable verifies that the SSL certificate on the server is signed by a trusted CA. (default: disabled)

Tip: If you are using a self-signed certificate, disable this setting.

Auto Discover Managed VMware ESXi Hosts: When enabled, Tenable Security Center adds all discovered managed VMware ESXi hosts to the list of scan targets. (default: disabled)

Auto Discover Managed VMware ESXi Virtual Machines: When enabled, Tenable Security Center adds all discovered managed VMware ESXi virtual machines to the list of scan targets. (default: disabled)

API Gateway Credentials


Configure the following options for all API gateway credentials.

Name (Required): A name for the credential.

Description: A description for the credential.

Tag: A tag for the credential. For more information, see Tags.

IBM DataPower Options
The following table describes the additional options to configure for IBM DataPower credentials.

Client Certificate: The file that contains the PEM certificate used to communicate with the IBM DataPower host.

Client Certificate Private Key: The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase: The passphrase for the private key, if required.

Custom Header Key: If your IBM DataPower configuration uses custom HTTP headers, the custom HTTP header key.

Custom Header Value: If your IBM DataPower configuration uses custom HTTP headers, the custom HTTP header value.

Enable for Hashicorp Vault: When enabled, allows Tenable Security Center to use the IBM DataPower credential with a Hashicorp Vault credential.

Tip: If you want to run a test that does not use IBM DataPower credentials without having to delete the credential, you can temporarily disable this option to prevent Tenable Security Center from using IBM DataPower credentials.

Database Credentials
The following topic describes the available Database credentials.

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential
options may differ from the descriptions documented here.

Configure the following options for all database credentials:

Name (Required): A name for the credential.

Description: A description for the credential.

Tag: A tag for the credential. For more information, see Tags.

IBM DB2

The following table describes the additional options to configure for IBM DB2 credentials.

Source: The method for providing the required credential details: Entry or Import.

• Entry: Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

• Import: Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port: The TCP port that the IBM DB2 database instance listens on for communications from Tenable Security Center. The default is port 50000.

Database Name: The name for your database (not the name of your instance).

Informix/DRDA

The following table describes the additional options to configure for Informix/DRDA credentials.

Username: The username for a user on the database.

Password: The password associated with the username you provided.

Port: The TCP port that the Informix/DRDA database instance listens on for communications from Tenable Security Center. The default is port 1526.

MySQL

The following table describes the additional options to configure for MySQL credentials.

Source: The method for providing the required credential details: Entry or Import.

• Entry: Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

• Import: Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Username: The username for a user on the database.

Password: The password associated with the username you provided.

Port: The TCP port that the MySQL database instance listens on for communications from Tenable Security Center. The default is port 3306.

SID: The name for your database instance.

Oracle Database

The following table describes the additional options to configure for Oracle Database credentials.

Source: The method for providing the required credential details: Entry or Import.

• Entry: Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

• Import: Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port: The TCP port that the Oracle database instance listens on for communications from Tenable Security Center. The default is port 1521.

Authentication: The type of account you want Tenable Security Center to use to access the database instance:

• Normal
• System Operator
• System Database Administrator

Service Type: The Oracle parameter you want to use to specify the database instance: SID or Service Name.

Service: The SID value or SERVICE_NAME value for your database instance. The Service value you enter must match your parameter selection for the Service Type option.

PostgreSQL

The following table describes the additional options to configure for PostgreSQL credentials.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port: The TCP port that the PostgreSQL database instance listens on for communications from Tenable Security Center. The default is port 5432.

Database Name: The name for your database instance.

SQL Server

The following table describes the additional options to configure for SQL Server credentials.

Source: The method for providing the required credential details: Entry or Import.

• Entry: Specifies you want to use a single SID value or SERVICE_NAME value for the credential. You must also configure the remaining options on the Add Credential page, as described in Add Credentials.

• Import: Specifies you want to use multiple SID values for the credential, uploaded as a .csv file. For more information about the required .csv file format, see Database Credentials Authentication.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Username: The username for a user on the database.

Password: The password associated with the username you provided.

Port: The TCP port that the SQL Server database instance listens on for communications from Tenable Security Center. The default is port 1433.

Authentication: The type of account you want Tenable Security Center to use to access the database instance: SQL or Windows.

Instance Name: The name for your database instance.

Sybase ASE

The following table describes the additional options to configure for Sybase ASE credentials.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Port: The TCP port that the Sybase ASE database instance listens on for communications from Tenable Security Center. The default is port 3638.

Sybase ASE Auth Type: The type of authentication used by the Sybase ASE database: RSA or Plain Text.

Apache Cassandra

The following table describes the additional options to configure for Apache Cassandra credentials.

Authentication Method: The authentication method for providing the required credentials.

• CyberArk
• Password
• Lieberman
• Hashicorp Vault
• Wallix Bastion

For descriptions of the options for your selected authentication type, see Database Credentials Authentication.

Database Port: The port the database listens on. The default is port 9042.

MongoDB

The following table describes the additional options to configure for MongoDB credentials.

Username: The username for the database.

Password: The password for the supplied username.

Database: The name of the database to authenticate to.

Tip: To authenticate via LDAP or saslauthd, type $external.

Port (Required): The TCP port that the MongoDB database instance listens on for communications from Tenable Security Center.

Database Credentials Authentication Method Settings

Depending on the authentication type you select for your database credentials, you must configure
the following options. For more information about database credential settings, see Database
Credentials.

• Import Credentials
• Arcon Options
• CyberArk Options
• CyberArk (Legacy) Options
• CyberArk Database Auto-Discovery Options
• Hashicorp Vault Options
• Lieberman Options
• Password Options
• WALLIX Bastion Options

Import

Upload a .csv file with the credentials entered in the specified format. For descriptions of valid
values to use for each item, see Database Credentials.

You must configure either CyberArk or Hashicorp credentials for a database credential in the same scan so that Tenable Security Center can retrieve the credentials.

CSV format by database credential type:

IBM DB2: target, port, database_name, username, cred_manager, accountname_or_secretname

MySQL: target, port, database_name, username, cred_manager, accountname_or_secretname

Oracle: target, port, service_type, service_ID, username, auth_type, cred_manager, accountname_or_secretname

SQL Server: target, port, instance_name, username, auth_type, cred_manager, accountname_or_secretname

Note: Include the required data in the specified order, with commas between each value, without spaces. For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS

Note: The value for cred_manager must be either CyberArk or Hashicorp.
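
A malformed import file fails quietly at scan time, so it pays to check the file before uploading it. The following validator is an added example (not Tenable code): it encodes only what the CSV Format table above states, namely the column order per database type, the no-spaces rule and the CyberArk/Hashicorp restriction on cred_manager, plus the SID/SERVICE_NAME values of the Oracle Service Type option. The names COLUMNS, validate_row and validate_file, and the sample rows, are this example's own.

```python
"""Validate rows for the Tenable Security Center database-credential CSV import.

Added example, not Tenable code. It encodes the column layouts documented in the
CSV Format table (IBM DB2, MySQL, Oracle, SQL Server), the "no spaces" rule and
the rule that cred_manager is CyberArk or Hashicorp. Everything else here
(function names, sample rows) is constructed for the example.
"""

# Column order per database type, copied from the CSV Format table.
COLUMNS = {
    "IBM DB2": ["target", "port", "database_name", "username",
                "cred_manager", "accountname_or_secretname"],
    "MySQL": ["target", "port", "database_name", "username",
              "cred_manager", "accountname_or_secretname"],
    "Oracle": ["target", "port", "service_type", "service_ID", "username",
               "auth_type", "cred_manager", "accountname_or_secretname"],
    "SQL Server": ["target", "port", "instance_name", "username",
                   "auth_type", "cred_manager", "accountname_or_secretname"],
}
CRED_MANAGERS = {"CyberArk", "Hashicorp"}
ORACLE_SERVICE_TYPES = {"SID", "SERVICE_NAME"}   # the Service Type option's values


def validate_row(db_type, line):
    """Return the problems found in one CSV line; an empty list means it is valid."""
    if db_type not in COLUMNS:
        return [f"unknown database type {db_type!r}"]
    columns = COLUMNS[db_type]
    problems = []
    line = line.rstrip("\r\n")
    if " " in line:
        problems.append("values must be comma-separated with no spaces")
    fields = line.split(",")
    if len(fields) != len(columns):
        problems.append(f"expected {len(columns)} values ({', '.join(columns)}), got {len(fields)}")
        return problems  # the remaining checks need the columns to line up
    row = dict(zip(columns, fields))
    for name, value in row.items():
        if value.strip() == "":
            problems.append(f"{name} is empty")
    port = row["port"].strip()
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {row['port']!r} is not a TCP port number")
    if row["cred_manager"] not in CRED_MANAGERS:
        problems.append(f"cred_manager must be CyberArk or Hashicorp, got {row['cred_manager']!r}")
    if db_type == "Oracle" and row["service_type"] not in ORACLE_SERVICE_TYPES:
        problems.append(f"service_type must be SID or SERVICE_NAME, got {row['service_type']!r}")
    return problems


def validate_file(db_type, text):
    """Validate every non-blank line of a CSV body. Returns {line_number: [problems]}."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = validate_row(db_type, line)
        if problems:
            report[number] = problems
    return report


# Constructed sample input: the Oracle line from the note above, plus a DB2 file
# with one good row and two broken ones.
SAMPLE_ORACLE = "192.0.2.255,1521,SID,service_id,username,SYSDBA,CyberArk,Database-Oracle-SYS"
SAMPLE_DB2 = "\n".join([
    "192.0.2.10,50000,SAMPLE,db2inst1,Hashicorp,db2-prod",     # valid
    "192.0.2.11, 50000,SAMPLE,db2inst1,Thycotic,db2-prod",     # space and unsupported manager
    "192.0.2.12,50000,SAMPLE,db2inst1,CyberArk",               # missing a column
])

if __name__ == "__main__":
    print(validate_row("Oracle", SAMPLE_ORACLE))
    for number, problems in validate_file("IBM DB2", SAMPLE_DB2).items():
        print(number, problems)
```

Run it against the file you intend to upload (read the file into a string and pass it to validate_file with the database type) and fix every reported line before the import; the column-count check stops early on a short row because the remaining checks cannot tell which value landed in which column.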

Arcon Options

The following table describes the additional options to configure when using Arcon as the
Authentication Method for IBM DB2, SQL Server, MySQL, Oracle Database, PostgreSQL, or Sybase
ASE database credentials.

Arcon Host (Required): The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port (Required): The port on which Arcon listens. By default, Tenable Security Center uses port 444.

API User (Required): The API user provided by Arcon.

API Key (Required): The API key provided by Arcon.

Authentication URL (Required): The URL Tenable Security Center uses to access Arcon.

Password Engine URL (Required): The URL Tenable Security Center uses to access the passwords in Arcon.

Username (Required): The username to log in to the hosts you want to scan.

Checkout Duration (Required): The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.

CyberArk Options

The following table describes the additional options to configure when using CyberArk as the
Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, PostgreSQL,
SQL Server, or Sybase ASE database credentials.

Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.

CyberArk Host (Required): The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string.

Port (Required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required): The Application ID associated with the CyberArk API connection.

Client Certificate (Optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (Required if a private key is applied): The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Required if a private key is applied): The passphrase for the private key, if required.

Get credential by (Required): The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

Username (Optional; if Get credential by is Username): The username of the CyberArk user to request a password from.

Safe (Optional): The CyberArk safe the credential should be retrieved from.

Account Name (Optional; if Get credential by is Identifier): The unique account name or identifier assigned to the CyberArk API credential.

Use SSL (Optional): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (Optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

CyberArk (Legacy) Options

The following table describes the additional options to configure when using CyberArk (Legacy) as
the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, PostgreSQL,
SQL Server, or Sybase ASE database credentials.

Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.

Each option below lists the database types it applies to and whether it is required.

Username (All; Required): The target system's username.

Central Credential Provider Host (All; Required): The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port (All; Required): The port on which the CyberArk Central Credential Provider is listening.

CyberArk AIM Service URL (All; Optional): The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx.

Central Credential Provider Username (All; Optional): If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

Central Credential Provider Password (All; Optional): If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

CyberArk Safe (All; Optional): The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

CyberArk Client Certificate (All; Optional): The file that contains the PEM certificate used to communicate with the CyberArk host.

CyberArk Client Certificate Private Key (All; Optional): The file that contains the PEM private key for the client certificate.

CyberArk Client Certificate Private Key Passphrase (All; Optional): The passphrase for the private key, if your authentication implementation requires it.

CyberArk AppId (All; Required): The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

CyberArk Folder (All; Optional): The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

CyberArk Account Details Name (All; Required): The unique name of the credential you want to retrieve from CyberArk.

PolicyId (All; Optional): The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.

Use SSL (All; Optional): If the CyberArk Central Credential Provider is configured to support SSL through IIS, check this option for secure communication.

Verify SSL Certificate (All; Optional): If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

Database Port (All; Required): The port on which Tenable Security Center communicates with the database.

Database Name (DB2, PostgreSQL; Optional): The name of the database.

Auth type (Oracle, SQL Server, Sybase ASE; Required): The account or authentication type for the database.

SQL Server values include:

• Windows
• SQL

Oracle values include:

• Normal
• System Operator
• System Database Administrator

Sybase ASE values include:

• RSA
• Plain Text

Instance Name (SQL Server; Optional): The name for your database instance.

Service type (Oracle; Required): Valid values include:

• SID
• SERVICE_NAME

Service (Oracle; Optional): The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option.

CyberArk Database Auto-Discovery Options

The following table describes the additional options to configure when using CyberArk Database
Auto-Discovery as the Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle
Database, PostgreSQL, SQL Server, or Sybase ASE database credentials.

Note: You must be running Tenable Nessus 7.0.0 or later to configure CyberArk credentials.

CyberArk Host (Required): The IP address or FQDN name for the user's CyberArk Instance.

Port (Required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required): The Application ID associated with the CyberArk API connection.

Safe (Optional): Users may optionally specify a Safe to gather account information and request passwords.

AIM WebService Authentication Type (Required): There are two authentication methods established in the feature: IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

Client Certificate (Optional): The file that contains the PEM-formatted certificate used to communicate with the host.

Client Certificate Private Key (Optional): The file that contains the PEM-formatted private key for the client certificate.

Client Certificate Private Key Passphrase (Optional): The passphrase for the private key, if required.

CyberArk PVWA Web UI Login Name (Required): Username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk PVWA Web UI Login Password (Required): Password for the username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk Platform Search String (Required): String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter Oracle Admin TestSafe to gather all Oracle platform accounts containing a username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

Use SSL (Required): If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (Optional): If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

Password Options

The following table describes the additional options to configure when using Password as the
Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database,
PostgreSQL, or Sybase ASE database credentials.

Each option below lists the database types it applies to.

Username (All): The username for a user on the database.

Password (All): The password associated with the username you provided.

Port (All): The port the database is listening on.

Database Name (IBM DB2, PostgreSQL): The name for your database instance.

Authentication (Oracle Database, SQL Server): The type of account you want Tenable Security Center to use to access the database instance.

Service Type (Oracle Database): The Oracle parameter you want to use to identify the database instance: SID or Service Name.

Service (Oracle Database): The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option.

Instance Name (SQL Server): The name for your database instance.

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the
Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database,
PostgreSQL, or Sybase ASE database credentials.

Each option below lists the credential types it applies to and whether it is required.

Port (Oracle Database, IBM DB2, MySQL, PostgreSQL, SQL Server; Required): The port on which Tenable Security Center communicates with the database.

SID (MySQL; Required): The name for your database instance, used to connect to the database.

Database Name (IBM DB2, PostgreSQL; Optional): The name of the database.

Instance Name (SQL Server; Required): The SQL server name.

Hashicorp Host (All; Required): The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Hashicorp Port (All; Required): The port on which Hashicorp Vault listens.

Service Type (Oracle Database; Required): The Oracle parameter you want to use to identify the database instance: SID or Service Name.

Service (Oracle Database; Required): The SID or Service Name value for your database instance.

Note: The Service value must match the Service Type option parameter selection.

Authentication Type (All; Required): Specifies the authentication type for connecting to the instance: App Role or Certificates.

Client Cert (All; Required if Authentication Type is Certificates): The client certificate file you want to use to authenticate the connection.

Private Key (All; Required if Authentication Type is Certificates): The private key file associated with the client certificate you want to use to authenticate the connection.

Role ID (All; Required if Authentication Type is App Role): The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (All; Required if Authentication Type is App Role): The GUID generated by Hashicorp Vault when you configured your App Role.

Authentication URL (All; Required): The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login

Namespace (All; Optional): The name of a specified team in a multi-team environment.

Hashicorp Vault Type (All; Required): The type of Hashicorp Vault secrets engine:

• KV1: Key/Value Secrets Engine Version 1
• KV2: Key/Value Secrets Engine Version 2
• AD: Active Directory
• LDAP: LDAP secrets engine

KV1 Engine URL / KV2 Engine URL / AD Engine URL / LDAP Engine URL (All; Required): The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing /.

Username Source (All; Required; appears when Hashicorp Vault Type is KV1 or KV2): Specifies if the username is input manually or pulled from Hashicorp Vault.

Username key (All; Optional; appears when Hashicorp Vault Type is KV1 or KV2): The key in Hashicorp Vault that usernames are stored under.

Username (All; Required; appears when Username Source is Manual Entry): The username to use for the database, entered manually rather than read from Hashicorp Vault.

Password key (All; Optional; appears when Hashicorp Vault Type is KV1 or KV2): The key in Hashicorp Vault that passwords are stored under.

Secret Name (All; Required): The name of the secret you want to retrieve values for.

Use SSL (All; Optional): When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option.

Verify SSL (All; Optional): When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option.
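
Before saving a Hashicorp Vault credential it is worth walking the same exchange by hand: log in at the Authentication URL with the Role ID and Role Secret ID, then read the engine URL with the returned token and confirm the username and password keys are where you expect. The following is an added example, not Tenable code. It uses Vault's documented HTTP API shapes (POST /v1/auth/approle/login with role_id and secret_id, GET the engine path with X-Vault-Token, and KV2 nesting its key/value pairs under data.data while KV1 puts them directly under data); whether Tenable Security Center expects you to type the /data/ segment of a KV2 read path into the KV2 Engine URL is not stated on this page, so check the path against Vault directly. FakeVault, its paths, secrets and IDs are constructed stand-ins so the flow runs offline.

```python
"""Walk the Hashicorp Vault exchange behind the options above, offline.

Added example, not Tenable code. The request shapes are Vault's documented HTTP
API: POST the Authentication URL with role_id and secret_id, then GET the engine
URL with the returned token. FakeVault and every path, ID and secret below are
constructed for the example.
"""

AUTH_URL = "/v1/auth/approle/login"                 # path only, as the Authentication URL option says
ROLE_ID = "a3f1c2d4-0000-4000-8000-0000000000aa"    # constructed Role ID
SECRET_ID = "5e9b0c1d-0000-4000-8000-0000000000bb"  # constructed Role Secret ID
NAMESPACE = "team-scanning"                         # optional Namespace option


class FakeVault:
    """Stand-in for a Vault server so the flow runs without a network."""

    def __init__(self):
        self.token = "hvs.example-client-token"
        self.secrets = {
            # KV1: keys sit directly under "data".
            "/v1/kv1/db/oracle-prod": {
                "data": {"username": "scan_ro", "password": "kv1-pass"}},
            # KV2: the read path carries /data/ and keys sit under data.data.
            "/v1/kv2/data/db/oracle-prod": {
                "data": {"data": {"username": "scan_ro", "password": "kv2-pass"},
                         "metadata": {"version": 3}}},
        }

    def request(self, method, path, headers, body=None):
        """Return (status, json) the way a Vault server would for these paths."""
        if method == "POST" and path == AUTH_URL:
            if body != {"role_id": ROLE_ID, "secret_id": SECRET_ID}:
                return 400, {"errors": ["invalid role or secret ID"]}
            return 200, {"auth": {"client_token": self.token}}
        if headers.get("X-Vault-Token") != self.token:
            return 403, {"errors": ["permission denied"]}
        if method == "GET" and path in self.secrets:
            return 200, self.secrets[path]
        return 404, {"errors": []}


def approle_login(vault, role_id, secret_id, namespace=None):
    """Exchange Role ID and Role Secret ID for a client token."""
    headers = {"X-Vault-Namespace": namespace} if namespace else {}
    status, resp = vault.request("POST", AUTH_URL, headers,
                                 {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise PermissionError(f"AppRole login failed ({status}): {resp.get('errors')}")
    return resp["auth"]["client_token"]


def read_secret(vault, token, engine_url, vault_type, username_key, password_key,
                namespace=None):
    """Read the secret at engine_url and pull the username/password keys out of it."""
    if engine_url.endswith("/"):
        raise ValueError("engine URL must not end with /")
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    status, resp = vault.request("GET", engine_url, headers)
    if status != 200:
        raise LookupError(f"GET {engine_url} returned {status}: {resp.get('errors')}")
    # KV2 nests the key/value pairs one level deeper than KV1.
    payload = resp["data"]["data"] if vault_type == "KV2" else resp["data"]
    missing = [k for k in (username_key, password_key) if k not in payload]
    if missing:
        raise KeyError(f"{missing} not found under {engine_url}; keys present: {sorted(payload)}")
    return payload[username_key], payload[password_key]


if __name__ == "__main__":
    vault = FakeVault()
    token = approle_login(vault, ROLE_ID, SECRET_ID, NAMESPACE)
    print(read_secret(vault, token, "/v1/kv1/db/oracle-prod", "KV1", "username", "password"))
    print(read_secret(vault, token, "/v1/kv2/data/db/oracle-prod", "KV2", "username", "password"))
```

The two failure modes this catches are the ones that usually surface only as a failed credentialed scan: selecting KV1 for a KV2 mount (the username and password keys are then missing because they sit one level deeper) and leaving a trailing slash on the engine URL.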

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the
Authentication Method for Apache Cassandra, IBM DB2, SQL Server, MySQL, Oracle Database,
PostgreSQL, or Sybase ASE database credentials.

Note: You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Each option below lists the database types it applies to.

Username (All): The username for a user on the database.

Port (All): The port the database is listening on.

Database Name (IBM DB2, PostgreSQL): The name for your database instance.

Authentication (Oracle Database, SQL Server): The type of account you want Tenable Security Center to use to access the database instance.

Service Type (Oracle Database): The Oracle parameter you want to use to identify the database instance: SID or Service Name.

Service (Oracle Database): The SID value for your database instance or a SERVICE_NAME value. The Service value you enter must match your parameter selection for the Service Type option.

Instance Name (SQL Server): The name for your database instance.

Lieberman Host (All): The Lieberman IP address or DNS address.

Lieberman Port (All): The port Lieberman is listening on.

Lieberman User (All): The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password (All): The password for the Lieberman explicit user.

Use SSL (All): When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate (All): When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

System Name (All): The name for the database credentials in Lieberman.

WALLIX Bastion Options

The following table describes the additional options to configure when using WALLIX Bastion as the
Authentication Method for Apache Cassandra, IBM DB2, MySQL, Oracle Database, SQL Server, or
Sybase ASE database credentials.

Port (Optional): The port the database is listening on.

WALLIX Host (Required): The IP address for the WALLIX Bastion host.

WALLIX Port (Required): The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443.

Authentication Type (Optional): Basic authentication (with WALLIX Bastion user interface username and password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements).

WALLIX User (Required): Your WALLIX Bastion user interface login username.

WALLIX Password (Required): Your WALLIX Bastion user interface login password. Used for Basic authentication to the API.

WALLIX API Key (Required): The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API.

Get Credential by Device Account Name (Required only if you have a target and/or device with multiple accounts): The account name associated with a Device you want to log in to the target systems with.

Note: If your device has more than one account, you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account being returned by the system.

HTTPS (Required): This is enabled by default.

Caution: The integration fails if you disable HTTPS.

Verify SSL Certificate (Optional): This is disabled by default and is not supported in WALLIX Bastion PAM integrations.

SNMP Credentials
Configure the following options for SNMP credentials. Tenable Security Center supports SNMPv1 for
authentication via a community string.

Name (Required): A name for the credential.

Description: A description for the credential.

Tag: A tag for the credential. For more information, see Tags.

Community: The SNMP community string used for authentication.

SSH Credentials
Use SSH credentials for host-based checks on Unix systems and supported network devices.
Tenable Security Center uses these credentials to obtain local information from remote Unix
systems for patch auditing or compliance checks. Tenable Security Center uses Secure Shell (SSH)
protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.

Tenable Security Center encrypts the data using the AES-256-CBC algorithm to protect it from
being viewed by sniffer programs.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such
as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system
configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable
recommends adding no more than 10 SSH credentials per scan.

Configure the following options for SSH credentials, including options specific for your
authentication method:

• Arcon Options

• BeyondTrust Options

• Centrify Options

• Certificate Options

• CyberArk SSH Auto-Discovery Options

• CyberArk Vault Options

• CyberArk Vault (Legacy) Options

• Delinea Secret Server Options

• Hashicorp Vault Options

• Kerberos Options

• Lieberman Options

• The most effective credentialed scans are those with root privileges (enable privileges, for Cisco IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user account can invoke a variety of privilege escalation options, including su, sudo, su+sudo, DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.

• Public Key Options

• QiAnXin Options

• Senhasegura Options

• Thycotic Secret Server Options

• WALLIX Bastion Options

General Options

Option Description

Name (Required) A name for the credential.

Description A description for the credential.

Tag A tag for the credential. For more information, see Tags.

Arcon Options

The following table describes the additional options to configure when using Arcon as the
authentication method for SSH credentials.

Option Description

Arcon Host (Required) The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444.

API User (Required) The API user provided by Arcon.

API Key (Required) The API key provided by Arcon.

Authentication URL (Required) The URL Tenable Security Center uses to access Arcon.

Password Engine URL (Required) The URL Tenable Security Center uses to access the passwords in Arcon.

Username (Required) The username to log in to the hosts you want to scan.

Arcon Target Type (Optional) The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value.

Checkout Duration (Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.

Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.

Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

BeyondTrust Options

The following table describes the additional options to configure when using BeyondTrust as the
authentication method for SSH credentials.

Option Description

Username The username to log in to the hosts you want to scan.

BeyondTrust Host The BeyondTrust IP address or DNS address.

BeyondTrust Port The port BeyondTrust is listening on.

BeyondTrust API User The API user provided by BeyondTrust.

BeyondTrust API Key The API key provided by BeyondTrust.

Checkout Duration The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL If enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL Certificate If enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Use Private Key If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication.

Use Privilege Escalations If enabled, Tenable Security Center uses BeyondTrust for privilege escalation.

Centrify Options

The following table describes the additional options to configure when using Centrify as the
authentication method for SSH credentials.

Option Description

Centrify Host (Required) The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Centrify Port (Required) The port on which Centrify listens. By default, Tenable Security Center uses port 443.

API User (Required) The API user provided by Centrify.

API Key (Required) The API key provided by Centrify.

Tenant (Required) The Centrify tenant associated with the API. By default, Tenable Security Center uses centrify.

Authentication URL (Required) The URL Tenable Security Center uses to access Centrify. By default, Tenable Security Center uses /Security.

Password Query URL (Required) The URL Tenable Security Center uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock.

Password Engine URL (Required) The URL Tenable Security Center uses to access the passwords in Centrify. By default, Tenable Security Center uses /ServerManage.

Username (Required) The username to log in to the hosts you want to scan.

Checkout Duration (Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Security Center scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option.

Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option.

Certificate Options

The following table describes the additional options to configure when using Certificate as the
authentication method for SSH credentials.

Option Description

Username (Required) The username for a user on the host system.

User Certificate (Required) The RSA, DSA, ECDSA, or ED25519 OpenSSH certificate file for the user.

Private Key (Required) The RSA, DSA, ECDSA, or ED25519 OpenSSH private key file for the user.

Passphrase The passphrase for the private key, if required.

Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

CyberArk SSH Auto-Discovery Options

The following table describes the additional options to configure when using CyberArk SSH Auto-
Discovery as the authentication method for SSH credentials.

Option Description

CyberArk Host (Required) The IP address or FQDN name for the user's CyberArk Instance.

Port (Required) The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required) The Application ID associated with the CyberArk API connection.

Safe (Optional) Users may optionally specify a Safe to gather account information and request passwords.

AIM Web Service Authentication Type (Required) There are two authentication methods established in the feature: IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

Username (Optional; appears if AIM Web Service Authentication Type is IIS Basic Authentication) The username for a user on the CyberArk server.

Password (Optional; appears if AIM Web Service Authentication Type is IIS Basic Authentication) The password associated with the username you provided.

Client Certificate (Optional; appears if AIM Web Service Authentication Type is Certificate Authentication) The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (Appears if AIM Web Service Authentication Type is Certificate Authentication; required if a private key is applied) The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Appears if AIM Web Service Authentication Type is Certificate Authentication; required if a private key is applied) The passphrase for the private key, if required.

CyberArk PVWA Web UI Login Name (Required) Username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk PVWA Web UI Login Password (Required) Password for the username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk Platform Search String (Required) String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all UnixSSH platform accounts containing a username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

Use SSL (Required) If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (Optional) If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

Privilege Escalation (Optional) The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

CyberArk Vault Options

The following table describes the additional options to configure when using CyberArk Vault as the
authentication method for SSH credentials.

Option Description

CyberArk Elevate Privileges With (Optional) The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk Elevate Privileges With selection determines the specific options you must configure. For more information, see Privilege Escalation.

CyberArk Host (Required) The IP address or FQDN name for the CyberArk AIM Web Service.

Port (Required) The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required) The Application ID associated with the CyberArk API connection.

Client Certificate (Optional) The file that contains the PEM certificate used to communicate with the CyberArk host.

Client Certificate Private Key (Required if a private key is applied) The file that contains the PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Required if a private key is applied) The passphrase for the private key, if required.

Kerberos Target Authentication (Optional) If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

KDC Port (Required if Kerberos Target Authentication is enabled) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

KDC Transport (Required if Kerberos Target Authentication is enabled) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Realm (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Security Center uses 443.

Get credential by (Required) The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

Username (Optional; used if Get credential by is Username) The username of the CyberArk user to request a password from.

Safe (Optional) The CyberArk safe the credential should be retrieved from.

Address (Optional) This option should only be used if the Address value is unique to a single CyberArk account credential.

Account Name (Optional; used if Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential.

Use SSL (Optional) If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate (Optional) If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
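
The two notes on Get credential by describe behaviour that is easier to see in code. The example below is added here and is not Tenable's or CyberArk's code: it builds the account query for each mode, plans how many queries a target list needs, and runs them against a constructed set of account records to show the Address mismatch failure. The endpoint path /AIMWebService/api/Accounts and the parameter names AppID, Safe, UserName, Address and Object follow the CyberArk Central Credential Provider REST API; the chunk size and the matching rule in lookup() are this example's assumptions, not the plugin's.

```python
# Added example (not Tenable's code): how the CyberArk Vault "Get credential by"
# setting changes the account query, and why Username mode fails when the
# account's Address field holds something other than the target IP.
# Assumptions: CCP REST endpoint and parameter names; chunking modelled here.
from urllib.parse import urlencode, parse_qsl, urlsplit

CCP_ENDPOINT = "/AIMWebService/api/Accounts"  # assumed CCP REST path


def build_query(app_id, mode, *, safe=None, username=None, account_name=None,
                address=None, target_ip=None):
    """Return the query string for one credential lookup in the given mode."""
    params = {"AppID": app_id}
    if safe:
        params["Safe"] = safe
    if mode == "Username":
        # The guide's note: Username mode also sends Address=<resolved target IP>.
        if username is None or target_ip is None:
            raise ValueError("Username mode needs a username and a target IP")
        params["UserName"] = username
        params["Address"] = target_ip
    elif mode == "Identifier":
        if account_name is None:
            raise ValueError("Identifier mode needs the unique account name")
        params["Object"] = account_name
    elif mode == "Address":
        if address is None:
            raise ValueError("Address mode needs an address")
        params["Address"] = address
    else:
        raise ValueError(f"unknown Get credential by mode: {mode}")
    return CCP_ENDPOINT + "?" + urlencode(params)


def plan_queries(app_id, mode, targets, chunk_size=64, **kw):
    """Username: one query per target. Identifier (and Address here): one query
    per chunk of targets, since every target in the chunk shares the identifier."""
    if mode == "Username":
        return [build_query(app_id, mode, target_ip=t, **kw) for t in targets]
    chunk_starts = range(0, len(targets), chunk_size)
    return [build_query(app_id, mode, **kw) for _ in chunk_starts]


# Constructed CyberArk account records; "Content" stands in for the password.
ACCOUNTS = [
    {"Safe": "LinuxScan", "UserName": "nessus", "Address": "10.0.0.5",
     "Object": "UnixSSH-10.0.0.5-nessus", "Content": "constructed-pw-1"},
    # Address holds a hostname, not the IP the scanner resolves for the target.
    {"Safe": "LinuxScan", "UserName": "nessus", "Address": "scanhost02.example.com",
     "Object": "UnixSSH-scanhost02-nessus", "Content": "constructed-pw-2"},
]


def lookup(query):
    """Simulate the vault's matching: every sent parameter except AppID must
    match exactly, and exactly one account must match."""
    params = dict(parse_qsl(urlsplit(query).query))
    params.pop("AppID", None)
    hits = [a for a in ACCOUNTS if all(a.get(k) == v for k, v in params.items())]
    return hits[0]["Content"] if len(hits) == 1 else None


if __name__ == "__main__":
    # Target 10.0.0.6 is the second account, but its Address is a hostname,
    # so Username mode returns nothing for it while Identifier mode succeeds.
    for q in plan_queries("NessusScan", "Username", ["10.0.0.5", "10.0.0.6"],
                          safe="LinuxScan", username="nessus"):
        print(q, "->", "found" if lookup(q) else "no credential")
```

Run it and the second Username-mode query comes back empty even though the account exists; switching that target to Identifier mode with its Object name retrieves it in a single query for the whole chunk.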

CyberArk Vault (Legacy) Options

The following table describes the additional options to configure when using CyberArk Vault
(Legacy) as the authentication method for SSH credentials.

Option Description

Username (Required) The username for the target system.

CyberArk elevate privileges with The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk elevate privileges with selection determines the specific options you must configure. For more information, see Privilege Escalation.

Central Credential Provider URL Host (Required) The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port (Required) The port the CyberArk Central Credential Provider is listening on.

CyberArk Address The domain for the CyberArk account. You must configure SSL through IIS in CyberArk Central Credential Provider before configuring this option.

Vault Username The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe (Required) The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.

CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.

CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.

AppID (Required) The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder (Required) The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

CyberArk Escalation Account Details Name The unique name of the credential you want to retrieve from CyberArk.

CyberArk AIM Service URL The URL for the CyberArk AIM web service. By default, Tenable Security Center uses /AIMWebservice/v1.1/AIM.asmx.

Delinea Secret Server Options

The following table describes the additional options to configure when using Delinea Secret Server
as the authentication method for SSH credentials.

Option Description

Delinea Secret Name (Required) The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

Delinea Host (Required) The Delinea Secret Server host to pull the secrets from.

Delinea Port (Required) The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

Delinea Login Name (Required) The username to authenticate to the Delinea server.

Delinea Password (Required) The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

Use Private Key (Optional) If enabled, uses key-based authentication for SSH connections instead of password authentication.

Checkout Duration (Required) The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time.

Use SSL (Optional) Enable if the Delinea Secret Server is configured to support SSL.

Verify SSL Certificate (Optional) If enabled, verifies the SSL Certificate on the Delinea server.

Privilege Escalation (Optional) The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure.

Custom password prompt (Optional) Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the
authentication method for SSH credentials.

Option Description

Hashicorp Host (Required) The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Hashicorp Port (Required) The port on which Hashicorp Vault listens.

Authentication Type (Required) Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

Role ID (Required) The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (Required) The GUID generated by Hashicorp Vault when you configured your App Role.

Authentication URL (Required) The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login

Namespace (Optional) The name of a specified team in a multi-team environment.

Hashicorp Vault Type (Required) The type of Hashicorp Vault secrets engine:

- KV1 — Key/Value Secrets Engine Version 1
- KV2 — Key/Value Secrets Engine Version 2
- AD — Active Directory
- LDAP — LDAP secrets engine

KV1 Engine URL / KV2 Engine URL / AD Engine URL / LDAP Engine URL (Required) The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing /.

Username Source (Required; appears when Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault.

Username Key (Required; appears when Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under.

Password Key (Required; appears when Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under.

Secret Name (Required) The key secret you want to retrieve values for.

Kerberos Target Authentication (Optional) If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

Key Distribution Center (KDC) (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

KDC Port (Required if Kerberos Target Authentication is enabled) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

KDC Transport (Required if Kerberos Target Authentication is enabled) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Realm (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Security Center uses 443.

Use SSL (Optional) When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option.

Verify SSL Certificate (Optional) When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option.

Privilege Escalation (Optional) The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.
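
The Hashicorp Vault options above are really the inputs to three Vault API calls: an AppRole login at the Authentication URL, then a read of the Engine URL plus Secret Name, from which the Username Key and Password Key pick the two values. The example below is added here and is not Tenable's or HashiCorp's code. The request and response shapes (AppRole login returning auth.client_token, KV v1 reads at <engine>/<name>, KV v2 reads at <engine>/data/<name> with a nested data.data object) are Vault's documented API; how Tenable's plugin joins the Engine URL and Secret Name, and the default key names, are this example's assumptions. A constructed in-memory stand-in replaces the Vault server so it runs offline.

```python
# Added example (not Tenable's code): the Vault API calls behind the
# Hashicorp Vault credential options, run against a constructed fake server.
# Assumed: plugin joins Engine URL and Secret Name as shown in secret_path().


def normalize_engine_url(url):
    """Apply the guide's rule for Engine URL: a path, with no trailing slash."""
    url = url.strip()
    if not url.startswith("/"):
        url = "/" + url
    return url.rstrip("/") or "/"


def approle_login(transport, auth_url, role_id, secret_id):
    """POST Role ID and Role Secret ID to the Authentication URL; return a token."""
    status, body = transport("POST", normalize_engine_url(auth_url), {},
                             {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise RuntimeError(f"AppRole login failed: HTTP {status}")
    return body["auth"]["client_token"]


def secret_path(vault_type, engine_url, secret_name):
    """KV2 reads go through <engine>/data/<name>; KV1 through <engine>/<name>."""
    base = normalize_engine_url(engine_url)
    if vault_type == "KV2":
        return f"{base}/data/{secret_name}"
    if vault_type == "KV1":
        return f"{base}/{secret_name}"
    raise ValueError(f"this example covers KV1 and KV2 only, not {vault_type}")


def fetch_ssh_credential(transport, token, vault_type, engine_url, secret_name,
                         username_key="username", password_key="password"):
    """Read the secret and pull out the values under Username Key / Password Key."""
    status, body = transport("GET", secret_path(vault_type, engine_url, secret_name),
                             {"X-Vault-Token": token}, None)
    if status != 200:
        raise RuntimeError(f"secret read failed: HTTP {status}")
    # KV v2 wraps the key/value pairs one level deeper than KV v1.
    data = body["data"]["data"] if vault_type == "KV2" else body["data"]
    missing = [k for k in (username_key, password_key) if k not in data]
    if missing:
        raise KeyError(f"secret lacks configured key(s): {missing}")
    return data[username_key], data[password_key]


# --- constructed stand-in for a Vault server (values are made up) -----------
FAKE_ROLE_ID = "constructed-role-id"
FAKE_SECRET_ID = "constructed-secret-id"
FAKE_TOKEN = "hvs.constructed-token"


def fake_vault(method, path, headers, body):
    """Answer with the JSON shapes Vault returns for these endpoints."""
    if method == "POST" and path == "/v1/auth/approle/login":
        if body == {"role_id": FAKE_ROLE_ID, "secret_id": FAKE_SECRET_ID}:
            return 200, {"auth": {"client_token": FAKE_TOKEN}}
        return 400, {"errors": ["invalid role or secret ID"]}
    if headers.get("X-Vault-Token") != FAKE_TOKEN:
        return 403, {"errors": ["permission denied"]}
    if method == "GET" and path == "/v1/secret/data/scanhost01":      # KV v2
        return 200, {"data": {"data": {"username": "nessus", "password": "constructed-pw"},
                              "metadata": {"version": 3}}}
    if method == "GET" and path == "/v1/kv/scanhost01":               # KV v1
        return 200, {"data": {"username": "nessus", "password": "constructed-pw-v1"}}
    return 404, {"errors": []}


def run(vault_type, engine_url):
    """The full flow a credentialed scan performs, against the fake server."""
    token = approle_login(fake_vault, "/v1/auth/approle/login", FAKE_ROLE_ID, FAKE_SECRET_ID)
    return fetch_ssh_credential(fake_vault, token, vault_type, engine_url, "scanhost01")


if __name__ == "__main__":
    user, _ = run("KV2", "/v1/secret/")   # trailing slash is stripped, as the guide requires
    print("retrieved SSH username:", user)  # the password is deliberately not printed
```

The KV1 versus KV2 branch is the part that bites in practice: with the wrong Hashicorp Vault Type the read lands on a path that does not exist, and with a Username Key or Password Key that does not match the stored field names the read succeeds but the scan still has no usable login, which is why the example raises on missing keys instead of silently returning an empty value.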

Kerberos Options

The following table describes the additional options to configure when using Kerberos as the
authentication method for SSH credentials.

Option Description

Username (Required) The username for a user on the target system.

Password (Required) The password associated with the username you provided.

KDC Host (Required) The host supplying the session tickets.

KDC Port (Required) The port you want to use for the KDC connection. By default, Tenable Security Center uses port 88.

KDC Transport (Required) The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750.

Realm (Required) The authentication domain, typically the domain name of the target (e.g., example.com).

Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the
authentication method for SSH credentials.

Option Description

Username The username for a user on the database.

Lieberman Host The Lieberman IP address or DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Lieberman Port The port Lieberman is listening on.

Lieberman User The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password The password for the Lieberman explicit user.

Use SSL When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

System Name The name for the database credentials in Lieberman.

Password Options

The most effective credentialed scans are those with root privileges (enable privileges, for Cisco
IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user
account can invoke a variety of privilege escalation options including: su, sudo, su+sudo,
DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.

The following table describes the additional options to configure when using Password as the
authentication method for SSH credentials.

Option Description

Username (Required) The username for a user on the target system.

Password (Unsafe!) (Required) The password associated with the username you provided.

Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Public Key Options

The following table describes the additional options to configure when using Public Key as the
authentication method for SSH credentials.

Option Description

Username (Required) The username for a user on the host system.

Private Key (Required) The RSA, DSA, ECDSA, or ED25519 OpenSSH key file for the user.

Passphrase The passphrase for the private key, if required.

Privilege Escalation The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

QiAnXin Options

The following table describes the additional options to configure when using QiAnXin as the
authentication method for SSH credentials.

Option Description

QiAnXin Host (Required) The IP address or URL for the QiAnXin host.

QiAnXin Port (Required) The port on which the QiAnXin API communicates. By default, Tenable uses 443.

QiAnXin API Client ID (Required) The Client ID for the embedded account application created in QiAnXin PAM.

QiAnXin API Client Secret (Required) The Secret ID for the embedded account application created in QiAnXin PAM.

QiAnXin Username (Required) The username to log in to the hosts you want to scan.

QiAnXin Asset Address (Optional) Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used.

QiAnXin Asset Platform (Optional) Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

- ACTIVE_DIRECTORY — Windows Domain Account
- WINDOWS — Windows Local Account
- LINUX — Linux Account
- SQL_SERVER — SQL Server Database
- ORACLE — Oracle Database
- MYSQL — MySQL Database
- DB2 — DB2 Database
- HP_UNIX — HP Unix
- SOLARIS — Solaris
- OPENLDAP — OpenLDAP
- POSTGRESQL — PostgreSQL

QiAnXin Region ID (Required only if using multiple regions) Specify the region ID of the asset containing the account to use.

Use SSL (Optional) When enabled, Tenable uses SSL for secure communication. This is enabled by default.

Verify SSL Certificate (Optional) When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA.

Privilege Escalation (Optional) The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation.

Senhasegura Options

The following table describes the additional options to configure when using Senhasegura as the
authentication method for SSH credentials.

Option Description

Senhasegura Host (Required) The IP address or URL for the Senhasegura host.

Senhasegura Port (Required) The port on which the Senhasegura API communicates. By default, Tenable uses 443.

Senhasegura API Client ID (Required) The Client ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication.

Senhasegura API Client Secret (Required) The Secret ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication.

Senhasegura Credential ID or Identifier (Required) The credential ID or identifier for the credential that you are requesting to retrieve.

Use SSH Key for Target Authentication (Required if authenticating to the target with an SSH key) The user can select this option to retrieve the SSH Key to authenticate to the target if configuration is applicable in Senhasegura.

Private Key File (Required if you have enabled encryption of sensitive data in A2A Application Authorizations) The Private Key used to decrypt encrypted sensitive data from A2A.

Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura.

Use SSL (Optional) When enabled, Tenable Security Center uses SSL for secure communications. This setting is enabled by default.

Verify SSL Certificate (Optional) When enabled, Tenable Security Center validates the SSL certificate. This setting is disabled by default.

Privilege Escalation (Optional) The Private Key used to decrypt encrypted sensitive data from A2A.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Senhasegura. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see Privilege Escalation.

Thycotic Secret Server Options

The following table describes the additional options to configure when using Thycotic Secret
Server as the authentication method for SSH credentials.

Username (Required): The username for a user on the target system.

Thycotic elevate privileges with: The privilege escalation method you want to use to increase
users' privileges after initial authentication. Your selection for this setting determines the
specific options you must configure. For more information, see Privilege Escalation.

Thycotic Secret Name: The Secret Name value on the Thycotic server.

Thycotic Secret Server URL (Required): The value you want Tenable Security Center to use when
setting the transfer method, target, and target directory for the scanner. Find the value on the
Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, Tenable Security Center determines
it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the
root directory.

Thycotic Login Name (Required): The username for a user on the Thycotic server.

Thycotic Password (Required): The password associated with the Thycotic Login Name you provided.

Thycotic Organization: In cloud instances of Thycotic, the value that identifies the organization
you want Tenable Security Center to target.

Thycotic Domain: The domain, if set for the Thycotic server.

Verify SSL Certificate: If enabled, Tenable Security Center verifies the SSL certificate on the
Thycotic server.

For more information about using self-signed certificates, see the Nessus custom_CA.inc
documentation.

Use Private Key: If enabled, Tenable Security Center uses key-based authentication for SSH
connections instead of password authentication.
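The Secret Server URL row above describes how one string is split into a transfer method, a target
address and a root directory. The following added example (not Tenable's code; it uses only the
Python standard library) performs that split and then reports what a reviewer would flag about the
transport, since the Thycotic Login Name and Password travel to this URL on every scan. The
documented reading of https://pw.mydomain.com/SecretServer is from the page; how explicit ports,
trailing slashes and non-HTTP schemes are handled is this example's own assumption, not documented
scanner behaviour.

```python
"""Interpret a Thycotic Secret Server URL and flag risky transport settings.

Added example, not Tenable's code. Standard library only.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SecretServerTarget:
    use_ssl: bool        # transfer method: True for https, False for http
    host: str            # target address
    port: int            # explicit port, or the scheme default (assumption)
    root_directory: str  # leading slash, no trailing slash (assumption)


def parse_secret_server_url(url: str) -> SecretServerTarget:
    """Split a Secret Server URL into transfer method, target and root directory."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected http or https")
    if not parts.hostname:
        raise ValueError("Secret Server URL has no host")
    if parts.query or parts.fragment:
        raise ValueError("Secret Server URL must not carry a query string or fragment")
    use_ssl = parts.scheme == "https"
    port = parts.port if parts.port is not None else (443 if use_ssl else 80)
    # "/SecretServer/" and "/SecretServer" name the same root; a bare host means "/".
    root = "/" + parts.path.strip("/")
    return SecretServerTarget(use_ssl, parts.hostname, port, root)


def transport_warnings(target: SecretServerTarget, verify_ssl_certificate: bool) -> List[str]:
    """Warnings about how the Thycotic login credentials travel to the Secret Server.

    A plaintext transport exposes the Thycotic Login Name and Password to anyone who
    can observe the path; an unverified certificate means an interposed host is not
    detected. `verify_ssl_certificate` mirrors the Verify SSL Certificate option.
    """
    warnings = []
    if not target.use_ssl:
        warnings.append(
            f"{target.host}:{target.port} is reached over plain HTTP; the Thycotic "
            "login name and password are sent in the clear")
    elif not verify_ssl_certificate:
        warnings.append(
            "Verify SSL Certificate is disabled; the certificate presented by "
            f"{target.host} is not checked, so an interposed host is not detected")
    return warnings


if __name__ == "__main__":
    target = parse_secret_server_url("https://pw.mydomain.com/SecretServer")
    print(target)
    for warning in transport_warnings(target, verify_ssl_certificate=False):
        print("WARNING:", warning)
```

Run as a script, it parses the page's example URL and prints the warning that results when
Verify SSL Certificate is left disabled, which is the setting this table says must be turned on
for the certificate to be checked.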

WALLIX Bastion Options

The following table describes the additional options to configure when using WALLIX Bastion as
the authentication method for SSH credentials.

WALLIX Host (Required): The IP address for the WALLIX Bastion host.

WALLIX Port (Required): The port on which the WALLIX Bastion API communicates. By default, Tenable
uses 443.

Authentication Type: Basic authentication (with WALLIX Bastion user interface username and
password requirements) or API Key authentication (with username and WALLIX Bastion-generated API
key requirements).

WALLIX User (Required): Your WALLIX Bastion user interface login username.

WALLIX Password (Required): Your WALLIX Bastion user interface login password. Used for Basic
authentication to the API.

WALLIX API Key (Required): The API key generated in the WALLIX Bastion user interface. Used for
API Key authentication to the API.

Get Credential by Device Account Name (Required only if you have a target and/or device with
multiple accounts): The account name associated with a device you want to log in to the target
systems with.

Note: If your device has more than one account, you must enter the specific device name for the
account you want to retrieve credentials for. Failure to do this may result in credentials for the
wrong account being returned by the system.

HTTPS (Required): This is enabled by default.

Caution: The integration fails if you disable HTTPS.

Verify SSL Certificate: This is disabled by default and is not supported in WALLIX Bastion PAM
integrations.

Privilege Escalation (Required if you wish to escalate privileges): This enables WALLIX Bastion
Privileged Access Management (PAM). Use the drop-down menu to select the privilege elevation
method. To bypass this function, leave this field set to Nothing.

Caution: In your WALLIX Bastion account, the WALLIX Bastion super admin must have enabled
"credential recovery" on your account for PAM to be enabled. Otherwise, your scan may not return
any results. For more information, see your WALLIX Bastion documentation.

Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For
example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of
su and sudo (directory) are provided and can be completed to support authentication and privilege
escalation through WALLIX Bastion PAM. The Escalation Account Name field is then required to
complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying
fields, see Privilege Escalation.

Privilege Escalation

Some SSH credential types support privilege escalation.

Note: BeyondTrust's PowerBroker (pbrun) and Centrify's DirectAuthorize (dzdo) are proprietary root task
delegation methods for Unix and Linux systems.

Tip: Scans run using su+sudo allow the user to scan with a non-privileged account and then switch to a
user with sudo privileges on the remote host. This is important for locations where remote privileged login
is prohibited.

Note: Scans run using sudo vs. the root user do not always return the same results because of the
different environmental variables applied to the sudo user and other subtle differences. For more
information, see https://www.sudo.ws/docs/man/sudo.man/.

The following table describes the additional options to configure for privilege escalation.

Escalation Username (SSH types: Arcon, Checkpoint Gaia 'Expert', Kerberos, Password, Public Key,
WALLIX Bastion): The username for the account with elevated privileges.

Escalation Password (SSH types: Kerberos, Password, Public Key, WALLIX Bastion): The password for
the account with elevated privileges.

Escalation Path (SSH types: Arcon, Kerberos, Password, Public Key, WALLIX Bastion): The directory
path for the privilege escalation commands.

Escalation Su User (SSH types: Arcon, CyberArk, Kerberos, Password, Public Key, WALLIX Bastion):
The username for the account with su privileges.

Escalation Account Name (SSH types: Arcon, Checkpoint Gaia 'Expert', CyberArk, Delinea Secret
Server): The name parameter for the account with elevated privileges.

Note: For CyberArk credentials, the system uses the password associated with the CyberArk account
name you provide for all scanned hosts.

CyberArk Escalation Account Details Name (SSH types: Checkpoint Gaia 'Expert', CyberArk): The name
parameter for the account with elevated privileges.

Note: For CyberArk credentials, the system uses the password associated with the CyberArk account
name you provide for all scanned hosts.

Escalation Account (SSH types: CyberArk): The username for the account with elevated privileges.

Escalation Account Credential ID or Identifier (SSH types: Senhasegura): The credential ID or
identifier for the account with elevated privileges.

Escalation Account Secret Name (SSH types: Hashicorp Vault): The key secret for the Hashicorp
account with elevated privileges.

Escalation sudo user (SSH types: CyberArk): The username for the account with sudo privileges.

Escalation Credential ID (SSH types: Checkpoint Gaia 'Expert', Delinea Secret Server): The secret
name for the account with elevated privileges.

Expert Password (SSH types: Checkpoint Gaia 'Expert'): The password for Expert mode in Gaia.

Location of dzdo (directory) (SSH types: CyberArk, Delinea Secret Server, Hashicorp Vault,
Senhasegura): The directory path for the dzdo command.

Location of pbrun (directory) (SSH types: CyberArk, Delinea Secret Server, Hashicorp Vault,
Senhasegura): The directory path for the pbrun command.

Location of su (directory) (SSH types: CyberArk, Delinea Secret Server, Hashicorp Vault,
Senhasegura): The directory path for the su command.

Location of su and sudo (directory) (SSH types: CyberArk, Delinea Secret Server, Hashicorp Vault,
Senhasegura): The directory path for the su and sudo commands.

Location of sudo (directory) (SSH types: CyberArk, Delinea Secret Server, Hashicorp Vault): The
directory path for the sudo command.

su user (SSH types: Delinea Secret Server, Hashicorp Vault, Senhasegura): The username for the
account with su privileges.

su login (SSH types: CyberArk, Hashicorp Vault, Senhasegura): The username for the account with su
privileges.

sudo user (SSH types: Hashicorp Vault, Senhasegura): The username for the account with sudo
privileges.

sudo login (SSH types: CyberArk): The username for the account with sudo privileges.

Thycotic Escalation Account (SSH types: Checkpoint Gaia 'Expert', Thycotic Secret Server): The
name parameter for the account with elevated privileges.

Note: For Thycotic credentials, the system uses the password associated with the Thycotic account
name you provide for all scanned hosts.

Windows Credentials

Tenable Security Center has vulnerability checks that can use a Microsoft Windows domain account
to find local information from a remote Windows host. For example, using credentials enables
Tenable Security Center to determine if important security patches have been applied.

Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes
sense to create a special Tenable Security Center user with administrative privileges that is used solely for
scheduled scanning.

Configure the following options for Windows credentials, including options specific for your
authentication method:

- Arcon Options

- BeyondTrust Options

- Centrify Options

- CyberArk Vault (Legacy) Options

- CyberArk Windows Auto-Discovery Options

- CyberArk Vault Options

- Delinea Secret Server Options

- Hashicorp Vault Options

- Kerberos Options

- Lieberman Options

- LM Hash Options

- NTLM Hash Options

- Password Options

- QiAnXin Options

- Senhasegura Options

- Thycotic Secret Server Options

- WALLIX Bastion Options

General Options

Name (Required): A name for the credential.

Description: A description for the credential.

Tag: A tag for the credential. For more information, see Tags.

Arcon Options

The following table describes the additional options to configure when using Arcon as the
authentication method for Windows credentials.

Arcon Host (Required): The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For
example, type IP address or hostname/subdirectory path.

Arcon Port (Required): The port on which Arcon listens. By default, Tenable Security Center uses
port 444.

API User (Required): The API user provided by Arcon.

API Key (Required): The API key provided by Arcon.

Authentication URL (Required): The URL Tenable Security Center uses to access Arcon.

Password Engine URL (Required): The URL Tenable Security Center uses to access the passwords in
Arcon.

Username (Required): The username to log in to the hosts you want to scan.

Checkout Duration (Required): The length of time, in hours, that you want to keep credentials
checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your
Tenable Security Center scans. If a password from a previous scan is still checked out when a new
scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your
Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You
must configure SSL through IIS in Arcon before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You
must configure SSL through IIS in Arcon before enabling this option.

BeyondTrust Options

The following table describes the options to configure when using BeyondTrust as the
authentication method for Windows credentials.

Username: The username to log in to the hosts you want to scan.

Domain: The domain of the username, if required by BeyondTrust.

BeyondTrust Host: The BeyondTrust IP address or DNS address.

BeyondTrust Port: The port BeyondTrust is listening on.

BeyondTrust API User: The API user provided by BeyondTrust.

BeyondTrust API Key: The API key provided by BeyondTrust.

Checkout Duration: The length of time, in minutes, that you want to keep credentials checked out
in BeyondTrust. Configure the Checkout Duration to exceed the typical duration of your Tenable
Security Center scans. If a password from a previous scan is still checked out when a new scan
begins, the new scan fails.

Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt
your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan
fails.

Use SSL: If enabled, Tenable Security Center uses SSL through IIS for secure communications. You
must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL Certificate: If enabled, Tenable Security Center validates the SSL certificate. You must
configure SSL through IIS in BeyondTrust before enabling this option.

Centrify Options

The following table describes the additional options to configure when using Centrify as the
authentication method for Windows credentials.

Centrify Host (Required): The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path.
For example, type IP address or hostname/subdirectory path.

Centrify Port (Required): The port on which Centrify listens. By default, Tenable Security Center
uses port 443.

API User (Required): The API user provided by Centrify.

API Key (Required): The API key provided by Centrify.

Tenant (Required): The Centrify tenant associated with the API. By default, Tenable Security
Center uses centrify.

Authentication URL (Required): The URL Tenable Security Center uses to access Centrify. By default,
Tenable Security Center uses /Security.

Password Query URL (Required): The URL Tenable Security Center uses to query the passwords in
Centrify. By default, Tenable Security Center uses /RedRock.

Password Engine URL (Required): The URL Tenable Security Center uses to access the passwords in
Centrify. By default, Tenable Security Center uses /ServerManage.

Username (Required): The username to log in to the hosts you want to scan.

Checkout Duration (Required): The length of time, in minutes, that you want to keep credentials
checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your
Tenable Security Center scans so that password changes do not disrupt your Tenable Security Center
scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous
scan is still checked out when a new scan begins, the new scan fails.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You
must configure SSL through IIS in Centrify before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You
must configure SSL through IIS in Centrify before enabling this option.

CyberArk Vault (Legacy) Options

The following table describes the options to configure when using CyberArk Vault (Legacy) as the
authentication method for Windows credentials.

Username: The username for the target system.

Domain: The domain, if the username is part of a domain.

Central Credential Provider URL Host: The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port: The port the CyberArk Central Credential Provider is
listening on.

Vault Username: The username for the vault, if the CyberArk Central Credential Provider is
configured for basic authentication.

Vault Password: The password for the vault, if the CyberArk Central Credential Provider is
configured for basic authentication.

Safe: The safe on the CyberArk Central Credential Provider server that contains the credentials
you want to retrieve.

CyberArk Client Certificate: The file that contains the PEM certificate used to communicate with
the CyberArk host.

CyberArk Client Certificate Private Key: The file that contains the PEM private key for the client
certificate.

CyberArk Client Certificate Private Key Passphrase: The passphrase for the private key, if
required.

AppID: The AppID with CyberArk Central Credential Provider permissions to retrieve the target
password.

Folder: The folder on the CyberArk Central Credential Provider server that contains the
credentials you want to retrieve.

PolicyID: The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure
communications. You must configure SSL through IIS in CyberArk Central Credential Provider before
enabling this option.

Vault Verify SSL: When enabled, Tenable Security Center validates the SSL certificate. You must
configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and
CA Certificate Upload.

CyberArk Escalation Account Details Name: The unique name of the credential you want to retrieve
from CyberArk.

CyberArk AIM Service URL: The URL for the CyberArk AIM web service. By default, Tenable Security
Center uses /AIMWebservice/v1.1/AIM.asmx.

CyberArk Windows Auto-Discovery Options

The following table describes the additional options to configure when using CyberArk Windows
Auto-Discovery as the authentication method for Windows credentials.

CyberArk Host (Required): The IP address or FQDN name for the user's CyberArk instance.

Port (Required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required): The Application ID associated with the CyberArk API connection.

Safe: Users may optionally specify a Safe to gather account information and request passwords.

AIM Web Service Authentication Type (Required): There are two authentication methods established
in the feature: IIS Basic Authentication and Certificate Authentication. Certificate
Authentication can be either encrypted or unencrypted.

Username: (Appears if AIM Web Service Authentication Type is IIS Basic Authentication) The
username for a user on the CyberArk server.

Password: (Appears if AIM Web Service Authentication Type is IIS Basic Authentication) The
password associated with the username you provided.

Client Certificate: (Appears if AIM Web Service Authentication Type is Certificate
Authentication) The file that contains the PEM certificate used to communicate with the CyberArk
host.

Client Certificate Private Key (Required if a private key is applied): (Appears if AIM Web Service
Authentication Type is Certificate Authentication) The file that contains the PEM private key for
the client certificate.

Client Certificate Private Key Passphrase (Required if a private key is applied): (Appears if AIM
Web Service Authentication Type is Certificate Authentication) The passphrase for the private key,
if required.

CyberArk PVWA Web UI Login Name (Required): Username to log in to the CyberArk web console. This
is used to authenticate to the PVWA REST API and gather bulk account information.

CyberArk PVWA Web UI Login Password (Required): Password for the username to log in to the
CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account
information.

CyberArk Platform Search String (Required): String used in the PVWA REST API query parameters to
gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe to gather
all Windows platform accounts containing a username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice would be to create a custom platform
name in CyberArk and enter that value in this field to improve accuracy.

Use SSL (Required): If enabled, the scanner uses SSL through IIS for secure communications. Enable
this option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate: If enabled, the scanner validates the SSL certificate. Enable this option
if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

CyberArk Vault Options

The following table describes the additional options to configure when using CyberArk Vault as the
authentication method for Windows credentials.

CyberArk Host (Required): The IP address or FQDN name for the CyberArk AIM Web Service. This can
be the host, or the host with a custom URL added on in a single string.

Port (Required): The port on which the CyberArk API communicates. By default, Tenable uses 443.

AppID (Required): The Application ID associated with the CyberArk API connection.

Client Certificate: The file that contains the PEM certificate used to communicate with the
CyberArk host.

Client Certificate Private Key (Required if a private key is applied): The file that contains the
PEM private key for the client certificate.

Client Certificate Private Key Passphrase (Required if a private key is applied): The passphrase
for the private key, if required.

Kerberos Target Authentication: If enabled, Kerberos authentication is used to log in to the
specified Linux or Unix target.

Key Distribution Center (KDC) (Required if Kerberos Target Authentication is enabled): This host
supplies the session tickets for the user.

KDC Port (Required if Kerberos Target Authentication is enabled): The port on which the Kerberos
authentication API communicates. By default, Tenable uses 88.

KDC Transport (Required if Kerberos Target Authentication is enabled): The KDC uses TCP by default
in Linux implementations. For UDP, change this option. If you need to change the KDC Transport
value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default,
depending on the implementation.

Domain (Required if Kerberos Target Authentication is enabled): The domain to which Kerberos
Target Authentication belongs, if applicable.

Get credential by (Required): The method with which your CyberArk API credentials are retrieved.
Can be Username, Identifier, or Address.

Note: The frequency of queries for Username is one query per target. The frequency of queries for
Identifier is one query per chunk. This feature requires all targets to have the same identifier.

Note: The Username option also adds the Address parameter to the API query and assigns the target
IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if
the CyberArk Account Details Address field contains a value other than the target IP address.

Username: (If Get credential by is Username) The username of the CyberArk user to request a
password from.

Safe: The CyberArk safe the credential should be retrieved from.

Address: Use this option only if the Address value is unique to a single CyberArk account
credential.

Account Name: (If Get credential by is Identifier) The unique account name or identifier assigned
to the CyberArk API credential.

Use SSL: If enabled, the scanner uses SSL through IIS for secure communications. Enable this
option if CyberArk is configured to support SSL through IIS.

Verify SSL Certificate: If enabled, the scanner validates the SSL certificate. Enable this option
if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

Delinea Secret Server Options

The following table describes the additional options to configure when using Delinea Secret Server
as the authentication method for Windows credentials.

Delinea Secret Name (Required): The value of the secret on the Delinea server. The secret is
labeled Secret Name on the Delinea server.

Delinea Host (Required): The Delinea Secret Server IP address for API requests.

Delinea Port (Required): The Delinea Secret Server port for API requests. By default, Tenable uses
443.

Delinea Login Name (Required): The username to authenticate to the Delinea server.

Delinea Password (Required): The password to authenticate to the Delinea server. This is
associated with the Delinea Login Name you provided.

Checkout Duration (Required): The duration for which Tenable should check out the password from
Delinea. Duration time is in hours and should be longer than the scan time.

Use SSL: Enable if the Delinea Secret Server is configured to support SSL.

Verify SSL Certificate: If enabled, verifies the SSL certificate on the Delinea server.

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the
authentication method for Windows credentials.

Hashicorp Host (Required): The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory
path. For example, type IP address or hostname/subdirectory path.

Hashicorp Port (Required): The port on which Hashicorp Vault listens.

Authentication Type (Required): Specifies the authentication type for connecting to the instance:
App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate (Required) and
Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the
client certificate and private key.

Role ID (Required): The GUID provided by Hashicorp Vault when you configured your App Role.

Role Secret ID (Required): The GUID generated by Hashicorp Vault when you configured your App
Role.

Authentication URL (Required): The path/subdirectory to the authentication endpoint. This is not
the full URL. For example:

/v1/auth/approle/login

Namespace: The name of a specified team in a multi-team environment.

Hashicorp Vault Type (Required): The type of Hashicorp Vault secrets engine:

- KV1 — Key/Value Secrets Engine Version 1

- KV2 — Key/Value Secrets Engine Version 2

- AD — Active Directory

- LDAP — LDAP secrets engine

KV1 Engine URL / KV2 Engine URL / AD Engine URL / LDAP Engine URL (Required): The URL Tenable
Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret.
No trailing /.

Username Source (Required): (Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the
username is input manually or pulled from Hashicorp Vault.

Username Key (Required): (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in
Hashicorp Vault that usernames are stored under.

Password Key (Required): (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in
Hashicorp Vault that passwords are stored under.

Secret Name (Required): The key secret you want to retrieve values for.

Kerberos Target Authentication: If enabled, Kerberos authentication is used to log in to the
specified Linux or Unix target.

Key Distribution Center (KDC) (Required if Kerberos Target Authentication is enabled): This host
supplies the session tickets for the user.

KDC Port (Required if Kerberos Target Authentication is enabled): The port on which the Kerberos
authentication API communicates. By default, Tenable uses 88.

KDC Transport (Required if Kerberos Target Authentication is enabled): The KDC uses TCP by default
in Linux implementations. For UDP, change this option. If you need to change the KDC Transport
value, you may also need to change the port, as the KDC UDP uses either port 88 or 750 by default,
depending on the implementation.

Domain (Required if Kerberos Target Authentication is enabled): The domain to which Kerberos
Target Authentication belongs, if applicable.

Use SSL: When enabled, Tenable Security Center uses SSL for secure communications. You must
configure SSL in Hashicorp Vault before enabling this option.

Verify SSL: When enabled, Tenable Security Center validates the SSL certificate. You must configure
SSL in Hashicorp Vault before enabling this option.
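The Hashicorp options above (Authentication URL, Role ID, Role Secret ID, Hashicorp Vault Type,
Engine URL, Secret Name, Username Source, Username Key and Password Key) configure a two-step
exchange: an AppRole login that yields a client token, then a read of one secret with that token.
The following added example (not Tenable's or HashiCorp's code) traces that exchange against an
in-memory stand-in for Vault so it runs offline. The request layout follows the public Vault HTTP
API: POST to the Authentication URL with role_id and secret_id returns auth.client_token; reads
present it in the X-Vault-Token header; a KV version 2 secret lives at <engine URL>/data/<secret
name> with its fields nested under data.data, a KV version 1 secret at <engine URL>/<secret name>
with fields directly under data. Whether the scanner composes its paths exactly this way is an
assumption, since the page documents only the option values; FakeVault and every value in it are
constructed for this example.

```python
"""AppRole login followed by a KV1 or KV2 secret read, traced against an
in-memory Vault. Added example; not Tenable's or HashiCorp's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class VaultRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: Optional[dict] = None


@dataclass(frozen=True)
class HashicorpConfig:
    auth_url: str                    # Authentication URL, e.g. /v1/auth/approle/login
    role_id: str                     # Role ID
    secret_id: str                   # Role Secret ID
    vault_type: str                  # Hashicorp Vault Type: "KV1" or "KV2" handled here
    engine_url: str                  # KV1/KV2 Engine URL, e.g. /v1/path_to_secret
    secret_name: str                 # Secret Name
    username_key: str                # Username Key
    password_key: str                # Password Key
    username_source: str = "vault"   # Username Source: "vault" or "manual"
    manual_username: Optional[str] = None
    namespace: Optional[str] = None  # Namespace, for multi-team environments


def _namespace_header(cfg: HashicorpConfig) -> Dict[str, str]:
    return {"X-Vault-Namespace": cfg.namespace} if cfg.namespace else {}


def approle_login_request(cfg: HashicorpConfig) -> VaultRequest:
    """First message: exchange Role ID + Role Secret ID for a client token."""
    return VaultRequest("POST", cfg.auth_url, _namespace_header(cfg),
                        {"role_id": cfg.role_id, "secret_id": cfg.secret_id})


def secret_read_request(cfg: HashicorpConfig, token: str) -> VaultRequest:
    """Second message: read the secret. KV2 inserts /data/ between mount and name
    (assumed path layout, per the public Vault API, not documented scanner behaviour)."""
    mount = cfg.engine_url.rstrip("/")  # tolerate the trailing slash the page warns against
    if cfg.vault_type == "KV2":
        path = f"{mount}/data/{cfg.secret_name}"
    elif cfg.vault_type == "KV1":
        path = f"{mount}/{cfg.secret_name}"
    else:
        raise ValueError(f"unsupported Hashicorp Vault Type {cfg.vault_type!r}")
    return VaultRequest("GET", path, {"X-Vault-Token": token, **_namespace_header(cfg)})


def extract_credentials(cfg: HashicorpConfig, response: dict) -> Tuple[str, str]:
    """Pull username and password out of the KV response using the configured keys."""
    fields = response["data"]["data"] if cfg.vault_type == "KV2" else response["data"]
    if cfg.username_source == "manual":
        if not cfg.manual_username:
            raise ValueError("Username Source is manual but no username was given")
        username = cfg.manual_username
    else:
        username = fields[cfg.username_key]
    return username, fields[cfg.password_key]


def fetch_credentials(cfg: HashicorpConfig,
                      send: Callable[[VaultRequest], dict]) -> Tuple[str, str]:
    """Run the two-step exchange through `send`, which plays the Vault server."""
    token = send(approle_login_request(cfg))["auth"]["client_token"]
    return extract_credentials(cfg, send(secret_read_request(cfg, token)))


class FakeVault:
    """Constructed stand-in for a Vault server: one AppRole, one KV1 and one KV2 mount."""

    ROLE_ID, SECRET_ID = "role-1234", "secret-abcd"   # constructed values
    TOKEN = "hvs.constructed-token"                   # constructed value

    def __init__(self) -> None:
        self.kv1 = {"/v1/kv1/scan-account": {"user": "svc_scan", "pass": "kv1-pw"}}
        self.kv2 = {"/v1/kv2/data/scan-account": {"user": "svc_scan", "pass": "kv2-pw"}}

    def __call__(self, req: VaultRequest) -> dict:
        if req.method == "POST" and req.path == "/v1/auth/approle/login":
            if req.body != {"role_id": self.ROLE_ID, "secret_id": self.SECRET_ID}:
                raise PermissionError("403 permission denied")
            return {"auth": {"client_token": self.TOKEN}}
        if req.headers.get("X-Vault-Token") != self.TOKEN:
            raise PermissionError("403 permission denied")
        if req.path in self.kv1:
            return {"data": self.kv1[req.path]}
        if req.path in self.kv2:
            return {"data": {"data": self.kv2[req.path], "metadata": {"version": 1}}}
        raise LookupError(f"404 {req.path}")
```

The KV1 and KV2 branches differ in two places a misconfiguration shows up: the read path gains a
/data/ segment, and the fields move one level deeper in the response. Pointing a KV2 Engine URL
at a KV1 mount (or the reverse) therefore fails at the read, not at the login, which is worth
knowing when a scan with a working Role ID still reports no credentials.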

Kerberos Options

The following table describes the options to configure when using Kerberos as the authentication
method for Windows credentials.

Username: The username for a user on the target system.

Password: The password associated with the username you provided.

Domain: The authentication domain, typically the domain name of the target (e.g., example.com).

KDC Host: The host supplying the session tickets.

KDC Port: The port you want to use for the KDC connection. By default, Tenable Security Center
uses port 88.

KDC Transport: The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port
88 or port 750.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the
authentication method for Windows credentials.

Username: The username for a user on the database.

Domain: The domain of the username, if required by Lieberman.

Lieberman Host: The Lieberman IP address or DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path.
For example, type IP address or hostname/subdirectory path.

Lieberman Port: The port Lieberman is listening on.

Lieberman User: The username for the Lieberman explicit user you want Tenable Security Center to
use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password: The password for the Lieberman explicit user.

Use SSL: When enabled, Tenable Security Center uses SSL through IIS for secure communications. You
must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate: When enabled, Tenable Security Center validates the SSL certificate. You
must configure SSL through IIS in Lieberman before enabling this option.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and
CA Certificate Upload.

System Name: The name for the database credentials in Lieberman.

LM Hash Options

The following table describes the options to configure when using LM Hash as the authentication
method for Windows credentials.

Username: The username for a user on the target system.

Hash: The LM hash you want to use.

Domain: The domain of the username, if required.

NTLM Hash Options

The following table describes the options to configure when using NTLM Hash as the authentication
method for Windows credentials.

Option Description

Username The username for a user on the target system.

Hash The NTLM hash you want to use.

Domain The domain of the username, if required.

Password Options

The following table describes the options to configure when using Password as the authentication
method for Windows credentials.

Option Description

Username The username for a user on the target system.

Password The password associated with the username you provided.

Domain The domain of the username, if required.

QiAnXin Options

The following table describes the options to configure when using QiAnXin as the authentication
method for Windows credentials.

Option Description Required

QiAnXin Host The IP address or URL for the QiAnXin host. yes

QiAnXin Port The port on which the QiAnXin API communicates. yes
By default, Tenable uses 443.

QiAnXin API Client ID The Client ID for the embedded account application created in QiAnXin PAM. yes

QiAnXin API Client Secret The Secret ID for the embedded account application created in QiAnXin PAM. yes

QiAnXin Username The username to log in to the hosts you want to yes
scan.

Domain The domain to which the username belongs. no

QiAnXin Asset Address Specify the host IP of the asset containing the no
account to use. If not specified, the scan target IP
is used.


QiAnXin Asset Platform Specify the platform (based on asset type) of the asset containing the account to use. no
If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

l ACTIVE_DIRECTORY — Windows Domain Account

l WINDOWS — Windows Local Account

l LINUX — Linux Account

l SQL_SERVER — SQL Server Database

l ORACLE — Oracle Database

l MYSQL — MySQL Database

l DB2 — DB2 Database

l HP_UNIX — HP Unix

l SOLARIS — Solaris

l OPENLDAP — OpenLDAP

l POSTGRESQL — PostgreSQL

QiAnXin Region ID Specify the region ID of the asset containing the account to use. Only if using multiple regions.

Use SSL When enabled, Tenable uses SSL for secure communication. This is enabled by default. no

Verify SSL Certificate When enabled, Tenable verifies that the SSL no
Certificate on the server is signed by a trusted CA.

Senhasegura Options

The following table describes the options to configure when using Senhasegura as the
authentication method for Windows credentials.

Option Description Required

Senhasegura Host The IP address or URL for the Senhasegura host. yes

Senhasegura Port The port on which the Senhasegura API communicates. By default, Tenable uses 443. yes

Senhasegura API Client ID The Client ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication. yes

Senhasegura API Client Secret The Secret ID for the applicable Senhasegura A2A Application for OAuth 2.0 API authentication. yes

Domain The domain to which the username belongs. no

Senhasegura Credential ID or Identifier The credential ID or identifier for the credential that you are requesting to retrieve. yes

Private Key File The Private Key used to decrypt encrypted sensitive data from A2A. Required if you have enabled encryption of sensitive data in A2A Application Authorizations.

Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura.

Use SSL When enabled, Tenable Security Center uses SSL for secure communications. This setting is enabled by default. no

Verify SSL Certificate When enabled, Tenable Security Center validates the SSL certificate. This setting is disabled by default. no

Thycotic Secret Server Options

The following table describes the options to configure when using Thycotic Secret Server as the
authentication method for Windows credentials.

Option Description

Username (Required) The username for a user on the target system.

Domain The domain of the username, if set on the Thycotic server.

Thycotic Secret Name The Secret Name value on the Thycotic server.

Thycotic Secret Server URL (Required) The value you want Tenable Security Center to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, Tenable Security Center determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name (Required) The username for a user on the Thycotic server.

Thycotic Password (Required) The password associated with the Thycotic Login Name you provided.

Thycotic Organization In cloud instances of Thycotic, the value that identifies which organization the Tenable Security Center query should target.

Thycotic Domain The domain, if set for the Thycotic server.

Use Private Key If enabled, Tenable Security Center uses key-based authentication for
SSH connections instead of password authentication.

Verify SSL Certificate If enabled, Tenable Security Center verifies the SSL Certificate on the Thycotic server.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload.

WALLIX Bastion Options

The following table describes the additional options to configure when using WALLIX Bastion as
the authentication method for Windows credentials.

Option Description Required

WALLIX Host The IP address for the WALLIX Bastion host. yes

WALLIX Port The port on which the WALLIX Bastion API yes
communicates. By default, Tenable uses 443.

Authentication Type Basic authentication (with WALLIX Bastion user interface username and password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements). no

WALLIX User Your WALLIX Bastion user interface login username. yes

WALLIX Password Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. yes

WALLIX API Key The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. yes

Get Credential by Device Account Name The account name associated with a Device you want to log in to the target systems with. Required only if you have a target and/or device with multiple accounts.

Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system.

HTTPS This is enabled by default. yes

Caution: The integration fails if you disable HTTPS.

Verify SSL Certificate This is disabled by default and is not supported in WALLIX Bastion PAM integrations. no

Web Authentication Credentials

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Configure the following options for Web Authentication credentials, including options specific for
your authentication method: Client Certificate Authentication Options, HTTP Server Authentication
Options, and Web Application Authentication Options.

For information about web app scans, see Web App Scans.

General Options Description

Name (Required) A name for the credential.

Description A description for the credential.

Tag A tag for the credential. For more information, see Tags.

Client Certificate Authentication Options


The following table describes the additional options to configure when using Client Certificate
Authentication as the authentication method for Web Authentication credentials.

Option Description

Client Certificate The file that contains the PEM-formatted certificate used to communicate with the host.

Client Certificate Private Key The file that contains the PEM-formatted private key for the client certificate.

Client Certificate Private Key Passphrase The passphrase for the private key, if required.

Page to Verify Successful Authentication The URL that Tenable Security Center can access to validate the authenticated session.

Pattern to Verify Successful Authentication A word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username!). Leading slashes are escaped and .* is not required at the beginning or end of the pattern.

HTTP Server Authentication Options


The following table describes the additional options to configure when using HTTP Server
Authentication as the authentication method for Web Authentication credentials.

Option Description

Username (Required) The username that Tenable Security Center uses to authenticate to the HTTP server.

Password (Required) The password that Tenable Security Center uses to authenticate to the HTTP server.

Authentication Type The method used to authenticate to the HTTP server:

l Basic/Digest

l NTLM

l Kerberos


Kerberos Realm (Required when enabling the Kerberos Authentication Type) The realm to which Kerberos Target Authentication belongs, if applicable.

Key Distribution Center (KDC) (Required when enabling the Kerberos Authentication Type) The host that supplies the session tickets for the user.

Web Application Authentication Options


The following table describes the additional options to configure when using Web Application
Authentication as the authentication method for Web Authentication credentials.

Option Description

Authentication Method The method used to authenticate to the HTTP server:

l Login Form

l Cookie Authentication

l API Key

l Selenium Authentication

l Bearer Authentication

Login Form

Login Page The URL of the login page for the web application you want to scan.

Login Parameters For each field in the target's login form (for example, username,
password, domain, etc.) enter one login parameter in each row:

a. In the left box, type the login field's name or id HTML DOM attribute.

b. In the right box, type the value to insert in that text field at login.

c. (Optional) Click Add to add additional login parameters.

Pattern to Verify Successful Auth A word, phrase, or regular expression that appears on the website only if the authentication is successful (for example, Welcome, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Page to Verify Active Session The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Cookie Authentication

Cookies Enter one cookie authentication credential in each row:

a. In the left box, type the name of the cookie authentication credential.

b. In the right box, type the value of the cookie authentication credential.

c. (Optional) Click Add to add additional cookie authentication credentials.

Page to Verify Active Session The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

API Key

Headers Enter one HTTP header in each row:

a. In the left box, type the name of the HTTP header.

b. In the right box, type the value of the HTTP header.

c. (Optional) Click Add to add additional headers.


Page to Verify Active Session The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Selenium Authentication

Selenium Script (.side) Use the following steps to add a .side file:

a. In the Selenium IDE extension, record your authentication credentials.

b. Click Add File.

The file manager for your operating system appears.

c. Navigate to and select your Selenium credentials .side file.

Tenable Security Center imports the credentials file.

Page to Verify Active Session The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Bearer Authentication

Bearer Token The value of the bearer token.

Page to Verify Active Session The URL that Tenable Security Center can continually access to validate the authenticated session.

Pattern to Verify Active Session A word, phrase, or regular expression that appears on the website only if the session is still active (for example, Hello, your username). Note that leading slashes are escaped and .* is not required at the beginning or end of the pattern.

Audit Files
The Tenable Nessus vulnerability scanner allows you to perform compliance audits of numerous
platforms including (but not limited to) databases, Cisco, Unix, and Windows configurations as well
as sensitive data discovery based on regex contained in audit files. Audit files are XML-based text
files that contain the specific configuration, file permission, and access control tests to be
performed. For more information, see Manage Audit Files.

After you create an audit file, you can reference the audit file in a template-based Policy Compliance Auditing scan policy or a custom scan policy. For more information about compliance options in custom scan policies, see the description of the Compliance tab, which specifies the audit files to reference in a scan policy; the options available depend on the type of audit file selected.

For more information on compliance checks and creating custom audits, see the Compliance
Checks Reference.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is
limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to
incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in
your scan policies be targeted and specific for the scan's scope and compliance requirements.

Template-Based Audit Files


You can add template-based audit files using templates embedded within Tenable Security Center.
Tenable updates these templates regularly through the Tenable Security Center feed.

For more information, see Add a Template-Based Audit File.

Custom Audit Files


You can add custom audit files to upload any of the following:

l a Tenable-created audit file downloaded from the Tenable downloads page.

l a Security Content Automation Protocol (SCAP) Data Stream file downloaded from a
SCAP repository (e.g., https://nvd.nist.gov/ncp/repository).

The file must contain full SCAP content (Open Vulnerability and Assessment Language
(OVAL) and Extensible Configuration Checklist Description Format (XCCDF) content) or
OVAL standalone content.

Note: XCCDF standalone content audit files lack automated checks and do not return scan results in
Tenable Security Center.

l a custom audit file created or customized for a specific environment. For more information,
see the knowledge base article.

For more information, see Add a Custom Audit File.

Add a Template-Based Audit File

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can add template-based audit files using templates embedded within Tenable Security Center.
Tenable updates these templates regularly through the Tenable Security Center feed.

For more information, see Audit Files.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is
limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to
incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in
your scan policies be targeted and specific for the scan's scope and compliance requirements.

To add a template-based audit file:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Audit Files (administrator users) or Scans > Audit Files (organizational
users).

The Audit Files page appears.

3. Click Add.

The Audit File Templates page appears.

4. In the Common section, click a template category tile.

The Add Audit Template page appears.

5. In the Name box, type a name for the audit file.

6. (Optional) In the Description box, type a description for the audit file.

7. (Optional) Edit the template-specific options if you do not want to use the default values.

8. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l Reference the audit file in a template-based Policy Compliance Auditing scan policy or a custom scan policy. For more information about compliance options in custom scan policies, see the description of the Compliance tab, which specifies the audit files to reference in a scan policy; the options available depend on the type of audit file selected.

Add a Custom Audit File

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can add custom audit files to upload any of the following:

l a Tenable-created audit file downloaded from the Tenable downloads page.

l a Security Content Automation Protocol (SCAP) Data Stream file downloaded from a
SCAP repository (e.g., https://nvd.nist.gov/ncp/repository).

The file must contain full SCAP content (Open Vulnerability and Assessment Language
(OVAL) and Extensible Configuration Checklist Description Format (XCCDF) content) or
OVAL standalone content.

Note: XCCDF standalone content audit files lack automated checks and do not return scan results in
Tenable Security Center.

l a custom audit file created or customized for a specific environment. For more information,
see the knowledge base article.

For more information, see Audit Files.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is
limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to
incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in
your scan policies be targeted and specific for the scan's scope and compliance requirements.

Before you begin:


l Download or prepare the file you intend to upload.

To add a custom audit file or SCAP Data Stream file:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Audit Files (administrator users) or Scans > Audit Files (organizational
users).

The Audit Files page appears.

3. Click Add.

The Audit File Templates page appears.

4. In the Other section, click the Advanced tile.

5. In the Name box, type a descriptive name for the audit file.

6. In the Description box, type a description for the audit file.

7. Click Choose File and browse to the Audit File you want to upload.

The system uploads the file. If you uploaded a SCAP Data Stream file, additional options
appear.

8. If you uploaded a Data Stream file with full SCAP content, continue configuring options for the
file:

a. If you uploaded SCAP 1.2 content or later, in the Data Stream Name box, select the Data
Stream identifier found in the SCAP 1.2 Data Stream content.

b. In the Benchmark Type box, select the operating system that the SCAP content targets.

c. In the Benchmark Name box, select the benchmark identifier found in the
SCAP XCCDF component.

d. In the Profile box, select the benchmark profile identifier found in the
SCAP XCCDF component.

9. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l Reference the audit file in a template-based Policy Compliance Auditing scan policy or a custom scan policy. For more information about compliance options in custom scan policies, see the description of the Compliance tab, which specifies the audit files to reference in a scan policy; the options available depend on the type of audit file selected.
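Steps 7 and 8 above ask you to pick the Data Stream, Benchmark, and Profile identifiers out of the uploaded content, and the note earlier warns that XCCDF standalone content returns no scan results. The following Python, added here as an illustration and not part of Tenable Security Center, reads a SCAP 1.2 data stream (or a standalone XCCDF or OVAL file) with the standard library, lists those identifiers, and flags content that would upload but produce nothing. The sample XML and every id value in it are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "xlink": "http://www.w3.org/1999/xlink",
}


def _qname(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _benchmarks(elements):
    """Map each XCCDF Benchmark id to the Profile ids it defines."""
    return {b.get("id"): [p.get("id") for p in b.findall("xccdf:Profile", NS)]
            for b in elements}


def inspect_audit_content(xml_text):
    """Classify an upload and collect the identifiers the Advanced form asks for.

    kind is "scap-data-stream", "xccdf-standalone" or "oval-standalone". For a
    data stream, data_streams maps each <ds:data-stream> id to the Benchmark ids
    (with their Profile ids) reachable through its checklists; has_oval records
    whether any OVAL definitions component is present.
    """
    root = ET.fromstring(xml_text)
    if root.tag == _qname("xccdf", "Benchmark"):
        return {"kind": "xccdf-standalone", "has_oval": False,
                "data_streams": {}, "benchmarks": _benchmarks([root])}
    if root.tag == _qname("oval", "oval_definitions"):
        return {"kind": "oval-standalone", "has_oval": True, "data_streams": {}}
    if root.tag != _qname("ds", "data-stream-collection"):
        raise ValueError("unrecognised root element: %s" % root.tag)
    # Components are addressed by id; a data stream points at them via xlink:href="#id".
    components = {c.get("id"): c for c in root.findall("ds:component", NS)}
    has_oval = any(c.find("oval:oval_definitions", NS) is not None
                   for c in components.values())
    streams = {}
    for stream in root.findall("ds:data-stream", NS):
        benches = []
        for ref in stream.findall("ds:checklists/ds:component-ref", NS):
            comp = components.get(ref.get(_qname("xlink", "href"), "").lstrip("#"))
            if comp is not None:
                benches.extend(comp.findall("xccdf:Benchmark", NS))
        streams[stream.get("id")] = _benchmarks(benches)
    return {"kind": "scap-data-stream", "has_oval": has_oval, "data_streams": streams}


def upload_warnings(info):
    """Conditions worth catching before Submit, per the guide's notes."""
    warnings = []
    if info["kind"] == "xccdf-standalone":
        warnings.append("XCCDF standalone content has no automated checks and returns no scan results")
    if info["kind"] == "scap-data-stream" and not info["has_oval"]:
        warnings.append("data stream carries no OVAL component, so its checks cannot run")
    for ds_id, benches in info["data_streams"].items():
        if not benches:
            warnings.append("data stream %s references no XCCDF Benchmark" % ds_id)
        for b_id, profiles in benches.items():
            if not profiles:
                warnings.append("benchmark %s defines no Profile to select" % b_id)
    return warnings


# Constructed sample content: element names and namespaces follow SCAP 1.2,
# but every id value below is made up for this example.
SAMPLE_DATA_STREAM = """<ds:data-stream-collection id="scap_example_collection"
  xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_example_datastream_demo" scap-version="1.2" use-case="CONFIGURATION">
    <ds:checklists><ds:component-ref id="scap_example_cref_xccdf" xlink:href="#scap_example_comp_xccdf"/></ds:checklists>
    <ds:checks><ds:component-ref id="scap_example_cref_oval" xlink:href="#scap_example_comp_oval"/></ds:checks>
  </ds:data-stream>
  <ds:component id="scap_example_comp_xccdf" timestamp="2024-01-01T00:00:00">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
      <Profile id="xccdf_example_profile_standard"/>
      <Profile id="xccdf_example_profile_hardened"/>
    </Benchmark>
  </ds:component>
  <ds:component id="scap_example_comp_oval" timestamp="2024-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  </ds:component>
</ds:data-stream-collection>"""

SAMPLE_XCCDF_ONLY = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
  id="xccdf_example_benchmark_standalone"><Profile id="xccdf_example_profile_only"/></Benchmark>"""

if __name__ == "__main__":
    for name, text in (("data stream", SAMPLE_DATA_STREAM), ("xccdf only", SAMPLE_XCCDF_ONLY)):
        info = inspect_audit_content(text)
        print(name, "->", info["kind"], info.get("data_streams") or info.get("benchmarks"))
        for w in upload_warnings(info):
            print("  warning:", w)
```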

Manage Audit Files

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Audit Files.

To manage your audit files:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Audit Files.

The Audit Files page appears.

3. To filter the audit files that appear on the page, apply a filter as described in Apply a Filter.

4. To add an audit file, see Add a Template-Based Audit File or Add a Custom Audit File.

5. To view details for an audit file:


a. Right-click the row for the audit file.

The actions menu appears.

-or-

Select the check box for the audit file.

The available actions appear at the top of the table.

b. Click View.

The View Audit File page appears.

6. To edit or replace an audit file:


a. Right-click the row for the audit file.

The actions menu appears.

-or-

Select the check box for the audit file.

The available actions appear at the top of the table.

b. Click Edit.

The Edit Audit File page appears.

c. To edit the name or description, type a new Name or Description.

d. To replace the audit file, click the delete button ( ) next to the file and upload a new
audit file.

e. Click Submit.

Tenable Security Center saves your configuration.

7. To share or revoke access to an audit file:


a. Right-click the row for the audit file.

The actions menu appears.

-or-

Select the check box for the audit file.

The available actions appear at the top of the table.

b. Click Share.

c. Share or revoke access for each group in your organization.

d. Click Submit.

Tenable Security Center saves your configuration.

8. To export an audit file:


a. Right-click the row for the audit file.

The actions menu appears.

-or-

Select the check box for the audit file.

The available actions appear at the top of the table.

b. Click Export.

Tenable Security Center exports the audit file.

9. To delete an audit file:


a. Right-click the row for the audit file.

The actions menu appears.

-or-

Select the check box for the audit file.

The available actions appear at the top of the table.

b. Click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the audit file.

Scan Zones

Scan zones are areas of your network that you want to target in an active scan, associating an
IP address or range of IP addresses with one or more scanners in your deployment. You must create
scan zones in order to run active scans in Tenable Security Center.

For more information, see Add a Scan Zone, View Your Scan Zones, Edit a Scan Zone, and Delete a
Scan Zone.

Option Description

Name A name for the scan zone.

Description (Optional) A description for the scan zone.

Ranges One or more IP addresses that you want the scan zone to target. Supported
formats:

l a comma-separated list of IP addresses and/or CIDR addresses.

l a newline-separated list of IP addresses and/or CIDR addresses.

l a hyphenated range of IP addresses (e.g., 192.0.2.0-192.0.2.25).

Scanners One or more scanners that you want to use to scan the Ranges in this scan
zone.

Note: Do not choose scanners that cannot reach the areas of your network
identified in the Ranges. Similarly, consider the quality of the network
connection between the scanners you choose and the Ranges.

Best Practices
Tenable recommends pre-planning your scan zone strategy to efficiently target discrete areas of
your network. If configured improperly, scan zones prevent scanners from reaching their targets.
Consider the following best practices:

l It is simplest to configure and manage a small number of scan zones with large ranges.

l It is simplest to target ranges (versus large lists of individual IP addresses).

l If you use Nessus Manager for agent management, do not target Nessus Manager in any scan
zone ranges.

Overlapping Scan Zones
In some cases, you may want to configure overlapping scan zones to ensure scanning coverage or
redundancy.

Note: Do not configure overlapping scan zones without pre-planning your scan zone and Distribution
Method strategy.

Two or more scan zones are redundant if they target the same area of your network. If Tenable
Security Center executes a scan with redundant scan zones, it first attempts the scan using the
narrowest, most specific scan zone.

In this example, the red numbers represent specific IP addresses on your network. The grey circles
represent the network coverage of individual scan zones.

See the following table to understand the primary and redundant scan zones for the IP addresses in
this example.

IP Address Primary Scan Zone Redundant Scan Zones

1 Scan Zone A None.

2 Scan Zone B Scan Zone A.

3 Scan Zone C Scan Zone B, then Scan Zone A.

4 Scan Zone C Scan Zone A.

5 Scan Zone D Scan Zone A.

6 Scan Zone E Scan Zone A.

7 Scan Zone F Scan Zone E, then Scan Zone A.
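As an added example (not Tenable's code), the following Python models the two behaviours described above: parse_ranges accepts a Ranges value in the three supported formats (comma-separated, newline-separated, and hyphenated), zones_for_ip orders the zones that contain an address narrowest first, which is how the primary and redundant zones in the table are derived, and overlapping_zones reports overlaps for the pre-planning the note calls for. The zone names and address ranges are constructed for illustration.

```python
import ipaddress


def parse_ranges(text: str) -> list:
    """Parse a scan zone Ranges value into a list of ip_network objects.

    Accepts the three formats the Ranges option documents: a comma-separated
    list, a newline-separated list (each entry an IP address or CIDR block),
    and hyphenated ranges such as 192.0.2.0-192.0.2.25. A hyphenated range is
    expanded into the smallest set of CIDR blocks that covers it exactly.
    """
    networks = []
    for entry in text.replace("\n", ",").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if first > last:
                raise ValueError("range start is after range end: %s" % entry)
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # strict=False accepts a CIDR entry with host bits set (e.g. 10.0.1.5/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def zone_size(networks) -> int:
    """Number of addresses a zone covers; smaller means more specific."""
    return sum(net.num_addresses for net in networks)


def zones_for_ip(ip: str, zones: dict) -> list:
    """Names of the zones whose Ranges contain ip, narrowest first.

    The first element is the primary scan zone; the remainder are the
    redundant zones in the order the scan would fall back to them.
    """
    addr = ipaddress.ip_address(ip)
    matches = []
    for name, ranges in zones.items():
        nets = parse_ranges(ranges)
        if any(addr in net for net in nets):
            matches.append((zone_size(nets), name))
    return [name for _, name in sorted(matches)]


def overlapping_zones(zones: dict) -> list:
    """Pairs of zone names whose Ranges overlap, for pre-planning review."""
    parsed = {name: parse_ranges(ranges) for name, ranges in zones.items()}
    names = sorted(parsed)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in parsed[a] for y in parsed[b]):
                pairs.append((a, b))
    return pairs


# Constructed zones for illustration (not the figure from the guide):
# A is the broad zone, B and E sit inside A, C sits inside B, F inside E.
EXAMPLE_ZONES = {
    "Scan Zone A": "10.0.0.0/16",
    "Scan Zone B": "10.0.1.0/24, 10.0.2.0/24",
    "Scan Zone C": "10.0.1.10-10.0.1.20",
    "Scan Zone E": "10.0.5.0/24\n10.0.6.0/24",
    "Scan Zone F": "10.0.5.100",
}

if __name__ == "__main__":
    for ip in ("10.0.1.15", "10.0.5.100", "10.0.9.9"):
        primary, *redundant = zones_for_ip(ip, EXAMPLE_ZONES)
        print(ip, "primary:", primary, "redundant:", redundant or "none")
    print("overlapping pairs:", overlapping_zones(EXAMPLE_ZONES))
```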

Add a Scan Zone

Required User Role: Administrator

For more information about scan zone options, see Scan Zones.

To add a scan zone:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Scan Zones.

The Scan Zones page appears.

3. At the top of the table, click Add.

The Add Scan Zone page appears.

4. In the Name box, type a name for the scan zone.

5. In the Description box, type a description for the scan zone.

6. In the Ranges box, type one or more IP addresses, CIDR addresses, or ranges to target with
the scan zone.

7. In the Scanners box, choose one or more scanners to associate with the scan zone.

8. Click Submit.

Tenable Security Center saves your configuration.

What to do next:

l Configure scan zone-related organization settings, as described in Organizations.

l Configure an active scan that targets your scan zone, as described in Add an Active Scan.

View Your Scan Zones

Required User Role: Administrator

For more information, see Scan Zones.

To view a list of configured scan zones:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Scan Zones.

The Scan Zones page appears.

3. View details about each scan zone.

l Name — The name of the scan zone.

l Status — The status of the scan zone.

Scan Zone Status Description

All Scanners Available All of the scanners in the scan zone are Working.

x/y Scanners Available Only some of the scanners in the scan zone are Working.

No Scanners Available None of the scanners in the scan zone are Working.

For information about Working and other scanner statuses, see Tenable
Nessus Scanner Statuses.

l Scanners — The number of Tenable Nessus scanners in the scan zone.

l Last Modified — The date and time the scan zone was last modified.

Edit a Scan Zone

Required User Role: Administrator

For more information about scan zone options, see Scan Zones.

To edit a scan zone:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Scan Zones.

The Scan Zones page appears.

3. Right-click the row for the scan zone you want to edit.

The actions menu appears.

-or-

Select the check box for the scan zone you want to edit.

The available actions appear at the top of the table.

4. Click Edit.

The Edit Scan Zone page appears.

5. Modify the following scan zone options. For more information, see Scan Zones.

l Name

l Description

l Ranges

l Scanners

6. Click Submit.

Tenable Security Center saves your configuration.

Delete a Scan Zone

Required User Role: Administrator

For more information, see Scan Zones.

Before you begin:

l Confirm that no scans target the scan zone you want to delete. Tenable Security Center scans
may fail if you delete an actively targeted scan zone.

To delete a scan zone:

1. Log in to Tenable Security Center via the user interface.

2. Click Resources > Scan Zones.

The Scan Zones page appears.

3. Select the scan zone you want to delete:

To delete a single scan zone:


a. In the table, right-click the row for the scan zone you want to delete.

The actions menu appears.

b. Click Delete.

To delete multiple scan zones:


a. In the table, select the check box for each scan zone you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the scan zone.

Scan Policies
Scan policies contain plugin settings and advanced directives for active scans.

When an administrator user creates a scan policy, the policy is available to all organizations. When
an organizational user creates a scan policy, the scan policy is available only to their organization.
Users with the appropriate permissions can use scan policies in an active scan, modify policy
options, and more. For more information about user permissions, see User Roles.

For more information, see:

l Add a Scan Policy

l Scan Policy Templates

l Scan Policy Options

l View Your Scan Policies

l View Scan Policy Details

l Edit a Scan Policy

l Share or Revoke Access to a Scan Policy

l Export a Scan Policy

l Import a Scan Policy

l Copy a Scan Policy

l Delete a Scan Policy

Add a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can create template-based or custom scan policies for your active scans. When you create a
custom scan policy, you can configure any scan policy option. When you configure a template-
based scan policy, you can configure the options included for the template type. For more
information about Tenable-provided scan policy templates, see Scan Policy Templates.

For more information, see Scan Policies and Active Scans.

To add a template-based scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. At the top of the table, click Add.

The Add Policy page appears.

4. In the Template section, click a policy template. For more information, see Scan Policy
Templates.

The policy template page appears.

5. Configure the options described in Scan Policy Options.

6. Click Submit.

Tenable Security Center saves your configuration.

To add a custom scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. At the top of the table, click Add.

The Add Policy page appears.

4. In the Custom section, click Advanced Scan.

The Advanced Scan page appears.

5. Configure the options described in Scan Policy Options.

6. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
• Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Scan Policy Templates


Tenable Security Center provides scan policy templates with pre-configured plugin settings and
advanced directives for active scans. You can configure a Tenable-provided template or you can
create a fully customized scan policy from all of the available scan policy options in Tenable
Security Center.

Each Tenable-provided scan policy template contains a different set of scan policy options. You can
only modify the settings included for that scan policy template type.

Custom scan policies, such as Advanced Scan, contain all scan policy options. You can modify any
scan policy options for custom scans.

For more information, see Scan Policies and Scan Policy Options.

Note: If there is a Tenable-provided template that does not appear in this list, it may be a scan policy that
is not supported by Tenable Security Center.

Template Description

Common

Advanced Agent Scan: The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options.

Note: Advanced scan templates allow you to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.

Advanced Scan: The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options.

Basic Network Scan: Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.

Credentialed Patch Audit: Authenticates hosts and enumerates missing updates.

Use this template with credentials to give Tenable Security Center direct access to the host, scan the target hosts, and enumerate missing patch updates.

Web Application Tests: Scan for published and unknown web vulnerabilities.

Compliance Configuration

Internal PCI Network Scan: Performs an internal PCI DSS (11.2.1) vulnerability scan.

This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).

PCI Quarterly External Scan: Performs quarterly external scans as required by PCI.

You can use this template to simulate an external scan (PCI DSS 11.2.2) to meet PCI DSS quarterly scanning requirements. However, you cannot submit the scan results from this template to Tenable for PCI Validation. Only Tenable Vulnerability Management customers can submit their PCI scan results to Tenable for PCI ASV validation.

Policy Compliance Auditing: Audits system configurations against a known baseline.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific for the scan's scope and compliance requirements.

The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.

SCAP and OVAL Auditing: Audits systems using SCAP and OVAL definitions.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

• SCAP compliance auditing requires sending an executable to the remote host.
• Systems running security software (for example, McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.
• When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP checks to test compliance standards as specified in NIST's Special Publication 800-126.

Other

2022 Threat Landscape Retrospective (TLR): Detects vulnerabilities featured in Tenable's 2022 Threat Landscape Retrospective report.

Active Directory Starter Scan: Scans for misconfigurations in Active Directory.

Use this template to check Active Directory for Kerberoasting, weak Kerberos encryption, Kerberos pre-authentication validation, non-expiring account passwords, unconstrained delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank passwords.

CISA Alerts AA22-011A and AA22-047A: Performs remote and local checks for vulnerabilities from CISA alerts AA22-011A and AA22-047A.

ContiLeaks: Performs remote and local checks for ContiLeaks vulnerabilities.

GHOST (glibc) Detection: Performs local checks to detect vulnerabilities related to CVE-2015-0235.

Host Discovery: Performs a simple scan to discover live hosts and open ports.

Launch this scan to see what hosts are on your network and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose what hosts you want to target in a specific vulnerability scan.

Tenable recommends that organizations who do not have a passive network monitor, such as Nessus Network Monitor, run this scan weekly to discover new assets on your network.

Note: Assets identified by discovery scans do not count toward your license.

Intel AMT Security Bypass Detection: Performs remote and local checks for CVE-2017-5689.

Log4Shell: Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Log4Shell Remote Checks: Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via remote checks.

Log4Shell Vulnerability Ecosystem: Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local and remote checks. This template is dynamic and is regularly updated with new plugins as third-party vendors patch their software.

Malware Scan: Scans for malware on Windows and Unix systems.

Tenable Security Center detects malware using a combined allow list and block list approach to monitor known good processes, alert on known bad processes, and identify coverage gaps between the two by flagging unknown processes for further inspection.

PrintNightmare: Performs local checks for CVE-2021-34527, the PrintNightmare Windows Print Spooler vulnerability.

ProxyLogon: MS Exchange: Performs remote and local checks to detect Microsoft Exchange Server vulnerabilities related to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Ransomware Ecosystem: Performs local and remote checks for common ransomware vulnerabilities.

Solorigate: Detects SolarWinds Solorigate vulnerabilities using remote and local checks.

Spectre and Meltdown Detection: Performs remote and local checks for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

WannaCry Ransomware Detection: Scans for the WannaCry ransomware (MS17-010).

Zerologon Remote Scan: Detects the Microsoft Netlogon elevation of privilege vulnerability (Zerologon).

Web Application Scanning

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

API: A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described via an OpenAPI (Swagger) specification file.

Log4Shell: Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j.

PCI: A scan that assesses web applications for compliance with the Payment Card Industry Data Security Standard (PCI DSS) for PCI ASV.

Quick Scan: A high-level scan similar to the Config Audit scan policy template that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan policy template, Tenable Security Center analyzes your web application only for plugins related to security industry standards compliance.

Scan: A comprehensive scan that assesses web applications for a wide range of vulnerabilities.

The Scan scan policy template provides plugin family options for all active web application plugins.

If you create a scan using the Scan scan policy template, Tenable Security Center analyzes your web application for all plugins that the scanner checks for when you create a scan using the Web App Config Audit, Web App Overview, or SSL_TLS scan policy templates, as well as additional plugins to detect specific vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a web application and takes longer to complete than other web app scans.

SSL_TLS: A scan to determine if a web application uses SSL/TLS public-key encryption and, if so, how the encryption is configured.

When you create a scan using the SSL_TLS scan policy template, Tenable Security Center analyzes your web application only for plugins related to SSL/TLS implementation. The scanner does not crawl URLs or assess individual pages for vulnerabilities.

Web App Config Audit: A high-level scan that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards.

If you create a scan using this scan policy template, Tenable Security Center analyzes your web application only for plugins related to security industry standards compliance.

Web App Overview: A high-level preliminary scan that determines which URLs in a web application Tenable Security Center scans by default.

This scan template does not analyze the web application for active vulnerabilities. Therefore, this scan policy template does not offer as many plugin family options as the Scan template.

Scan Policy Options


Scan policy options specify granular configurations for your active scans.

When you create a custom scan policy, you can configure any scan policy option. When you
configure a template-based scan policy, you can configure the options included for the template
type. For more information about Tenable-provided scan policy templates, see Scan Policy
Templates.

• Setup Options
• Advanced Options
• Host Discovery Options
• Port Scanning Options
• Service Discovery Options
• Assessment Options
• Brute Force Options
• Malware Options
• SCADA Options
• Web Applications Options
• Windows Options
• Report Options
• Authentication Options
• Compliance Options
• Plugins Options

Setup Options

Option Description

Name: A unique name for the policy.

Description: (Optional) A description for the policy.

Tag: A tag for the policy. For more information, see Tags.

Advanced Options

Option Description

General Settings

Enable safe checks: Tenable Nessus attempts to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When Enable safe checks is enabled, Tenable Nessus does not attempt to exercise any vulnerabilities. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Scan for unpatched vulnerabilities (no patches or mitigations available): Determines whether the scan searches for unpatched vulnerabilities. This includes CVEs marked as "Will Not Fix" by the related vendor.

Enabling this setting may increase your overall findings count; each platform and package combination results in an individual plugin. If additional CVEs are found to affect a platform and package combination, the CVEs are added to the existing plugin.

This setting is disabled by default.

Note: If you configure a scan to produce findings for unpatched vulnerabilities and then the setting is unchecked, Tenable Security Center remediates unpatched findings in the next scan. Additionally, if multiple scans target the same device and one has enabled findings for unpatched vulnerabilities and another does not, the findings results may vary per scan.

Stop scanning hosts that become unresponsive during the scan: During a scan, hosts may become unresponsive after a period of time. Enabling this setting stops scan attempts against hosts that stop sending results.

Automatically accept detected SSH disclaimer prompts: When enabled, if a credentialed scan tries to connect via SSH to a FortiOS host that presents a disclaimer prompt, the scanner provides the necessary text input to accept the disclaimer prompt and continue the scan.

The scan initially sends a bad SSH request to the target in order to retrieve the supported authorization methods. This allows you to determine how to connect to the target, which is helpful when you configure a custom SSH banner and then try to determine how to connect to the host.

When disabled, credentialed scans on hosts that present a disclaimer prompt fail because the scanner cannot connect to the device and accept the disclaimer. The error appears in the plugin output.

Scan targets with multiple domain names in parallel: When disabled, to avoid overwhelming a host, Tenable Nessus prevents simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Nessus scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete.

When enabled, a Tenable Nessus scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but hosts could potentially become overwhelmed, causing timeouts and incomplete results.

Create unique identifier on hosts scanned using credentials: When enabled, the scanner creates a unique identifier (Tenable UUID) on the host. Tenable Vulnerability Management and Tenable Security Center use the Tenable UUID to merge incoming scan data with historical results for the asset and ensure that license counts are accurately reflected.

For more information, see Why Tenable Tags and Agent IDs are created during authenticated scans.

Performance Options

Slow down the scan when congestion is detected: When Tenable Nessus detects congestion during a scan, it slows the speed of the scan in an attempt to ease the burden on the affected network segment(s).

Network timeout (in seconds): Determines the amount of time, in seconds, the scanner waits before deciding that there is an issue communicating over the network.

Max simultaneous checks per host: This setting limits the maximum number of checks a Tenable Nessus scanner performs against a single host at one time. The default value of this option is 5 simultaneous checks per host.

Type an integer greater than 0. If you enter 0, enter a negative integer, or delete the value in the field, Tenable Security Center does not perform any checks and scans will not complete.

Max simultaneous hosts per scan: This setting limits the maximum number of hosts that a single Tenable Nessus scanner scans at the same time. The default value of this option is 30 hosts per scan.

If the scan is using a zone with multiple scanners, each scanner accepts up to the amount specified in the Max simultaneous hosts per scan option. For example, if Max simultaneous hosts per scan is set to 5 and there are 5 scanners in the zone, each scanner accepts 5 hosts to scan, allowing a total of 25 hosts to be scanned between the 5 scanners.

If you set Max simultaneous hosts per scan to more than the Nessus scanner's max_hosts value, the following message appears in the scanner's nessusd.messages: Tried to raise the maximum hosts number - 150. Using 100. Change 'max_hosts' in the server configuration if you believe this is incorrect. You can ignore this message; Tenable Security Center sends scans to the scanner in scan chunks of up to eight IPs and will not reach the scanner's max_hosts, which must be nine or greater.

Max number of concurrent TCP sessions per host: Specifies the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if this option is set to 15, the SYN scanner sends 150 packets per second at most.

Type an integer between 1 and 2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit.

Max number of concurrent TCP sessions per scan: This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan.

Type an integer between 1 and 2000. If you leave the box empty or enter 0, Tenable Security Center does not enforce a limit.

Unix find command Options

Exclude Filepath: A plain text file containing a list of filepaths to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Exclude Filesystem: A plain text file containing a list of filesystems to exclude from all plugins that search using the find command on Unix systems.

In the file, enter one filesystem per line, using filesystem types supported by the Unix find command -fstype argument. For more information, see the find command man page.

Include Filepath: A plain text file containing a list of filepaths to include in all plugins that search using the find command on Unix systems.

In the file, enter one filepath per line, formatted per patterns allowed by the Unix find command -path argument. For more information, see the find command man page.

Including filepaths increases the locations that are searched by plugins, which extends the duration of the scan. Make your inclusions as specific as possible.

Tip: Avoid having the same filepaths in Include Filepath and Exclude Filepath. This conflict may result in the filepath being excluded from the search, though results may vary by operating system.
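As an added example (not Tenable's plugin code), the following Python models how the three list files interact: it flags entries that appear in both Include Filepath and Exclude Filepath, applies find -path pattern semantics to a candidate path, and builds the equivalent find(1) argument list so the effect can be previewed on a shell before a scan runs. The sample file contents are constructed, and the exclude-wins rule is an assumption drawn from the Tip above.

```python
"""Preview the effect of Exclude Filepath / Exclude Filesystem / Include
Filepath lists as consumed by find-based plugins: one entry per line,
-path patterns for filepaths, -fstype names for filesystems.  Added example,
not Tenable's plugin code."""

from fnmatch import fnmatchcase

# Constructed sample file contents (one entry per line, blank lines ignored).
EXCLUDE_FILEPATH = """
/proc/*
/sys/*
/var/lib/docker/*
/home/*/.cache/*
"""
EXCLUDE_FILESYSTEM = """
nfs
cifs
"""
INCLUDE_FILEPATH = """
/opt/*
/srv/www/*
/var/lib/docker/*
"""


def read_entries(text):
    """Split a filepath/filesystem list file into its non-empty lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_conflicts(include_text, exclude_text):
    """Entries present in both Include Filepath and Exclude Filepath.  The Tip
    above says such a path may end up excluded, so surface them before scanning."""
    return sorted(set(read_entries(include_text)) & set(read_entries(exclude_text)))


def path_is_searched(path, include_text, exclude_text):
    """Model of the pruning: a path is searched if it matches an include
    pattern (find -path semantics: '*' also matches '/') and no exclude
    pattern.  Exclude winning over include is an assumption of this model."""
    includes = read_entries(include_text)
    excludes = read_entries(exclude_text)
    if any(fnmatchcase(path, pat) for pat in excludes):
        return False
    return any(fnmatchcase(path, pat) for pat in includes)


def build_find_argv(include_text, exclude_filepath_text, exclude_fs_text):
    """Equivalent find(1) invocation: prune excluded paths and filesystems,
    then search only under the include patterns.  Returned as an argv list so
    it can be handed to subprocess.run without shell quoting problems."""
    argv = ["find", "/"]
    prune = []
    for pat in read_entries(exclude_filepath_text):
        prune += ["-path", pat, "-o"]
    for fs in read_entries(exclude_fs_text):
        prune += ["-fstype", fs, "-o"]
    if prune:
        # drop the trailing -o, group the alternatives, prune the match
        argv += ["("] + prune[:-1] + [")", "-prune", "-o"]
    includes = read_entries(include_text)
    if includes:
        inc = []
        for pat in includes:
            inc += ["-path", pat, "-o"]
        argv += ["("] + inc[:-1] + [")"]
    argv += ["-type", "f", "-print"]
    return argv
```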

Windows file search Options

Windows Exclude Filepath: A plain text file containing a list of filepaths to exclude from all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one absolute or partial filepath per line, formatted as the literal strings you want to exclude. You can include absolute or relative directory names, for example E:\, E:\Testdir\, and \Testdir\.

Tip: If you do not configure this setting, the default exclusion paths include \Windows\WinSxS\ and \Windows\servicing\. If you configure this setting, Tenable recommends adding those two paths to the file; those directories are very slow to search and do not contain unmanaged software.

Windows Include Filepath: A plain text file containing a list of filepaths to include in all plugins that search using Tenable's unmanaged software directory scans.

In the file, enter one filepath per line, formatted as the literal strings you want to include. You can only include absolute directory names, for example E:\, E:\Testdir\, and C:\.

Caution: Avoid having the same filepaths in the Windows Include Filepath and Windows Exclude Filepath settings. This conflict results in the filepath being excluded from the search.

Compliance Output Settings

Maximum Compliance Output Length in KB: Controls the maximum output length in kilobytes for each individual compliance check value that the target returns. If a compliance check value is greater than this setting's value, Tenable Security Center truncates the result. The default value is 128000.

Generate Gold Image Audit: Attaches a compliance gold image .audit established by generated compliance scan results. For more information, see Compliance Export Gold Image.

Generate XCCDF Result File: Attaches XCCDF result files generated from compliance .audit scans. For more information, see Compliance Export XCCDF Results.

Generate JSON Result File: Attaches .audit JSON result files. For more information, see Compliance Export JSON Results.

Note: You cannot download the JSON file directly from Tenable Security Center.

Debug Settings

Note: Tenable does not recommend enabling debug settings in production environments. Debug settings generate a substantial amount of data and can alter the overall scan time and performance. Tenable only recommends the settings for specific debugging instances, and not for constant use.

Always Report SSH Commands: When enabled, Tenable Security Center generates a report of all the commands run over SSH on the host in a machine-readable format. You can view the reported commands under plugin 168017.

Note: The setting does not function correctly if you disable plugin 168017.

Enumerate Launched Plugins: Shows a list of plugins that were launched during the scan. You can view the list in scan results under plugin 112154.

Stagger scan start

Maximum delay (minutes): (Agents 8.2 and later) If set, each agent in the agent group delays starting the scan for a random number of minutes, up to the specified maximum. Staggered starts can reduce the impact of agents that use a shared resource, such as virtual machine CPU.

If the maximum delay you set exceeds your scan window, Tenable shortens your maximum delay to ensure that agents begin scanning at least 30 minutes before the scan window closes.

Host Discovery Options

Option Description

Ping the remote host: When enabled, Tenable Nessus attempts to ping the hosts in the scan to determine if the host is alive or not.

General Settings (available when Ping the remote host is enabled)

Test the local Tenable Nessus host: This option allows you to include or exclude the local Tenable Nessus host from the scan. This is used when the Tenable Nessus host falls within the target network range for the scan.

Use fast network discovery: When Tenable Nessus pings a remote IP address and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1-65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If Use fast network discovery is enabled, Tenable Nessus does not perform these checks.

Ping Methods (available when Ping the remote host is enabled)

ARP: Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP: Ping a host using TCP.

Destination ports: Destination ports can be configured to use specific ports for TCP ping. This option specifies the list of ports that are checked via TCP ping. Type one of the following:

• a single port
• a comma-separated list of ports
• built-in

For more information about which ports built-in specifies, see the knowledge base article.

ICMP: Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable means the host is down: When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option considers this to mean the host is dead. This is to help speed up discovery on some networks.

Some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this leads to the scan considering the host is down when it is indeed up.

Maximum number of retries: (If you enabled ICMP) Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP: Ping a host using the User Datagram Protocol (UDP).

Tip: UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Fragile Devices

Scan Network Printers: Instructs the Tenable Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

Scan Novell Netware hosts: Instructs the Tenable Nessus scanner not to scan Novell Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Tenable Nessus can skip scanning them once identified. This is recommended if scanning is performed on production networks.

Scan Operational Technology devices: When enabled, Tenable Security Center performs a full scan of Operational Technology (OT) devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor environmental factors and the activity and state of machinery.

When disabled, Tenable Security Center uses ICS/SCADA Smart Scanning to identify OT devices cautiously and stops scanning them once they are discovered.

Wake-on-LAN

List of MAC addresses: Wake-on-LAN (WOL) packets are sent to the hosts listed, one on each line, in an attempt to wake the specified host(s) during a scan.

Boot time wait (in minutes): The number of minutes Tenable Nessus waits before attempting a scan of hosts sent a WOL packet.

Port Scanning Options

Option Description

Ports

Consider unscanned ports as closed: If a port is not scanned with a selected port scanner (for example, out of the range specified), the scanner considers it closed.

Port scan range: Specifies a keyword (default) or a custom port range that you want the scanner to target.

• Type default to instruct the scanners to scan approximately 4,790 commonly used ports. The list of ports can be found in the nessus-services file.

• Type all to instruct the scanner to scan all 65,536 ports, including port 0.

• Type a custom port range to instruct the scanners to scan the custom range of ports. Type a custom port range as a comma-separated list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200.

Tenable Security Center applies the custom range to the protocols you specify in the Network Port Scanners section. If you want to scan both TCP and UDP, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, type T:1-1024,U:300-500. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example, 1-1024,T:1024-65535,U:1025.
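As an added example (not Tenable's code), this Python parser implements the Port scan range syntax documented above (default, all, comma-separated ports and ranges, T:/U: prefixes) and shows which candidate ports would be reported closed without being probed when Consider unscanned ports as closed is enabled. The nessus-services list is replaced by a small constructed sample, and the parser also accepts lowercase prefixes and whitespace around entries, which goes slightly beyond the examples in the text.

```python
"""Parse a Tenable Security Center 'Port scan range' value into per-protocol
port sets so a policy author can see exactly which ports a custom range
covers before saving the policy.  Added example, not Tenable's code."""

# Constructed stand-in for the ~4,790 ports in nessus-services; the real file
# ships with the scanner and is not reproduced here.
DEFAULT_PORTS_SAMPLE = frozenset({21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389})

PROTO_PREFIX = {"T": "tcp", "U": "udp"}


def _expand_token(token):
    """Turn '80' or '1-1024' into a set of ints, enforcing the 0-65535 bound."""
    if "-" in token:
        lo_s, hi_s = token.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(token)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("port range out of bounds: %r" % token)
    return set(range(lo, hi + 1))


def parse_port_scan_range(spec, default_ports=DEFAULT_PORTS_SAMPLE):
    """Return {'tcp': set, 'udp': set} for a Port scan range string.

    Keywords: 'default' (the nessus-services list) and 'all' (0-65535).
    Custom ranges: comma-separated ports or ranges; a token prefixed with
    'T:' or 'U:' applies only to that protocol, an unprefixed token to both.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty port scan range")
    keyword = spec.lower()
    if keyword == "default":
        return {"tcp": set(default_ports), "udp": set(default_ports)}
    if keyword == "all":
        everything = set(range(0, 65536))
        return {"tcp": everything, "udp": set(everything)}

    ports = {"tcp": set(), "udp": set()}
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry in port scan range")
        protos = list(ports)  # unprefixed token applies to both protocols
        if len(token) > 2 and token[1] == ":" and token[0].upper() in PROTO_PREFIX:
            protos = [PROTO_PREFIX[token[0].upper()]]
            token = token[2:]
        expanded = _expand_token(token)
        for proto in protos:
            ports[proto] |= expanded
    return ports


def unscanned_as_closed(spec, proto, candidate_ports):
    """Ports from candidate_ports that the policy would report as closed
    without probing them when 'Consider unscanned ports as closed' is on."""
    scanned = parse_port_scan_range(spec)[proto]
    return sorted(p for p in candidate_ports if p not in scanned)
```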

Local Port Enumerators

SSH (netstat): When enabled, the scanner uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials.

WMI (netstat): When enabled, the scanner uses netstat to determine open ports while performing a WMI-based scan.

In addition, the scanner:

• Ignores any custom range specified in the Port Scan Range setting.
• Continues to treat unscanned ports as closed if the Consider unscanned ports as closed setting is enabled.

If any port enumerator (netstat or SNMP) is successful, the port range becomes all.

SNMP: When enabled, if the appropriate credentials are provided by the user, the scanner can better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed: If a local port enumerator runs, all network port scanners are disabled for that asset.

Verify open TCP ports found by local port enumerators: When enabled, if a local port enumerator (for example, WMI or netstat) finds a port, the scanner also verifies that the port is open remotely. This approach helps determine if some form of access control is being used (for example, TCP wrappers or a firewall).

Network Port Scanners

TCP: Use the built-in Tenable Nessus TCP scanner to identify open TCP ports on the targets, using a full TCP three-way handshake. If you enable this option, you can also set the Override Automatic Firewall Detection option.

Note: On some platforms (for example, Windows and macOS), if the operating system is causing serious performance issues using the TCP scanner, Tenable Nessus launches the SYN scanner instead.

SYN: Use the built-in Tenable Nessus SYN scanner to identify open TCP ports on the target hosts. SYN scans do not initiate a full TCP three-way handshake. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines the port state based on a response or lack of response.

If you enable this option, you can also set the Override Automatic Firewall Detection option.

Override automatic firewall detection: Rely on local port enumeration first before relying on network port scans.

UDP: This option engages the built-in Tenable Nessus UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Service Discovery Options

The Service Discovery tab specifies how the scanner looks for services running on the target’s
ports.

Option Description

Probe all ports to find services: When enabled, the scanner attempts to map each open port with the service that is running on that port, as defined by the Port scan range option.

Caution: In some rare cases, probing might disrupt some services and cause unforeseen side effects.

Search for SSL/TLS services: Controls how the scanner tests SSL-based services.

Caution: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLS on: Specifies which ports on target hosts the scanner searches for SSL/TLS services.

This setting has two options:

• Known SSL/TLS ports
• All ports

Search for DTLS on: Specifies which ports on target hosts the scanner searches for DTLS services.

This setting has the following options:

• None
• Known SSL/TLS ports
• All TCP ports

Identify certificates expiring within x days: Identifies SSL certificates that age out within the specified timeframe. Type a value to set a timeframe (in days).

Enumerate all SSL/TLS ciphers: When Tenable Security Center performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.

Enable CRL checking (connects to the Internet): Direct Tenable Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option makes a connection and query to one or more servers on the internet.

Assessment Options

The Assessment tab specifies how the scanner tests for information during the scan.

Accuracy

Override normal accuracy: In some cases, Tenable Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Paranoid, then a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid false alarms causes Tenable Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Normal is a middle ground between these two settings.

Perform thorough tests (may disrupt your network or impact scan speed): Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days): This option determines the delay, in days, before Tenable Nessus reports the antivirus software as being outdated. The valid values are between 0 (no delay, default) and 7.

SMTP

Third party domain: Tenable Nessus attempts to send spam through each SMTP device to the address listed in this option. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address: The test messages sent to the SMTP server(s) appear as if they originated from the address specified in this option.

To Address: Tenable Nessus attempts to send messages addressed to the mail recipient listed in this option. The postmaster address is the default value since it is a valid address on most mail servers.

Brute Force Options

The Brute Force tab specifies how the scanner tests for information against SCADA systems.

Additionally, if Hydra is installed on the same host as a Tenable Nessus server linked to Tenable
Security Center, the Hydra section is enabled. Hydra extends brute force login testing for the
following services: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-
FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-
FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP,
NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec,
Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2),
Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

General Settings

Only use credentials provided by the user: In some cases, Tenable Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Tenable Nessus from performing these tests.

Oracle Database

Test default Oracle accounts (slow): Test for known default accounts in Oracle software.

Hydra

Always enable Hydra (slow): Enables Hydra whenever the scan is performed.

Logins file: A file that contains user names that Hydra uses during the scan.

Passwords file: A file that contains passwords for user accounts that Hydra uses during the scan.

Number of parallel tasks: The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.

Timeout (in seconds): The number of seconds per login attempt.

Try empty passwords: If enabled, Hydra additionally tries user names without using a password.

Try login as password: If enabled, Hydra additionally tries each user name as the corresponding password.

Stop brute forcing after the first success: If enabled, Hydra stops brute forcing user accounts after the first time an account is successfully accessed.

Add accounts found by other plugins to the login file: If disabled, only the user names specified in the logins file are used for the scan. Otherwise, additional user names discovered by other plugins are added to the logins file and used for the scan.

PostgreSQL database name: The database that you want Hydra to test.

SAP R3 Client ID (0 - 99): The ID of the SAP R3 client that you want Hydra to test.

Windows accounts to test: Can be set to Local accounts, Domain Accounts, or Either.

Interpret passwords as NTLM hashes: If enabled, Hydra interprets passwords as NTLM hashes.

Cisco login password: This password is used to log in to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra attempts to log in using credentials that were successfully brute forced earlier in the scan.

Web page to brute force: Type a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra attempts to brute force a page discovered by the Tenable Nessus web crawler that requires HTTP authentication.

HTTP proxy test website: If Hydra successfully brute forces an HTTP proxy, it attempts to access the website provided here via the brute forced proxy.

LDAP DN: The LDAP Distinguished Name scope that Hydra authenticates against.

Malware Options

The Malware tab specifies options for DNS Resolution, hash, and allowlist files and file system
scanning.

Malware Scan Settings

Malware scan: When enabled, displays the General Settings, Hash and Allowlist Files, and File System Scanning sections.

Hash and Allowlist Files (available when Malware scan is enabled)

Provide your own list of known bad MD5/SHA1/SHA256 hashes: Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description shows up in the scan results.

Provide your own list of known good MD5/SHA1/SHA256 hashes: Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. If you want to add a description for each hash, type a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description shows up in the scan results.

Hosts file allowlist: Tenable Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910). This option allows you to upload a file containing a list of IPs and hostnames that Tenable Nessus ignores during a scan. Include one IP address and hostname (formatted identically to your hosts file on the target) per line in a regular text file.

File System Scanning (available when Malware scan is enabled)

Scan file system: Turning on this option allows you to scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Directories (available when File System Scanning is enabled)

Scan %Systemroot%: Enable file system scanning to scan %Systemroot%.

Scan %ProgramFiles%: Enable file system scanning to scan %ProgramFiles%.

Scan %ProgramFiles(x86)%: Enable file system scanning to scan %ProgramFiles(x86)%.

Scan %ProgramData%: Enable file system scanning to scan %ProgramData%.

Scan User Profiles: Enable file system scanning to scan user profiles.

Custom Filescan Directories: A custom file that lists directories for malware file scanning. List each directory on one line.

Caution: Root directories such as C:\ or D:\ are not accepted.

Yara Rules Files: A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.
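The hash list format described above (one hash per line, optional comma and description) is easy to get wrong before upload. The following is an added example, not Tenable's code: it validates such a list, rejects malformed lines, and shows how a match carries its description through to a result. All file contents and hashes are constructed for the demonstration.

```python
"""Parse a "known bad hashes" upload file and match it against file hashes.

Added example, not Tenable's own code. File format as documented:
one MD5/SHA1/SHA256 hash per line, optionally followed by a comma and
a free-text description. All sample data below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# Hex lengths of the three digest types the upload form accepts.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass(frozen=True)
class HashEntry:
    algo: str          # "md5", "sha1" or "sha256", inferred from the hex length
    digest: str        # lowercase hex digest
    description: str   # "" when the line carried no description


def parse_hash_list(text: str) -> tuple[dict[str, HashEntry], list[str]]:
    """Return ({digest: entry}, [rejected lines]).

    Lines that are not a valid hex digest of a supported length are
    reported rather than silently dropped, which is what you want to see
    before uploading a list to a scan policy.
    """
    entries: dict[str, HashEntry] = {}
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Only the first comma separates hash from description; the
        # description itself may contain commas.
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()
        algo = _HEX_LEN_TO_ALGO.get(len(digest))
        if algo is None or not _HEX_RE.match(digest):
            rejected.append(raw)
            continue
        entries[digest] = HashEntry(algo, digest, description.strip())
    return entries, rejected


def hash_file_bytes(data: bytes) -> dict[str, str]:
    """Compute the three digests the list could match on for one file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_files(files: dict[str, bytes], known_bad: dict[str, HashEntry]) -> dict[str, HashEntry]:
    """Map each file path whose digest appears in the list to the matching entry."""
    hits: dict[str, HashEntry] = {}
    for path, data in files.items():
        for digest in hash_file_bytes(data).values():
            if digest in known_bad:
                hits[path] = known_bad[digest]
                break
    return hits


# --- Constructed sample data ------------------------------------------------
SAMPLE_FILES = {
    r"C:\ProgramData\tool.exe": b"constructed sample binary A",
    r"C:\Users\alice\notes.txt": b"harmless text",
}

SAMPLE_LIST = "\n".join([
    hashlib.md5(b"constructed sample binary A").hexdigest() + ", Sample A (md5, constructed)",
    hashlib.sha256(b"constructed sample binary B").hexdigest(),   # no description
    "not-a-hash, should be rejected",
    "",
])


def demo() -> dict[str, HashEntry]:
    """Parse the constructed list and report which sample files it matches."""
    known_bad, rejected = parse_hash_list(SAMPLE_LIST)
    assert len(rejected) == 1
    return match_files(SAMPLE_FILES, known_bad)


if __name__ == "__main__":
    for path, entry in demo().items():
        print(f"{path}: {entry.algo} match, {entry.description or '(no description)'}")
```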

SCADA Options

The SCADA tab specifies how the scanner tests for information against SCADA systems.

Modbus/TCP Coil Access

Start at register / End at register: These options are available for commercial users. This drop-down box item is dynamically generated by the SCADA plugins available with the commercial version of Tenable Nessus. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. The defaults are 0 for the Start at register value and 16 for the End at register value.

ICCP/COTP TSAP Addressing Weakness

Start COTP TSAP / Stop COTP TSAP: The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Point (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to 8 by default.

Web Applications Options

The Web Applications tab specifies how the scanner tests for information against web server
applications.

Web Application Settings

Scan web applications: When enabled, displays the General Settings, Web Crawler, and Application Test Settings sections.

Use a custom User-Agent: Specifies which type of web browser Tenable Nessus impersonates while scanning.

Web Crawler (available when Scan web applications is enabled)

Start crawling from: The URL of the first page to test. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex): Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this option to: (^/manual)|(\.pl(\?.*)?$). Tenable Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl: The maximum number of pages to crawl.

Maximum depth to crawl: Limit the number of links Tenable Nessus follows for each start page.

Follow dynamically generated pages: When enabled, Tenable Nessus follows dynamic links and may exceed the parameters set above.

Application Test Settings (available when Scan web applications is enabled)

Enable generic web application tests: Enables the Application Test Settings options.

Abort web application tests if HTTP login fails: If Tenable Nessus cannot log in to the target via HTTP, then do not run any web application tests.

Try all HTTP Methods: This option instructs Tenable Nessus to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Tenable Nessus tests each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution: When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Test embedded web servers: Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form: This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This drop-down box has five selections:

- One value — This tests one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

- Some pairs — This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.

- All pairs (slower but efficient) — This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable, and then uses the first value for all other variables. For example, Tenable Nessus attempts /test.php?arg1=XSS&b=1&c=1 and then cycles through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process), and any other variables are given the first value. In this case, Tenable Nessus never tests /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.

- Some combinations — This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the number of combinations to three or more increases the web application test time.

- All combinations (extremely slow) — This method of testing does a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after the first flaw is found per web page: This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw does not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless thorough tests is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may sometimes be reported, if they were caught by the same attack. The drop-down has four options:

- Per CGI — As soon as a flaw is found on a CGI by a script, Tenable Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.

- Per port (faster) — As soon as a flaw is found on a web server by a script, Tenable Nessus stops and switches to another web server on a different port.

- Per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Tenable Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.

- Look for all flaws (slower) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion: During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Tenable Nessus uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (minutes): This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications typically completes in under an hour; however, web sites with large applications may require a higher value.
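To see why the Test more than one parameter at a time per form modes differ so much in scan time, the following added example (not Tenable's code) builds the request set each deterministic mode would produce for one form, following the descriptions above. The form parameters and their discovered values are constructed, and "XSS" is the same placeholder marker the documentation uses, not an actual test string.

```python
"""Estimate how many requests each "Test more than one parameter at a time
per form" mode costs for one form, following the documented descriptions.

Added example, not Tenable's own code. The placeholder string "XSS" is the
documentation's marker for "the test string goes here"; the parameter values
are the ones a crawler would have discovered for the form (constructed).
"""
from itertools import product

ATTACK = "XSS"  # placeholder marker, exactly as in the documentation's examples

Assignment = tuple[tuple[str, str], ...]


def _render(script: str, assignment: dict[str, str]) -> str:
    """Turn {param: value} into the query-string form shown in the table."""
    return script + "?" + "&".join(f"{k}={v}" for k, v in assignment.items())


def one_value(params: dict[str, list[str]]) -> set[Assignment]:
    """Default mode: the marker in one parameter, first value everywhere else."""
    out: set[Assignment] = set()
    for target in params:
        assign = {p: (ATTACK if p == target else vals[0]) for p, vals in params.items()}
        out.add(tuple(assign.items()))
    return out


def all_pairs(params: dict[str, list[str]]) -> set[Assignment]:
    """One parameter gets the marker, one other parameter is cycled through
    every discovered value, and all remaining parameters keep their first value."""
    out: set[Assignment] = set()
    for target in params:
        for cycled in params:
            if cycled == target:
                continue
            for value in params[cycled]:
                assign = {}
                for p, vals in params.items():
                    assign[p] = ATTACK if p == target else (value if p == cycled else vals[0])
                out.add(tuple(assign.items()))
    return out


def all_combinations(params: dict[str, list[str]]) -> set[Assignment]:
    """Exhaustive: the marker in one parameter, every combination of the others."""
    out: set[Assignment] = set()
    names = list(params)
    for target in names:
        others = [n for n in names if n != target]
        for combo in product(*(params[o] for o in others)):
            assign = dict(zip(others, combo))
            assign[target] = ATTACK
            out.add(tuple((n, assign[n]) for n in names))
    return out


def request_counts(params: dict[str, list[str]]) -> dict[str, int]:
    """Requests per mode for a single form. Multiply by the number of forms,
    and by two if Try all HTTP Methods is enabled (GET and POST)."""
    return {
        "One value": len(one_value(params)),
        "All pairs": len(all_pairs(params)),
        "All combinations": len(all_combinations(params)),
    }


# Constructed form: the documentation's /test.php with three parameters.
SAMPLE_FORM = {"arg1": ["1", "2"], "b": ["1", "2", "3"], "c": ["1"]}

if __name__ == "__main__":
    for mode, n in request_counts(SAMPLE_FORM).items():
        print(f"{mode:18s} {n:4d} requests")
    for assignment in sorted(one_value(SAMPLE_FORM)):
        print(_render("/test.php", dict(assignment)))
```

The random modes (Some pairs, Some combinations) sample from the All pairs and All combinations sets respectively, so their cost lies between the counts printed here.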

Windows Options

The Windows tab specifies basic Windows SMB domain options.

General Settings

Request information about the SMB Domain: When enabled, Tenable Nessus queries domain users instead of local users.

User Enumeration Methods

SAM Registry: When enabled, Tenable Nessus enumerates users via the Security Account Manager (SAM) registry.

ADSI Query: When enabled, Tenable Nessus enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must also configure ADSI authentication options.

WMI Query: When enabled, Tenable Nessus enumerates users via Windows Management Interface (WMI).

RID Brute Forcing: When enabled, Tenable Nessus enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain User and Enumerate Local User options.

Enumerate Domain Users (available when RID Brute Forcing is enabled)

Start UID: 1000

End UID: 1200

Enumerate Local Users (available when RID Brute Forcing is enabled)

Start UID: 1000

End UID: 1200

Report Options

The Report tab specifies information to include in the scan’s report.

Processing

Override normal verbosity: Determines the verbosity of the detail in the output of the scan results:

- Normal — Provides the standard level of plugin activity in the report.

- Quiet — Provides less information about plugin activity in the report to minimize impact on disk space.

- Verbose — Provides more information about plugin activity in the report. When this option is selected, the output includes the informational plugins 56310, 64582, and 58651.

Show missing patches that have been superseded: If enabled, show patches in the report that have not been applied but have been superseded by a newer patch.

Hide results from plugins initiated as a dependency: If enabled, hide the results of any plugin that ran only because it is a dependency of a selected plugin.

Output

Designate hosts by their DNS name: When possible, designate hosts by their DNS name rather than IP address in the reports.

Display hosts that respond to ping: When enabled, show a list of hosts that respond to pings sent as part of the scan.

Display unreachable hosts: If enabled, display a list of hosts within the scan range that could not be reached during the scan.

Display Unicode characters: When enabled, Unicode characters appear in plugin output such as usernames, installed application names, and SSL certificate information.

Note: Plugin output may sometimes incorrectly parse or truncate strings with Unicode characters. If this issue causes problems with regular expressions in plugins or custom audits, disable this setting and scan again.

Generate SCAP XML Results: Generate a SCAP XML results file as part of the report output for the scan.

Authentication Options

The Authentication tab specifies authentication options during a scan.

Authentication

Type: Specifies the type of authentication you want scanners to use for credentialed access to scan targets. Credentialed access gathers more complete data about a target.

- Host
- Database Credentials
- Miscellaneous
- Plaintext Authentication
- Patch Management

SNMP

UDP Port / Additional UDP port #1 / Additional UDP port #2 / Additional UDP port #3: The UDP port used when performing certain SNMP scans. Up to four different ports may be configured, with the default port being 161.

SSH

known_hosts file: If an SSH known_hosts file is provided for the scan policy, Tenable Nessus only attempts to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

Preferred port: This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22.

Client version: Specifies which type of SSH client to impersonate while performing scans.

Attempt least privilege (experimental): Enables or disables dynamic privilege escalation. When enabled, if the scan target credentials include privilege escalation, Tenable Nessus first attempts to run commands without privilege escalation. If running commands without privilege escalation fails, Tenable Nessus retries the commands with privilege escalation.

Plugins 102095 and 102094 report whether plugins ran with or without privilege escalation.

Note: Enabling this option may increase the time required to perform scans by up to 30%.
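The known_hosts file option turns the file into an allowlist for where the SSH credential may be presented. The following added example (not Tenable's code) models that check against an OpenSSH-format known_hosts file, including hashed entries (HashKnownHosts yes) and the [host]:port form used for non-default ports; the file contents, host names and key blobs are constructed placeholders.

```python
"""Check scan targets against an OpenSSH known_hosts allowlist.

Added example, not Tenable's own code. It models the documented effect of
the known_hosts file option: a target is eligible for SSH login only if it
appears in the file. Plain and hashed (HashKnownHosts yes) entries are
handled; the sample file and targets below are constructed.
"""
import base64
import hashlib
import hmac


def _hostname_matches_hashed(field: str, host: str) -> bool:
    """Hashed entries look like |1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>."""
    try:
        _, version, salt_b64, mac_b64 = field.split("|")
    except ValueError:
        return False
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _hostname_matches_plain(field: str, host: str) -> bool:
    """Plain entries may list several names, comma separated, e.g. host,10.0.0.5."""
    return host in field.split(",")


def host_allowed(known_hosts_text: str, host: str, port: int = 22) -> bool:
    """True if host (on this port) has a line in known_hosts_text.

    Non-default ports are written as [host]:port in known_hosts, so a
    server audited on port 2222 must be listed that way to be allowed.
    """
    lookup = host if port == 22 else f"[{host}]:{port}"
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @revoked / @cert-authority markers
            line = line.split(None, 1)[1]
        hosts_field = line.split(None, 1)[0]
        if hosts_field.startswith("|1|"):
            if _hostname_matches_hashed(hosts_field, lookup):
                return True
        elif _hostname_matches_plain(hosts_field, lookup):
            return True
    return False


def hashed_entry(host: str, salt: bytes, key_blob: str = "ssh-ed25519 AAAAPLACEHOLDER") -> str:
    """Build a hashed known_hosts line for the sample file (key blob is a placeholder)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()} {key_blob}"


def filter_targets(known_hosts_text: str, targets: list[tuple[str, int]]) -> tuple[list, list]:
    """Split scan targets into (allowed, skipped) the way the option would."""
    allowed = [t for t in targets if host_allowed(known_hosts_text, *t)]
    skipped = [t for t in targets if t not in allowed]
    return allowed, skipped


# Constructed sample file: a plain line with two names, a plain line with a
# non-default port, and a hashed line (salt chosen for the demo).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# audited servers (constructed)",
    "web01.example.test,10.0.0.5 ssh-ed25519 AAAAPLACEHOLDER",
    "[db01.example.test]:2222 ssh-rsa AAAAPLACEHOLDER",
    hashed_entry("jump.example.test", b"0123456789abcdef0123"),
])

SAMPLE_TARGETS = [
    ("web01.example.test", 22),
    ("10.0.0.5", 22),
    ("db01.example.test", 22),      # listed only on 2222, so not allowed on 22
    ("db01.example.test", 2222),
    ("jump.example.test", 22),
    ("10.0.0.99", 22),              # not in the file: never offered the SSH credential
]

if __name__ == "__main__":
    allowed, skipped = filter_targets(SAMPLE_KNOWN_HOSTS, SAMPLE_TARGETS)
    print("allowed:", allowed)
    print("skipped:", skipped)
```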

Windows

Never send credentials in the clear: By default, Windows credentials are not sent to the target host in the clear.

Do not use NTLMv1 authentication: When disabled, it is theoretically possible to trick Tenable Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Nessus. This hash can potentially be cracked to reveal a username or password. It may also be used to directly log in to other servers.

Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan: This option tells Tenable Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Nessus to execute some Windows local check plugins.

Enable administrative shares during the scan: This option allows Tenable Nessus to access certain registry entries that can be read with administrator privileges.

Start the Server service during the scan: When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes.

By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely.

Plaintext Authentication

Perform patch audits over telnet: When enabled, Tenable Security Center uses telnet to connect to the host device for patch audits.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rsh: When enabled, Tenable Security Center permits patch audits over an rsh connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

Perform patch audits over rexec: When enabled, Tenable Security Center permits patch audits over a rexec connection.

Note: This protocol is sent in cleartext and could contain unencrypted usernames and passwords.

HTTP

Login method: Specify whether the login action is performed via a GET or POST request.

Re-authenticate delay (seconds): The delay between authentication attempts, in seconds.

Tip: A time delay can help prevent triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels): If a 30x redirect code is received from a web server, this directs Tenable Nessus to follow the link provided or not.

Invert authenticated regex: The regex pattern you want Tenable Security Center to look for on the login page that, if found, denies authentication.

Tip: Tenable Security Center can attempt to match a given string, such as Authentication failed.

Use authenticated regex on HTTP headers: When enabled, Tenable Security Center searches the HTTP response headers for a given regex pattern instead of searching the body of a response to better determine authentication state.

Case insensitive authenticated regex: When enabled, Tenable Security Center ignores case in regex.

Compliance Options

The Compliance tab specifies the compliance audit files to reference in a scan policy. The options available depend on the type of audit file selected.

For more information, see Audit Files and Configure Compliance Options.

Generic SSH Escalation command: (Generic SSH audits only) The command to use for accomplishing the privilege escalation. This is similar to the enable command for Cisco devices.

Generic SSH Escalation success check: (Generic SSH audits only) A regular expression that must match after the escalation has succeeded. This can be the prompt or any other message notifying the success of privilege escalation.

Plugins Options

The Plugins tab specifies which plugins are used during the policy’s Tenable Nessus scan. You can
enable or disable plugins in the plugin family view or in the plugin view for more granular control.

For more information, see Configure Plugin Options.

Caution: The Denial of Service plugin family contains plugins that could cause outages on network hosts if
the Safe Checks option is not enabled, but it also contains useful checks that do not cause any harm. The
Denial of Service plugin family can be used in conjunction with Safe Checks to ensure that any potentially
dangerous plugins are not run. However, Tenable does not recommend enabling the Denial of Service
plugin family in production environments.

Configure Compliance Options

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can configure compliance options within a scan policy to reference one or more audit files in a
template-based Policy Compliance Auditing scan policy or a custom scan policy.

For more information, see Audit Files, Scan Policies, and Scan Policy Options.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific for the scan's scope and compliance requirements.

To configure compliance options for a scan policy:

1. Begin configuring a scan policy, as described in Add a Scan Policy.

2. In the left navigation bar, click Compliance.

The Compliance options appear.

3. Click + Add Audit File.

The Select a Type drop-down box appears.

4. In the Select a Type drop-down box, select the type of audit file you want to reference in the
scan policy.

The Select an Audit File drop-down box appears.

5. In the Select an Audit File drop-down box, select the name of the audit file you want to
reference in the scan policy.

6. Click the button.

Tenable Security Center applies the audit file to the scan policy.

7. If required, configure additional options for the audit file you applied to the scan policy. For more information, see Compliance Options.

Configure Plugin Options

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can configure plugin options within a scan policy to enable or disable plugins at the plugin
family level or individual plugin level.

Note: When Tenable adds new plugins to Tenable Security Center, Tenable Security Center automatically
enables the new plugins if the entire plugin family they belong to is enabled in your scan policy template.

To configure plugin options at the plugin family level:

1. Begin configuring a scan policy, as described in Add a Scan Policy.

2. In the left navigation bar, click Plugins.

The Plugins page appears with the plugin family view displayed.

3. In the Status column, view the plugin family status and the number of enabled plugins within
the plugin family:

- Enabled — All plugins in the family are enabled. The scan targets the parameters in the plugins.

- Disabled — All plugins in the family are disabled. The scan does not target the parameters in the plugins.

Note: Disabling a plugin family reduces the time and resources required to run the scan.

- Mixed — The plugin family contains a combination of Enabled and Disabled plugins. Mixed plugin families have a padlock icon that is locked or unlocked:

  - Locked - New plugins added to the plugin family via plugin feed updates will be disabled automatically in the policy.

  - Unlocked - New plugins added to the plugin family via plugin feed updates will be enabled automatically in the policy.

4. In the Total column, view the number of plugins in the family.

5. To enable or disable all plugins in the family, select the Enabled or Disabled slider in the
Status column.

6. To filter the plugin families listed on the page, use the Select a Filter drop-down box to build
and apply a filter.

The Total column becomes the Matched column and indicates the number of plugins in the
family that match the current filter.

7. To view only enabled or disabled plugin families, click the Enabled or Disabled tab above the
table.

8. To sort the plugin families listed on the page, click the Status, Plugin Family, or Total column
title.

9. To lock or unlock all mixed plugin families displayed on the page, click Lock All Mixed or
Unlock All Mixed.

10. To enable or disable all of the plugin families displayed on the page, click Enable Shown or
Disable Shown.

Tenable Security Center enables or disables all plugins within the plugin families shown on the
page, not just the number of plugins in the Total or Matched column. For more granular
control, set plugin statuses in the plugin view.

11. To enable or disable individual plugins within a family, click the plugin family name to access
the plugin view.

The plugin view appears.

To configure plugin options at the individual plugin level:

1. Begin configuring a scan policy as described in Add a Scan Policy.

2. Click Plugins in the left navigation bar.

The Plugins page appears.

3. Click the plugin family name.

The plugin view appears.

4. In the Status column, view the plugin status:

- Enabled — The plugin is enabled. The scan targets the parameters in the plugins.

- Disabled — The plugin is disabled. The scan does not target the parameters in the plugins.

Disabling a plugin family reduces the time and resources required to run the scan.

5. In the Plugin ID column, click the information icon to display the plugin details.

6. To enable or disable a plugin, click the Status box.

7. To filter the plugins listed on the page, use the Select a Filter drop-down box to build and
apply a filter.

8. To view only enabled or disabled plugins, click the Enabled or Disabled tab above the table.

9. To sort the plugins listed on the page, click the Status, Plugin Name, or Plugin ID column title.

10. To enable or disable all of the plugins displayed on the page, click Enable Shown or Disable
Shown.

Tenable Security Center enables or disables all plugins shown on the page.

11. To return to the plugin family view, click the Back option.

12. To view the plugins in a different family, click the drop-down box and select a different plugin
family.

Host

Tenable Security Center can use SNMPv3 credentials to scan remote systems that use an encrypted
network management protocol (including network devices). Tenable Security Center uses these
credentials to scan for patch auditing or compliance checks.

You can configure SNMPv3 options in scan policies, as described in Authentication Options and
Add a Scan Policy.

SNMPv3 Options

Username (default: -): The username for the SNMPv3 account that Tenable Security Center uses to
perform checks on the target system.

Port (Required; default: 161): The TCP port that SNMPv3 listens on for communications from
Tenable Security Center.

Security Level (default: Authentication and privacy): The security level for SNMP:

l No authentication and no privacy

l Authentication without privacy

l Authentication and privacy

Authentication algorithm (default: SHA1): The algorithm the remote service supports: MD5, SHA1,
or SHA2.

Authentication password (default: -): The password associated with the Username.

Privacy algorithm (default: AES-192): The encryption algorithm to use for SNMP traffic: AES-192,
AES-256, or DES.

Privacy password (default: -): A password used to protect encrypted SNMP communication.

Miscellaneous

Tenable Security Center supports the following additional authentication methods:

l ADSI

l F5

l IBM iSeries

l Red Hat Enterprise Virtualization (RHEV)

l Netapp API

l Palo Alto Networks PAN-OS

l VMware ESX SOAP API

l VMware vCenter SOAP API

l X.509

You can configure these authentication methods in scan policies, as described in Authentication
Options and Add a Scan Policy.

ADSI

ADSI allows Tenable Security Center to query an ActiveSync server to determine if any Android or
iOS-based devices are connected. Using the credentials and server information, Tenable Security
Center authenticates to the domain controller (not the Exchange server) to directly query it for
device information. These settings are required for mobile device scanning and Active Directory
Starter Scans.

Tenable Security Center supports obtaining the mobile information from Exchange Server 2010 and
2013 only.

Domain Controller (Required; default: -): The name of the domain controller for ActiveSync.

Domain (Required; default: -): The name of the NetBIOS domain for ActiveSync.

Domain Admin (Required; default: -): The domain administrator's username.

Domain Password (Required; default: -): The domain administrator's password.

F5

Username (Required; default: -): The username for the scanning F5 account that Tenable Security
Center uses to perform checks on the target system.

Password (Required; default: -): The password for the F5 user.

Port (Required; default: 443): The TCP port that F5 listens on for communications from Tenable
Security Center.

HTTPS (default: enabled): When enabled, Tenable connects using secure communication (HTTPS).
When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate (default: enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

IBM iSeries

Username (Required; default: -): The username for the IBM iSeries account that Tenable Security
Center uses to perform checks on the target system.

Password (Required; default: -): The password for the IBM iSeries user.

Red Hat Enterprise Virtualization (RHEV)

Username (Required; default: -): The username for the RHEV account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the RHEV user.

Port (Required; default: 443): The TCP port that the RHEV server listens on for communications
from Tenable Security Center.

Verify SSL Certificate (default: enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

Netapp API

Username (Required; default: -): The username for the Netapp API account with HTTPS access that
Tenable Security Center uses to perform checks on the target system.

Password (Required; default: -): The password for the Netapp API user.

vFiler (default: -): The vFiler nodes to scan for on the target systems. To limit the audit to a
single vFiler, type the name of the vFiler. To audit for all discovered Netapp virtual filers
(vFilers) on target systems, leave the field blank.

Port (Required; default: 443): The TCP port that Netapp API listens on for communications from
Tenable Security Center.

Palo Alto Networks PAN-OS

Username (Required; default: -): The username for the PAN-OS account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the PAN-OS user.

Port (Required; default: 443): The TCP port that PAN-OS listens on for communications from
Tenable Security Center.

Verify SSL Certificate (default: enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

VMware ESX SOAP API

For more information about configuring the VMware ESX SOAP API, see Configure vSphere Scanning.

Tenable can access VMware servers through the native VMware SOAP API.

Username (Required; default: -): The username for the ESXi server account that Tenable uses to
perform checks on the target system.

Password (Required; default: -): The password for the ESXi user.

Do not verify SSL Certificate (default: disabled): Do not validate the SSL certificate for the ESXi
server.

VMware vCenter SOAP API

For more information about configuring the VMware vCenter SOAP API, see Configure vSphere
Scanning.

Tenable can access vCenter through the native VMware vCenter SOAP API. If available, Tenable uses
the vCenter REST API to collect data in addition to the SOAP API.

Note: Tenable supports VMware vCenter/ESXi versions 7.0.3 and later for authenticated scans. This does
not impact vulnerability checks for VMware vCenter/ESXi, which do not require authentication.

Note: The SOAP API requires a vCenter account with read permissions and settings privileges. The REST
API requires a vCenter admin account with general read permissions and required Lifecycle Manager
privileges to enumerate VIBs.

vCenter Host (Required; default: -): The name of the vCenter host.

vCenter Port (Required; default: 443): The TCP port that vCenter listens on for communications
from Tenable.

Username (Required; default: -): The username for the vCenter server account with admin
read/write access that Tenable uses to perform checks on the target system.

Password (Required; default: -): The password for the vCenter server user.

HTTPS (default: enabled): When enabled, Tenable connects using secure communication (HTTPS).
When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate (default: enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

X.509

Client Certificate (Required; default: -): The client certificate.

Client Key (Required; default: -): The client private key.

Password (Required; default: -): The passphrase for the client private key.

CA Certificate to Trust (Required; default: -): The trusted Certificate Authority's (CA) digital
certificate.

Plaintext Authentication

Caution: Tenable does not recommend plaintext credentials. Instead, use encrypted authentication
methods when possible.

If a secure method of performing credentialed checks is not available, you can configure Tenable
Security Center to perform checks over unsecure protocols using plaintext authentication settings.

Tenable Security Center supports the following plaintext authentication methods:

l telnet/rsh/rexec

l NNTP

l FTP

l POP2

l POP3

l IMAP

l IPMI

l HTTP

You can configure plaintext authentication options in scan policies, as described in
Authentication Options and Add a Scan Policy.

telnet/rsh/rexec

Tenable Security Center performs patch auditing on non-Windows targets only.

Username (Required; default: -): The username for the telnet, rsh, or rexec account that Tenable
Security Center uses to perform checks on the target system.

Password (Unsafe!) (Required; default: -): The password for the telnet, rsh, or rexec user.

NNTP

Username (Required; default: -): The username for the NNTP account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the NNTP user.

FTP

Username (Required; default: -): The username for the FTP account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the FTP user.

POP2

Username (Required; default: -): The username for the POP2 account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the POP2 user.

POP3

Username (Required; default: -): The username for the POP3 account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the POP3 user.

IMAP

Username (Required; default: -): The username for the IMAP account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the IMAP user.

IPMI

Username (Required; default: -): The username for the IPMI account that Tenable Security Center
uses to perform checks on the target system.

Password (Sent in Clear) (Required; default: -): The password for the IPMI user.

HTTP

Authentication Method (Required; default: HTTP Login Form): The authentication method.

l Automatic authentication

l Basic/Digest authentication

l HTTP login form — Controls the start location of authenticated testing of a custom web-based
application.

l HTTP cookies import — Tenable Security Center uses cookies imported from another piece of
software (such as a web browser or web proxy) to facilitate web application testing when
attempting to access a web application.

Username (Required; default: -): The username for the HTTP account that Tenable Security Center
uses to perform checks on the target system.

Password (Required; default: -): The password for the HTTP user.

Login page (Required; default: -): The absolute path to the application login page. For example,
/login.html.

Login submission page (Required; default: -): The action parameter for the form method. For
example, for <form method="POST" name="auth_form" action="/login.php">, use /login.php.

Login parameters (Required; default: -): The authentication parameters (for example,
login=%USER%&password=%PASS%). Tenable Security Center replaces the %USER% and %PASS% keywords
with values supplied on the Login configurations drop-down menu.

Tip: If needed, you can provide additional parameters, such as a group name or other information
required for authentication.

Check authentication page (Required; default: -): The absolute path of a protected web page that
requires authentication. For example, /admin.html.

Regex to verify successful authentication (Required; default: -): The regex pattern you want
Tenable Security Center to look for on the login page to validate authentication.

Tip: Tenable Security Center can attempt to match a given string, such as Authentication successful.

Cookies file (Required; default: -): A cookie file in Netscape cookies.txt format.
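
The following is an added example, not code from Tenable Security Center or its plugins, that
exercises the HTTP login form settings described above (login submission page, login parameters
with the %USER% and %PASS% keywords, check authentication page, and verification regex) so an
administrator can confirm a credential set actually authenticates before relying on it in a scan
policy. The substitution, login and regex-verification logic is an assumption about how such
settings are applied; the in-process web application, the account and the session token are
constructed so the script runs offline.

```python
"""Form-login credential check modelled on the HTTP login form options (added example)."""
import http.cookiejar
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy settings, named after the options in the HTTP table (assumption).
LOGIN_FORM_CONFIG = {
    "login_submission_page": "/login.php",
    "login_parameters": "login=%USER%&password=%PASS%",
    "check_authentication_page": "/admin.html",
    "regex_to_verify": r"Authentication successful",
}

VALID_ACCOUNT = ("scanner", "s3cret!")   # constructed sample credential
SESSION_TOKEN = "c0nstructed-token"      # constructed sample session id


class FakeApp(BaseHTTPRequestHandler):
    """Constructed web application: the login form issues a session cookie and the
    protected page requires that cookie."""

    def log_message(self, *args):
        pass  # keep the console quiet

    def do_GET(self):
        if self.path == LOGIN_FORM_CONFIG["check_authentication_page"]:
            if f"session={SESSION_TOKEN}" in self.headers.get("Cookie", ""):
                self._reply(200, "<h1>Admin</h1><p>Authentication successful</p>")
            else:
                self._reply(403, "<p>Please log in</p>")
        else:
            self._reply(404, "<p>Not found</p>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if (form.get("login"), form.get("password")) == VALID_ACCOUNT:
            self._reply(200, "<p>Logged in</p>", cookie=f"session={SESSION_TOKEN}; Path=/")
        else:
            self._reply(401, "<p>Bad credentials</p>")

    def _reply(self, status, html, cookie=None):
        body = html.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(body)


def build_login_body(parameters: str, user: str, password: str) -> str:
    """Substitute %USER% and %PASS%. Values are URL-encoded first, so a password
    containing '&', '=' or a literal '%PASS%' cannot alter the parameter string."""
    return (parameters
            .replace("%USER%", urllib.parse.quote(user, safe=""))
            .replace("%PASS%", urllib.parse.quote(password, safe="")))


def form_login_check(base_url: str, config: dict, user: str, password: str) -> bool:
    """Post the login form, then fetch the protected page with the session cookie and
    report whether the verification regex matches its body."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    body = build_login_body(config["login_parameters"], user, password).encode()
    try:
        opener.open(base_url + config["login_submission_page"], data=body, timeout=5).close()
        with opener.open(base_url + config["check_authentication_page"], timeout=5) as resp:
            page = resp.read().decode()
    except urllib.error.HTTPError:
        return False  # 401/403 from either step: the credential did not work
    return re.search(config["regex_to_verify"], page) is not None


def demo() -> tuple:
    """Run the check once with the valid credential and once with a wrong password."""
    server = HTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good = form_login_check(base_url, LOGIN_FORM_CONFIG, "scanner", "s3cret!")
        bad = form_login_check(base_url, LOGIN_FORM_CONFIG, "scanner", "wrong")
    finally:
        server.shutdown()
        server.server_close()
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check deliberately fetches the protected page in a second request rather than trusting the
login response, because many applications answer a bad login with a 200 page; the regex against the
check authentication page is what proves the session is valid. For the HTTP cookies import method,
the standard library's http.cookiejar.MozillaCookieJar loads a Netscape cookies.txt file and can be
passed to the same HTTPCookieProcessor in place of the empty CookieJar.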

Patch Management

Tenable Security Center can leverage credentials for patch management systems to perform patch
auditing on systems for which credentials may not be available.

Tenable Security Center supports:

l Dell KACE K1000

l HCL BigFix

l Microsoft System Center Configuration Manager (SCCM)

l Microsoft Windows Server Update Services (WSUS)

l Red Hat Satellite Server

l Symantec Altiris

You can configure patch management options in scan policies, as described in Authentication
Options and Add a Scan Policy.

IT administrators are expected to manage the patch monitoring software and install any agents
required by the patch management system on their systems.

Note: If the credential check sees a system but it is unable to authenticate against the system, it uses the
data obtained from the patch management system to perform the check. If Tenable Security Center is able
to connect to the target system, it performs checks on that system and ignores the patch management
system output.

Note: The data returned to Tenable Security Center by the patch management system is only as current as
the most recent data that the patch management system has obtained from its managed hosts.

Scanning with Multiple Patch Managers


If you provide multiple sets of credentials to Tenable Security Center for patch management tools,
Tenable Security Center uses all of them.

If you provide credentials for a host and for one or more patch management systems, Tenable
Security Center compares the findings between all methods and reports on conflicts or provides a
satisfied finding. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch
data differences between the host and a patch management system.

Dell KACE K1000

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux,
Windows, and macOS systems. Tenable Security Center can query KACE K1000 to verify whether or
not patches are installed on systems managed by KACE K1000 and display the patch information
through the Tenable Security Center user interface.

Tenable Security Center supports KACE K1000 versions 6.x and earlier.

KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.

Server (Required; default: -): The KACE K1000 IP address or system name.

Database Port (Required; default: 3306): The TCP port that KACE K1000 listens on for
communications from Tenable Security Center.

Organization Database Name (Required; default: ORG1): The name of the organization component for
the KACE K1000 database (e.g., ORG1).

Database Username (Required; default: R1): The username for the KACE K1000 account that Tenable
Security Center uses to perform checks on the target system.

K1000 Database Password (Required; default: -): The password for the KACE K1000 user.

HCL BigFix

HCL BigFix is available to manage the distribution of updates and hotfixes for desktop systems.
Tenable Security Center can query HCL BigFix to verify whether or not patches are installed on
systems managed by HCL BigFix and display the patch information.

Package reporting is supported by RPM-based and Debian-based distributions that HCL BigFix
officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and
Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless
HCL BigFix officially supports them, there is no support available.

For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian,
Ubuntu, and Solaris are supported. Plugin 160250 must be enabled.

Tenable Security Center supports HCL BigFix 9.5 and later, including the 10.x releases.

HCL BigFix scanning uses the following Tenable plugins: 160247, 160248, 160249, 160250, and
160251.

Web Reports Server (Required; default: -): The name of the HCL BigFix Web Reports server.

Web Reports Port (Required; default: -): The TCP port that the HCL BigFix Web Reports server
listens on for communications from Tenable Security Center.

Web Reports Username (Required; default: -): The username for the HCL BigFix Web Reports
administrator account that Tenable Security Center uses to perform checks on the target system.

Web Reports Password (Required; default: -): The password for the HCL BigFix Web Reports
administrator user.

HTTPS (default: Enabled): When enabled, Tenable connects using secure communication (HTTPS).
When disabled, Tenable connects using standard HTTP.

Verify SSL certificate (default: Enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

HCL BigFix Server Configuration

In order to use these auditing features, you must make changes to the HCL BigFix server. You must
import a custom analysis into HCL BigFix so that detailed package information is retrieved and
made available to Tenable Security Center.

From the HCL BigFix Console application, import the following .bes files.

BES file:

<?xml version="1.0" encoding="UTF-8"?>


<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. <
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:43:29 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then
repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset"
architecture of operating system) of filesets of products of object repository else if (exists true whose (if tr
debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|
architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianp
(exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of
"|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exi
(if true then (exists ips image) else false)) then unique values of (full name of it & "|" & version of it as st
"pkg" & "|" & architecture of operating system) of latest installed packages of ips image else if (exists true w
then (exists pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of p
pkgdb else "<unsupported>"]]></Property>
<Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Prop
<Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowerc
"SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file
"/var/opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>

</Analysis>
</BES>

BES file:

<?xml version="1.0" encoding="UTF-8"?>


<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Task>
<Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
<Description><![CDATA[&lt;enter a description of the task here&gt; ]]></Description>
<GroupRelevance JoinByIntersection="false">
<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
<SearchText>SunOS 5.10</SearchText>
<Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS
5.10" as lowercase)</Relevance>
</SearchComponentPropertyReference>
</GroupRelevance>
<Category></Category>
<Source>Internal</Source>
<SourceID></SourceID>
<SourceReleaseDate>2021-05-12</SourceReleaseDate>
<SourceSeverity></SourceSeverity>
<CVENames></CVENames>
<SANSID></SANSID>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:50:58 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<DefaultAction ID="Action1">
<Description>
<PreLink>Click </PreLink>
<Link>here</Link>
<PostLink> to deploy this action.</PostLink>
</Description>
<ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_
patches.b64

]]></ActionScript>
</DefaultAction>
</Task>
</BES>
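
The analysis above reports each installed package as one "name|version|type|..." string (the
relevance text shown ends in "deb", "rpm", "pkg", "pkg10" or "fileset" records, or the literal
"<unsupported>"), and the Scanning with Multiple Patch Managers section describes comparing such
patch-manager data against what the host itself reports. As an added example, not code from Tenable
or HCL, the following parses those records and classifies them against a host's own package list.
The field layout follows the relevance text as far as the page shows it; the trailing architecture
fields are treated as optional because the AIX branch is truncated on the page, and both inventories
are constructed samples.

```python
"""Parse BigFix analysis package records and compare them with a host inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

KNOWN_TYPES = {"deb", "rpm", "pkg", "pkg10", "fileset"}


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    kind: str                 # deb, rpm, pkg (Solaris IPS), pkg10 (Solaris 10), fileset (AIX)
    arch: Optional[str]       # package architecture; only deb and rpm records carry it
    os_arch: Optional[str]    # "architecture of operating system", when the record has it


def parse_package_line(line: str) -> Optional[Package]:
    """Parse one analysis result; return None for blank or "<unsupported>" results."""
    line = line.strip()
    if not line or line == "<unsupported>":
        return None
    fields = line.split("|")
    if len(fields) < 3 or fields[2] not in KNOWN_TYPES:
        raise ValueError(f"unrecognised package record: {line!r}")
    name, version, kind = fields[:3]
    if kind in ("deb", "rpm"):
        # name|version|deb|arch|osarch (assumed layout, from the relevance text above)
        arch = fields[3] if len(fields) > 3 else None
        os_arch = fields[4] if len(fields) > 4 else None
    else:
        # pkg, pkg10 and fileset records carry at most the OS architecture
        arch = None
        os_arch = fields[3] if len(fields) > 3 else None
    return Package(name, version, kind, arch, os_arch)


def parse_inventory(text: str) -> Dict[str, Package]:
    """Parse a newline-separated analysis result into a name -> Package map."""
    inventory: Dict[str, Package] = {}
    for line in text.splitlines():
        pkg = parse_package_line(line)
        if pkg is not None:
            inventory[pkg.name] = pkg
    return inventory


def compare_inventories(host: Dict[str, str], manager: Dict[str, Package]) -> Dict[str, List[str]]:
    """Classify packages: 'satisfied' where host and patch manager agree on the version,
    'conflict' where they differ, 'manager_only' / 'host_only' where one source lacks the
    package. Versions are compared for equality only; ordering rules are distribution specific."""
    result: Dict[str, List[str]] = {"satisfied": [], "conflict": [], "manager_only": [], "host_only": []}
    for name, pkg in manager.items():
        if name not in host:
            result["manager_only"].append(name)
        elif host[name] == pkg.version:
            result["satisfied"].append(name)
        else:
            result["conflict"].append(f"{name}: host={host[name]} manager={pkg.version}")
    result["host_only"] = list(set(host) - set(manager))
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed sample analysis output for one Debian-based host.
SAMPLE_ANALYSIS = """\
openssl|3.0.2-0ubuntu1.10|deb|amd64|x86_64
bash|5.1-6ubuntu1|deb|amd64|x86_64
<unsupported>
"""

# Constructed sample of what the host itself reported during a credentialed check.
SAMPLE_HOST = {"openssl": "3.0.2-0ubuntu1.12", "bash": "5.1-6ubuntu1", "curl": "7.81.0-1ubuntu1.15"}


def demo() -> Dict[str, List[str]]:
    return compare_inventories(SAMPLE_HOST, parse_inventory(SAMPLE_ANALYSIS))


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(f"{bucket}: {items}")
```

A "manager_only" entry is the case the notes above describe: the patch manager's data is only as
current as its last contact with the host, so a package the host no longer reports, or reports at a
different version, shows up as stale or conflicting data rather than as a satisfied finding.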

Microsoft System Center Configuration Manager (SCCM)

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of
Windows-based systems. Tenable Security Center can query the SCCM service to verify whether or
not patches are installed on systems managed by SCCM and display the patch information through
the scan results.

Tenable Security Center connects to the server that is running the SCCM site (e.g., credentials must
be valid for the SCCM service, so the selected user must have privileges to query all the data in the
SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository
can be on separate servers. When leveraging this audit, Tenable Security Center must connect to
the SCCM server via WMI and HTTPS.

Note: SCCM scanning with Tenable products requires one of the following roles: Read-only Analyst,
Operations Administrator, or Full Administrator. For more information, see Setting Up SCCM Scan Policies.

SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.

Note: SCCM patch management plugins support versions from SCCM 2007 up to and including
Configuration Manager version 2309.

Server (Required; default: -): The SCCM IP address or system name.

Domain (Required; default: -): The name of the SCCM server's domain.

Username (Required; default: -): The username for the SCCM user account that Tenable Security
Center uses to perform checks on the target system. The user account must have privileges to
query all data in the SCCM MMC.

Password (Required; default: -): The password for the SCCM user with privileges to query all data
in the SCCM MMC.

Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of
updates and hotfixes for Microsoft products. Tenable Security Center can query WSUS to verify
whether or not patches are installed on systems managed by WSUS and display the patch
information through the Tenable Security Center user interface.

WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.

Server (Required; default: -): The WSUS IP address or system name.

Port (Required; default: 8530): The TCP port that Microsoft WSUS listens on for communications
from Tenable Security Center.

Username (Required; default: -): The username for the WSUS administrator account that Tenable
Security Center uses to perform checks on the target system.

Password (Required; default: -): The password for the WSUS administrator user.

HTTPS (default: Enabled): When enabled, Tenable connects using secure communication (HTTPS).
When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate (default: Enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

Red Hat Satellite Server

Red Hat Satellite is a systems management platform for Linux-based systems. Tenable Security
Center can query Satellite to verify whether or not patches are installed on systems managed by
Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server,
the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based
on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat
Enterprise Linux.

Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.

Satellite Server (Required; default: -): The Red Hat Satellite IP address or system name.

Port (Required; default: 443): The TCP port that Red Hat Satellite listens on for communications
from Tenable Security Center.

Username (Required; default: -): The username for the Red Hat Satellite account that Tenable
Security Center uses to perform checks on the target system.

Password (Required; default: -): The password for the Red Hat Satellite user.

Verify SSL Certificate (default: Enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

Red Hat Satellite 6 Server

Red Hat Satellite 6 is a systems management platform for Linux-based systems. Tenable Security
Center can query Satellite to verify whether or not patches are installed on systems managed by
Satellite and display the patch information.

Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk
Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage
distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite
server for Red Hat Enterprise Linux.

Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238,
84231, 84232, and 84233.

Satellite Server (Required; default: -): The Red Hat Satellite 6 IP address or system name.

Port (Required; default: 443): The TCP port that Red Hat Satellite 6 listens on for communications
from Tenable Security Center.

Username (Required; default: -): The username for the Red Hat Satellite 6 account that Tenable
Security Center uses to perform checks on the target system.

Password (Required; default: -): The password for the Red Hat Satellite 6 user.

HTTPS (default: Enabled): When enabled, Tenable connects using secure communication (HTTPS).
When disabled, Tenable connects using standard HTTP.

Verify SSL Certificate (default: Enabled): When enabled, Tenable verifies that the SSL certificate
on the server is signed by a trusted CA.

Tip: If you are using a self-signed certificate, disable this setting.

Symantec Altiris

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux,
Windows, and macOS systems. Tenable Security Center has the ability to use the Altiris API to verify
whether or not patches are installed on systems managed by Altiris and display the patch
information through the Tenable Security Center user interface.

Tenable Security Center connects to the Microsoft SQL server that is running on the Altiris host.
When leveraging this audit, if the MSSQL database and Altiris server are on separate hosts, Tenable
Security Center must connect to the MSSQL database, not the Altiris server.

Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.

Server (Required; default: -): The Altiris IP address or system name.

Database Port (Required; default: 5690): The TCP port that Altiris listens on for communications
from Tenable Security Center.

Database Name (Required; default: Symantec_CMDB): The name of the MSSQL database that manages
Altiris patch information.

Database Username (Required; default: -): The username for the Altiris MSSQL database account
that Tenable Security Center uses to perform checks on the target system. Credentials must be
valid for an MSSQL database account with the privileges to query all the data in the Altiris MSSQL
database.

Database Password (Required; default: -): The password for the Altiris MSSQL database user.

Use Windows Authentication (default: Enabled): When enabled, use NTLMSSP for compatibility with
older Windows Servers. When disabled, use Kerberos.

View Your Scan Policies

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Scan Policies.

To view a list of configured scan policies:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. View details about each scan policy.

l Name — The name of the scan policy.

l Tag — The tag applied to the scan policy.

l Type — The name of the template used to add the scan policy.

l Group — The group associated with the scan policy.

l Owner — The username for the user associated with the scan policy.

l Last Modified — The date and time the scan policy was last modified.

View Scan Policy Details

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can view details for individual scan policies. For more information, see Scan Policies.

To view details of a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. Right-click the row for the scan policy you want to view.

The actions menu appears.

-or-

Select the check box for the scan policy you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Policy page appears.

General section: View general information for the scan policy.

l Name — The name of the scan policy.

l Description — The description for the scan policy.

l Tag — The tag applied to the scan policy.

l Type — The name of the template used to add the scan policy.

l Created — The date and time the scan policy was added.

l Last Modified — The date and time the scan policy was last modified.

l Owner — The username for the user associated with the scan policy.

l Group — The group associated with the scan policy.

l ID — The scan policy ID.

Configuration section (template-based policies only): View a summary of options configured for
the scan policy. For more information, see Scan Policy Options.

Options tabs: View all of the options configured for the scan policy. The tabs displayed depend on
the scan policy type. For more information, see Scan Policy Options.

Edit a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Scan Policies.

To edit a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. Right-click the row for the scan policy you want to edit.

The actions menu appears.

-or-

Select the check box for the scan policy you want to edit.

The available actions appear at the top of the table.

4. Click More > Edit.

The Edit Policy page appears.

5. Modify the scan policy. For more information, see Scan Policy Options.

6. Click Submit.

Tenable Security Center saves your configuration.

Share or Revoke Access to a Scan Policy

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can share or revoke access to a scan policy to allow or restrict access to a user group. When
you share a scan policy with a user group, users in the group with the appropriate permissions can
use the policy in an active scan, modify policy options, and more.

For more information, see Scan Policies. For more information about user groups, see Groups.

To share or revoke access to a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. Right-click the row for the scan policy for which you want to share or revoke access.

The actions menu appears.

-or-

Select the check box for the scan policy for which you want to share or revoke access.

The available actions appear at the top of the table.

4. Click Share.

The Share Policy window appears.

5. In the Share Policy window, select the groups for which you want to share or revoke access to
the scan policy.

6. Click Submit.

Tenable Security Center saves your configuration.

Export a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

Note: Exported scan policies are not backwards-compatible. If you are running Tenable Security Center
6.0.0 or later and you export a scan policy, you can only import the scan policy into another instance of
Tenable Security Center 6.0.0 or later.

You can export a scan policy as a .nessus file and import it to another Tenable Security Center to
use in an active scan configuration.

In some cases, Tenable Support may also ask you to export a scan policy for troubleshooting.

Note: Exported scan policy files do not include audit files or credentials. You can re-configure audit files
and credentials you want to use with the scan policy on the Tenable Security Center where you import the
scan policy. For more information, see Audit Files and Credentials.

For more information, see Scan Policies.

Before you begin:


l Add a scan policy, as described in Add a Scan Policy.

l Confirm your PHP Serialization Mode setting is set to PHP Serialization ON. For more
information, see Security Settings.

To export a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. To export a single scan policy:

a. In the table, right-click the row for the scan policy you want to export.

The actions menu appears.

To export multiple scan policies:

a. In the table, select the check box for each scan policy you want to export.

The available actions appear at the top of the table.

4. Click Export.

Tenable Security Center exports the scan policy as an .xml file (the .nessus policy format).

What to do next:
l Do any of the following:
o Import the scan policy into another Tenable Security Center, as described in Import a
Scan Policy.
o If Tenable Support requested a scan policy file for troubleshooting, share the scan policy
file with Tenable Support.
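The notes above state that an exported policy carries no credentials or audit files. Before a policy file leaves your environment (to Tenable Support or to another team), and after importing a policy from another source, it is worth confirming that on the actual file. The script below is an added example, not code from the Tenable Security Center user guide: it parses the exported XML and reports any preference whose name looks credential-like and whose value is populated. The sample policy is constructed for the example, the element names follow the public .nessus v2 layout, and the list of sensitive name patterns is this example's own assumption, so extend it to match your policies.

```python
"""Check an exported Tenable Security Center / Nessus policy (.nessus XML) for
populated secret fields before sharing it.

Added example, not part of the Tenable Security Center user guide. The sample
XML below is constructed; the sensitive-name heuristics are an assumption.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Preference names that usually carry secrets in Nessus policies (assumption).
SENSITIVE_NAME = re.compile(
    r"(password|passphrase|secret|private.?key|token|community)", re.IGNORECASE
)

# Constructed sample: a minimal exported policy in which one SSH password
# survived the export. Values are deliberately fake.
SAMPLE_POLICY = """<NessusClientData_v2>
  <Policy>
    <policyName>Internal - Credentialed Linux</policyName>
    <Preferences>
      <ServerPreferences>
        <preference><name>max_hosts</name><value>30</value></preference>
        <preference><name>safe_checks</name><value>yes</value></preference>
      </ServerPreferences>
      <PluginsPreferences>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH user name :</preferenceName>
          <selectedValue>svc-scan</selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH password (unsafe!) :</preferenceName>
          <selectedValue>Hunter2!</selectedValue>
        </item>
        <item>
          <pluginName>SSH settings</pluginName>
          <preferenceName>SSH private key :</preferenceName>
          <selectedValue></selectedValue>
        </item>
      </PluginsPreferences>
    </Preferences>
  </Policy>
</NessusClientData_v2>
"""


def find_embedded_secrets(policy_xml: str) -> list:
    """Return (preference name, value) pairs that look like populated secrets.

    Blank values are ignored: a credential field that is present but empty is
    exactly what a clean export should look like.
    """
    root = ET.fromstring(policy_xml)
    hits = []
    # Server-level preferences: <preference><name/><value/></preference>
    for pref in root.iter("preference"):
        name = (pref.findtext("name") or "").strip()
        value = (pref.findtext("value") or "").strip()
        if value and SENSITIVE_NAME.search(name):
            hits.append((name, value))
    # Plugin-level preferences: <item><preferenceName/><selectedValue/></item>
    for item in root.iter("item"):
        name = (item.findtext("preferenceName") or "").strip()
        value = (item.findtext("selectedValue") or "").strip()
        if value and SENSITIVE_NAME.search(name):
            hits.append((name, value))
    return hits


def policy_name(policy_xml: str) -> str:
    """Return the policy name recorded in the export."""
    return ET.fromstring(policy_xml).findtext("./Policy/policyName") or ""


def is_safe_to_share(policy_xml: str) -> bool:
    """True when no populated secret-looking field was found."""
    return not find_embedded_secrets(policy_xml)


if __name__ == "__main__":
    # Usage: python check_policy.py exported_policy.xml (falls back to the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print(f"policy: {policy_name(xml_text)}")
    for name, _ in find_embedded_secrets(xml_text):
        print(f"  populated secret field: {name!r}")  # value intentionally not echoed
    sys.exit(0 if is_safe_to_share(xml_text) else 1)
```

The script prints only the offending field names, never the values, so its output can itself be pasted into a ticket. A non-zero exit status makes it easy to wire into whatever process packages files for support.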

Import a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can import a .nessus scan policy file from Tenable Nessus or from another Tenable Security
Center to use in an active scan configuration. For more information, see Scan Policies.

Note: Imported scan policies do not include audit files or credentials. For more information, see Audit Files
and Credentials.

Before you begin:

l Ensure your PHP Serialization Mode setting is PHP Serialization ON. For more information,
see Security Settings.

l Do one of the following:


o Export a scan policy from another Tenable Security Center, as described in Export a
Scan Policy.
o Export a scan policy from Tenable Nessus. For more information, see Policies in the
Tenable Nessus User Guide.

To import a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. At the top of the table, click Upload Policy.

The Upload Policy page appears.

4. In the Name box, type a name for the scan policy.

5. (Optional) In the Description box, type a description for the scan policy.

6. (Optional) In the Tag box, type or select a tag for the scan policy.

7. Click Choose File and browse to the .nessus scan policy file you want to import.

8. Click Submit.

Tenable Security Center imports the scan policy.

What to do next:
l (Optional) Modify the scan policy settings, as described in Edit a Scan Policy.

l (Optional) Configure audit files and credentials you wish to reference with the scan policy, as
described in Add a Custom Audit File and Add Credentials.

l Reference the scan policy in an active scan configuration, as described in Add an Active Scan.

Copy a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Scan Policies.

To create a copy of a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. To copy a single scan policy:

a. In the table, right-click the row for the scan policy you want to copy.

The actions menu appears.

To copy multiple scan policies:

a. In the table, select the check box for each scan policy you want to copy.

The available actions appear at the top of the table.

4. Click Copy.

Tenable Security Center copies the scan policy. The copy appears, named Copy of
PolicyName.

Delete a Scan Policy

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Scan Policies.

Note: If you delete a scan policy referenced by an active scan, Tenable Security Center disables the scan.
For more information, see Scan Result Statuses.

Before you begin:

l If any active scans reference the scan policy you intend to delete, update the active scans to
use a different scan policy, as described in Manage Active Scans.

To delete a scan policy:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. In the table, right-click the row for the scan policy you want to delete.

The actions menu appears.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the scan policy.

To delete multiple scan policies:

1. Log in to Tenable Security Center via the user interface.

2. Click Scanning > Policies (administrator users) or Scans > Policies (organizational users).

The Policies page appears.

3. In the table, select the check box for each scan policy you want to delete.

The available actions appear at the top of the table.

4. At the top of the table, click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the scan policies.

Agent Scanning

To perform agent scanning, Tenable Security Center fetches agent scan results from agent-capable
Tenable Nessus Manager or Tenable Vulnerability Management instances. Using Tenable Nessus
Agents for scanning reduces network usage and allows devices to maintain their scan schedules
even when disconnected from the network. Tenable Security Center fetches these results for
review with other acquired information about the host and network.

You can configure one or both methods of fetching agent scan results in Tenable Security Center:

l Agent scans fetch results from agent scans you add and launch in Tenable Security Center.
When you add an agent scan in Tenable Security Center, Tenable Security Center creates a
corresponding agent scan in an instance of Tenable Nessus Manager or Tenable Vulnerability
Management that you linked to Tenable Security Center. When you launch an agent scan in
Tenable Security Center, Tenable Security Center launches the corresponding scan in Tenable
Nessus Manager or Tenable Vulnerability Management, then imports the results into Tenable
Security Center.

You can create agent scans in Tenable Security Center using the Advanced Agent Scan
template. For more information, see Scan Policy Templates.

For more information, see Agent Scans.

l Agent synchronization jobs fetch results from agent scans you previously created and
launched in Tenable Nessus Manager or Tenable Vulnerability Management.

Agent synchronization jobs can fetch results from agent scans configured in Tenable Nessus
Manager or Tenable Vulnerability Management using any agent scan template.

For more information, see Agent Synchronization Jobs.

To configure agent scanning:

1. Configure Tenable Nessus Agents in either Tenable Nessus Manager or Tenable Vulnerability
Management, as described in Deployment Workflow in the Tenable Nessus Agent Deployment
and User Guide.

2. Add your agent-capable Tenable Nessus Manager or Tenable Vulnerability Management
instance as a Tenable Nessus scanner in Tenable Security Center, as described in Tenable
Nessus Scanners.

3. Add one or more agent repositories in Tenable Security Center, as described in Add a
Repository.

4. Do one or both of the following:

l Add an agent scan using the Basic Agent Scan or Advanced Agent Scan template in
Tenable Security Center, as described in Add an Agent Scan.

l Add an agent synchronization job in Tenable Security Center, as described in Add an
Agent Synchronization Job.

What to do next:
l View scan results, as described in Scan Results.

l View vulnerability data by unique Agent ID, as described in Vulnerability Analysis.

Agent Scans
Agent scans fetch results from agent scans you add and launch in Tenable Security Center. When
you add an agent scan in Tenable Security Center, Tenable Security Center creates a corresponding
agent scan in an instance of Tenable Nessus Manager or Tenable Vulnerability Management that you
linked to Tenable Security Center. When you launch an agent scan in Tenable Security Center,
Tenable Security Center launches the corresponding scan in Tenable Nessus Manager or Tenable
Vulnerability Management, then imports the results into Tenable Security Center.

You can create agent scans in Tenable Security Center using the Advanced Agent Scan template.
For more information, see Scan Policy Templates.

For more information about agent scanning in Tenable Security Center, see Agent Scanning.

The Agent Scans page displays a list of all available agent scans. Tenable Security Center shares
newly created agent scan import schedules to everyone within the same user group when users
have the appropriate permissions.

When more than one agent scan result is ready on Tenable Vulnerability Management or Tenable
Nessus Manager, the scan results queue for import to Tenable Security Center.

For more information about agent scans, see:

l Add an Agent Scan

l Agent Scan Settings

l Manage Agent Scans

Add an Agent Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can create agent scans in Tenable Security Center using the Advanced Agent Scan template.
For more information, see Scan Policy Templates.

For more information, see Agent Scans and Agent Scan Settings.

Before you begin:


l Confirm you understand the complete agent scanning configuration process, as described in
Agent Scanning.

l (Optional) Configure an Advanced Agent Scan policy template, as described in Add a Scan
Policy.

To add an agent scan:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Agent Scans.

The Agent Scans page appears.

3. At the top of the table, click Add.

The Add Agent Scan page appears.

4. Click General.

5. Type a Name for the scan.

6. (Optional) Type a Description for the scan.

7. (Optional) To reference an Advanced Agent Scan policy in the scan:

a. Click Custom Policy to enable the toggle.

b. In the Policy drop-down menu, select the Advanced Agent Scan policy.

8. Select an Agent Scanner.

9. Select one or more Agent Groups.

10. Select a Scan Window.

11. (Optional) Select a Schedule for the scan.

12. Click Settings.

13. Select an Import Repository for the scan.

14. (Optional) Click Post Scan.

l If you want to configure automatic report generation, click Add Report. For more
information, see Add a Report to a Scan.

15. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l View scan results, as described in Scan Results.

l View vulnerability data by unique Agent ID, as described in Vulnerability Analysis.

Manage Agent Scans

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about agent scans, see Agent Scans.

To manage agent scans:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Agent Scans.

The Agent Scans page appears.

3. To filter the scans that appear on the page, apply a filter as described in Apply a Filter.

4. To start an agent scan, see Start or Pause a Scan.

5. To view details for a scan:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click View.

The View Agent Scan page appears.

6. To edit a scan:
a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Edit.

The Edit Agent Scan page appears.

c. Modify the scan options. For more information, see Agent Scan Settings.

d. Click Submit.

Tenable Security Center saves your configuration.

7. To delete a scan:

a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Delete.

Tenable Security Center deletes the scan.

8. To delete multiple scans:


a. In the table, select the check box for each scan you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the scans.

Agent Scan Settings


For more information, see Agent Scans.

l General Options

l Settings Options

l Post Scan Options

General Options
Parameter Description Default

General

Name The scan name associated with the scan’s results. This may --
be any name or phrase (for example, SystemA, DMZ Scan, or
Daily Scan of the Web Farm).

Description Descriptive information related to the scan. --

Custom Policy When enabled, select an agent scan policy to apply to the Disabled
scan. For more information, see Scan Policy Templates.

When disabled, the scan uses a Tenable Nessus or Tenable
Vulnerability Management Basic Agent Scan template. For
more information, see Agent Scan and Policy Templates in
the Tenable Nessus Agent Deployment and User Guide and
Tenable-Provided Agent Templates in the Tenable
Vulnerability Management User Guide.

Policy (If Custom Policy is enabled) The name of the agent scan --
policy.

Agent Scanner The Agent-enabled scanner from which to retrieve agent --
results.

Agent Groups Specifies the agent group or groups in Tenable Nessus --
Manager you want the scan to target. For more information,
see Agent Groups in the Tenable Nessus User Guide.

Scan Window Specifies the amount of time Tenable Security Center waits 1 hour
before fetching the results of the agent scan: 15 minutes,
30 minutes, 1 hour, 3 hours, 6 hours, 12 hours, or 1 day.

If Tenable Security Center fetches results for the scan
before the scan completes, Tenable Security Center displays
the results available at the time the scan window expired.
The agent scan continues to run in Tenable Vulnerability
Management or Tenable Nessus Manager during the scan
window specified in Tenable Vulnerability Management or
Tenable Nessus Manager, even if the scan window in
Tenable Security Center expires.

Note: To view complete agent scan result data in Tenable
Security Center, Tenable recommends setting a Scan Window
value that allows your agent scans to complete before Tenable
Security Center fetches the results.

Schedule

Schedule The frequency you want Tenable Security Center to fetch On Demand
agent scan results: Now, Remediation, Once, Daily, Weekly,
Monthly, or On Demand.

Note: If you schedule your scan to repeat monthly, Tenable
recommends setting a start date no later than the 28th day. If
you select a start date that does not exist in some months
(e.g., the 29th), Tenable Security Center cannot run the scan on
those days.

Tip: Retrieve agent scan results as close to the completion
time of the scan as possible to most accurately display within
Tenable Security Center when the scan discovered the
vulnerability results.

Settings Options
Parameter Description Default

Import Specifies the repository where you want the agent scan --
Repository results to import. Select an agent repository to receive scan
data.

Note: You cannot import agent scan data to a non-agent
repository.

Post Scan Options

These options determine what actions occur immediately before and after the agent scan
completes.

Option Description Default

Add This option provides a list of reports available to the user to run --
Report when the agent scan data import completes. For more
information, see Add a Report to a Scan.

Agent Synchronization Jobs


Agent synchronization jobs fetch results from agent scans you previously created and launched in
Tenable Nessus Manager or Tenable Vulnerability Management. Agent synchronization jobs can
fetch results from agent scans configured in Tenable Nessus Manager or Tenable Vulnerability
Management using any agent scan template. For more information about agent scanning in Tenable
Security Center, see Agent Scanning.

The Agent Synchronization Jobs page displays a list of all available agent synchronization jobs.
Tenable Security Center shares newly created agent scan import schedules to everyone within the
same user group when users have the appropriate permissions.

When more than one agent scan result is ready on Tenable Nessus Manager, the scan results queue
for import to Tenable Security Center.

For more information about agent synchronization jobs, see:

l Add an Agent Synchronization Job

l Agent Synchronization Job Settings

l Manage Agent Synchronization Jobs

Add an Agent Synchronization Job

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about agent synchronization jobs, see Agent Synchronization Jobs. For more
information about agent synchronization job options, see Agent Synchronization Job Settings.

Before you begin:

l Confirm you understand the complete agent scanning configuration process, as described in
Agent Scanning.

To add an agent synchronization job:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Agent Synchronization Jobs.

The Agent Synchronization Jobs page appears.

3. At the top of the table, click Add.

The Add Agent Synchronization Job page appears.

4. Click General.

5. Type a Name for the agent synchronization job.

6. (Optional) Type a Description for the agent synchronization job.

7. Select an Agent Scanner.

8. Type an Agent Scan Name Filter.

9. (Optional) If you want to limit the scan results fetched by Tenable Security Center, enable
Scan Result Threshold and select a date and time to specify the oldest scan results you want
Tenable Security Center to fetch.

10. (Optional) Select a Schedule for the agent synchronization job.

11. Click Settings.

12. Select an Import Repository for the agent synchronization job.

13. (Optional) Click Post Scan.

l If you want to configure automatic report generation, click Add Report. For more
information, see Add a Report to a Scan.

l If you previously added an email address to your account profile and you want to
configure email notifications, enable or disable E-Mail Me on Launch or E-Mail Me on
Completion.

14. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l View scan results, as described in Scan Results.

l View vulnerability data by unique Agent ID, as described in Vulnerability Analysis.

Manage Agent Synchronization Jobs

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Agent Synchronization Jobs.

To manage agent synchronization jobs:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Agent Synchronization Jobs.

The Agent Synchronization Jobs page appears.

3. To filter the agent synchronization jobs that appear on the page, apply a filter as described in
Apply a Filter.

4. To start or pause an agent synchronization job, see Start or Pause a Scan.

5. To view details for an agent synchronization job:


a. Right-click the row for the agent synchronization job.

The actions menu appears.

-or-

Select the check box for the agent synchronization job.

The available actions appear at the top of the table.

b. Click View.

The View Agent Synchronization Job page appears.

6. To edit an agent synchronization job:
a. Right-click the row for the agent synchronization job.

The actions menu appears.

-or-

Select the check box for the agent synchronization job.

The available actions appear at the top of the table.

b. Click Edit.

The Edit Agent Synchronization Job page appears.

c. Modify the agent synchronization job options. For more information, see Agent
Synchronization Job Settings.

d. Click Submit.

Tenable Security Center saves your configuration.

7. To copy an agent synchronization job:


a. Right-click the row for the agent synchronization job.

The actions menu appears.

-or-

Select the check box for the agent synchronization job.

The available actions appear at the top of the table.

b. Click Copy.

Tenable Security Center creates a copy of the agent synchronization job.

To copy multiple agent synchronization jobs:


a. In the table, select the check box for each agent synchronization job you want to copy.

The available actions appear at the top of the table.

b. At the top of the table, click Copy.

Tenable Security Center creates a copy of the agent synchronization job.

8. To delete an agent synchronization job:


a. Right-click the row for the agent synchronization job.

The actions menu appears.

-or-

Select the check box for the agent synchronization job.

The available actions appear at the top of the table.

b. Click Delete.

Tenable Security Center deletes the agent synchronization job.

To delete multiple agent synchronization jobs:


a. In the table, select the check box for each agent synchronization job you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the agent synchronization jobs.

Agent Synchronization Job Settings


For more information, see Agent Synchronization Jobs.

l General Options

l Settings Options

l Post Scan Options

General Options

Option Description

Name The agent synchronization job name associated with the scan’s results. This
may be any name or phrase (e.g., SystemA, DMZ Scan, Daily Scan of the
Web Farm, etc.).

Description A description for the agent synchronization job.

Agent Scanner The agent-capable scanner from which you want Tenable Security Center to
retrieve agent results.

Agent Scan A filter for agent scan results to retrieve from the Tenable Nessus Agent-
Name Filter enabled scanner. Filters can use the specific name of the result(s) to
retrieve or an asterisk (*) or question mark (?) for all or part of the scan
result name(s) to retrieve. You can find the available agent scans retrieved
from the selected scanner on the Scan page of the user logged in to the
Nessus server.

You can click the Preview Filter button to view results that match the filter.

Scan Result Specifies whether Tenable Security Center fetches all or some agent scan
Threshold results from the agent-capable scanner.

l When disabled, Tenable Security Center fetches all agent scan results.

l When enabled, Tenable Security Center restricts the agent scan
results it fetches.

Note: You cannot modify the Scan Result Threshold after initial creation of the
agent synchronization job.

After you create the agent synchronization job, the Edit Agent
Synchronization Job and View Agent Synchronization Job pages display
the Last Fetched date to indicate when Tenable Security Center performed
the most recent successful agent synchronization job.

Select Date When Scan Result Threshold is enabled, specifies the oldest agent scan
and Time results you want Tenable Security Center to fetch.

Schedule The frequency you want Tenable Security Center to fetch agent scan results.

Select Now, Once, Daily, Weekly, Monthly, On Demand, or Dependent.
On Demand creates an agent scan result retrieval template that you
can launch manually at any time. The other options retrieve agent scan
results at the specified times and intervals.

Tenable recommends retrieving agent scan results as close to the
completion time of the scan as possible to most accurately display within
Tenable Security Center when the scan discovered the vulnerability results.
For more information about how Tenable Security Center determines
vulnerability discovery dates, see Vulnerability Discovered.

Note: If you schedule your scan to repeat monthly, Tenable recommends setting
a start date no later than the 28th day. If you select a start date that does not
exist in some months (e.g., the 29th), Tenable Security Center cannot run the
scan on those days.
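The Agent Scan Name Filter and Scan Result Threshold settings above decide which result sets a synchronization job pulls in, and a filter that is slightly off silently leaves results on the Tenable Nessus Manager. The following script is an added example, not code from the Tenable Security Center user guide: it lets you try a filter and threshold offline against a list of result names before you commit to them in the job (the Preview Filter button does the same against the live scanner). The wildcard rules are this example's reading of the description above (* matches any run of characters, ? matches exactly one, comparison is case-sensitive), and the result list is constructed.

```python
"""Preview which agent scan results an agent synchronization job would fetch.

Added example, not part of the Tenable Security Center user guide. Wildcard
semantics and case sensitivity are assumptions; the result list is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Small helper so timestamps in this example are unambiguous UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AgentScanResult:
    name: str          # scan name as shown on the Nessus Manager Scans page
    completed: datetime


# Constructed sample of completed agent scan results on a Tenable Nessus Manager.
SAMPLE_RESULTS = [
    AgentScanResult("Agent Scan - Linux - Weekly", utc(2024, 6, 3, 2, 0)),
    AgentScanResult("Agent Scan - Linux - Weekly", utc(2024, 6, 10, 2, 0)),
    AgentScanResult("Agent Scan - Windows - Weekly", utc(2024, 6, 10, 3, 0)),
    AgentScanResult("Agent Scan - Linux - Adhoc", utc(2024, 6, 11, 9, 30)),
    AgentScanResult("Workstation Baseline", utc(2024, 6, 12, 1, 0)),
]


def filter_to_regex(name_filter: str) -> re.Pattern:
    """Translate an Agent Scan Name Filter (* and ? wildcards) to an anchored regex.

    Every other character is matched literally, so dots, dashes and
    parentheses in scan names need no escaping by the user.
    """
    parts = []
    for ch in name_filter:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def preview_fetch(results, name_filter: str, threshold: datetime = None) -> list:
    """Return the results the job would import, oldest first.

    threshold mirrors Scan Result Threshold: when set, results completed before
    it are skipped; when None (threshold disabled), every matching result is
    fetched.
    """
    pattern = filter_to_regex(name_filter)
    chosen = [
        r for r in results
        if pattern.match(r.name) and (threshold is None or r.completed >= threshold)
    ]
    return sorted(chosen, key=lambda r: r.completed)


if __name__ == "__main__":
    for r in preview_fetch(SAMPLE_RESULTS, "Agent Scan - Linux - *", utc(2024, 6, 10)):
        print(f"{r.completed:%Y-%m-%d %H:%M}  {r.name}")
```

Because the threshold cannot be changed after the job is created, run the preview with the exact date you intend to use; note also that two results with the same scan name (the two weekly Linux runs above) are both fetched, and Tenable Security Center queues them for import in order.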

Settings Options
Parameter Description

Import Specifies the agent repository where you want the agent scan results to
Repository import.

Note: You cannot import agent scan data to a non-agent repository.

Post Scan Options


These options determine what actions occur immediately before and after the agent
synchronization job completes. The table below describes the post agent synchronization job
options available to users:

Option Description

Add This option provides a list of reports available to the user to run when the agent
Report scan data import completes.


Click the group and owner of the report to display the list of valid report options,
then click the report you want in the list; you can narrow the list with the text
search box. When hovering over a report name, you can select the information icon
to display the name and description of the report. You can base the generated
report on the current scan’s results or on the results in the cumulative database.

Select the check mark to queue the report to launch once the agent synchronization
job completes, or select the X to discard the selection. Once added, you can modify
or delete the report entry.

Web App Scans


Required Additional License: Tenable Web App Scanning for Tenable Security Center

Web application scanning in Tenable Security Center allows you to scan and address web
application vulnerabilities that traditional scanners cannot scan.

You can use a Tenable Nessus scanner to perform web app scans. For more information about
Tenable Nessus scanners, see Tenable Nessus Scanners.

For more information about web app scans in Tenable Security Center, see Manage Web App Scans
and Web App Scan Settings.

For more information about your Tenable Web App Scanning for Tenable Security Center license,
see License Requirements.

Note: Tenable Security Center allows only one concurrent web app scan per configured Tenable Nessus
scanner at a time.

To fully configure web app scans using a Tenable Nessus scanner:

1. Apply the Tenable Web App Scanning for Tenable Security Center license, as described in
Update an Existing License.

2. Ensure the Tenable Web App Scanning plugins are updated, as described in Plugin/Feed
Settings. The plugins automatically update when the license is updated.

3. If you are configuring a Tenable Nessus scanner:

a. Ensure you are running Docker version 20.0.0 or later on your Tenable Nessus host.
Tenable recommends the official Docker builds and install packages.

b. Ensure you are running Tenable Nessus version 10.6.1 or later.

c. Ensure your system meets the hardware requirements for Tenable Nessus with Tenable
Web App Scanning enabled.

Note: The following platforms do not support web app scanning in Tenable Nessus:
l Any host system that does not support official Docker builds.
l Any host that uses an ARM-based processor (for example, AArch64 Linux
distributions and macOS M1 and M2 systems).
l Tenable Core + Tenable Nessus, or any instance of Tenable Nessus that already runs
within a Docker image.
For more information about Docker support on virtualized hosts, see the Docker
documentation.

4. Enable the Tenable Web App Scanning Capable option for the Tenable Nessus scanner in
Tenable Security Center, as described in Tenable Nessus Scanners.

5. Add a scan zone in Tenable Security Center, as described in Add a Scan Zone.

6. Add a universal repository for the scan data in Tenable Security Center, as described in Add a
Repository.

7. Configure your Tenable Web App Scanning credentials, as described in Add Credentials.

8. Create a Web App Scanning scan policy, as described in Add a Scan Policy.

9. Add a web app scan in Tenable Security Center, as described in Add a Web App Scan.

What to do next:
l View scan results, as described in Scan Results.

l View web app scan vulnerability data, as described in Web App Scanning Analysis.
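Steps 3a through 3c above are host-side requirements that Tenable Security Center cannot see when you enable the Tenable Web App Scanning Capable option on a scanner, so a web app scan that is misconfigured there fails only at launch time. The script below is an added example, not code from the Tenable Security Center user guide: run it on the Tenable Nessus host to confirm the Docker version, the Tenable Nessus version and the processor architecture before you enable the option. The version-comparison helpers take plain strings so they can be tested offline; gather_live_facts() calls docker version and uname -m (real commands) and /opt/nessus/sbin/nessusd -v, whose output format is assumed here rather than taken from the guide. The remaining restrictions in the note (Tenable Core, and Nessus already running inside Docker) are not something a version check can detect, so they are left to you.

```python
"""Pre-flight check for enabling Tenable Web App Scanning on a Tenable Nessus host.

Added example, not part of the Tenable Security Center user guide. Minimum
versions come from the guide; the nessusd -v output format is an assumption.
"""
import os
import platform
import re
import shutil
import subprocess

MIN_DOCKER = (20, 0, 0)   # "Docker version 20.0.0 or later"
MIN_NESSUS = (10, 6, 1)   # "Tenable Nessus version 10.6.1 or later"
ARM_MARKERS = ("aarch64", "arm64", "armv")   # uname -m values for ARM hosts
NESSUSD = "/opt/nessus/sbin/nessusd"          # default Nessus install path (assumption)


def parse_version(text: str) -> tuple:
    """Pull the first dotted version number out of arbitrary tool output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def is_arm(machine: str) -> bool:
    """True for ARM-based hosts, which the guide lists as unsupported."""
    return machine.lower().startswith(ARM_MARKERS)


def was_prereqs(docker_out: str, nessus_out: str, machine: str) -> dict:
    """Evaluate every check and return {check name: (passed, detail)}."""
    checks = {}
    for label, out, minimum in (("docker >= 20.0.0", docker_out, MIN_DOCKER),
                                ("nessus >= 10.6.1", nessus_out, MIN_NESSUS)):
        try:
            version = parse_version(out)
            checks[label] = (version >= minimum, ".".join(map(str, version)))
        except ValueError as exc:
            checks[label] = (False, str(exc))
    checks["non-arm cpu"] = (not is_arm(machine), machine)
    return checks


def all_passed(checks: dict) -> bool:
    return all(ok for ok, _ in checks.values())


def gather_live_facts() -> tuple:
    """Collect the raw inputs from the local host; empty strings when a tool is absent."""
    docker_out = ""
    if shutil.which("docker"):
        docker_out = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True).stdout
    nessus_out = ""
    if os.access(NESSUSD, os.X_OK):
        # Assumed to print something like "nessusd (Nessus) 10.6.1 [build ...]".
        nessus_out = subprocess.run([NESSUSD, "-v"], capture_output=True, text=True).stdout
    return docker_out, nessus_out, platform.machine()


if __name__ == "__main__":
    results = was_prereqs(*gather_live_facts())
    for label, (ok, detail) in results.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {label}: {detail}")
    raise SystemExit(0 if all_passed(results) else 1)
```

The script reports the Docker daemon version rather than the client version, because the web app scanning container runs under the daemon on the scanner host; a client newer than the daemon does not satisfy the requirement.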

Add a Web App Scan

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can create web app scans in Tenable Security Center using Web Application Scanning
templates. For more information, see Scan Policy Templates.

For more information, see Web App Scans and Web App Scan Settings.

Before you begin:


l Confirm you understand the complete web app scanning configuration process, as described
in Web App Scans.

l Configure a Web App Scanning scan policy, as described in Add a Scan Policy.

To add a web app scan:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Web App Scans.

The Web App Scans page appears.

3. At the top of the table, click Add.

The Add Web App Scan page appears.

4. Click General.

a. Type a Name for the scan.

b. (Optional) Type a Description for the scan.

c. In the Policy drop-down menu, select the Web App Scanning scan policy.

d. (Optional) Select a Schedule for the scan.

5. Click Settings.

a. Select a Scan Zone for the scan.

b. Select an Import Repository for the scan.

6. Click Targets.

a. Type a target URL for the scan.

7. Click Credentials.

a. Click Add Credential.

b. In the drop-down boxes, select a credential type and a preconfigured credential.

c. Click the check mark to save your selection.

8. (Optional) Click Post Scan.

a. If you want to configure automatic report generation, click Add Report. For more
information, see Add a Report to a Scan.

9. Click Submit.

Tenable Security Center saves your configuration.

What to do next:
l View scan results, as described in Scan Results.

l View web app scan vulnerability data, as described in Web App Scanning Analysis.

Manage Web App Scans

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about web app scans, see Web App Scans.

To manage web app scans:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Web App Scans.

The Web App Scans page appears.

3. To filter the scans that appear on the page, apply a filter as described in Apply a Filter.

4. To start a scan, see Start or Pause a Scan.

Note: Pausing is not supported for web app scans.

5. To view details for a scan:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click View.

The View Web App Scan page appears.

6. To edit a scan:
a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Edit.

The Edit Web App Scan page appears.

c. Modify the scan options. For more information, see Web App Scan Settings.

d. Click Submit.

Tenable Security Center saves your configuration.

7. To delete a scan:
a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click Delete.

Tenable Security Center deletes the scan.

8. To delete multiple scans:


a. In the table, select the check box for each scan you want to delete.

The available actions appear at the top of the table.

b. At the top of the table, click Delete.

A confirmation window appears.

c. Click Delete.

Tenable Security Center deletes the scans.

Web App Scan Settings

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

For more information, see Web App Scans.

The web app scan options are grouped into the following sections:

l General Options

l Settings Options

l Targets Options

l Credentials Options

l Post Scan Options

General Options

Parameter Description Default

General

Name The scan name that is associated with the scan’s results. --
This can be any name or phrase (for example, SystemA, DMZ
Scan, or Daily Scan of the Web Farm).

Description Descriptive information related to the scan. --

Policy The policy on which you want to base the scan. You can --
scroll through the list, or search by entering text in the
search box at the top of the list of available policies. For
more information, see Scan Policy Templates.

Schedule

Schedule The frequency you want to run the scan. On Demand

l Now specifies that you want Tenable Security Center to launch the scan immediately without saving the configuration for later.

Note: Scans configured to run Now do not appear on the Active Scans page.

l Once specifies that you want Tenable Security Center to launch the scan at the specified time without saving the configuration for later.

Note: Scans configured to run Once do not appear on the Active Scans page.

l Daily, Weekly, or Monthly specifies that you want Tenable Security Center to launch the scan at a scheduled interval.

Note: If you schedule your scan to repeat monthly, Tenable recommends setting a start date no later than the 28th day. If you select a start date that does not exist in some months (for example, the 29th), Tenable Security Center cannot run the scan in those months.

l On Demand specifies that you want to launch the scan manually at any time.

l Dependent specifies that you want Tenable Security Center to launch the scan every time Tenable Security Center finishes a scheduled run of the dependent scan you select.

Settings Options

Parameter Description

Basic

Scan Zone Note: If your organization's Distribution Method setting is Locked Zone, you
cannot modify this setting. If your organization's Distribution Method setting
is Automatic Distribution Only, Tenable Security Center automatically
chooses one or more scan zones and hides this setting.

Specifies the scan zone you want to use to run the scan. Depending on
your organization's Distribution Method setting, you can select one of
the following:

l An available zone — use a single scan zone to run the scan.

Note: If you select a single scan zone, Tenable Security Center ignores the ranges in the scan zone and scans all of the targets you specify in the scan configuration.

l Automatic Distribution — allow Tenable Security Center to choose the best scan zone to run the scan.

For more information, see Organizations and Scan Zones.

Import Repository Specifies the repository where Tenable Security Center imports the
scan results. Select a Universal repository to receive IPv4 or IPv6 results
appropriate to the scan. For more information about repositories, see
Repositories.

Advanced

Immediately remove vulnerabilities from scanned hosts that do not reply If a previously responsive host does not reply to a scan, Tenable Security Center removes the host's vulnerabilities from the cumulative database. If the host has vulnerabilities in the mitigated database, they remain in the mitigated database.

l If you enable this option, the system removes the vulnerabilities immediately after the scan completes.

l If you disable this option, the system removes the vulnerabilities according to the interval set in the Number of days to wait before removing dead hosts option.

Max scan duration Specifies the maximum number of hours you want a scan to run. If a
(hours) scan reaches this threshold, the scan stops and Tenable Security Center
discards the scan results.

Inactivity timeout Specifies the maximum number of hours you want a scan to be inactive
duration (hours) before it times out.

The value for Inactivity timeout duration must be less than the value for
Max scan duration.

Targets Options

Option Description Default

URLs One or more URL targets for the scan. Type multiple targets as a --
comma-separated list of URLs.

Credentials Options

The Credentials section allows users to select pre-configured credential sets for authenticated
scanning. For more information, see Credentials.

Tenable Security Center web app scans support Web Authentication Credentials.

Note: You cannot add credentials to web app scans that have multiple targets.

Post Scan Options

These options determine what actions occur immediately before and after the web app scan
completes.

Option Description Default

Notifications

E-mail Me on Launch When enabled, Tenable Security Center sends a notification to the email address associated with your user account when the scan launches. disabled

E-mail Me on Completion When enabled, Tenable Security Center sends a notification to the email address associated with your user account when the scan completes. disabled

Reports to Run on Scan Completion

Add Report This option provides a list of reports available to the user to --
run when the web app scan data import completes. For
more information, see Add a Report to a Scan.
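The constraints stated in the tables above (comma-separated URL targets, credentials only on a single-target scan, an inactivity timeout shorter than the max scan duration, and a Monthly start date no later than the 28th) are easy to violate when scan definitions are generated by automation rather than typed into the form. The following Python is an added example written for this guide, not Tenable code and not the Tenable Security Center API schema: the data class and its field names are this example's own, and the rule that a target must be an absolute http(s) URL is an assumption (the page only says targets are URLs).

```python
"""Pre-flight checks for a Tenable Security Center web app scan definition.

Added example, not Tenable code or the product's API schema: the field names are
this example's own. Encodes the constraints stated in Web App Scan Settings.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class WebAppScanDef:
    name: str
    targets: str = ""                          # comma-separated URLs, as typed in the Targets box
    credentials: List[str] = field(default_factory=list)   # names of Web Authentication credentials
    max_duration_hours: Optional[int] = None   # Max scan duration (hours)
    inactivity_timeout_hours: Optional[int] = None   # Inactivity timeout duration (hours)
    schedule: str = "On Demand"                # Now, Once, Daily, Weekly, Monthly, On Demand, Dependent
    start_day_of_month: Optional[int] = None   # day of month for Monthly schedules


def parse_targets(raw: str) -> List[str]:
    """Split the Targets box into URLs, dropping blanks and surrounding whitespace."""
    return [t.strip() for t in raw.split(",") if t.strip()]


def validate(scan: WebAppScanDef) -> List[str]:
    """Return the problems found; an empty list means the definition passes."""
    problems: List[str] = []
    urls = parse_targets(scan.targets)
    if not urls:
        problems.append("no target URL")
    for url in urls:
        parts = urlsplit(url)
        # Assumption: a web app target must be an absolute http(s) URL.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"target is not an http(s) URL: {url!r}")
    # Credentials are only accepted on single-target web app scans.
    if scan.credentials and len(urls) > 1:
        problems.append("credentials cannot be added to a scan with multiple targets")
    # The inactivity timeout must be shorter than the overall duration cap.
    if (scan.max_duration_hours is not None and scan.inactivity_timeout_hours is not None
            and scan.inactivity_timeout_hours >= scan.max_duration_hours):
        problems.append("inactivity timeout must be less than max scan duration")
    # A Monthly start date after the 28th is skipped in months that lack that day.
    if scan.schedule == "Monthly" and (scan.start_day_of_month or 0) > 28:
        problems.append("monthly schedule start day should be the 28th or earlier")
    return problems


if __name__ == "__main__":
    # Constructed definition that breaks three rules at once.
    bad = WebAppScanDef(name="DMZ portals",
                        targets="https://portal.example.com, https://api.example.com",
                        credentials=["portal-login"], max_duration_hours=4,
                        inactivity_timeout_hours=4, schedule="Monthly", start_day_of_month=31)
    for problem in validate(bad):
        print("-", problem)
```

Run the checks before submitting the definition; a definition that passes can still be rejected by Tenable Security Center for reasons outside these tables (zone distribution settings, repository type, licensing), so treat this as a first gate rather than a substitute for the product's own validation.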

Freeze Windows
You can set a freeze window in Tenable Security Center to specify a time frame when you do not
want Tenable Security Center to scan specific targets. This prevents remediation or ad-hoc scans
from scanning assets during undesired time frames, such as during production hours. For more
information about what happens to in-progress scans at the start of a freeze window, see the
knowledge base article.

Freeze windows are organizational and affect all scans in the creating user’s organization. Only
users with the Manage Freeze Windows permission can add, edit, or delete freeze windows.

Note: If a freeze window becomes active in Tenable Security Center after an Agent scan or a
web app scan launches, the freeze window will not stop any Agent scans or web app scans that
are currently in progress. However, if you launch a web app scan while a freeze window is
already active, and the freeze window applies to any of the web app scan targets, then those
web app scan targets will not be scanned.
To stop Agent scans, configure a freeze window in each Tenable Nessus Manager.

For more information, see Add a Freeze Window, Edit a Freeze Window, and Delete a Freeze
Window.

Option Description

Name A name for the freeze window.

Description (Optional) A description for the freeze window.

Enabled When enabled, Tenable Security Center does not scan any assets that
are affected by the freeze window. If a scan does not include any
assets outside of the freeze window, then the scan will abort.

When disabled, Tenable Security Center scans all assets as scheduled.

Targets Specifies the targets you do not want to scan during the freeze
window.

l All Systems — Tenable Security Center does not scan any assets.

l Assets — Tenable Security Center does not scan specific Tenable-provided or user-defined asset lists.

l IPs — Tenable Security Center does not scan specific IP addresses.

l Mixed — Tenable Security Center does not scan a combination of IP addresses and/or Tenable-provided or user-defined asset lists.

Note: If you select an Import Repository later in the configuration, Tenable Security Center applies your Targets selection only to scans configured with that import repository. Scans configured with other import repositories still run and scan targeted assets, regardless of your freeze window Targets selection.

Assets If you selected Assets or Mixed as the Targets, specifies one or more
Tenable-provided or user-defined asset lists that you do not want to
scan during the freeze window.

IPs If you selected IPs or Mixed as the Targets, specifies one or more
asset IP addresses that you do not want to scan during the freeze
window.

Import Repository (Optional) If you selected Assets, IPs, or Mixed as your Targets, specifies whether you want to restrict the freeze window to apply to scans configured with a specific import repository.

l If you select a repository, Tenable Security Center applies the freeze window only to scans with that repository configured.

l If you do not select a repository, Tenable Security Center does not restrict the freeze window by repository.

Starts On, Frequency, Repeat Every, Repeat On Together, these options specify the schedule for the freeze window.
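To make the rules in this section concrete, the following Python models how a freeze window is applied to a scan at launch time. It is an added example, not Tenable code: the data class, the asset_lists lookup that resolves asset list names to addresses, and the simplified schedule (a start time plus an optional daily repeat of the same clock window, in place of the product's Frequency, Repeat Every and Repeat On options) are this example's own. It implements the behaviour documented above: a disabled or inactive window never applies; a window restricted to an Import Repository applies only to scans importing into that repository; All Systems blocks every target while Assets, IPs and Mixed block only the listed asset lists and addresses; and a scan with no target outside the window is reported as one that would abort. Because the evaluation happens once, at launch, it also matches the note that a window becoming active later does not stop an agent or web app scan that is already in progress.

```python
"""Evaluate Tenable Security Center freeze windows against a scan at launch time.

Added example, not Tenable code. The data class, the asset_lists lookup and the
simplified schedule (start time plus optional daily repeat) are this example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class FreezeWindow:
    name: str
    targets: str                                   # "All Systems", "Assets", "IPs" or "Mixed"
    start: datetime                                # Starts On
    end: datetime                                  # end of the first occurrence (under a day later if repeating)
    enabled: bool = True
    repeat_daily: bool = False                     # simplified Frequency: same clock window every day
    assets: List[str] = field(default_factory=list)   # asset list names, used for Assets / Mixed
    ips: List[str] = field(default_factory=list)      # IPs or CIDRs, used for IPs / Mixed
    repository: Optional[str] = None               # Import Repository restriction, if any


def is_active(w: FreezeWindow, at: datetime) -> bool:
    """A disabled window never applies; otherwise check the one-shot or daily-repeating interval."""
    if not w.enabled or at < w.start:
        return False
    if not w.repeat_daily:
        return at < w.end
    elapsed_today = (at - w.start) % timedelta(days=1)    # offset into the current day's repeat
    return elapsed_today < (w.end - w.start)


def blocks(w: FreezeWindow, target: str, repo: str, asset_lists: Dict[str, List[str]]) -> bool:
    """Does window w stop `target` from being scanned by a scan importing into `repo`?"""
    # A repository restriction only narrows the window when one was selected.
    if w.repository is not None and w.repository != repo:
        return False
    if w.targets == "All Systems":
        return True
    ranges: List[str] = list(w.ips) if w.targets in ("IPs", "Mixed") else []
    if w.targets in ("Assets", "Mixed"):
        for name in w.assets:
            ranges.extend(asset_lists.get(name, []))    # resolve asset list names to addresses
    addr = ip_address(target)
    return any(addr in ip_network(r, strict=False) for r in ranges)


def plan_scan(targets: List[str], repo: str, launch_at: datetime,
              windows: List[FreezeWindow], asset_lists: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Split scan targets into (scannable, frozen) for a launch at `launch_at`.

    An empty scannable list means the scan would abort. The evaluation happens only at
    launch, so a window that becomes active afterwards does not affect a running scan.
    """
    active = [w for w in windows if is_active(w, launch_at)]
    frozen = [t for t in targets if any(blocks(w, t, repo, asset_lists) for w in active)]
    scannable = [t for t in targets if t not in frozen]
    return scannable, frozen


if __name__ == "__main__":
    # Constructed data: freeze the prod-web asset list from 08:00 to 18:00 every day, but only
    # for scans that import into the Prod repository.
    asset_lists = {"prod-web": ["10.0.0.0/24"]}
    prod_hours = FreezeWindow("prod hours", "Assets", datetime(2024, 6, 1, 8), datetime(2024, 6, 1, 18),
                              repeat_daily=True, assets=["prod-web"], repository="Prod")
    ok, held = plan_scan(["10.0.0.5", "10.0.1.7"], "Prod", datetime(2024, 6, 3, 10), [prod_hours], asset_lists)
    print("scanned:", ok, "frozen:", held, "aborts:", not ok)
```

The repository check is what makes the Note above bite: the same scan targets run unhindered when they import into a repository the window does not name, which is easy to overlook when a freeze window is meant to protect production hosts regardless of where results land.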

Add a Freeze Window

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information about configuration options, see Freeze Windows.

To add a freeze window:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Freeze Windows.

The Freeze Windows page appears.

3. At the top of the table, click Add.

The Add Freeze Window page appears.

4. In the Name box, type a name for the freeze window.

5. In the Description box, type a description for the freeze window.

6. Confirm the Enabled toggle is enabled.

7. In the Targets drop-down box, select a target: All Systems, Assets, IPs, or Mixed.

Additional options appear based on the targets you specified.

8. In the Assets and/or IPs boxes, select or type targets for the freeze window.

9. (Optional) If you selected Assets, IPs, or Mixed as the Targets and you want to restrict the freeze
window by import repository, in the Repository section, select a repository.

10. Modify the Starts On, Frequency, Repeat Every, and Repeat On options to set the schedule
for the freeze window.

11. Click Submit.

Tenable Security Center saves your configuration.

Edit a Freeze Window

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Freeze Windows.

To edit a freeze window:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Freeze Windows.

The Freeze Windows page appears.

3. Right-click the row for the freeze window you want to edit.

The actions menu appears.

-or-

Select the check box for the freeze window you want to edit.

The available actions appear at the top of the table.

4. Click Edit.

The Edit Freeze Window page appears.

5. To disable the freeze window, click the Enabled slider.

6. To edit the freeze window settings, modify the options described in Freeze Windows.

7. Click Submit.

Tenable Security Center saves your configuration.

Delete a Freeze Window

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Freeze Windows.

To delete a freeze window:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Freeze Windows.

The Freeze Windows page appears.

3. To delete a single freeze window:

a. In the table, right-click the row for the freeze window you want to delete.

The actions menu appears.

To delete multiple freeze windows:

a. In the table, select the check box for each freeze window you want to delete.

The available actions appear at the top of the table.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the freeze window.

Tags
You can use tags in Tenable Security Center to label assets, policies, credentials, or queries with a
custom descriptor to improve filtering and object management. For example, you could add a tag
named East Coast Employees to label all of your assets in that geographic area.

After you create a tag and apply it to an object, the tag is visible to all users who can view or modify
that object. However, tags are not shared across object types.

For more information, see Add a Tag and Remove or Delete a Tag.

Add a Tag

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Tags.

To add a tag:

1. Log in to Tenable Security Center.

2. Navigate to the assets, policies, credentials, or queries page:

l Click Assets > Assets.

l Click Scanning > Policies (administrator users) or Scans > Policies (organizational
users).

l Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

l Click Analysis > Queries.

3. Right-click the row for the asset, policy, credential, or query you want to tag.

The actions menu appears.

-or-

Select the check box for the asset, policy, credential, or query you want to tag.

The available actions appear at the top of the table.

4. Click Edit.

5. In the Tag drop-box, select an existing tag or type a new tag.

6. Click Submit.

The tag appears, applied to the asset, policy, credential, or query.

Remove or Delete a Tag

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can remove a tag from an asset, policy, credential, or query to stop associating that object with
the tag. To completely delete a tag from Tenable Security Center, you must remove the tag from all
assets, policies, credentials, or queries. For more information, see Tags.

To remove a tag or completely delete a tag from Tenable Security Center:

1. Log in to Tenable Security Center via the user interface.

2. Navigate to the assets, policies, credentials, or queries page:

l Click Assets > Assets.

l Click Scanning > Policies (administrator users) or Scans > Policies (organizational
users).

l Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).

l Click Analysis > Queries.

3. In the table, right-click the row for the asset, policy, credential, or query where you want to
remove the tag.

The actions menu appears.

4. Click Edit.

5. In the Tag drop-box, remove the tag from the asset, policy, credential, or query.

6. Click Submit.

Tenable Security Center removes the tag from the asset, policy, credential, or query.

7. (Optional) If you want to delete the tag from Tenable Security Center, repeat steps 2 through 6
until you have removed all uses of the tag for the object type.

Tenable Security Center deletes the tag.

Analyze Data
See the following sections to analyze and respond to Tenable Security Center data.

Analysis Tool Description

Scan Results View a table of scan results from active and agent scans.

Dashboards View graphical summaries of scans, scan results, and system activity.

Solutions Analysis View recommended solutions for all vulnerabilities on your network.

Vulnerability Analysis View a table of cumulative or mitigated vulnerability data.

Event Analysis View a table of Tenable Log Correlation Engine security event data.

Mobile Analysis View a table of vulnerability data discovered by scanning an ActiveSync, Apple Profile Manager, AirWatch, Good, or MobileIron MDM server.

Reports Create custom or template-based reports to export Tenable Security Center data for further analysis.

Assurance Report Cards Create ARCs to develop security program objectives and assess your organization's security posture.

You can use Filters and Queries to manipulate the data you see in analysis tools and save views for
later access. You can perform Workflow Actions (alerting, ticketing, accepting risk, recasting risk)
from some analysis tools.

If you are licensed for Tenable Lumin, you can synchronize Tenable Security Center with Tenable
Lumin to take advantage of Cyber Exposure features, as described in Tenable Lumin
Synchronization. For more information, contact your Tenable representative.

Dashboards
Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

Administrator users can view the Tenable-provided Overview, LCE Overview, and Health Overview dashboards. For more information, see Overview Dashboard, LCE Overview Dashboard, and Health Overview Dashboard.

Organizational users can configure custom or template-based dashboards that contain dashboard
components, which display vulnerability, event, ticket, user, and alert data for analysis. When
viewing vulnerability or event data, you can drill into the underlying dataset for further evaluation.

Tip: Tenable provides many dashboard templates (for example, the VPR Summary dashboard).
For a complete index of Tenable-provided dashboard templates, see the Tenable Security
Center Dashboards blog.

Dashboards allow you to organize similar dashboard components to streamline your analysis.
Instead of creating a single dashboard with several dozen dashboard components, you can create
several dashboards that group similar dashboard components together. For example, you can
create two separate dashboards to view active scanning data and passive scanning data.

Note: Dashboards display vulnerability, event, and other scan data. Tenable recommends
configuring several data sources to optimize the data you see in dashboards. For more
information, see Scanning Overview.

Tip: Tenable Security Center automatically refreshes dashboard data once per day. To refresh
all dashboard components on demand as an organizational user, click Refresh All.

For more information, see:

l View a Dashboard

l Add a Template-Based Dashboard

l Add a Custom Dashboard

l Import a Dashboard

l Manage Dashboards

l Manage Dashboard Components

Dashboard Options

Option Description

General

Name The name of the dashboard.

Description (Optional) A description for the dashboard.

Layout The number and arrangement of dashboard columns.

View a Dashboard

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

For more information, see Dashboards.

To view a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears, displaying your default dashboard.

3. If you want to switch to a different dashboard:

a. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

b. Click the dashboard you want to view.

The dashboard appears.

If you are an organizational user, you can:

l Add a dashboard component to the dashboard in view, as described in Add a Template-Based Dashboard Component or Add a Custom Dashboard Component.

l Manage dashboard components on the dashboard in view, as described in Manage Dashboard Components.

l Edit the dashboard settings for the dashboard in view, as described in Edit Settings for a Dashboard.

l Share or revoke access to the dashboard in view, as described in Share or Revoke
Access to a Dashboard.

l Create a report from the dashboard in view:

a. In the upper-right corner of the page, click the Options drop-down box.

b. Click Send to Report.

For more information about reports, see Reports.

l Delete the dashboard in view, as described in Delete a Dashboard.

l Customize the table, as described in Interact with a Customizable Table.

Overview Dashboard
Tenable provides the Overview dashboard to administrator users by default. For more information,
see View a Dashboard.

Widget Action

Licensing Status (How close am I to hitting my license limit?) View a graph of your total license size compared to your total currently active IP addresses.

Web App Scanning FQDNs (How close am I to hitting my license limit?) View a graph of your total license size compared to your total currently active FQDNs. For more information about web app scans, see Web App Scans.

Repository Statistics (How am I using my repositories?) View information about your repositories:

l Name — The name of the repository.

l Vuln Count — The number of vulnerability instances in the repository.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

l Last Update — The date and time of the most recent scan that updated the repository data.

l IP/Device Count — The number of IP addresses in the repository counting toward your Tenable Security Center license.

l Type — The repository type.

l Data Format — The type of data stored in the repository: IPv4, IPv6, Mobile, or Agent.

System Status (Is the Tenable Security Center job daemon running?) View the status of the job daemon, which powers the job queue. To change the status of the job daemon, click Start or Stop; Tenable Security Center changes the status of the job daemon.

Scanner Status (What is the status of my scanners?) View information about your scanners:

l Name — The name of the scanner or instance.

l Type — The type of connection: Passive or Active.

l Status — The status of the scanner or instance.

Latest Plugins (What plugins were most recently changed in a feed update?) View information about the latest plugin changes in feed updates:

l ID — The plugin ID.

l Name — The name of the plugin.

l Family — The plugin family.

l Type — The plugin type.

l Date — The date and time of the feed update that contained the plugin change.

Health Overview Dashboard
Tenable provides the Health Overview dashboard to administrator users by default. For more
information, see View a Dashboard.

Widget Action

Application Configuration Health (What is the health of my application configuration?) View information about the health of your application with the following checks:

l License Expiration Warning — When a Tenable Security Center license expires, you may not be able to update plugins, receive feed updates, or access the tool.

l Percent Licenses Used — When a Tenable Security Center console reaches its license limit, scans of additional assets are not imported.

l SMTP Configured — Invalid SMTP settings prevent Tenable Security Center from sending emails notifying users of events.

l Maximum Recommended LCE Imports Per Day (200) — Tenable Log Correlation Engine job imports should be managed to reduce impact on other scan imports.

l Maximum Recommended NNM Imports Per Day (200) — Nessus Network Monitor job imports should be managed to reduce impact on other scan imports.

l Maximum Recommended Nessus Scanners (250) — You may experience degraded performance when a large number of Nessus scanners are attached to Tenable Security Center.

l Maximum Recommended Repositories (200) — You may experience degraded performance when a large number of repositories are configured in Tenable Security Center. See the Tenable Security Center Large Enterprise Deployment Guide for more information.

l Maximum Recommended Scan Zones (100) — You may experience degraded performance when a large number of scan zones are configured in Tenable Security Center. See the Tenable Security Center Large Enterprise Deployment Guide for more information.

l Passive Activation Code Configured (requires a Tenable Security Center+ license) — Tenable Security Center+ consoles should have a passive activation code applied. This allows use of Nessus Network Monitor sensors for more than asset discovery.

Repository Size Warning (What is the size of each of my repositories?) View information about the size of your repositories.

Job Queue Health Summary (What is the health of my job queue?) View information about the health of your job queue:

l Job Delay — Jobs that have been delayed by more than an hour since their scheduled run time.

l Pending Jobs — Jobs that are scheduled to run in the future. If too many jobs are scheduled, you may experience delays in processing vulnerability data, generating reports, or other processes.

Refine Scan Zone Scope (What is the size of each of my scan zones?) View information about the size of your scan zones.

Job Queue Delay Details (Why were there delays in the job queue?) View information about delays in the job queue.

Scan Zones with Overlap (Do I have scan zones that overlap each other?) View information about the size of your scan zones, and whether they have overlapping boundaries.

Non-Working Scanners (Are there any non-working scanners in my configuration?) View information about non-working scanners in your scan zones.

Maximum Recommended Scanners in a Zone (What is the maximum number of scanners I should have in my scan zones?) View information about the maximum suggested number of scanners for each of your scan zones.

Nessus Agent Managers as Network Scanners (Are there any Nessus Agent Managers being used as Network Scanners?) View a list of Nessus Agent Managers currently configured for use as network scanners.

Degraded Scan Zones (Which scan zones have non-working scanners?) View information about scan zones with non-working scanners.

Nessus Agent Managers Not Using API Authentication (Are there any Nessus Agent Managers not configured to use API authentication?) View a list of Nessus Agent Managers not configured to use API keys.

Large Asset Lists (Are there any large asset lists that may contribute to performance issues?) View asset lists whose definitions are longer than 20,000 characters.
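The Scan Zones with Overlap and Maximum Recommended Scan Zones (100) checks above can be reproduced offline from a zone inventory, which is useful when zones are managed as code and you want the warning before the change reaches the console. The following Python is an added example, not Tenable code: the zone inventory is constructed, and the accepted range syntax (CIDR, single address, or start-end range) is an assumption about how the inventory is kept rather than the product's own zone syntax. Two CIDR blocks overlap only when one contains the other, so the more specific block is reported as the shared part.

```python
"""Find overlapping scan zone ranges and flag a zone count above the recommended limit.

Added example, not Tenable code. Zone definitions are constructed; the accepted
range syntax (CIDR, single IP, start-end) is this example's assumption.
"""
from ipaddress import ip_address, ip_network, summarize_address_range
from itertools import combinations
from typing import Dict, List, Tuple

MAX_RECOMMENDED_SCAN_ZONES = 100   # threshold shown on the Health Overview dashboard


def parse_ranges(spec: str) -> List:
    """Expand a comma-separated range spec into ipaddress network objects."""
    nets = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(summarize_address_range(lo, hi))   # covering CIDR blocks for the range
        else:
            nets.append(ip_network(item, strict=False))   # CIDR or single address
    return nets


def overlapping_zones(zones: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (zone_a, zone_b, shared_block) for every pair of zones whose ranges overlap."""
    parsed = {name: parse_ranges(spec) for name, spec in zones.items()}
    hits = []
    for a, b in combinations(sorted(parsed), 2):
        for na in parsed[a]:
            for nb in parsed[b]:
                if na.overlaps(nb):
                    # CIDR blocks overlap only by containment, so the longer prefix is the shared part.
                    shared = na if na.prefixlen >= nb.prefixlen else nb
                    hits.append((a, b, str(shared)))
    return hits


def health_warnings(zones: Dict[str, str]) -> List[str]:
    """Warnings a practitioner would want before applying the zone inventory."""
    warnings = [f"zones {a!r} and {b!r} overlap on {block}" for a, b, block in overlapping_zones(zones)]
    if len(zones) > MAX_RECOMMENDED_SCAN_ZONES:
        warnings.append(f"{len(zones)} scan zones exceeds the recommended maximum of {MAX_RECOMMENDED_SCAN_ZONES}")
    return warnings


if __name__ == "__main__":
    # Constructed inventory: corp-east is carved out of corp, which the dashboard would flag.
    sample = {
        "dmz": "203.0.113.0/25, 203.0.113.200-203.0.113.210",
        "corp": "10.0.0.0/8",
        "corp-east": "10.10.0.0/16",
        "lab": "198.51.100.0/24",
    }
    for line in health_warnings(sample):
        print(line)
```

Overlap is not always a mistake (a catch-all zone plus a more specific one is a common pattern), but it decides which scanners a target can be distributed to, so every reported pair should be a deliberate choice rather than an accident of copy-and-paste.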

LCE Overview Dashboard


Tenable provides the LCE Overview dashboard to administrator users by default. For more
information, see View a Dashboard.

Widget Action

LCE Status (What is the status of my Tenable Log Correlation Engine servers?) View information about your Tenable Log Correlation Engine servers:

l Name — The name of the Tenable Log Correlation Engine server.

l Status — The status of the Tenable Log Correlation Engine server.

LCE Client Status (What is the status of my Tenable Log Correlation Engine clients?) View information about your Tenable Log Correlation Engine clients:

l Client IP — The IP address of the Tenable Log Correlation Engine client.

l LCE — The Tenable Log Correlation Engine server associated with the Tenable Log Correlation Engine client.

l Last Update — The date and time of the most recent Tenable Log Correlation Engine client import to Tenable Security Center.

l Status — The status of the Tenable Log Correlation Engine client.

Set a Dashboard as Your Default Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To set a dashboard as your default dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears, displaying your default dashboard.

3. If you want to switch to a different dashboard:

a. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

b. Click the dashboard you want to view.

The dashboard appears.

4. In the upper-right corner of the page, click the Options drop-down box.

5. Click Set as Default.

The system sets the dashboard as your default.

Add a Template-Based Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can add a dashboard by configuring a Tenable-provided dashboard template. To add a custom
dashboard instead, see Add a Custom Dashboard. To import a dashboard, see Import a Dashboard.

For more information, see Dashboards and Dashboard and Component Templates.

To add a template-based dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Options drop-down button.

4. Click Add Dashboard.

The Dashboard Templates page appears.

5. In the Common section, click a template category tile.

The Add Dashboard Template page appears.

6. Click a template.

The Add Dashboard Template page updates to reflect the template you selected.

7. Modify the dashboard template:

l To edit the dashboard name, click the name box and edit the name.

l To edit the dashboard description, click the Description box and edit the description.

l To restrict the target data displayed in the dashboard, click the Targets drop-down box.

l To edit the dashboard refresh schedule, click the Schedule link.

8. Click Add.

Tenable Security Center saves your configuration and the Dashboards page appears.

9. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

10. Click the name of the dashboard you just created.

The page for the dashboard appears.

What to do next:
l Add dashboard components, as described in Add a Template-Based Dashboard Component or
Add a Custom Dashboard Component.

Add a Custom Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can add a fully customized dashboard. To add a dashboard from a Tenable-provided template
instead, see Add a Template-Based Dashboard.

For more information, see Dashboards.

To add a custom dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Options drop-down button.

4. Click Add Dashboard.

The Dashboard Templates page appears.

5. In the Other section, click the Advanced tile.

6. In the Name box, type a name for the dashboard.

7. In the Description box, type a description for the dashboard.

8. In the Layout section, select the layout you want to use for the dashboard.

9. Click Submit.

Tenable Security Center saves your configuration and the Dashboards page appears.

10. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

11. Click the name of the dashboard you just created.

The page for the dashboard appears.

What to do next:
l Add dashboard components, as described in Add a Template-Based Dashboard Component or
Add a Custom Dashboard Component.

Dashboard and Component Templates


Tenable Security Center provides a selection of dashboards and dashboard component templates.
You can configure a Tenable-provided dashboard template or you can create a fully customized
dashboard. For more information, see Dashboards and Custom Dashboard Component Options.

For a complete index of Tenable-provided dashboard templates, see the Tenable Security Center
Dashboards blog.

Common dashboard templates:

Compliance & Configuration Assessment: Dashboards that aid with configuration, change, and
compliance management.

Discovery & Detection: Dashboards that aid in trust identification, rogue detection, and new
device discovery.

Executive: Dashboards that provide operational insight and metrics geared towards executives.

Monitoring: Dashboards that provide intrusion monitoring, alerting, and analysis.

Security Industry Trends: Dashboards related to trends, reports, and analysis from industry
leaders.

Threat Detection & Vulnerability Assessments: Dashboards that aid with identifying
vulnerabilities and potential threats.

Other (Dashboards):

Advanced: A custom dashboard with no pre-configured settings.

Import: Import a dashboard. For more information, see Import a Dashboard.

Other (Dashboard Components):

Table: Add a table to your dashboard.

Bar Chart: Add a bar chart to your dashboard.

Pie Chart: Add a pie chart to your dashboard.

Matrix: Add a matrix to your dashboard.

Line Chart: Add a line chart to your dashboard.

Area Chart: Add an area chart to your dashboard.

Import a Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To import a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Options drop-down button.

4. Click Add Dashboard.

The Dashboard Templates page appears.

5. In the Other section, click Import.

The Import Dashboard page appears.

6. In the Name box, type a name for the dashboard.

7. Click Choose File and browse to the dashboard file you want to import.

8. Click Submit.

Tenable Security Center imports the dashboard.

Manage Dashboards

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To manage dashboards:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Options drop-down button.

4. Click Manage Dashboards.

The Manage Dashboards page appears.

5. To add a dashboard, click Add. For more information, see Add a Template-Based Dashboard
or Add a Custom Dashboard.

6. To filter the dashboards in the table, see Apply a Filter.

7. To manage a single dashboard, right-click the dashboard.

-or-

To manage multiple dashboards, select the check box for each dashboard.

The actions menu appears.

From this menu, you can:

l Click View to view details for the dashboard.

l Click Share to share or revoke access to the dashboard.

l Click Export to download an XML version of the dashboard.

l Click Copy to copy the dashboard.

l Click Edit to edit the dashboard.

l Click Hide from Dashboard to hide the dashboard from the Switch Dashboard drop-
down on the Dashboards page.

l Click Show on Dashboard to show the dashboard on the Switch Dashboard drop-down
on the Dashboards page.

l Click Delete to delete the dashboard.

To export the dashboard as an XML file:


a. Click Export.

b. Then, identify how you want Tenable Security Center to handle object references:
o Remove All References – all object references are removed, altering the definitions of
the components. Importing users do not need to make any changes for components to
be useable.
o Keep All References – object references are kept intact. Importing users must be in the
same organization and have access to all relevant objects for the components to be
useable.
o Replace With Placeholders – object references are removed and replaced with their
respective names. Importing users see the name of the reference object, but need to
replace it with an applicable object within their organization before the component is
useable.

Note: Due to version-specific changes in dashboard XML file formats, exported dashboards are not always
compatible for import between Tenable Security Center versions.

Edit Settings for a Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To edit the settings for a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears, displaying your default dashboard.

3. If you want to switch to a different dashboard:

a. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

b. Click the dashboard you want to view.

The dashboard appears.

4. In the upper-right corner of the page, click the Options drop-down box.

5. Click Edit Dashboard.

The Edit Dashboard page appears.

6. Edit the Name, Description, or Layout.

7. Click Submit.

Tenable Security Center saves your configuration.

Share or Revoke Access to a Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can share access to a dashboard to give users in a group the ability to view the dashboard. The
user's role and custom permissions determine if they can drill down into other pages with more
information. For more information, see Dashboards.

To share or revoke access to a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears, displaying your default dashboard.

3. If you want to switch to a different dashboard:

a. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

b. Click the dashboard you want to view.

The dashboard appears.

4. In the upper-right corner of the page, click the Options drop-down box.

5. Click Share.

The Share Dashboard window appears.

6. In the box, search for and select the groups for which you want to share or revoke access.

7. Click Submit.

Tenable Security Center saves your configuration.

Delete a Dashboard

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To delete a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears, displaying your default dashboard.

3. If you want to switch to a different dashboard:

a. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

b. Click the dashboard you want to view.

The dashboard appears.

4. In the upper-right corner of the page, click the Options drop-down box.

5. Click Delete.

A confirmation window appears.

6. Click Delete.

The system deletes the dashboard.

Manage Dashboard Components

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards.

To manage dashboard components:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Dashboard.

The Dashboards page appears.

To edit a dashboard component:


1. Hover over the dashboard component.

2. Click the menu.

The actions menu appears.

3. Click Edit.

4. Edit the dashboard component options. For more information, see Custom Dashboard
Component Options.

To view the data behind a dashboard component:

1. Hover over the dashboard component.

2. In the lower right corner, click View Data.

The analysis page appears.

Note: Only dashboard components that display vulnerability analysis or event analysis data support
viewing the data behind a dashboard component.

To reorder a dashboard component:


1. Click the title of a dashboard component.

2. Drag the dashboard component around the page.

To copy a dashboard component to the dashboard in view or a different dashboard:


1. Hover over the dashboard component.

2. Click the menu.

The actions menu appears.

3. Click Copy.

4. In the Name box, edit the name for the copied dashboard component.

5. In the Dashboard drop-down box, click the name of the dashboard where you want to copy the
dashboard component.

6. Click Copy.

Tenable Security Center copies the dashboard component.

To refresh the dashboard component data:


1. Hover over the dashboard component.

2. Click the menu.

The actions menu appears.

3. Click Refresh.

Tenable Security Center refreshes the dashboard component data.

To delete the dashboard component:
1. Hover over the dashboard component.

2. Click the menu.

The actions menu appears.

3. Click Delete.

A confirmation window appears.

4. Click Delete.

Tenable Security Center deletes the dashboard component.

Add a Template-Based Dashboard Component

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can add a dashboard component by configuring a Tenable-provided dashboard component
template. To add a custom dashboard component instead, see Add a Custom Dashboard
Component.

For more information, see Dashboards and Dashboard and Component Templates.

Before you begin:


l Add a dashboard, as described in Add a Template-Based Dashboard, Add a Custom
Dashboard, or Import a Dashboard.

To add a template-based dashboard component to a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

4. Click the name of the dashboard for which you want to add a component.

The dashboard appears.

5. In the upper-right corner of the page, click the Options drop-down box.

6. Click Add Component.

The Component Templates page appears.

7. In the Common section, click the template you want to use for the dashboard component.

The Add Component Template page updates to reflect the template you selected.

8. Modify the dashboard component template:

l To edit the dashboard component name, click the name box and edit the name.

l To edit the dashboard component description, click the Description box and edit the
description.

l To restrict the target data displayed in the dashboard component, click the Targets
drop-down box.

l To edit the dashboard component refresh schedule, click the Schedule link.

9. Click Add.

Tenable Security Center saves your configuration and the Dashboards page appears.

Add a Custom Dashboard Component

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can configure a custom dashboard component to add a table, bar chart, pie chart, line chart,
area chart, or matrix to a dashboard. For more information, see Dashboards and Dashboard and
Component Templates.

For an example matrix component configuration, see Configure a Simple Matrix Dashboard
Component.

Before you begin:

l Add a dashboard, as described in Add a Template-Based Dashboard, Add a Custom
Dashboard, or Import a Dashboard.

To add a custom dashboard component to a dashboard:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard.

The Dashboards page appears.

3. In the upper-right corner of the page, click the Switch Dashboard drop-down box.

4. Click the name of the dashboard for which you want to add a component.

The dashboard page appears.

5. In the upper-right corner of the page, click the Options drop-down box.

6. Click Add Component.

The Component Templates page appears.

7. In the Other section, click the type of component you want to configure.

The component configuration page appears.

8. Configure the options for your component type, as described in Custom Dashboard
Component Options.

9. Click Submit.

Tenable Security Center saves your configuration.

Custom Dashboard Component Options

Use the following options to configure custom dashboard components. For more information about
dashboard component types, see Dashboard and Component Templates.

Tenable Security Center supports the following custom dashboard components:

l Table Component Options

l Bar Chart Component Options

l Pie Chart Component Options

l Matrix Component Options

l Line and Area Chart Component Options

General Options

Configure the following options for all custom dashboard component types.

Name (Required): A name for the dashboard component. Default: none.

Description: A description for the dashboard component. The description appears on the
Dashboards page when you hover over a dashboard component. Default: none.

Schedule (Required for all except Matrix components): Specifies how often the component polls
the data source to obtain updates. Default: Daily.

l Never — The component never polls the data source.

l Minutely — Polls every 15, 20, or 30 minutes.

l Hourly — Polls every 1, 2, 4, 6, or 12 hours.

l Daily — Polls daily or every specified number of days at the specified time.

l Weekly — Polls weekly or every specified number of weeks at the specified time.

l Monthly — Polls monthly or every specified number of months at the specified day and time.

Caution: Excessively frequent updates may cause the application to become less responsive due
to the added processing load imposed on the host OS.

Table Component Options

Data options:

Type: The type of data: Vulnerability, Event, Mobile, User, Ticket, or Alert. Default:
Vulnerability.

Query: Predefined query used to further narrow down the data source options. If a query does not
exist or is not desired, it may be left unselected. The query may be used as is or as a template
on which to base the Filters option. Default: none.

Source (If Type is Vulnerability or Event): Specifies the data source. For vulnerability data,
select Cumulative or Mitigated. For event data, the data source is Active. Tenable Security
Center can use only active event data for event-based components. Default: Cumulative.

Tool: The analysis tool to use for creating the chart. For more information, see Vulnerability
Analysis Tools and Event Analysis Tools. Default: Vulnerability Summary.

Filters: Additional filters to use on the data source. For more information, see Filters.
Default: none.

Display options:

Results Displayed: The number of displayed results. You can choose to display up to 999 results.
If the Viewport Size setting is smaller than this setting, the results display is limited to the
Viewport Size setting with a scrollbar to display the additional results. Default: 10.

Viewport Size: The number of records (maximum: 50) to display along with a scrollbar to handle
additional records. For example, if Results Displayed is set to 100 and Viewport Size is 15, 15
records are displayed with a scrollbar to view the additional 85 records. Default: 10.

Sort Column (Not available if Type is Event): The column Tenable Security Center uses to sort
the results. Default: Plugin ID.

Sort Direction (Not available if Type is Event): The sort direction: Descending or Ascending.
Default: Descending.

Display Columns: The columns to display in the component output. Default: none.

Bar Chart Component Options

Data options:

Type: The type of data: Vulnerability, Event, Mobile, or Ticket. Default: Vulnerability.

Query: Predefined query used to further narrow down the data source options. If a query does not
exist or is not desired, it may be left unselected. The query may be used as is or as a template
on which to base the Filters option. Default: none.

Source (If Type is Vulnerability or Event): Specifies the data source. For vulnerability data,
select Cumulative or Mitigated. For event data, the data source is Active. Tenable Security
Center can use only active event data for event-based components. Default: Cumulative.

Tool: The analysis tool to use for creating the chart. For more information, see Vulnerability
Analysis Tools and Event Analysis Tools. Default: Vulnerability Summary.

Filters: Additional filters to use on the data source. For more information, see Filters.
Default: none.

Display options:

Results Displayed: The number of displayed results. You can choose to display up to 100 results.
Default: 10.

Sort Column (If Type is Vulnerability or Ticket): The column Tenable Security Center uses to
sort the results. Default: Plugin ID.

Sort Direction (If Type is Vulnerability or Ticket): The sort direction: Descending or
Ascending. Default: Descending.

Display Column: The columns to display in the component output. Default: none.

Pie Chart Component Options

Data options:

Type: The type of data: Vulnerability, Event, Mobile, or Ticket. Default: Vulnerability.

Query: Predefined query used to further narrow down the data source options. If a query does not
exist or is not desired, it may be left unselected. The query may be used as is or as a template
on which to base the Filters option. Default: none.

Source (If Type is Vulnerability or Event): Specifies the data source. For vulnerability data,
select Cumulative or Mitigated. For event data, the data source is Active. Tenable Security
Center can use only active event data for event-based components. Default: Cumulative.

Tool: The analysis tool to use for creating the chart. For more information, see Vulnerability
Analysis Tools and Event Analysis Tools. Default: Vulnerability Summary.

Filters: Additional filters to use on the data source. For more information, see Filters.
Default: none.

Display options:

Results Displayed: The number of displayed results. Default: 10.

Sort Column: The column Tenable Security Center uses to sort the results. Default: Plugin ID.

Sort Direction: The sort direction: Descending or Ascending. Default: Descending.

Display Column: The columns to display in the component output. Default: none.

Matrix Component Options

For information about configuring matrix components and to download samples, visit the Tenable
Security Center Dashboards blog. For an example matrix component, see Configure a Simple Matrix
Dashboard Component.

When you create a matrix component, you define rules to determine what displays in each cell in a
table of customizable columns and rows.

l Use columns to define a group of vulnerability, mobile, event, ticket, user, or alert data. For
example, you could create columns for critical, high, medium, low, and informational
vulnerabilities.

l Use rows to define the operations performed against each column element for that row. For
example, if each column determines the vulnerability type (critical, high, medium, low, and
informational), you can create a row to calculate the ratio of the particular vulnerability type
count against the total vulnerability count.

By default, each cell definition includes a single customizable rule that defines what appears in
the cell if no other conditions have been defined or triggered.

Tenable Security Center reviews each rule in a cell from top to bottom and triggers the display
rule on the first rule match. Once a rule triggers, Tenable Security Center stops reviewing rules
for the cell. If none of the added rules match, Tenable Security Center performs the default
rule. Order your rules with this in mind: a broad condition placed above a narrower one prevents
the narrower rule from ever triggering.

Cells options:

Size: Use the drop-down menus to select the number of columns and rows for the matrix. Tenable
Security Center supports matrices from 1x1 to 10x10. Click Generate Cells to create a blank
matrix with customizable cells.

Header cell icon: Click the icon in a row or column header cell to manage the column or row.

l To edit the header name or refresh frequency, click Edit Header.

Tip: You can choose to refresh the data more often to see the most current view. However,
frequent refreshes can cause slow system performance.

l To delete the row or column, click Delete Cells.

Tenable Security Center deletes the row or column.

l To copy the row or column, click Copy.

Tenable Security Center copies the row or column.

Body cell icon: Click the icon inside a cell to configure rules for the cell. For more
information, see Matrix Component Query Options.

Matrix Component Query Options

Data options:

Data Type: The type of data: Vulnerability, Mobile, Event, User, Alert, or Ticket. The Data Type
determines which query values are available in the Condition option. Default: Vulnerability.

Type: The matrix component display type: Count or Ratio. Default: Count.

Source (If Data Type is Vulnerability or Event): Specifies the data source. For vulnerability
data, select Cumulative or Mitigated. For event data, the data source is Active. Tenable Security
Center can use only active event data for event-based components. Default: Cumulative.

Filters (If Type is Count): Additional filters to use on the data source. For more information,
see Filters. Default: none.

Numerator Filters (If Type is Ratio): The filters to apply to the ratio numerator. For more
information, see Filters. Default: none.

Denominator Filters (If Type is Ratio): The filters to apply to the ratio denominator. For more
information, see Filters. Default: none.

Rules options:

Condition: Specifies the conditions for the matrix component. Use the drop-down menus to define
the quantity and query value to use for the rule. Default: none.

Quantities: Less than or equal to, Greater than or equal to, Exactly, or Not Equal to.

Query values: Events, Hosts, Vulnerabilities, Ports, Devices, Users, Alerts, or Tickets.

Note: The available query values depend on the Data Type.

Display: Specifies the appearance of the matrix component when the rule Condition is met.
Default: Text.

l Text — Displays the Query Value or custom User-Defined text.

l Icon — Displays the selected indicator icon.

l (If Type is Ratio) Indicator — Displays a percentage.

Text Color (If Display is Text): The matrix component text color. Default: #1a1a40.

Background (If Display is Text): The matrix component background color. Default: #333333 or
#ffffff.

Line and Area Chart Component Options

Data options:

Date Type: The date type. Default: Relative.

l Relative — A date relative to the current time when the chart is loaded.

l Absolute — An absolute time frame that is the same on each page visit.

Date Range: The date range for the line or area chart. Default: Within 24 Hours.

If Date Type is Relative, select from the following options:

l Within x Minutes — Display data within the last 15, 20, or 30 minutes.

l Within x Hours — Display data within the last 1, 2, 4, 6, 12, 24, 48, or 72 hours.

l Within x Days — Display data within the last 5, 7, 25, or 50 days.

l Within x Months — Display data within the last 3 or 6 months.

l Within 1 Year — Display data within the last year.

If Date Type is Absolute, select a date and time for the beginning and end of the range.

Series: Click to add a series to the line or area chart. For more information, see Line and Area
Chart Series Options. Default: none.

Line and Area Chart Series Options

Name: The name of the series. Default: none.

Data options:

Data Type: The type of data: Vulnerability or Event. Default: Vulnerability.

Note: For line/area charts, vulnerability data analysis often requires that the underlying
repository be a trending repository. If the selected repository is not a trending repository, no
historical analysis is available.

Query: Predefined query used to further narrow down the data source options. If a query does not
exist or is not desired, it may be left unselected. The query may be used as is or as a template
on which to base the Filters option. Default: none.

Filters: Additional filters to use on the data source. For more information, see Filters.
Default: none.

Display options:

Series Data: Data to display in the chart: Total, Info, Low, Medium, High, or Critical. Default:
All.

Configure a Simple Matrix Dashboard Component

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Dashboards and Matrix Component Options.

Before you begin:


l Begin adding a custom matrix dashboard component, as described in Add a Custom
Dashboard Component.

To construct a simple matrix dashboard component:

1. On the Add Matrix Component page, in the Name box, type a name for the dashboard
component.

2. Type a Description for the dashboard component.

3. In the Cells section, select the number of Columns and Rows for the matrix.

For example, 5 columns and 3 rows.

4. Click Generate Cells.

The matrix editor appears.

5. Next to the header label, click the menu.

The actions menu appears.

6. Click Edit Header.

7. Type a Label for the column or row header.

8. Click Submit.

The matrix editor appears, with the new header label displayed.

9. Repeat the header label steps for the other header cells.

10. Hover over the body cells and click the edit icon.

The Add Matrix Component page appears.

11. Customize the matrix component options.

For example, this matrix component displays Vulnerability data by a ratio from the Cumulative
database. The numerator filters are looking for vulnerabilities that have an exploit available
with a Critical severity discovered within the last 7 days. The Denominator filters are for
vulnerabilities that have a Critical severity discovered within the last 7 days. The rules are
looking for percentages of the vulnerabilities that match and designate the ratio value with
the corresponding color based on the percentages found.

12. Repeat the body cell steps for the other body cells.

In the example above, the other cells are similar with many of the same rules. The differences
are adding a Numerator filter to include the Exploit Framework we are looking for and a
Denominator filter for the Exploit Available option.

13. Click Submit.

The matrix element appears.
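The rule evaluation behind a matrix cell, as an added example that is not part of this guide or of Tenable's code. It models the semantics stated in Matrix Component Options (rules are checked top to bottom, the first match wins, the default rule applies otherwise) and the Ratio cell from the worked example above (exploitable Critical vulnerabilities discovered in the last 7 days, divided by all Critical vulnerabilities discovered in the last 7 days). The record fields, rule bands, colours, and the sample records are assumptions made for illustration; the code also shows what happens when the same rules are entered lowest threshold first.

```python
"""Added example (not Tenable Security Center code): first-match evaluation of
matrix cell rules over constructed vulnerability records.

Record fields, rule layout and colours are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable

Record = dict
Filter = Callable[[Record], bool]

# Constructed sample data standing in for a Cumulative vulnerability repository.
SAMPLE_VULNS = [
    {"severity": "Critical", "exploit_available": True,  "age_days": 2},
    {"severity": "Critical", "exploit_available": False, "age_days": 5},
    {"severity": "Critical", "exploit_available": True,  "age_days": 30},
    {"severity": "High",     "exploit_available": True,  "age_days": 1},
    {"severity": "Critical", "exploit_available": False, "age_days": 6},
    {"severity": "Critical", "exploit_available": True,  "age_days": 7},
]


def critical_last_7_days(v: Record) -> bool:
    """Filter: Severity = Critical and Vulnerability Discovered within 7 days."""
    return v["severity"] == "Critical" and v["age_days"] <= 7


def exploit_available(v: Record) -> bool:
    """Filter: Exploit Available = Yes."""
    return bool(v["exploit_available"])


def count(records: list, *filters: Filter) -> int:
    """Count cell: records matching every filter (filters combine with AND)."""
    return sum(1 for r in records if all(f(r) for f in filters))


def ratio(records: list, numerator: list, denominator: list) -> float:
    """Ratio cell: percentage of denominator matches that also match the numerator.

    An empty denominator is reported as 0.0 rather than raising, so a cell for a
    window with no findings still renders.
    """
    den = count(records, *denominator)
    if den == 0:
        return 0.0
    return 100.0 * count(records, *numerator) / den


# The four Condition quantities offered by the matrix rule editor.
QUANTITIES = {
    "Less than or equal to": lambda value, n: value <= n,
    "Greater than or equal to": lambda value, n: value >= n,
    "Exactly": lambda value, n: value == n,
    "Not Equal to": lambda value, n: value != n,
}


@dataclass
class Rule:
    quantity: str       # key of QUANTITIES
    threshold: float
    display: dict       # what the cell shows when this rule matches


@dataclass
class Cell:
    value_fn: Callable[[list], float]   # Count or Ratio computation
    rules: list                         # evaluated top to bottom
    default: dict                       # shown when no rule matches

    def evaluate(self, records: list) -> tuple:
        value = self.value_fn(records)
        for rule in self.rules:                       # first match wins
            if QUANTITIES[rule.quantity](value, rule.threshold):
                return value, rule.display
        return value, self.default


def exploit_ratio_cell(rules: list) -> Cell:
    """Ratio cell from the worked example, with caller-supplied rule order."""
    return Cell(
        value_fn=lambda recs: ratio(
            recs, [critical_last_7_days, exploit_available], [critical_last_7_days]),
        rules=rules,
        default={"text": "Low", "background": "#00a000"},
    )


# Rules ordered from the highest threshold down, so every band is reachable.
ORDERED_RULES = [
    Rule("Greater than or equal to", 75, {"text": "Critical", "background": "#c00000"}),
    Rule("Greater than or equal to", 50, {"text": "High", "background": "#ff8000"}),
    Rule("Greater than or equal to", 25, {"text": "Medium", "background": "#ffd000"}),
]

# Same rules, lowest threshold first: the 25% rule matches any value of 25 or
# more, so the 50% and 75% bands can never trigger.
MISORDERED_RULES = list(reversed(ORDERED_RULES))


if __name__ == "__main__":
    value, shown = exploit_ratio_cell(ORDERED_RULES).evaluate(SAMPLE_VULNS)
    print(f"{value:.0f}% -> {shown['text']}")
    value, shown = exploit_ratio_cell(MISORDERED_RULES).evaluate(SAMPLE_VULNS)
    print(f"{value:.0f}% -> {shown['text']} (misordered rules)")
```

With the sample records, four Critical findings fall inside the 7-day window and two of them have an exploit available, so the cell value is 50% and the ordered rules show "High"; the misordered copy shows "Medium" for the same data because its first rule already matches. When you build cells in the UI, enter the most severe band first.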

Interact with a Customizable Table

To interact with a customizable table:

1. Log in to Tenable Security Center via the user interface.

2. View a customizable table.

3. Do any of the following:

Navigate the table:


l To adjust the sort order, click a column title.

Tenable Security Center sorts all pages of the table by the data in the column that you
selected.

l To view all action buttons available in a single row, right-click the row:

A drop-down menu appears with all the available actions.

l To navigate to another page of the table, click the arrow buttons: first page, last page,
next page, or previous page.

l Click any row to navigate to another page to view more details.

l On the Dashboard page, click any plugin ID to view the Plugin ID pane.

l To change the column order, drag and drop a column header to another position in the
table.

l Remove or add columns:

1. Roll over any column.

A button appears in the header.

2. Click the button.

A column selection box appears.

3. Select or clear the check box for any column you want to show or hide in the table.

Tenable Security Center updates the table based on your selection.

l Adjust column width:

a. Roll over the header between two columns until the resize cursor appears.

b. Click and drag the column width to the desired width.

Scan Results

The Scan Results page displays scan results and statuses from active scans, agent scans, and
agent synchronization jobs.

Note: Tenable Security Center does not include all agent scans in the scan results table. If an agent scan
imports scan results identical to the previous agent scan, Tenable Security Center omits the most recent
agent scan from the scan results table.

Note: If you added the parent node of a Tenable Nessus Manager cluster as a scanner in Tenable Security
Center, Tenable Security Center displays scan results for all child nodes. For more information, see
Clustering in the Tenable Nessus User Guide.

Note: For each agent synchronization job result for a child node, Tenable Security Center
imports a metadata record containing no vulnerability data. This metadata record appears as a
second result on the Scan Results page. To prevent Tenable Security Center from importing the
metadata file, configure and launch agent scans from Tenable Security Center, as described in
Agent Scans.

For more information, see Manage Scan Results and Scan Result Statuses.

Scan Result Statuses


You can view the scan status and the import status for all scan results, as described in View Scan
Result Details.

l Scan Status

l Import Status

Scan Status
The scan status specifies the status of the scan.

Status Description

Active Scans

Queued The scan is queued.

Preparing Tenable Security Center is preparing to run the scan.

Resolving Hostnames Tenable Security Center is resolving hostnames before running the scan.

Verifying Targets Tenable Security Center is verifying targets before running the scan.

Initializing Scanners Tenable Security Center is initializing scanners before running the
scan.

Running The scan is running.

Pausing You paused the scan and Tenable Security Center is pausing the scan.

Paused The scan is paused.

Resuming You resumed the scan and Tenable Security Center is resuming the
scan.

Stopping Tenable Security Center is stopping the scan.

Completed The scan finished successfully.

Partial The scan finished and some results are available.

Error The scan did not finish.

Agent Scans

Queued The scan is queued.

Running The scan is running.

Completed The scan finished successfully.

Error The scan did not finish.

Import Status
The import status specifies the status of the scan result import to Tenable Security Center.

Status Description

Active and Agent Scans

No Results The scan finished successfully but yielded no results.

Import Pending Tenable Security Center is preparing to start the import.

Importing Tenable Security Center is importing the scan result data.

Finished The import finished successfully.

Blocked Tenable Security Center did not import the scan result for one of the following
reasons:

l You have exceeded your license limit.

l The scan result import would cause you to exceed your license.

For more information about license limits, see License Requirements.

Error The import did not finish.

Manage Scan Results

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Depending on the state of a scan result, you can perform different management actions (for
example, you cannot download results for a scan with errors).

For more information, see Scan Results.

To manage scan results:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Scan Results.

The Scan Results page appears.

3. Manage the results:

To filter the scan results:

- Click the filter icon.

Filters allow you to view only desired scan results. Filter parameters include:

- Access - filters by whether the scan is manageable or usable.

- Group - filters by the groups that can access the scans.

- Name - filters by the scan name.

- Owner - filters by the scan owner.

- Scan Policy - filters by the scan policy.

- Status - filters by the scan status.

- Time (Created) - filters by when the scan result was created.

- Time (Finished) - filters by when the scan finished running.

- Type - filters by the type of scan.

To remove all filters:

- Under the filter options, click Clear Filters.

Note: To return to the default filter for your user account, refresh your browser window. The
number in grey next to the filter displays how many filters are currently in use.

To view a set of scan results:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Browse.

The Vulnerability Summary analysis tool appears, populated with data from the scan.

To view scan result details for a set of scan results:

a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Click View.

The View Scan Result page appears. For more information, see Scan Result Details.

To download the results of a scan:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Download.

Tip: On a standard scan, you can download a Tenable Nessus results file. If the scan contains
SCAP results, you can use an additional option to download the SCAP results.

To manually import scans listed on the scan results page:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Import.

Tip: This option is useful for cases where a scan may have not fully imported after
completion. For example, if Tenable Security Center blocked a scan because importing it
would have exceeded the licensed IP address count, you can increase the IP address count,
then import the scan results previously not imported.

To share scan results with other users:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Copy.

Selecting a Group from the drop-down box displays a list of users from that group. You
can select one or more users from the list.

To send a copy of the scan results to users without access to Tenable Security Center:

a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Email.

To generate a report for the scan results based off a preconfigured report:
a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Send to Report.

Tenable Security Center sends the scan results to a report.

To upload Tenable Nessus scan results performed by other systems:

- See Upload Scan Results.

To pause or resume a running scan:

- In the row for the scan, click the pause or play button, as described in Start or Pause a
Scan.

To delete a set of scan results from Tenable Security Center:


a. Right-click the row for the scan.

The actions menu appears.

-or-

Select the check box for the scan.

The available actions appear at the top of the table.

b. Select Delete.

Tenable Security Center deletes the scan results.

View Scan Results

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Scan Results.

Note: Tenable Security Center does not include all agent scans in the scan results table. If an agent scan
imports scan results identical to the previous agent scan, Tenable Security Center omits the most recent
agent scan from the scan results table.

Note: If you added the parent node of a Tenable Nessus Manager cluster as a scanner in Tenable Security
Center, Tenable Security Center displays scan results for all child nodes. For more information, see
Clustering in the Tenable Nessus User Guide.

Note: For each agent synchronization job result for a child node, Tenable Security Center
imports a metadata record containing no vulnerability data. This metadata record appears as a
second result on the Scan Results page. To prevent Tenable Security Center from importing the
metadata file, configure and launch agent scans from Tenable Security Center, as described in
Agent Scans.

To view a list of scan results:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Scan Results.

The Scan Results page appears.

3. View details about each scan result.

- Name — The name for the scan associated with the result.

- Type — The type of scan that generated the scan result.

- Scan Policy — The name of the scan policy that generated the scan result.

- Scanned IPs — The number of IP addresses scanned.

- Group — The group associated with the scan.

- Owner — The username for the user who added the scan.

- Duration — The total time elapsed while running the scan.

- Import Time — The date and time Tenable Security Center completed the scan result
import.

- Status — The status of the scan that generated the scan result. For more information,
see Scan Status.

4. To view additional details for a scan result, see View Scan Result Details.

View Scan Result Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view details for any scan result. For more information, see Scan Results.

To view scan result details:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Scan Results.

The Scan Results page appears.

3. Right-click the row for the scan result.

The actions menu appears.

-or-

Select the check box for the scan result.

The available actions appear at the top of the table.

4. Click View.

The View Scan Result page appears.

Section Action

General View general information for the scan result.

- Name — The scan result name.

- Type — The type of scan that generated the scan result.

- Scan Policy — The name of the scan policy that generated the scan result.

- Repository — The name of the repository associated with the scan policy that generated
the scan result.

- Scanned IPs / Total IPs — The number of IP addresses scanned compared to the total
number of IP addresses targeted in the scan.

- Status — The scan status. For more information, see Scan Status.

- Start Time — The date and time Tenable Security Center started the scan.

- Finish Time — The date and time Tenable Security Center completed the scan.

- Duration — The total time elapsed while running the scan.

- Import Start — The date and time Tenable Security Center started the scan result import.

- Import Finish — The date and time Tenable Security Center completed the scan result
import.

- Import Status — The scan result import status. For more information, see Import Status.

- Import Duration — The total time elapsed during scan result import.

- Owner — The username for the user who added the scan.

- Group — The group associated with the scan.

- ID — The scan result ID.

Tenable Synchronization Data View synchronization summary data:

- Status — The status of the Tenable Lumin synchronization containing this scan result data:

  - Not Synced — The repository containing this scan result data is not configured for
  Tenable Lumin synchronization.

  - Syncing — The Tenable Lumin synchronization containing this scan result data is in
  progress.

  - Finished — The most recent synchronization that included this scan result data
  succeeded.

  - Error — An error occurred. For more information, see View Tenable Lumin Data Logs.

- Start Time — The date and time Tenable Security Center started the most recent transfer
of data to Tenable Vulnerability Management.

- Finish Time — The date and time Tenable Security Center finished the most recent transfer
of data to Tenable Vulnerability Management.

- Duration — The total time elapsed during the most recent transfer of data to Tenable
Vulnerability Management.

- Details — If the Status is Error, details about the error.

For more information about Tenable Lumin synchronization, see Tenable Lumin Synchronization.

Upload Scan Results

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can upload active or agent scan results from scans performed by other systems. Tenable
Security Center accepts either a raw .nessus file or a compressed .zip archive that contains exactly
one .nessus file. This allows you to import scan results from scans run in remote locations
without network connectivity to Tenable Security Center.

Note: To upload files greater than 300 MB to Tenable Security Center, you must modify upload_max_filesize
in /opt/sc/support/etc/php.ini to accommodate the larger uploads.

Scan Result-Repository Incompatibility

Caution: Tenable does not recommend importing scan results to incompatible repositories since data may
be omitted.

If you upload agent scan results to a non-agent repository, Tenable Security Center omits all
vulnerabilities without IP Address data for the host. Non-agent repositories cannot uniquely
identify hosts without IP Address data for the host.

If you upload non-agent scan results to an agent repository, Tenable Security Center omits all
vulnerabilities without Agent ID data for the host. Agent repositories cannot uniquely identify hosts
without Agent ID data for the host.

To upload scan results:

1. Log in to Tenable Security Center via the user interface.

2. Click Scans > Scan Results.

The Scan Results page appears.

3. At the top of the table, click Upload Scan Results.

4. In the Scan File option, click Choose File.

The file uploads to Tenable Security Center.

5. In the Import Repository drop-down box, select a repository.

6. If you selected an IPv4, IPv6, or Universal repository, enable or disable the Advanced options:
Track hosts which have been issued new IP address, Scan Virtual Hosts, and Immediately
remove vulnerabilities from scanned hosts that do not reply.

For more information about the advanced options, see Active Scan Settings.

7. Click Submit.

Tenable Security Center saves your configuration.
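A pre-flight check for a manual upload, written as an added example for this guide (it is not Tenable's code and does not call the Tenable Security Center API). It applies the rules stated above: the upload is a raw .nessus file or a .zip holding exactly one .nessus, uploads over 300 MB need a larger upload_max_filesize, and a repository-type mismatch drops hosts that lack the identifier the repository keys on (host-ip for IPv4/IPv6/Universal repositories, an agent ID for agent repositories). The sample .nessus document is constructed, and the agent ID tag name AGENT_ID_TAG is an assumption to adjust for your own exports.

```python
"""Pre-flight check for a manual scan result upload to Tenable Security Center.

Added example, not Tenable's code. It enforces the upload rules the guide
states (a raw .nessus file, or a .zip holding exactly one .nessus; uploads
over 300 MB need a larger upload_max_filesize in php.ini) and reports the
hosts a repository-type mismatch would drop: a non-agent repository needs a
host-ip tag, an agent repository needs an agent ID tag. The sample .nessus
below is constructed, and AGENT_ID_TAG is an assumed tag name.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

DEFAULT_UPLOAD_LIMIT = 300 * 1024 * 1024  # default limit the guide states
AGENT_ID_TAG = "tenable-agent-id"         # assumption: adjust to the tag your exports carry

# Constructed sample: one host with an IP address, one agent-only host without one.
SAMPLE_NESSUS = b"""<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="sample">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
      </HostProperties>
      <ReportItem port="445" protocol="tcp" pluginID="1001" severity="4"/>
      <ReportItem port="443" protocol="tcp" pluginID="1002" severity="2"/>
    </ReportHost>
    <ReportHost name="laptop-07">
      <HostProperties>
        <tag name="tenable-agent-id">7d0f1c2e-aaaa-bbbb-cccc-123456789abc</tag>
      </HostProperties>
      <ReportItem port="0" protocol="tcp" pluginID="2001" severity="3"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def extract_nessus(data: bytes) -> bytes:
    """Return the .nessus XML from raw upload bytes or from a zip with one .nessus member."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return data
    with zipfile.ZipFile(buf) as zf:
        members = [n for n in zf.namelist() if n.lower().endswith(".nessus")]
        if len(members) != 1:
            raise ValueError(f"archive must contain exactly one .nessus file, found {len(members)}")
        return zf.read(members[0])

def host_tags(report_host) -> dict:
    """Collect <tag name="...">value</tag> entries from a ReportHost."""
    props = report_host.find("HostProperties")
    if props is None:
        return {}
    return {t.get("name"): (t.text or "") for t in props.findall("tag")}

def preflight(data: bytes, repository_type: str) -> dict:
    """repository_type is 'agent' or 'ip' (for IPv4, IPv6, and Universal repositories)."""
    root = ET.fromstring(extract_nessus(data))
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 document")
    required = AGENT_ID_TAG if repository_type == "agent" else "host-ip"
    hosts = root.findall("./Report/ReportHost")
    dropped = [h.get("name") for h in hosts if not host_tags(h).get(required)]
    kept = [h for h in hosts if h.get("name") not in dropped]
    return {
        "hosts": len(hosts),
        "hosts_dropped": dropped,
        "vulnerabilities_kept": sum(len(h.findall("ReportItem")) for h in kept),
        "needs_php_ini_change": len(data) > DEFAULT_UPLOAD_LIMIT,
    }

def zip_upload(nessus_bytes: bytes, name: str = "scan.nessus") -> bytes:
    """Package a .nessus file the way the guide expects: one file per archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, nessus_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    for repo in ("ip", "agent"):
        print(repo, preflight(zip_upload(SAMPLE_NESSUS), repo))
```

Run it before choosing the Import Repository: a non-empty hosts_dropped list for the repository type you intend to select is exactly the data loss the caution above warns about, and needs_php_ini_change tells you whether the upload will be rejected before any parsing happens.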

Solutions Analysis
Tenable provides recommended solutions for all vulnerabilities on your network. You can perform
the recommended action in a solution to lower the risk on your network.

For more information, see:

- View Solutions

- View Solution Details

View Solutions

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can use the Solutions page to view solutions for specific assets on your network or drill into
solution details.

To view solutions for assets on your network:

1. Log in to Tenable Security Center via the user interface.

2. Click Solutions.

The Solutions page appears.

3. To filter the solutions in the table by an asset list, in the Targeted Assets drop-down box,
click an asset list name.

The system refreshes the page and filters the table by the asset list you selected. For more
information about asset lists, see Assets.

4. To customize the table, see Interact with a Customizable Table.

5. View information about each solution.

- Solution — A description for the solution.

- Risk Reduction — The percent you would reduce your risk by addressing the vulnerability
in the solution. Tenable Security Center calculates the risk reduction percentage by
dividing the score of the vulnerabilities in the solution by the score of all of the
vulnerabilities on your network.

- Hosts Affected — The number of devices affected by the solution.

- Vulnerabilities — The number of vulnerability instances included in the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

- VPR — The highest VPR for a vulnerability included in the solution.

- CVSSv3 Base Score — The highest CVSSv3 score for a vulnerability included in the
solution. If only CVSSv2 is available, the column is blank.

6. To view details for a solution, click a row.

The Solution Details page appears. For more information, see Solution Details.

View Solution Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can use the Solution Details page to view details for a specific solution. To export the details
for a solution, see Export Hosts Affected by a Solution.

To view details for a specific solution:

1. Log in to Tenable Security Center via the user interface.

2. Click Solutions.

The Solutions page appears.

3. Click a solution row.

The Solution Details page appears.

Section Action

Metrics summary View summary statistics for the recommended solution.

- Hosts Affected — The number of devices affected by the solution.

- Vulnerabilities — The total number of vulnerability instances included in the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

- VPR — The highest VPR for a vulnerability included in the solution.

- CVSSv3 Base Score — The highest CVSSv3 score for a vulnerability included in the solution.
If only CVSSv2 is available, the column is blank.

Vulnerabilities Included table View all vulnerabilities related to the recommended solution,
sorted by decreasing VPR.

- Plugin — The plugin ID.

- Hosts Affected — The number of devices affected by the solution.

- VPR — The VPR for the vulnerability.

- CVSSv3 Base Score — The CVSSv3 score for the vulnerability included in the solution. If
only CVSSv2 is available, the column is blank.

Hosts Affected table View device information.

- IP Address — The IP address for the device.

- NetBIOS — The NetBIOS name, if known.

- DNS — The DNS name, if known.

- OS CPE — The operating system common platform enumeration (CPE) name.

- Repository — The repository name where the device's scan data is stored.

A device appears in multiple rows if the device's scan data is stored in multiple repositories.

What to do next:

- (Optional) Export the hosts affected by the solution to share with others in your organization,
as described in Export Hosts Affected by a Solution.

Export Hosts Affected by a Solution

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export a list of hosts affected by a solution as a .csv file to share the data with others in
your organization. For more information, see Solutions Analysis.

To export hosts affected by a solution:

1. Log in to Tenable Security Center via the user interface.

2. Click Solutions.

The Solutions page appears.

3. Click the row for the solution for which you want to export a list of affected hosts.

The Solution Details page appears.

4. In the upper-right corner, click Export as CSV.

A confirmation window appears.

Note: If the number of affected hosts is greater than 1,000, Tenable Security Center prompts you to
type a name for the CSV report result you want to generate. After generation, you can download the
report result, as described in Download a Report Result.

5. Select or clear the check boxes to indicate which columns you want to appear in the exported
file.

Column Name Description

Solution ID The plugin ID associated with the recommended solution.

Solution A description for the solution.

Tenable UUID The Tenable UUID, if applicable. A Tenable UUID uniquely identifies:

- Agent-detected assets that may share a common IP address.

- OT Security assets that may not have an IP address. For more information, see OT
Security Instances.

DNS The DNS name of the device, if known.

IP Address The IP address for the device.

OS The operating system running on the device.

CVEs The number of unique CVEs associated with vulnerabilities on the affected host that are
addressed by the solution.

CVE Instances The total number of CVE instances associated with vulnerabilities on the
affected host that are addressed by the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

OS CPE The operating system common platform enumeration (CPE) name of the device.

Repository The name of the repository that stores the device's scan data.

MAC The MAC address of the device, if known.

NetBIOS The NetBIOS name of the device, if known.

Vulnerabilities The total number of vulnerability instances on the affected host addressed by
the solution.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

Vulnerability Percentage The number of vulnerability instances on the affected host addressed
by the solution as a percentage of total vulnerability instances.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

Score The sum of the weighted CVSS score across vulnerability instances on the affected host
addressed by the solution.

Note: Tenable Security Center uses either CVSSv2 or CVSSv3 to assess the severity of
vulnerabilities, depending on your configuration. For more information, see Organizations.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset,
identified uniquely by plugin ID, port, and protocol.

Risk Reduction The percent you would reduce your risk across all solutions and affected hosts
by addressing the vulnerabilities on this affected host associated with the solution. Tenable
Security Center calculates the risk reduction percentage by dividing the total CVSS score of
the vulnerabilities on the affected host addressed by the solution by the total CVSS score of
all of the vulnerabilities on your network.

Note: Tenable Security Center uses either CVSSv2 or CVSSv3 to assess the severity of
vulnerabilities, depending on your configuration. For more information, see Organizations.

MS Bulletins The number of unique MS Bulletins associated with vulnerabilities on the affected
host that are addressed by the solution.

MS Bulletin Instances The total number of vulnerabilities with associated MS Bulletins on the
affected host that are addressed by the solution.

VPR The highest VPR of all vulnerabilities on the affected host that are addressed by the
solution. If no VPR is available, the column is blank.

CVSS v3 The highest CVSSv3 score of all vulnerabilities on the affected host that are addressed
by the solution. If only a CVSSv2 score is available, the column is blank.

6. Click Download.

Tenable Security Center exports the list of hosts affected by the solution.

Vulnerability Analysis
The Vulnerabilities page displays vulnerabilities from either the cumulative or mitigated
vulnerability database. For more information, see Cumulative vs. Mitigated Vulnerabilities.

Note: If multiple vulnerabilities share the same IP Address or Agent ID data, Tenable Security Center
assumes they are from the same host.

To perform a common type of vulnerability analysis, see View Vulnerabilities by Plugin or View
Vulnerabilities by Host.

To view a specific vulnerability analysis tool, see Vulnerability Analysis Tools.

Cumulative vs. Mitigated Vulnerabilities


Tenable Security Center stores vulnerabilities in two databases: the cumulative database and the
mitigated database. You can choose to view cumulative vulnerabilities or mitigated vulnerabilities in
any vulnerability analysis tool. For more information, see View Cumulative or Mitigated
Vulnerabilities.

Cumulative Vulnerabilities

The cumulative database contains the vulnerabilities that are currently present on your network,
including recast, accepted, or previously mitigated vulnerabilities.

Mitigated Vulnerabilities
The mitigated database contains vulnerabilities that Tenable Security Center determines are not
vulnerable, based on the scan definition, the results of the scan, the current state of the cumulative
view, and authentication information.

A vulnerability is mitigated if:

- The IP address of the vulnerability was in the target list of the scan.

- The plugin ID of the vulnerability was in the list of scanned plugins.

- The port of the vulnerability was in the list of scanned ports.

- The vulnerability with that IP address/port/plugin ID combination was not in the scan result.

To start, the vulnerability must appear in the cumulative view to be considered for mitigation. The
import process then looks at each vulnerability in the import repository. The import process also
verifies that authentication was successful before mitigating any local check vulnerabilities that
meet the above criteria.

Note: Mitigation logic works with scans using policies defined by templates, advanced policies, and
remediation scans. These policies are set up to take advantage of this new mitigation logic.

For more information about mitigation, see the knowledge base article.
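The four criteria above, plus the authentication check for local checks, written out as an added example (not Tenable's import code, which works per repository and on far more data than this). It decides, for each entry in a constructed cumulative view, whether an imported scan would move it to the mitigated database or leave it where it is, and records why. Two modelling choices are assumptions made for the example: local (credentialed) checks are represented as port 0, and the set of plugin IDs that are local checks is listed explicitly.

```python
"""Mitigation decision for an imported scan, as the guide describes it.

Added example, not Tenable's code. A cumulative entry moves to the mitigated
database only when the scan targeted its IP, ran its plugin, covered its
port, and did not report it again; a local (credentialed) check is mitigated
only if authentication succeeded on that host. All data below is constructed.
Local checks are modelled as port 0 and their plugin IDs listed explicitly;
both are assumptions for the sake of the example.
"""

# Constructed cumulative view: (ip, port, plugin_id)
CUMULATIVE = {
    ("10.0.0.1", 445, 1001),   # targeted, not reported again -> mitigated
    ("10.0.0.2", 445, 1001),   # still reported -> stays cumulative
    ("10.0.0.1", 0, 2001),     # local check, host authenticated -> mitigated
    ("10.0.0.2", 0, 2001),     # local check, auth failed -> stays cumulative
    ("10.0.0.9", 445, 1001),   # not in the target list -> untouched
    ("10.0.0.1", 8080, 3001),  # port not scanned -> untouched
    ("10.0.0.1", 445, 4001),   # plugin not in the policy -> untouched
}

# Constructed scan definition and result
SCAN = {
    "targets": {"10.0.0.1", "10.0.0.2"},
    "plugins": {1001, 2001, 3001},
    "ports": {0, 445},
    "results": {("10.0.0.2", 445, 1001)},   # findings the new scan reported
    "authenticated_hosts": {"10.0.0.1"},    # hosts where credentials worked
}
LOCAL_CHECK_PLUGINS = {2001}  # assumption: plugins that need credentials

def mitigation_reason(entry, scan, local_check_plugins):
    """Return None if the entry should be mitigated, else the reason it stays."""
    ip, port, plugin = entry
    if ip not in scan["targets"]:
        return "ip not targeted"
    if plugin not in scan["plugins"]:
        return "plugin not scanned"
    if port not in scan["ports"]:
        return "port not scanned"
    if entry in scan["results"]:
        return "still present"
    if plugin in local_check_plugins and ip not in scan["authenticated_hosts"]:
        return "authentication failed"
    return None

def apply_import(cumulative, scan, local_check_plugins):
    """Split the cumulative view into entries that move to mitigated and entries that stay."""
    mitigated, remaining = set(), {}
    for entry in sorted(cumulative):
        reason = mitigation_reason(entry, scan, local_check_plugins)
        if reason is None:
            mitigated.add(entry)
        else:
            remaining[entry] = reason
    return mitigated, remaining

if __name__ == "__main__":
    moved, kept = apply_import(CUMULATIVE, SCAN, LOCAL_CHECK_PLUGINS)
    for entry in sorted(moved):
        print("mitigated:", entry)
    for entry, why in kept.items():
        print("kept:", entry, "-", why)
```

The authentication rule is the one most often missed in practice: a scan whose credentials silently stopped working will not mitigate anything that depends on a local check, so a credentialed finding that persists after a patch is a prompt to check the scan's authentication status before assuming the patch failed.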

View Cumulative or Mitigated Vulnerabilities

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For general information about cumulative vulnerabilities and mitigated vulnerabilities, see
Cumulative vs. Mitigated Vulnerabilities.

To switch between viewing mitigated or cumulative vulnerabilities:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the upper-right corner, click Cumulative or Mitigated.

The page updates to display data from the mitigated or cumulative vulnerability database.

CVSS vs. VPR


Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.

Note: When you view these metrics on an analysis page organized by plugin (for example, the
Vulnerabilities page), the metrics represent the highest value assigned or calculated for a
vulnerability associated with the plugin.

CVSS
Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved
from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities.

Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the
vulnerability's static CVSS score (the CVSS version depends on your configuration). For more
information, see Organizations.

Tenable Security Center analysis pages provide summary information about vulnerabilities using the
following CVSS categories.

Severity CVSSv2 Range CVSSv3 Range

Critical
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is 10.0.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 9.0 and 10.0.

High
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 7.0 and 8.9.

Medium
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 4.0 and 6.9.

Low
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is between 0.1 and 3.9.

Info
  CVSSv2: The plugin's highest vulnerability CVSSv2 score is 0, or the plugin does not search for
  vulnerabilities.
  CVSSv3: The plugin's highest vulnerability CVSSv3 score is 0, or the plugin does not search for
  vulnerabilities.

Vulnerability Priority Rating


Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the
current threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher
likelihood of exploit.

VPR Category VPR Range

Critical 9.0 to 10.0

High 7.0 to 8.9

Medium 4.0 to 6.9

Low 0.1 to 3.9

Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many
vulnerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these
vulnerabilities according to their CVSS-based severity.

Note: You cannot edit VPR values.

Tenable Security Center provides new and updated VPR values through the Tenable Security Center
feed. For more information, see Edit Plugin and Feed Schedules.

Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:

- The Tenable-provided Vulnerability Priority Rating (VPR) Summary dashboard, described in
Dashboards.

- The Vulnerability Summary, Vulnerability List, and Vulnerability Detail List tools, described in
View Vulnerabilities by Plugin.
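The severity and VPR bucket tables above, the per-plugin "highest value" rule from the note at the start of this section, and the Risk Reduction definition from the Solutions pages, all applied to one constructed set of vulnerability instances. This is an added example, not Tenable's scoring code; the instances, plugin IDs and solution names are made up, and the organization's configured CVSS version is passed in as the version argument. The CVSSv2 table is the one people get wrong: a 9.3 is High under CVSSv2 but would be Critical under CVSSv3, and only an exact 10.0 is Critical under CVSSv2.

```python
"""Severity buckets and solution risk reduction, as the guide defines them.

Added example, not Tenable's code. cvss_severity applies the two bucket
tables in the guide (CVSSv2 reaches Critical only at 10.0, CVSSv3 from 9.0),
vpr_category applies the VPR ranges, plugin_rollup shows the highest value
per plugin the plugin-organized pages display, and risk_reduction reproduces
the Solutions page definition: the summed score of the instances a solution
addresses divided by the summed score of every instance on the network.
The vulnerability instances below are constructed data.
"""

def cvss_severity(score, version):
    """Map a CVSSv2 (version=2) or CVSSv3 (version=3) base score to a severity name."""
    if score is None:
        return None            # no score for this version: the column is blank
    if version == 2:
        if score >= 10.0:
            return "Critical"
    elif score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"

def vpr_category(vpr):
    """Map a VPR to its category; vulnerabilities without a CVE in NVD have no VPR."""
    if vpr is None:
        return None
    for name, floor in (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0)):
        if vpr >= floor:
            return name
    return "Low"

# Constructed vulnerability instances: one per (plugin, host, port, protocol)
INSTANCES = [
    {"plugin": 1001, "host": "10.0.0.1", "port": 445, "protocol": "tcp",
     "cvss2": 10.0, "cvss3": 9.8, "vpr": 9.6, "solution": "Apply patch X"},
    {"plugin": 1001, "host": "10.0.0.2", "port": 445, "protocol": "tcp",
     "cvss2": 10.0, "cvss3": 9.8, "vpr": 9.6, "solution": "Apply patch X"},
    {"plugin": 1002, "host": "10.0.0.1", "port": 443, "protocol": "tcp",
     "cvss2": 7.5, "cvss3": 7.5, "vpr": 5.9, "solution": "Upgrade Y"},
    {"plugin": 1004, "host": "10.0.0.2", "port": 22, "protocol": "tcp",
     "cvss2": 9.3, "cvss3": None, "vpr": 6.1, "solution": "Upgrade Y"},
    {"plugin": 1003, "host": "10.0.0.3", "port": 0, "protocol": "tcp",
     "cvss2": 0.0, "cvss3": 0.0, "vpr": None, "solution": None},
]

def score(inst, version):
    """Score used for weighting under the configured CVSS version; a missing score counts 0."""
    return inst["cvss2" if version == 2 else "cvss3"] or 0.0

def plugin_rollup(instances, version):
    """Per-plugin view: the highest CVSS and VPR across that plugin's instances."""
    out = {}
    for inst in instances:
        cur = out.setdefault(inst["plugin"], {"cvss": None, "vpr": None})
        s = inst["cvss2" if version == 2 else "cvss3"]
        if s is not None and (cur["cvss"] is None or s > cur["cvss"]):
            cur["cvss"] = s
        if inst["vpr"] is not None and (cur["vpr"] is None or inst["vpr"] > cur["vpr"]):
            cur["vpr"] = inst["vpr"]
    for cur in out.values():
        cur["severity"] = cvss_severity(cur["cvss"], version)
        cur["vpr_category"] = vpr_category(cur["vpr"])
    return out

def risk_reduction(instances, version):
    """Percent of the network's total score removed by each solution."""
    total = sum(score(i, version) for i in instances)
    per_solution = {}
    for inst in instances:
        if inst["solution"] is not None:
            per_solution[inst["solution"]] = per_solution.get(inst["solution"], 0.0) + score(inst, version)
    if not total:
        return {}
    return {sol: round(100.0 * s / total, 2) for sol, s in per_solution.items()}

if __name__ == "__main__":
    for version in (2, 3):
        print(f"CVSSv{version}:", plugin_rollup(INSTANCES, version))
        print(f"CVSSv{version} risk reduction:", risk_reduction(INSTANCES, version))
```

Switching version from 2 to 3 changes both the severity column and every solution's risk reduction, because instances with no CVSSv3 score contribute nothing to the totals under CVSSv3; that is worth remembering when an organization's CVSS setting is changed and the Solutions ranking shifts.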

VPR Key Drivers

You can view the following key drivers to explain a vulnerability's VPR.

Note: Tenable does not customize these values for your organization; VPR key drivers reflect a
vulnerability's global threat landscape.

Key Driver Description

Vulnerability Age The number of days since the National Vulnerability Database (NVD) published
the vulnerability.

CVSSv3 Impact Score The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did
not provide a score, Tenable Security Center displays a Tenable-predicted score.

Exploit Code Maturity The relative maturity of a possible exploit for the vulnerability based on the
existence, sophistication, and prevalence of exploit intelligence from internal and external
sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional,
PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

Product Coverage The relative number of unique products affected by the vulnerability: Low,
Medium, High, or Very High.

Threat Sources A list of all sources (e.g., social media channels, the dark web, etc.) where threat
events related to this vulnerability occurred. If the system did not observe a related threat event
in the past 28 days, the system displays No recorded events.

Threat Intensity The relative intensity based on the number and frequency of recently observed
threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

Threat Recency The number of days (0-180) since a threat event occurred for the vulnerability.

Threat Event Examples

Common threat events include:

- An exploit of the vulnerability

- A posting of the vulnerability exploit code in a public repository

- A discussion of the vulnerability in mainstream media

- Security research about the vulnerability

- A discussion of the vulnerability on social media channels

- A discussion of the vulnerability on the dark web and underground

- A discussion of the vulnerability on hacker forums

Vulnerability Analysis Tools


On the Vulnerabilities page, you can use the drop-down box to select the vulnerability analysis tool
you want to view.

To perform a common type of vulnerability analysis, see View Vulnerabilities by Plugin or View
Vulnerabilities by Host.

Analysis Tool Description

Asset Summary This tool summarizes the scores and counts of vulnerabilities for all dynamic or
static asset lists. A breakdown of each asset's specific vulnerabilities and counts for each severity
level is also included.

You can click a count to view the IP Summary tool, filtered by the asset list you selected.

CCE Summary This displays a summary of hosts which have Common Configuration Enumeration
(CCE) vulnerabilities.

You can click a count to view the Vulnerability Summary tool, filtered by the CCE vulnerability you
selected.

Class A Summary, Class B Summary, Class C Summary These tools summarize host information by
network block. The vulnerability score for an address is computed by counting the vulnerabilities
at each severity level and multiplying each count by the organization's severity score for that
level.

Starting out with a Class A or Class B summary can identify more active network ranges for
networks with a large number of active IP addresses.

You can click a Class A or Class B row to view the Class B or Class C tool, filtered by the range
you selected. You can click a Class C row to view the IP Summary tool, filtered by the range you
selected.

CVE Summary This view groups vulnerabilities based on their CVE ID, severity, and
vulnerability count.

DNS Name Summary Tenable Security Center includes the ability to summarize information by
vulnerable DNS name. The DNS Name Summary lists the matching hostnames, the repository,
vulnerability count, and a breakdown of the individual severity counts.

You can click a DNS name to view the Vulnerability List tool, filtered by
the DNS name you selected.

IAVM Summary This view groups vulnerabilities based on their IAVM ID, severity, and
vulnerability count.

IP Summary Summarizes host information, organized by IP address/agent ID. You can click the
IP Address to view host details, as described in View Host Details.

For more information, see View Vulnerabilities by Host.

List Mail Clients Tenable Security Center uses Tenable Nessus Network Monitor to
determine a unique list of email clients. The list contains the email client
name, count of detections, and the detection method.


You can click a count to view the IP Summary tool, filtered by the email
client you selected.

List OS Tenable Security Center understands both actively and passively fingerprinted operating
systems. This tool lists what has been discovered. The method (active, passive, or event) of
discovery is also indicated.

You can click a count to view the IP Summary tool, filtered by operating
system.

List Services Tenable Security Center processes information from scans and creates a
summary of unique services discovered. The service discovered, count of
hosts, and detection method are listed.

You can click a service to view the IP Summary tool, filtered by the
service you selected.

List Software Tenable Security Center processes information from scans and creates a
summary of unique software packages discovered. The software name,
count of hosts, and detection method are listed.

You can click a software name to view the IP Summary tool, filtered by
the software you selected.

List SSH Servers This tool utilizes active and passive scan results to create a unique list of
known SSH servers. The list contains the ssh server name, count of
detections, and the detection method.

Tip: Not all SSH servers run on port 22. Do not be surprised if you encounter
SSH servers running on unexpected ports.

You can click a count to view the IP Summary tool, filtered by the SSH
server you selected.

List Web Clients Tenable Security Center understands Tenable Nessus Network Monitor plugin ID
1735, which passively detects the web client in use. This tool lists the unique web clients
detected. The list contains the user-agents, count of detections, and the detection method.

You can click a count to view the IP Summary tool, filtered by the web client you selected.

List Web Servers This tool takes the passive output from passive and active scans to
create a unique list of known web servers. The list contains the web
server name, count of detections, and the detection method.

Tip: Not all web servers run on port 80 or 443. Do not be surprised if you
encounter web servers running on unexpected ports.

You can click a count to view the IP Summary tool, filtered by the web
server you selected.

MS Bulletin This tool filters vulnerabilities based on Microsoft Bulletin ID. Displayed
Summary are the IDs, Vulnerability Totals, Host Total, and Severity. This view is
particularly useful in cases where Microsoft releases a new bulletin and a
quick snapshot of vulnerable hosts is required.

Plugin Family This tool charts the Nessus, Tenable Nessus Network Monitor, or Event
Summary plugin family as well as their relative counts based on severity level for all
matching vulnerabilities.

You can click a count to view the Vulnerability List tool, filtered by the
plugin family you selected.

Port Summary A summary of the ports in use is displayed for all matched vulnerabilities.
Each port has its count of vulnerabilities as well as a breakdown for each
severity level.

You can click a port to view the IP Summary tool, filtered by the port you
selected.

Protocol This tool summarizes the detected IP protocols such as TCP, UDP, and
Summary ICMP. The tool also breaks out the counts for each protocol’s severity
levels.

- 634 -
Analysis Tool Description

You can click a count to view the IP Summary tool, filtered by the count
you selected.

Remediation The Remediation Summary tool provides a list of remediation actions that
Summary may be taken to prioritize tasks that have the greatest effect to reduce
vulnerabilities in systems. This list provides a solution to resolve a
particular CPE on a given OS platform. The data provided includes:

l Risk Reduction — The percent you would reduce your risk by


addressing the vulnerability in the solution. Tenable Security Center
calculates the risk reduction percentage by dividing the score of the
vulnerabilities in the solution by the score of all of the vulnerabilities
on your network.

l Hosts Affected — The number of unique hosts that would be


affected by performing the remediation action.

l Vulnerabilities — The count of vulnerabilities (Tenable Nessus


plugins) that would be remediated by performing the remediation
action.

l Score — This is calculated by adding up the score for each


vulnerability that would be remediated by performing the
remediation action.

l CVE — The number of distinct CVEs that would be remediated by


performing the remediation action.

l MS Bulletin — The number of unique MS Bulletins that would be


remediated by performing the remediation action.

l Vulnerability % — The count of vulnerabilities (Tenable Nessus


plugins) that would be remediated by performing the remediation
action over the total vulnerability count returned by the query as a
percentage.
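As an added illustration (not Tenable's code), the Remediation Summary columns can be reproduced from a set of vulnerability instances grouped by solution. The sample instances, plugin IDs and scores below are constructed, and the Vulnerabilities and Vulnerability % columns are assumed to count distinct plugins, as the column descriptions suggest:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnInstance:
    """One vulnerability instance (plugin ID, host, port, protocol) plus the
    plugin metadata the Remediation Summary columns are built from."""
    plugin_id: int
    host: str
    port: int
    protocol: str
    score: float                # severity score contributed by this instance
    solution: str               # remediation action text from the plugin
    cves: tuple = ()            # CVE IDs referenced by the plugin
    ms_bulletins: tuple = ()    # Microsoft bulletin IDs referenced by the plugin


# Constructed sample data: two hosts needing an Apache upgrade and two hosts
# missing a Microsoft bulletin. Plugin IDs and scores are made up for the demo;
# the CVE and bulletin IDs are the example values quoted in this guide.
SAMPLE_INSTANCES = [
    VulnInstance(1001, "10.0.0.1", 80, "tcp", 10.0, "Upgrade Apache httpd", ("CVE-2011-3348",)),
    VulnInstance(1001, "10.0.0.2", 80, "tcp", 10.0, "Upgrade Apache httpd", ("CVE-2011-3348",)),
    VulnInstance(1002, "10.0.0.1", 443, "tcp", 5.0, "Upgrade Apache httpd",
                 ("CVE-2011-3268", "CVE-2011-3267")),
    VulnInstance(2001, "10.0.0.3", 445, "tcp", 4.0, "Apply MS10-012", (), ("MS10-012",)),
    VulnInstance(2001, "10.0.0.2", 445, "tcp", 4.0, "Apply MS10-012", (), ("MS10-012",)),
]


def remediation_summary(instances):
    """Group instances by solution and compute one Remediation Summary row each.

    Risk Reduction = score of the solution's vulnerabilities / score of all
    vulnerabilities in the query, as a percentage. Vulnerability % = distinct
    plugins fixed by the solution / distinct plugins in the query (assumed
    interpretation). Rows are sorted so the action with the greatest effect
    comes first.
    """
    total_score = sum(v.score for v in instances)
    total_plugins = len({v.plugin_id for v in instances})
    by_solution = defaultdict(list)
    for v in instances:
        by_solution[v.solution].append(v)

    rows = []
    for solution, vulns in by_solution.items():
        score = sum(v.score for v in vulns)
        plugins = {v.plugin_id for v in vulns}
        rows.append({
            "solution": solution,
            "risk_reduction_pct": round(100.0 * score / total_score, 1),
            "hosts_affected": len({v.host for v in vulns}),
            "vulnerabilities": len(plugins),
            "score": score,
            "cve": len({c for v in vulns for c in v.cves}),
            "ms_bulletin": len({b for v in vulns for b in v.ms_bulletins}),
            "vulnerability_pct": round(100.0 * len(plugins) / total_plugins, 1),
        })
    rows.sort(key=lambda r: r["risk_reduction_pct"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in remediation_summary(SAMPLE_INSTANCES):
        print(row)
```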

Severity Summary
    This tool considers all of the matching vulnerabilities and then charts
    the total number of info, low, medium, high, and critical vulnerabilities.

    You can click a count to view the Vulnerability Summary tool, filtered by
    the severity you selected.

User Responsibility Summary
    This displays a list of the users who are assigned responsibility for the
    vulnerability based on the user's assigned asset list. Multiple users with
    the same responsibility are displayed on the same line. Users without any
    assigned responsibilities are not displayed in the list. Tenable Security
    Center populates this list after you assign an asset to a user account.

Vulnerability Detail List
    Displays the details for a specific vulnerability instance on your
    network.

    Tip: A vulnerability instance is a single instance of a vulnerability
    appearing on an asset, identified uniquely by plugin ID, port, and
    protocol.

    Important options include CVSS v2/CVSS v3 score, CVSS v2/CVSS v3 temporal
    score, VPR, VPR key drivers, availability of public exploit, CVE, BID,
    synopsis, description, and solution.

    For more information, see View Vulnerability Instance Details.

Vulnerability List
    Displays a table of all vulnerability instances found on your network,
    organized by plugin ID.

    Tip: A vulnerability instance is a single instance of a vulnerability
    appearing on an asset, identified uniquely by plugin ID, port, and
    protocol.

    For more information, see View Vulnerabilities by Plugin.

Vulnerability Summary
    Displays a table of all plugins associated with vulnerabilities on your
    network, organized by plugin ID.

    For more information, see View Vulnerabilities by Plugin.

Vulnerability Analysis Filter Components


For general information about using filters, see Filters.

Filter Component (Availability) / Description

Accept Risk (Availability: Cumulative View)
    Displays vulnerabilities based on their Accepted Risk workflow status.
    Available choices include Accepted Risk or Non-Accepted Risk. Choosing
    both options displays all vulnerabilities regardless of acceptance status.

Address (Availability: All)
    This filter specifies an IPv4 or IPv6 address, range, or CIDR block to
    limit the viewed vulnerabilities. For example, entering 198.51.100.28/24
    and/or 2001:DB8::/32 limits any of the web tools to show vulnerability
    data from the specified networks. You can enter addresses in a
    comma-separated list or on separate lines.
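An added example, not part of the guide, of how an Address filter value like the one above can be parsed and applied outside the product with Python's ipaddress module. Treating a CIDR with host bits set (198.51.100.28/24) as its network 198.51.100.0/24 is this helper's assumption, not a documented behaviour of the filter:

```python
import ipaddress


def parse_address_filter(text):
    """Parse an Address filter value into a list of ip_network objects.

    Accepts single addresses, "low-high" ranges and CIDR blocks, separated by
    commas and/or newlines, for both IPv4 and IPv6. A CIDR whose host bits are
    set (198.51.100.28/24 in the guide's example) is normalised to its network
    (198.51.100.0/24); this normalisation is an assumption of this helper.
    """
    networks = []
    for token in text.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            # Explicit range: expand it to the minimal set of CIDR blocks.
            low, high = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"invalid address range: {token}")
            networks.extend(ipaddress.summarize_address_range(low, high))
        else:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def matches_address_filter(networks, host):
    """True if host (an IPv4 or IPv6 address string) falls in any network."""
    addr = ipaddress.ip_address(host)
    # ip_network containment already returns False across address families,
    # so an IPv6 host never matches an IPv4 block and vice versa.
    return any(addr in net for net in networks)


def filter_hosts(networks, hosts):
    """Return the hosts, in their original order, that the filter keeps."""
    return [h for h in hosts if matches_address_filter(networks, h)]


if __name__ == "__main__":
    # Constructed input mirroring the guide's example values, one per line.
    nets = parse_address_filter("198.51.100.28/24\n2001:DB8::/32\n10.0.0.5-10.0.0.9")
    print([str(n) for n in nets])
    print(filter_hosts(nets, ["198.51.100.7", "10.0.0.4", "2001:db8::1"]))
```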

Agent ID (Availability: All)
    Displays results matching the specified agent UUID (Tenable UUID). An
    agent UUID uniquely identifies:

    - Agent-detected assets that may share a common IP address.

    - OT Security assets that may not have an IP address. For more
      information, see OT Security Instances.

Application CPE (Availability: All)
    Allows a text string search to match against available CPEs. The filter
    may be set to search using the Contains, Exact Match, or Regex Filter
    option. The Regex Filter is based on Perl-compatible regular expressions
    (PCRE).

Asset (Availability: All)
    This filter displays systems from the assets you select. If more than one
    asset contains the systems from the primary asset (i.e., there is an
    intersection between the asset lists), those assets are displayed as well.

    Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the
    view.

Asset Criticality Rating (ACR) (Availability: All)
    (Requires Tenable Security Center+ license) Filters for vulnerabilities on
    hosts within the specified ACR range, between 0 and 10.

    For more information, see Asset Criticality Rating in the Tenable
    Vulnerability Management User Guide.

    Tip: To edit the ACR for an asset, see Edit an ACR Manually.

Asset Exposure Score (AES) (Availability: All)
    (Requires Tenable Security Center+ license) Filters for hosts within the
    specified AES range, between 0 and 1000.

    For more information, see Asset Exposure Score in the Tenable
    Vulnerability Management User Guide.

AES Severity (Availability: All)
    (Requires Tenable Security Center+ license) Filters for hosts with the
    specified AES severity.

    For more information, see Asset Exposure Score in the Tenable
    Vulnerability Management User Guide.

Audit File (Availability: All)
    Filters vulnerabilities by plugin IDs associated with the audit file used
    to perform a scan.

CCE ID (Availability: All)
    Displays results matching the entered CCE ID.

CVE ID (Availability: All)
    Displays vulnerabilities based on one or more CVE IDs. Type multiple IDs
    as a comma-separated list (e.g.,
    CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

CVSS v2 Score (Availability: All)
    Displays vulnerabilities within the chosen Common Vulnerability Scoring
    System version 2 (CVSS v2) score range.

CVSS v2 Vector (Availability: All)
    Filters results based on a search against the CVSS v2 vector
    information.

CVSS v3 Score (Availability: All)
    Displays vulnerabilities within the chosen Common Vulnerability Scoring
    System version 3 (CVSS v3) score range.

CVSS v3 Vector (Availability: All)
    Filters results based on a search against the CVSS v3 vector
    information.

Cross References (Availability: All)
    Filters results based on a search against the cross reference
    information in a vulnerability.

Data Format (Availability: All)
    Displays results matching the specified data type: IPv4, IPv6, or Agent.

DNS Name (Availability: All)
    This filter specifies a DNS name to limit the viewed vulnerabilities. For
    example, entering host.example.com limits any of the web tools to only
    show vulnerability data from that DNS name.

Exploit Available (Availability: All)
    If set to yes, displays only vulnerabilities for which a known public
    exploit exists.

Exploit Frameworks (Availability: All)
    When set, matches exploit framework names that are equal to, or contain,
    the text you enter.

IAVM ID (Availability: All)
    Displays vulnerabilities based on one or more IAVM IDs. Type multiple IDs
    as a comma-separated list (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

MS Bulletin ID (Availability: All)
    Displays vulnerabilities based on one or more Microsoft Bulletin IDs.
    Type multiple IDs as a comma-separated list (e.g.,
    MS10-012,MS10-054,MS11-020).

Mitigated (Availability: All)
    Displays vulnerabilities for a specific mitigation status:

    - Previously Mitigated — the vulnerability was previously mitigated, but
      it reappeared in a scan and is currently vulnerable.

    - Never Mitigated — the vulnerability is currently vulnerable and has
      never been mitigated.

    For more information about mitigation, see Mitigated Vulnerabilities.

NetBIOS Name (Availability: All)
    Displays vulnerabilities that match the specified NetBIOS name.

    In the drop-down, select Exact Match, Contains, or Regex Match. Regex
    Match is based on Perl-compatible regular expressions (PCRE).

Output Assets (Availability: Asset Summary Analysis Tool)
    This filter displays only the systems in the asset lists you select.

Patch Published (Availability: All)
    Some plugins contain information about when a patch was published for a
    vulnerability. This filter allows you to search based on when a
    vulnerability's patch became available:

    - None (displays vulnerabilities that do not have a patch available)
    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Plugin Family (Availability: All)
    This filter selects a Nessus or Tenable Nessus Network Monitor plugin
    family. Only vulnerabilities from that family are displayed.

Plugin ID (Availability: All)
    Type the desired plugin ID, or a range based on a plugin ID. Available
    operators are equal to (=), not equal to (!=), greater than or equal to
    (>=), and less than or equal to (<=).

Plugin Modified (Availability: All)
    Tenable plugins contain information about when a plugin was last
    modified. This filter allows you to search based on when a particular
    plugin was modified:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Plugin Name (Availability: All)
    Using the Contains option, type all or a portion of the actual plugin
    name. For example, entering MS08-067 in the plugin name filter displays
    vulnerabilities using the plugin named MS08-067: Microsoft Windows Server
    Service Crafted RPC Request Handling Remote Code Execution (958644)
    (uncredentialed check). Similarly, entering the string uncredentialed
    displays a list of vulnerabilities with that string in the plugin name.

    Use the Regex Match option to filter plugin names based on
    Perl-compatible regular expressions (PCRE).

Plugin Published (Availability: All)
    Tenable plugins contain information about when a plugin was first
    published. This filter allows you to search based on when a particular
    plugin was created:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Plugin Type (Availability: All)
    Select whether to view all plugin types, or only passive, active, event,
    or compliance vulnerabilities.

Port (Availability: All)
    This filter has two parts. First, the equality operator is specified, to
    match vulnerabilities with the same ports, different ports, all ports
    less than, or all ports greater than the port filter. The port filter
    accepts a comma-separated list of ports. For the greater than or less
    than operators, only one port may be used.

    Note: All host-based vulnerability checks are reported with a port of 0
    (zero).

Protocol (Availability: All)
    This filter provides check boxes to select TCP, UDP, or ICMP-based
    vulnerabilities.

Recast Risk (Availability: Cumulative View)
    Displays vulnerabilities based on their Recast Risk workflow status.
    Available choices include Recast Risk or Non-Recast Risk. Choosing both
    options displays all vulnerabilities regardless of recast risk status.

Repositories (Availability: All)
    Displays vulnerabilities from the chosen repositories.

STIG Severity (Availability: All)
    Displays vulnerabilities with the chosen STIG severity in the plugins
    database.

Scan Policy Plugins (Availability: All)
    Displays vulnerabilities found by the plugins currently enabled in the
    scan policy. The policy's Plugins tab specifies which plugins are used
    during the policy's Tenable Nessus scan; you can enable or disable
    plugins in the plugin family view, or in the plugin view for more
    granular control.

Security End of Life Date (Availability: All)
    When available, Tenable plugins contain information about software end
    of life dates. This filter allows you to search based on when a
    particular piece of software reaches end of life:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Severity (Availability: All)
    Displays vulnerabilities with the selected severity. For more
    information, see CVSS vs. VPR.

Users (Availability: All)
    Allows selection of one or more users who are responsible for the
    vulnerabilities.

Vulnerability Discovered (Availability: All)
    Tenable Security Center tracks when each vulnerability was first
    discovered. This filter allows you to see when vulnerabilities were
    discovered:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

    Note: The discovery date is based on when the vulnerability was first
    imported into Tenable Security Center. For Tenable Nessus Network
    Monitor, this date does not match the exact vulnerability discovery
    time, as there is normally a lag between the time that Tenable Nessus
    Network Monitor discovers a vulnerability and the import occurs.

    Note: Days are calculated based on 24-hour periods prior to the current
    time, not calendar days. For example, if the report run time was
    1/8/2019 at 1:00 PM, using a 3-day count would include vulnerabilities
    starting 1/5/2019 at 1:00 PM and not from 12:00 AM.
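An added example, not from the guide, that reproduces the date-window options above for the 1/8/2019 1:00 PM run time in the Note: relative options count 24-hour periods back from the run time, while month, quarter and year options use calendar boundaries. The option names and the half-open window convention are this example's own assumptions, not Tenable's implementation:

```python
from datetime import datetime, timedelta

# Report run time from the Note's example (1/8/2019 at 1:00 PM), used as "now".
RUN_TIME = datetime(2019, 1, 8, 13, 0)


def _month_start(d):
    return d.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def _quarter_start(d):
    first_month = 3 * ((d.month - 1) // 3) + 1
    return _month_start(d).replace(month=first_month)


def _year_start(d):
    return _month_start(d).replace(month=1)


def _add_months(d, n):
    """Shift a first-of-month datetime by n months (n may be negative)."""
    m = d.month - 1 + n
    return d.replace(year=d.year + m // 12, month=m % 12 + 1)


def date_window(option, now, days=None):
    """Return the (start, end) bounds for one date-filter option.

    Bounds are half-open: start is inclusive, end is exclusive, and None means
    unbounded on that side. "within_last" and "more_than_ago" count whole
    24-hour periods back from `now`, not calendar days, as the Note describes.
    Custom Range and Explicit take user-supplied bounds and can be passed
    straight to in_window(); they are not generated here.
    """
    if option in ("within_last", "more_than_ago"):
        if days is None:
            raise ValueError(f"{option} needs a day count")
        cutoff = now - timedelta(days=days)
        return (cutoff, None) if option == "within_last" else (None, cutoff)
    if option == "current_month":
        return (_month_start(now), None)
    if option == "last_month":
        return (_add_months(_month_start(now), -1), _month_start(now))
    if option == "current_quarter":
        return (_quarter_start(now), None)
    if option == "last_quarter":
        return (_add_months(_quarter_start(now), -3), _quarter_start(now))
    if option == "current_year":
        return (_year_start(now), None)
    if option == "last_year":
        return (_year_start(now).replace(year=now.year - 1), _year_start(now))
    raise ValueError(f"unknown date option: {option}")


def in_window(ts, window):
    """True if timestamp ts falls inside the half-open window."""
    start, end = window
    return (start is None or ts >= start) and (end is None or ts < end)


def filter_discovered(instances, option, now, days=None):
    """Keep the (plugin_id, host, discovered) tuples whose discovery time,
    i.e. the import time into Tenable Security Center per the Note, falls in
    the selected window."""
    window = date_window(option, now, days)
    return [inst for inst in instances if in_window(inst[2], window)]


if __name__ == "__main__":
    # Constructed instances: one imported 2 days before the run time, one 4 days before.
    sample = [(1001, "10.0.0.1", RUN_TIME - timedelta(days=2)),
              (1002, "10.0.0.2", RUN_TIME - timedelta(days=4))]
    print(filter_discovered(sample, "within_last", RUN_TIME, days=3))
    print(date_window("last_quarter", RUN_TIME))
```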

Vulnerability Last Observed (Availability: Cumulative View)
    This filter allows you to see when the vulnerability was last observed
    by Tenable Nessus, Tenable Log Correlation Engine, or Tenable Nessus
    Network Monitor:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

    Note: The observation date is based on when the vulnerability was most
    recently imported into Tenable Security Center. For Tenable Nessus
    Network Monitor, this date does not match the exact vulnerability
    discovery time, as there is normally a lag between the time that Tenable
    Nessus Network Monitor discovers a vulnerability and the import occurs.

Vulnerability Mitigated (Availability: Mitigated View)
    This filter allows you to filter results based on when the vulnerability
    was mitigated:

    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Vulnerability Priority Rating (VPR) (Availability: All)
    Displays vulnerabilities within the chosen VPR range. For more
    information, see CVSS vs. VPR.

    Tip: The Vulnerabilities page displays vulnerabilities by plugin. The VPR
    that appears is the highest VPR of all the vulnerabilities associated
    with that plugin.

Vulnerability Published (Availability: All)
    When available, Tenable plugins contain information about when a
    vulnerability was published. This filter allows you to search based on
    when a particular vulnerability was published:

    - All
    - Within the last day
    - Within the last 7 days
    - Within the last 30 days
    - More than 7 days ago
    - More than 30 days ago
    - Current Month
    - Last Month
    - Current Quarter (during the current calendar year quarter)
    - Last Quarter (during the previous calendar year quarter)
    - Current Year
    - Last Year
    - Custom Range (during a specific range you specify)
    - Explicit (at a specific time you specify)

Vulnerability Text (Availability: All)
    Displays vulnerabilities containing the entered text (e.g., php 5.3) or
    regex search term.

Web App Scanning (Availability: All)
    Required Additional License: Tenable Web App Scanning

    Required Tenable Nessus Version: 10.6.1 or later

    Select whether to display web app scan results in the list:

    - Exclude Web App Results - do not display web app scan results in the
      list of vulnerabilities.

    - Include Web App Results - include web app scan results in the list of
      vulnerabilities.

    - Only Web App Results - filter the list to display only web app scan
      results.

Web App URL (Availability: All)
    Required Additional License: Tenable Web App Scanning

    Required Tenable Nessus Version: 10.6.1 or later

    The URL for the discovered web application associated with the
    vulnerability.

View Vulnerabilities by Host

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into analysis views, filtering by host, to view vulnerabilities and vulnerability instances
on a host.

To view vulnerabilities and vulnerability instances associated with a host:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the drop-down box, click IP Summary.

The IP Summary tool appears.

4. Filter the tool to locate the host where you want to view vulnerability instance details, as
described in Filters and Vulnerability Analysis Filter Components.

5. To customize the table, see Interact with a Customizable Table.

6. To view details of a vulnerability instance:

a. Click the row for the vulnerability instance for which you want to view the details.

The Vulnerability List tool appears, filtered by the vulnerability instance you selected.

In this tool, you can:

Options / Actions

Jump to Vulnerability Detail
    View the Vulnerability Detail List page. This page displays the synopsis,
    description, solution, and the plugin output of the vulnerability.

Export
    Export data as a .csv or a .pdf file, as described in Export
    Vulnerability Data.

Save
    - Save Query — Save a query, as described in Add or Save a Query.
    - Save Asset — Save an asset, as described in Assets.

More
    - Open Ticket — Open a ticket, as described in Open a Ticket.
    - Set as Default View — Set this view as your default view.

Cumulative
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Mitigated
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Filters side bar
    Apply a filter, as described in Apply a Filter and Vulnerability
    Analysis Filter Components.

Vulnerability row
    - Click the Plugin ID to view the plugin details associated with the
      vulnerability, as described in View Plugin Details.
    - Click the IP Address to view the host details for the vulnerability,
      as described in View Host Details.
    - Click the row to view the vulnerability instance details in the
      Vulnerability Detail List tool, as described in View Vulnerability
      Instance Details.

    Tip: A vulnerability instance is a single instance of a vulnerability
    appearing on an asset, identified uniquely by plugin ID, port, and
    protocol.

7. To view the host details of an instance:

a. Click the IP Address link.

The System Information pane appears. For more information, see View Host Details.

View Vulnerabilities by Plugin

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into analysis views, filtering by plugin, to view vulnerabilities and vulnerability instances
related to that plugin.

To view vulnerabilities and vulnerability instances associated with a plugin:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the drop-down box, click Vulnerability Summary.

The Vulnerability Summary tool appears.

In this tool, you can:

Options / Actions

Jump to Vulnerability Detail
    View the Vulnerability Detail List page. This page displays the synopsis,
    description, solution, and the plugin output of the vulnerability.

Export
    Export data as a .csv or a .pdf file, as described in Export
    Vulnerability Data.

Save
    - Save Query: Save a query, as described in Add or Save a Query.
    - Save Asset: Save an asset, as described in Assets.

More
    - Open Ticket: Open a ticket, as described in Open a Ticket.
    - Set as Default View: Set this view as your default view.

Cumulative
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Mitigated
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Table
    Customize the table, as described in Interact with a Customizable Table.

Filters side bar
    Apply a filter, as described in Apply a Filter and Vulnerability Analysis
    Filter Components.

Plugin row
    - Click the Plugin ID to view the plugin details for the plugin, as
      described in View Plugin Details.
    - Click the row to view the vulnerability details in the Vulnerability
      List tool.

Plugin row (right-click)
    You can right-click any row to do the following:

    - View the Asset Summary tool, DNS Summary tool, or IP Summary tool.
    - Create an accept risk rule, as described in Add an Accept Risk Rule.
    - Create a recast risk rule, as described in Add a Recast Risk Rule.
    - Launch a remediation scan, as described in Launch a Remediation Scan.

4. Click the row for the plugin where you want to view vulnerability instance details.

The Vulnerability List tool appears, filtered by the plugin you selected.

In this tool, you can:

Options / Actions

Jump to Vulnerability Detail
    View the Vulnerability Detail List page. This page displays the synopsis,
    description, solution, and the plugin output of the vulnerability.

Export
    Export data as a .csv or a .pdf file, as described in Export
    Vulnerability Data.

Save
    - Save Query — Save a query, as described in Add or Save a Query.
    - Save Asset — Save an asset, as described in Assets.

More
    - Open Ticket — Open a ticket, as described in Open a Ticket.
    - Set as Default View — Set this view as your default view.

Cumulative
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Mitigated
    Switch between viewing cumulative vulnerabilities or mitigated
    vulnerabilities, as described in View Cumulative or Mitigated
    Vulnerabilities.

Filters side bar
    Apply a filter, as described in Apply a Filter and Vulnerability Analysis
    Filter Components.

Vulnerability row
    - Click the Plugin ID to view the plugin details associated with the
      vulnerability, as described in View Plugin Details.
    - Click the IP Address to view the host details for the vulnerability,
      as described in View Host Details.
    - Click the row to view the vulnerability instance details in the
      Vulnerability Detail List tool, as described in View Vulnerability
      Instance Details.

    Tip: A vulnerability instance is a single instance of a vulnerability
    appearing on an asset, identified uniquely by plugin ID, port, and
    protocol.

View Vulnerability Instance Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into analysis views to view details for a specific instance of a vulnerability found on
your network.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely
by plugin ID, port, and protocol.

To view vulnerability instance details:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the drop-down box, click Vulnerability Detail List.

The Vulnerability Detail List tool appears.

In this tool, you can:

Section / Actions

Options menu
    - Export data as a .csv or a .pdf file, as described in Export
      Vulnerability Data.
    - Save a query, as described in Add or Save a Query.
    - Save an asset.
    - Open a ticket, as described in Open a Ticket.
    - Set this view as your default view.
    - Switch between viewing cumulative vulnerabilities or mitigated
      vulnerabilities, as described in View Cumulative or Mitigated
      Vulnerabilities.

arrows
    Click the arrows to view other vulnerability instances related to the
    plugin.

toolbar
    - Launch a remediation scan, as described in Launch a Remediation Scan.
    - Create an accept risk rule, as described in Add an Accept Risk Rule.
    - Create a recast risk rule, as described in Add a Recast Risk Rule.

Synopsis and Description
    View information about the plugin, vulnerability instance, and affected
    assets.

Solution
    View the Tenable-recommended action to remediate the vulnerability.

See Also
    View related links about the plugin or vulnerability.

Discovery
    View details about when the vulnerability was discovered and last seen
    on your network.

Host Information
    View details about the asset.

Risk Information
    View metrics (e.g., CVSS score, VPR, etc.) about the risk associated with
    the vulnerability.

Exploit Information
    View details about the exploit.

Plugin Details
    View details about the plugin.

VPR Key Drivers
    View the key drivers Tenable used to calculate the VPR score. For more
    information, see CVSS vs. VPR.

Vulnerability Information
    View Common Platform Enumeration (CPE) details.

Reference Information
    View related links to the CVE, BID, MSFT, CERT, and other industry
    materials about the vulnerability.

View Host Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into analysis views to view details for a specific host on your network.

To view host details from the Vulnerabilities page:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the drop-down box, click Vulnerability List.

The Vulnerability List tool appears.

4. In the IP Address column, click the IP address link to view host details for a specific
vulnerability instance.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified
uniquely by plugin ID, port, and protocol.

The host details panel appears.

Section / Actions

System Information
    View information about the host system.

    - IP Address — The host's IP address, if available.
    - UUID — The host's UUID, if available.
    - NetBIOS Name — The host's NetBIOS name, if available.
    - DNS Name — The host's DNS name, if available.
    - MAC Address — The host's MAC address, if available.
    - OS — The operating system running on the host, if available.
    - CPE — The host's application common platform enumeration (CPE).
    - Score — The cumulative score for all vulnerability instances on the
      host. For more information about vulnerability scoring, see CVSS vs.
      VPR.

      Tip: A vulnerability instance is a single instance of a vulnerability
      appearing on an asset, identified uniquely by plugin ID, port, and
      protocol.

    - Repository — The repository that contains vulnerability data
      associated with the host.
    - Last Scan — The date and time Tenable Security Center last scanned the
      host.
    - Passive Data — Indicates whether a passive scan detected the
      vulnerability.
    - Compliance Data — Indicates whether the scan that detected the
      vulnerability included compliance plugins.

Vulnerabilities
    View the number of vulnerabilities on the host, organized by severity
    category. For more information, see CVSS vs. VPR.

Links
    - View SANS and ARIN links for the host. If configured, this section
      also displays custom resource links.
    - Click a resource link to view details for the current IP address/agent
      IDs. For example, if the current IP address was a publicly registered
      address, click the ARIN link to view the registration information for
      that address.

Assets
    View the asset lists containing the asset. For more information, see
    Assets.

To view host details from the Host Assets page:

1. Log in to Tenable Security Center via the user interface.

2. Click Assets > Host Assets.

The Host Assets page appears.

3. Click the row for the host.

The Host Asset Details page appears.

Section Action

Host Information View general information about the host.

l Name — The name of the host.

l System Type — The host's device type, as determined by


plugin 54615.

l Operating System — The operating system running on the


host, if available.

l IP Addresses — The host's IP address, if available.

- 659 -
Section Action

l MAC Addresses — The host's MAC address, if available.

l Host ID — The ID of the host.

l Repository — The repository that contains vulnerability data


associated with the host.

Asset Exposure (Requires Tenable Security Center+ license) View the host's AES. For
Score more information, see Asset Exposure Score in the Tenable
Vulnerability Management User Guide.

Asset Criticality (Requires Tenable Security Center+ license) View the host's ACR and
Rating details about modifications to the ACR.

l Overwrite Reasoning — The justification for overwriting the host's ACR.

l Notes — Notes associated with overwriting the host's ACR.

l Overwritten By — The user that overwrote the host's ACR.

l ACR By Key Drivers — The key drivers used to calculate the host's ACR.

For more information, see Asset Criticality Rating and ACR Key
Drivers in the Tenable Vulnerability Management User Guide.

To edit the host's ACR, see Edit an ACR Manually.

OT Properties View the Tenable OT Security properties for the host. This section
appears only for hosts discovered by Tenable OT Security scans.

l Additional Names - Any additional names for the asset in the network.

l Additional IP Addresses - Any additional IP addresses for the asset.

l Segment - The network segment that the IP address(es) of this asset are assigned to.

l Slot - For assets that are on backplanes, shows the number of the slot to which the asset is attached.

l Family - The family name of the product as defined by the asset vendor.

l State - The device state:

l Backup – the controller is running as a backup to a primary controller.

l Fault – the controller is in fault mode.

l NoConfig – no configuration has been set for the controller.

l Running – the controller is running.

l Stopped – the controller is not running.

l Unknown – the state is unknown.

l Category - The type of asset identified by Tenable OT Security. For more information about categories, see Asset Types in the Tenable OT Security user guide.

l Purdue - The Purdue level of the asset:

l 0 - Physical process

l 1 - Intelligent devices

l 2 - Control systems

l 3 - Manufacturing operations systems

l 4 - Business logistics systems

l Last Update - The date and time that the asset was last updated.

l Risk Score - A measure of the degree of risk related to this asset on a scale from 0 (no risk) to 100 (extremely high risk). For an explanation of how the Risk score is calculated, see Risk Assessment in the Tenable OT Security user guide.

l Description - A brief description of the asset, as configured by the user in the Tenable OT Security asset details. For more information, see Inventory in the Tenable OT Security user guide.

l Back Plane - The backplane unit that the asset is connected to.

l System Type - A brief description of the asset, as configured by the user in the OT Security asset details.

l Model - The model name of the asset.

l Firmware - The firmware version currently installed on the asset.

l Location - The location of the asset as input by the user in the Tenable OT Security asset details.

l Vendor - The asset vendor.

l Criticality - A measure of the importance of this asset to the proper functioning of the system. A value is assigned automatically to each asset based on the asset type. You can manually adjust the value.

Scan Information View scan information related to the host.

l First Seen — The date and time Tenable Security Center first detected the host on your network.

l Last Seen — The date and time Tenable Security Center last detected the host on your network.

l Source — The type of scan that discovered the host on your network: Tenable Nessus Scan, Tenable Nessus Network Monitor, Log Correlation Engine, Agent Scan, or Tenable OT Security Scan.

Findings tab

l View the vulnerabilities detected on the host. For more information, see CVSS vs. VPR.

l Customize the table, as described in Interact with a Customizable Table.

Installed Software tab View the software packages installed on the host, if available. Customize the table, as described in Interact with a Customizable Table.

View Plugin Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into analysis views to view details for a specific instance of a vulnerability found on
your network.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely
by plugin ID, port, and protocol.

To view plugin details:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the drop-down box, click Vulnerability Summary.

The Vulnerability Summary tool appears.

4. To customize the table, see Interact with a Customizable Table.

5. In the Plugin ID column, click the plugin ID to view plugin details for a specific plugin.

The Plugin Details panel appears.

In this panel, you can:

Section Actions

Description View information about the plugin, vulnerability instance, and affected assets.

Solution View the Tenable-recommended action to remediate the vulnerability.

Vulnerability Priority Rating (VPR) Key Drivers View the key drivers Tenable used to calculate the vulnerability VPR. For more information, see CVSS vs. VPR.

CVE and BID View related links to the CVE and BID materials about the
vulnerability.

Cross-References View related documentation for the vulnerability.

See Also View related links about the plugin or vulnerability.

Export Vulnerability Data

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export data from the Vulnerabilities page as a .csv or a .pdf file.

To export data from the Vulnerabilities page:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the Export drop-down box, click Export > Export as CSV or Export as PDF.

Note: If the record count (rows displayed) of any CSV export is greater than 1,000, Tenable Security
Center prompts you for the name of the CSV report you want to generate. After generation, you can
download the report from the Report Results page.

4. Select or clear the check boxes to indicate which columns you want to appear in the exported
file.

5. Click Submit.

Tenable Security Center exports the vulnerability data.

Web App Scanning Analysis


Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

The Web App Scanning page displays vulnerabilities discovered by web app scans.

Web application scanning in Tenable Security Center allows you to scan and address web
application vulnerabilities that traditional scanners cannot scan. For more information about web
app scanning, see Web App Scans.

For more information about the Web App Scanning analysis page, see:

Web App Scanning Analysis Tools

Web App Scanning Analysis Filter Components

View Web App Scanning Vulnerability Details

Export Web App Scanning Data

Web App Scanning Analysis Tools

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

On the Web App Scanning page, you can use the drop-down box to select the web app scanning
analysis tool you want to view.

Analysis Tool Description

Asset Summary Summarizes the scores and counts of web app vulnerabilities for all
dynamic or static asset lists.

A breakdown of each asset’s specific web app vulnerabilities and counts for each severity level is also included.

You can click a count to view the IP Summary tool, filtered by the asset
list you selected.

CCE Summary Displays a summary of hosts which have Common Configuration Enumeration (CCE) vulnerabilities.

You can click a count to view the Vulnerability Summary tool, filtered by
the CCE vulnerability you selected.

Class A Summary, Class B Summary, Class C Summary Summarizes host information. The vulnerability score for an address is computed by adding up the number of vulnerabilities at each severity level and multiplying it with the organization’s severity score.

Starting out with a Class A or Class B summary can identify more active
network ranges for networks with a large number of active IP addresses.

You can click a Class A or Class B row to view the Class B or Class C tool,
filtered by the asset list you selected. You can click a Class C row to view
the IP Summary tool, filtered by the asset list you selected.

CVE Summary Displays web app vulnerabilities grouped by CVE ID, severity, and
vulnerability count.

DNS Name Tenable Security Center includes the ability to summarize information by
Summary vulnerable DNS name. The DNS Name Summary displays the matching
hostnames, the repository, vulnerability count, and a breakdown of the
individual severity counts.

You can click a DNS name to view the Vulnerability List tool, filtered by the DNS name you selected.

IAVM Summary Displays web app vulnerabilities grouped by IAVM ID, severity, and
vulnerability count.

IP Summary Summarizes host information, organized by IP address/agent ID. You can click the IP Address to view host details, as described in View Host Details.

For more information, see View Vulnerabilities by Host.

List OS Tenable Security Center understands both actively and passively fingerprinted operating systems. This tool displays a list of discovered operating systems, including the method of discovery (for example, active, passive, or event).

You can click a count to view the IP Summary tool, filtered by operating
system.

Plugin Family Charts the Nessus, Tenable Nessus Network Monitor, or Event plugin
Summary family as well as their relative counts based on severity level for all
matching vulnerabilities.

You can click a count to view the Vulnerability List tool, filtered by the
plugin family you selected.

Port Summary Summarizes the ports in use for all matched vulnerabilities. Each port
displays a count of vulnerabilities and a breakdown for each severity level.

You can click a port to view the IP Summary tool, filtered by the port you
selected.

Severity Displays the total number of info, low, medium, high, and critical
Summary vulnerabilities.

You can click a count to view the Vulnerability Summary tool, filtered by
the severity you selected.

User Responsibility Summary Displays a list of the users who are assigned responsibility for the vulnerability based on the user’s assigned asset list. Multiple users with the same responsibility are displayed on the same line. Users without any assigned responsibilities are not displayed in the list. Tenable Security Center populates this list after you assign an asset to a user account.

Vulnerability Summary Displays a table of all plugins associated with vulnerabilities on your network, organized by plugin ID.

For more information, see View Vulnerabilities by Plugin.

Web App Displays a list of all web apps associated with vulnerabilities on your
URL Summary network, organized by URL.

Web App Vuln Displays details for each web app vulnerability. For more information, see
Detail List View Web App Scanning Vulnerability Details.

Web App Vuln Displays a list of all web app vulnerabilities discovered on your network,
List organized by plugin ID.
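
The Class A, B, and C summaries above describe a score for each address: the count of vulnerabilities at each severity level multiplied by the organization's severity score, rolled up by network block. The following Python script is an added example, not Tenable Security Center code, that performs that roll-up over constructed findings. The weights in SEVERITY_SCORE are placeholder values standing in for an organization's own severity settings, and the addresses and severities are constructed sample data.

```python
"""Roll up per-address vulnerability scores into Class A/B/C summaries.

Added example (not Tenable Security Center code). The severity weights and
the findings below are constructed placeholders, not Tenable defaults.
"""
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed severity weights: an organization's own severity scores.
SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 3, "high": 10, "critical": 40}

# Constructed findings as (address, severity); repeated addresses stand for
# several vulnerabilities on the same host.
FINDINGS = [
    ("10.1.2.3", "critical"), ("10.1.2.3", "high"), ("10.1.2.9", "medium"),
    ("10.1.7.4", "low"), ("10.2.0.1", "high"), ("192.0.2.5", "info"),
]


def address_score(severities):
    """Sum over severity levels of (count at that level * severity score)."""
    counts = defaultdict(int)
    for sev in severities:
        counts[sev] += 1
    return sum(n * SEVERITY_SCORE[sev] for sev, n in counts.items())


def class_prefix(ip, cls):
    """Return the Class A (/8), B (/16) or C (/24) block containing an IPv4 address."""
    octets = str(IPv4Address(ip)).split(".")
    keep = {"A": 1, "B": 2, "C": 3}[cls]
    return ".".join(octets[:keep] + ["0"] * (4 - keep)) + f"/{8 * keep}"


def class_summary(findings, cls):
    """Map each Class A/B/C block to its host count, total score and severity counts."""
    per_host = defaultdict(list)
    for ip, sev in findings:
        per_host[ip].append(sev)

    summary = {}
    for ip, sevs in per_host.items():
        block = summary.setdefault(
            class_prefix(ip, cls), {"hosts": 0, "score": 0, "counts": defaultdict(int)}
        )
        block["hosts"] += 1
        block["score"] += address_score(sevs)
        for sev in sevs:
            block["counts"][sev] += 1
    return summary


if __name__ == "__main__":
    # Start wide (Class A) to spot the busiest ranges, then narrow down.
    for cls in ("A", "B", "C"):
        for block, row in sorted(class_summary(FINDINGS, cls).items()):
            print(cls, block, row["hosts"], "hosts", "score", row["score"], dict(row["counts"]))
```

Running the script mirrors the drill-down the guide describes: the Class A view shows which /8 holds the most hosts and score, and the Class B and C views narrow that block down to the /16 and /24 ranges behind it.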

Web App Scanning Analysis Filter Components

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Filters limit the results of the displayed web app vulnerability data and can be added, modified, or
reset as desired. For more information, see Filters.

Filter Component Description

Asset Criticality Rating (ACR) (Requires Tenable Security Center+ license) Filters for vulnerabilities on hosts within the specified ACR range, between 0 and 10.

For more information, see Asset Criticality Rating in the Tenable Vulnerability Management User Guide.

Tip: To edit the ACR for an asset, see Edit an ACR Manually.

Asset Exposure Score (AES) (Requires Tenable Security Center+ license) Filters for hosts within the specified AES range, between 0 and 1000.

For more information, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

AES Severity (Requires Tenable Security Center+ license) Filters for hosts with the specified AES severity.

For more information, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

Accept Risk Displays web app vulnerabilities based on their Accepted Risk workflow
status. Available choices include Accepted Risk or Non-Accepted Risk.
Choosing both options displays all vulnerabilities regardless of acceptance
status.

Address This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit
the viewed vulnerabilities. For example, entering 198.51.100.28/24 and/or
2001:DB8::/32 limits any of the web tools to show vulnerability data from
the specified networks. You can enter addresses in a comma-separated list
or on separate lines.

Agent ID Displays results matching the specified agent UUID (Tenable UUID). An
agent UUID uniquely identifies:

l Agent-detected assets that may share a common IP address.

l OT Security assets that may not have an IP address. For more information, see OT Security Instances.

Application CPE Allows a text string search to match against available CPEs. The filter may
be set to search based on a contains, Exact Match, or Regex Filter filter.
The Regex Filter is based on Perl-compatible regular expressions (PCRE).

Asset This filter displays systems from the assets you select. If more than one asset contains the systems from the primary asset (i.e., there is an intersect between the asset lists), those assets are displayed as well.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the
view.

Audit File Filters vulnerabilities by plugin IDs associated with the audit file used to
perform a scan.

CCE ID Displays results matching the entered CCE ID.

CVE ID Displays vulnerabilities based on one or more CVE IDs. Type multiple IDs as
a comma-separated list (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-
3267).

CVSS v2 Score Displays vulnerabilities within the chosen Common Vulnerability Scoring
System version 2 (CVSS v2) score range.

CVSS v2 Vector Filters results based on a search against the CVSS v2 vector information.

CVSS v3 Score Displays vulnerabilities within the chosen Common Vulnerability Scoring
System version 3 (CVSS v3) score range.

CVSS v3 Vector Filters results based on a search against the CVSS v3 vector information.

Cross Filters results based on a search against the cross reference information in
References a vulnerability.

DNS Name This filter specifies a DNS name to limit the viewed vulnerabilities. For
example, entering host.example.com limits any of the web tools to only
show vulnerability data from that DNS name.

Data Format Displays results matching the specified data type: IPv4, IPv6, or Agent.

Exploit If set to yes, displays only vulnerabilities for which a known public exploit
Available exists.

Exploit Frameworks When set, the text option can be equal to or contain the text entered in the option.

Host ID Displays the host ID of the discovered asset.

IAVM ID Displays vulnerabilities based on one or more IAVM IDs. Type multiple IDs as a comma-separated list (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

Input Name If the asset is vulnerable to injection attacks, this displays the name of the
asset component where an attacker could inject malicious code.

Input Type If the asset is vulnerable to injection attacks, this displays the component
of the asset where an attacker could inject malicious code (for example, a
form or session cookie).

MS Bulletin ID Displays vulnerabilities based on one or more Microsoft Bulletin IDs. Type
multiple IDs as a comma-separated list (e.g., MS10-012,MS10-054,MS11-020).

Mitigated Displays vulnerabilities for a specific mitigation status:

l Previously Mitigated — the vulnerability was previously mitigated but it reappeared in a scan and is currently vulnerable

l Never Mitigated — the vulnerability is currently vulnerable and has never been mitigated

For more information about mitigation, see Mitigated Vulnerabilities.

NetBIOS Name Displays vulnerabilities that match the specified NetBIOS name.

In the drop-down, select Exact Match, Contains, or Regex Match. Regex Match is based on Perl-compatible regular expressions (PCRE).

Note: This filter searches for exact matches only. Type the NetBIOS name as
workgroup \ NetBIOS name.

Operating The operating system that a scan identified as installed on the asset.
System

Patch Published Some plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a vulnerability's patch became available:

l None (displays vulnerabilities that do not have a patch available)

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin Family This filter chooses a Nessus or Tenable Nessus Network Monitor plugin
family. Only vulnerabilities from that family display.

Plugin ID Type the plugin ID desired or range based on a plugin ID. Available
operators are equal to (=), not equal to (!=), greater than or equal (>=) and
less than or equal to (<=).

Plugin Modified Tenable plugins contain information about when a plugin was last modified.
This filter allows users to search based on when a particular plugin was
modified:


l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin Name Using the Contains option, type all or a portion of the actual plugin name.
For example, entering MS08-067 in the plugin name filter displays
vulnerabilities using the plugin named MS08-067: Microsoft Windows
Server Service Crafted RPC Request Handling Remote Code Execution
(958644) (uncredentialed check). Similarly, entering the string
uncredentialed displays a list of vulnerabilities with that string in the plugin
name.

Use the Regex Match option to filter plugin names based on Perl-
compatible regular expressions (PCRE).

Plugin Tenable plugins contain information about when a plugin was first
Published published. This filter allows users to search based on when a particular
plugin was created:


l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Plugin Type Select whether to view all plugin types or passive, active, event, or
compliance vulnerabilities.

Port This filter is in two parts. First the equality operator is specified to allow
matching vulnerabilities with the same ports, different ports, all ports less
than or all ports greater than the port filter. The port filter allows a comma
separated list of ports. For the larger than or less than filters, only one
port may be used.

Note: All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol This filter provides boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Recast Risk Displays vulnerabilities based on their Recast Risk workflow status.

Available choices include Recast Risk or Non-Recast Risk. Choosing both options displays all vulnerabilities regardless of recast risk status.

Repositories Displays vulnerabilities from the chosen repositories.

STIG Severity Displays vulnerabilities with the chosen STIG severity in the plugins
database.

Scan Policy Plugins Displays vulnerabilities found by the currently enabled plugins in the scan policy. The Plugins tab specifies which plugins are used during the policy’s Tenable Nessus scan. You can enable or disable plugins in the plugin family view or in the plugin view for more granular control.

Security End of Life Date When available, Tenable plugins contain information about software end of life dates. This filter allows users to search based on when a particular software is end of life:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year


l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Severity Displays vulnerabilities with the selected severity. For more information,
see CVSS vs. VPR.

Users Allows selection of one or more users who are responsible for the
vulnerabilities.

Vulnerability Discovered Tenable Security Center tracks when each vulnerability was first discovered. This filter allows you to see when vulnerabilities were discovered:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)

l Explicit (at a specific time you specify)

Note: The discovery date is based on when the vulnerability was first imported into Tenable Security Center. For Tenable Nessus Network Monitor, this date does not match the exact vulnerability discovery time as there is normally a lag between the time that Tenable Nessus Network Monitor discovers a vulnerability and the import occurs.

Note: Days are calculated based on 24-hour periods prior to the current time,
not calendar days. For example, if the report run time was 1/8/2019 at 1:00 PM,
using a 3-day count would include vulnerabilities starting 1/5/2019 at 1:00 PM
and not from 12:00 AM.

Vulnerability ID The ID for the vulnerability. The authority that identifies a given
vulnerability determines the vulnerability's ID format.

Vulnerability Last Observed This filter allows the user to see when the vulnerability was last observed by Tenable Nessus, Tenable Log Correlation Engine, or Tenable Nessus Network Monitor:

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)


l Explicit (at a specific time you specify)

Note: The observation date is based on when the vulnerability was most
recently imported into Tenable Security Center. For Tenable Nessus Network
Monitor, this date does not match the exact vulnerability discovery as there is
normally a lag between the time that Tenable Nessus Network Monitor
discovers a vulnerability and the import occurs.

Vulnerability Priority Rating (VPR) Displays vulnerabilities within the chosen VPR range. For more information, see CVSS vs. VPR.

Vulnerability Published When available, Tenable plugins contain information about when a vulnerability was published. This filter allows users to search based on when a particular vulnerability was published:

l All

l Within the last day

l Within the last 7 days

l Within the last 30 days

l More than 7 days ago

l More than 30 days ago

l Current Month

l Last Month

l Current Quarter (during the current calendar year quarter)

l Last Quarter (during the previous calendar year quarter)

l Current Year

l Last Year

l Custom Range (during a specific range you specify)


l Explicit (at a specific time you specify)

Vulnerability Text Displays vulnerabilities containing the entered text (e.g., php 5.3) or regex search term.

Web App URL The URL for the discovered web application associated with the
vulnerability. Separate multiple URLs with single quotations and commas.
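
Several filter components in the table above have semantics worth seeing applied to data: Address accepts a comma-separated or line-separated list of IPv4 or IPv6 addresses, ranges, or CIDR blocks; Plugin ID accepts the =, !=, >=, and <= operators; and the relative date windows on Vulnerability Discovered count 24-hour periods back from the run time rather than calendar days (the note's example: a run at 1/8/2019 1:00 PM with a 3-day count starts at 1/5/2019 1:00 PM). The following Python script is an added example, not Tenable Security Center code, that applies those three filters to constructed findings. The field names, plugin IDs, addresses, and timestamps are constructed, and the lo-hi form used for an address range is an assumption of this example, since the guide does not spell out the range syntax.

```python
"""Apply the Address, Plugin ID and Vulnerability Discovered filters locally.

Added example, not Tenable Security Center code. The findings, the
reference time and the plugin IDs below are constructed sample data.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed reference time: the note's example run time, 1/8/2019 at 1:00 PM.
NOW = datetime(2019, 1, 8, 13, 0)

# Constructed vulnerability instances (plugin IDs are placeholders).
FINDINGS = [
    {"plugin": 19506, "port": 0, "ip": "198.51.100.40", "discovered": datetime(2019, 1, 7, 9, 0)},
    {"plugin": 98000, "port": 443, "ip": "198.51.100.77", "discovered": datetime(2019, 1, 5, 12, 0)},
    {"plugin": 98000, "port": 80, "ip": "2001:db8::10", "discovered": datetime(2019, 1, 5, 14, 0)},
    {"plugin": 112000, "port": 8080, "ip": "203.0.113.9", "discovered": datetime(2018, 12, 1, 0, 0)},
]


def parse_address_filter(text):
    """Parse Address filter text: addresses, ranges or CIDR blocks separated by
    commas or newlines. The 'lo-hi' range syntax is an assumption of this example."""
    matchers = []
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            net = ip_network(item, strict=False)       # CIDR block, host bits allowed
            matchers.append(lambda a, n=net: a in n)    # False when IP versions differ
        elif "-" in item:
            lo, hi = (ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {item}")
            matchers.append(lambda a, lo=lo, hi=hi: a.version == lo.version and lo <= a <= hi)
        else:
            single = ip_address(item)
            matchers.append(lambda a, s=single: a == s)
    return matchers


def address_matches(ip_text, matchers):
    """True when the address satisfies any entry of the Address filter."""
    addr = ip_address(ip_text)
    return any(m(addr) for m in matchers)


# Plugin ID operators listed by the guide: =, !=, >=, <=.
PLUGIN_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def within_last_days(discovered, days, now=NOW):
    """'Within the last N days' counts 24-hour periods back from now, not calendar days."""
    return now - timedelta(days=days) <= discovered <= now


def apply_filters(findings, address=None, plugin=None, last_days=None, now=NOW):
    """Return the findings that satisfy every supplied filter (filters AND together).

    address:   Address filter text, e.g. "198.51.100.0/24, 2001:DB8::/32"
    plugin:    (operator, plugin_id) tuple, e.g. (">=", 98000)
    last_days: N for "Within the last N days" on Vulnerability Discovered
    """
    matchers = parse_address_filter(address) if address else None
    kept = []
    for f in findings:
        if matchers is not None and not address_matches(f["ip"], matchers):
            continue
        if plugin is not None and not PLUGIN_OPS[plugin[0]](f["plugin"], plugin[1]):
            continue
        if last_days is not None and not within_last_days(f["discovered"], last_days, now):
            continue
        kept.append(f)
    return kept


if __name__ == "__main__":
    # The 3-day window starts 1/5/2019 1:00 PM, so the 12:00 PM finding is excluded.
    for f in apply_filters(FINDINGS, address="198.51.100.0/24, 2001:DB8::/32", last_days=3):
        print(f["ip"], f["plugin"], f["discovered"])
```

The finding discovered at 1/5/2019 12:00 PM falls outside the 3-day window while the one at 2:00 PM the same day is inside, which is exactly the distinction the note on Vulnerability Discovered draws between 24-hour periods and calendar days.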

View Web App Scanning Vulnerability Details

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can drill into web app scanning vulnerabilities to view details for each vulnerability instance
found on your network.

Tip: A vulnerability instance is a single instance of a web app vulnerability appearing on an asset, identified
uniquely by plugin ID, port, protocol, URL, input type, input name, and HTTP method.
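
The identity of a vulnerability instance matters whenever results are counted outside the product, for example after a CSV export: a network instance is identified by plugin ID, port, and protocol, while a web app scanning instance adds URL, input type, input name, and HTTP method, so the same plugin at one URL can legitimately appear once per injection point. The following Python script is an added example, not Tenable Security Center code, that de-duplicates constructed rows under both identity rules; the column names, plugin ID, and rows are constructed and do not reflect a real export format.

```python
"""Count unique vulnerability instances using the guide's identity rules.

Added example, not Tenable Security Center code. Column names, the plugin
ID and the rows below are constructed sample data.
"""
from collections import Counter

# Identity of a network vulnerability instance, and of a web app instance.
NETWORK_KEY = ("plugin_id", "port", "protocol")
WEBAPP_KEY = NETWORK_KEY + ("url", "input_type", "input_name", "http_method")

# Constructed rows: one placeholder plugin on the same login page with two
# injection points, the first of them repeated by a second scan, plus the same
# plugin found again on the plain-HTTP listener.
ROWS = [
    {"plugin_id": 900001, "port": 443, "protocol": "tcp", "url": "https://app.example.test/login",
     "input_type": "form", "input_name": "user", "http_method": "POST"},
    {"plugin_id": 900001, "port": 443, "protocol": "tcp", "url": "https://app.example.test/login",
     "input_type": "form", "input_name": "pass", "http_method": "POST"},
    {"plugin_id": 900001, "port": 443, "protocol": "tcp", "url": "https://app.example.test/login",
     "input_type": "form", "input_name": "user", "http_method": "POST"},  # repeat, second scan
    {"plugin_id": 900001, "port": 80, "protocol": "tcp", "url": "http://app.example.test/login",
     "input_type": "form", "input_name": "user", "http_method": "POST"},
]


def instance_key(row, key_fields=WEBAPP_KEY):
    """The tuple that identifies one vulnerability instance."""
    return tuple(row.get(field) for field in key_fields)


def unique_instances(rows, key_fields=WEBAPP_KEY):
    """Drop repeated rows, keeping the first row seen for each instance."""
    seen = {}
    for row in rows:
        seen.setdefault(instance_key(row, key_fields), row)
    return list(seen.values())


def instances_per_plugin(rows, key_fields=WEBAPP_KEY):
    """Distinct instances per plugin ID, the count a summary tool would show."""
    return Counter(row["plugin_id"] for row in unique_instances(rows, key_fields))


if __name__ == "__main__":
    print("network identity:", instances_per_plugin(ROWS, NETWORK_KEY))
    print("web app identity:", instances_per_plugin(ROWS, WEBAPP_KEY))
```

Under the network identity the four rows collapse to two instances (one per port); under the web app identity they are three, because the user and pass inputs on the HTTPS login page are distinct instances and only the repeated scan of the user input is dropped.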

To view web app scanning vulnerability instance details:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Web App Scanning.

The Web App Scanning page appears.

3. In the drop-down box, click Web App Vuln Detail List.

The Web App Vuln Detail List tool appears.

In this tool, you can:

Section Actions

Options menu

l Export data as a .csv or a .pdf file, as described in Export Web App Scanning Data.

l Set this view as your default view.

l Switch between viewing cumulative vulnerabilities or mitigated vulnerabilities, as described in View Cumulative or Mitigated Vulnerabilities.

l Save an asset.

l Open a ticket, as described in Open a Ticket.

l Save a query, as described in Add or Save a Query.

arrows Click the arrows to view other vulnerability instances related to the
plugin.

toolbar

l Create an accept risk rule, as described in Add an Accept Risk Rule.

l Create a recast risk rule, as described in Add a Recast Risk Rule.

Synopsis and View information about the plugin, vulnerability instance, and
Description affected assets.

See Also View related links about the plugin or vulnerability.

Affected Host View details about the affected host asset, as well as the plugin
Asset output.

Discovery View details about when the vulnerability was first discovered and
last observed on your network.

Asset Criticality Rating View the ACR value for the vulnerability. For more information about ACR values, see Asset Criticality Rating in the Tenable Vulnerability Management User Guide.

Asset Exposure Score View the AES value for the vulnerability. For more information about AES values, see Asset Exposure Score in the Tenable Vulnerability Management User Guide.

Risk Information View metrics (e.g., CVSS score, VPR, etc.) about the risk associated
with the vulnerability.

Exploit Information View details about the exploit.

Plugin Details View details about the plugin.

Attachments View related attachments for the vulnerability, including the HTTP request and response.

Export Web App Scanning Data

Required Additional License: Tenable Web App Scanning

Required Tenable Nessus Version: 10.6.1 or later

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export data from the Web App Scanning page as a .csv or a .pdf file.

To export data from the Web App Scanning page:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Web App Scanning.

The Web App Scanning page appears.

3. In the Export drop-down box, click Export > Export as CSV or Export as PDF.

Note: If the record count (rows displayed) of any CSV export is greater than 1,000, Tenable Security
Center prompts you for the name of the CSV report you want to generate. After generation, you can
download the report from the Report Results page.

4. Select or clear the check boxes to indicate which columns you want to appear in the exported
file.

5. Click Submit.

Tenable Security Center exports the web app scanning data.

Event Analysis
The Events display page contains an aggregation of security events from Tenable Log Correlation
Engine. Events can be viewed in a list format with options similar to the Vulnerability interface.

Raw Syslog Events


Tenable Security Center’s event filters include a Syslog Text option to narrow down the scope of a set of events, and support the use of keyword searches for active filters.

Active vs. Archived


In the upper-right corner, click Active or Archived to switch between the active and archived data.
This selection determines whether the displayed events are pulled from the active or an archived
event database. The Active view is the default that displays all currently active events. The Archived
view prompts for the selection of the Log Correlation Engine and an Archive Silo from which the
event data is displayed. In the example below, the Log Correlation Engine and Silo date range are
displayed to help the user choose the correct archive data for analysis.

Analysis Tools
A wide variety of analysis tools are available for comprehensive event analysis.

When viewing the analysis tool results, clicking on a result generally takes you to the next level of detail for the analysis. For instance, from the Type Summary page, clicking on a type displays the Normalized Event Summary. Clicking on an event in that list displays the List of Events page featuring that event. Along each progression, a new drop-down menu appears, allowing you to either pivot to another analysis tool based on the current view or return to the previous view.

Additionally, most results have a gear icon next to them. This icon provides summaries around that item’s result, normally based on time restrictions, or a view of the vulnerability summary for the affected host.

For more information, see Event Analysis Tools.

Load Query

The Load Query option enables users to load a predefined query and display the current dataset
against that query. Click on Load Query in the filters list to display a box with all available queries.
The query names are displayed in alphabetical order. After clicking on an individual query, the
vulnerability view is changed to match the query view for the current dataset.

Event Analysis Filters


For more information, see Event Analysis Filter Components.

Event Analysis Actions


You can use the Options drop-down menu to perform the following event analysis actions.

Save Query
You can save the current view as a query for reuse. For more information about queries, see
Queries.

Save Asset
Event results can be saved to an asset list for later use. For more information, see Assets.

Save Watchlist
Event results can be saved to a watchlist asset list for later use. For more information, see Assets.

Open Ticket
Tickets are used within Tenable Security Center to assist with the assessment and remediation of
vulnerabilities and security events. For more information, see Open a Ticket.

View Settings
When available, this setting controls the columns displayed in your view.

Switch to Archived / Switch Archive / Switch to Active


The Switch to Archived item is displayed when viewing active event data and when selected will
present a dialog to choose the archived event data to display by Tenable Log Correlation Engine and
date range.

The Switch Archive menu item is displayed when viewing archived event data. Selecting this option
displays the same menu and selections as above to select a different archive silo for viewing.

The Switch to Active menu item is displayed when viewing archived data and when selected,
changes the view to active event data for analysis.

Export as CSV
Event results can be exported to a comma-separated file for detailed analysis outside of Tenable
Security Center by clicking on the Options drop-down menu and then the Export as CSV option.
When selected, a window opens with an option to choose the columns to be included in the CSV
file.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is
displayed that prompts for the name of the CSV report to be generated. When complete, the report
can be downloaded from the Report Results page. For CSV exports of under 1,000 records, the
browser’s standard Save As dialog window is displayed.

Once the appropriate selections are made, click the Submit button to create the CSV file or Cancel
to abort the process.

Event Analysis Tools


A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the drop-
down menu indicating the current view (Type Summary by default) displays a list of analysis tools to
choose from.

When viewing the analysis tool results, clicking on a result will generally take you to the next level
of detail for the analysis. For instance, from the Type Summary page, clicking on a type will display
the Normalized Event Summary. Clicking on an event in that list will display the List of Events page
featuring that event. Along each progression a new drop-down menu will appear, allowing you either
to pivot to another analysis tool based on the current view or to return to the previous view.

Additionally, most results have a gear icon next to them. This icon provides summaries around that
item’s result, normally based on time restrictions, or a view of the vulnerability summary for the
affected host.

Asset Summary
This tool can be used to see how certain types of activity, remote attackers, or non-compliant events have occurred across different asset groups.

Clicking on the Total count for the listed asset displays a Type Summary analysis tool.

Connection Summary
This tool lists connections made between two different hosts by source and destination IP address and the counts of connections between them.

Clicking on a host will display the Type Summary analysis tool.

Date Summary
When analyzing large amounts of data, it is often useful to get a quick summary of how the data set manifests itself across several dates.

For example, when analyzing a suspected attacker’s IP address, creating a filter for that IP address and looking at the type of events is simple enough. However, displaying that same data over the last few days or weeks can paint a much more interesting picture of a potential attacker’s activity.

Selecting a date will display the Type Summary analysis tool.

Destination IP Summary
This tool displays events listed by the destination IP address recorded. The table lists the Tenable Log Correlation Engine it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP address displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Detailed Event Summary
This tool displays a summary of the various events based on their full event name and count. Clicking on an event displays the List of Events analysis tool.

Event Trend
This analysis tool displays an event trend area graph with total events over the last 24 hours. Modify the filters for this graph to display the desired event trend view.

IP Summary, Class A Summary, Class B Summary, Class C Summary
Tenable Security Center provides the ability to quickly summarize matching IP addresses by single IP address, Class A, Class B, and Class C addresses. The IP Summary tool displays the associated Tenable Log Correlation Engine server along with the IP address of the reporting system and the event count for that system.

Clicking on an IP address displays a Host Detail window for that IP address. Clicking the information icon next to the IP address displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerability severity counts. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the ARIN link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by an administrative user (via the Manage IP Address Information Links selection under the Customization tab), they will be displayed here.

The Sum by Class A, B, and C tools work by displaying matching addresses. Clicking on the number displayed in the Total column will display the Type Summary for that IP address range.

List of Events
This tool displays a line of data for each matching event. The line includes many pieces of information such as time, event name, number of correlated vulnerabilities, involved IP addresses, and sensor.

Normalized Event Summary
This tool summarizes a listing of all normalized events and their count for the chosen time period. Normalized events are lower-level events that have been assigned a Tenable name based on the Tenable Log Correlation Engine scripts’ parsing of the log records (e.g., Snort-HTTP_Inspect).

Clicking on the event name displays the List of Events analysis tool.

Port Summary
A port summary can be invoked. This tool produces a table of the top used ports and combines counts for source and destination ports into one overall count.

Clicking on the port will display a Type Summary of events filtered for that port.

Note: Port 0 events are host-based events that are not specific to any particular TCP/UDP port.

Protocol Summary
This tool summarizes counts of events based on IP protocols.

Clicking on the event total displays a Type Summary view of events filtered by the selected protocol.

Raw Syslog Events
Users can choose to view the original log message or IDS event for full forensic analysis.

It is recommended that users attempt some sort of filtering match first before attempting to find their desired event. Users will typically sort their results and drill into the list until they find what they are looking for before attempting to view the raw data.

Sensor Summary
This tool displays the unique event counts for any query from unique sensor types.

When a sensor is clicked on, the Type Summary analysis tool is displayed for events from the selected sensor.

Source IP Summary
This tool displays events listed by the source IP address recorded. The table lists the Tenable Log Correlation Engine it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP address displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Type Summary
This tool displays the matching unique event types and the number of corresponding events for each.

The unique event types are based on normalized logs or events such as firewall, system, correlated, network, and IDS. These types are high-level types used to describe event types (e.g., login or lce).

Clicking on any of the event counts displays the Normalized Event Summary for the type.

User Summary
This tool displays the matching unique event types and the number of corresponding events for each user when user tracking is enabled in Tenable Log Correlation Engine.

The unique event types are based on normalized logs such as firewall, system, correlated, network, and IDS.

Clicking on any of the event counts under the Total column will display the Type Summary analysis tool.
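As an added illustration (not Tenable's code), the following Python re-creates several of these roll-ups over a handful of constructed normalized event records, so the relationship between the Type, Normalized Event, IP (per address and by Class A/B/C), Port, Connection and Sensor summaries and the List of Events drill-down can be inspected offline. The Event fields and sample values are assumptions, not Log Correlation Engine output.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Event:
    """One normalized event (constructed; field names are assumptions)."""
    time: str
    type: str        # high-level type, e.g. login, lce, intrusion
    normalized: str  # normalized event name, e.g. Snort-HTTP_Inspect
    src_ip: str      # reporting/source host
    dst_ip: str
    src_port: int
    dst_port: int
    sensor: str


# Constructed sample data using RFC 5737 documentation addresses.
EVENTS = [
    Event("2024-06-24T10:00:01", "intrusion", "Snort-HTTP_Inspect",
          "203.0.113.7", "198.51.100.10", 51000, 80, "snort-1"),
    Event("2024-06-24T10:00:05", "intrusion", "Snort-HTTP_Inspect",
          "203.0.113.7", "198.51.100.11", 51001, 80, "snort-1"),
    Event("2024-06-24T10:01:00", "login", "SSH-Login_Failure",
          "203.0.113.9", "198.51.100.10", 40000, 22, "lce-syslog"),
    Event("2024-06-24T10:02:00", "login", "SSH-Login_Success",
          "198.51.100.50", "198.51.100.10", 40001, 22, "lce-syslog"),
    # Port 0 marks a host-based event not tied to any TCP/UDP port.
    Event("2024-06-24T10:03:00", "lce", "LCE-Client_Heartbeat",
          "198.51.100.10", "198.51.100.10", 0, 0, "lce-client"),
]


def type_summary(events):
    """Type Summary: each unique high-level type and its event count."""
    return Counter(e.type for e in events)


def normalized_event_summary(events, event_type=None):
    """Normalized Event Summary; pass a type to mirror the drill-down
    from the Type Summary page."""
    return Counter(e.normalized for e in events
                   if event_type is None or e.type == event_type)


def list_of_events(events, normalized):
    """List of Events: the individual records behind one normalized
    name, oldest first (the next drill-down level)."""
    return sorted((e for e in events if e.normalized == normalized),
                  key=lambda e: e.time)


def ip_summary(events, prefix_len=32):
    """IP Summary keyed by reporting host. prefix_len 8, 16 or 24 gives
    the Class A, B or C roll-up; 32 is the per-address view."""
    counts = Counter()
    for e in events:
        net = ipaddress.ip_network(f"{e.src_ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def port_summary(events):
    """Port Summary: source and destination ports merged into one count
    per port. A port on both sides of one event is counted once."""
    counts = Counter()
    for e in events:
        for port in {e.src_port, e.dst_port}:
            counts[port] += 1
    return counts


def connection_summary(events):
    """Connection Summary: event counts per (source, destination) pair."""
    return Counter((e.src_ip, e.dst_ip) for e in events)


def sensor_summary(events):
    """Sensor Summary: event counts per reporting sensor."""
    return Counter(e.sensor for e in events)


if __name__ == "__main__":
    print("Type Summary:", dict(type_summary(EVENTS)))
    print("Class C Summary:", dict(ip_summary(EVENTS, 24)))
    print("Top ports:", port_summary(EVENTS).most_common(3))
```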

Event Analysis Filter Components


Filters limit the results of the event data displayed and can be added, modified, or reset as desired.
For more information, see Filters.

The Events page also supports using a filter bar for filtering. To display the filter bar, in the toolbar,
click More > Show Filter Bar.

Note: The filter bar does not display or adjust the timeframe filter.

Address
Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering 198.51.100.64/24 limits any of the web tools to show only the event data from that network. You can enter addresses on separate lines or comma separated.

Asset
Filter the event by the specified asset list.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

Destination Address
Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with destination IPs in that block. Addresses can be comma-separated.

Destination Asset
Filter the destination address of the event data by the specified asset list.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

Destination Port
This filter is in two parts. Specify the type of filter to allow matching events with the same ports (=) or different ports (≠). The port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080).

Detailed Event
This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the Log Correlation Engine.

Direction
Filter by event direction of All by default or select Inbound, Outbound, or Internal.

Log Correlation Engines
Specify one or more Log Correlation Engines to obtain events from by checking the box next to the choices.

Normalized Event
The name given to the event by the Log Correlation Engine after the Log Correlation Engine runs its PRM and TASL scripts against it.

Port
This filter is in two parts. Specify the type of filter to allow matching vulnerabilities with the specified ports (=), excluding ports (≠), ports greater than or equal to (≥), or ports less than or equal to (≤). The specified and excluding port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080).

Note: Tenable Security Center reports all host-based vulnerability checks with a port of 0 (zero).

Protocol
Specify the protocol of the event: TCP, UDP, or ICMP.

Repositories
Specify the Repositories to obtain events from. You can search the repositories using the search filter at the top. You can select multiple repositories from the list.

Sensor
Filter the events by sensor using the equal (=) or not equal (!=) operators.

Source Address
Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with source IPs in that block. Addresses can be comma separated.

Source Asset
Filter the source address of the event data by asset list and select an asset list from those available or the NOT operator to exclude asset lists. After you add each list, the AND or OR operators are available to customize the combining of asset lists.

Source Port
This filter is in two parts. Specify the type of filter to allow matching events with the same ports (=) or different ports (≠). The port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080).

Syslog Text
(Raw Syslog Events Analysis Tool) String to search for within the filtered event.

Targeted IDS Events
This filter box selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host’s vulnerabilities (CVE, etc.) against those tied to the actual IDS event.

Timeframe
Tip: Tenable Security Center always uses this filter. By default, it is set for the last 24 hours, based on the time of the page load.

By default, Tenable Security Center displays an explicit timeframe using the last 24 hours. Specify either an explicit or relative timeframe for the event filter. Choosing explicit allows for selecting dates and times from a calendar and time sliders for the start and end time. Relative timeframes, available from the drop-down box, range using various time periods from the last 15 minutes to the last 12 months and All.

Type
Use this to filter by the event type (for example, error, lce, login, or intrusion).

User
Specify only events tied to a particular username.

Note: Clicking on Clear Filters causes the filters to return to the default settings.
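As an added example (not Tenable's code), the following Python implements the Address, Source/Destination Address and Port filter syntax described above (a single address, a dashed range or a CIDR block, comma- or newline-separated; ports with =, ≠, ≥ or ≤ and a single port, list or range) and applies the components together to constructed event records. The record field names and the ASCII operator spellings it also accepts are assumptions.

```python
import ipaddress

# Constructed sample events (RFC 5737 addresses); field names are assumptions.
EVENTS = [
    {"type": "intrusion", "src": "203.0.113.7", "dst": "198.51.100.10",
     "dst_port": 80, "proto": "TCP"},
    {"type": "intrusion", "src": "203.0.113.7", "dst": "198.51.100.11",
     "dst_port": 8080, "proto": "TCP"},
    {"type": "login", "src": "203.0.113.9", "dst": "198.51.100.10",
     "dst_port": 22, "proto": "TCP"},
    {"type": "login", "src": "198.51.100.50", "dst": "198.51.100.10",
     "dst_port": 22, "proto": "TCP"},
    # Port 0: host-based event not tied to a TCP/UDP port.
    {"type": "network", "src": "192.0.2.15", "dst": "198.51.100.10",
     "dst_port": 0, "proto": "ICMP"},
]

# ASCII spellings accepted alongside the symbols shown in the filter UI.
_PORT_OPS = {"=": "=", "!=": "≠", "≠": "≠", ">=": "≥", "≥": "≥",
             "<=": "≤", "≤": "≤"}


def parse_address_filter(text):
    """Parse an Address filter into (first, last) integer bounds per entry.
    Entries are comma- or newline-separated; each is a single IP, a dashed
    range, or a CIDR block (198.51.100.64/24 means the whole /24)."""
    bounds = []
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            bounds.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad address range: {entry}")
            bounds.append((int(lo), int(hi)))
        else:
            addr = int(ipaddress.ip_address(entry))
            bounds.append((addr, addr))
    return bounds


def address_matches(bounds, ip):
    """True if ip falls inside any parsed entry."""
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in bounds)


def parse_port_spec(spec):
    """Expand '22', '22,80,443' or '8000-8080' into a set of ports."""
    ports = set()
    for raw in spec.split(","):
        lo, _, hi = raw.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {raw}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_port_filter(op, spec):
    """Return a predicate over an integer port for one two-part port filter.
    ≥ and ≤ take a single port; = and ≠ take a port, list or range."""
    if op not in _PORT_OPS:
        raise ValueError(f"unknown port operator: {op}")
    op, ports = _PORT_OPS[op], parse_port_spec(spec)
    if op in ("≥", "≤"):
        if len(ports) != 1:
            raise ValueError("≥ and ≤ take exactly one port")
        (bound,) = ports
        return (lambda p: p >= bound) if op == "≥" else (lambda p: p <= bound)
    return (lambda p: p in ports) if op == "=" else (lambda p: p not in ports)


def filter_events(events, address=None, source_address=None,
                  destination_address=None, dst_port=None, protocol=None,
                  event_type=None):
    """Apply the given filter components together (all must match).
    address matches either side; dst_port is an (operator, spec) pair."""
    any_b = parse_address_filter(address) if address else None
    src_b = parse_address_filter(source_address) if source_address else None
    dst_b = parse_address_filter(destination_address) if destination_address else None
    port_ok = parse_port_filter(*dst_port) if dst_port else None
    out = []
    for e in events:
        if any_b and not (address_matches(any_b, e["src"])
                          or address_matches(any_b, e["dst"])):
            continue
        if src_b and not address_matches(src_b, e["src"]):
            continue
        if dst_b and not address_matches(dst_b, e["dst"]):
            continue
        if port_ok and not port_ok(e["dst_port"]):
            continue
        if protocol and e["proto"] != protocol:
            continue
        if event_type and e["type"] != event_type:
            continue
        out.append(e)
    return out
```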

Mobile Analysis
The Mobile page displays lists of vulnerabilities discovered by scanning ActiveSync, Apple Profile
Manager, AirWatch, Good, and/or MobileIron MDM servers.

For information about mobile analysis filtering, see Mobile Analysis Filter Components.

Mobile Analysis Actions


You can use the options in the toolbar to perform the following mobile analysis actions:

- Save Query

- Export as CSV or PDF

Save Query
You can save the current view as a query for reuse. For more information about queries, see
Queries.

Export as CSV or PDF

You can export mobile results in the current view to a comma-separated file or a PDF for detailed
analysis outside of Tenable Security Center.

Note: If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is
displayed that prompts for the name of the CSV report to be generated. When complete, the report can be
downloaded from the Report Results page. For CSV exports of under 1,000 records, the browser’s standard
Save As dialog window is displayed.

Select the columns of data you want exported, then click Submit.

Mobile Analysis Filter Components


For general information about using filters, see Filters.

Analysis Tool Filter

Analysis Tool
This drop-down box is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis > Mobile dialog.

Active Filters
Displays the existing filters and allows the user to selectively remove filters as needed.

Filters

Identifier
A text-based search filter that looks at the Identifier option in the repository.

MDM Type
A drop-down box to select the MDM server type of ActiveSync, Apple Profile Manager, Good, AirWatch, and MobileIron MDM server.

Model
A text-based search filter that looks at the Model option in the repository.

Operating System CPE
A text-based search filter that looks at the Operating System CPE option in the repository.

Plugin ID
Type the Plugin ID to filter results on.

Plugin Output
Filter results based on a text search of plugin output.

Repositories
Display vulnerabilities from the chosen repositories.

Serial Number
This is a text-based search filter that looks at the Serial Number option in the repository.

Severity
Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

Username
This is a text-based search filter that looks at the User option in the repository.

Version
This is a text-based search filter that looks at the OS Version option in the repository.

Vulnerability Last Observed (Cumulative only)
This filter allows the user to see when the vulnerability was last observed.

Reports
You can create reports in Tenable Security Center to share data with users in other organizations.
For more information about which users can access what data, see Tenable Security Center
Architecture.

Tenable provides reporting through an assortment of report templates and customizable report
formats, including PDF and CSV.

Custom CyberScope, DISA ASR, DISA ARF, and DISA Consolidated ARF reports are also available for
specialized needs. An administrator user must enable report generation options before
organizational users can generate reports with CyberScope, DISA ASR, DISA ARF, or
DISA Consolidated ARF data.

In Tenable Security Center, organizational users can create custom reports or template-based
reports, as described in Create a Custom Report or Create a Template Report.

Note: To create custom PDF reports and template-based reports, you must install either the Oracle Java
JRE or OpenJDK (along with their accompanying dependencies) on the system hosting the Tenable
Security Center.

Tip: Tenable provides report templates through the Tenable Security Center feed. For a complete index of
Tenable-provided report templates, see the Tenable Security Center Report Templates blog.

For more information, see:

- Manage Reports

- Manage Report Results

- CyberScope and DISA Report Attributes

- Report Images

Manage Reports

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

On the Reports page of Tenable Security Center, you can manage report definitions and launch
reports. For more information, see Reports.

To manage reports:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. Do any of the following:

- Filter existing report definitions in the reports table.

- Create a custom report.

- Create a template report.

- Edit a report definition.

- Edit a report outline.

- Manage filters for a chapter report.

- Manage filters for a non-chapter report.

- View a report definition.

- Copy a report definition.

- Export a report definition.

- Import a report definition.

- Delete a report definition.

- Launch a report on demand.

- Add a report to a scan.

Create a Custom Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Reports.

Before you begin:


- If you want to create a CyberScope, DISA ASR, DISA ARF, or DISA Consolidated ARF report,
confirm an administrator user enabled the corresponding report generation options, as
described in Configuration Settings.

- If you want to create a CyberScope, DISA ARF, or DISA Consolidated ARF report, create report
attributes as described in CyberScope and DISA Report Attributes.

To create a custom report definition:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Reporting > Reports.

The Reports page appears.

3. At the top of the table, click Add.

The Report Template page appears.

4. In the Other section, click a report tile. For more information, see Report Templates.

5. Configure the options for the report.

Tenable Security Center displays options relevant to the report format you selected.

6. (Optional) Edit the report outline.

7. Click Submit to save your report.

Tenable Security Center saves your configuration.

Create a Template Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Template reports are formatted reports that can be customized using chapter and target
selections. For more information, see Reports.

To create a template report:

1. Log in to Tenable Security Center via the user interface.

2. In the left navigation, click Reporting > Reports.

The Reports page appears.

3. At the top of the table, click Add.

The Report Template page appears.

4. Do one of the following to locate a specific template:

- In the Search Templates box in the top right corner of the page, search for a specific
template by keyword.

Tip: After the initial search, you can limit search results by template category.

- In the Common section, click a template category to view the related templates. For
more information, see Report Templates.

5. Click a template report.

Note: Each template description specifies which Tenable Security Center data must be available to
obtain a complete report. For more information, see Data Required for Template-Based Reports.

6. (Optional) In the Chapters section, select which chapters from the template you want to
include in your report. By default, the report includes all chapters from the template.

7. In the Focus section, do one of the following:

Target all systems in the report.

Note: This is the default setting.

To return to this setting, click All Systems in the Targets drop-down box.

Target specific assets in the report.


a. In the Targets drop-down box, click Assets.

b. Select Assets and Repositories.

Target specific IP addresses in the report.


a. In the Targets drop-down box, click IP Addresses.

b. In the IP Addresses box, type the IP address or addresses where you want the report to
focus. Use commas to separate multiple addresses.

c. In the Repositories box, select a target repository or repositories.

Target specific repositories in the report.


a. In the Targets drop-down box, click Repositories.

b. In the Repositories box, select a target repository or repositories.

8. (Optional) Edit the default text in the Description box.

Note: You cannot modify any information in the Details section of the page.

9. Click Add.

Tenable Security Center creates a report based on the template and displays the Reports
page. The new report appears as the last entry in the reports table.

10. (Optional) Modify report options that are common to both custom and template reports. For
more information, see Report Options.

For example, the default value for the Schedule option for all template-based reports is On
Demand. If you want to run the report automatically, modify the Schedule option for the
report.

11. (Optional) Customize the report outline, as described in Edit a Report Outline.

For example, you might want to use text elements to add your business context to template-
based chapters.

Data Required for Template-Based Reports

Each report template description contains icons that represent which types of data must be
available on Tenable Security Center to obtain a complete report.

Hover the cursor over the icon to display the label.

Label: Asset Required
Action Required: Configure an IPv4/IPv6 repository and store scan results in the repository; see Local Repositories and IPv4/IPv6 Repositories.

Label: Audit File Required; Compliance Data Required
Action Required: Upload audit files and add them to your scan policy; see Audit Files and Scan Policies.

Label: Local Checks Required
Action Required: Configure and run credentialed scans; see Active Scans.

Label: Mobile Data Required
Action Required: Configure a mobile repository and store scan results in the repository; see Mobile Repositories.

Label: Active Data Required
Action Required: Configure a Tenable Nessus scanner and run active scans. For more information, see Tenable Nessus Scanners and Active Scans.

Label: Passive Data Required
Action Required: Configure a Tenable Nessus Network Monitor (NNM) scanner; see Tenable Nessus Network Monitor Instances.

Label: Event Data Required
Action Required: Configure a Tenable Log Correlation Engine server; see Tenable Log Correlation Engines.

Report Templates
Tenable Security Center provides a selection of report templates and customizable report formats.
You can configure a Tenable-provided report template or you can create a fully customized report
from one of the available formats. For more information, see Reports.

For a complete index of Tenable-provided report templates, see the Tenable Security Center Report
Templates blog.

Common

Compliance & Configuration Assessment
Reports that aid with configuration, change, and compliance management.

Discovery & Detection
Reports that aid in trust identification, rogue detection, and new device discovery.

Executive
Reports that provide operational insight and metrics geared towards executives.

Monitoring
Reports that provide intrusion monitoring, alerting, and analysis.

Security Industry Trends
Reports related to trends, reports, and analysis from industry leaders.

Threat Detection & Vulnerability Assessments
Reports that aid with identifying vulnerabilities and potential threats.

Other

PDF
Create a Portable Document Format (PDF) report that can be viewed universally.

CSV
Create a Comma Separated Values (CSV) report that can be imported into spreadsheets or databases.

DISA ARF
(Requires Report Generation configuration) Create a report that meets the standards of the Defense Information Systems Agency Assessment Results Format (DISA ARF).

DISA Consolidated ARF
(Requires Report Generation configuration) Create a report that meets the standards of the Defense Information Systems Agency Consolidated Assessment Results Format (DISA Consolidated ARF).

DISA ASR
(Requires Report Generation configuration) Create a report that meets the standards of the Defense Information Systems Agency Assessment Summary Results (DISA ASR).

CyberScope
(Requires Report Generation configuration) Create a report that meets CyberScope reporting standards to support FISMA compliance.

Edit a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can edit both custom reports and reports based on templates.

To edit a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. Modify the report options.

Note: Tenable Security Center displays options relevant to the report type.

4. (PDF and template reports only) Edit the report outline.

5. Click Submit to save your changes to the report.

Report Options

In Tenable Security Center, you can configure the options described below for both custom and
template reports. For information on how to create reports, see Create a Custom Report and Create
a Template Report.

The option descriptions on this page are grouped as they appear on the Add Report and Edit
Report pages. In the options tables, the Relevant Reports column specifies which report types use
each option.

Note: Tenable Security Center classifies a template-based report as a PDF report. You can
configure the same options for that report as you can for a PDF report. During template report
creation, Tenable Security Center sets these options to default values. You can change these
options for a template report only after creation is complete.

- General Options

- Report Options

- Definition Options

- Display Options

- Distribution Options

General Options

Name
Name assigned to the report.
Relevant reports: Any

Description
Descriptive text for the report.
Relevant reports: Any

Schedule
Determines how often the report runs. Options are On Demand, Now, Once, Daily, Weekly, or Monthly. When you select a frequency from the drop-down box, Tenable Security Center displays additional options for the selected time frame.
Relevant reports: Any

Attribute Sets
Predefined operational attributes that add required information to DISA ARF, DISA Consolidated ARF, or CyberScope report types. The drop-down box displays only the attribute set defined for the report you are currently creating.
Relevant reports: DISA ARF, DISA Consolidated ARF, CyberScope

ASR Content
When creating a report, this drop-down box offers a selection of Benchmark, IAVM, CVE, or Plugin ID to be included.
Relevant reports: DISA ASR, DISA Consolidated ARF

ASR Record Format
This drop-down box determines the format (Summary or Detail) of the DISA ASR report.
Relevant reports: DISA ASR

Include ARF
When enabled, allows for the inclusion of a DISA attribute set for the report.
Relevant reports: DISA ASR

Benchmarks
Benchmarks are generated after a scan using certain audit files that have been successfully run against at least one target system.
Relevant reports: DISA ASR, DISA Consolidated ARF, CyberScope

Report Options

Style
A compound value that specifies the report style, paper size, and orientation. For example, Plain, Letter.

Report styles include:

- Plain — a report with basic graphs

- Tenable — a report with basic graphs and a footer logo on the cover page

- Tenable 3D — a report with enhanced 3D graphs and a footer logo on the cover page

Note: If an administrator configured a Classification Type banner, plain report styles are the only options listed.

Paper sizes include:

- Letter — the standard 8.5 inches x 11 inches letter size

Note: Letter size is the default paper size, used by options that do not explicitly state a paper size. For example, the paper size for Plain, Landscape is letter size.

- A4 — the standard 8.27 inches x 11.69 inches A4 size

Orientation options include:

- Portrait — vertical

Note: Portrait is the default orientation, used by options that do not explicitly state an orientation. For example, the orientation for Plain, Letter is vertical.

- Landscape — horizontal

Relevant reports: PDF

Include Cover Page
Include a cover page in the report. Cover pages include:

- a cover logo

- the scan Name

- the date and time you generated the report

- the date and time Tenable Security Center imported the scan results, if you generated the report from scan results

- the scan result ID, if you generated the report from scan results

Relevant reports: PDF

Include Header
Include a predefined header in the report.
Relevant reports: PDF

Include Footer
Include a predefined footer in the report.
Relevant reports: PDF

Include Table of Contents
Include a table of contents with the report.
Relevant reports: PDF

Include Index
Include an Index with the report.
Relevant reports: PDF

Cover Logo
Specifies which image to use for the lower-left footer logo on the cover page of the report. The default logo is the Tenable logo. To add a custom logo, see Report Images.

Note: The Plain report style suppresses this footer logo on the cover page.

Relevant reports: PDF

Footer Logo
Specifies which image to use for the lower-left footer logo on all pages except the cover page. The default logo is the Tenable logo. To add a custom logo, see Report Images.
Relevant reports: PDF

Watermark
Specifies a watermark for each page of the report. The default is no watermark. To add a custom watermark, see Report Images.
Relevant reports: PDF

Encrypt PDF
Protect the PDF with a password and 256-bit Advanced Encryption Standard (AES) encryption. When enabled, the Password text box appears. Enter a password to use to open the report and view its contents.
Relevant reports: PDF

Definition Options
Tenable Security Center displays definition options relevant to the report or report element type.

Add Chapter (PDF): The primary component in the report organization. Chapters
are listed in the table of contents for the report and consist of sections and
elements. For more information, see Add a Custom Chapter to a Report and Edit a
Report Outline.

Add Template Chapter (PDF): A predefined chapter from a Tenable-provided report
template. For more information, see Add a Template Chapter to a Report.

Query (CSV, DISA ARF, DISA Consolidated ARF, DISA ASR, CyberScope; Iterator,
Table, and Chart elements in PDF): A list of predefined queries you can use to
retrieve data for the report. For more information, see Queries.

Type (CSV; Iterator, Table, and Chart elements in PDF): The type of data to
include in the report.

Source (CSV, DISA ARF, DISA Consolidated ARF, DISA ASR, CyberScope; Iterator,
Table, and Chart elements in PDF): The source of the data to include in the
report.

For CSV reports, valid values for this field differ based on the setting of the
Type option:

- If Type is set to Vulnerability, valid Source values are:
  - Cumulative—All vulnerabilities, regardless of whether the vulnerabilities
    have been remediated or not
  - Mitigated—Remediated vulnerabilities
  - Individual Scan—Vulnerabilities identified in a specific scan

  Note: If you select Individual Scan, Tenable Security Center displays the
  Selected Scan option, which allows you to select a scan to use as the basis
  of the report:
  a. Click one of the predefined date ranges, or click Custom Range and enter
     starting and ending days for the range.
  b. Click Fetch Scans to view a list of possible scans within the date range.
  c. Click the scan you want to use in the drop-down box.

- If Type is set to Event, valid Source values are:
  - Active—Currently active events
  - Archive—Archived events

  Note: If you select Archive, Tenable Security Center displays additional
  options, allowing you to select the LCE that collected the events and the
  Silo that stores the archived events.

- If Type is set to Mobile, Ticket, or Alert, this option is absent.

For DISA ARF, DISA Consolidated ARF, and DISA ASR reports, you do not set the
Type option. Valid Source values are limited to Cumulative and Individual Scan,
which operate in the same way as they do for CSV reports.

Tool (CSV; Iterator, Table, and Chart elements in PDF): Select the tool Tenable
Security Center uses to analyze the data in the report.

Filters (CSV, DISA ARF, DISA Consolidated ARF, DISA ASR, CyberScope; Iterator,
Table, and Chart elements in PDF): Specifies additional criteria to refine
report data. For more information, see Manage Filter Components for a
Non-Chapter Report.

Find/Update Filters (PDF): This option appears after you add at least one
chapter to the report. For more information, see Manage Filter Components for
Multiple Elements.

Display Options
These options control how Tenable Security Center presents the results: which
columns appear, how the results are sorted, and how many results the report
includes.

Results Displayed (CSV; Iterator, Table, Bar Chart, and Pie Chart elements in
PDF): The number of results included in the output.

Sort Column (CSV; Iterator, Table, Bar Chart, and Pie Chart elements in PDF):
The column that Tenable Security Center uses to sort the results. Available
columns depend on:

- the Type you selected in the Definition options
- the Display Columns value you select in the Display options

Sort Direction (CSV; Iterator, Table, Bar Chart, and Pie Chart elements in PDF):
The sort direction for the results.

Display Columns (CSV; Iterator, Table, Bar Chart, and Pie Chart elements in
PDF): The columns included in the results file. Available columns depend on the
Definition options you select.

Tip: The Display Columns appear in the results file in the order in which you
select them.

Distribution Options
Distribution options specify the actions Tenable Security Center takes when a
report run completes. These options apply to any report type.

Email Users (Any): Select Tenable Security Center users to whom Tenable Security
Center emails the completed report. The drop-down list includes only users with
defined email addresses.

Email Addresses (cc) (Any): Add CC email addresses where Tenable Security Center
emails the completed report. You can specify multiple email addresses,
separated by commas.

Email Addresses (bcc) (Any): Add BCC email addresses where Tenable Security
Center emails the completed report. You can specify multiple email addresses,
separated by commas.

Share (Any): Allows you to select which Tenable Security Center users within
your organization can view the completed report in Tenable Security Center. Use
this option if organizational policies prohibit emailing potentially sensitive
data.

Publishing Sites (Any): Allows you to select predefined publishing sites where
Tenable Security Center uploads the completed report. For more information, see
Publishing Sites Settings.
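Each distribution option above is a path by which vulnerability data leaves the console, so a practitioner typically audits report definitions for external recipients, unencrypted PDFs sent by email, CSV output (which has no encryption option) sent by email, and publishing-site uploads. The following is an added example, not Tenable code or part of this guide. The dictionary layout and field names it reads (emailUsers, emailTargets, emailTargetsBcc, encryptPDF, pubSites, type) are assumptions modelled loosely on a report definition object; map them to whatever your Security Center actually returns. The sample definitions are constructed.

```python
"""Audit a report definition's distribution settings for data-leak paths.

Added example, not Tenable code. Field names in the definition dictionaries are
assumptions, and the sample definitions are constructed.
"""
from email.utils import getaddresses
from typing import Dict, List, Set


def parse_address_list(raw: str) -> List[str]:
    """Split a comma-separated cc/bcc string, tolerating 'Name <addr>' forms,
    into lower-cased bare addresses."""
    return [addr.lower() for _, addr in getaddresses([raw or ""]) if addr]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def audit_distribution(defn: Dict, allowed_domains: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the definition
    complies with the policy encoded here."""
    allowed = {d.lower() for d in allowed_domains}
    findings: List[str] = []

    # Email Users carry an address on the user object; cc/bcc are free text.
    recipients = [u["email"].lower() for u in defn.get("emailUsers", []) if u.get("email")]
    recipients += parse_address_list(defn.get("emailTargets", ""))
    recipients += parse_address_list(defn.get("emailTargetsBcc", ""))

    external = sorted({r for r in recipients if domain_of(r) not in allowed})
    if external:
        findings.append("emails report to external recipients: " + ", ".join(external))

    if recipients:
        rtype = str(defn.get("type", "")).lower()
        if rtype == "pdf" and str(defn.get("encryptPDF", "false")).lower() != "true":
            findings.append("PDF is emailed without Encrypt PDF enabled")
        elif rtype != "pdf":
            # Encrypt PDF applies to PDF reports only; other formats go out in clear.
            findings.append(f"{rtype} output cannot be encrypted; use Share instead of email")

    sites = [s.get("name", "?") for s in defn.get("pubSites", [])]
    if sites:
        findings.append("uploads report to publishing site(s): " + ", ".join(sites))
    return findings


def audit_all(definitions: List[Dict], allowed_domains: Set[str]) -> Dict[str, List[str]]:
    """Map each report name to its findings, keeping only non-compliant reports."""
    result = {}
    for defn in definitions:
        findings = audit_distribution(defn, allowed_domains)
        if findings:
            result[defn["name"]] = findings
    return result


# Constructed sample definitions (assumed field names, not real API output).
SAMPLE_DEFINITIONS = [
    {"name": "Executive vulnerability summary", "type": "pdf", "encryptPDF": "false",
     "emailUsers": [{"username": "ciso", "email": "ciso@example.com"}],
     "emailTargets": "auditor@partner-firm.example", "emailTargetsBcc": "",
     "shareUsers": [], "pubSites": []},
    {"name": "SOC weekly (share only)", "type": "pdf", "encryptPDF": "true",
     "emailUsers": [], "emailTargets": "", "emailTargetsBcc": "",
     "shareUsers": [{"username": "secops"}], "pubSites": []},
    {"name": "Patch list export", "type": "csv", "encryptPDF": "false",
     "emailUsers": [], "emailTargets": "Ops Team <ops@example.com>",
     "emailTargetsBcc": "", "shareUsers": [], "pubSites": [{"name": "grc-sftp"}]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DEFINITIONS, {"example.com"}).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run the audit against the definitions your API client retrieves and review the output before each reporting cycle; a report whose only distribution is Share produces no findings, which is the state the guide recommends when policy prohibits emailing sensitive data.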

Edit a Report Outline

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, the report outline allows you to modify the structure of a PDF or
template-based report.

The outline consists of the following components:

chapter (primary outline level): Highest-level component. Can contain any type
of element (grouping, text, chart).

element (subordinate outline level): A grouping, text, or chart element. Can be
nested in a chapter or grouping component.

To edit a report outline:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. The outline is, by default, expanded.

4. In the report outline, you can:

- Expand or collapse elements nested in the outline by clicking Collapse All or
  Expand All at the top of the outline.
- Expand or collapse elements nested in an individual chapter or element by
  clicking the arrow next to the element.
- Add a custom chapter.
- Add a template chapter.
- Add or edit a report element.
- Reorder chapters and elements in a report.
- Delete a report element by clicking the delete icon next to the element.

Note: Tenable Security Center does not ask you to confirm this deletion. However, the
deletion is not final until you save all changes to the report.

5. Click Submit to save your changes to the report.

Add a Custom Chapter to a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can add custom chapters to PDF or template-based reports.

To add a custom chapter to a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. At the bottom of the report outline, click Add Chapter.

Tip: If the report contains multiple chapters or sections, scroll down to locate the bottom navigation
bar. It can also be helpful to click Collapse All on the top navigation bar to collapse the outline to its
highest-level components.

The Add Chapter page appears.

5. In the Name box, enter a title for the chapter.

6. In the Location box, select a relative location for the chapter within the report.

7. In the Style box, select a style for the report.

8. Click Submit.

Tenable Security Center adds the chapter to the report and displays the Edit Report page.

9. Click Submit to save your changes to the report.

Add a Template Chapter to a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can add template chapters to template reports and custom PDF
reports.

To add a template-based chapter to a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. At the bottom of the outline, click Add Template Chapter.

5. Do one of the following:

- In the Search Templates box in the top right corner of the page, search for a
  specific template by keyword.

  Tip: After the initial search, you can limit search results by template
  category.

- Click a template category icon to view the related templates.

6. Click the report template that contains chapters you want to include in your
custom report.

7. (Optional) Modify the default options for the report template:

a. In the Chapters section, select which chapters from the template you want to
include in your report. By default, the report includes all chapters from the
template.

b. Do one of the following:

- In the Focus section, target all systems in the report. This is the default
  setting. To return to this setting, click All Systems in the Targets
  drop-down box.

- Target specific assets in the report.
  i. In the Targets drop-down box, click Assets.
  ii. Select Assets and Repositories.

- Target specific IP addresses in the report.
  i. In the Targets drop-down box, click IP Addresses.
  ii. In the IP Addresses box, type the IP address or addresses where you want
  the report to focus. Use commas to separate multiple addresses.
  iii. In the Repositories box, select a target repository or repositories.

- Target specific repositories in the report.
  i. In the Targets drop-down box, click Repositories.
  ii. In the Repositories box, select a target repository or repositories.

c. (Optional) Edit text in the Description box.

Note: You cannot modify any information in the Details section.

8. Click Add.

Tenable Security Center adds the template chapter or chapters to your custom report and
displays the Edit Report page again.

9. (Optional) Change the template chapter options.


a. Click the edit icon next to the chapter you added.

b. In the Name box, edit the chapter title.

c. In the Location box, change the relative location for the chapter within the report.

d. In the Style box, select a style for the chapter.

e. Click Submit to save your changes to the chapter.

10. Click Submit to save your changes to the report.

Add or Edit a Report Element

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can add or edit elements within chapters or grouping elements in Tenable Security Center
reports.

To add or edit a report element:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- Click Add Element next to the element where you want to add the element.
- Click the edit icon next to the element you want to change.

Tip: To display Add Element or the edit icon, hover the cursor over the element.

5. Configure any of the following types of elements:

- Grouping (see Configure a Grouping Element in a Report)
- Text (see Configure a Text Element in a Report)
- Charts (see Configure a Charts Element in a Report)

6. Click Submit to save your changes to the report.

Configure a Grouping Element in a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Grouping elements in Tenable Security Center reports include:

Group (PDF): Groups associated elements on the same page.

Section (PDF): Allows you to organize content within chapters.

Iterator (PDF): Allows you to specify how the report groups its data. For
example, if an Iterator Type of Port Summary is chosen for a vulnerability
report, vulnerability data in the report is grouped by detected ports. If you
do not configure an iterator, hosts and vulnerabilities are listed in the
report individually.

To configure a grouping element:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Click Add Element.

Tip: To display Add Element, hover the cursor over the element.

5. Do one of the following:

- Add a group to the report.
  a. In the Grouping section, click the Group icon.
  b. Configure the following options:

  Name: Type a name for the element.
  Location: Select a location for the element in the report.
  Style: Select a style for the element.

- Add a section to the report.
  a. In the Grouping section, click the Section icon.
  b. Configure the following options:

  Name: Type a name for the element.
  Location: Select a location for the element in the report.
  Style: Select a style for the element.

- Add an iterator to the report.
  a. In the Grouping section, click the Iterator icon.
  b. Configure the following options:

  General

  Name: Type a name for the element.
  Location: Select a location for the element in the report.
  Style: Select a style for the element.

  Definition

  Query: Select a predefined query to define the data included in the element.
  For more information, see Queries.

  Type: Select the type of data to include in the element. Iterator elements
  support vulnerability or event data only.

  Source: Select the source of the data included in the element. Valid values
  for this field differ based on the setting of the Type option:

  - If Type is set to Vulnerability, valid Source values are:
    - Cumulative—All vulnerabilities, regardless of whether the vulnerabilities
      have been remediated or not
    - Mitigated—Remediated vulnerabilities
    - Individual Scan—Vulnerabilities identified in a specific scan

    Note: If you select Individual Scan, Tenable Security Center displays the
    Selected Scan option, which allows you to select a scan to use as the basis
    of the report:
    a. Click one of the predefined date ranges, or click Custom Range and enter
       starting and ending days for the range.
    b. Click Fetch Scans to view a list of possible scans within the date range.
    c. Click the scan you want to use in the drop-down box.

  - If Type is set to Event, valid Source values are:
    - Active—Currently active events
    - Archive—Archived events

    Note: If you select Archive, Tenable Security Center displays additional
    options, allowing you to select the LCE that collected the events and the
    Silo that stores the archived events.

  Filters: Specify additional criteria to refine element data. See Manage
  Filters for a Chapter Report.

  Iterator Type: Select a grouping method for iteration data:

  - IP Summary—Group vulnerability or event data by the IP addresses of
    detected hosts.
  - Port Summary—Group vulnerability or event data by the detected ports.
  - Type Summary—Group event data by event type.
  - User Summary—Group event data by user.
  - Vulnerability Summary—Group vulnerability data by individual vulnerability.

  Results Displayed: Select the number of results you want to include in the
  iteration.

  Sort Column: Select the column that Tenable Security Center uses to sort the
  iteration data.

  Sort Direction: Select the sort direction for the iteration data.

  Header Information: Select the columns you want to include in the iteration
  data. Available columns depend on the settings of the Type and Source
  options.

6. Click Submit to save the element.

7. Click Submit to save your changes to the report.
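The Iterator options above and the Display options under Report Options (Results Displayed, Sort Column, Sort Direction) describe the same pipeline: select a source, group the data, sort it, then keep the top N. The following is an added example, not Tenable code or part of this guide, that models that pipeline on a constructed list of vulnerability findings so the interaction of the options is visible: the Results Displayed cut-off is applied after sorting, a Mitigated source drops everything that is still open, and the event-only iterator types (Type Summary, User Summary) are rejected for vulnerability data. The finding records, plugin IDs and names are constructed sample values; the "hosts" column is computed here and is not a product option.

```python
"""Model an Iterator element's group / sort / truncate behaviour.

Added example, not Tenable code. FINDINGS is constructed sample data; plugin
IDs and names are illustrative only.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional

SEVERITIES = ("critical", "high", "medium", "low", "info")

# Grouping keys for the iterator types that accept vulnerability data.
# Type Summary and User Summary exist only for event data (see Iterator Type).
VULN_ITERATORS: Dict[str, Callable[[dict], object]] = {
    "IP Summary": lambda f: f["ip"],
    "Port Summary": lambda f: f"{f['port']}/{f['protocol']}",
    "Vulnerability Summary": lambda f: f["plugin_id"],
}

FINDINGS = [  # constructed sample findings
    {"ip": "10.0.0.5", "port": 443, "protocol": "tcp", "plugin_id": 51192,
     "name": "SSL Certificate Cannot Be Trusted", "severity": "medium", "mitigated": False},
    {"ip": "10.0.0.5", "port": 22, "protocol": "tcp", "plugin_id": 10881,
     "name": "SSH Protocol Versions Supported", "severity": "info", "mitigated": False},
    {"ip": "10.0.0.7", "port": 443, "protocol": "tcp", "plugin_id": 51192,
     "name": "SSL Certificate Cannot Be Trusted", "severity": "medium", "mitigated": False},
    {"ip": "10.0.0.7", "port": 445, "protocol": "tcp", "plugin_id": 57608,
     "name": "SMB Signing not required", "severity": "medium", "mitigated": False},
    {"ip": "10.0.0.9", "port": 443, "protocol": "tcp", "plugin_id": 42873,
     "name": "SSL Medium Strength Cipher Suites Supported", "severity": "high", "mitigated": False},
    {"ip": "10.0.0.9", "port": 80, "protocol": "tcp", "plugin_id": 11219,
     "name": "SYN scanner", "severity": "info", "mitigated": True},
]


def select_source(findings: List[dict], source: str) -> List[dict]:
    """Cumulative keeps every finding; Mitigated keeps only remediated ones."""
    if source == "Cumulative":
        return list(findings)
    if source == "Mitigated":
        return [f for f in findings if f["mitigated"]]
    raise ValueError(f"unsupported Source for this example: {source}")


def iterate(findings: List[dict], iterator_type: str, source: str = "Cumulative",
            sort_column: str = "total", sort_direction: str = "desc",
            results_displayed: Optional[int] = None) -> List[dict]:
    """Group findings per the iterator type, count severities per group,
    sort by the requested column, then truncate to Results Displayed."""
    if iterator_type not in VULN_ITERATORS:
        raise ValueError(f"{iterator_type} groups event data only")
    key_of = VULN_ITERATORS[iterator_type]

    groups: Dict[object, List[dict]] = defaultdict(list)
    for f in select_source(findings, source):
        groups[key_of(f)].append(f)

    rows = []
    for key, items in groups.items():
        counts = Counter(f["severity"] for f in items)
        row = {"key": key, "total": len(items), "hosts": len({f["ip"] for f in items})}
        row.update({s: counts.get(s, 0) for s in SEVERITIES})
        rows.append(row)

    # Deterministic tie-break on the key first (stable sort), then the column;
    # the cut-off is applied only after sorting, so it really is "top N".
    rows.sort(key=lambda r: str(r["key"]))
    rows.sort(key=lambda r: r[sort_column], reverse=(sort_direction == "desc"))
    return rows if results_displayed is None else rows[:results_displayed]


if __name__ == "__main__":
    for row in iterate(FINDINGS, "Port Summary", results_displayed=3):
        print(row["key"], row["total"], {s: row[s] for s in SEVERITIES if row[s]})
```

Changing `sort_column` to a severity name reorders the groups by that count, which is how an iterator sorted on Critical surfaces the worst hosts first even when another host has more total findings.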

Configure a Text Element in a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Text elements in Tenable Security Center reports include:

Matrix (PDF): Data in a chart layout.

Table (PDF): Data in a table layout (max results displayed: 999). The underlying
data set determines the report display. The default view for most reports is
host-centric, and Tenable Security Center also lets you choose a
vulnerability-centric report (a listing of vulnerabilities with all associated
hosts).

Paragraph (PDF): Descriptive text that can be inserted anywhere in the report.
Use this option to describe table elements or report output for the viewer.

Assurance Report Card (PDF): An element based on the results of a selected
Assurance Report Card.
To configure a text element in a report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- Click Add Element to add an element.
- Click the edit icon next to the element to edit an existing element.

Tip: To display Add Element and the edit icon, hover the cursor over the element.

5. Do one of the following:

- Add a matrix to the report. See Configure a Matrix Element in a Report.

- Add a table to the report. See Configure a Table Element in a Report.

- Add a paragraph to the report.
  a. In the Text section, click the Paragraph icon.
  b. Configure the following options:

  Name: Type a name for the element.
  Location: Select a location for the element in the report.
  Style: Select a style for the element.
  Text: Type the text of the paragraph.

  c. Click Submit to save your changes to the element.

- Add an Assurance Report Card to the report.
  a. In the Text section, click the Assurance Report Card icon.
  b. Configure the following options:

  Name: Type a name for the element.
  Location: Select a location for the element in the report.
  Style: Select a style for the element.
  Assurance Report Card: Select the Assurance Report Card (ARC) you want to add
  to the report. For more information on ARCs, see Assurance Report Cards.

  c. Click Submit to save your changes to the element.

6. Click Submit to save your changes to the report.

Configure a Matrix Element in a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

A matrix element is a type of text element you can insert into a Tenable Security Center report
definition. For more information on text elements, see Configure a Text Element in a Report.

To configure a matrix element in a report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- Add a new element.
  a. Click Add Element.
  b. In the Text section, click the Matrix icon.

- Click the edit icon next to the element you want to change.

Tip: To display Add Element and the edit icon next to an element, hover the
cursor over the element.

5. Configure the General options:

Name: Type a name for the element.
Location: Select a location for the element in the report.
Style: Select a style for the element.

6. In the Cells section, select the number of columns and rows you want the
matrix to include. By default, the matrix is 4 cells by 4 cells.

7. Click Generate Cells.

Tenable Security Center displays the empty matrix for configuration.

8. Do one of the following:

- Edit a row or column header.
  a. Click the header for the row or column you want to edit.
  b. Next to the header label, click the menu.

  The actions menu appears.

  c. Click Edit Header.
  d. In the Label box, type a new header.
  e. Click Submit.

- Add a matrix component.
  a. Click the matrix cell where you want to add the component.
  b. In the Data Type drop-down box, select the type of data for the component.
  c. In the Type drop-down box, select the type of calculation you want the
  component to perform.
  d. In the Source drop-down box, select a data source.
  e. (Optional) In the Filter box, add or edit a filter using the same steps you
  would to add a filter to a report element; see Manage Filter Components for a
  Single Element.
  f. In the Rules section, click Add Rule to add a rule.

  -or-

  Click the edit icon next to a rule to edit an existing rule.

  g. Click Submit to save your changes to the component.

- Copy a row or column.
  a. Click the header for the row or column you want to copy.
  b. Next to the header label, click the menu.

  The actions menu appears.

  c. Click Copy.

  For columns, Tenable Security Center inserts the copied column to the right
  of the original column.

  For rows, Tenable Security Center inserts the copied row under the original
  row.

- Delete a row or column.
  a. Click the header for the row or column you want to delete.
  b. Next to the header label, click the menu.

  The actions menu appears.

  c. Click Delete Cells.

9. Click Submit to save your changes to the element.

10. Click Submit to save your changes to the report.


Configure a Table Element in a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

A table element is a type of text element you can insert into a Tenable Security Center report
definition. For more information on text elements, see Configure a Text Element in a Report.

To configure a table element in a report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- Add a new element.
  a. Click Add Element.
  b. In the Text section, click the Table icon.

- Click the edit icon next to the element you want to change.

Tip: To display Add Element and the edit icon next to an element, hover the
cursor over the element.

5. Configure the General options:

Name: Type a name for the element.
Location: Select a location for the element in the report.
Style: Select a style for the element.

6. Configure the Data options:

Type, Query, Source, Tool, Filters: Equivalent to the Definition options of the
same name in Report Options.

7. Configure the Display options:

Results Displayed, Sort Column, Sort Direction, Display Columns: Equivalent to
the Display options of the same name in Report Options.

8. Click Submit to save your changes to the element.

9. Click Submit to save your changes to the report.

Configure a Charts Element in a Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Charts elements in Tenable Security Center reports include:

Bar Chart (PDF): Click to add a bar chart element to the report.

Pie Chart (PDF): Click to add a pie chart element to the report.

Line Chart (PDF): Click to add a line chart element to the report. Line charts
are defined by time (x-axis) and series data (y-axis). When selecting the time,
available options include Relative time and Absolute time. One or more series
data elements can be chosen and displayed as discrete lines for easy comparison.

Area Chart (PDF): Click to add an area chart element to the report. Area charts
are defined by time (x-axis) and series data (y-axis). When selecting the time,
available options include Relative time and Absolute time. One or more series
data elements can be chosen and displayed as a stackable view for easy
comparison.

To configure a chart element in a report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- Add a chart element.
  a. Click Add Element to add an element.
  b. In the Charts section, click the icon for the type of chart you want to
  add.

- Click the edit icon next to an existing chart element.

Tip: To display Add Element and the edit icon, hover the cursor over the element.

5. For all charts, configure the General options:

Name: Type a name for the element.
Location: Select a location for the element in the report.
Style: Select a style for the element.

6. For bar charts and pie charts, configure the following Data options:

Type, Query, Source, Tool, Filters: Equivalent to the Definition options of the
same name in Report Options.

7. For line charts and area charts, configure the following Data options:

Data Type: Valid values are Relative and Absolute. Use to configure the x-axis
of the chart.

Data Range: Use to configure the x-axis of the chart:

- If you select Relative for Data Type, select a relative date range.
- If you select Absolute for Data Type, select a specific start and end date
  for the data.

Series: Use to configure the y-axis of the chart. Line charts and area charts
require that you configure at least one series.

8. For bar charts and pie charts, configure the following Display options:

Results Displayed, Sort Column, Sort Direction, Display Columns: Equivalent to
the Display options of the same name in Report Options.

9. Click Submit to save your changes to the element.

10. Click Submit to save your changes to the report.

Reorder Report Chapters and Elements

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can reorder chapters and elements in a PDF, CSV, or template-
based report.

To reorder report chapters and elements:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Do one of the following:

- In the report outline, click the report element, then drag and drop it to its
  new location.
- Click the edit icon for the component, and select a new location in the
  Location drop-down box.

5. Click Submit to save your changes to the report.

Manage Filters for a Chapter Report


In Tenable Security Center, PDF and template-based reports use a chapter structure, so you can
specify different filters for individual chapter elements of those reports.

You can manage filters for a single element or for multiple elements at the same time. For more
information, see:

- Manage Filter Components for a Single Element
- Manage Filter Components for Multiple Elements

Manage Filter Components for a Single Element

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Tip: You can build filters using one or more filter components with defined filter component criteria. Filter
components are types of data (e.g., CVE ID or Severity). After you select a filter component, you specify
the filter component criteria (e.g., a specific CVE ID or a specific severity level).

To manage filter components for a single element in a chapter report in Tenable Security
Center:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. Click the edit icon next to the element you want to edit.

Tip: To display icons next to an element, hover the cursor over the element.

5. Do one of the following:

- Add a filter component.

  Use these steps to add one or more filter components to a single element. For
  information about the filter components available for vulnerability analysis
  data or event analysis data, see Vulnerability Analysis Filter Components or
  Event Analysis Filter Components.

  a. In the Data section, click Add Filter.
  b. Select a filter component from the drop-down box.
  c. Set the filter component criteria, as prompted.

  Depending on the filter component you selected, Tenable Security Center
  prompts you to type the value you want to filter for or to select from valid
  values and operators.

  Note: If Tenable Security Center does not prompt you to specify an operator,
  the unstated operator is equivalent to is equal to or is set to.

  d. Click the check mark next to the filter component to stop editing it.

  Note: The new filter component is not saved until you click Submit.

- Edit a filter component.
  a. In the Data section, click the pencil icon next to the filter component.
  b. Edit the filter component criteria.
  c. Click the check mark next to the filter component to stop editing it.

  Note: Your changes to the filter are not saved until you click Submit.

- Delete a filter component.

  In the Data section, click the delete icon next to the filter component.

  Note: Tenable Security Center does not prompt you to confirm the deletion.
  However, the deletion is not final until you click Submit to save your
  changes.

6. Click Submit.

Manage Filter Components for Multiple Elements

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

When managing filter components for a chapter report in Tenable Security Center, you can search
the report for elements that use certain filter components, then update the filter component
criteria for all matching elements in that report at the same time.

Tip: You can build filters using one or more filter components with defined filter component criteria. Filter
components are types of data (e.g., CVE ID or Severity). After you select a filter component, you specify
the filter component criteria (e.g., a specific CVE ID or a specific severity level).

You can use the following filter components to search and update: Address, Audit File, Asset, CVE
ID, DNS Name, IAVM ID, Repositories, Scan Policy, and Severity.

For example, if you search a report definition for all elements where the Severity filter component
is set to Info, you can update the Severity filter component to Medium for all elements, and add an
Audit File filter component to the elements at the same time.
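The Find/Update Filters behaviour described above, together with the outline structure from Edit a Report Outline (chapters holding elements, with grouping elements nesting further elements), is easiest to reason about as a tree walk. The following is an added example, not Tenable code or part of this guide: it walks a constructed outline, finds every element whose filter component matches a search (the guide's Severity = Info case, plus the contains operator), and applies the same updates to all matches, returning a modified copy and the match count so the changes can be reviewed before they are committed. The outline and the filter encoding ({"filterName", "operator", "value"}) are assumptions, not the product's export format.

```python
"""Find elements in a report outline by filter component and update them in bulk.

Added example, not Tenable code. The outline and filter encoding below are
constructed assumptions for illustration.
"""
import copy
from typing import Dict, Iterator, List, Tuple

Filter = Tuple[str, str, str]  # (component, operator, value)

OUTLINE = {  # constructed sample outline
    "name": "Monthly Vulnerability Report",
    "chapters": [
        {"name": "Executive Summary", "elements": [
            {"name": "Info findings table", "type": "table",
             "filters": [{"filterName": "severity", "operator": "=", "value": "info"}]},
            {"name": "Critical hosts", "type": "table",
             "filters": [{"filterName": "severity", "operator": "=", "value": "critical"}]},
        ]},
        {"name": "Details", "elements": [
            {"name": "Web servers", "type": "group", "elements": [
                {"name": "Web info chart", "type": "barchart",
                 "filters": [{"filterName": "severity", "operator": "=", "value": "info"},
                             {"filterName": "port", "operator": "=", "value": "443"}]},
                {"name": "Narrative", "type": "paragraph"},
            ]},
        ]},
    ],
}


def walk_elements(node: Dict) -> Iterator[Dict]:
    """Depth-first walk over chapters, elements and nested grouping elements."""
    for child in node.get("chapters", []) + node.get("elements", []):
        yield child
        yield from walk_elements(child)


def filter_matches(flt: Dict, component: str, operator: str, value: str) -> bool:
    """Search operators mirror the UI: 'is equal to' (=) and 'contains'."""
    if flt["filterName"] != component:
        return False
    have, want = str(flt["value"]).lower(), str(value).lower()
    if operator == "=":
        return have == want
    if operator == "contains":
        return want in have
    raise ValueError(f"unsupported search operator: {operator}")


def find_elements(outline: Dict, component: str, operator: str, value: str) -> List[Dict]:
    """Every element (at any nesting depth) with a matching filter component."""
    return [e for e in walk_elements(outline)
            if any(filter_matches(f, component, operator, value) for f in e.get("filters", []))]


def update_filters(outline: Dict, search: Filter, actions: List[Filter]) -> Tuple[Dict, int]:
    """Apply each action to every element matching 'search'. An action on a
    component the element already filters on replaces that filter's operator and
    value; otherwise the filter component is added. The input is not mutated."""
    updated = copy.deepcopy(outline)
    targets = find_elements(updated, *search)
    for element in targets:
        for component, operator, value in actions:
            existing = [f for f in element["filters"] if f["filterName"] == component]
            if existing:
                for f in existing:
                    f["operator"], f["value"] = operator, value
            else:
                element["filters"].append(
                    {"filterName": component, "operator": operator, "value": value})
    return updated, len(targets)


if __name__ == "__main__":
    # Preview first (the guide's tip: check the matches before bulk-updating).
    print([e["name"] for e in find_elements(OUTLINE, "severity", "=", "info")])
    new_outline, touched = update_filters(
        OUTLINE, ("severity", "=", "info"),
        [("severity", "=", "medium"), ("auditFile", "=", "CIS_Apache")])
    print(touched, "elements updated")
```

Calling `find_elements` before `update_filters` is the programmatic equivalent of reviewing the Matching Filters box; if the preview lists an element you did not intend to change, narrow the search or edit that element individually.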

To manage filter components for multiple elements in a chapter report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. On the left side of the page, click Definition.

The report outline appears. This outline is, by default, expanded. For more information, see
Edit a Report Outline.

4. At the top of the outline, click Find/Update Filters.

To search for specific elements in the report:

1. In the Search Filters section, click Add Search Filter.

2. Select a filter component from the drop-down box.

3. Select an operator from the drop-down box.

a. If you selected is equal to or contains as operator, type filter component criteria or
select a value from the list of valid filter component criteria, as appropriate to the filter
component you selected.

4. Click the check mark at the end of the filter box.

Tenable Security Center searches the report outline for elements that match your search
criteria and displays the results in the Matching Filters box.

To specify the filter updates you want to make:

1. In the Update Actions section, click Add Search Filter.

2. Select a filter component from the drop-down box.

3. Select an operator from the drop-down box.

4. Type filter component criteria or select a value from the list of valid filter values, as
appropriate to the filter component and operator you selected.

5. Click the check mark at the end of the filter box.

To review and update the filter updates:

1. In the Matching Filters box, review the list to verify that you want to apply the update to all
the listed elements.

Tip: If you do not want to apply the current update to all the listed elements, it may be more
appropriate to manage filter components by individual element. For more information, see Manage
Filter Components for a Single Element.

2. Click Update Filters.

Tenable Security Center applies the updates to the matching elements and returns you to the
report outline.

3. Click Submit to save your changes to the report.

Manage Filter Components for a Non-Chapter Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, CSV, DISA ARF, DISA ASR, and Cyberscope reports do not use a chapter
structure, so you can create a set of filter components that apply to every element of the report.

Tip: You can build filters using one or more filter components with defined filter component criteria. Filter
components are types of data (e.g., CVE ID or Severity). After you select a filter component, you specify
the filter component criteria (e.g., a specific CVE ID or a specific severity level).

To manage filter components for a non-chapter report:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the reports table, click the name of the report you want to edit.

-or-

Right-click the row for the report you want to edit, and click Edit.

The Edit Report page appears.

3. Do one of the following:

l Add a filter component.
Use these steps to add one or more filter components to a single element. For
information about the filter components available for vulnerability analysis data or event
analysis data, see Vulnerability Analysis Filter Components or Event Analysis Filter
Components.

a. In the Definition section, click Add Filter.

b. Select a filter component from the drop-down box.

c. Set the filter component criteria, as prompted.

Depending on the filter component you selected, Tenable Security Center prompts
you to type the value you want to filter for or to select from valid values and
operators.

d. Click the check mark next to the filter component to stop editing it.

Note: The new filter component is not saved until you click Submit.

l Edit a filter component.
a. In the Definition section, click the edit icon next to the filter component.

b. Edit the filter criteria.

c. Click the check mark next to the filter component to stop editing it.

Note: Your changes to the filter component are not saved until you click Submit.

l Delete a filter component.
In the Definition section, click the delete icon next to the filter component.

Note: Tenable Security Center does not prompt you to confirm the deletion. However, the
deletion is not final until you click Submit to save your changes.

4. Click Submit to save your changes.

View a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To view a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the row for the report definition you want to view, click the menu.

The actions menu appears.

3. In the table, right-click the row for the report definition you want to view.

The actions menu appears.

4. Click View.

Tenable Security Center displays a read-only version of the report definition.

Note: If you want to edit or delete the report definition from this page, see Edit a Report Definition
or Delete a Report Definition.

Copy a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can share a copy of a report definition with other users in your organization in Tenable Security
Center. This feature is useful for maintaining consistency throughout your organization.

After you share the copy, the other users own their local copy and can edit or delete as with any
report they create themselves. Later changes you make to the original do not synchronize
automatically to the copy.

To copy a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the table, right-click the row for the report definition you want to copy.

The actions menu appears.

3. Click Copy.

The Copy Report page appears.

4. In the Group box, select the group you want to grant access to a copy of the report.

5. Specify the user(s) that you want to grant access to a copy of the report.

6. Click Copy.

Tenable Security Center copies the report definition to the other accounts you specified. The
copy appears, named Copy of DefinitionName.

Export a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can export a report definition as an .xml file. This feature is useful
for organizations running multiple Tenable Security Center deployments to provide consistent
reports without duplicating the work needed to create definition templates.

To export a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the table, right-click the row for the report definition you want to export.

The actions menu appears.

3. Click Export.

4. Click the export option you want to use:

Option Description

Keep All References
Export the report definition with object references intact.

Users who meet the following requirements can use an imported report definition with intact
object references:

l The user must be in the same organization as the user who exported the report definition.

l The user must have access to all relevant objects in the report definition.

Remove All References
Export the report definition with object references removed, altering the definitions of the
components.

Any user can use an imported report definition with object references removed.

Replace With Placeholders
Export the report definition with object references replaced with their respective names.

Users must replace the placeholder names with applicable objects available to their
organization in order to use an imported report definition with placeholder names.

Tenable Security Center downloads the report definition to your computer.

Import a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

In Tenable Security Center, you can only import XML files in the same format used to export report
definitions. This feature is useful for organizations running multiple Tenable Security Center
deployments to provide consistent reports without duplicating the work needed to create definition
templates.

To import a report definition:

1. Copy the report definition file to your local computer.

2. In the left navigation, click Reporting > Reports.

The Reports page appears.

3. At the top of the table, click Import Report.

4. In the Name box, type a name for the report.

5. Click Choose File next to the Report Definition box.

6. Browse to the local copy of the report definition XML file.

7. Click Import.

Tenable Security Center imports the report definition.

8. (Optional) Edit the report definition as desired.

Delete a Report Definition

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To delete a report definition:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. To delete a single report definition:

a. In the table, right-click the row for the report definition you want to delete.

The actions menu appears.

To delete multiple report definitions:

a. In the table, select the check box for each report definition you want to delete.

The available actions appear at the top of the table.

3. Click Delete.

4. Click Delete to confirm the deletion.

Tenable Security Center deletes the report definition.

Note: Tenable Security Center retains any report results associated with the deleted definition. You
must manually delete results associated with the report.

Launch a Report on Demand

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To launch a report on demand:

1. In the left navigation, click Reporting > Reports.

The Reports page appears.

2. In the table, right-click the row for the report you want to launch.

-or-

Select the check box for the report you want to launch.

The actions menu appears.

3. Click Launch.

4. (Optional) Monitor the status of the report in the Report Results page.

To view this page, do one of the following:

l In the launch notification message, click View Report Results.

l In the left navigation, click Reporting > Report Results.

Note: In the Report Results page, you can also stop the currently running report.

Add a Report to a Scan

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

After you create one or more on demand reports, you can add them to active scan, agent scan, or
agent synchronization job configurations.

To add a preconfigured report to an active scan, agent scan, or agent synchronization job:

1. Do one of the following:

l Begin configuring an active scan, as described in Add an Active Scan.

l Begin configuring an agent scan, as described in Add an Agent Scan.

l Begin configuring an agent synchronization job, as described in Add an Agent
Synchronization Job.

2. In the Post Scan section, click Add Report.

The page displays available on demand reports.

3. Select the report you want to add.

4. (Optional) If you want the report to include cumulative data in Tenable Security Center, enable
the Create report using cumulative data option.

If you disable this option, the report includes data only from the configured scan.

5. Click the checkmark icon to save the report.

6. (Optional) If you want to add multiple reports, repeat steps 2-5 for each additional report.

7. Click Submit.

Tenable Security Center saves your configuration.

Manage Report Results

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

On the Report Results page of Tenable Security Center, you can manage both currently running
reports and completed report results. Completed report results include successful and failed report
runs, so you can access and distribute a successful report result or troubleshoot a report failure.
For more information, see Reports.

To manage report results:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Do any of the following:

l Filter existing report results in the report results table.

l Stop a currently running report.

l Download a successful report result to your computer.

l View a successful report result.

l Publish a successful result.

l Email a copy of a successful result to specified users.

l Share a copy of a successful result with other Tenable Security Center user accounts.

l View error conditions for a failed report.

l Delete a report result.

Stop a Running Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you want to stop a report that is currently running:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report you want to stop, and click Stop.

Tenable Security Center stops the report run.

Note: You cannot restart a stopped report run. You can only launch the report again.

Download a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To download a successful report result to your computer:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Do one of the following:

l In the Results table, click the name of the report.

l Right-click the row for the report result.

The actions menu appears.

a. Click Export.

l Select the check box for the report result.

At the top of the table, click Download.

View a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To view a successful report result:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report result you want to view.

The actions menu appears.

3. Click View.

The report appears.

4. (Optional) To download the report result to your computer, click Download.

The report result downloads.

5. (Optional) To delete the report result, click Delete.

Tenable Security Center deletes the report result.

Publish a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To publish a successful report result:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report result you want to publish.

The actions menu appears.

3. Click Publish.

The Publish Report Results window appears.

4. Search for and select a publishing site.

5. Click Publish.

Tenable Security Center publishes the report result.

Email a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To email a copy of a successful report result to specific users:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report result you want to email.

The actions menu appears.

3. Click Email.

4. Do one of the following:

l Use the Group and User boxes to select the Tenable Security Center user or users you
want to receive the report result.

l Type the email address of recipients who are not Tenable Security Center users.

5. Click Submit.

Tenable Security Center sends the report result.

Copy a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To share a copy of a successful report result with other Tenable Security Center user
accounts:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report result you want to copy.

The actions menu appears.

3. Click Copy.

4. In the Group box, select the group you want to grant access to a copy of the report result.

5. Specify a user or users that you want to grant access to a copy of the report result.

6. Click Copy.

Tenable Security Center copies the report result to the other accounts you specified. The
copy appears, named Copy of ResultName.

View Errors for a Failed Report

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To view error conditions for a failed report:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Click the name of the failed result in the results table.

The View Report Results page appears.

3. Review the Error Details section.

Delete a Report Result

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To delete a report result:

1. Click Reporting > Report Results.

The Report Results page appears.

2. Right-click the row for the report result you want to delete.

The actions menu appears.

3. Click Delete.

A confirmation window appears.

4. Click Delete to confirm the deletion.

Tenable Security Center deletes the report result.

CyberScope and DISA Report Attributes


Report attributes are used for adding required information to CyberScope or DISA report types.
After you create an attribute, you can select it during CyberScope, DISA ARF, or DISA Consolidated
ARF report creation. For more information, see Create a Custom Report.

To filter the Report Attributes page, see Apply a Filter.

Configure the following options, including options specific for your attribute type: CyberScope
Options or DISA Options.

General Option Description

Name A name for the attribute.

Description (Optional) A description for the attribute.

Type The type of attribute you want to create. Your Type selection determines the
other options you must configure: CyberScope Options or DISA Options.

CyberScope Options
The following table describes the additional options to configure when configuring a CyberScope
attribute.

Option Description

Reporting Component
The CyberScope value for a reporting component (e.g., Department of Justice).

Component Bureau
The CyberScope value for a FISMA reporting entity within the Reporting Component (e.g.,
Justice Management Division).

Enclaves
The CyberScope value for an enclave associated with the Reporting Component or Component
Bureau.

DISA Options
The following table describes the additional options to configure when configuring a DISA attribute.

Option Description

Owning Unit

Name
(Required) The Cyber Operational Attributes Management System (COAMS) fully qualified
hierarchy name of the owning organization.

Owning Service

Name
The COAMS fully qualified hierarchy name of the owning combatant command, service, or
agency.

Current AOR
The COAMS fully qualified hierarchy name of the appropriate combatant command area of
responsibility (COCOM AOR).

Region
A region for the owning service.

Administration Unit

Name
The COAMS fully qualified hierarchy name of the administering organization.

Administration POC

Any required information you need to provide about the administration unit's point of contact
(POC).

Tip: Tenable recommends leaving the Generational Qualifier option blank.

CND Service Provider

Name
The COAMS fully qualified hierarchy name of the Computer Network Defense Service Provider
(CNDSP).

Por Managed
(Required) Specifies if the reported assets are centrally managed by a program management
office (PMO): true or false.

System Affiliation
The COAMS operationalacredit value that specifies the fully qualified hierarchy name of the
system affiliation.

Location

Tip: Tenable recommends leaving all options blank except the Street Address. The Street Address
specifies the COAMS geolocation area.

Report Images
In Tenable Security Center, the Report Images interface allows a user with permissions to view
details, add, edit, or delete PDF report images. From this interface, you can manage two types of
images: logos and watermarks. Logos appear at the bottom of each page, while watermarks appear
prominently across the center of the report page.

Note: Image files must be of type .png or .jpg. Images used must be consistent when selecting the bit
depth (8-bit, 16-bit, 24-bit, etc.). Otherwise, errors might be encountered when generating reports.

To filter the Report Images page, see Apply a Filter.

Report Image Options


Option Description

Add Add a new logo or watermark image. Note that only PNG and JPEG formats are
supported. The default image sizes are as follows, all at 300 DPI:

l default-cover-logo = 987x130

l default-footer-logo = 380x100

l default-page-logo = 579x84

l default-watermark = 887x610

While there are no set limitations on image size or resolution, using images that
are different from these specifications can have a negative impact on report
appearance.

Note: The image size must be set to 300 DPI to prevent image breaks.

Edit Edit any of the selected image’s options, including name, description, type and
file.

Detail View image details, including name, description, date uploaded, last modified,
and type.

Delete Delete the highlighted image.
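The note above requires report images to be PNG or JPEG, to share a consistent bit depth, and to be at 300 DPI, and the table lists the default pixel sizes. The following is an added pre-upload check (not Tenable code) that reads the PNG header chunks directly, so an image can be validated against those requirements before it is uploaded; it handles PNG only, and the sample images it builds are constructed test data, not real logos.

```python
import struct
import zlib

# Default image sizes from the Report Image Options table, all expected at 300 DPI.
DEFAULT_SIZES = {
    "default-cover-logo": (987, 130),
    "default-footer-logo": (380, 100),
    "default-page-logo": (579, 84),
    "default-watermark": (887, 610),
}
TARGET_DPI = 300
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
INCH_IN_METERS = 0.0254


def _chunks(data):
    """Yield (type, payload) for each chunk in a PNG byte string, verifying each CRC."""
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length


def png_info(data):
    """Return (width, height, bit_depth, dpi) from the IHDR and pHYs chunks.

    dpi is None when the file carries no pHYs chunk, i.e. no resolution is recorded.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    width = height = bit_depth = dpi = None
    for ctype, payload in _chunks(data):
        if ctype == b"IHDR":
            width, height, bit_depth = struct.unpack(">IIB", payload[:9])
        elif ctype == b"pHYs":
            ppu_x, _ppu_y, unit = struct.unpack(">IIB", payload)
            if unit == 1:  # unit 1 means pixels per meter; convert to dots per inch
                dpi = round(ppu_x * INCH_IN_METERS)
        elif ctype == b"IEND":
            break
    if width is None:
        raise ValueError("missing IHDR chunk")
    return width, height, bit_depth, dpi


def check_report_image(data, role):
    """Return a list of problems for a candidate image of the given role (empty list means OK)."""
    problems = []
    width, height, _bit_depth, dpi = png_info(data)
    expected = DEFAULT_SIZES[role]
    if (width, height) != expected:
        problems.append(f"size {width}x{height} differs from default {expected[0]}x{expected[1]}")
    if dpi is None:
        problems.append("no pHYs chunk: DPI is not recorded")
    elif dpi != TARGET_DPI:
        problems.append(f"resolution is {dpi} DPI, expected {TARGET_DPI}")
    return problems


def bit_depths(images):
    """Return the set of distinct bit depths in a batch; more than one entry means they are mixed."""
    return {png_info(d)[2] for d in images}


def make_png(width, height, bit_depth=8, dpi=None):
    """Construct a minimal grayscale PNG (constructed test data only)."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    # IHDR: width, height, bit depth, color type 0 (grayscale), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, 0, 0, 0, 0)
    out = PNG_SIGNATURE + chunk(b"IHDR", ihdr)
    if dpi is not None:
        ppm = round(dpi / INCH_IN_METERS)
        out += chunk(b"pHYs", struct.pack(">IIB", ppm, ppm, 1))
    row_bytes = (width * bit_depth + 7) // 8
    raw = (b"\x00" + b"\x00" * row_bytes) * height  # filter byte 0 then all-zero pixels per row
    return out + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    logo = make_png(987, 130, 8, 300)
    print("cover logo:", check_report_image(logo, "default-cover-logo") or "OK")
    print("footer logo:", check_report_image(make_png(800, 100, 16, 72), "default-footer-logo"))
```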

Assurance Report Cards


Assurance Report Cards (ARCs) provide an overview of the security posture of your network. These
configurable reports provide quick visible feedback using a pass or fail methodology for each policy
statement in the ARC.

Organizational users with appropriate permissions can add a template-based ARC using Tenable-
provided templates or add a custom ARC. For more information about Tenable-provided
ARC templates, see the Assurance Report Cards blog. For more information about user
permissions, see User Roles.

l Add a Template-Based Assurance Report Card

l Add a Custom Assurance Report Card

l Assurance Report Card Options

l Edit an Assurance Report Card

l View Your Assurance Report Cards

l View Details for an Assurance Report Card

l Share or Revoke Access to an Assurance Report Card

l Export an Assurance Report Card

l Copy an Assurance Report Card

l Delete an Assurance Report Card

Add a Template-Based Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can use a Tenable-provided template to add an Assurance Report Card (ARC). For more
information about Tenable-provided ARC templates, see the Assurance Report Cards blog. To
create a custom ARC, see Add a Custom Assurance Report Card.

For more information, see Assurance Report Cards.

To add a template-based Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. At the top of the table, click Add.

The Assurance Report Card Templates page appears.

4. Click a template category tile.

The list of templates for the selected category appears.

5. Click a template.

The Add Assurance Report Card Template page updates to reflect the template you selected.

6. Modify the ARC template. For more information, see Assurance Report Card Options.

l To edit the ARC name, click the ARC template title.

l To edit the ARC description, click the Description box.

l To edit the required assets, click an item in the Required Assets section.

l To restrict the target data displayed in the ARC, click the Targets drop-down box.

l To set how often the ARC polls data sources to obtain updates, click Schedule.

7. Click Add.

Tenable Security Center saves your configuration.

Add a Custom Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can create a fully customized Assurance Report Card (ARC). To add an ARC from a Tenable-
provided template, see Add a Template-Based Assurance Report Card.

For more information, see Assurance Report Cards.

To add a custom Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down box, click Advanced Add.

The Advanced Add Assurance Report Cards page appears.

4. Configure the ARC options. For more information, see Assurance Report Card Options.

5. Click Submit.

Tenable Security Center saves your configuration.

View Your Assurance Report Cards

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view a summary that displays each Assurance Report Card (ARC), the overall status of the
ARC, and the status of each policy statement in each ARC. To view details for an ARC, see View
Details for an Assurance Report Card.

For more information, see Assurance Report Cards.

Tip: To change the position of an ARC in the list, click the icon next to the ARC and drag it to a new
position.

Before you begin:


l Add an ARC, as described in Add a Template-Based Assurance Report Card or Add a Custom
Assurance Report Card.

To view a summary of your Assurance Report Cards:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. Click the row for the ARC.

The ARC expands to display each policy statement in the ARC.

4. View the status of each ARC and its policy statements.

l A green icon next to an ARC indicates all policy statements in the ARC passed.

l A red icon next to an ARC indicates one or more policy statements in the ARC failed.

l A green check mark next to a policy statement indicates the policy statement passed.

l A red x next to a policy statement indicates the policy statement failed.

What to do next:
l (Optional) Click a policy statement to view vulnerability analysis for the policy statement data.
For more information, see Vulnerability Analysis.

View Details for an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Assurance Report Cards.

Before you begin:


l Add an Assurance Report Card (ARC), as described in Add a Template-Based Assurance
Report Card or Add a Custom Assurance Report Card.

To view details for an Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. Right-click the row for the ARC.

The actions menu appears.

5. Click View.

The View Assurance Report Card page appears. For more information, see Assurance Report
Card Options.

Section Action

Options drop-down box l To edit the ARC, click Edit.

l To delete the ARC, click Delete.

General View general information about the ARC.

l Name — The ARC name.

l Description — The ARC description.

l Schedule — The ARC schedule.

l Created — The date the ARC was created.

l Last Modified — The date the ARC was last modified.

l Owner — The user who created or owns the ARC.

l Group — The group associated with the Owner.

l ID — The unique identifier for the ARC.

Policy Statements View the policy statements in the ARC.

Focus View the targets configured for the ARC.

Edit an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Assurance Report Cards.

Before you begin:


l Add an Assurance Report Card (ARC), as described in Add a Template-Based Assurance
Report Card or Add a Custom Assurance Report Card.

To edit an Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. Right-click the row for the ARC.

The actions menu appears.

5. Click More > Edit.

The Edit Report Card page appears.

6. Modify the ARC options. For more information, see Assurance Report Card Options.

7. Click Submit.

Tenable Security Center saves your configuration.

Share or Revoke Access to an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can share access to an Assurance Report Card (ARC) to give users in a group the ability to view
the ARC. The user's role and custom permissions determine if they can drill down into other pages
with more information. For more information, see Assurance Report Cards.

Before you begin:


l Add an ARC, as described in Add a Template-Based Assurance Report Card or Add a Custom
Assurance Report Card.

To share or revoke access to an Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. Right-click the row for the ARC.

The actions menu appears.

5. Click Share.

The Share Assurance Report Card page appears.

6. In the box, search for and select the groups for which you want to share or revoke access.

7. Click Submit.

Tenable Security Center saves your configuration.

Export an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can export an Assurance Report Card (ARC) to share with other users in your organization. For
more information, see Assurance Report Cards.

Before you begin:


l Add an ARC, as described in Add a Template-Based Assurance Report Card or Add a Custom
Assurance Report Card.

To export an Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. To export a single ARC:

a. In the table, right-click the row for the ARC you want to export.

The actions menu appears.

To export multiple ARCs:

a. In the table, select the check box for each ARC you want to export.

The available actions appear at the top of the table.

5. Click Export.

The export options appear.

6. Click the export option you want to use:

Option Description

Keep All References
Export the ARC with object references intact.

Users who meet the following requirements can use an imported ARC with intact object
references:

l The user must be in the same organization as the user who exported the ARC.

l The user must have access to all relevant objects in the ARC.

Remove All References
Export the ARC with object references removed, altering the definitions of the components.

Any user can use an imported ARC with object references removed.

Replace With Placeholders
Export the ARC with object references replaced with their respective names.

Users must replace the placeholder names with applicable objects available to their
organization in order to use an imported ARC with placeholder names.

Template
Export the ARC as a template.

Tenable Security Center exports the ARC as an .xml file.

Copy an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Assurance Report Cards.

Before you begin:


l Add an Assurance Report Card (ARC), as described in Add a Template-Based Assurance
Report Card or Add a Custom Assurance Report Card.

To copy an Assurance Report Card:

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. Right-click the row for the ARC.

The actions menu appears.

5. Click Copy.

Tenable Security Center copies the ARC. The copy appears, named Copy of ARC Name.

Delete an Assurance Report Card

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Assurance Report Cards.

To delete an Assurance Report Card (ARC):

1. Log in to Tenable Security Center via the user interface.

2. Click Dashboard > Assurance Report Cards.

The Assurance Report Cards page appears.

3. In the Options drop-down menu, click Manage ARCs.

The Manage Assurance Report Cards page appears.

4. To delete a single ARC:

a. In the table, right-click the row for the ARC you want to delete.

The actions menu appears.

To delete multiple ARCs:

a. In the table, select the check box for each ARC you want to delete.

The available actions appear at the top of the table.

5. Click Delete.

A confirmation window appears.

6. Click Delete.

Tenable Security Center deletes the ARC.

Assurance Report Card Options


You can configure the following options for Assurance Report Cards (ARCs). For more information,
see Assurance Report Cards.

l Assurance Report Card Options

l Policy Statement Options

Assurance Report Card Options


Option Description

General


Name The name of the ARC.

Description (Optional) A description for the ARC.

Schedule Specifies how often the ARC polls data sources to obtain updates.

l Daily (default) — The ARC polls data sources every 1-20 days at the
specified time.

l Weekly — The ARC polls data sources every 1-20 weeks at the
specified time and day of the week.

l Monthly — The ARC polls data sources every 1-20 months at the
specified time and day of the month.

For example, Every 2 months on the fourth Thursday at 15:00 -4:00 indicates
the ARC will poll data sources to obtain updates every two months, on the
fourth Thursday of the month, at 15:00 in the America/New York timezone.

Policy Statements

Add Policy Click to add a custom policy statement to the ARC. For more information,
Statement see Policy Statement Options.

Focus

Targets Specifies the target hosts for the ARC to analyze:

l All Systems — Targets all available hosts.

l Assets — Targets the specified assets. For more information, see Assets.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

l IPs — Targets the specified IP addresses. You can specify single addresses, IP addresses in CIDR notation, and IP ranges.

l Repositories — Targets the specified repositories. For more information, see Repositories.

If you want to match the specified assets or IP addresses against one or more repositories, select the repositories you want to match against.

Note: If an IP address you specified appears in two or more repositories you selected, the duplicated IP address negatively skews the ARC results.

Policy Statement Options


Option Description

Basic

Statement Specifies pass/fail criteria for the policy statement.

Display Specifies how the ARC displays the policy statement: Ratio (x/y),
Percentage (%), or Compliant/Non-Compliant.

Advanced

Data Type The type of data you want the ARC to analyze: Vulnerabilities or Events.

Base Filters The filters used as the basis for data analysis.

l If the Data Type is Vulnerabilities, you can select from the list of
vulnerability analysis filter components.

l If the Data Type is Events, you can select from a list of event analysis
filter components.

Compliant The filters used to determine the compliance conditions for the data analysis.
Filters For more information, see Vulnerability Analysis and Event Analysis.

l If the Data Type is Vulnerabilities, you can select from the list of
vulnerability analysis filter components.

l If the Data Type is Events, you can select from a list of event analysis
filter components.

Note: Filters set in Base Filters do not appear in Compliant Filters, with the exception of Assets and Plugin IDs, but every filter set in Base Filters is still carried over into and applied by Compliant Filters.

Compliant Specifies the conditions to match for determining compliance. For more
Condition information, see Vulnerability Analysis and Event Analysis.

Specify a quantity: All, No, Any, > (greater than), < (less than), >= (greater than or equal to), or <= (less than or equal to).

Specify the unit the quantity applies to: Hosts, Vulnerabilities, or Ports.

Drilldown The filters to apply when clicking on the ARC policy statement for more
Filters details. For more information, see Vulnerability Analysis and Event Analysis.

l If the Data Type is Vulnerabilities, you can select from the list of
vulnerability analysis filter components.

l If the Data Type is Events, you can select from a list of event analysis
filter components.
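
The following Python script is an added example and is not part of this guide or of Tenable Security Center. It shows how the Focus targets (single IPs, CIDR blocks and dash ranges), Base Filters, Compliant Filters, Compliant Condition and Display options combine when one policy statement is evaluated, using constructed findings with placeholder plugin IDs. How hosts are keyed across repositories and how the Vulnerabilities unit is counted are assumptions of this example, not documented behaviour; evaluating the same statement with one and then two selected repositories shows the skew the Targets note warns about when the same IP is present in both.

```python
# Added example (not Tenable code): evaluating one ARC policy statement the way the
# Focus / Base Filters / Compliant Filters / Compliant Condition options describe it.
# All data is constructed; plugin IDs are placeholders, not real Tenable plugin IDs.
import ipaddress
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    repository: str
    ip: str
    port: int
    plugin_id: int
    severity: str      # Info, Low, Medium, High, Critical
    exploitable: bool


# Constructed sample data. 10.0.0.9 appears in both repositories on purpose: the Targets
# note warns that a host duplicated across selected repositories skews the result.
FINDINGS = [
    Finding("prod", "10.0.0.5", 443, 100001, "Medium", False),
    Finding("prod", "10.0.0.5", 22, 100002, "Info", False),
    Finding("prod", "10.0.0.7", 445, 100003, "Medium", False),
    Finding("prod", "10.0.0.9", 3389, 100004, "Critical", True),
    Finding("prod", "10.0.1.12", 80, 100005, "Low", False),
    Finding("lab", "10.0.0.9", 3389, 100004, "Critical", True),
    Finding("lab", "192.168.50.3", 8080, 100006, "High", True),
]

OPERATORS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

# How each Compliant Condition unit is counted (assumption: hosts are keyed per repository,
# which is exactly why a host present in two selected repositories counts twice).
UNIT_KEYS = {
    "Hosts": lambda f: (f.repository, f.ip),
    "Vulnerabilities": lambda f: (f.repository, f.ip, f.port, f.plugin_id),
    "Ports": lambda f: f.port,
}


def parse_targets(spec: str) -> list:
    """Parse the IPs target field: single addresses, CIDR blocks and dash ranges, comma separated."""
    ranges = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            ranges.append((int(lo), int(hi)))
        else:
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges


def in_targets(ip: str, ranges: list) -> bool:
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def evaluate_statement(findings, targets, repositories, base_filter, compliant_filter,
                       condition, unit, display):
    """condition is 'All', 'No', 'Any', or (operator, quantity); a quantity ending in '%'
    is compared against the share of the base population, otherwise against the raw count."""
    ranges = parse_targets(targets)
    key = UNIT_KEYS[unit]
    scope = [f for f in findings if f.repository in repositories and in_targets(f.ip, ranges)]
    population = {key(f) for f in scope if base_filter(f)}
    matched = {key(f) for f in scope if base_filter(f) and compliant_filter(f)}
    m, p = len(matched), len(population)
    share = 100.0 * m / p if p else 0.0
    if condition == "All":
        passed = p > 0 and m == p
    elif condition == "No":
        passed = m == 0
    elif condition == "Any":
        passed = m > 0
    else:
        op, quantity = condition
        if isinstance(quantity, str) and quantity.endswith("%"):
            passed = OPERATORS[op](share, float(quantity[:-1]))
        else:
            passed = OPERATORS[op](m, int(quantity))
    if display == "Ratio":
        text = f"{m}/{p}"
    elif display == "Percentage":
        text = f"{share:.0f}%"
    else:
        text = "Compliant" if passed else "Non-Compliant"
    return {"passed": passed, "matched": m, "population": p, "display": text}


def exploitable_critical(f: Finding) -> bool:
    """Compliant filter for the statement 'fewer than 20% of hosts carry exploitable criticals'."""
    return f.exploitable and f.severity == "Critical"


if __name__ == "__main__":
    for repos in ({"prod"}, {"prod", "lab"}):
        print(sorted(repos), evaluate_statement(FINDINGS, "10.0.0.0/24, 10.0.1.1-10.0.1.50", repos,
                                                lambda f: True, exploitable_critical,
                                                ("<", "20%"), "Hosts", "Percentage"))
```

Run it and the statement reports 25% of hosts (1 of 4) with only prod selected, but 40% (2 of 5) once lab is added, because 10.0.0.9 is counted once per repository; a statement with a percentage threshold can therefore flip between pass and fail purely on which repositories are selected.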

Filters
You can apply filters on many pages of the Tenable Security Center web interface to filter the data
displayed on the page.

You can build filters using one or more filter components with defined filter component criteria.
Filter components are types of data (e.g., CVE ID or Severity). After you select a filter component,
you specify the filter component criteria (e.g., a specific CVE ID or a specific severity level).

If you want to save a filter for repeated use, create a query, as described in Queries.

For more information, see:

l Apply a Filter

l Filter Components

l Vulnerability Analysis Filter Components

l Event Analysis Filter Components

l Mobile Analysis Filter Components

l Host Asset Filter Components

l Plugin Filter Components

Apply a Filter

Required User Role: Any

You can use filters to narrow the data displayed on specific pages.

Each filterable page in Tenable Security Center has a different set of filter components. On the
Vulnerabilities, Events, and Mobile pages, you can add and remove filter components.

For more information, see Filters and Filter Components.

To filter data:

1. Log in to Tenable Security Center via the user interface.

2. Navigate to any page that supports filtering.

3. On the left side of the page, click the filter icon.

The filter panel appears.

4. (Optional) To customize the filter components on an analysis page, do the following:

a. Click Customize.

The filter components selection window appears.

b. Select one or more filter component check boxes. For more information about the
components supported for your analysis view, see

c. Click Apply.

The filter panel updates to show the filter components you selected.

5. To modify the criteria for a filter component, click the box for the filter component.

The filter component criteria selection window appears.

6. Modify the filter component criteria.

7. Click OK.

The filter panel updates to show the filter component criteria you modified.

8. Click Apply.

The page updates to reflect the filter you applied.

What to do next:
l (Optional) Save a filter on the Vulnerabilities page, Events page, and Mobile page as a
reusable query, as described in Add or Save a Query.

Filter Components
For general information about using filters, see Filters.

Filter Component Description

Access The level of object access to include in the filter:

l Manageable — Shows the objects your user account can modify.

For example, set the filter to show only the credentials you can edit.

l Usable — Shows the objects your user account can view or use.

For example, set the filter to show only the credentials you can use in
a scan.

Actions The alert actions to include in the filter: Email, Notify, Report, Scan,


SysLog, or Ticket. For more information, see Alerts and Alert Actions.

Agent Scanner The agent scanners to include in the filter. For more information, see
Agent Scanning.

Assignee The ticket assignees to include in the filter. For more information, see
Tickets.

Authorized The Log Correlation Engine Client authorization status to include in the
filter: yes or no.

Client IP The Log Correlation Engine Client IP addresses to include in the filter. For
more information, see Tenable Log Correlation Engine Clients.

Completion Time The date range for scan results to include in the filter:
l Explicit — Choose start and end dates and times to filter for a
specific date range.

l Last x Minutes — Filter for the last 15, 20, or 30 minutes.

l Last x Hours — Filter for the last 1, 2, 4, 6, 12, 24, 48, or 72 hours.

l Last x Days — Filter for the last 5, 7, 15, 25, 30, 60, 90, 120, or 180
days.

l Last 12 Months — Filter for the last year.

l All — Show all results.

Creator The ticket creators to include in the filter. For more information, see
Tickets.

Data Type The repository data type to include in the filter: Agent, IPv4, IPv6, or
Mobile. For more information, see Repositories.

Date The date range to include in the system log filter (for example, Oct 2021).
For more information, see System Logs.

Filter By The type of plugin data to include in the plugin filter. For more information,


see Vulnerability Analysis Filter Components.

Finish Time The date range for report results to include in the filter:

l Explicit — Choose start and end dates and times to filter for a
specific date range.

l Last x Minutes — Filter for the last 15, 20, or 30 minutes.

l Last x Hours — Filter for the last 1, 2, 4, 6, 12, 24, 48, or 72 hours.

l Last x Days — Filter for the last 5, 7, 15, 25, 30, 60, 90, 120, or 180
days.

l Last 12 Months — Filter for the last year.

l All — Show all results.

Group The groups to include in the filter. For more information, see Groups.

Host The name of the host to include in the filter. For more information, see
Host.

Initiator The username for a user who initiated a job to include in the filter. For
more information, see Job Queue Events.

Keywords The keywords to include in the system logs filter (for example, login). For
more information, see System Logs.

Log Correlation Engine Server The Log Correlation Engine servers to include in the filter. For more information, see Tenable Log Correlation Engines.

Module The type of logs to include in the system logs filter. For more information,
see System Logs.

Name The name of the object or user to include in the filter. For example, the
name of a Tenable Nessus scanner or the name of a repository.

Organization The organization to include in the filter. For more information, see
Organizations.


OS The operating systems to include in the filter. For more information, see
Tenable Log Correlation Engine Clients and Tenable Log Correlation Engine
Client Policies.

Owner The object owners to include in the filter. The object owner is the user who
created an object or inherited objects from a deleted user.

Plugin The plugin IDs to include in the filter.

Plugin Family The plugin family to include in the plugin filter.

Repositories The repositories to include in the filter. For more information, see
Repositories.

Repository The repository to include in the filter. For more information, see
Repositories.

Role The user roles to include in the filter. For more information, see User
Roles.

Scan Policy The scan policies to include in the filter. For more information, see Scan
Policies.

Schedule The schedules to include in the filter. For more information, see Active
Scan Settings, Agent Scan Settings, Agent Synchronization Job Settings,
and Report Options.

Severity The severity to include in the filter. For more information, see CVSS vs.
VPR.

State The Log Correlation Engine Client state to include in the filter: Alive or
Dead. For more information, see Tenable Log Correlation Engine Clients.

Status The statuses to include in the filter.

Tags The tags to include in the filter. For more information, see Tags.

Timeframe The date range to include in the notification filter: Last 24 Hours, Last 7 Days, or Last 30 Days.

Type The object type (for example, Active or Agent scan results).

Username The username to include in the filter. For more information, see User
Account Options.

Version The Log Correlation Engine version to include in the filter. For more
information, see Tenable Log Correlation Engines.

Queries
The Queries page displays a list of queries available for use. The information on this page includes
Name, Type, Group, Owner, and the Last Modified time. You can use a filter to narrow the list by
any of the columns (except Last Modified). For more information, see Filters.

For more information about queries, see:

l Add or Save a Query

l Load a Query

l Query Options

l Edit a Query

Add or Save a Query

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can add queries from the Queries page or from the Vulnerabilities page, Web App Scanning
page, Events page, or Mobile page. For more information about query options, see Queries.

Note: If you want to create a mitigated vulnerabilities query, you must add the query from the
Vulnerabilities page.

To add a query from the Queries page:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Queries.

The Queries page appears.

3. At the top of the table, click Add.

4. Type a Name and Description.

5. (Optional) If you want to add a tag, type or select a Tag from the drop-down. For more
information, see Tags.

6. Select a Type.

The Tool drop-down updates with options for that type.

7. Select a Tool.

8. Click Add Filter.

The Filters section expands. For more information, see Filters.

9. Select a filter component from the Select a Filter drop-down.

The filter component criteria box appears.

10. In the filter component criteria box, type or select filter component criteria.

11. Click the button.

Tenable Security Center adds the filter component.

12. (Optional) To add other filter components, repeat step 8.

13. Click Submit.

Tenable Security Center saves your configuration.

To save a query from an analysis page:

1. Log in to Tenable Security Center via the user interface.

2. Do one of the following to navigate to an analysis page:

l Click Analysis > Vulnerabilities

l Click Analysis > Web App Scanning

l Click Analysis > Events

l Click Analysis > Mobile

The analysis page appears.

3. Apply a filter for the query, as described in Apply a Filter.

The page updates to reflect the filter you applied.

4. Click Save > Save Query.

The Save Query panel appears.

5. In the Name box, type a name for the query.

6. In the Description box, type a description for the query.

7. (Optional) If you want to add a tag, type or select a Tag from the drop-down. For more
information, see Tags.

8. Click Submit.

Tenable Security Center saves your configuration.

Load a Query

Required User Role: Any

You can load queries from any page that supports filtering. For more information, see Queries and
Filters.

To load a query:

1. Log in to Tenable Security Center via the user interface.

2. Navigate to any page that supports filtering.

3. On the left side of the page, click the filter icon ( ).

The filter panel appears.

4. Click Load Query.

5. Select the query you want to load.

6. Click Apply.

The page updates, filtered by the query you selected.

Query Options
Queries provide the ability to save custom views of vulnerability, event, ticket, user, and alert data
for repeated access.

Option Description

Name A name for the query.

Description A description for the query.

Tag A tag for the query. For more information, see Tags.

Type The type of data you want the query to use.

For more information about the filter components for Vulnerability, Event,
and Mobile data types, see Vulnerability Analysis Filter Components, Event
Analysis Filter Components, and Mobile Analysis.

For more information about the filter components for Ticket, User, and
Alert data types, see Ticket-Specific Query Options, User-Specific Query
Options, and Alert-Specific Query Options.

Tool Chooses the analysis tool used by the query.

Ticket-Specific Query Options


Ticket queries are a useful way of determining what tickets to alert against. For example, if you
want to be alerted when a specific user receives a ticket, you could create a query with a ticket
filter where the Assignee value is the user's name. You could then create an alert to email you when
the user receives a ticket. The table below contains a list of the ticket query options.

Option Description

Name Ticket name to filter against

Status Ticket status to filter against.

Classification The ticket classification to filter against.

Owner The manager (owner) of the ticket assignee.

Assignee The ticket assignee to filter against.

Created Timeframe Ticket creation date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Assigned Timeframe Ticket assigned date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Modified Timeframe Ticket modified date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Resolved Timeframe Ticket resolution date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Closed Timeframe Ticket closed date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

User-Specific Query Options


User queries are useful for reporting, dashboards and alerts based on user actions. For example,
they can track user logins and locked accounts. They can also track user logins from accounts not
authorized on the monitored systems.

Option Description

First Name User first name to filter against.

Last Name User last name to filter against.

Username Actual username to filter against.

Group Filter against the group the user(s) belong to.

Role Filters against users who have the specified role.

Email Filters against users based on their email address.

Last Login Timeframe Filters against users whose last login falls within the timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Account State Filters against the user account state (locked vs. unlocked).

Alert-Specific Query Options


The alert query is useful for reporting, dashboards and alerting when an alert has triggered. This is
useful for situations where you want a report, dashboard element, or conditional alert after the
specified alert filter conditions have been met. For example, you can schedule a daily report
containing a query of all active alerts and their details.

Option Description

Name Filter against alerts with the specified name.

Description Filter against alerts with the specified description.

State Choose from All, Triggered, or Not Triggered.

Created Timeframe Filters against the alert creation timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Modified Timeframe Filters against the most recent alert modification timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Last Triggered Timeframe Filters against the most recent alert trigger timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Last Evaluated Timeframe Filters against the most recent alert evaluation timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Edit a Query

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Query Options.

To edit a query:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Queries.

The Queries page appears.

3. In the table, right-click the row for the query you want to edit.

The actions menu appears.

-or-

In the table, select the check box for the query you want to edit.

The available actions appear at the top of the table.

4. Click Edit.

The Edit Query page appears.

5. Modify the query options.

6. Click Submit.

Tenable Security Center saves the modified query.

Workflow Actions
Workflow actions allow organizational users to configure and manage alerting, ticketing, and accept
risk or recast risk rules. These functions allow the user to be notified of and properly handle
vulnerabilities and events as they come in.

For more information, see Alerts, Tickets, Accept Risk Rules, and Recast Risk Rules.

Alerts
Tenable Security Center can be configured to perform actions, such as email alerts, for selected
vulnerability or event occurrences and to notify various users, regardless of whether the events
correlate to a local vulnerability. Other alert actions include UI notifications, creating or assigning
tickets, remediation scans, launching a report, and syslog alerting. Multiple actions can be
assigned to each alert.

For more information, see:

l Alert Actions

l Add an Alert

l View Alert Details

l Alert Options

l Edit an Alert

l Evaluate an Alert

l Delete an Alert

Alert Actions
Tenable Security Center automatically performs alert actions when an alert triggers. You can
configure the following types of alert actions:

l Assign Ticket

l Email

l Generate Syslog

l Launch Scan

l Launch Report

l Notify Users

Tip: Use email alerts to interface with third-party ticketing systems by adding variables in the message
option.

For more information, see Alerts.

Assign Ticket
When the alert triggers, Tenable Security Center creates a ticket and assigns the ticket to a user.
For more information, see Tickets.

Option Description Default

Name (Required) The name of the ticket. Ticket opened by alert

Description A description for the ticket. --

Assignee (Required) The user who receives the ticket. --

Email
When the alert triggers, Tenable Security Center sends an email.

Option Description Default

Email

Subject The alert email subject line. Email Alert

Message The body of the email message. You can include the following variables to customize the email (default: the sample message below):

l Alert ID — %alertID%, the unique identification number Tenable Security Center assigned to the alert.

l Alert name — %alertName%, the name given to the alert within Tenable Security Center (for example, "Test email alert").

l Trigger name — %triggerName%, whether the trigger is IP address count, vulnerability count, or port count.

l Trigger operator — %triggerOperator%, the operator used for the count: >=, =, <=, or !=.

l Trigger value — %triggerValue%, the threshold value that triggers the alert.

l Calculated value — %calculatedValue%, the actual value that triggered the alert.

l Alert owner — %owner%, the user who created the alert.

l Tenable Security Center URL — %url%, the URL that you use to access Tenable Security Center. This is useful where the URL that users use to access Tenable Security Center differs from the URL known by Tenable Security Center.

The following sample email alert contains some of these keywords embedded into an HTML email:

Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.

<strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%
<strong>Calculated Value:</strong> %calculatedValue%

Please visit your Tenable Security Center (<a href="%url%">%url%</a>) for more information. This e-mail was automatically generated by Tenable Security Center as a result of alert <strong>%alertName%</strong> owned by <strong>%owner%</strong>.

If you do not wish to receive this email, contact the alert owner.

Include Results When enabled, Tenable Security Center includes the query results that triggered the alert (maximum of 500). Disabled

Recipients

Users The users who receive the alert email. --

Tip: If you delete a user who receives alert emails, the action option for the alert turns red and Tenable Security Center displays a notification to the new alert owner with the new alert status. To resolve this, update the list of users in the alert email.

Email Addresses Specifies additional email addresses to include in the alert email. For multiple recipients, add one email address per line or use a comma-separated list. --

Generate Syslog
When the alert triggers, Tenable Security Center sends a custom message to a syslog server.

Option Description Default

Host (Required) The host that receives the syslog alert. --

Port The UDP port used by the remote syslog server. 514

Severity The severity level of the syslog messages (Critical, Notice, or Critical
Warning).

Message (Required) The message Tenable Security Center sends with the --
syslog alert.
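
An added example, not code from Tenable: the script below substitutes the %variable% tokens of the Email action into the sample message from the Email table and builds the datagram the Generate Syslog action would send to UDP port 514. The alert context values and the sc.example.internal hostname are constructed; the syslog facility and the tenable-sc tag are assumptions, since the action table does not specify them. HTML-escaping the substituted values is this example's choice rather than documented Tenable behaviour: alert and owner names are typed by users and the sample message is HTML, so an unescaped value would be rendered as markup by the mail client.

```python
# Added example (not Tenable code): rendering the Email action's %variable% message and
# building the Generate Syslog action's UDP datagram. Context values are constructed and
# sc.example.internal is an assumed hostname.
import html
import re
import socket
from datetime import datetime, timezone

# Variable names are the ones listed in the Email action table.
ALERT_CONTEXT = {
    "alertID": "42",
    "alertName": "Exploitable criticals on DMZ <b>hosts</b>",   # deliberately contains markup
    "triggerName": "IP Count",
    "triggerOperator": ">=",
    "triggerValue": "1",
    "calculatedValue": "3",
    "owner": "secops-alerts",
    "url": "https://sc.example.internal",
}

# The sample HTML message from the Email action table.
SAMPLE_TEMPLATE = """Alert <strong>%alertName%</strong> (id #%alertID%) has triggered.
<strong>Alert Definition:</strong> %triggerName% %triggerOperator% %triggerValue%
<strong>Calculated Value:</strong> %calculatedValue%
Please visit your Tenable Security Center (<a href="%url%">%url%</a>) for more information.
This e-mail was automatically generated by Tenable Security Center as a result of alert
<strong>%alertName%</strong> owned by <strong>%owner%</strong>.
If you do not wish to receive this email, contact the alert owner."""

_TOKEN = re.compile(r"%([A-Za-z]+)%")


def render_message(template: str, context: dict, escape_html: bool = True) -> str:
    """Substitute %name% tokens in a single pass. Values are HTML-escaped because alert and
    owner names are user-typed and the message is delivered as HTML; an unknown token is left
    in place so a typo such as %alertNam% is visible in the mail instead of silently empty."""
    def sub(match):
        name = match.group(1)
        if name not in context:
            return match.group(0)
        value = str(context[name])
        return html.escape(value, quote=True) if escape_html else value
    return _TOKEN.sub(sub, template)


# RFC 5424 numeric severities for the three levels the Generate Syslog action offers.
SYSLOG_SEVERITY = {"Critical": 2, "Warning": 4, "Notice": 5}
FACILITY_USER = 1   # assumed facility; the action table does not specify one
SAMPLE_TIME = datetime(2024, 6, 24, 15, 0, 0, tzinfo=timezone.utc)   # fixed stamp for the demo


def build_syslog_datagram(message: str, severity: str = "Critical", hostname: str = "sc",
                          facility: int = FACILITY_USER, timestamp: datetime = None) -> bytes:
    """Build a BSD-style (RFC 3164) syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = facility * 8 + SYSLOG_SEVERITY[severity]
    ts = timestamp or datetime.now(timezone.utc)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"      # day is space-padded per RFC 3164
    line = f"<{pri}>{stamp} {hostname} tenable-sc: {message}"
    return line.replace("\n", " ").encode("utf-8")


def send_syslog(datagram: bytes, host: str, port: int = 514) -> int:
    """Send over UDP, matching the action's default port. UDP syslog is neither authenticated
    nor encrypted and is silently lost if the collector is down, so keep the collector on a
    trusted segment or relay through a TLS-capable forwarder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    print(render_message(SAMPLE_TEMPLATE, ALERT_CONTEXT))
    print(build_syslog_datagram("Alert 42 triggered: IP Count >= 1, calculated 3",
                                timestamp=SAMPLE_TIME))
```

The rendered mail shows the alert name as literal text (the <b> tags arrive as &lt;b&gt;), and the syslog line carries PRI 10 (facility 1, severity Critical). Because the datagram is plain UDP, nothing on the receiving side can tell a genuine Tenable Security Center alert from one spoofed on the same network; treat syslog alerts as a signal to investigate, not as an authenticated record.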

Launch Scan
When the alert triggers, Tenable Security Center launches an active scan from an existing active
scan template. The active scan Schedule must be On Demand. For more information, see Active
Scans and Active Scan Settings.

Note: At this time, the Launch Scan alert action does not support web app scans, agent scans, or agent
sync.

Option Description Default

Scan (Required) The scan template Tenable Security Center uses for the --
alert scan.

Note: Tenable Security Center scans the host that triggered the scan,
not the host within the scan template. Tenable Security Center uses
the top 100 IP results from the alert query for the scan targets.

Launch Report
When the alert triggers, Tenable Security Center generates a report from an existing report
template. For more information, see Reports.

Option Description Default

Report Template (Required) The report template Tenable Security Center uses to generate a report based on the triggered alert data. --

Notify Users

When the alert triggers, Tenable Security Center displays a notification to the specified users.

Option Description Default

Message (Required) The notification message Tenable Security Center sends when the alert triggers. --

Users (Required) The users who receive the notification message. --

Add an Alert

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can configure Tenable Security Center to send alerts for vulnerability occurrences.

For more information about the available options for alerts, see Alert Options.

To add an alert:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Alerts.

The Alerts page appears.

3. Click Add.

The Add Alert page appears.

4. In the Name box, type a name.

5. (Optional) In the Description box, type a description.

6. (Optional) Click the Schedule field to select the frequency of alerts, time, timezone, and
whether to repeat sending alerts at the specified time.

7. (Optional) In the Behavior drop-down box, select the condition you want to trigger the alert.
The default is Perform actions only on first trigger.

8. (Optional) In the Type drop-down box, select the data type for the condition.

9. In the Trigger drop-down box, select the trigger for the alerts.

10. (Optional) In the Query drop-down box, select the dataset to compare with the trigger
condition.

11. (Optional) Click Add Filter and provide the details of the selected filter.

12. Click Add Actions to specify an action that occurs when the alert triggers. For more
information, see Alert Actions.

13. Click Submit.


Tenable Security Center creates the alert.

View Alert Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view the summary details of an alert with the name, behavior, condition applied, status,
created date, owner, and ID.

To view the details of an alert:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Alerts.

The Alerts page appears.

3. In the table, right-click the row for the alert you want to view.

The actions menu appears.

-or-

In the table, select the check box for the alert you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Alert page appears. For more information about the following fields, see Alert
Options.

Section Action

Options drop-down box l To edit the alert, click Edit. For more information, see Edit an Alert.

l To delete the alert, click Delete. For more information, see Delete an Alert.

General View general information about the alert.

l Name — Alert name.

l Description — Descriptive text for the alert.

l Schedule — The schedule for how often the alert checks for
matching conditions.

l Behavior — The setting for how the alert behaves once it is triggered.

l Last Evaluated — The date on which the alert was last evaluated.

l Last Triggered — The date on which the alert was last triggered.

l Status — The status of the alert.

l Created — The date on which the alert was created.

l Last Modified — The date on which the alert was last modified.

l Owner — The user who created or owns the alert.

l Group — The group associated with the Owner.

l ID — The unique identifier of the alert.

Condition View the conditions specified for the alert:

l Type — The type of the alert. For example, vulnerability, event, or ticket.

l Trigger — The condition that triggers the alert. For example, IP count, unique vulnerability/event count, or port count.

l Query — The dataset to which the trigger condition is compared.

l Filters — The filters added for vulnerability or event data.

Actions The actions performed once the alert is triggered.

Alert Options
The following options are available when you create or edit an alert in Tenable Security Center.

Option Description

General

Name The name of the alert.

Description A description for the alert.

Schedule Specifies how often the alert checks for the conditions to be matched:
Minutely, Hourly, Daily, Weekly, Monthly, or Never.

Select Never to create an alert that you trigger manually on demand.

Behavior Specifies how many times Tenable Security Center performs the alert
actions:

l Perform actions only on first trigger — Tenable Security Center performs the alert actions only the first time the alert conditions match the trigger configuration.

l Perform action on every trigger — Tenable Security Center performs the alert actions every time the alert conditions match the trigger configuration.

Condition

Type The type of data to use for the condition: Vulnerability, Event, or Ticket.

Trigger l IP Count — Trigger on vulnerabilities or events whose IP address count


matches the given parameters.

- 786 -
Option Description

General

l Unique Vulnerability Count — Trigger an alert when the unique


vulnerability count matches the given parameters. This option appears
when you select Vulnerability for the Type option.

l Event Count — Trigger an alert when the event count matches the
given parameters. This option appears when you select Event for the
Type option.

l Port Count — Trigger an alert when the events or vulnerabilities using a


certain port number match the given parameters.

Query The dataset Tenable Security Center uses to determine if trigger conditions
have been met.

Filters Apply advanced filters to the vulnerability or event data. For more
information, see Filters.

Actions

Add Actions Specifies the actions that occur when the alter triggers: Assign Ticket,
Email, Generate Syslog, Launch Scan, Launch Report, or Notify Users. For
more information, see Alert Actions.

Edit an Alert

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

For more information, see Alert Options.

To edit an alert:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Alerts.

The Alerts page appears.

3. In the table, right-click the row for the alert you want to edit.

The actions menu appears.

-or-

In the table, select the check box for the alert you want to edit.

The available actions appear at the top of the table.

4. Click More > Edit.

The Edit Alert page appears.

5. Modify the alert options.

6. Click Submit.

Tenable Security Center saves the modified alert.

Evaluate an Alert

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can submit an alert for evaluation to test whether the alert has met the configured time criteria
or not.

To evaluate an alert:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Alerts.

The Alerts page appears.

3. In the table, right-click the row for the alert you want to evaluate.

The actions menu appears.

-or-

In the table, select the check box for the alert you want to evaluate.

The available actions appear at the top of the table.

4. Click Evaluate.

The alert is submitted for evaluation.

Tenable Security Center returns the evaluation results for the alert.

Delete an Alert

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

To delete an alert:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Alerts.

The Alerts page appears.

3. In the table, right-click the row for the alert you want to delete.

The actions menu appears.

-or-

In the table, select the check box for the alert you want to delete.

The available actions appear at the top of the table.

4. Click More > Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the alert.

Tickets
In Tenable Security Center, you can create tickets manually or automatically using the Alerts
feature. This section describes how to manage your tickets.

For more information, see:

l Open a Ticket

l View Ticket Details

l Ticket Options

l Edit a Ticket

l Resolve and Close a Ticket

Open a Ticket

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can use tickets within Tenable Security Center to coordinate the assessment and remediation
of vulnerabilities and security events.

You can configure a ticket from an analysis page, or from the Tickets page. For more information
about the options to configure, see Tickets.

To open a ticket from an analysis page:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities or Analysis > Events.

The Vulnerabilities or Events page appears.

3. From the toolbar, click More > Open Ticket.

The Open Ticket pane appears.

4. In the Name box, type a name.

5. (Optional) In the Description box, type a description.

6. (Optional) In the Notes box, type a note to the assignee.

7. In the Assignee drop-down box, select an assignee.

8. In the Classification drop-down box, select a classification.

9. Click Submit.

Tenable Security Center creates the ticket.

To open a ticket from the Tickets page:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Tickets.

The Tickets page appears.

3. Click Add.

4. In the Name box, type a name.

5. (Optional) In the Description box, type a description.

6. (Optional) In the Notes box, type a note to the assignee.

7. In the Assignee drop-down box, select an assignee.

8. In the Classification drop-down box, select a classification.

9. (Optional) Click Add Query View.

10. Click Submit.

Tenable Security Center creates the ticket.

View Ticket Details

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

You can view the summary details of a ticket with the name, status, creator, assignee, history,
queries, description, and ticket notes.

Before you begin:

l Add a ticket, as described in Open a Ticket.

To view a ticket:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Tickets.

The Tickets page appears.

3. In the table, right-click the row for the ticket you want to view.

The actions menu appears.

-or-

In the table, select the check box for the ticket you want to view.

The available actions appear at the top of the table.

4. Click View.

The View Ticket page appears. For more information, see Ticket Options.

Section Action

Options drop-down box
l To edit the ticket, click Edit. For more information, see Edit a Ticket.

General
View general information about the ticket.

l Name — The ticket name.

l Description — The ticket description.

l Notes — The notes added for the ticket.

l Status — The status of the ticket.

l Assignee — The user assigned to the ticket.

l Classification — The classification selected for the ticket.

l Created — The date on which the ticket was created.

l Last Modified — The date on which the ticket was last modified.

l Owner — The user who created or owns the ticket.

l Group — The group associated with the Owner.

l ID — The unique identifier of the ticket.

Query Views
The query added to help provide context for coming up with a resolution.

Ticket Options
The following options are available when you create or edit a ticket in Tenable Security Center.

Option Description

General

Name — Name assigned to the ticket.

Description — Descriptive text for the ticket.

Notes — Notes for the ticket assignee.

Assignee — User that the ticket is assigned to.

Note: If the ticket assignee is deleted, the ticket is automatically reassigned to the assignee’s owner along with a notification message indicating that the ticket has been reassigned.

Status (Available during edit) — The following ticket statuses become available after a ticket has been created and are available from the Edit Ticket page:

l Assigned

l Resolved

l More Information

l Not Applicable

l Duplicate

l Closed

Classification — The ticket classification: Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk, Recast Risk, Re-scan Request, False Positive, System Probe, External Probe, Investigation Needed, Compromised System, Virus Incident, Bad Credentials, Unauthorized Software, Unauthorized System, Unauthorized User, and Other.

Query Views

Add Query View — Click to choose a query for the ticket assignee to help provide context for coming up with a resolution.

Edit a Ticket

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

Before you begin:

l Add a ticket, as described in Open a Ticket.

To edit a ticket:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Tickets.

The Tickets page appears.

3. In the table, right-click the row for the ticket you want to edit.

The actions menu appears.

-or-

In the table, select the check box for the ticket you want to edit.

The available actions appear at the top of the table.

4. Click More > Edit.

The Edit Ticket page appears.

5. Modify the ticket options. For more information, see Ticket Options.

6. Click Submit.

Tenable Security Center saves your configuration.

Resolve and Close a Ticket

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

When a ticket is mitigated, you can change the ticket status to Resolved. Once the ticket is
resolved, you can change the status to Closed. Tickets in the Resolved or Closed state can always
be reopened as needed.

Before you begin:

l Add a ticket, as described in Open a Ticket.

To resolve a ticket:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Tickets.

The Tickets page appears.

3. In the table, right-click the row for the ticket you want to resolve.

The actions menu appears.

-or-

In the table, select the check box for the ticket you want to resolve.

The available actions appear at the top of the table.

4. Click Resolve.

The Resolve Ticket page appears.

5. Change the status to Resolved. Optionally, you can add notes to provide details of the
resolution.

6. Click Submit.

7. To close the ticket, click the resolved ticket name and change the status to Closed.

Tenable Security Center updates the ticket status. Resolved tickets still show up in your ticket
queue with an Active status. Closing a ticket removes the ticket from the Active status filter view
but, unlike editing a ticket, does not give you the option to add notes.

Accept Risk Rules

The Accept Risk Rules page displays a list of accept risk rules configured in Tenable Security
Center. Organizational users must add accept risk rules before the rules appear on this page. For
more information, see Add an Accept Risk Rule.

Adding a rule removes matching vulnerabilities from the unfiltered cumulative database view. These
vulnerabilities are not deleted; they display in the cumulative database vulnerability view only if the
Accepted Risk filter option is checked. For more information, see Filters.

Administrator and organizational users can manage accept risk rules. You can access information
on what particular vulnerabilities or hosts have been declared to be accepted and, if noted in the
comments, the reason.

To view details for a rule, click the row. To delete a rule, see Delete an Accept Risk Rule.

Add an Accept Risk Rule

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you create an accept risk rule, Tenable Security Center automatically accepts the risk associated
with any vulnerabilities that match the rule. Risk-accepted vulnerabilities do not appear in a
vulnerability search if your filter excludes Accepted Risk vulnerabilities.

For more information, see Accept Risk Rules.

To add an accept risk rule:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the analysis tools drop-down box, select Vulnerability Detail List, Vulnerability List, or
Vulnerability Summary.

The page refreshes to show the analysis tool view you selected.

4. To accept risk, do one of the following:

Accept Risk Rule Actions

To accept risk for a single vulnerability:

l Right-click any row for which you want to accept risk and select Accept Risk.

l Select the check box next to the vulnerability for which you want to accept risk and, in the toolbar, click Accept Risk.

To accept risk for multiple vulnerabilities:

l Select more than one row and, in the toolbar, click Accept Risk.

The Accept Risk pane appears.

5. (Optional) In the Comment box, add a comment.

6. (Optional) In the Expires box, select the date you want the accept risk rule to expire.

7. In the Repository section, select one or more repositories where you want to apply the rule.

8. Click Submit.

Tenable Security Center saves your configuration.

Note: There can be a short delay between clicking on Submit and vulnerabilities showing the new
risk acceptance. You may need to reload the filters to view the applied changes.

What to do next:
l (Optional) Enable Recast and Accept Risk Rule Comments to display contents of the
Comment field in reports and vulnerability analysis views. For more information, see Risk Rule
Comments.

Delete an Accept Risk Rule

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can delete an accept risk rule to stop accepting the risk associated with a vulnerability.

To delete an accept risk rule:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Accept Risk Rules (Organizational users) or Repositories > Accept Risk
Rules (Administrator users).

The Accept Risk Rules page appears.

3. To delete a single rule:

a. In the table, right-click the row for the rule you want to delete.

The actions menu appears.

To delete multiple rules:

a. In the table, select the check box for each rule you want to delete.

The available actions appear at the top of the table.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the rule.

6. Click Apply Rules.

Tenable Security Center stops accepting the risk associated with the vulnerability.

Recast Risk Rules

A list of recast rules configured in Tenable Security Center appears on the Recast Risk Rules page.
Organizational users must add recast risk rules before the rules appear on this page. For more
information, see Add a Recast Risk Rule.

Administrator and organizational users can manage recast risk rules. You can access information on
what particular vulnerabilities or hosts have had risk levels recast, their new severity level and, if
noted in the comments, the reason for the severity change. You can search for rules by Plugin ID or
Repository.

You can set an expiration date for a recast risk rule. When a recast risk rule expires, the severity will
reset based on the following criteria:

l If an administrator has configured Tenable Security Center to use CVSSv3 at the organization
level, and there are CVSSv3 metrics available, the severity level of the vulnerability will return
to the level determined by the CVSSv3 data.

l If an administrator has not configured Tenable Security Center to use CVSSv3, or there are no
CVSSv3 metrics available, the vulnerability will retain the recast severity level. If Tenable
Security Center finds the vulnerability again, the vulnerability will receive the severity level
currently determined by the plugin.

To view details for a rule, click the row. To delete a rule, see Delete a Recast Risk Rule.

Add a Recast Risk Rule

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you create a recast risk rule, Tenable Security Center automatically updates the severity for any
vulnerabilities that match the rule to the severity you specified in the rule.

For more information, see Recast Risk Rules.

To add a recast risk rule:

1. Log in to Tenable Security Center via the user interface.

2. Click Analysis > Vulnerabilities.

The Vulnerabilities page appears.

3. In the analysis tools drop-down box, select Vulnerability Detail List, Vulnerability List, or
Vulnerability Summary.

The page refreshes to show the analysis tool view you selected.

4. To recast risk, do one of the following:

Recast Risk Rule Actions

To recast risk for a single vulnerability:

l Right-click any row that you want to recast and select Recast Risk.

l Select the check box next to the vulnerability that you want to recast and, in the toolbar, click Recast Risk.

To recast risk for multiple vulnerabilities:

l Select more than one row and, in the toolbar, click Recast Risk.

The Recast Risk pane appears.

5. In the New Severity drop-down box, select a new severity for the vulnerability.

6. (Optional) In the Comment box, add a comment.

7. (Optional) In the Expires box, select the date you want the recast risk rule to expire.

8. In the Repository section, select one or more repositories where you want to apply the rule.

9. Click Submit.

Tenable Security Center saves your configuration.

Note: There can be a short delay between clicking on Submit and vulnerabilities showing the new
risk. It may be necessary to reload the filters to view the applied changes.

What to do next:
l (Optional) Enable Recast and Accept Risk Rule Comments to display contents of the
Comment field in reports and vulnerability analysis views. For more information, see Risk Rule
Comments.

Edit a Recast Risk Rule

Required User Role: Organizational user with appropriate permissions. For more information, see User
Roles.

If you create a recast risk rule, Tenable Security Center automatically updates the severity for any
vulnerabilities that match the rule to the severity you specified in the rule. You can edit the
expiration date of existing recast risk rules.

For more information, see Recast Risk Rules.

To edit the expiration date of a recast risk rule:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Recast Risk Rules.

The Recast Risk Rules page appears.

3. To edit a single rule:

a. In the table, right-click the row for the rule you want to edit.

The actions menu appears.

To edit multiple rules:

a. In the table, select the check box for each rule you want to edit.

The available actions appear at the top of the table.

4. Click Edit.

The Edit Recast Rules pane appears.

5. In the Expires box, select the date you want the recast risk rule to expire.

6. Click Submit.

Tenable Security Center saves your configuration.

Delete a Recast Risk Rule

Required User Role: Administrator or organizational user with appropriate permissions. For more
information, see User Roles.

You can delete a recast risk rule to remove your custom severity for a vulnerability. Then, if Tenable
Security Center sees the vulnerability again, the vulnerability receives the severity currently
associated with the plugin.

To delete a recast risk rule and remove your custom severity:

1. Log in to Tenable Security Center via the user interface.

2. Click Workflow > Recast Risk Rules (Organizational users) or Repositories > Recast Risk
Rules (Administrator users).

The Recast Risk Rules page appears.

3. To delete a single rule:

a. In the table, right-click the row for the rule you want to delete.

The actions menu appears.

To delete multiple rules:

a. In the table, select the check box for each rule you want to delete.

The available actions appear at the top of the table.

4. Click Delete.

A confirmation window appears.

5. Click Delete.

Tenable Security Center deletes the rule.

6. Click Apply Rules.

If Tenable Security Center sees the vulnerability again, the vulnerability receives the severity
currently associated with the plugin.

Additional Resources
The topics in this section offer guidance in areas related to Tenable Security Center.

l Start, Stop, or Restart Tenable Security Center

l License Declarations

l Encryption Strength

l File and Process Allow List

l Manual Log Correlation Engine Key Exchange

l Manual Tenable Nessus SSL Certificate Exchange

l Offline Plugin and Feed Updates for Tenable Security Center

l Troubleshooting

Start, Stop, or Restart Tenable Security Center

Required User Role: Root user

When Tenable Security Center is installed, the required services are started by default.

To change the status of Tenable Security Center:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. In the CLI in Tenable Security Center, run the following command to check the status of your
Tenable Security Center:

# service SecurityCenter status

The system indicates whether Tenable Security Center is running or stopped.

3. Run one of the following commands to change the status of your Tenable Security Center:

l To start Tenable Security Center, run:

# /bin/systemctl start SecurityCenter

l To stop Tenable Security Center, run:

# /bin/systemctl stop SecurityCenter

l To restart Tenable Security Center, run:

# /bin/systemctl restart SecurityCenter

License Declarations
Tenable Security Center’s Software License Agreement can be found on Tenable Security Center in
the /opt/sc/docs directory.

For a list of third-party software packages that Tenable utilizes with Tenable Security Center, see
Tenable Third-Party License Declarations.

Encryption Strength
Tenable Security Center uses the following default encryption for storage and communications.

Function: Storing TNS user account passwords.
Encryption: SHA-512 and the PBKDF2 function

Function: Storing user and service accounts for scan credentials, as described in Credentials.
Encryption: AES-256-CBC

Function: Storing scan data, as described in Repositories.
Encryption: None

Function: Communications between Tenable Security Center and clients (Tenable Security Center users).
Encryption: SSL/TLS 1.2 with the strongest encryption method supported by Tenable Security Center Apache and your browser, CLI program, or API program: EECDH+AESGCM, EDH+AESGCM, AES256+EECDH, or AES256+EDH.
For more information about strong encryption, see Configure SSL/TLS Strong Encryption.

Function: Communications between Tenable Security Center and the Tenable product registration server.
Encryption: SSL/TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384

Function: Communications between Tenable Security Center and the Tenable plugin update server.
Encryption: SSL/TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384

Function: Communications between Tenable Security Center and:
l Tenable Nessus or Tenable Nessus Manager
l Tenable Vulnerability Management
l Tenable Nessus Network Monitor
l Tenable Log Correlation Engine
Encryption: SSL/TLS 1.2 with the strongest encryption method supported by Tenable Security Center Apache and your browser, CLI program, or API program: ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, or ECDHE-RSA-AES256-GCM-SHA384.

Function: Synchronizations between Tenable Security Center and Tenable Vulnerability Management for Tenable Lumin.
Encryption: SSL/TLS 1.2

Configure SSL/TLS Strong Encryption
You can configure SSL/TLS strong encryption for Tenable Security Center-client communications
to meet the security needs of your organization. For more information about Tenable Security
Center encryption, see Encryption Strength.

To configure SSL/TLS strong encryption for Tenable Security Center communications:

1. Open the /opt/sc/support/conf/sslciphers.conf file in a text editor.

2. Add the following content at the end of the file:

SSLCipherSuite <cipher you want to use for SSL/TLS encryption>

For example:

# SSL Ciphers
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
SSLCipherSuite ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

3. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security
Center.

Tenable Security Center restarts.

4. In /opt/sc/support/logs, open ssl_request_log.

The log file text appears.

5. Verify the configuration in ssl_request_log matches the cipher you specified. If the
configuration and cipher do not match, investigate the following:

l Confirm that you provided the cipher using correct syntax.

l Confirm that your browser supports the cipher you provided.

l Confirm that you do not have other applications installed that redirect or layer additional
encryption for SSL traffic.

Configure Tenable Security Center for NIAP Compliance
If your organization requires that your instance of Tenable Security Center meets National
Information Assurance Partnership (NIAP) standards, you can configure relevant settings to be
compliant with NIAP standards.

You must run Tenable Security Center 5.15.0 or later to fully configure Tenable Security Center for
NIAP compliance. If you are running Tenable Security Center 5.15.0, you must install a patch to
configure Tenable Security Center for NIAP compliance. Contact Tenable Support for assistance
with the required patch. For more information about upgrading Tenable Security Center, see Before
You Upgrade and Upgrade Tenable Security Center.

For more information about Tenable Security Center storage and communications encryption, see
Encryption Strength.

Before you begin:

l If you are running Tenable Security Center 5.15.0, contact Tenable Support for assistance with
the required patch.

l If you are using SSL certificates to log in to Tenable Security Center, ensure your server and
client certificates are NIAP-compliant. For more information about certificate authentication,
see Certificate Authentication.

l Confirm you have enabled the full disk encryption capabilities provided by the operating
system on the host running Tenable Security Center.

To configure Tenable Security Center for NIAP compliance:

1. Log in to Tenable Security Center via the command line interface (CLI).

2. In the CLI in Tenable Security Center, as the root or tns user, run the following commands to
configure strong SSL/TLS encryption for Tenable Security Center communications:

# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "INSERT INTO Configuration ( type,name,value,visible,editable ) VALUES ( 64, 'SSLVersion', 'TLSv1_2', 'false', 'false' )"

# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "INSERT INTO Configuration ( type,name,value,visible,editable ) VALUES ( 64, 'SSLCipherList', 'ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384', 'false', 'false' )"

3. Configure the Tenable Security Center web server to use strong encryption for storage and
communications, as described in Configure SSL/TLS Strong Encryption.

Note: For NIAP compliance, you must configure TLS 1.2 encryption with any of the following ciphers:
ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, or
ECDHE-RSA-AES256-GCM-SHA384.

4. If you connect Tenable Security Center to Tenable Nessus, Tenable Nessus Manager, Tenable
Nessus Network Monitor, or Tenable Log Correlation Engine, you must use certificates to
authenticate the connection. For more information, see Manual Tenable Nessus SSL
Certificate Exchange and Manual Log Correlation Engine Key Exchange.
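The cipher restriction in the NIAP note above and the ssl_request_log check in Configure SSL/TLS Strong Encryption can be verified together with a small script. This is an added example, not part of the Tenable guide: it assumes Apache's default ssl_request_log format (%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b) and runs against constructed sample log lines.

```shell
#!/bin/sh
# Added example (not from the Tenable guide). Checks that an SSLCipherSuite
# value and the connections recorded in Apache's ssl_request_log stay within
# the NIAP set named above: TLS 1.2 with one of four ECDHE-RSA ciphers.

# The four ciphers the guide lists for NIAP compliance.
NIAP_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-GCM-SHA384"

# cipher_allowed NAME: returns 0 if NAME is one of the NIAP ciphers, else 1.
cipher_allowed() {
    for c in $NIAP_CIPHERS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# check_cipher_suite SUITE: SUITE is a colon-separated SSLCipherSuite value.
# Prints every entry outside the NIAP set and returns 1 if any was found, so
# a broad value such as "HIGH:!aNULL" is rejected rather than trusted.
check_cipher_suite() {
    rc=0
    for entry in $(printf '%s' "$1" | tr ':' ' '); do
        if ! cipher_allowed "$entry"; then
            echo "not allowed for NIAP: $entry"
            rc=1
        fi
    done
    return $rc
}

# audit_ssl_request_log: reads ssl_request_log lines on stdin in Apache's
# default format "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" and prints
# one NON-COMPLIANT line per connection that used a protocol other than
# TLSv1.2 or a cipher outside the NIAP set. %t occupies two whitespace-
# separated fields ("[day/mon/year:time" and "zone]"), hence two leading vars.
audit_ssl_request_log() {
    while read -r day zone client proto cipher rest; do
        [ -z "$cipher" ] && continue   # skip blank or truncated lines
        if [ "$proto" != "TLSv1.2" ] || ! cipher_allowed "$cipher"; then
            printf 'NON-COMPLIANT %s %s %s\n' "$client" "$proto" "$cipher"
        fi
    done
}

# count_noncompliant: number of non-compliant connections on stdin.
count_noncompliant() {
    echo "$(( $(audit_ssl_request_log | wc -l) ))"
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# The third connection negotiated TLSv1.1 with a cipher outside the NIAP set.
SAMPLE_LOG='[27/Jun/2024:10:15:32 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 1412
[27/Jun/2024:10:16:01 +0000] 192.0.2.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 2210
[27/Jun/2024:10:17:45 +0000] 192.0.2.12 TLSv1.1 ECDHE-RSA-AES256-SHA "GET / HTTP/1.1" 512'

# Demonstration on the constructed data. On a real host, run instead:
#   audit_ssl_request_log < /opt/sc/support/logs/ssl_request_log
if check_cipher_suite "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384"; then
    echo "SSLCipherSuite value is within the NIAP set"
fi
check_cipher_suite "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA" || echo "rejected the broad suite"
printf '%s\n' "$SAMPLE_LOG" | audit_ssl_request_log
echo "non-compliant connections: $(printf '%s\n' "$SAMPLE_LOG" | count_noncompliant)"
```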

File and Process Allow List

If you use third-party endpoint security products such as anti-virus applications and host-based
intrusion and prevention systems, Tenable recommends adding Tenable Security Center to the
allow list.

If you configured supporting resources for Tenable Security Center, see the product documentation
for each resource you added for more file and process allow list information. For more information
about supporting resources in Tenable Security Center, see Resources.

Tenable recommends allowing the following Tenable Security Center files and processes.

Allow List

Files

/opt/sc/*

Processes

/opt/sc/bin/*

/opt/sc/src/*

/opt/sc/support/bin/*

/opt/sc/www/*

Manual Log Correlation Engine Key Exchange

Required User Role: Administrator

You are not normally required to make a manual key exchange between Tenable Security Center and
the Log Correlation Engine; however, in some cases where you are prohibited from remote root
login or required to do key exchange debugging, you must manually exchange the keys.

For the remote Log Correlation Engine to recognize Tenable Security Center, copy the SSH public
key of Tenable Security Center and append it to the /opt/lce/.ssh/authorized_keys file.
The /opt/lce/daemons/lce-install-key.sh script performs this function.

Note: The Log Correlation Engine server must have a valid license key installed and the Log Correlation
Engine daemon must be running before you perform the steps below.

To perform manual Log Correlation Engine key exchange:

1. Log in to Tenable Security Center via the user interface.

2. Download the Tenable Security Center key, as described in Download the Tenable Security
Center SSH Key.

3. Save the file locally as SSHKey.pub.

Caution: Do not edit the file or save it to any specific file type.

4. From the workstation where you downloaded the key file, use a secure copy program (e.g.,
WinSCP) to copy the SSHKey.pub file to the Log Correlation Engine system.

Note: You must have the credentials of an authorized user on the Log Correlation Engine server to
perform this step.

For example, if you have a user username configured on the Log Correlation Engine server
(hostname lceserver) whose home directory is /home/username, the command on a Unix
system is as follows:

# scp SSHKey.pub username@lceserver:/home/username

5. After you copy the file to the Log Correlation Engine server, in the CLI, run the following
command to move the file to /opt/lce/daemons:

# mv /home/username/SSHKey.pub /opt/lce/daemons

6. On the Log Correlation Engine server, as the root user, run the following command to change
the ownership of the SSH key file to lce:

# chown lce /opt/lce/daemons/SSHKey.pub

7. Run the following command to append the SSH public key to the /opt/lce/.ssh/authorized_
keys file:

# su lce
# /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub

8. To test the communication, as the user tns on the Tenable Security Center system, attempt
to run the id command:

# su tns
# ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

If you have not previously established a connection, a warning appears that is similar to the
following:

The authenticity of host '198.51.100.28 (198.51.100.28)' can't be established.
RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
Are you sure you want to continue connecting (yes/no)?

9. Answer yes to this prompt.

If the key exchange worked correctly, a message similar to the following appears:

# uid=251(lce) gid=251(lce) groups=251(lce)

10. You can add the IP address of Tenable Security Center to the Log Correlation Engine system’s
/etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add
seconds to your query times.

11. You can add the Log Correlation Engine to Tenable Security Center via the normal
administrator process, described in Log Correlation Engines.

Manual Tenable Nessus SSL Certificate Exchange

If you want to use self-signed certificates for the Tenable Security Center-Tenable Nessus
connection, you can perform manual Tenable Nessus SSL certificate exchange.

Caution: Please note that users should be familiar with PKI deployments and it is not recommended that
the Nessus server be used as the site’s PKI system. The method described here is intended to assist in
testing the functionality of the certificate exchange to assist users in the incorporation of the certificates
into their current PKI system. In this method, the same key is shared between multiple servers. This may
not be acceptable in some installations.

l Overview of Tenable Nessus SSL Certificates and Keys

l Tenable Nessus Certificate Configuration for Unix

l Tenable Nessus Certificate Configuration for Windows

Overview of Tenable Nessus SSL Certificates and Keys

Nessus supports authentication protocols based on the OpenSSL toolkit (for more information
about the toolkit, see http://www.openssl.org/). This provides cryptographic protection and secure
authentication.

In the example described in this document, there are three key system components: the certificate
authority, the Nessus server and the Nessus client (Tenable Security Center). It is necessary to
generate the keys required for the SSL communication and copy them to the appropriate
directories.

Certificate Authority

The certificate authority (CA) ensures that the certificate holder is authentic and not an
impersonator. The CA holds a copy of the certificates for registered users to certify that the
certificate is genuine. When the CA receives a certificate signing request (CSR), it validates and
signs the certificate.

In the example provided in this document, the CA resides on the Nessus server (which is not the
recommended method for a production environment). In a proper PKI deployment, the CA would be
a separate system or entity, such as Thawte or Verisign.

Nessus Server
In the example described in this document, the Nessus server is the same physical system that
holds the CA, but this will not likely be the case in a production environment. The Nessus server is
the target of the secure communication and its keys must be generated locally and copied to the
systems that will need to communicate with it using the SSL protocol. The Nessus server has users
defined that authenticate to it either by simple login and password or via SSL. These users will also
have keys associated with them.

Nessus Client (Tenable Security Center)


The Nessus client, Tenable Security Center, communicates with the Nessus server via SSL. It uses
keys generated for a Nessus client and stores these keys and the certificate for the CA in the
/opt/sc/daemons directory. These keys must be owned by the “tns” userid.

Tenable Nessus Certificate Configuration for Unix


The following topic describes the commands and relevant files involved in the Nessus SSL process
on a Red Hat Linux system. This process creates the following files:

File Name Created: /opt/nessus/com/nessus/CA/cacert.pem
Purpose: The certificate for the Certificate Authority. If you use an existing PKI, the PKI provides
this file to you and you must copy it to this location.
Where to Copy to: /opt/nessus/com/nessus/CA on the initial Nessus server and any additional Nessus
servers that need to authenticate using SSL.

File Name Created: /opt/nessus/com/nessus/CA/servercert.pem
Purpose: The public certificate for the Nessus server that is sent in response to a CSR.
Where to Copy to: /opt/nessus/com/nessus/CA on any additional Nessus servers that need to
authenticate using SSL.

File Name Created: /opt/nessus/var/nessus/CA/cakey.pem
Purpose: The private key of the Certificate Authority. It may or may not be provided by the
Certificate Authority, depending on whether they allow the creation of sub users.
Where to Copy to: /opt/nessus/var/nessus/CA on any additional Nessus servers that need to
authenticate using SSL.

File Name Created: /opt/nessus/var/nessus/CA/serverkey.pem
Purpose: The private key of the Nessus server.
Where to Copy to: /opt/nessus/var/nessus/CA on any additional Nessus servers that need to
authenticate using SSL.

Create Nessus Client Keys


The Nessus user, in this case the user ID that Tenable Security Center uses to communicate with
the Nessus server, is created by the following command:

# /opt/nessus/sbin/nessuscli mkcert-client

This command creates the keys for the Nessus clients and optionally registers them appropriately
with the Nessus server by associating a distinguished name (dname) with the user ID. It is important
to respond y (yes) when prompted to register the user with the Nessus server for this to take effect.
The user name may vary and is referred to here as user.

The certificate filename is a concatenation of cert_, the user name you entered and .pem.
Additionally, the key filename is a concatenation of key_, the user name you entered and .pem.

If the user was previously added via the /opt/nessus/sbin/nessuscli adduser command, you
will still need to run this program to register the user. If you have not previously created the user, it
is not necessary to also run the nessuscli adduser command; the user is created if it does not
already exist. The following files are created by this command:

File Name Created: /tmp/nessus-xxxxxxxx/cert_{user}.pem
Purpose: The public certificate for the specified user.

File Name Created: /tmp/nessus-xxxxxxxx/key_{user}.pem
Purpose: The private key for the specified user.

File Name Created: /opt/nessus/var/nessus/users/{user}/auth/dname
Purpose: The distinguished name to be associated with this user. The distinguished name consists of a
number of fields separated by slashes in the following format:

/C={country}/ST={state}/L={location}/OU={organizational unit}/O={organization}/CN={common name}

Create and Deploy SSL Authentication for Nessus


An example SSL Certificate configuration for Nessus to Tenable Security Center authentication is
included below:

In the example described here, Tenable Security Center and the Nessus scanner are defined as
follows. Your configuration varies:

Tenable Security Center:


IP: 192.0.2.50
OS: Red Hat ES 5

Nessus Scanner:
IP: 192.0.2.202
OS: Red Hat ES 5

Create Keys and User on Nessus Server


Log in to the Nessus scanner and use the su command to become the root user. Create the
Certificate Authority and Nessus server certificate as follows:

# /opt/nessus/sbin/nessuscli mkcert
--------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
--------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your Nessus
daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [US]:
Your state or province name [NY]:
Your location (e.g. town) [New York]:
Your organization [Nessus Users United]: Tenable Network Security
This host name [Nessus4_2]:

Congratulations. Your server certificate was properly created.

The following files were created :

. Certification authority :

Certificate = /opt/nessus//com/nessus/CA/cacert.pem
Private key = /opt/nessus//var/nessus/CA/cakey.pem

. Nessus Server :
Certificate = /opt/nessus//com/nessus/CA/servercert.pem
Private key = /opt/nessus//var/nessus/CA/serverkey.pem

Next, create the user ID, key, and certificate that the Nessus client (Tenable Security Center in this
case) uses to log in to the Nessus server. This is done with the command
/opt/nessus/sbin/nessuscli mkcert-client. If the user does not exist in the Nessus user
database, it is created. If it does exist, it is registered to the Nessus server and has a distinguished
name (dname) associated with it. It is important to respond y (yes) when prompted to register the
user with the Nessus server for this to take effect. The user must be a Nessus admin, so answer y
when asked. The following example shows the prompts and typical answers:

# /opt/nessus/sbin/nessuscli mkcert-client
Do you want to register the users in the Nessus server
as soon as you create their certificates ? [n]: y

--------------------------------------------------------------------------
Creation Nessus SSL client Certificate
--------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL

client certificates for Nessus.
Client certificate life time in days [365]:
Your country (two letter code) [FR]: US
Your state or province name []: MD
Your location (e.g. town) [Paris]: Columbia
Your organization []: Tenable Network Security
Your organizational unit []:
**********
We are going to ask you some question for each client certificate
If some question have a default answer, you can force an empty answer by
entering a single dot '.'
*********
User #1 name (e.g. Nessus username) []: paul
User paul already exists
Do you want to go on and overwrite the credentials? [y]: y
Should this user be administrator? [n]: y
Country (two letter code) [US]:
State or province name [MD]:
Location (e.g. town) [Columbia]:
Organization [Tenable Network Security]:
Organizational unit []:
e-mail []:

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that $login has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax

Type the rules for this user, and enter a BLANK LINE once you are done:
(the user can have an empty rules set)

User added to Nessus.


Another client certificate? [n]: n
Your client certificates are in /tmp/nessus-043c22b5
You will have to copy them by hand
#

The certificates created contain the username entered previously, in this case paul, and are located
in the directory as listed in the example above (e.g., /tmp/nessus-043c22b5).

Create the nessuscert.pem Key
In the tmp directory listed above, the certificate and key files in this example are named
cert_paul.pem and key_paul.pem. These files must be concatenated to create nessuscert.pem as
follows:

# cd /tmp/nessus-043c22b5
# cat cert_paul.pem key_paul.pem > nessuscert.pem

Note: The nessuscert.pem file is used when configuring the Nessus scanner on Tenable Security Center.
This file needs to be copied to somewhere accessible for selection from your web browser during the
Nessus configuration.

Configure Nessus Daemons


To enable certificate authentication on the Nessus server, enable the force_pubkey_auth setting.
Once it is enabled, logins to the Nessus server can only be completed with SSL certificates; username
and password logins are disabled, so confirm that the client certificate works before you turn it on.
As the root (or equivalent) user on the Nessus server, run the following command:

# /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes

Restart the Nessus daemons with the appropriate command for your system. The example here is
for Red Hat:

# /sbin/service nessusd restart

Change the Nessus Mode of Authentication


In Tenable Security Center, update your Tenable Nessus scanner configuration to use SSL
certificate-based authentication. For more information, see Add a Tenable Nessus Scanner.

Considerations for Custom Certificates
During an upgrade, Tenable Security Center will check for the presence of custom SSL certificates.
If certificates are found and the owner is not Tenable, any newly generated certificates will be
named with a .new extension and placed in the /opt/sc/support/conf directory to avoid
overwriting existing files.

Deploy to Other Nessus Scanners


After you configure authentication on one Tenable Nessus scanner, you can use the same
SSL certificates and user names to authenticate other Tenable Nessus scanners.

Before you begin:


l Set up and configure all of your Tenable Nessus scanners.

l Add your Tenable Nessus scanners to Tenable Security Center, as described in Add a Tenable
Nessus Scanner.

To duplicate the same authentication configuration on other Tenable Nessus scanners:

1. In the command line interface (CLI) on the Tenable Nessus server you already configured, run the
following commands to copy the CA and server certificate files onto your other Tenable Nessus server.
Replace nessusIP with the address of the other server. These commands copy the CA private key, so
use a trusted host and network path:

# cd /opt/nessus/var/nessus/CA
# scp cakey.pem serverkey.pem root@nessusIP:/opt/nessus/var/nessus/CA
# cd /opt/nessus/com/nessus/CA
# scp cacert.pem servercert.pem root@nessusIP:/opt/nessus/com/nessus/CA

2. Run the following command to create a user directory on your second Tenable Nessus server,
using the same name as the user you created on the first Tenable Nessus server. Replace
admin with the user's name:

/opt/nessus/sbin/nessuscli adduser admin

A confirmation prompt appears.

3. Press y to confirm you want the user to have system administrator privileges.

Tenable Nessus creates the user.

4. Run the following command to copy the user you created on the first Tenable Nessus server to the
directory you created in step 2. Replace admin with the user's name:

# cd /opt/nessus/var/nessus/users
# tar -zcvf - admin | ssh -C root@nessusIP "tar -zxvf - -C /opt/nessus/var/nessus/users"

5. Run the following command to force Tenable Nessus to authenticate via certificate:

/opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes

6. Restart the Nessus service on all the Nessus servers with the appropriate command for your
system. This example is for Red Hat:

# /sbin/service nessusd restart

7. In Tenable Security Center, update all of your Tenable Nessus scanner configurations to use
SSL certificate-based authentication. For more information, see Add a Tenable Nessus
Scanner.
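The Unix procedure above, from mkcert through the nessuscert.pem bundle and the copy of the CA to a second scanner, as an added shell example that is not part of this guide or of Tenable's tooling. It uses openssl directly to build a throw-away CA, server certificate and client certificate in the same file layout that nessuscli mkcert and nessuscli mkcert-client produce (nessuscli itself is not called), assembles nessuscert.pem the way the Create the nessuscert.pem Key step describes, and then runs the checks worth doing before you upload the bundle to Tenable Security Center or copy cacert.pem to another scanner: the bundled certificate chains to cacert.pem, the bundled private key belongs to that certificate, the subject CN is the Nessus user name, and the CA fingerprint is identical on both hosts. The working directory, the user name paul and all subject fields are assumed values.

```shell
#!/bin/sh
# Added example, not Tenable's code: exercises the certificate layout that
# nessuscli mkcert / mkcert-client produce, using openssl directly.
# Assumed values: the working directory, the Nessus user "paul", all subject fields.

# make_test_pki DIR USER: create cacert.pem/cakey.pem, servercert.pem/serverkey.pem
# and cert_USER.pem/key_USER.pem under DIR, all issued by the same throw-away CA.
make_test_pki() {
    dir="$1"; user="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=US/ST=MD/L=Columbia/O=ExampleOrg/CN=nessus-ca" 2>/dev/null
    for name in server "$user"; do
        if [ "$name" = server ]; then
            key="$dir/serverkey.pem"; crt="$dir/servercert.pem"
        else
            key="$dir/key_$name.pem"; crt="$dir/cert_$name.pem"
        fi
        openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$dir/$name.csr" \
            -subj "/C=US/ST=MD/L=Columbia/O=ExampleOrg/CN=$name" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/cacert.pem" \
            -CAkey "$dir/cakey.pem" -CAcreateserial -out "$crt" 2>/dev/null
    done
}

# build_nessuscert DIR USER: the "cat cert_USER.pem key_USER.pem > nessuscert.pem"
# step from the guide; the bundle holds a private key, so restrict its mode.
build_nessuscert() {
    cat "$1/cert_$2.pem" "$1/key_$2.pem" > "$1/nessuscert.pem"
    chmod 600 "$1/nessuscert.pem"
}

# dname_of CERT: the subject in the slash-separated form Nessus stores in auth/dname.
dname_of() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# fingerprint_of CERT: SHA-256 fingerprint, to compare cacert.pem across scanners.
fingerprint_of() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# verify_nessuscert DIR USER: prints OK (exit 0) when the bundle contains a
# certificate and a private key, the certificate chains to DIR/cacert.pem, the
# key is the key for that certificate, and the CN is USER; otherwise prints why
# and exits 1.
verify_nessuscert() {
    dir="$1"; user="$2"; bundle="$dir/nessuscert.pem"
    grep -q 'BEGIN CERTIFICATE' "$bundle" || { echo "no certificate in bundle"; return 1; }
    grep -q 'PRIVATE KEY' "$bundle" || { echo "no private key in bundle"; return 1; }
    # x509 extracts the first certificate; verify reads it from stdin.
    openssl x509 -in "$bundle" 2>/dev/null | openssl verify -CAfile "$dir/cacert.pem" >/dev/null 2>&1 \
        || { echo "certificate does not chain to cacert.pem"; return 1; }
    # The public key inside the certificate must equal the one derived from the bundled key.
    cert_pub=$(openssl x509 -noout -pubkey -in "$bundle" 2>/dev/null)
    key_pub=$(sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$bundle" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and private key do not match"; return 1; }
    case "$(dname_of "$bundle")" in
        */CN=$user) echo OK ;;
        *) echo "subject CN is not $user"; return 1 ;;
    esac
}

# "sh nessuscert-check.sh demo" builds the test PKI in a temporary directory.
if [ "$1" = demo ]; then
    d=$(mktemp -d)
    make_test_pki "$d" paul
    build_nessuscert "$d" paul
    echo "dname:     $(dname_of "$d/cert_paul.pem")"
    echo "CA sha256: $(fingerprint_of "$d/cacert.pem")"
    echo "bundle:    $(verify_nessuscert "$d" paul)"
    rm -rf "$d"
fi
```

Against a real scanner, point verify_nessuscert at the directory that holds cacert.pem and the mkcert-client output, and after the scp step in Deploy to Other Nessus Scanners run fingerprint_of cacert.pem on each scanner and compare the values. The public-key comparison is what catches the most common mistake, concatenating the right certificate with the wrong key.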

Tenable Nessus Certificate Configuration for Windows

Commands and Relevant Files


The following section describes the commands and relevant files involved in the Nessus SSL
process on a Windows system.

Certificate Authority and Nessus Server Certificate


The command C:\Program Files\Tenable\Nessus\nessuscli mkcert creates the Certificate
Authority and generates the server certificate. This command creates the following files:

File Name Created: C:\Program Files\Tenable\Nessus\nessus\CA\cacert.pem
Purpose: The certificate for the Certificate Authority. If you use an existing PKI, the PKI provides
this file to you and you must copy it to this location.
Where to Copy to: C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that
need to authenticate using SSL.

File Name Created: C:\Program Files\Tenable\Nessus\nessus\CA\servercert.pem
Purpose: The public certificate for the Nessus server that is sent in response to a CSR.
Where to Copy to: C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that
need to authenticate using SSL.

File Name Created: C:\Program Files\Tenable\Nessus\nessus\CA\cakey.pem
Purpose: The private key of the Certificate Authority. It may or may not be provided by the
Certificate Authority, depending on whether they allow the creation of sub users.
Where to Copy to: C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that
need to authenticate using SSL.

File Name Created: C:\Program Files\Tenable\Nessus\nessus\CA\serverkey.pem
Purpose: The private key of the Nessus server.
Where to Copy to: C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that
need to authenticate using SSL.

Nessus Client Keys

The Nessus user, which in this case is the user ID that Tenable Security Center uses to
communicate with the Nessus server, is created by the command C:\Program
Files\Tenable\Nessus\nessuscli mkcert-client.

This command creates the keys for the Nessus clients and optionally registers them appropriately
with the Nessus server by associating a distinguished name (dname) with the user ID. It is important
to respond y (yes) when prompted to register the user with the Nessus server for this to take effect.
The user name may vary and is referred to here as user.

The certificate filename is a concatenation of cert_, the user name you entered and .pem.
Additionally, the key filename is a concatenation of key_, the user name you entered and .pem.

The following files are created by this command:

File Name Created: C:\Documents and Settings\<UserAccount>\Local Settings\Temp\nessus-xxxxxxxx\cert_<user>.pem
Purpose: The public certificate for the specified user.

File Name Created: C:\Documents and Settings\<UserAccount>\Local Settings\Temp\nessus-xxxxxxxx\key_<user>.pem
Purpose: The private key for the specified user.

File Name Created: C:\Program Files\Tenable\Nessus\nessus\users\<user_name>\auth\dname
Purpose: The distinguished name to be associated with this user. The distinguished name consists of a
number of fields separated by slashes in the following format:

"/C={country}/ST={state}/L={location}/OU={organizational unit}/O={organization}/CN={common name}"

Creating and Deploying SSL Authentication for Nessus

Create Keys and User on Nessus Server

To create the keys and user:

1. Create the Certificate Authority and Nessus server certificate using the command
C:\Program Files\Tenable\Nessus\nessuscli mkcert

2. Provide the requested information.

Caution: Critical: Any Nessus Scanner that has previously processed scans will not initially accept
these keys, because a policies.db will already have been created on the Nessus Scanner. Remove the
policies.db from the Nessus Scanner to ensure the deployment finishes successfully.

3. To remove the policies.db on a Linux system, issue this command as root:

rm /opt/nessus/var/nessus/users/<UserName>/policies.db

4. To remove the policies.db on a Windows system, navigate to the C:\Program
Files\Tenable\Nessus folder and remove the policies.db file. The actual location of the
policies.db differs depending on the version of Windows that is running.

5. Create the user ID, key, and certificate that the Nessus client (Tenable Security Center in this
case) uses to log in to the Nessus server, using the following command:

C:\Program Files\Tenable\Nessus\nessuscli mkcert-client

If the user does not exist in the Nessus user database, it is created. If it does exist, it is
registered to the Nessus server and has a distinguished name (dname) associated with it. It
is important to respond y (yes) when prompted to register the user with the Nessus server for
this to take effect. The user must be a Nessus admin, so answer y when asked.

The certificates created contain the username entered previously, in this case admin, and are
located in the directory as listed in the example above (e.g., C:\Documents and
Settings\<UserAccount>\Local Settings\Temp\nessus-00007fb1). In the specified directory, the
certificate and key files in this example are named cert_admin.pem and key_admin.pem.

Transfer Certificates and Keys to Tenable Security Center


Transfer the cert_admin.pem and key_admin.pem files to a desired location on Tenable Security
Center, change into that directory and concatenate them as follows:

# cat cert_admin.pem key_admin.pem > nessuscert.pem

Note: The nessuscert.pem file will be used when configuring the Nessus scanner on Tenable Security
Center. This file needs to be copied to somewhere accessible for selection from your web browser during
the Nessus configuration.

Configure Nessus Daemons


To enable certificate authentication on the Nessus server, enable the force_pubkey_auth setting.
Once it is enabled, logins to the Nessus server can only be completed with SSL certificates; username
and password logins are disabled, so confirm that the client certificate works before you turn it on.
As an administrator on the Nessus server, run the following command:

C:\Program Files\Tenable\Nessus\nessuscli fix --set force_pubkey_auth=yes

Open the Nessus Server Manager GUI, click Stop Nessus Server and then click Start Nessus Server.

Change the Nessus Mode of Authentication


In Tenable Security Center, update your Tenable Nessus scanner configuration to use SSL
certificate-based authentication. For more information, see Add a Tenable Nessus Scanner.

Offline Plugin and Feed Updates for Tenable Security Center
You can perform offline plugin updates and feed updates in air-gapped Tenable Security Center
environments.

Perform an Offline Nessus Plugin Update

Perform an Offline Tenable Nessus Network Monitor Plugin Update

Perform an Offline Tenable Security Center Feed Update

Perform an Offline Tenable Web App Scanning Plugins Update

Configure Tenable Nessus + Tenable Web App Scanning for Tenable Security Center
Offline

Note: Tenable Security Center does not manage plugins for Log Correlation Engine. However, Log
Correlation Engine plugins are required for event analysis.

For general information about best practices in air-gapped environments, see Considerations for
Air-Gapped Environments.

Perform an Offline Nessus Plugin Update

Required User Role: Administrator

Before you begin:


l If you installed Tenable Security Center in an environment other than Tenable Core, install a
temporary Tenable Nessus scanner on the same host as Tenable Security Center. You will use
this temporary Tenable Nessus scanner to generate a challenge code for offline Tenable
Security Center registration. Do not start or otherwise configure the temporary Tenable
Nessus scanner.

To perform an offline Tenable Nessus plugin update:

1. In the command line interface (CLI), run the following command to prevent the Tenable
Nessus scanner from starting automatically upon restarting the system:

/usr/bin/systemctl disable nessusd

2. Run the following command and save the challenge string that is displayed:

# /opt/nessus/sbin/nessuscli fetch --challenge

3. In your browser, navigate to https://plugins.nessus.org/offline.php.

Note: Use that page even if you have a newer version of Tenable Nessus installed. You cannot
use the https://plugins.nessus.org/v2/offline.php page for Tenable Security Center downloads.

4. Paste the challenge string from Step 2 and your Activation Code in the appropriate boxes on
the web page.

5. Click Submit.

6. On the next page, copy the link that starts with https://plugins.nessus.org/get.php... and
save it as a favorite. Within the saved link change all-2.0.tar.gz to sc-plugins-diff.tar.gz. This
link will be needed for future use.

Caution: Do not click the link for nessus-fetch.rc.

7. Go to the favorite you created.

The page prompts you to download a file.

8. Download the file, which is called sc-plugins-diff.tar.gz.

9. Verify the file using the MD5 checksum, as described in the knowledge base article.

10. Save the sc-plugins-diff.tar.gz on the system used to access your Tenable Security
Center web interface.

11. Log in to Tenable Security Center via the user interface.

12. Click System > Configuration.

The Configuration page appears.

13. Click Plugins/Feed.

The Plugins/Feed Configuration page appears.

14. In the Schedules section, expand the Active Plugins options.

15. Click Choose File and browse to the saved sc-plugins-diff.tar.gz file.

16. Click Submit.

After several minutes, the plugin update finishes and the page updates the Last Updated date
and time.

What to do next:
l If you installed a temporary Tenable Nessus scanner on the same host as Tenable Security
Center, uninstall the Tenable Nessus scanner.

Perform an Offline Tenable Nessus Network Monitor Plugin Update

Required User Role: Administrator

Before you begin:


l If you installed Tenable Security Center in an environment other than Tenable Core, install a
temporary Tenable Nessus scanner on the same host as Tenable Security Center. You will use
this temporary Tenable Nessus scanner to generate a challenge code for offline Tenable
Security Center registration. Do not start or otherwise configure the temporary Tenable
Nessus scanner.

To perform an offline Tenable Nessus Network Monitor plugin update:

1. In the command line interface (CLI), run the following command to prevent the Tenable
Nessus Network Monitor scanner from starting automatically upon restarting the system:

/usr/bin/systemctl disable nnm

2. Run the following command and save the challenge string that is displayed:

# /opt/nnm/bin/nnm --challenge

3. In your browser, navigate to the Tenable Nessus Network Monitor plugins page.

4. Paste the challenge string from Step 2 and your Activation Code in the appropriate boxes on
the web page.

5. Click Submit.

6. On the next page, copy the link that starts with https://plugins.nessus.org/v2/... and
bookmark it in your browser. The other information on the page is not relevant for use with
Tenable Security Center.

7. Click the bookmarked link.

The page prompts you to download a file.

8. Download the file, which is called sc-passive.tar.gz.

9. Verify the file using the MD5 checksum, as described in the knowledge base article.

10. Save the sc-passive.tar.gz on the system used to access your Tenable Security Center
GUI.

Note: Access the Tenable Nessus Network Monitor feed setting and change the activation from
offline to Tenable Security Center.

11. Log in to Tenable Security Center via the user interface.

12. Click System > Configuration.

The Configuration page appears.

13. Click Plugins/Feed.

The Plugins/Feed Configuration page appears.

14. In the Schedules section, expand the Passive Plugins options.

15. Click Choose File and browse to the saved sc-passive.tar.gz file.

16. Click Submit.

After several minutes, the plugin update finishes and the page updates the Last Updated date
and time.

What to do next:

l If you installed a temporary Tenable Nessus scanner on the same host as Tenable Security
Center, uninstall the Tenable Nessus scanner.

Perform an Offline Tenable Security Center Feed Update

Required User Role: Administrator

Note: If you already performed a Tenable Nessus offline plugin update, start at step 7.

Before you begin:


l If you installed Tenable Security Center in an environment other than Tenable Core, install a
temporary Tenable Nessus scanner on the same host as Tenable Security Center. You will use
this temporary Tenable Nessus scanner to generate a challenge code for offline Tenable
Security Center registration. Do not start or otherwise configure the temporary Tenable
Nessus scanner.

To perform an offline Tenable Security Center feed update:

1. In the command line interface (CLI), run the following command to prevent the Tenable
Nessus scanner from starting automatically upon restarting the system:

/usr/bin/systemctl disable nessusd

2. To obtain the challenge code for an offline Tenable Security Center registration, do one of the
following:

l If you deployed Tenable Security Center + Tenable Core, navigate to the Tenable
Security Center tab in Tenable Core and save the challenge code.

l If you installed Tenable Security Center in an environment other than Tenable Core, run
the following command and save the challenge code:

# /opt/nessus/sbin/nessuscli fetch --challenge

3. In your browser, navigate to https://plugins-customers.nessus.org/offline.php.

4. Paste the challenge code from Step 2 and your Activation Code in the appropriate boxes on
the web page.

5. Click Submit.

6. On the next page, copy the link that starts with https://plugins.nessus.org/get.php... and
save it as a favorite.

7. Within the saved link change all-2.0.tar.gz to SecurityCenterFeed48.tar.gz. This link is
needed for future use.

Caution: Do not click the link for nessus-fetch.rc as it is not needed.

8. Go to the favorite link you created.

The page prompts you to download a file.

9. Download the file, which will be called SecurityCenterFeed48.tar.gz.

10. Verify the file using the MD5 checksum, as described in the knowledge base article.

11. Save the SecurityCenterFeed48.tar.gz on the system used to access your Tenable
Security Center GUI.

12. Log in to Tenable Security Center via the user interface.

13. Click System > Configuration.

The Configuration page appears.

14. Click Plugins/Feed.

The Plugins/Feed Configuration page appears.

15. In the Schedules section, expand the Tenable Security Center Feed options.

16. Click Choose File and browse to the saved SecurityCenterFeed48.tar.gz file.

17. Click Submit.

After several minutes, the plugin update finishes and the page updates the Last Updated date
and time.

What to do next:

l If you installed a temporary Tenable Nessus scanner on the same host as Tenable Security
Center, uninstall the Tenable Nessus scanner.

Perform an Offline Tenable Web App Scanning Plugins Update

Required User Role: Administrator

Note: If you have already updated Tenable Nessus plugins offline, or if you have updated plugins via the
Tenable Security Center feed, skip to step 8.

Before you begin:


l If you installed Tenable Security Center in an environment other than Tenable Core, install a
temporary Tenable Nessus scanner on the same host as Tenable Security Center. You will use
this temporary Tenable Nessus scanner to generate a challenge code for offline Tenable
Security Center registration. Do not start or otherwise configure the temporary Tenable
Nessus scanner.

l Ensure that you are running Tenable Security Center 6.2 or later.

l Ensure that you have a Tenable Web App Scanning license to use with Tenable Security
Center

To perform an offline Tenable Security Center feed update:

1. In the command line interface (CLI), run the following command to prevent the Tenable
Nessus scanner from starting automatically upon restarting the system:

/usr/bin/systemctl disable nessusd

2. To obtain the challenge code for an offline Tenable Security Center registration, do one of the
following:

l If you deployed Tenable Security Center + Tenable Core, in Tenable Core, click the
Tenable Security Center tab and save the challenge code.

l If you installed Tenable Security Center in an environment other than Tenable Core, run
the following command and save the challenge code:

# /opt/nessus/sbin/nessuscli fetch --challenge

3. In your browser, navigate to https://plugins-customers.nessus.org/offline.php.

4. Paste the challenge code from Step 2 and your Activation Code in the corresponding boxes.

5. Click Submit.

6. On the next page, copy the link that starts with https://plugins.nessus.org/get.php...
and save it as a favorite.

7. In the saved link, change all-2.0.tar.gz to sc-was-plugins.tar.gz and change
/get.php to /v2/wasnessus.php. The link should look like this:
https://plugins.nessus.org/v2/wasnessus.php?f=sc-was-plugins.tar.gz… This link
is needed for future use; save it in a secure location.

8. Go to the favorite link you created.

The page prompts you to download the sc-was-plugins.tar.gz file.

9. Save the sc-was-plugins.tar.gz on the system used to access your Tenable Security
Center UI.

10. Log in to Tenable Security Center via the UI.

11. Click System > Configuration.

The Configuration page appears.

12. Click Plugins/Feed.

The Plugins/Feed Configuration page appears.

13. In the Schedules section, expand the WAS Plugins options.

14. Click Choose File and browse to the saved sc-was-plugins.tar.gz file.

15. Click Submit.

After several minutes, the plugin update finishes and the page updates the Last Updated date
and time.

What to do next:

l If you installed a temporary Tenable Nessus scanner on the same host as Tenable Security
Center, uninstall the Tenable Nessus scanner.

l Update the was-scanner Docker image on your Tenable Nessus scanners by using the
instructions at . When updating offline Tenable Web App Scanning plugins, always update the
was-scanner Docker image and vice-versa.
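The link rewriting that the three offline procedures above share (steps 6 and 7 of the Nessus plugin, Tenable Security Center feed and Tenable Web App Scanning procedures) together with the checksum check that follows the download, as an added shell example that is not part of this guide. It assumes the get.php link carries the package name in its query string exactly as shown on the page; the other query parameters in the constructed sample link used by the checks (u= and p=) are placeholders, not real values. It also confirms that the saved file really is a gzip tarball, since a failed download that saves an HTML page under the .tar.gz name is a common failure mode, and it compares the file's MD5 against the published checksum.

```shell
#!/bin/sh
# Added example, not Tenable's code: turns the get.php link issued by the
# offline registration page into the download link for each package the
# guide describes, and checks a downloaded tarball before it is uploaded.

# sc_feed_link LINK KIND: print the download link for KIND, one of
#   nessus  -> sc-plugins-diff.tar.gz       (Perform an Offline Nessus Plugin Update)
#   feed    -> SecurityCenterFeed48.tar.gz  (Perform an Offline Tenable Security Center Feed Update)
#   was     -> sc-was-plugins.tar.gz, served from /v2/wasnessus.php
# Only the file name (and, for was, the path) changes; every other query
# parameter is passed through exactly as issued.
sc_feed_link() {
    link="$1"
    case "$2" in
        nessus) file="sc-plugins-diff.tar.gz" ;;
        feed)   file="SecurityCenterFeed48.tar.gz" ;;
        was)    file="sc-was-plugins.tar.gz" ;;
        *) echo "unknown package kind: $2" >&2; return 1 ;;
    esac
    case "$link" in
        *all-2.0.tar.gz*) ;;
        *) echo "not a get.php link for all-2.0.tar.gz: $link" >&2; return 1 ;;
    esac
    new=$(printf '%s\n' "$link" | sed "s/all-2\.0\.tar\.gz/$file/")
    if [ "$2" = was ]; then
        new=$(printf '%s\n' "$new" | sed 's#/get\.php#/v2/wasnessus.php#')
    fi
    printf '%s\n' "$new"
}

# md5_of FILE: hex MD5 digest (via openssl, so the same command works where md5sum is absent).
md5_of() {
    openssl dgst -md5 "$1" | awk '{print $NF}'
}

# verify_download FILE EXPECTED_MD5: prints OK (exit 0) when FILE is a real
# gzip tarball whose MD5 equals EXPECTED_MD5 (case-insensitive); otherwise
# prints the reason and exits 1. A saved HTML error page fails the gzip test
# before the checksum is even looked at.
verify_download() {
    file="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    gzip -t "$file" 2>/dev/null || { echo "not a gzip file (HTML page saved as .tar.gz?)"; return 1; }
    tar -tzf "$file" >/dev/null 2>&1 || { echo "gzip data but not a tar archive"; return 1; }
    actual=$(md5_of "$file")
    [ "$actual" = "$expected" ] || { echo "MD5 mismatch: expected $expected, got $actual"; return 1; }
    echo OK
}

# Usage: sh sc-offline-link.sh LINK KIND        (print the rewritten link)
#        sh sc-offline-link.sh FILE MD5 check   (check a downloaded tarball)
case "$#" in
    2) sc_feed_link "$1" "$2" ;;
    3) verify_download "$1" "$2" ;;
esac
```

Keep the rewritten links somewhere access-controlled, as the guide says: the query string is what ties the download to your Activation Code.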

Configure Tenable Nessus + Tenable Web App Scanning for Tenable Security
Center Offline

Required User Role: Administrator

Note: If you already configured Tenable Nessus + Tenable Web App Scanning for Tenable Security Center
offline, you only need to repeat steps 3-5.

Before you begin:


l Apply the Tenable Web App Scanning for Tenable Security Center license, as described in
Update an Existing License.

l Update any Tenable Web App Scanning plugins, as described in Perform an Offline Tenable
Web App Scanning Plugins Update.

To configure Tenable Nessus + Tenable Web App Scanning for Tenable Security Center
offline:

1. On a system with Docker installed that is connected to the internet, run the following
commands:

docker pull tenable/was-scanner:latest

docker save tenable/was-scanner:latest > was-scanner-image.tar

2. Transfer the was-scanner-image.tar file to the Tenable Nessus scanner you want to
configure as a Tenable Web App Scanning scanner.

3. On the Tenable Nessus scanner host you're configuring:

a. Install and run Docker version 20.0.0 or later on your Tenable Nessus host. Tenable
recommends the official Docker builds and install packages.

b. Ensure you are running Tenable Nessus version 10.6.1 or later.

c. Ensure Tenable Nessus meets the Hardware Requirements.

d. Run docker load < was-scanner-image.tar.

e. Ensure tenable/was-scanner is visible when you run docker image ls.

4. Enable the Tenable Web App Scanning Capable option for the Tenable Nessus scanner in
Tenable Security Center, as described in Tenable Nessus Scanners.

5. Add a scan zone in Tenable Security Center, as described in Add a Scan Zone.

6. Add a universal repository for the scan data in Tenable Security Center, as described in Add a
Repository.

7. Configure your Tenable Web App Scanning credentials, as described in Add Credentials.

8. Create a Web App Scanning scan policy, as described in Add a Scan Policy.

9. Add a web app scan in Tenable Security Center, as described in Add a Web App Scan.
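
The host-side checks of step 3 (Docker 20.0.0 or later, Tenable Nessus 10.6.1 or later, docker load, and the docker image ls check) scripted as a pre-flight run, as an added example that is not Tenable's code. The nessuscli path and its -v output format are assumptions; only run_preflight touches docker or nessuscli, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not Tenable's code: pre-flight checks for steps 3a-3e of the
# offline Tenable Web App Scanning scanner setup. Minimum versions are the
# guide's (Docker 20.0.0, Tenable Nessus 10.6.1). The nessuscli path and its -v
# output format are assumptions; only run_preflight touches docker/nessuscli.

# version_ge A B: exit 0 when dotted version A is >= B (numeric, three fields;
# a missing field counts as 0 and a suffix such as "-ce" is ignored).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
        NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
        END {
            if (a1 != b1) { if (a1 > b1) exit 0; exit 1 }
            if (a2 != b2) { if (a2 > b2) exit 0; exit 1 }
            if (a3 >= b3) exit 0; exit 1
        }'
}

# image_present LISTING: exit 0 when `docker image ls` output LISTING has a row
# whose REPOSITORY column is tenable/was-scanner (step 3e).
image_present() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "tenable/was-scanner" { found = 1 }
        END { if (!found) exit 1 }'
}

# Constructed sample of `docker image ls` output (not captured from a real host).
SAMPLE_IMAGE_LS='REPOSITORY            TAG      IMAGE ID    CREATED       SIZE
tenable/was-scanner   latest   <imageID>   2 weeks ago   1.2GB
hello-world           latest   <imageID>   2 years ago   13kB'

# run_preflight [IMAGE_TAR]: the host-side checks of step 3, in order.
run_preflight() {
    tar="${1:-was-scanner-image.tar}"
    docker_ver=$(docker version --format '{{.Server.Version}}') || {
        echo "Docker is not installed or the daemon is not running"; return 1; }
    version_ge "$docker_ver" 20.0.0 || {
        echo "Docker $docker_ver is older than 20.0.0"; return 1; }
    # Assumption: nessuscli -v prints the Nessus version somewhere in its output.
    nessus_ver=$(/opt/nessus/sbin/nessuscli -v 2>/dev/null |
        grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    version_ge "${nessus_ver:-0}" 10.6.1 || {
        echo "Tenable Nessus ${nessus_ver:-unknown} is older than 10.6.1"; return 1; }
    [ -f "$tar" ] || { echo "$tar not found on this host"; return 1; }
    docker load < "$tar" || return 1
    image_present "$(docker image ls)" || {
        echo "tenable/was-scanner not visible in docker image ls"; return 1; }
    echo "Host is ready; continue with step 4 in Tenable Security Center"
}
```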

Troubleshooting
This troubleshooting section covers some of the common issues encountered with Tenable Security
Center.

• General Tenable Security Center Troubleshooting

• Tenable Log Correlation Engine Troubleshooting

• Tenable Nessus Troubleshooting

• Tenable Nessus Network Monitor Troubleshooting

• Troubleshooting Issues with the custom_CA.inc File

General Tenable Security Center Troubleshooting

Tenable Security Center does not appear to be operational

1. If a login page does not appear, close and reopen the web browser.

2. Ensure that the remote httpd service is running on the Tenable Security Center host:

# ps ax | grep httpd
1990 ? Ss 0:01 /opt/sc/support/bin/httpd -k start

3. Ensure that sufficient drive space exists on the Tenable Security Center host:

# df

Filesystem                      1K-blocks    Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   8506784 8506784         0 100% /
/dev/sda1                          101086   24455     71412  26% /boot
tmpfs                             1037732       0   1037732   0% /dev/shm

4. If there is not enough drive space, recover sufficient space and restart the Tenable Security
Center service:

# df

Filesystem                      1K-blocks    Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   8506784 6816420   1251276  85% /
/dev/sda1                          101086   24455     71412  26% /boot
tmpfs                             1037732       0   1037732   0% /dev/shm

# service SecurityCenter restart

Shutting down SecurityCenter services: [ OK ]
Starting SecurityCenter services: [ OK ]
#

Locked out of all Tenable Security Center user accounts
Contact Tenable Support.

Invalid license error


If you receive an invalid license error while attempting to log in as a security manager or lower
organizational user, an administrator user must log in and upload a new valid license key. A user
with access to the host OS and valid permissions can also check that an up-to-date license exists in
/opt/sc/daemons. Obtain a license from Tenable and copy it to the daemons directory as the tns
user.

-rw-r--r-- 1 tns tns 1942 Oct 29 12:14 license.key

Reporting does not work


Check your Java version. The system only supports OpenJDK and Oracle JRE. The existence of
another type of Java on the system will likely break reporting.

Tenable Log Correlation Engine Troubleshooting

Tenable Log Correlation Engine server does not appear to be operational


1. Confirm that the Tenable Log Correlation Engine server state is Working along with all
attached Tenable Log Correlation Engine clients.

2. Check that you can SSH from the Tenable Security Center host to the Tenable Log Correlation
Engine host.

3. Check that the Tenable Log Correlation Engine daemon is running on its host and listening on
the configured port (TCP port 31300 by default):

# ss -pan | grep lced

tcp 0 0 0.0.0.0:31300 0.0.0.0:* LISTEN 30339/lced

4. Check that the listening ports can be reached from the network and are not blocked by a
firewall.

5. If the Tenable Log Correlation Engine server is not operational, attempt to start the service:

# service lce start

Starting Log Correlation Engine
LCE Daemon Configuration


LICENSE: Tenable Log Correlation Engine 3-Silo Key for [user]
EXPIRE: 11-10-2011
REMAIN: 30 days
MESSAGE: LCE (3-silo license)
MESSAGE: Valid authorization
--------------------------------------------------------
[ OK ]

No events from an attached Tenable Log Correlation Engine server


1. Confirm that the Tenable Log Correlation Engine server state is Working along with all
attached Tenable Log Correlation Engine clients.

2. Confirm connectivity by checking that heartbeat events show up in the Tenable Security
Center UI.

3. Check the Tenable Log Correlation Engine configuration settings in accordance with the
Tenable Log Correlation Engine documentation.

4. Check the individual Tenable Log Correlation Engine client configuration and authorization. If
syslog is being used to collect information and events, ensure that the syslog service is
running and configured correctly on the target syslog server in accordance with Tenable Log
Correlation Engine documentation.

5. Check for NTP time synchronization between the Tenable Security Center, Tenable Log
Correlation Engine, and Tenable Log Correlation Engine clients.

Invalid Tenable Log Correlation Engine license


1. Check that an up-to-date license exists on the Tenable Log Correlation Engine server.

Tenable Log Correlation Engine plugins fail to update

1. Manually test a plugin update under Plugins with Update Plugins. If successful, the line
Passive Plugins Last Updated will update to the current date and time.

2. Ensure that the Tenable Security Center host is allowed outbound HTTPS connectivity to the
Tenable Log Correlation Engine Plugin Update Site.

3. For all other Tenable Log Correlation Engine plugin update issues, contact Tenable Support.

Tenable Nessus Troubleshooting

Tenable Nessus server does not appear to be operational


1. Verify that the Tenable Nessus scanner Status is Unable to Connect.

2. SSH to the remote Tenable Nessus host to make sure the underlying operating system is
operational.

3. Confirm that the Tenable Nessus daemon is running (Linux example below):

# service nessusd status


nessusd (pid 3853) is running...

4. If the Tenable Nessus service is not running, start the service:

# service nessusd start

Starting Nessus services:
# ps -ef | grep nessusd
root 8201 8200 60 11:41 pts/2 00:00:05 nessusd -q
root 8206 7842 0 11:41 pts/2 00:00:00 grep nessusd
#

Cannot add a Tenable Nessus server


1. Make sure the Tenable Nessus daemon was registered using the Tenable Security Center
option for registration.

2. Check connectivity from Tenable Security Center to the port the Tenable Nessus system is
running on (e.g., 8834). For example, run:

curl -k https://<scannerIPaddress>:<port>

Tenable Nessus scans fail to complete

1. Ensure that the Tenable Nessus service is running on the Tenable Nessus host.

2. Ensure that Tenable Nessus scanner is listed in Tenable Security Center under Resources >
Nessus Scanners and that the status of the Tenable Nessus scanner is listed as Working. For
more information, see Tenable Nessus Scanner Statuses.

3. Click Edit to ensure that the IP address or hostname, port, username, password, and selected
repositories for the Tenable Nessus scanner are all correct.

4. Edit any incorrect entries to their correct state.

5. Click Submit to attempt to reinitialize the Tenable Nessus scanning interface.

6. Right click the scan results and click Scan Details to obtain a more detailed description of the
error.

If the scan details indicate a Blocking error, this is indicative of a license IP address count
that has reached the limit. Either remove a repository to free up IP addresses or obtain a
license for more IP addresses.

7. Ensure that scan targets are permitted within the configured scan zones.

8. Ensure the Tenable Nessus scanner is running a supported Tenable Nessus version. For
minimum Tenable Nessus scanner version requirements, see the Tenable Security Center
Release Notes for your version.

Tenable Nessus plugins fail to update


1. Click System > Configuration.

The Configuration page appears.

2. Click License and ensure that the Tenable Nessus Activation Code is marked as Valid.

3. Ensure the Tenable Nessus scanner is running a supported Tenable Nessus version. For
minimum Tenable Nessus scanner version requirements, see the Tenable Security Center
Release Notes for your version.

4. Ensure that the user used to connect to the Tenable Nessus server is a Tenable Nessus
administrator.

5. Ensure that the Tenable Security Center system is allowed outbound HTTPS connectivity to
the Tenable Nessus Plugin Update Site.

6. Under System, Configuration, and Update in Tenable Security Center, ensure that Active
Plugins is not set to Never.

7. Manually test a plugin update under Plugins with Update Plugins.

If successful, the line Active Plugins Last Updated updates to the current date and time.

8. For all other Tenable Nessus plugin update issues, contact Tenable Support.

Tenable Nessus Network Monitor Troubleshooting

Tenable Nessus Network Monitor server does not appear to be operational


1. Verify that the Tenable Nessus Network Monitor server appears as Unable to Connect under
Status.

2. SSH to the remote Tenable Nessus Network Monitor host to make sure the underlying
operating system is operational.

3. Confirm that the Tenable Nessus Network Monitor is running (Linux example below):

# service pvs status

NNM is stopped
NNM Proxy (pid 3142) is running
#

4. If the Tenable Nessus Network Monitor service is not running, start the service:

# service nnm start


Starting NNM Proxy [ OK ]
Starting NNM [ OK ]
#

Cannot add a Tenable Nessus Network Monitor server

1. Confirm that the Tenable Nessus Network Monitor proxy is listening on the same port as
Tenable Security Center (port 8835 by default):

# ss -pan | grep 8835


tcp 0 0 0.0.0.0:8835 0.0.0.0:* LISTEN 406/pvs

2. Check connectivity by telnetting from the Tenable Security Center console into the Tenable
Nessus Network Monitor server on port 8835 (the Tenable Nessus Network Monitor listening
port). If successful, the response includes: Escape character is '^]'.

No vulnerabilities are being received from the Tenable Nessus Network Monitor server

1. Ensure that the Tenable Nessus Network Monitor service is running on the Tenable Nessus
Network Monitor host.

2. Ensure that the Tenable Nessus Network Monitor appears in Tenable Security Center under
Resources > Tenable Nessus Network Monitors and that the status of the Tenable Nessus
Network Monitor appears as Working.

3. Click Edit to ensure that the IP address or hostname, port, username, password, and selected
repositories for the Tenable Nessus Network Monitor are correct.

4. Edit any incorrect entries to their correct state.

5. Click Submit to attempt to reinitialize the Tenable Nessus Network Monitor scanning
interface.

Tenable Nessus Network Monitor plugins fail to update


1. Manually test a plugin update under Plugins with Update Plugins.

If successful, Passive Plugins Last Updated updates to the current date and time.

2. Ensure that the Tenable Security Center host allows outbound HTTPS connectivity to the
Tenable Nessus Network Monitor Plugin Update Site.

3. For all other Tenable Nessus Network Monitor plugin update issues, contact Tenable Support.
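
The manual checks above (httpd process and free disk space under General Tenable Security Center Troubleshooting, the license file in /opt/sc/daemons, the lced listener on TCP 31300, and the NNM proxy on 8835) gathered into one read-only health check, as an added example that is not part of the Tenable guide. The parsing helpers take command output as an argument so they can be run on the constructed samples below; sc_health runs the live commands on the Tenable Security Center host, and listener_for is meant to be run on the LCE or NNM host itself.

```shell
#!/bin/sh
# Added example, not Tenable's code: scripts the troubleshooting steps above.

# full_mounts DF_OUTPUT THRESHOLD: print mount points at or above THRESHOLD Use%.
# df wraps a long device name onto its own line (as in the guide's output), so a
# one-field line is glued to the line that follows it before parsing.
full_mounts() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        NR == 1 { next }                      # header
        NF == 1 { pending = $1; next }        # device name wrapped alone
        {
            if (pending != "") { $0 = pending " " $0; pending = "" }
            use = $5; sub(/%/, "", use)
            if (use + 0 >= thr) print $6
        }'
}

# listener_for SS_OUTPUT PORT: print the PID/program field of the LISTEN socket
# bound to PORT; exit 1 when nothing listens there (daemon stopped or misbound).
# Run on the LCE host for 31300 and on the NNM host for 8835.
listener_for() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" port "$")) { print $NF; found = 1 }
        }
        END { if (!found) exit 1 }'
}

# license_ok PATH OWNER: the license must be a readable regular file owned by
# OWNER (tns on a real install, as in the guide's ls output).
license_ok() {
    [ -f "$1" ] && [ -r "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Constructed samples modelled on the guide's df and ss output (not captured).
DF_SAMPLE='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
8506784 8506784 0 100% /
/dev/sda1 101086 24455 71412 26% /boot
tmpfs 1037732 0 1037732 0% /dev/shm'
SS_SAMPLE='tcp 0 0 0.0.0.0:31300 0.0.0.0:* LISTEN 30339/lced
tcp 0 0 0.0.0.0:8835 0.0.0.0:* LISTEN 406/pvs'

# sc_health: live checks on the Tenable Security Center host; exit 1 on any finding.
sc_health() {
    rc=0
    pgrep -f /opt/sc/support/bin/httpd >/dev/null || { echo "httpd is not running"; rc=1; }
    for m in $(full_mounts "$(df -P)" 90); do echo "disk usage >= 90% on $m"; rc=1; done
    license_ok /opt/sc/daemons/license.key tns || { echo "license.key missing or not readable by tns"; rc=1; }
    return $rc
}
```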

Error Messages
For Tenable Security Center API status codes, see the Tenable Security Center API Guide.

Note: Some errors are dependent on internal processes. If the error code you received is not listed, it may
not indicate a specific Tenable Security Center error.

Scanning
For more information about creating, modifying, and launching scans, see Configure Scans.

For more information about statuses, see Tenable Nessus Scanner Statuses, Scan Result Statuses,
and View Your Scan Zones.

Code: 14
Message: Progress handler has died.
Recommended Action: Your system processes may be overloaded during the scan. Confirm your available system resources and re-run the scan.

Code: 14
Message: Error creating Email notifying User '<username>' of Scan launch.
Recommended Action: Do any of the following:
• Confirm the alert specifies one or more valid email addresses. For more information, see Email.
• Confirm the job queue database is not locked.

Code: 14
Message: Error creating Email notifying User '<username>' of Scan completion.
Recommended Action: Do any of the following:
• Confirm the alert specifies one or more valid email addresses. For more information, see Email.
• Confirm the job queue database is not locked.

Code: 60
Message: Available Zones do not cover any accessible Scan IPs for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: For troubleshooting assistance, see the knowledge base article.

Code: 62
Message: No scanners ready to scan
Recommended Action: The scan may be using incorrect or insufficient credentials, or another issue is blocking the scan. For troubleshooting assistance, see the knowledge base article.

Code: 64
Message: Scan #<scanDefinitionID> is disabled.
Recommended Action: You may have insufficient permissions to run the scan. For troubleshooting assistance, see the knowledge base article.

Code: 64
Message: Scan Policy #<scanPolicyID> in Scan #<scanDefinitionID> is disabled.
Recommended Action: You may have insufficient permissions to run the scan. For troubleshooting assistance, see the knowledge base article.

Code: 70
Message: Unable to launch Scan progress process
Recommended Action: Tenable Security Center is unable to fork the running scan process. You may need to raise the stack size for the tns user. Contact your system administrator for assistance.

Code: 102
Message: Could not open '<nessusFile>' for writing.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error getting contents of AuditFile '<auditFileName>' for Scan job #<scanJobID>.
Recommended Action: Tenable Security Center cannot access the audit file definition. Do any of the following:
• Verify the specified audit file is valid.
• Create a new audit file to use with the scan.
For more information, see Audit Files.

Code: 106
Message: Error creating temp SCAP directory '<scapDir>'.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error creating temp OVAL directory '<ovalDir>'.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error creating temp directory '<tempDir>'.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error untaring SCAP results file '<file>' (rc = $rc).
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error moving <type> result file '<curFile>' to '<newFile>'.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Unable to get current working directory.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Failed to change to the SCAP directory for zipping.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error building SCAP results file '<scapFile>' (rc = <zipReturnCode>).
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Failed to change back to originating directory.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Unable to get current working directory.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Failed to change to the OVAL directory for zipping.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Error building OVAL results file '$ovalFile' (rc = $rc).
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: Failed to change back to originating directory.
Recommended Action: Tenable Security Center may have insufficient disk space. Free up disk space in Tenable Security Center, as described in the knowledge base article.

Code: 106
Message: No results file found for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: Tenable Security Center cannot locate /opt/sc/data/scans/#jobID/results.xml. Verify the following:
• /opt/sc/data/scans/#jobID/results.xml is in the correct directory.
• The tns user can access the file and directory.

Code: 106
Message: Error creating new VDB directory for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: Verify the tns user can access the following directory: /opt/sc/orgs/#orgID/VDB/#dateOfScan/.

Code: 106
Message: Error moving results for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: Verify the tns user can access the following directory: /opt/sc/orgs/#orgID/VDB/#dateOfScan/.

Code: 145
Message: Error reading AuditFile '' for Scan job #<scanJobID>. Unable to retrieve AuditFile #<auditFileID>
Recommended Action: Add an audit file to the scan policy, then re-run the scan. For more information, see Audit Files and Scan Policies.

Code: 146
Message: Unable to find template maps for Policy template #<policyTemplateID>.
Recommended Action: Check for any errors with the last plugin update. If needed, perform another plugin update. For more information, see Offline Plugin and Feed Updates for Tenable Security Center.

Code: 146
Message: Diagnostic target is outside IPs of original Scan.
Recommended Action: The scan target is not included in the scan configuration. If you want to include the target in the scan, update the scan settings and then re-run the scan.

Code: 146
Message: Diagnostic target is not a single host.
Recommended Action: The target of the diagnostic scan must be a single IP or FQDN. Update the scan configuration, then re-run the scan.

Code: 146
Message: Zone Selection is locked but no Zone is specified.
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 146
Message: Zone Selection is selectable but no Zone is specified.
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 146
Message: Entered IPs and Assets are empty.
Recommended Action: One or more scan targets do not exist in the selected import repository. For troubleshooting assistance, see the knowledge base article.

Code: 146
Message: Scan IPs are restricted.
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 146
Message: Scan IPs are not within your accessible range.
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 146
Message: The number of Scan IPs is too large (more than 2^24 unique IPs).
Recommended Action: Reduce the number of scan targets and re-run the scan.

Code: 147
Message: Job #<scanJobID> not found.
Recommended Action: Confirm the job queue database is not locked, then re-run the scan.

Code: 201
Message: Error Setting up Scan database. <details>
Recommended Action: Do any of the following, then re-run the scan:
• Confirm you have adequate disk space
• Confirm the tns user can access /opt/sc/data/scans/#jobID/

Code: 201
Message: Error creating Scan database tables. <details>
Recommended Action: Do any of the following, then re-run the scan:
• Confirm you have adequate disk space
• Confirm the tns user can access /opt/sc/data/scans/#jobID/
• Confirm there are no corrupted databases

Code: 202
Message: Error message varies.
Recommended Action: Your system processes may be overloaded during the scan. Confirm your available system resources and re-run the scan. If the error persists, contact your Tenable representative.

Code: 400
Message: Scan job #<scanJobID> stopped due to scanner inactivity.
Recommended Action: Your system processes may be overloaded during the scan. Confirm your available system resources and re-run the scan.

Code: 65536
Message: Failed to resolve <numFailed> scan target hostnames in Scan #job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: Tenable Security Center cannot resolve the specified scan target hostnames. For troubleshooting assistance, see the knowledge base article.

Code: 65536
Message: Unable to scan <numRestrictedTargets> Restricted target<plural> in Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 65536
Message: Unable to scan <numInaccessibleTargets> target(s) outside your accessible ranges in Scan #job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 65536
Message: Usable Zones fail to cover <unscannableCount> accessible Scan IP<plural> for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.

Code: 65536
Message: Available Zones do not cover accessible Scan IPs for Scan job #<jobIDorPID> ('<scanDefinitionName>' - #<scanDefinitionID>).
Recommended Action: You may have insufficient permissions to run the scan, or you may need to adjust your scan configuration. For troubleshooting assistance, see the knowledge base article.