Exposure Signals

An Exposure Signal can be defined as a combination of risks that could make any weakness potentially dangerous to your business. For example, an account with:

  • Privileged access to a business-critical application

  • Unpatched vulnerabilities on their device

  • A device not covered by EDR

Is a candidate for an exposure signal, because these weaknesses combined on an asset makes this person a risk to their organization.

Within Tenable Exposure Management, you can generate exposure signals that use queries to search for asset violations. Simply put, if an asset is impacted by a weakness related to the query, then the asset is considered a violation. On the Exposure Signals page, you can view, generate, and interact with the data from queries and their impacted asset violations.

Using this, you can:

  • Gain visibility into your most critical risk scenarios

  • Create custom exposure signals to view business-specific risks and weaknesses

To access the Exposure Signals page:

  1. In the left navigation menu, click Exposure Signals.

    The Exposure Signals page appears.

The Exposure Signals page includes the following sections:

On the left side of the page, you can view a list of cards representing exposure signals.

You can manage the list in the following ways:

    1. In the upper-right corner of the list, click the button.

      The search box appears.

    2. In the search box, type the criteria by which you want to search the exposure signals list.

      Tenable Exposure Management filters the list by the specified criteria.

    1. In the upper-right corner of the list, click the button.

      The Filter By Sources window appears.

    2. Select the check box next to each data source by which you want to filter the exposure signals list.

      Tenable Exposure Management filters the list by the specified criteria.

    Tip: Click Clear Filter to remove all applied filters from the list.

    1. In the upper-right corner of the list, click the button.

      The Settings window appears.

    2. In the View Preferences section, select one of the following options:

      • Show all Exposure Signals — Show all exposure signal cards regardless of if their combinations result in a violation.

      • Show only combinations resulting in violations — Show only exposure signal cards that include combinations resulting in a violation.

    3. In the Card Sorting section, select one of the following options:

      • Alphabetic Order — List exposure signal cards in alphabetical order.

      • Alphabetic Reverse — List exposure signal cards in reverse alphabetical order.

      • Highest Violation — List exposure signal in order of the highest violation first.

      • Lowest Violation — List exposure signal in order of the lowest violation first.

      • Changed frequently in the last 7 days — List only exposure signals that have been updated within the last 7 days.

    4. Click Save.

The list includes the following tabs:

  • Built-In — The cards in this section represent Tenable-provided exposure signals. You cannot edit built-in exposure signals.

  • Custom — The cards in this section represent user-created custom exposure signals. To add exposure signals to this section, you can:

  • Archive — The cards in this section represent all exposure signal cards that have been archived.

    Tip: To unarchive an exposure signal, in the upper-right corner of the card, click the Unarchive button. Tenable Exposure Management reactivates the exposure signal and moves the card to the appropriate section of the exposure signals list.

Each card includes the following information:

  • Violations — The number of assets found in violation of the exposure signal.

  • Sources — The exposure management categories associated with the exposure signal.

  • Trends — The trend and percentage of change in violations within the last 7 days. For example, if the violations for this combination have increased by 5.45%, you'd see .

Note: Because data on exposure signal cards only refreshes once every 24 hours, you may notice a difference in violation counts between these cards and the rest of the Tenable Exposure Management interface, including the Impacted Assets section.

In the upper right corner of a card, click the button to view additional options:

Tab Menu Options
Built-In

Click Archive to move the exposure signal card to the Archived section of the list.
Custom
Archive

Click Delete to permanently delete the exposure signal card from the Exposure Signals page.

When you click on a card in the Exposure Signals, the details for that card appear on the right side of the page.

At the top of the details section, you can view the following information:

  • The name of the exposure signal.

  • Last Run — The date and time at which information was last generated for the exposure signal.

  • Sources — The number of and the icons for each exposure management category associated with the exposure signal.

  • Click Show Details to view additional exposure signal information:

    • Exposure Signal Info — A brief description of the exposure signal and its creator.

    • Tenable Data Sources — The exposure management categories associated with the exposure signal.

  • (Not supported in Tenable FedRAMP Moderate) What is it about? — This section displays an AI-generated summary of the exposure signal, including information about why the combination may be a risk to you.

In this section, you can view the asset query that generated the exposure signal.

Below the query, you can select any of the following options:

  • See results in Asset Inventory — Click to navigate directly to the Assets view, where you can view the asset query and the asset list filtered by the query results.

  • Duplicate — Click to duplicate the exposure signal into a new, custom exposure signal. From here, you can manage and edit the exposure signal to fit your needs before saving it to the Custom section of the exposure signals list.

  • Copy — Click to copy the query to your device's clipboard. You can then paste the query for use/editing in the Global Asset Search, or you can save it for later.

In the Trend section, you can view a graphical representation of how the number of violations within the selected exposure signal has changed over a specific period of time.

To change the period of time for which you want to view the trend, in the upper-right corner of the section, expand the drop-down menu and select one of the following options:

  • All time

  • Last year

  • Last quarter

  • Last month

  • Last 7 days

Tip: Hover your mouse cursor over any point on the graph to view the exact number of violations on that date.

In this section, you can view a list of the impacted assets (assets found in violation) of the exposure signal.

Tip: Use the search box to search for a specific impacted asset.

This list includes the following asset information:

  • Name — The asset identifier. Tenable Exposure Management assigns this identifier based on the presence of certain asset attributes in the following order:

    1. Agent Name (if agent-scanned)

    2. NetBIOS Name

    3. FQDN

    4. IPv6 address

    5. IPv4 address

    For example, if scans identify a NetBIOS name and an IPv4 address for an asset, the NetBIOS name appears as the Asset Name.

  • Class — The class type associated with the asset. For more information, see Asset Classes.

  • Weaknesses — The weaknesses associated with the asset. For more information, see Weaknesses.

  • AES — The Asset Exposure Score for the asset. The AES represents the asset's relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

    Note:Tenable Exposure Management does not calculate an ACR for unlicensed assets.

  • The asset details panel appears.

    This panel includes the following asset information:

    Section Information
    Header View the asset name. Below the name, click See Asset Details to navigate directly to the full Asset Details page for the selected asset.
    Exposure Signal Summary (Not supported in Tenable FedRAMP Moderate) View an AI-generated summary of the exposure signals, including information about why the combination may be a risk to you.
    Key Properties

    View high-level Key Properties, including:

    • Last Observed At — The date and time at which a scan most recently identified the asset.

    • Created Date — The date and time at which the asset record was created in Tenable Exposure Management.

    • Host Fully Qualified DNS — The Host Fully Qualified Domain Names, or FQDNs, of the asset host.

    • Device System Type — The type associated with the asset's device system, for example, plc.

    • Asset Class — The asset class associated with the asset, for example, Device.

    • ACR — The Asset Criticality Rating for the asset. The ACR represents the asset's relative criticality as an integer from 1 to 10. A higher ACR indicates higher criticality.
    Weaknesses

    View a list of all weaknesses associated with the asset. Click on a weakness to navigate directly to the Weakness Details page for the selected weakness.

    Tip: Use the search box to search for a specific weakness on the asset.