Customize an Indicator
You can customize Indicators of Exposure and Indicators of Attack for a security profile.
Each security profile operates independently to ensure that one profile does not impact the results of another. You should use the "Tenable" profile solely as a reference, as you cannot customize it or use it to whitelist deviances. You must create your own custom profiles to fulfill specific requirements.
The term "Global customization" on the indicator customization pane pertains to all domains rather than all profiles. Consequently, any settings that you apply to the "Global customization" for one security profile do not influence the "Tenable" profile or another profile.
Tip: To view the settings for the "Tenable" security profile, click on the icon at the end of the line.
- In Tenable Identity Exposure, click Accounts > Security profiles management.
  The Security profiles management pane appears.
- In the list of security profiles, hover over the security profile that contains the indicator you want to customize. Click on the icon at the end of the line where the security profile file name appears.
  The Profile configuration pane appears.
- Select the tab for Indicators of Exposure or Indicators of Attack.
- (Optional) In the Search an indicator box, type an indicator name.
- Click the name of the indicator to customize.
  The Indicator Customization pane appears.
- Make the necessary customization to the indicator.
  Note: Certain indicator options require the use of regular expressions (regex). A regex is a 'contain' match, not an 'equal' match. Example: When you provide "admin" as the input option, you can whitelist a user with "samAccountName=admin" as well as a user with "samAccountName=admintoto".
  - To get an exact match, you must anchor the expression with the regex special characters "^...$".
  - You must also escape special characters with a backslash when using regex. Example: To declare "domain\user" and "CN=Vincent C (Test),DC=tenable,DC=corp", you type "domain\\user" and "CN=Vincent C. \(Test\),DC=tenable,DC=corp".
- Click Save as draft.
  A message confirms that Tenable Identity Exposure saved the customization options.
- You can either:
  - In the Profile configuration pane, click Apply pending customization in the lower-right corner, or
  - In the Security profiles management pane, click the icon at the end of the line where the name of the security profile appears.
  A message appears to warn you that applying the customization erases all its data and requires a complete analysis of the monitored Active Directory, which can take some time.
- Click OK.
  A message confirms that Tenable Identity Exposure applied the customization options. In the Security analysis column in the Security profiles management table, Waiting indicates that the analysis according to your security profile is waiting to be run.
- You can either:
  - In the Profile configuration pane, click Revert pending customization in the lower-left corner, or
  - In the Security profiles management pane, click the icon at the end of the line where the name of the security profile appears.
  A message confirms that Tenable Identity Exposure canceled the customization options.
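
The regex note in the customization step can be checked offline before you save a whitelist value. The following is an added example, not Tenable code: it assumes Python's `re.search` behaves like the 'contain' match described above (the page does not name the product's regex engine), and the function names and account list are hypothetical.

```python
import re

# Regex special characters that must be escaped with a backslash
# to be matched literally (assumption: the common metacharacter set).
_META = re.compile(r'([\\.^$*+?()\[\]{}|])')


def escape_literal(value):
    """Escape regex special characters in a literal account name or DN."""
    return _META.sub(r'\\\1', value)


def exact_pattern(value):
    """Build an 'equal' match: escaped literal anchored with ^...$."""
    return "^" + escape_literal(value) + "$"


def audit_pattern(pattern, intended, accounts):
    """Apply a whitelist pattern as a 'contain' match over known accounts.

    Returns (missed, unintended): intended accounts the pattern fails to
    match, and accounts it whitelists although they were not intended.
    """
    rx = re.compile(pattern)
    matched = {a for a in accounts if rx.search(a)}
    wanted = set(intended)
    return sorted(wanted - matched), sorted(matched - wanted)


# Constructed sample of samAccountName values, for illustration only.
ACCOUNTS = ["admin", "admintoto", "sqladmin", r"domain\user", "jdoe"]

if __name__ == "__main__":
    for label, pattern, intended in [
        ("contain", "admin", ["admin"]),
        ("exact", exact_pattern("admin"), ["admin"]),
        ("escaped", exact_pattern(r"domain\user"), [r"domain\user"]),
    ]:
        missed, unintended = audit_pattern(pattern, intended, ACCOUNTS)
        print(f"{label:8} {pattern!r}: missed={missed} unintended={unintended}")
```

Any account listed under `unintended` would have its deviances whitelisted along with the one you meant, so an empty `unintended` list is the result to look for before applying the customization.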