Tenable Identity Exposure 2023 Release Notes

Tenable Identity Exposure 3.46 (2023-05-17)

Zerologon — A new Indicator of Attack detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

Tenable Identity Exposure version 3.46 contains the following bug fixes:

Bug Fix Defect ID
The custom CA certificate trash bin removes the certificates as designed. N/A
A profile is now mandatory when configuring SYSLOG alerts for Indicators of Attack. N/A
An additional parameter, -EventLogsFileWriteFrequency X, in the Indicator of Attack deployment script allows you to address potential issues with slow or broken Distributed File System (DFS) replication that you may experience. For more information, see DFS Replication Issues Mitigation in the Administrator Guide. N/A

Tenable Identity Exposure 3.45 (2023-05-03)

Secure Relay — The Secure Relay now supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

Syslog and SMTP alerting can now send alerts to private servers through a Secure Relay. When creating an alert, Secure Relay platforms now ask you to select a Relay. You can set up Relays and use them for either domain monitoring and alerting, or both.

If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.

Tenable Identity Exposure version 3.45 contains the following bug fixes:

Bug Fix Defect ID
Indicators of Attack — The customization of Tenable Identity Exposure IoAs now works as expected. N/A

Secure Relay Updater — Can now launch itself without an open user session.

 N/A
AlertingTenable Identity Exposure no longer shows a drop-down menu to VPN users that was intended for Secure Relay users only. N/A

User Interface

  • Fixed the tooltip for the description of "Future Automatic Updates" on the Indicator of Attack configuration page.

  • No longer enables the "See Procedure" button on the Indicator of Attack configuration page if there is no domain configured in Tenable Identity Exposure.

 N/A

Tenable Identity Exposure 3.44 (2023-04-19)

Tenable Identity Exposure version 3.44 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure updated its password policy to require a minimum password length of 12 characters. This update ensures consistency across all cases, as some previously only required 8 characters. N/A
The alerting screens now hide in-development information. N/A
Tenable Identity Exposure now allows you to delete custom trusted Certificate Authorities (CAs). N/A
The email alerting tab shows the correct name. N/A
Tenable Identity Exposure removes the AD objects from the Tenable Cloud platform when you delete the corresponding directory in Tenable Identity Exposure. N/A
If the Recycle bin is enabled, the relevance of the event type in the Trail Flow increases when you delete a user. N/A
The active user count now takes into account restored AD objects. N/A
Tenable Identity Exposure should now always display attack names in the Indicator of Attack investigation view. N/A
The Tenable Identity Exposure IoA GPO audit.csv file now gets generated using results from Windows APIs instead of auditpol.exe output (which is localizable). N/A
It is now faster to export deviances from Indicators of Exposure. N/A
The Secure Relay updater now verifies its configuration before validating any updates and rolls back the update if the configuration check fails. N/A

Tenable Identity Exposure 3.43 (2023-03-22)

  • Secure Relay — The Secure Relay now supports HTTP proxy without authentication if your network requires a proxy server to reach the internet. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

  • Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.

  • ScalabilityTenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency.

  • New Indicator of Attack — A new IoA called Unauthenticated Kerberoasting detects stealthy Kerberoasting attacks that bypass numerous detections.

Tenable Identity Exposure version 3.43 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure improved the Indicator of Exposure Application of Weak Password Policies on Users for heavy workload scenarios. N/A
Tenable Identity Exposure removed the RBAC permission related to workload quota. N/A
It is now possible to install the Relay on VM servers that do not have Internet Explorer. N/A
The IoA setup script now handles edge cases where a Resultant Set of Policy (RSOP) computation is not possible for the user running the script. N/A
The IoA NTDS Extraction can now exclude any configured process from its analysis. N/A

Tenable Identity Exposure 3.42 (2023-03-08)

  • Dashboard data availability — Enables reporting on compliance score, deviances count, and users count values over a new maximum 1-year time span (from one month).

Tenable Identity Exposure version 3.42 contains the following bug fixes:

Bug Fix Defect ID

Indicators of Exposure

  • Application of Weak Password Policies on Users introduces two new reasons to explain better two cases where you may think the GPO applies but in fact does not:

    • An Organizational Unit that contains computers may block the GPO inheritance.

    • A security filtering prevents the GPO from applying to computers.

  • Verify AAD SSO Account Password Last Change now resolves deviances when they apply to deleted AD objects.

  • Dangerous Kerberos Delegation now handles existing but empty Resource-Based Constrained Delegation (RBCD) attributes.

 N/A

Indicators of Attack

  • Reduced false positives/negatives for Tenable Identity Exposure attacks for the following IoAs: sAMAccountName Impersonation, Kerberoasting, OS Credential Dumping: LSASS Memory, DCShadow, and DPAPI Domain Backup Key Extraction.

  • OS Credential Dumping: LSASS Memory — shows more accurate process and username information when displaying the information in the UI and alerts.

 N/A

Secure Relay

  • Tenable Identity Exposure corrected an issue that disrupted the Relay's ability to send data and update itself.

  • Tenable Identity Exposure Secure Relay services have an increased resiliency to account for disruptive Windows updates that impacted event processing.

  • Tenable Identity Exposure now allows the reuse of the name of a formerly deleted relay.

 N/A
Tenable Identity Exposure no longer pushes an IoA configuration on the PDC in a deleted GPO. It now uses the installed IoA configuration for a more robust IoA automatic update experience. N/A
The Tenable Identity Exposure (Compliance) Score through the Public API now excludes deactivated checkers for the provided profile. This had led an incorrect score via the Public API. This is now improved and consistent with the Compliance Score available in the Tenable Identity Exposure UI. N/A
After deleting a directory, the Attack Path now refreshes its Tier0 graph. N/A
Tenable Identity Exposure improved the resiliency of the IoA setup script for subsequent installations of the script. N/A

Tenable Identity Exposure 3.41 (2023-02-23)

Tenable Identity Exposure version 3.41 contains the following bug fixes:

Bug Fix Defect ID

The renaming of the Tenable Identity Exposure GPO no longer has an impact on the automatic update feature of the Tenable Identity Exposure Indicator of Attack configuration.

 N/A
Tenable Identity Exposure now requires fewer permissions to obtain the same Indicator of Attack analysis. N/A
The Indicator of Attack PDF report no longer shows an erroneous header on the cover page. N/A
Elimination of false positives on the Tenable Identity Exposure GPO for these Indicators of Exposure: Verify Sensitive GPO Objects and Files Permissions and Domain Controllers Managed by Illegitimate Users. N/A

Tenable Identity Exposure 3.40 (2023-02-13)

  • LDAPS connectionTenable Identity Exposure can use the LDAPS (TCP/636) port to connect to your Active Directory in the Secure Relay architecture. This configuration is not possible in the IPSEC VPN environment.

Tenable Identity Exposure version 3.40 contains the following bug fixes:

Bug Fix Defect ID

Secure Relay:

  • Improved reliability in handling access-denied Indicator of Attack (IoA) SYSVOL files.

  • Enhanced memory handling for greater stability.

  • Permissions for Relay tasks appear in Tenable Identity Exposure's "Roles Management" tab only if your platform uses the Secure Relay architecture and not IPSEC VPN.

 N/A
AuthenticationTenable Identity Exposure now logs a successful login attempt after it validates it. N/A

Indicators of Attack:

  • Tenable Identity Exposure attack detection is now more accurate and reduces false negatives and false positives.

  • The IoA installation reestablishes security events logging.

 N/A

Tenable Identity Exposure 3.39 (2023-01-25)

  • Quicker and easier deployment of Indicators of AttackTenable Identity Exposure can now add or remove Indicators of Attack automatically from configured domain controllers without any manual intervention. For more information, see Install Indicators of Attack in Tenable Identity Exposure Administrator Guide.

  • Roles — Role configuration now allows you to set access to the Relay configuration.

Tenable Identity Exposure version 3.39 contains the following bug fixes:

Bug Fix Defect ID

Attack Path:

  • The page now shows a single menu bar.

  • Improved performance when computing Tier 0 access.

 N/A
Security — GraphQL suggestions no longer appear. N/A
Relay — The Relay can now resolve domains FQDNs. This allows you to use Kerberos on Secure Relay environments, if you also use it with a username in the UPN format in the Forest configuration. N/A
Bug Fix Defect ID

The event log consumption and other Relay events now occur in parallel to avoid memory leak issues.

 N/A
The Relay uninstaller no longer stops the Tenable Nessus Agent service. N/A

Relay installer:

  • Forces the use of TLS 1.2 for its connectivity test instead of the default TLS version.

  • Checks that the relay name is unique and asks you to select another name if it is not.

  • Checks that it can reach cloud.tenable.com before it installs the relay.

 N/A

Tenable Identity Exposure 3.38 (2023-01-11)

Tenable Identity Exposure version 3.38 contains the following bug fixes:

Bug Fix Defect ID
Tenable Identity Exposure dashboard widgets now show "0" instead of "No data" when it does not detect any deviants. N/A
Bug Fix Defect ID
Tenable Identity Exposure now checks for Secure Relay automatic updates every 15 minutes instead of daily. N/A