Customize an Indicator

Required User Role: Administrator or organizational user with appropriate permissions.

You can customize Indicators of Exposure and Indicators of Attack for a security profile.

Note: You cannot customize the default Tenable Identity Exposure security profile. You can only view and copy the Tenable Identity Exposure security profile settings. Click on the icon at the end of the line to display the Tenable Identity Exposure profile settings.

  1. In Tenable Identity Exposure, click Accounts > Security profiles management.

    The Security profiles management pane appears.

  2. In the list of security profiles, hover over the security profile that contains the indicator you want to customize. Click on the icon at the end of the line where the security profile file name appears.

    The Profile configuration pane appears.

  1. Select the tab for Indicators of Exposure or Indicators of Attack.

  2. (Optional) In the Search an indicator box, type an indicator name.

  3. Click the name of the an indicator to customize.

    The Indicator Customization pane appears.

  4. Make the necessary customization to the indicator.

    Note: Certain indicator options require the use of regular expressions (regex). Regex are a 'contain' match instead of an 'equal' match. Example: When you provide "admin" as the input option, you can whitelist a user with "samAccountName=admin" as well as a user with "samAccountName=admintoto".
    - To get an exact match, you must use Regex special characters ("^...$") syntax.
    - You must also escape special characters with a backslash when using regex. Example: To declare "domain\user" and "CN=Vincent C (Test),DC=tenable,DC=corp", you type "domain\\user" and "CN=Vincent C. \(Test\),DC=tenable,DC=corp".

  5. Click Save as draft.

    A message confirms that Tenable Identity Exposure saved the customization options.

  1. You can either: 

    • In the Profile configuration pane, click Apply pending customization in the lower-right corner, or

    • In the Security profiles management pane, click the icon at the end of the line where the name of the security profile appears.

    A message appears to warn you that applying the customization erases all its data and requires a complete analysis of the monitored Active Directory, which can take some time.

  2. Click OK.

    A message confirms that Tenable Identity Exposure applied the customization options. In the Security analysis column in the Security profiles managementt table, Waiting indicates that the analysis according to your security profile is waiting to be run.

  • You can either: 

    • In the Profile configuration pane, click Revert pending customization in the lower-left corner, or

    • In the Security profiles management pane, click the icon at the end of the line where the name of the security profile appears.

    A message confirms that Tenable Identity Exposure canceled the customization options.

See also