Managing Active Queries

The Active Queries Management page allows you to configure and enable active queries. As part of the initial setup, Tenable recommends that you activate all query capabilities. At any time, you can activate/deactivate any query functions. You can also adjust the settings for when and how to execute the queries.

In addition to the automatic queries that run periodically, you can initiate queries on demand by enabling the Enable Manual Run toggle in the query card. If Enable Manual Run is disabled, OT Security prompts you to override it when you select Perform Resync on the Asset Details page (Inventory > All Assets).

For more information about the queries technology, see OT Security Technologies.

Note: OT Security may fail to identify assets when you disable queries. OT Security tracks devices through passive monitoring as well as active querying.

Tip: To allow active queries to function, click the Active Queries Engine Enabled toggle. After you enable the engine, OT Security displays an indicator in the header to show that the query engine is running. Enabling the engine does not run anything by itself: you must still enable each individual query separately.

The Active Queries Management page categorizes queries into the following types. There is a separate query tab for each query type with its list of queries.

  • OT Queries — Queries designed to poll controllers and embedded devices safely for more information using their proprietary protocols. OT Security performs read-only queries to gather device information, such as the PLC running state and the modules connected to the backplane. It queries only devices that are listening for a proprietary protocol that OT Security supports. The query types are Identification Query, Backplane Mapping, Details Query, State Query, and Code Snapshots.

  • IT Queries — Queries that fetch additional data points from the IT-type assets that OT Security observes. Most of these queries require credentials; the NetBIOS and ARP queries do not.

    • NetBIOS query attempts to discover any devices listening for NetBIOS in the broadcast range of an OT Security Sensor or of OT Security itself. This query is suitable for identifying nearby Windows devices.

    • SNMP query uses SNMP v2 (community string) or SNMP v3 credentials to solicit identification details from network infrastructure or other networked devices that support SNMP. OT Security queries the SNMP system description and other parameters to add asset context and assist with fingerprinting. Prefer SNMP v3 with authentication and privacy where the devices support it: a v2 community string is sent in cleartext on the wire.

    • WMI details query fetches a variety of important data points from Windows-based systems. The queried system must have a Windows account (local or domain) with sufficient permissions to poll the Windows Management Instrumentation (WMI) service. Use a dedicated, least-privilege account for this rather than a domain administrator account.

    • WMI USB State query determines whether removable media such as USB drives or portable hard drives are connected to the Windows device, such as an engineering workstation or server. This query is a prerequisite for the Change in USB Configuration on Windows Machines policy; that policy cannot work correctly without it.

    • Nessus Basic Scan fetches system details such as IP address, FQDN, operating systems, and open ports.

    • ARP (Address Resolution Protocol) Query fetches the hardware (MAC) address of the network interface of IP-connected devices in the same broadcast domain.

  • Discovery — These queries detect live assets in the network that OT Security monitors.

    • Asset Discovery — Leverages Internet Control Message Protocol (ICMP) or ping to detect live and responding IP addresses.

    • Active Asset Tracking — Regularly attempts to ping a known, monitored asset to ensure that it is still up and available.

    • Controller Discovery — Sends a set of multicast packets to the network to provoke controllers or ICS devices to reply directly to OT Security with their information.

    • Ping Query — Sends Internet Control Message Protocol (ICMP) pings to verify if an asset is reachable.

    • DNS Lookup — Fetches the DNS server details.

    • Port Mapping — Fetches details about open ports on monitored assets.

  • Initial Enrichment — Automatic OT Security queries that run when certain criteria or conditions are met. Asset enrichment queries run whenever OT Security first observes a device, whether passively or actively. With Asset Enrichment, OT Security fingerprints and identifies the device as soon as it appears on the network.

  • Nessus Scans — The Tenable Nessus plugin scan launches an advanced Nessus scan that executes a user-defined list of plugins on the assets specified in the list of CIDRs and IP addresses. For more information, see Create Nessus Plugin Scans.

Create Custom Queries

Each type of query has a system default variation that you can run periodically or on-demand. You can also create additional variations of each query, with its own respective configuration, for different projects and functions.

For example, you can configure custom queries for the following scenarios:

  • Different maintenance times for different parts of the plant.

  • Different projects and criticality for different assets.

  • Different queries for OT functions and IT functions.

To create a query variation:

  1. Go to Active Queries > Queries Management.

    The Active Queries Management page appears.

  2. Click the required query type tab.

    OT Security displays the query type with the list of available queries.

  3. In the required query type section, click Create Query Variation.

    The Create Query Variation panel appears.

  4. In the Name box, type a name for the query.

  5. In the Assets drop-down box, select an asset group.

    Note: You can also use the Search box to search for a specific group.

  6. To repeat the query, click the Recurring Run toggle.

    OT Security enables the Repeats Every section.

  7. Type a number and select Days or Weeks from the drop-down box. For certain queries, you can also select Minutes or Hours.

    If you select Weeks, indicate the days of the week to run the queries.

  8. In the At box, set the time of day to run the queries (in HH:MM:SS) by clicking on the clock icon and selecting the time, or by typing the time manually.

  9. (Only for Asset Discovery) In the IP Ranges box, type the IP addresses or IP ranges of the assets to discover.

  10. (Only for Discovery Queries) In the Number of Assets to poll simultaneously drop-down box, select the number of assets (10, 20, or 30).

  11. (Only for Discovery Queries) In the Time Between Discovery Queries drop-down box, select the time between the discovery queries (1 to 3 seconds).

  12. Click Save.

    OT Security adds the query to the Custom Variations table.

    See Run a Query Variation.

Add Restrictions

You can block queries from running on specific asset groups, such as IP ranges, OT servers, Tablets, Medical Devices, Domain Controllers, and so on. You can also apply restrictions on specific protocols (clients).

Note: Restrictions do not apply to the Discovery (ICMP) queries.

To add restrictions:

  1. Go to Active Queries > Queries Management.

    The Active Queries Management page appears.

  2. In the upper-right corner, click Add Restrictions.

    The Add Restrictions panel appears.

  3. In the Blocked Assets drop-down box, select the required asset groups to block.

    Note: You can use the search box to search for specific asset groups.

  4. In the Restricted Clients drop-down box, select the required clients.

  5. In the Blackout Period drop-down box, select the duration for which you want to block the active queries. Available options are based on Schedule Groups. Default options are: None, Working Hours.

  6. Click Save.

    OT Security applies the restrictions to the selected clients and asset groups. A banner appears at the top of each query tab indicating that restrictions are in place.
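
The following Python model is an added example for this page, not OT Security code, and shows how the three restriction controls described above (Blocked Assets, Restricted Clients, Blackout Period) combine with the Discovery exemption when a query variation such as the ones created under Create Custom Queries is about to run. It assumes asset groups can be reduced to lists of IPs/CIDRs and that a Schedule Group is a weekday-plus-time window; the group names, query names, addresses and run times below are constructed sample data.

```python
"""Model of the Add Restrictions semantics on the Queries Management page.

Added example; not Tenable OT Security code. Assumptions: asset groups are
lists of IPs/CIDRs, a Schedule Group is a set of weekdays plus a time window,
and the rule "restrictions do not apply to Discovery (ICMP) queries" is a
query-type exemption. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

DISCOVERY = "Discovery"   # the Discovery tab: Asset Discovery, Ping Query, ...


@dataclass
class QueryVariation:
    name: str
    query_type: str        # "OT Queries", "IT Queries" or "Discovery"
    client: str            # protocol/client the query speaks, e.g. "SNMP", "WMI"
    targets: List[str]     # single IPs or CIDRs selected via the Assets box


@dataclass
class ScheduleGroup:
    """A Schedule Group usable as a Blackout Period (e.g. 'Working Hours')."""
    name: str
    weekdays: Set[int]     # Monday=0 ... Sunday=6
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class Restrictions:
    blocked_assets: Dict[str, List[str]]   # asset group name -> IPs/CIDRs
    restricted_clients: Set[str]
    blackout: Optional[ScheduleGroup] = None


def expand_targets(targets: List[str]) -> List[str]:
    """Return every address covered by a list of IPs/CIDRs (a bare IP is a /32)."""
    return [str(ip) for t in targets for ip in ip_network(t, strict=False)]


def evaluate(variation: QueryVariation, restrictions: Restrictions,
             when: datetime) -> Dict[str, str]:
    """Return {ip: reason} for each target the restrictions would stop this
    variation from polling at `when`. An empty dict means the run is unrestricted."""
    skipped: Dict[str, str] = {}
    if variation.query_type == DISCOVERY:
        return skipped                     # Discovery (ICMP) queries are exempt
    targets = expand_targets(variation.targets)
    bl = restrictions.blackout
    if bl is not None and bl.contains(when):
        return {ip: "blackout:" + bl.name for ip in targets}
    if variation.client in restrictions.restricted_clients:
        return {ip: "restricted-client:" + variation.client for ip in targets}
    for ip in targets:                     # per-asset blocks apply last
        for group, cidrs in restrictions.blocked_assets.items():
            if any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs):
                skipped[ip] = "blocked-asset:" + group
                break
    return skipped


# Constructed sample configuration (hypothetical group and query names).
WORKING_HOURS = ScheduleGroup("Working Hours", {0, 1, 2, 3, 4}, time(8, 0), time(17, 0))
RESTRICTIONS = Restrictions(
    blocked_assets={"Domain Controllers": ["10.0.1.10", "10.0.1.11"],
                    "Medical Devices": ["10.0.9.0/29"]},
    restricted_clients={"SNMP"},
    blackout=WORKING_HOURS,
)
WMI_DETAILS = QueryVariation("WMI details - line 1", "IT Queries", "WMI",
                             ["10.0.1.10", "10.0.1.12", "10.0.9.2"])
SNMP_DETAILS = QueryVariation("SNMP - switches", "IT Queries", "SNMP", ["10.0.5.0/30"])
PING = QueryVariation("Ping - line 1", DISCOVERY, "ICMP", ["10.0.1.10"])

if __name__ == "__main__":
    for q in (PING, WMI_DETAILS, SNMP_DETAILS):
        for when in (datetime(2024, 5, 7, 10, 0), datetime(2024, 5, 7, 22, 0)):
            print(q.name, when.isoformat(), evaluate(q, RESTRICTIONS, when))
```

Running the script shows the ordering the model assumes: a blackout stops the whole run, a restricted client stops the whole run outside the blackout, and blocked asset groups remove only the matching targets, while the Ping variation is never restricted. If the order in which OT Security evaluates these controls matters for your maintenance planning, confirm it against a Download Last Run Log rather than relying on this model.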

Edit Query Variation

To edit details of a query:

  1. Go to Active Queries > Queries Management.

    The Active Queries Management page appears.

  2. From the list of queries, select the one to edit and do one of the following:

    • Right-click the query and select Edit.

    • Select the query, then click Actions > Edit.

    The Edit Query panel appears.

  3. Modify the query as needed.

  4. Click Save.

    OT Security saves the changes to the query variation.

Duplicate a Query Variation

  1. Go to Active Queries > Queries Management.

    The Queries Management page appears.

  2. From the list of queries, select the one to create a copy and do one of the following:

    • Right-click the query and select Duplicate.

    • Select the query, then click Actions > Duplicate.

    The Duplicate Query panel appears with details of the query.

  3. Rename the query and modify the details as needed.

  4. Click Save.

    OT Security saves the query and it appears in the Queries table.

Run a Query Variation

You can run active queries when needed.

To run a query:

  1. Go to Active Queries > Queries Management.

    The Queries Management page appears.

  2. From the list of queries, select the one you want to run and do one of the following:

    • Right-click the query and select Run now.

    • From the Actions menu, click Run now.

    A message asks for confirmation to run the query.

  3. Click Ok.

    OT Security runs the selected query.

    Note: If OT Security has reached its limit on the number of active query attempts against a device or network, it warns you before running. Select Try Anyway to override the limit and proceed with the query.

Download Query Log

You can download the log of the last run of a query variation. You can use the log to troubleshoot issues with any of the assets or protocols included in the active query.

To download the last query log:

  1. Go to Active Queries > Queries Management.

    The Queries Management page appears.

  2. From the list of queries, select the one for which you want to download the log and do one of the following:

    • Right-click the query and select Download Last Run Log.

    • From the Actions menu, click Download Last Run Log.

    OT Security downloads the log of the last run of the selected query.